OpenBSD 5.8 arrives on the 20th birthday of the OpenBSD project.
October 18, 2015.
We are pleased to announce the official release of OpenBSD 5.8.
This is our 38th release on CD-ROM (and 39th via FTP/HTTP). We remain
proud of OpenBSD's record of twenty years with only two remote holes in
the default install.
As in our previous releases, 5.8 provides significant improvements,
including new features, in nearly all areas of the system:
- Improved hardware support, including:
o New rtwn(4) driver for Realtek RTL8188CE wifi cards.
o New hpb(4) driver for HyperTransport bridges as found in the IBM
CPC945.
o The ugold(4) driver now supports TEMPerHUMV1.x temperature and
humidity sensors.
o Improved sensor support for the upd(4) driver for USB Power
Devices (UPS).
o Support for jumbo frames on re(4) devices using RTL8168C/D/E/F/G
and RTL8411, including PC Engines APU.
o re(4) now works with newer devices, e.g. RTL8111GU.
o Partial support has been added for full-speed isochronous devices
in ehci(4), allowing USB 1.1 audio devices to be used on
EHCI-only systems in some cases.
o Improved macppc stability and G5 performance with MP kernels.
o acpicpu(4) uses ACPI C-state information to reduce power
consumption of idle CPUs.
o Kernel supports x86 AVX instructions on CPUs that have them.
o Avoid assigning low address to PCI BARs, fixing various issues on
machines whose BIOSes neglect to claim low memory.
o wscons(4) works with even more odd trackpads.
o Added pvbus(4) paravirtual device tree root on virtual machines
that are running on hypervisors.
o New octdwctwo(4) driver for USB support on OpenBSD/octeon.
o New amdcf(4) driver for embedded flash on OpenBSD/octeon.
o Support for RTL8188EU devices was added to the urtwn(4) driver.
- Removed hardware support:
o The lmc(4) driver for Lan Media Corporation SSI/T1/DS1/HSSI/DS3
devices has been removed.
o The san(4) driver for Sangoma Technologies AFT T1/E1 devices has
been removed.
- Generic network stack improvements:
o MTU of vlan(4) devices can now be set independently from the
parent interface's MTU.
o The same network range can now be assigned to multiple
interfaces, using interface priorities to choose between them.
o New MPLS pseudowire driver mpw(4).
o Much preparatory work for MP unlocking of the network stack.
- Installer improvements:
o The logic of the 'Allow root ssh login?' question has been
changed.
    - The default answer is now 'no'.
    - 'prohibit-password' has been added to the list of possible
      answers.
o autoinstall(8) has been extended to allow
    - hostname-mode.conf response file names.
    - response files to be placed in a subdir of the webserver's
      document root.
    - passing a template file to disklabel(8) to automatically
      partition the disk.
o ntpd(8) is now enabled by default at install time.
o DUID support has improved enough that new installs now use them
unconditionally.
o Installing sets from CD-ROM has been fixed if more than one
CD-ROM drive is present.
o The 'Which CD-ROM contains the install media?' question has been
removed. Available cdrom devices are now shown directly in the
'Location of sets?' prompt.
- Routing daemons and other userland network improvements:
o Many improvements and simplifications in ldpd(8), including
configuration reload and support for mpw(4) pseudowire interfaces.
o bgpd(8) now allows rules to match on the peer AS number.
o For terminated BGP sessions, bgpctl(8) now displays the number of
prefixes received on the last session.
o ospfd(8) now correctly handles carp(4) interfaces in "backup" mode
at startup.
o Log messages in bgpd(8) and ospfd(8) have been made more specific.
o The default Diffie-Hellman group for VPNs configured by
ipsec.conf(5) has been changed to modp3072.
o New radiusd(8), Remote Authentication Dial In User Service
(RADIUS) daemon.
- Security improvements:
o sudo in base has been replaced with doas(1); sudo is available as
a package.
o file(1) has been replaced with a new modern implementation,
including sandbox and privilege separation.
o pax(1) (and tar(1) and cpio(1)) now prevent archive extraction
from escaping the current directory via symlinks; tar(1) without
-P option now strips up through any ".." path components.
o Static PIE support for sparc.
o Alpha switched to secure PLT.
o Improved kernel checks of ELF headers.
o Support for the NX (No-eXecute) bit on i386, resulting in much
better W^X enforcement in userland for hardware that has this
feature.
o Enforcement of W^X in the kernel address space on i386 when using
processors with the NX bit.
o Work started on a new