OpenBSD 7.1
The Great Wave off Calgary
Released Apr 21, 2022. (52nd OpenBSD release)
Copyright 1997-2022, Theo de Raadt.

Artwork by Luc Houweling.

  • See the information on the FTP page for
    a list of mirror machines.
  • Go to the pub/OpenBSD/7.1/ directory on
    one of the mirror sites.
  • Have a look at the 7.1 errata page for a list
    of bugs and workarounds.
  • See a detailed log of changes between the
    7.0 and 7.1 releases.
  • signify(1) pubkeys for this release:

    openbsd-71-base.pub: RWR2eHwZTOEiTWog354iy3StRj18VbZl87O9uZpa1M2jGLXEkco6vDT5
    openbsd-71-fw.pub: RWQCAJ4gBK3pbcm/Q5XYxu+hIY3Zvx9kwGv2uJphEN7kNl1DD4QRue6v
    openbsd-71-pkg.pub: RWQgLTtHQtisyH9qc9imxVFsf+P24M75F1aNio5qJCfG/bO6gATAzC9V
    openbsd-71-syspatch.pub: RWTVqN+z9ta+Z6Ri7W7Vlf+XgXE30rGXld8kO78L1GmE61U5Xvbr/zHM

All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via ports.tar.gz.
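A check worth running when one of the keys above is copied by hand before it is handed to signify -C, as an added example that is not part of the release page or of signify(1) itself: it decodes the transcribed key, confirms it has the 42-byte layout signify expects ("Ed" marker, 8-byte key number, 32-byte Ed25519 public key), writes it in the file format signify reads, and reports the key number, which is the same 8 bytes every signature embeds, so a wrong key shows up as signify's "checked against wrong key" rather than as a silent failure. It assumes a POSIX sh with base64(1) supporting -d, od(1), cut(1) and mktemp(1); the signify invocation is left in a comment because only an OpenBSD host has it. This confirms format only: authenticity still comes from comparing the file against a key already trusted, such as the copy in /etc/signify on an installed system.

```shell
#!/bin/sh
# Added example (not from the OpenBSD release page): sanity-check a signify(1)
# public key transcribed from the page before using it with "signify -C".
# Assumes base64(1) with -d, od(1), cut(1) and mktemp(1).
#
# A signify public key is the base64 of 42 bytes:
#   bytes 0-1   "Ed"        algorithm marker (Ed25519)
#   bytes 2-9   key number  8 bytes, also stored in every signature; signify
#                           compares them and reports "checked against wrong key"
#   bytes 10-41 Ed25519 public key

# Print the hex key number of a well-formed signify public key, else fail.
signify_keynum() {
    hex=$(printf '%s' "$1" | base64 -d 2>/dev/null | od -An -tx1 -v | tr -d ' \n')
    [ "${#hex}" -eq 84 ] || return 1                                 # 42 bytes
    [ "$(printf '%s' "$hex" | cut -c1-4)" = "4564" ] || return 1     # "Ed"
    printf '%s\n' "$hex" | cut -c5-20
}

# Write the key in the two-line format signify(1) reads (comment, base64).
# Refuses malformed keys so a copy/paste error fails here instead of later
# as a confusing "signature verification failed".
signify_write_pubkey() {
    name="$1"; b64="$2"; out="$3"
    keynum=$(signify_keynum "$b64") || { echo "$name: malformed key" >&2; return 1; }
    printf 'untrusted comment: %s public key\n%s\n' "$name" "$b64" > "$out"
    echo "$name keynum $keynum"
}

# Keys as printed on the release page.
OPENBSD_71_BASE='RWR2eHwZTOEiTWog354iy3StRj18VbZl87O9uZpa1M2jGLXEkco6vDT5'
OPENBSD_71_PKG='RWQgLTtHQtisyH9qc9imxVFsf+P24M75F1aNio5qJCfG/bO6gATAzC9V'

demo() {
    dir=$(mktemp -d) || return 1
    signify_write_pubkey openbsd-71-base "$OPENBSD_71_BASE" "$dir/openbsd-71-base.pub" || return 1
    signify_write_pubkey openbsd-71-pkg  "$OPENBSD_71_PKG"  "$dir/openbsd-71-pkg.pub"  || return 1
    # The written file must match a copy you already trust before it is used
    # to check the release sets (both commands need an OpenBSD host):
    #   cmp /etc/signify/openbsd-71-base.pub "$dir/openbsd-71-base.pub"
    #   signify -C -p "$dir/openbsd-71-base.pub" -x SHA256.sig base71.tgz bsd.rd
    rm -rf "$dir"
}

demo
```

The key number printed for the base key is what signify -C compares against the number embedded in SHA256.sig; if the two differ, the signature file was produced with a different key and verification stops before any set is checked.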


What’s New

This is a partial list of new features and systems included in OpenBSD 7.1.
For a comprehensive list, see the changelog leading
to 7.1.

  • New/extended platforms:
    • Support for Apple Silicon Macs has improved and is ready for general use:
      • Added aplspi(4), a driver for the SPI controller found on the Apple M1 SoC.
      • Added aplhidev(4) support for the keyboard/touchpad on Apple M1 laptops.
      • Introduced aplpmgr(4), a driver for the power management controller found on Apple SoCs.
      • Introduced aplmbox(4), a driver for the mailbox that provides a communication channel with additional cores integrated on Apple SoCs.
      • Introduced apliic(4), a driver for the I2C controller found on Apple SoCs.
      • Added the chip ids used on Apple M1 Pro/Max and Apple T2 Macs to bwfm(4).
      • Rewrote arm64 kernel FPU handling code to fix the random crashes seen with SMP kernels on Apple M1.
      • Restricted the pci(4) ioctl interface to devices detected by the kernel, preventing Xorg PCI probes from breaking the WiFi chip on M1 macs.
      • Introduced aplsmc(4), a driver for the SMC found on Apple M1 SoCs.
      • Introduced aplnco(4), a driver for the Numerically-controlled oscillator (NCO) clock which drives the audio clocks on Apple silicon.
      • Introduced tascodec(4), a driver for the TI TAS2770/TAS5770 digital audio amplifier codec found on Apple M1 Macs.
      • Introduced apldma(4), a driver for the DMA controller found on Apple SoCs.
      • Added support to explicitly power on some PCIe devices on the M1 and M1 Pro/Max through a GPIO controlled by the SMC.
      • Added aplcpu(4), a driver to control the CPU performance levels on Apple SoCs.
      • Modified aplintc(4) to support a newer interrupt controller, making OpenBSD run on M1 Pro/Max machines.
      • Added nvmem support to aplpmu(4) and made it available on Apple SPMI PMUs.
      • Added RTC support to aplsmc(4).
      • Made the arm64 ramdisk installer fetch bwfm(4) firmware from the EFI System Partition on Apple Silicon devices for use during installation and addition to the newly installed system.
      • Added support for controlling keyboard LEDs to aplhidev(4).
      • Added basic GPIO support to aplsmc(4).
      • Ensured apldart(4) keeps the DART enabled in front of the display controller to preserve its access to the framebuffer and continued display.
      • Fixed reading motherboard time on Apple machines with old SMC firmware.
      • Implemented reboot/powerdown support in aplsmc(4).
      • Implemented aplintc(4) support for multiple dies, making OpenBSD work on the M1 Ultra.
    • Support for other arm64 architecture hardware was also improved with the following changes:
      • Introduced gpiocharger(4), a
        driver providing support for battery chargers connected to GPIO pins,
        such as those found on the Pinebook Pro.
      • Introduced gpioleds(4) for arm64, a
        driver providing support for LEDs connected to GPIO pins, such as
        those found on the Pinebook Pro.
      • Added gpiokeys(4)
        for arm64, a driver which handles events triggered by GPIO keys such
        as lid status and power button.
      • Added pclk clock used by dwdog(4) on RK3399 to rkclock(4).
      • Introduced mpfclock(4), a driver
        for the PolarFire SoC MSS clock controller.
      • Introduced cdsdhc(4), a driver for
        the Cadence SD/SDIO/eMMC host controller.
      • Introduced mpfiic(4), a driver for
        the PolarFire SoC MSS I2C controller.
      • Introduced mpfgpio(4), a driver for
        the PolarFire SoC MSS GPIO controller.
      • Enabled cduart(4)
        on arm64.
      • Added mvpinctrl(4) support
        for the CP115 block found on Marvell CN9K SoCs.
      • Added mvclock(4)
        support for the AP807 block found on Marvell CN9K SoCs.
    • Changes on other architectures:
      • Enabled uhid(4)/fido(4) on riscv64.
      • Allowed riscv64 installation on a disk with a GPT.
      • Added missing locking to pmap_extract(9) and
        pmap_unwire(9) on
        arm64 and riscv64.
      • Improved stack unwinding on riscv64 in ddb(4).
      • Fixed kernel stack alignment on riscv64.
      • Fixed RISC-V lld link code when dealing with object files created with “ld -b”.
      • Made sure nothing can map address zero on RISC-V.
      • Made sure armv7,arm64 and risc-v FDT bootloader code does not write beyond the FDT data structure.
      • Fixed booting from an IDE block device on the Sun Blade 100.
      • Fixed radeondrm(4) console colors on sparc64.
      • Enabled dt(4) on
        macppc.
      • Increased ddb(4) access to registers on macppc and powerpc64.
      • Enabled enforcing of RLIMIT_MEMLOCK on powerpc64.
      • Allowed ddb(4) trace
        through interrupt on macppc.
  • Various kernel improvements:
    • Made futexes work in shared anonymous memory.
    • Improved tracking of mbuf memory usage in the whole system.
    • Switched to using long filenames by default with mount_msdos(8).
    • Fixed memory leak in fuse(4) when calling namei(9).
    • Fixed establishing legacy INTx interrupts on machines without a
      (usable) MSI interrupt controller.
    • Cleaned up irrelevant uses of 3rd mode_t parameter for open(2)/openat(2), unused when not
      creating files.
    • Reworked garbage collector for unix(4) sockets to prevent
      potential kernel panics.
    • Changed the power management sysctl(8)
      hw.perfpolicy to “auto” at startup, defaulting to 100%
      performance with AC power connected and using the auto algorithm when
      on battery.
    • Aligned memory allocation for USB device drivers and USB HC
      drivers, enlarging the USB memory pool.
    • Prevented a panic in softraid(4) while rebooting if softraid has been disabled.
    • Fixed hibernate setups where removal of a umass(4) device results in
      a renumbered softraid(4) boot device.
    • Fixed hibernate on newer hardware by allowing more memory ranges.
    • If CPU sleep state S4 is not available, use S5 for the
      ACPI transitions in hibernate support.
    • Added code to update hw.power whenever AC state changes on
      resume.
    • Fixed a panic by prohibiting renames of tmpfs mount-points.
    • Fixed double free after allocation failure in bpf(4).
  • SMP Improvements
    • Made pipe event filters MP-safe.
    • Set klist lock for sockets to make socket event filters MP-safe.
    • Implemented poll(2),
      select(2), ppoll(2) and pselect(2) on top of
      kqueue.
    • Unlocked top part of UVM fault handler on mips64.
    • Unlocked the kevent(2) system call.
    • Made the kqread event filter MP-safe.
    • Reduced the time overhead of kqueue(2)-based poll(2) and select(2) system calls by
      keeping knotes between the system calls.
    • Unlocked accept(2)
      and accept4(2)
      syscalls.
    • Prevented select(2) from blocking if
      registering found pending events.
    • Protected ipsec(4)
      input and output with the kernel lock to allow forwarding of non-ipsec
      traffic in parallel.
    • Unlocked the bottom part of the uvm fault handler.
    • Unlocked getpeername(2).
    • Made bpf(4) MP-safe.
    • Implemented the poll(2) system call on top
      of the kqueue(2)
      subsystem, obsoleting the old, non-MP-safe poll backend.
    • Made audio(4) event filters MP-safe.
    • Unlocked getsockname(2).
    • Added kernel interfaces for atomic load and store functions for int and long to be used in reference counted struct members.
  • Direct Rendering Manager
    • Updated drm(4)
      to Linux 5.15.26
    • inteldrm(4):
      support for Elkhart Lake, Jasper Lake, Rocket Lake
    • amdgpu(4):
      support for Van Gogh APU, Rembrandt “Yellow Carp” Ryzen 6000 APU,
      Navi 22 “Navy Flounder”, Navi 23 “Dimgrey Cavefish”,
      Navi 24 “Beige Goby”
  • VMM/VMD improvements
    • Retired switch(4) support in vmd(8).
    • Fixed a bug where vmd(8)
      would exit when requesting a new VM and hitting memory resource
      limits.
    • Fixed vmm(4) state
      corruption on Intel hosts.
    • Fixed vmm(4) cpuid leaf
      clamping when the host has an invariant TSC.
    • Added quiesce/wakeup hooks to
      vmm(4)
      allowing Intel hosts to suspend and hibernate safely with
      running guests.
    • Added a new login class for
      vmd(8)
      on amd64.
    • Fixed broken vmd(8)
      “boot device cdrom” feature after a fix in seabios.
    • Reintroduced support for vmctl(8) start -B net -b bsd.rd, which
      emulates a PXE boot and performs an autoinstall.
    • Made vmm(4) dt(4) tracepoints amd64-only.
  • Various new userland features:
    • Added realpath(1), a wrapper
      for realpath(3) for
      use in ports.
    • Added rcctl(8) “ls
      rogue” to show daemons which are running but not set as “enabled” in
      rc.conf.local(8).
    • Implemented probe variables in BPFtrace (bt(5)).
    • Provided common btrace(8) scripts
      kprofile.bt (to save kernel stackframes and produce flamegraphs) and
      runqlat.bt (to measure the latency of the scheduler runqueues).
    • DNSSEC support: implemented RFC 6840 AD flag processing in the libc
      resolver. The AD (authentic data) bit in replies is honored only from
      name servers marked trusted with the ‘trust-ad’ option in
      resolv.conf(5); otherwise it is cleared.
    • Enabled support for displaying an estimated battery recharge time
      in apm(8) and apmd(8).
    • Introduced support for storing capability databases in
      /etc/login.conf.d, allowing easy addition of custom login classes from
      packages and made rcctl(8) look for the login
      class in both login.conf and login.conf.d/${class}.
    • Added a malloc(3)
      cache of regions between 128k and 2M to accommodate programs
      allocating and deallocating regions of these sizes quickly.
    • Added pax(1) support
      for mtime/atime/ctime extended headers (in not-SMALL builds).
    • Added -k flag to gzip(1) and gunzip(1) to retain
      (de)compressed file.
    • Implemented openrsync(1) --compare-dest, allowing additional
      directories to be specified which are checked for files that are
      already present.
    • Implemented openrsync(1) --max-size and --min-size.
  • Various bugfixes and tweaks in userland:
    • Reliability and performance of pkg_add(1): fixed a bug which
      emitted an “XXX” warning for a “shouldn’t ever happen” situation
      that was actually harmless. Also, massive performance improvement
      in scenarios like texlive updates, by reducing filesystem name
      churn when updated files didn’t change.
    • Enabled subpixel rendering in FreeType.
    • Updated xorg-server to 21.1.3, leaving in place an earlier change
      to compute the screen resolution from dimensions returned by the
      screen, reverted by upstream.
    • Allowed bare numbers for key and mouse bindings in cwm(1).
    • Added a cwm(1)
      “group-last” command that shows only the previously active group.
    • Fixed glass console and getty(8) interference with Xorg on arm64.
    • Fixed octal escape parsing in tr(1) backslash().
    • Added uniq(1)
      support for arbitrarily long input lines.
    • Made uniq(1) ignore
      trailing newlines when comparing lines.
    • Made uniq(1) skip()
      each input line only once, improving performance.
    • Increased tee(1) I/O
      buffer size from 8KB to 64KB.
    • Improved performance of rev(1).
    • Made ed(1) flush all
      stdio streams before running a shell command.
    • Prevented a file descriptor leak in touch(1) after futimens(2) failure.
    • Added seq(1), a command to print sequences of numbers.
    • Set cpuspeed to 0 in apm(8) when hw.cpuspeed cannot be retrieved.
    • Copied the cos(3) cosine software implementation from FreeBSD-13,
      and disabled assembly implementations of trig functions on x86
      platforms.
    • Added optimization for tiny x in cos(3) and sin(3) trigonometry
      functions.
    • Switched aucat(1) internal sample representation and default file
      encoding to 24-bit.
    • Switched sndiod(8) internal sample representation to 24-bit fixed
      point.
    • Allowed passing a different signal than SIGTERM in the default
      rc_stop() function in rc.subr(8).
    • Improved and simplified timer handling in rc.d(8) “stop” and “reload”.
    • Made fdisk(8)
      -b available on all architectures.
    • Removed the constraint that fdisk(8) -b block
      count and block offset must be greater than 63.
    • Made fdisk(8) -b
      partitions other than EFI System partitions DOSACTIVE.
    • Switched to using fdisk(8) -b to create boot
      partitions on multiple architectures.
    • Removed fdisk(8)
      “disk” editing command.
    • Prevented fdisk(8)
      from initializing an MBR to have overlapping partitions 0 and 3.
    • Allowed fdisk(8) to
      extend the default OpenBSD partition to the end of the disk, rather
      than truncating at the end of the last full cylinder.
    • Corrected GPT checksums written by fdisk(8) on big-endian
      architectures to be little-endian as per spec.
    • Made fdisk(8) -A
      preserve BIOS boot partition.
    • Made fdisk(8) -A
      preserve the EFI System partition on GPT disks with Apple APFS partitions.
    • Removed the builtin MBR from fdisk(8).
    • Removed the “rpath” and “wpath” pledges from fdisk(8).
    • Ensured fdisk(8)
      creates the default OpenBSD MBR partition only when there is space for it.
    • Ensured fdisk(8)
      does not set MBR DOSACTIVE flag on unused partitions when initializing MBR.
    • Reduced the alignment space fdisk(8)
      inserts before the start of the default OpenBSD partition.

    • Merged bugfixes from upstream into less(1) including fixes for
      the prompt hiding feature (CTRL-P) and an integer overflow.
    • Fixed possible use after free with long lines in less(1).
    • Fixed file descriptor leak of /dev/tty on doas(1) auth failure.
    • Replaced lrint(3),
      lrintf(3), llrint(3) and llrintf(3)
      implementations from NetBSD with the existing FreeBSD implementations
      we were already using for lrintl(3) and llrintl(3).
    • In various games, call pledge(2)
      later to prevent it from killing various games using ncurses when both
      stdout and stderr are redirected to a non-tty.
    • Switched LLD_ARCHs (architectures using the LLVM ld.lld(1) linker) to also
      use the LLVM archiver llvm-ar(1).
    • Added openvpn ports (udp/1194 & tcp/1194) to /etc/services.
    • Prevented an access to uninitialized memory in awk(1).
    • Fixed vi(1) recovery
      mode.
    • Extended and reordered the process accounting information
      structure acct(5). Flag
      Day for the acct(2) file
      format.
    • Fixed setusercontext(3)
      error when /etc/login.conf is not present.
  • Improved hardware support and driver bugfixes, including:
    • Added support to pchgpio(4) for Cannon
      Lake H and Tiger Lake H platforms.
    • Ensured use of the correct encoding in xenocara when /etc/kbdtype
      is present with an attached ucc(4) keyboard.
    • Added support for the TPM2 CRB interface to tpm(4), fixing recent S4
      regressions on the Surface Go 2 caused by a firmware change.
    • Ensured armv7 and arm64 efiboot allocate fresh memory for the
      device tree with at least one page of free space to extend into. This
      fixes booting on VMWare Fusion.
    • Stopped binding audio devices exposed by sndiod(8) to physical
      devices.
    • Fixed handling of interrupts shared between multiple swiic(4) devices.
    • Introduced iicmux(4), a driver that
      switches between I2C busses connected to a single I2C controller by
      using the pin muxing facilities of an SoC.
    • Introduced pcyrtc(4), a driver for
      the NXP PCF85063A/TP RTC chips.
    • Fixed a panic when running utvfu(4) on xhci(4).
    • Added acpipci(4)
      support for interrupts represented by ACPI PCI Interrupt Link Devices,
      making PCI interrupts work on QEMU’s SBSA target.
    • Added handling of multi-port controllers to uslcom(4).
    • Made com(4) attach over acpi(4) on amd64.
    • Added address locators for the ACPI “bus” and used these to fix
      the order of the com(4)
      devices to match the traditional order on the ISA bus.
    • Added Intel Jasper Lake to the azalia(4) audio driver.
    • Ensured azalia(4)
      matches on Intel 300 Series audio, fixing attaching on the Dell G3
      3590.
    • Added Synopsys Designware UART support to com(4).
    • Fixed an issue where com(4) would attach for a
      disabled serial port leading to misdirection of the hardware variant
      and a subsequent hang when /etc/rc runs ttyflags(8) -a.
    • Fixed sdhc(4) for
      Jasper Lake eMMC.
    • Improved how quirks are handled on sdhc(4)-compatible drivers.
    • Enabled acpibat(4) use with the
      Surface Go 3.
    • Fixed suspend/resume issues with com(4) at acpi(4).
    • Correlated uaudio(4) and ucc(4) devices
      to adjust the volume of the correct audio device
      rather than the first one attached.
    • Enabled FIFO support in pluart(4).
    • Added support for XBox One game controller.
    • Stopped suspending the tpm(4) device upon
      hibernation, preventing some systems from hanging when hibernating a
      second time.
    • Fixed hilkbd(4)
      Swedish keyboard layout on non-PS/2 style keyboards.
  • New or improved network hardware support:
    • Added support to umb(4) for SIMCom SIM7600.
    • Fixed an interrupt storm on dwge(4) variants which
      support Energy Efficient Ethernet when connected to a switch which
      does so as well.
    • Made dwge(4) and dwxe(4) MP-safe.
    • Added igc(4), a
      driver for the Intel 2.5Gb Ethernet controllers.
    • Implemented em(4)
      support for selecting SGMII or SerDes mode depending on the plugged-in
      SFP transceiver and for reading out transceiver information via ifconfig(8).
    • Enabled hardware vlan tagging for ixl(4).
    • Re-enabled ixl(4)
      IPv4, TCP4/6 and UDP4/6 checksum offloading.
    • Enabled receive
      checksum offloading on ixl(4).
    • Prevented a possible deadlock in cad(4).
    • Prevented aq(4) nics
      from writing to mbufs taken off the ring when the interface was taken
      down.
    • Fixed receive filter handling and vlan packet reception in aq(4).
    • Enabled vlan and checksum offloads in aq(4).
    • Enabled interrupt moderation in aq(4), aiming at around 20k
      interrupts per second.
    • Fixed ure(4) vlan
      transmission with hw tagging.
    • Added preliminary ure(4) support for RTL8156B
      and bug fixes for RTL8153/RTL8156.
    • Reworked ix(4)
      checksum/vlan offloading and enabled it for IPv6.
    • Enabled IP header checksum offloading in ix(4).
    • Fixed msk(4) operation
      after interface state changes.
    • Enabled vmx(4) on arm64.
  • Added or improved wireless network drivers:
    • Introduced mtw(4), a
      driver for MediaTek MT7601U USB wifi devices, enabled on amd64, i386, macppc, and arm64.
    • Added 802.11n Tx aggregation support to the iwx(4) driver.
    • Added support for 802.11n 40MHz channels, and 802.11ac 80MHz channels, to the iwm(4) and iwx(4) drivers.
    • Reset the Tx watchdog timer when a block ack notification is received by
      iwx(4) and iwm(4) firmware to prevent spurious device timeouts.
    • Prevented invalid net80211 state transitions in the
      iwm(4) and iwx(4) drivers to avoid a potential hang.
    • Fixed a panic when iwx(4) cannot find firmware
      at boot time.
    • Fixed iwm(4)
      performance drop after roaming between APs in 11n mode.
    • When roaming with iwm(4) or
      iwx(4), keep the old BSSID available for use by firmware
      commands which tear down device state before switching to the new AP.
    • Fixed race conditions in the iwm(4) and
      iwx(4) drivers while roaming between APs with
      outstanding frames on transmit queues.
    • Reverted to use iwm(4) firmware v17 on Intel
      AC 7265, fixing instability issues on X1 Carbon gen3.
    • Explicitly stopped iwx(4) Rx block ack sessions when
      roaming between access points.
    • Fixed monitor mode on iwm(4) and iwx(4).
    • Let iwx(4) and iwm(4) use per-Tx-queue
      interface timers to ensure the Tx watchdog triggers if a particular Tx queue gets
      stuck.
    • Switched iwx(4) to new -67 firmware images, and updated iwm(4) 9260 and 9560 firmware, to address INTEL-SA-00509.
    • Made iwm(4) attach to PCI devices with product ID 0x31dc, part of the 9560 chip family.
    • Fixed wrong pointer assignment causing the iwx(4)
      driver to read Rx block ack request information from the wrong offset.
    • Fixed and reenabled use of probe requests during scans on iwm(4) and iwx(4).
    • Fixed attach of multiple iwm(4) or iwx(4) interfaces in the same machine.
    • Fixed iwn(4) with 4965 devices.
    • Improved roaming stability on iwn(4), particularly with wpa_supplicant.
    • Added relicensed wireless firmwares from Realtek for rsu(4), rtwn(4) and urtwn(4) devices, allowing
      these devices to work without requiring a separate firmware download.
    • Added a workaround for buggy athn(4) devices to prevent
      filling up the node cache when used in hostap mode.
    • Applied a workaround in mvkpcie(4) to fix an
      external abort under load with athn(4).
    • Made athn(4) attach
      to the Sony UWA-BR100.
    • Fixed “(null node)” panics on run(4).
    • Disabled minimum power consumption in bwfm(4) hostap mode,
      improving connection reliability when used as an access point.
    • Added support for the BCM4387 to bwfm(4).
    • Improved TX performance on urtwn(4) RTL8192EU devices.
    • Fixed the TX rate used by rtwn(4) and urtwn(4) for RTS frames.
  • IEEE 802.11 wireless stack improvements and bugfixes:
    • Added an ADDBA_OFFLOAD capability for wifi devices to manage Tx block ack sessions entirely in firmware.
    • Added support for 40MHz channels to net80211 Tx rate adaptation in 11n mode.
    • Added monitoring of 20/40MHz channel width changes in beacons sent by our access point, notifying drivers when the channel width has changed.
    • Introduced an optional background-scan handler for wireless drivers, which drivers can use to take control of the device teardown sequence, ensuring that race conditions between firmware state and net80211 state are avoided.
    • Taught the net80211 stack to remove corresponding frames from ic_pwrsaveq when a power-saving client decides to leave our hostap interface, preventing a panic in the athn(4) driver.
    • Added initial 802.11ac (VHT) support to the wifi stack.
    • Made tcpdump(8) show 802.11ac VHT capability and operation IEs with the IEEE802_11_RADIO data link type (-y) in verbose (-v) mode.
    • Added 802.11ac/VHT TX rate adaptation support to net80211.
    • When choosing networks during SSID selection, give a higher score to 11ac and 11n access points, prioritizing 11ac.
    • When choosing from a set of access points for a given SSID, prefer APs on 5GHz channels over APs on 2GHz channels. This was already supposed to happen in earlier OpenBSD releases but did not always work as intended.
  • Generic network stack improvements and bugfixes:
    • Fixed pfctl(8) $nr incorrect macro expansion.
    • Fixed pfctl(8) rdr-to rules failing on certain port ranges when explicitly specified.
    • Ensured the pf(4) “set prio” values are checked consistently.
    • Made “set skip on …” in pf.conf(5) dynamic, with
      this, “set skip” can be used on interfaces that are not configured
      yet.
    • Protected pfsync(4) tdb flags and
      lists with a mutex to prevent crashes involving pfsync, IPsec and
      parallel forwarding.
    • Added support for PPP IPCP extensions for DNS to sppp(4).
    • Added display of DNS information from sppp(4) to ifconfig(8).
    • Switched to calculating pppoe(4) session duration
      using system uptime rather than UTC.
    • Fixed veb(4) vport
      handling to prevent improper drop of packets leaving a vport
      interface.
    • Prevented tweaks to tun(4) if_flags when the
      NET_LOCK isn’t held.
    • Prevented reopening of tun(4)/tap(4) interfaces which are
      being destroyed.
    • Rewrote vxlan(4) to
      operate independently of bridge(4), create and bind
      udp sockets and prevent loops.
    • Stopped hiding the mtu on “bridge” interfaces which do handle l3
      traffic in ifconfig(8).
    • Added mbuf tags to prevent output loops in etherip(4).
    • Added an rtable capability to login.conf(5),
      allowing the routing table a process uses to be specified per login class.
    • Made su(1) honor the
      login class routing table when doing a full login with su -l.
    • Fixed IP output routines on raw sockets so route sourceaddr can
      take effect using sendto(2) or similar.
    • Ensured pcap_lookupdev(3)
      matches only on complete interface names.
  • Installer and upgrade improvements:
    • Corrected installer to understand “inet autoconf” properly in hostname.if(5) files.
    • Stopped prompting whether to fall back to HTTP in the installer,
      making the fallback automatic.
    • Used ifconfig(8)
      “join” command by default in hostname.if(5) files,
      replacing the old “nwid”.
    • Replaced custom bootloader installation code with installboot(8) on
      riscv64 and armv7 architecture installations.
    • New logic for pkg_add(1) to avoid
      excessive moving of files during updates when possible.
    • Documented OpenBSD installation and upgrade customization using the install.site(5) file.
    • Corrected “!” escape handling in the installer when accepting WEP/WPA passphrase.
    • Prevented a potential race which could make umount(8) fail spuriously
      in the installer.
    • Made config(8) -e
      work with ramdisk kernels.
    • Made config(8) -c
      cmdfile use lines from the command file for all input, not just
      commands. This allows complex actions like changing device parameters.
    • Ensured that an interrupted arm64 install from the ramdisk kernel
      can be restarted.
    • Made redistributable firmwares available across all architectures.
    • Returned to a shell-script based fw_update(8), written
      to be usable by the install script, allowing earlier retrieval of
      downloaded firmwares.
    • Stopped fw_update(8) from
      downloading SHA256.sig when not needed, to allow installing local
      files without network access.
    • Modified the installer to use fw_update(8) to install
      non-free firmware files if present on the install media.
    • Made fw_update(8)
      re-download existing files with failed checksums.
    • Made fw_update(8) use the
      /snapshots directory only on -current snapshot installations.
  • Security improvements:
    • Clear the length of keys in vnconfig(8) alongside keys themselves.
    • Removed hifn(4), safe(4) and ubsec(4) crypto drivers.
    • Added call to unveil(2) to restrict stty(1) -f filesystem access.
    • Disabled xterm(1) mouse tracking by default.
    • On arm64 architectures, use “rng-seed” and “kaslr-seed” properties from the device tree to mix extra entropy into the random pool.
    • Made apmd(8) replace /etc/random.seed for hibernate-resumes.
    • Restricted usbhidctl(1) and usbhidaction(1) file
      system access with unveil(2).
    • Added ps(1) status flag “c” to indicate a process is chrooted.
    • In rpc.rusersd(8) unveil(2) “/dev” read-only
      instead of using chroot(2).
  • Routing daemons and other userland network improvements:
    • switchd(8), the software-defined networking (SDN) flow
      controller, was removed. While interesting, the OpenFlow implementation
      never reached a really usable state.
    • Switched nsd(8) to enable DNS cookies by default, matching the behavior shipped in OpenBSD 7.0.
    • Ensured enabled resolvers are honored by unwind(8) to keep unused forwarders disabled properly.
    • Installed missing scope identifiers for IPv6 link-local addresses for unwind(8) and resolvd(8).
    • Allowed interface names as scope-id in IPv6 link-local addresses in unbound(8).
    • Let unwind(8) probe for DNS64 presence with an absolute name, so asr doesn’t add search domains and retry.
    • Stopped duplicating “Connection: close” headers in relayd(8), only adding it if it’s not a websocket response.
    • Modified syslog.conf(5) examples to use TLS rather than the plaintext protocols.
    • Stopped ignoring carp(4) interfaces in dhcpleased(8).
    • Made the dhcpleased(8) host name DHCP option configurable.
    • Prevented a crash in slaacd(8) due to updating an interface which no longer exists.
    • Prevented a potential crash when slaacd(8) receives more than 7 nameservers.
    • Fixed crash in slaacd(8) when receiving a negative length field for DNS labels.
    • Fixed unveil(2) in ldapd(8): create permission is required for databases.
    • Made dhcpd(8) start listening on interface in ‘down’ state. Interfaces can come up later, at which point dhcpd(8) will start receiving packets.
    • Added a basic printer for EAPOL packets to tcpdump(8).
    • Made ping(8) print out the source address and sequence number when the signature on an icmp echo reply doesn’t match.
    • Rate-limited rad(8) router advertisements according to RFC 4861.
    • In smtpd(8),
      • Stopped verifying the certificate or CA for a relay using opportunistic TLS.
      • Enabled TLS verification by default for outbound “smtps://” and “smtp+tls://”, restoring documented smtpd(8) behavior.
    • httpd(8) received new features and bugfixes:
      • Responded with 400 Bad Request when a client sends header lines without a colon.
      • Added protocol version checking.
      • Annotated an httpd(8) 413 error with “request body too large” in the error log.
      • Corrected httpd(8) version string
        checking, responding with 505 Version Not Supported rather than 400
        Bad Request when the version format is incorrect.
      • Stopped sending content alongside responses to HEAD requests.
      • Added support for custom error pages.
      • Added a gzip-static option to httpd.conf(5),
        allowing delivery of precompressed files with content-encoding gzip.
      • Improved handling of static compressed gzip files.
    • IPsec support was improved:
      • Made iked.conf(5) proto config option accept a list to allow specifying multiple protocols for a single policy.
      • Fixed removal of SAs that could not be flushed with ipsecctl(8) -F.
      • Changed isakmpd(8) to log a warning when proto is NULL rather than dereferencing it.
      • Fixed broken key exchange negotiation with matching proposals in iked(8).
      • Added ikectl(8) “show certinfo” to show trusted CAs and certificates.
      • Added iked(8) -V to display the version.
      • Fixed a bug where iked(8) sent zero-prefixed NAT-T messages on port 500, causing parsing errors.
      • Improved message fragment retransmissions for iked(8).
      • Make sure iked(8) vroute messages are correctly aligned; this fixes autoconfiguration of addresses on octeon.
    • rpki-client(8) was
      made more resilient regarding untrusted input. The following
      bugfixes and improvements were made:

      • Added support for validating BGPsec Router Public Keys.
      • Fix issues with chunked transfer encoding in the RRDP HTTP client.
      • Cleanup and improvement of how IO is handled.
      • Improvements in the way X509 certificates are verified.
      • Limit the number of concurrent rsync processes.
      • Fix CRLF in tal files.
      • Enforce the correct namespace of rrdp files.
      • Fail certificate verification if a certificate contains unknown
        critical extensions.
      • Improve cleanup of rrdp directory contents.
      • Introduce a validated cache which holds all the files that have
        successfully been verified by rpki-client.
      • Add a new option ‘-f’ to validate a signed object in a file
        against the RPKI cache.
      • Add various RFC 6488 compliance checks to improve the CMS parser.
      • Improve RRDP replication through less aggressive cache cleanup.
      • Add a check whether a given Manifest EE certificate is listed on the
        applicable CRL.
      • For forward compatibility permit ASPA object to appear on Manifests.
      • Various improvements to the ‘-f’ diagnostic option to
        now also validate files containing Trust Anchor certs and CRLs.
      • Do not apply timezone offsets when converting X509 times. X509
        times are in UTC and comparing them to times in different timezones
        would cause validity problems.
    • In bgpd(8),
      • The bgpd login
        class datasize attribute (in login.conf(5)) was set
        to either 16G or 1G, depending on architecture.
      • Macro expansion in the config file was improved. It is now possible
        to expand ‘set large-community $myAS:$location:$transit’.
      • Added a “port” option to “listen on” and the “neighbor” section
        in bgpd.conf(5) to make it
        possible to bind and connect to non-default ports.
      • The RIB codebase was refactored in order to add multipath
        support in an upcoming release.
  • tmux(1) improvements and bug fixes:
    • Fixed a crash in tmux(1) when a session with
      multiple clients is destroyed but tmux does not close completely due
      to other sessions.
    • Fixed a tmux(1)
      redraw problem on automargin terminals.
    • Fixed a problem with repeat in tmux(1) copy mode.
    • Added -T to set a popup title in tmux(1).
    • Added -s and -S to tmux(1) display-popup to set
      popup and border style.
    • Fixed application-set fg and bg in tmux(1) panes.
    • Added a way to force a color to RGB in tmux(1) and a format to
      display it.
    • Added a cursor-colour option to tmux(1).
    • Added a cursor-style option to tmux(1).
    • Added a pane-border-format pane option to tmux(1).
    • Added attempts to turn on less-capable mouse modes when tmux(1) turns on more-capable ones, in case the terminal doesn’t support the desired mode.
    • Added a tmux(1) option to show arrows for the active pane indicator.
    • Added a key in tmux(1) copy mode to toggle the position indicator.
    • Added an option in tmux(1) to set the character for unused areas of the terminal.
    • Add tmux(1) option to control if it scrolls into history on clear.
    • Added OSC 7 capability to tmux(1) for setting titles.
  • LibreSSL version 3.5.2
    • New Features
      • The RFC 3779 API was ported from OpenSSL.
        Many bugs were fixed, regression tests were added and the code was cleaned up.
      • Certificate Transparency was ported from OpenSSL.
        Many internal improvements were made, resulting in cleaner and safer code.
        Regress coverage was added. libssl does not yet make use of it.
    • Portable Improvements
      • Enabled ASAN CI on Linux platform.
      • Fixed various POSIX compliance and other portability issues
        found by the port to the Sortix operating system.
      • Add libmd as a platform-specific library for Solaris.
      • Set IA-64 compiler flag only if it is HP-UX with IA-64.
      • Enabled and scheduled Coverity scans.
    • Compatibility Changes
      • Most structs that were previously defined in the following headers
        are now opaque as they are in OpenSSL 1.1:
        bio.h, bn.h, comp.h, dh.h, dsa.h, evp.h, hmac.h, ocsp.h, rsa.h,
        x509.h, x509v3.h, x509_vfy.h
      • Switch TLSv1.3 cipher names from the AEAD- prefix to OpenSSL’s TLS_ prefix.
        OpenSSL added the TLSv1.3 ciphersuites with “RFC names” instead
        of using something consistent with the previous naming.
        Various test suites expect these names (instead of checking for the much
        more sensible cipher numbers).
        The old names are still accepted as aliases.
      • Subject alternative names and name constraints are now validated
        when they are added to certificates.
        Various interoperability problems with stacks that validate
        certificates more strictly than OpenSSL can be avoided this way.
      • Attempt to opportunistically use the host name for SNI in s_client
      • Allow non-standard name constraints of the form @domain.com.
    • Bug fixes
      • Avoid infinite loop for custom curves of order 1.
      • Avoid infinite loop on parsing DSA private keys.
      • Prevent a malicious certificate from causing an infinite loop.
      • In some situations, the verifier would discard the error on an
        unvalidated certificate chain.
        This would happen when the verification callback was in use,
        instructing the verifier to continue unconditionally.
        This could lead to incorrect decisions being made in software.
      • Avoid an infinite loop in SSL_shutdown()
      • Handle zero byte reads/writes that trigger handshakes in the
        TLSv1.3 stack.
      • A long standing memleak in libtls CRL handling was fixed
      • Allow name constraints with a leading dot.
      • Fix NULL dereferences in openssl(1) cms option parsing.
      • Do not zero the computed cofactor on ec_guess_cofactor() success.
      • Bound cofactor in EC_GROUP_set_generator() to reduce the number of
        bogus groups that can be described with nonsensical parameters.
      • Avoid various potential segfaults in EVP_PKEY_CTX_free() in low
        memory conditions.
    • Internal Improvements
      • Cache the SHA-512 hash instead of the SHA-1 hash and cache
        notBefore and notAfter times when X.509 certificates are parsed.
      • The X.509 lookup code has been simplified and cleaned up.
      • Fixed numerous issues flagged by coverity and the cryptofuzz project.
      • Increased the number of Miller-Rabin checks in DH and DSA
        key/parameter generation.
      • Started using the bytestring API in libcrypto for cleaner and
        safer code.
      • Convert asn1_d2i_ex_primitive()/asn1_collect() from BUF_MEM to CBB
      • Clean up d2i_ASN1_BOOLEAN() and i2d_ASN1_BOOLEAN()
      • Consolidate ASN.1 universal tag type data
      • Rewrite ASN.1 identifier/length parsing in CBS
      • Make OBJ_obj2nid() work correctly with NID_undef
      • Untangle ssl3_get_message() return values
      • Provide a way to determine our maximum legacy version
      • Add explicit CBS_contains_zero_byte() check in CBS_strdup()
      • Improve SNI hostname validation
      • Ensure SSL_set_tlsext_host_name() is given a valid hostname
      • Factor out/rewrite DHE key exchange
      • Convert server serialisation of DHE parameters/public key to new
        functions
      • Provide CBS_get_last_u8(), CBS_get_u64(), CBS_add_u64() and various
        CBS_peek_* functions.
      • Use CBS_get_last_u8() to find the content type in TLSv1.3 records
      • Correct SSL_get_peer_cert_chain() when used with the TLSv1.3 stack
      • Only allow zero length key shares when we know we’re doing HRR
      • Pull key share group/length CBB code up from
        tls13_key_share_public()
      • Refactor ssl3_get_server_kex_ecdhe() to separate parsing and
        validation.
      • Allocate and free the EVP_AEAD_CTX struct in
        tls13_record_protection.
      • Convert legacy TLS client and server to tls_key_share
      • Clean up pkey handling in ssl3_get_server_key_exchange()
      • Fix GOST skip certificate verify handling
      • Simplify SSL_get_peer_certificate()
      • Cleanup/simplify ssl_cert_type()
      • The openssl(1) cms, smime and ts subcommands option handling was
        converted and the C source was cleaned up.
      • Limit OID text conversion to 64 bits per arc.
      • Clean up and simplify memory BIO code.
      • Reduce number of memmove() calls in memory BIOs.
      • Factor out alert handling code in the legacy stack.
      • Add sanity checks on p and q in old_dsa_priv_decode()
      • Cache the SHA-512 hash instead of the SHA-1 for CRLs.
      • Suppress various compiler warnings for old gcc versions.
      • Rework ASN1_STRING_set().
      • Clean up and simplify ssl3_renegotiate{,_check}().
      • Rewrite legacy TLS and DTLS unexpected handshake message handling.
      • Simplify SSL_do_handshake().
      • Rewrite ASCII/text to ASN.1 object conversion.
      • Convert {c2i,d2i}_ASN1_OBJECT() to CBS.
      • Clean up {dtls1,ssl3}_read_bytes().
      • Be more careful with embedded and terminating NULs in the new
        name constraints code.
      • Various minor code cleanup in openssl(1) pkcs12.
      • Simplify priv_key handling in d2i_ECPrivateKey().
    • Documentation improvements
      • 45 new manual pages, most of which were written from scratch.
        Documentation coverage of ASN.1 and X.509 code has been
        significantly improved.
      • Update d2i_ASN1_OBJECT(3) documentation to reflect reality after
        refactoring and bug fixes.
      • Fixed numerous minor grammar, spelling, wording, and punctuation
        issues.
  • OpenSSH 9.0
    • Security
      • Near miss in sshd(8): fix an integer overflow in the user
        authentication path that, in conjunction with other logic errors,
        could have yielded unauthenticated access under difficult-to-exploit
        conditions. This situation is not exploitable because of independent
        checks in the privilege separation monitor. Privilege separation has
        been enabled by default since OpenBSD 3.2 (released in 2002) and has
        been mandatory since OpenBSD 6.1 (released in 2017).
    • Potentially incompatible changes
      • In OpenSSH 8.9 the FIDO security key middleware interface changed,
        incrementing SSH_SK_VERSION_MAJOR.

      • This release switches scp(1) from using the legacy scp/rcp protocol
        to using the SFTP protocol by default.
        Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
        “scp host:* .”) through the remote shell. This has the side effect of
        requiring double quoting of shell meta-characters in file names
        included on scp(1) command-lines; otherwise they could be interpreted
        as shell commands on the remote side.
        This creates one area of potential incompatibility: scp(1) when using
        the SFTP protocol no longer requires this finicky and brittle quoting,
        and attempts to use it may cause transfers to fail. We consider the
        removal of the need for double-quoting shell characters in file names
        to be a benefit and do not intend to introduce bug-compatibility for
        legacy scp/rcp in scp(1) when using the SFTP protocol.
        Another area of potential incompatibility relates to the use of remote
        paths relative to other users’ home directories, for example
        “scp host:~user/file /tmp”. The SFTP protocol has no native way to
        expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later
        supports a protocol extension “expand-path@openssh.com” to support this.
        In case of incompatibility, the scp(1) client may be instructed to use
        the legacy scp/rcp protocol using the -O flag.
    • New features
      • ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
        restricting forwarding and use of keys added to ssh-agent(1).
        A detailed description of the feature is available at
        https://www.openssh.com/agent-restrict.html and the protocol
        extensions are documented in the PROTOCOL and PROTOCOL.agent files
        in the source release.
      • ssh(1),
        sshd(8):
        add the sntrup761x25519-sha512@openssh.com hybrid
        ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
        default KEXAlgorithms list (after the ECDH methods but before the
        prime-group DH ones).
      • ssh-keygen(1):
        when downloading resident keys from a FIDO token,
        pass back the user ID that was used when the key was created and
        append it to the filename the key is written to (if it is not the
        default). Avoids keys being clobbered if the user created multiple
        resident keys with the same application string but different user
        IDs.
      • ssh-keygen(1),
        ssh(1),
        ssh-agent(1):
        better handling for FIDO keys
        on tokens that provide user verification (UV) on the device itself,
        including biometric keys, avoiding unnecessary PIN prompts.
      • ssh-keygen(1): add “ssh-keygen -Y match-principals” operation to
        perform matching of principals names against an allowed signers
        file. To be used towards a TOFU model for SSH signatures in git.
      • ssh-add(1),
        ssh-agent(1):
        allow pin-required FIDO keys to be added
        to ssh-agent(1).
        $SSH_ASKPASS will be used to request the PIN at authentication time.
      • ssh-keygen(1):
        allow selection of hash at sshsig signing time
        (either sha512 (default) or sha256).
      • ssh(1),
        sshd(8):
        read network data directly to the packet input
        buffer instead of indirectly via a small stack buffer. Provides a
        modest performance improvement.
      • ssh(1),
        sshd(8):
        read data directly to the channel input buffer,
        providing a similar modest performance improvement.
      • ssh(1):
        extend the PubkeyAuthentication configuration directive to
        accept yes|no|unbound|host-bound to allow control over one of the
        protocol extensions used to implement agent-restricted keys.

      • ssh(1),
        sshd(8):
        use the hybrid Streamlined NTRU Prime + x25519 key
        exchange method by default (“sntrup761x25519-sha512@openssh.com”).
        The NTRU algorithm is believed to resist attacks enabled by future
        quantum computers and is paired with the X25519 ECDH key exchange
        (the previous default) as a backstop against any weaknesses in
        NTRU Prime that may be discovered in the future. The combination
        ensures that the hybrid exchange offers at least as good security
        as the status quo.
        We are making this change now (i.e. ahead of cryptographically-relevant
        quantum computers) to prevent “capture now, decrypt later” attacks where
        an adversary who can record and store SSH session ciphertext would be
        able to decrypt it once a sufficiently advanced quantum computer is
        available.
      • sftp-server(8): support the “copy-data” extension to allow server-side
        copying of files/data, following the design in
        draft-ietf-secsh-filexfer-extensions-00.
      • sftp(1):
        add a “cp” command to allow the sftp client to perform
        server-side file copies.
    • Bugfixes
      • sshd(8):
        document that CASignatureAlgorithms, ExposeAuthInfo and
        PubkeyAuthOptions can be used in a Match block.
      • sshd(8):
        fix possible string truncation when constructing paths to
        .rhosts/.shosts files with very long user home directory names.
      • ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512
        exchange hashes.
      • ssh(1):
        don’t put the TTY into raw mode when SessionType=none,
        avoids ^C being unable to kill such a session.
      • scp(1):
        fix some corner-case bugs in SFTP-mode handling of
        ~-prefixed paths.
      • ssh(1):
        unbreak hostbased auth using RSA keys. Allow
        ssh(1) to
        select RSA keys when only RSA/SHA2 signature algorithms are
        configured (this is the default case). Previously RSA keys were
        not being considered in the default case.
      • ssh-keysign(1): make ssh-keysign use the requested signature
        algorithm and not the default for the key type. Part of unbreaking
        hostbased auth for RSA/SHA2 keys.
      • ssh(1): stricter UpdateHostkeys signature verification logic on the
        client side. Require RSA/SHA2 signatures for RSA hostkeys except when
        RSA/SHA1 was explicitly negotiated during initial KEX.
      • ssh(1),
        sshd(8):
        fix signature algorithm selection logic for
        UpdateHostkeys on the server side. The previous code tried to
        prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some
        cases. This will use RSA/SHA2 signatures for RSA keys if the
        client proposed these algorithms in initial KEX.
      • All: convert all uses of select(2)/pselect(2) to poll(2)/ppoll(2).
        This includes the mainloops in ssh(1), ssh-agent(1) and sftp-server(8),
        as well as the sshd(8) listen loop and all other FD read/writability
        checks.
      • ssh-keygen(1):
        the “-Y find-principals” command was verifying key
        validity when using ca certs but not with simple key lifetimes
        within the allowed signers file.
      • ssh-keygen(1): make sshsig verify-time argument parsing optional.
      • sshd(8):
        fix truncation in rhosts/shosts path construction.
      • ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA
        keys (we already did this for RSA keys). Avoids fatal errors for
        PKCS#11 libraries that return an empty keyid, e.g. Microchip ATECC608B
        “cryptoauthlib”.
      • ssh(1),
        ssh-agent(1):
        improve the testing of credentials against
        inserted FIDO: ask the token whether a particular key belongs to
        it in cases where the token supports on-token user-verification
        (e.g. biometrics) rather than just assuming that it will accept it.
        Will reduce spurious “Confirm user presence” notifications for key
        handles that relate to FIDO keys that are not currently inserted in at
        least some cases.
      • ssh(1),
        sshd(8):
        correct value for IPTOS_DSCP_LE. It needs to
        allow for the preceding two ECN bits.
      • ssh-keygen(1):
        add missing -O option to usage() for the “-Y sign” option.
      • ssh-keygen(1): fix a NULL deref when using the find-principals
        function, when matching an allowed_signers line that contains a
        namespace restriction but no restriction is specified on the
        command-line.
      • ssh-agent(1): fix memleak in process_extension(); oss-fuzz issue #42719.
      • ssh(1):
        suppress “Connection to xxx closed” messages when LogLevel
        is set to “error” or above.
      • ssh(1),
        sshd(8):
        use correct zlib flags when inflate(3)-ing compressed packet data.
      • scp(1):
        when recursively transferring files in SFTP mode, create the
        destination directory if it doesn’t already exist to match
        scp(1) in
        legacy RCP mode behaviour.
      • scp(1):
        many improvements in error message consistency between
        scp(1)
        in SFTP mode vs legacy RCP mode.
      • sshd(8): fix potential race in SIGTERM handling.
      • ssh(1), sshd(8): since DSA keys are deprecated, move them to the end
        of the default list of public keys so that they will be tried last.
      • ssh-keygen(1): allow ‘ssh-keygen -Y find-principals’ to match
        wildcard principals in allowed_signers files.

      • ssh(1), sshd(8): fix poll(2) spin when a channel’s output fd closes
        without data in the channel buffer.
      • sshd(8): pack pollfd array in server listen/accept loop. Could cause
        the server to hang/spin when MaxStartups > RLIMIT_NOFILE.
      • ssh-keygen(1):
        avoid NULL deref via the find-principals and check-novalidate operations.
      • scp(1):
        fix a memory leak in argument processing.
      • sshd(8):
        don’t try to resolve ListenAddress directives in the sshd
        re-exec path. They are unused after re-exec and parsing errors
        (possible for example if the host’s network configuration changed)
        could prevent connections from being accepted.
      • sshd(8):
        when refusing a public key authentication request from a
        client for using an unapproved or unsupported signature algorithm
        include the algorithm name in the log message to make debugging
        easier.
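The ssh-keygen(1) -Y match-principals operation and the find-principals lifetime and wildcard fixes listed above all depend on how an allowed_signers file is read. The following Python model is an added example, not OpenSSH code: it parses the principals [options] keytype key format, applies ssh_config(5)-style wildcard and negated principal patterns, and enforces the namespaces and valid-after/valid-before options for plain-key lines; the allowed_signers content and key strings are constructed placeholders, and timestamps are treated as UTC.

```python
"""Model of the OpenSSH allowed_signers format (added example, not OpenSSH code): the
principal matching of `ssh-keygen -Y match-principals` plus the key, namespace and
lifetime checks of `-Y find-principals` for plain-key lines. Timestamps are read as UTC."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# A second field starting with one of these is the key type; otherwise it is options,
# comma separated, each 'name' or 'name="value"' (commas inside quotes are kept).
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")
OPTION_RE = re.compile(r'([\w-]+)(?:="([^"]*)")?')


@dataclass
class Entry:
    line: int
    principals: list[str]  # pattern list split on commas; a '!' prefix negates
    key_type: str
    key_b64: str
    cert_authority: bool
    namespaces: list[str] | None
    valid_after: datetime | None
    valid_before: datetime | None


def parse_timestamp(value: str) -> datetime:
    """YYYYMMDD[Z] or YYYYMMDDHHMM[SS][Z]; every form is read as UTC here."""
    digits = value.rstrip("Z")
    fmt = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}.get(len(digits))
    if fmt is None or not digits.isdigit():
        raise ValueError(f"bad timestamp {value!r}")
    return datetime.strptime(digits, fmt).replace(tzinfo=timezone.utc)


def parse_allowed_signers(text: str) -> list[Entry]:
    """One Entry per non-comment line: principals [options] keytype key [comment]."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        opts: dict[str, str] = {}
        if len(fields) > 1 and not fields[1].startswith(KEY_TYPE_PREFIXES):
            opts, fields = dict(OPTION_RE.findall(fields[1])), fields[:1] + fields[2:]
        if len(fields) < 3:
            raise ValueError(f"line {lineno}: expected principals [options] keytype key")

        def ts(name: str) -> datetime | None:
            return parse_timestamp(opts[name]) if name in opts else None

        ns = opts.get("namespaces")
        entries.append(Entry(lineno, fields[0].split(","), fields[1], fields[2],
                             "cert-authority" in opts, ns.split(",") if ns else None,
                             ts("valid-after"), ts("valid-before")))
    return entries


def match_pattern(pattern: str, name: str) -> bool:
    """ssh_config(5) wildcards: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, name) is not None


def match_pattern_list(patterns: list[str], name: str) -> bool:
    """A matching '!'-negated pattern vetoes the whole list; else any positive match wins."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if match_pattern(pat[1:], name):
                return False
        elif match_pattern(pat, name):
            matched = True
    return matched


def match_principals(entries: list[Entry], identity: str) -> list[Entry]:
    """`ssh-keygen -Y match-principals -I identity`: pattern match only, options ignored."""
    return [e for e in entries if match_pattern_list(e.principals, identity)]


def find_principals(entries: list[Entry], key_type: str, key_b64: str,
                    namespace: str, when: datetime) -> list[str]:
    """Plain-key path of `-Y find-principals`: key listed verbatim, namespace allowed,
    and the line's lifetime (if any) must cover `when`, the signature verify time."""
    found = []
    for e in entries:
        if e.cert_authority or (e.key_type, e.key_b64) != (key_type, key_b64):
            continue
        if e.namespaces is not None and not match_pattern_list(e.namespaces, namespace):
            continue
        not_yet = e.valid_after is not None and when < e.valid_after
        expired = e.valid_before is not None and when >= e.valid_before
        if not (not_yet or expired):
            found.append(",".join(e.principals))
    return found


# Constructed sample allowed_signers content; the key fields are placeholders, not keys.
SAMPLE = """\
# anyone in the domain except bob may sign, but only in the git namespace
alice@example.org ssh-ed25519 AAAAPLACEHOLDER-ALICE alice's laptop
!bob@example.org,*@example.org namespaces="git" ssh-ed25519 AAAAPLACEHOLDER-SHARED
carol@example.org valid-after="20220101Z",valid-before="20230101Z" ssh-ed25519 AAAAPLACEHOLDER-CAROL
"""
```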
  • mandoc 1.14.6 plus several bugfixes, including:
    • Fixed man(1) to always read the configuration file and respect the other
      directives contained in it, even when the manpath is overridden by other
      means.
    • Fixed a memory leak in man(1) that mattered when many names were given on
      the command line.
    • Fixed a small memory leak in the roff(7) parser that occurred each time a
      user-defined macro was called.
    • Fixed the width of the h (horizontal motion) roff(7) escape sequence in the
      PostScript and PDF output modes.
  • Ports and packages:

    Many pre-built packages for each architecture:

    • aarch64: 11081
    • amd64: 11301
    • arm: 8372
    • i386: 10136
    • mips64: 8708
    • powerpc: 9290
    • powerpc64: 9132
    • riscv64: 9108
    • sparc64: 9288

    Some highlights:

    • Asterisk 16.25.1, 18.11.1 and 19.3.1
    • Audacity 2.4.2
    • CMake 3.20.3
    • Chromium 100.0.4896.75
    • Emacs 27.2
    • FFmpeg 4.4.1
    • GCC 8.4.0 and 11.2.0
    • GHC 8.10.6
    • GNOME 41.5
    • Go 1.17.7
    • JDK 8u322, 11.0.14 and 17.0.2
    • KDE Applications 21.12.2
    • KDE Frameworks 5.91.0
    • Krita 5.0.2
    • LLVM/Clang 13.0.0
    • LibreOffice 7.3.2.2
    • Lua 5.1.5, 5.2.4 and 5.3.6
    • MariaDB 10.6.7
    • Mono 6.12.0.122
    • Mozilla Firefox 99.0 and ESR 91.8.0
    • Mozilla Thunderbird 91.8.0
    • Mutt 2.2.2 and NeoMutt 20211029
    • Node.js 16.14.2
    • OCaml 4.12.1
    • OpenLDAP 2.4.59
    • PHP 7.4.28, 8.0.17 and 8.1.4
    • Postfix 3.5.14
    • PostgreSQL 14.2
    • Python 2.7.18, 3.8.13, 3.9.12 and 3.10.4
    • Qt 5.15.2 and 6.0.4
    • R 4.1.2
    • Ruby 2.7.5, 3.0.3 and 3.1.1
    • Rust 1.59.0
    • SQLite 2.8.17 and 3.38.2
    • Shotcut 21.10.31
    • Sudo 1.9.10
    • Suricata 6.0.4
    • Tcl/Tk 8.5.19 and 8.6.8
    • TeX Live 2021
    • Vim 8.2.4600 and Neovim 0.6.1
    • Xfce 4.16
  • As usual, steady improvements in manual pages and other documentation.
  • The system includes the following major components from outside suppliers:
    • Xenocara (based on X.Org 7.7 with xserver 1.21.1.3 + patches,
      freetype 2.11.0, fontconfig 2.12.94, Mesa 21.3.7, xterm 369,
      xkeyboard-config 2.20, fonttosfnt 1.2.2 and more)
    • LLVM/Clang 13.0.0 (+ patches)
    • GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    • Perl 5.32.1 (+ patches)
    • NSD 4.4.0
    • Unbound 1.15.0
    • Ncurses 5.7
    • Binutils 2.17 (+ patches)
    • Gdb 6.3 (+ patches)
    • Awk October 12, 2021
    • Expat 2.4.7

How to install

Please refer to the following files on the mirror site for
extensive details on how to install OpenBSD 7.1 on your machine:


Quick installer information for people familiar with OpenBSD, and the use of
the “disklabel -E” command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!

OpenBSD/alpha:

If your machine can boot from CD, you can write install71.iso or
cd71.iso to a CD and boot from it.
Refer to INSTALL.alpha for more details.

OpenBSD/amd64:

If your machine can boot from CD, you can write install71.iso or
cd71.iso to a CD and boot from it.
You may need to adjust your BIOS options first.

If your machine can boot from USB, you can write install71.img or
miniroot71.img to a USB stick and boot from it.

If you can’t boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.

If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.

OpenBSD/arm64:

Write install71.img or miniroot71.img to a disk and boot from it
after connecting to the serial console. Refer to INSTALL.arm64 for more
details.

OpenBSD/armv7:

Write a system specific miniroot to an SD card and boot from it after connecting
to the serial console. Refer to INSTALL.armv7 for more details.

OpenBSD/hppa:

Boot over the network by following the instructions in INSTALL.hppa or the
hppa platform page.

OpenBSD/i386:

If your machine can boot from CD, you can write install71.iso or
cd71.iso to a CD and boot from it.
You may need to adjust your BIOS options first.

If your machine can boot from USB, you can write install71.img or
miniroot71.img to a USB stick and boot from it.

If you can’t boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.

If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.

OpenBSD/landisk:

Write miniroot71.img to the start of the CF
or disk, and boot normally.

OpenBSD/luna88k:

Copy ‘boot’ and ‘bsd.rd’ to a Mach or UniOS partition, and boot the bootloader
from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.

OpenBSD/macppc:

Burn the image from a mirror site to a CDROM, and power on your machine
while holding down the C key until the display turns on and
shows OpenBSD/macppc boot.

Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot /7.1/macppc/bsd.rd

OpenBSD/octeon:

After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.

OpenBSD/powerpc64:

To install, write install71.img or miniroot71.img to a
USB stick, plug it into the machine and choose the OpenBSD install
menu item in Petitboot.
Refer to the instructions in INSTALL.powerpc64 for more details.

OpenBSD/riscv64:

To install, write install71.img or miniroot71.img to a
USB stick, and boot with that drive plugged in.
Make sure you also have the microSD card plugged in that shipped with the
HiFive Unmatched board.
Refer to the instructions in INSTALL.riscv64 for more details.

OpenBSD/sparc64:

Burn the image from a mirror site to a CDROM, boot from it, and type
boot cdrom.

If this doesn’t work, or if you don’t have a CDROM drive, you can write
floppy71.img or floppyB71.img (depending on your machine) to a floppy and
boot it with boot floppy. Refer to INSTALL.sparc64 for details.

Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.

You can also write miniroot71.img to the swap partition on
the disk and boot with boot disk:b.

If nothing works, you can boot over the network as described in INSTALL.sparc64.


How to upgrade

If you already have an OpenBSD 7.0 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
Upgrade Guide.


Notes about the source code

src.tar.gz contains a source archive starting at /usr/src.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:

# mkdir -p /usr/src
# cd /usr/src
# tar xvfz /tmp/src.tar.gz

sys.tar.gz contains a source archive starting at /usr/src/sys.
This file contains all the kernel sources you need to rebuild kernels.
To extract:

# mkdir -p /usr/src/sys
# cd /usr/src
# tar xvfz /tmp/sys.tar.gz

Both of these trees are a regular CVS checkout. Using these trees it
is possible to get a head-start on using the anoncvs servers as
described here.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.


Ports Tree

A ports tree archive is also provided. To extract:

# cd /usr
# tar xvfz /tmp/ports.tar.gz

Go read the ports page
if you know nothing about ports
at this point. This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.

The ports/ directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
AnonCVS.
So, in order to keep up to date with the -stable branch, you must make
the ports/ tree available on a read-write medium and update the tree
with a command like:

# cd /usr/ports
# cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_7_1

[Of course, you must replace the server name here with a nearby anoncvs
server.]

Note that most ports are available as packages on our mirrors. Updated
ports for the 7.1 release will be made available if problems arise.

If you’re interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
ports@openbsd.org is a good place to know.
