- OpenBSD 7.1 RELEASED -------------------------------------------------

April 21, 2022.

We are pleased to announce the official release of OpenBSD 7.1.
This is our 52nd release.  We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.

As in our previous releases, 7.1 provides significant improvements,
including new features, in nearly all areas of the system:

 - New/extended platforms:
    o Support for Apple Silicon Macs has improved and is ready for
      general use:
       - Added aplspi(4), a driver for the SPI controller found on the
         Apple M1 SoC.
       - Added aplhidev(4) support for the keyboard/touchpad on Apple
         M1 laptops.
       - Introduced aplpmgr(4), a driver for the power management
         controller found on Apple SoCs.
       - Introduced aplmbox(4), a driver for the mailbox that provides
         a communication channel with additional cores integrated on
         Apple SoCs.
       - Introduced apliic(4), a driver for the I2C controller found
         on Apple SoCs.
       - Added the chip ids used on Apple M1 Pro/Max and Apple T2 Macs
         to bwfm(4).
       - Rewrote arm64 kernel FPU handling code to fix the random
         crashes seen with SMP kernels on Apple M1.
       - Restricted the pci(4) ioctl interface to devices detected by
         the kernel, preventing Xorg PCI probes from breaking the WiFi
         chip on M1 macs.
       - Introduced aplsmc(4), a driver for the SMC found on Apple M1
       - Introduced aplnco(4), a driver for the Numerically-controlled
         oscillator (NCO) clock which drives the audio clocks on Apple
       - Introduced tascodec(4), a driver for the TI TAS2770/TAS5770
         digital audio amplifier codec found on Apple M1 Macs.
       - Introduced apldma(4), a driver for the DMA controller found
         on Apple SoCs.
       - Added support to explicitly power on some PCIe devices on the
         M1 and M1 Pro/Max through a GPIO controlled by the SMC.
       - Added aplcpu(4), a driver to control the CPU performance
         levels on Apple SoCs.
       - Modified aplintc(4) to support a newer interrupt controller,
         making OpenBSD run on M1 Pro/Max machines.
       - Added nvmem support to aplpmu(4) and made it available on
         Apple SPMI PMUs.
       - Added RTC support to aplsmc(4).
       - Made the arm64 ramdisk installer fetch bwfm(4) firmware from
         the EFI System Partition on Apple Silicon devices for use
         during installation and addition to the newly installed
       - Added support for controlling keyboard LEDs to aplhidev(4).
       - Added basic GPIO support to aplsmc(4).
       - Ensured apldart(4) keeps the DART enabled in front of the
         display controller to preserve its access to the framebuffer
         and continued display.
       - Fixed reading motherboard time on Apple machines with old SMC
       - Implemented reboot/powerdown support in aplsmc(4).
       - Implemented aplintc(4) support for multiple dies, making
         OpenBSD work on the M1 Ultra.
    o Support for other arm64 architecture hardware was also improved
      with the following changes:
       - Introduced gpiocharger(4), a driver providing support for
         battery chargers connected to GPIO pins, such as those found
         on the Pinebook Pro.
       - Introduced gpioleds(4) for arm64, a driver providing support
         for LEDs connected to GPIO pins, such as those found on the
         Pinebook Pro.
       - Added gpiokeys(4) for arm64, a driver which handles events
         triggered by GPIO keys such as lid status and power button.
       - Added pclk clock used by dwdog(4) on RK3399 to rkclock(4).
       - Introduced mpfclock(4), a driver for the PolarFire SoC MSS
         clock controller.
       - Introduced cdsdhc(4), a driver for the Cadence SD/SDIO/eMMC
         host controller.
       - Introduced mpfiic(4), a driver for the PolarFire SoC MSS I2C
       - Introduced mpfgpio(4), a driver for the PolarFire SoC MSS
         GPIO controller.
       - Enabled cduart(4) on arm64.
       - Added mvpinctrl(4) support for the CP115 block found on
         Marvell CN9K SoCs.
       - Added mvclock(4) support for the AP807 block found on Marvell
         CN9K SoCs.
    o Changes on other architectures:
       - Enabled uhid(4)/fido(4) on riscv64.
       - Allowed riscv64 installation on a disk with a GPT.
       - Added missing locking to pmap_extract(9) and pmap_unwire(9)
         on arm64 and riscv64.
       - Improved stack unwinding on riscv64 in ddb(4).
       - Fixed kernel stack alignment on riscv64.
       - Fixed RISC-V lld link code when dealing with object files
         created with "ld -b".
       - Made sure nothing can map address zero on RISC-V.
       - Made sure armv7, arm64 and RISC-V FDT bootloader code does not
         write beyond the FDT data structure.
       - Fixed booting from an IDE block device on the Sun Blade 100.
       - Fixed radeondrm(4) console colors on sparc64.
       - Enabled dt(4) on macppc.
       - Increased ddb(1) access to registers on macppc and powerpc64.
       - Enabled enforcing of RLIMIT_MEMLOCK on powerpc64.
       - Allowed ddb(4) trace through interrupt on macppc.

 - Various kernel improvements:
    o Made futexes work in shared anonymous memory.
    o Improved tracking of mbuf memory usage in the whole system.
    o Switched to using long filenames by default with mount_msdos(8).
    o Fixed memory leak in fuse(4) when calling namei(9).
    o Fixed establishing legacy INTx interrupts on machines without a
      (usable) MSI interrupt controller.
    o Cleaned up irrelevant uses of 3rd mode_t parameter for
      open(2)/openat(2), unused when not creating files.
    o Reworked garbage collector for unix(4) sockets to prevent
      potential kernel panics.
    o Changed the power management sysctl(8) hw.perfpolicy to "auto" at
      startup, defaulting to 100% performance with AC power connected
      and using the auto algorithm when on battery.
    o Aligned memory allocation for USB device drivers and USB HC
      drivers, enlarging the USB memory pool.
    o Prevent panic in softraid(4) while rebooting if softraid has been
    o Fixed hibernate setups where removal of a umass(4) device results
      in a renumbered softraid(4) boot device.
    o Fix hibernate on newer hardware by allowing more memory ranges.
    o If CPU sleep state S4 is not available, use S5 for the
      ACPI-transitions in hibernate support.
    o Added code to update hw.power whenever AC state changes on resume.
    o Fixed a panic by prohibiting renames of tmpfs mount-points.
    o Fixed double free after allocation failure in bpf(4).

 - SMP Improvements
    o Made pipe event filters MP-safe.
    o Set klist lock for sockets to make socket event filters MP-safe.
    o Implemented poll(2), select(2), ppoll(2) and pselect(2) on top of
    o Unlocked top part of UVM fault handler on mips64.
    o Unlocked the kevent(2) system call.
    o Made the kqread event filter MP-safe.
    o Reduced the time overhead of kqueue(2)-based poll(2) and select(2)
      system calls by keeping knotes between the system calls.
    o Unlocked accept(2) and accept4(2) syscalls.
    o Prevented select(2) from blocking if registering found pending
    o Protected ipsec(4) input and output with the kernel lock to allow
      forwarding of non-ipsec traffic in parallel.
    o Unlocked the bottom part of the uvm fault handler.
    o Unlocked getpeername(2).
    o Made bpf(4) MP-safe.
    o Implemented the poll(2) system call on top of the kqueue(2)
      subsystem, obsoleting the old, non-MP-safe poll backend.
    o Made audio(4) event filters MP-safe.
    o Unlocked getsockname(2).
    o Added kernel interfaces for atomic load and store functions for
      int and long to be used in reference counted struct members.

 - Direct Rendering Manager
    o Updated drm(4) to Linux 5.15.26
    o inteldrm(4): support for Elkhart Lake, Jasper Lake, Rocket Lake
    o amdgpu(4): support for Van Gogh APU, Rembrandt "Yellow Carp" Ryzen
      6000 APU, Navi 22 "Navy Flounder", Navi 23 "Dimgrey Cavefish",
      Navi 24 "Beige Goby"
    o Reinstated a drm(4) workaround to get framebuffer size from efifb,
      preventing fatal errors for the BESSTAR TECH HM90 with Ryzen 9

 - VMM/VMD improvements
    o Retired switch(4) support in vmd(8).
    o Fixed a bug where vmd(8) would exit when requesting a new VM and
      hitting memory resource limits.
    o Fixed vmm(4) state corruption on Intel hosts.
    o Fixed vmm(4) cpuid leaf clamping when the host has an invariant
    o Added quiesce/wakeup hooks to vmm(4) allowing Intel hosts to
      suspend and hibernate safely with running guests.
    o Added a new login class for vmd(8) on amd64.
    o Fixed broken vmd(8) "boot device cdrom" feature after a fix in
    o Reintroduced support for vmctl(8) start -B net -b bsd.rd, which
      emulates a PXE boot and performs an autoinstall.
    o Made vmm(4) dt(4) tracepoints amd64-only.

 - Various new userland features:
    o Added realpath(1), a wrapper for realpath(3) for use in ports.
    o Added rcctl(8) "ls rogue" to show daemons which are running but
      not set as "enabled" in rc.conf.local(8).
    o Implemented probe variables in BPFtrace (bt(5)).
    o Provided common btrace(8) scripts kprofile.bt (to save kernel
      stackframes and produce flamegraphs) and runqlat.bt (to measure
      the latency of the scheduler runqueues).
    o DNSSEC support: Implemented RFC6840 (AD flag processing) in the
      libc resolver, if using trusted name servers specified with
      'trust-ad' in resolv.conf(5).
    o Enabled support for displaying an estimated battery recharge time
      in apm(8) and apmd(8).
    o Introduced support for storing capability databases in
      /etc/login.conf.d, allowing easy addition of custom login classes
      from packages and made rcctl(8) look for the login class in both
      login.conf and login.conf.d/${class}.
    o Added a malloc(3) cache of regions between 128k and 2M to
      accommodate programs allocating and deallocating regions of these
      sizes quickly.
    o Added pax(1) support for mtime/atime/ctime extended headers (in
      not-SMALL builds).
    o Added -k flag to gzip(1) and gunzip(1) to retain (de)compressed
    o Implemented openrsync(1) --compare-dest, allowing specification of
      additional directories to check for files to be available.
    o Implemented openrsync(1) --max-size and --min-size.

 - Various bugfixes and tweaks in userland:
    o Stopped pkg_add(1) from communicating warnings starting with "XXX"
      which appeared to indicate errors.
    o Enabled subpixel rendering in FreeType.
    o Updated xorg-server to 21.1.3, leaving in place an earlier change
      to compute the screen resolution from dimensions returned by the
      screen, reverted by upstream.
    o Allowed bare numbers for key and mouse bindings in cwm(1).
    o Added a cwm(1) "group-last" command that shows only the previously
      active group.
    o Fixed glass console and getty(8) interference with Xorg on arm64.
    o Fixed octal escape parsing in tr(1) backslash().
    o Added uniq(1) support for arbitrarily long input lines.
    o Made uniq(1) ignore trailing newlines when comparing lines.
    o Made uniq(1) skip() each input line only once, improving
    o Increased tee(1) I/O buffer size from 8KB to 64KB.
    o Improved performance of rev(1).
    o Made ed(1) flush all stdio streams before running a shell command.
    o Prevented a file descriptor leak in touch(1) after futimens(2)
    o Added seq(1), a command to print sequences of numbers.
    o Set cpuspeed to 0 in apm(8) when hw.cpuspeed cannot be retrieved.
    o Copied the cos(3) cosine software implementation from FreeBSD-13,
      and disabled assembly implementations of trig functions on x86
    o Added optimization for tiny x in cos(3) and sin(3) trigonometry
    o Switched aucat(1) internal sample representation and default file
      encoding to 24-bit.
    o Switched sndiod(8) internal sample representation to 24-bit fixed
    o Allowed passing a different signal than SIGTERM in the default
      rc_stop() function in rc.subr(8).
    o Improved and simplified timer handling in rc.d(8) "stop" and
    o Made fdisk(8) -b available on all architectures.
    o Removed the constraint that fdisk(8) -b block count and block
      offset must be greater than 63.
    o Made fdisk(8) -b partitions other than EFI System partitions
    o Switched to using fdisk(8) -b to create boot partitions on
      multiple architectures.
    o Removed fdisk(8) "disk" editing command.
    o Prevented fdisk(8) from initializing an MBR to have overlapping
      partitions 0 and 3.
    o Allowed fdisk(8) to extend the default OpenBSD partition to the
      end of the disk, rather than truncating at the end of the last
      full cylinder.
    o Corrected GPT checksums written by fdisk(8) on big-endian
      architectures to be little-endian as per spec.
    o Made fdisk(8) -A preserve BIOS boot partition.
    o Made fdisk(8) -A preserve the EFI System partition on GPT disks
      with Apple APFS partitions.
    o Removed the builtin MBR from fdisk(8).
    o Removed the "rpath" and "wpath" pledges from fdisk(8).
    o Ensured fdisk(8) creates the default OpenBSD MBR partition only
      when there is space for it.
    o Ensured fdisk(8) does not set MBR DOSACTIVE flag on unused
      partitions when initializing MBR.
    o Reduced the alignment space fdisk(8) inserts before the start of
      the default OpenBSD partition.
    o Merged bugfixes from upstream into less(1) including fixes for the
      prompt hiding feature (CTRL-P) and an integer overflow.
    o Fixed possible use after free with long lines in less(1).
    o Fixed file descriptor leak of /dev/tty on doas(1) auth failure.
    o Replaced lrint(3), lrintf(3), llrint(3) and llrintf(3)
      implementations from NetBSD with the existing FreeBSD
      implementations we were already using for lrintl(3) and
    o In various games, call pledge(2) later to prevent it from killing
      various games using ncurses when both stdout and stderr are
      redirected to a non-tty.
    o Switched LLD_ARCHs (architectures using the LLVM ld.lld(1) linker)
      to also use the LLVM archiver llvm-ar(1).
    o Added openvpn ports (udp/1194 & tcp/1194) to /etc/services.
    o Prevented an access to uninitialized memory in awk(1).
    o Fixed vi(1) recovery mode.
    o Extended and reordered the process accounting information
      structure acct(5). Flag Day for the acct(2) file format.
    o Fixed setusercontext(3) error when /etc/login.conf is not present.

 - Improved hardware support and driver bugfixes, including:
    o Added support to pchgpio(4) for Cannon Lake H and Tiger Lake H
    o Ensured use of the correct encoding in xenocara when /etc/kbdtype
      is present with an attached ucc(4) keyboard.
    o Added support for tpm2 CRB interface to tpm(4), fixing recent S4
      regressions on the Surface Go 2 caused by a firmware change.
    o Ensured armv7 and arm64 efiboot allocate fresh memory for the
      device tree with at least one page of free space to extend into.
      This fixes booting on VMWare Fusion.
    o Stopped binding audio devices exposed by sndiod(8) to physical
    o Fixed handling of interrupts shared between multiple swiic(4)
    o Introduced iicmux(4), a driver that switches between I2C busses
      connected to a single I2C controller by using the pin muxing
      facilities of an SoC.
    o Introduced pcyrtc(4), a driver for the NXP PCF85063A/TP RTC chips.
    o Fixed a panic when running utvfu(4) on xhci(4).
    o Added acpipci(4) support for interrupts represented by ACPI PCI
      Interrupt Link Devices, making PCI interrupts work on QEMU's SBSA
    o Added handling of multi-port controllers to uslcom(4).
    o Make com(4) attach over acpi(4) on amd64.
    o Added address locators for the ACPI "bus" and used these to fix
      the order of the com(4) devices to match the traditional order on
      the ISA bus.
    o Added Intel Jasper Lake to the azalia(4) audio driver.
    o Ensured azalia(4) matches on Intel 300 Series audio, fixing
      attaching on the Dell G3 3590.
    o Added Synopsys Designware UART support to com(4).
    o Fixed an issue where com(4) would attach for a disabled serial
      port leading to misdirection of the hardware variant and a
      subsequent hang when /etc/rc runs ttyflags(8) -a.
    o Fixed sdhc(4) for Jasper Lake eMMC.
    o Improved how quirks are handled on sdhc(4)-compatible drivers.
    o Enabled acpibat(4) use with the Surface Go 3.
    o Fixed suspend/resume issues with com(4) at acpi(4).
    o Correlated uaudio(4) and ucc(4) devices to adjust the volume of
      the correct audio device rather than the first one attached.
    o Enabled FIFO support in pluart(4).
    o Added support for XBox One game controller.
    o Stopped suspending the tpm(4) device upon hibernation, preventing
      some systems from hanging when hibernating a second time.
    o Fixed hilkbd(4) Swedish keyboard layout on non-PS/2 style

 - New or improved network hardware support:
    o Added support to umb(4) for SIMCom SIM7600.
    o Fixed an interrupt storm on dwge(4) variants which support Energy
      Efficient Ethernet when connected to a switch which does so as
    o Made dwge(4) and dwxe(4) MP-safe.
    o Added igc(4), a driver for the Intel 2.5Gb Ethernet controllers.
    o Implemented em(4) support for selecting SMGII or SerDes mode
      depending on the plugged-in SFP transceiver and for reading out
      transceiver information via ifconfig(8).
    o Enabled hardware vlan tagging for ixl(4).
    o Re-enabled ixl(4) IPv4, TCP4/6 and UDP4/6 checksum offloading.
    o Enabled receive checksum offloading on ixl(4).
    o Prevented a possible deadlock in cad(4).
    o Prevented aq(4) nics from writing to mbufs taken off the ring when
      the interface was taken down.
    o Fixed receive filter handling and vlan packet reception in aq(4).
    o Enabled vlan and checksum offloads in aq(4).
    o Enabled interrupt moderation in aq(4), aiming at around 20k per
    o Fixed ure(4) vlan transmission with hw tagging.
    o Added preliminary ure(4) support for RTL8156B and bug fixes for
    o Reworked ix(4) checksum/vlan offloading and enabled it for IPv6.
    o Enabled IP header checksum offloading in ix(4).
    o Fixed msk(4) operation after interface state changes.
    o Enabled vmx(4) on arm64.

 - Added or improved wireless network drivers:
    o Introduced mtw(4), a driver for MediaTek MT7601U USB wifi devices,
      enabled on amd64, i386, macppc, and arm64.
    o Added 802.11n Tx aggregation support to the iwx(4) driver.
    o Added support for 802.11n 40MHz channels, and 802.11ac 80MHz
      channels, to the iwm(4) and iwx(4) drivers.
    o Reset the Tx watchdog timer when a block ack notification is
      received by iwx(4) and iwm(4) firmware to prevent spurious device
    o Prevent invalid net80211 state transitions in the iwm(4) and
      iwx(4) drivers to avoid a potential hang.
    o Fixed a panic when iwx(4) cannot find firmware at boot time.
    o Fixed iwm(4) performance drop after roaming between APs in 11n
    o When roaming with iwm(4) or iwx(4), keep the old BSSID available
      for use by firmware commands which tear down device state before
      switching to the new AP.
    o Fix race conditions in the iwm(4) and iwx(4) drivers while roaming
      between APs with outstanding frames on transmit queues.
    o Reverted to use iwm(4) firmware v17 on Intel AC 7265, fixing
      instability issues on X1 Carbon gen3.
    o Explicitly stop iwx(4) Rx block ack sessions when roaming between
      access points.
    o Fixed monitor mode on iwm(4) and iwx(4).
    o Let iwx(4) and iwm(4) use per-Tx-queue interface timers to ensure
      the Tx watchdog triggers if a particular Tx queue gets stuck.
    o Switched iwx(4) to new -67 firmware images, and updated iwm(4)
      9260 and 9560 firmware, to address INTEL-SA-00509.
    o Made iwm(4) attach to PCI devices with product ID 0x31dc, part of
      the 9560 chip family.
    o Fixed wrong pointer assignment causing the iwx(4) driver to read
      Rx block ack request information from the wrong offset.
    o Fixed and reenabled use of probe requests during scans on iwm(4)
      and iwx(4).
    o Fixed attach of multiple iwm(4) or iwx(4) interfaces in the same
    o Fixed iwn(4) with 4965 devices.
    o Improved roaming stability on iwn(4), particularly with
    o Added relicensed wireless firmwares from Realtek for rsu(4),
      rtwn(4) and urtwn(4) devices, allowing these devices to work
      without requiring a separate firmware download.
    o Added a workaround for buggy athn(4) devices to prevent filling up
      the node cache when used in hostap mode.
    o Applied a workaround in mvkpcie(4) to fix an external abort under
      load with athn(4).
    o Made athn(4) attach to the Sony UWA-BR100.
    o Fixed "(null node)" panics on run(4).
    o Disabled minimum power consumption in bwfm(4) hostap mode,
      improving connection reliability when used as an access point.
    o Added support for the BCM4387 to bwfm(4).
    o Improved TX performance on urtwn(4) RTL8192EU devices.
    o Fix TX rate used by rtwn(4) and urtwn(4) for RTS frames.

 - IEEE 802.11 wireless stack improvements and bugfixes:
    o Added an ADDBA_OFFLOAD capability for wifi devices to manage Tx
      block ack sessions entirely in firmware.
    o Added support for 40MHz channels to net80211 Tx rate adaptation in
      11n mode.
    o Added monitoring of 20/40MHz channel width changes in beacons sent
      by our access point, notifying drivers when the channel width has
    o Introduced an optional background-scan handler for wireless
      drivers, which drivers can use to take control of the device
      teardown sequence, ensuring that race conditions between firmware
      state and net80211 state are avoided.
    o Taught the net80211 stack to remove corresponding frames from
      ic_pwrsaveq when a power-saving client decides to leave our hostap
      interface, preventing a panic in the athn(4) driver.
    o Added initial 802.11ac (VHT) support to the wifi stack.
    o Made tcpdump(8) show 802.11ac VHT capability and operation IEs
      with the IEEE802_11_RADIO data link type (-y) in verbose (-v)
    o Added 802.11ac/VHT TX rate adaptation support to net80211.
    o When choosing networks during SSID selection, give a higher score
      to 11ac and 11n access points, prioritizing 11ac.
    o When choosing from a set of access points for a given SSID, prefer
      APs on 5GHz channels over APs on 2GHz channels. This was already
      supposed to happen in earlier OpenBSD releases but did not always
      work as intended.

 - Generic network stack improvements and bugfixes:
    o Fixed pfctl(8) $nr incorrect macro expansion.
    o Fixed pfctl(8) rdr-to rules failing on certain port ranges when
      explicitly specified.
    o Ensured the pf(4) "set prio" values are checked consistently.
    o Made "set skip on ..." in pf.conf(5) dynamic; with this, "set
      skip" can be used on interfaces that are not configured yet.
    o Protected pfsync(4) tdb flags and lists with a mutex to prevent
      crashes involving pfsync, IPsec and parallel forwarding.
    o Added support for PPP IPCP extensions for DNS to sppp(4).
    o Added display of DNS information from sppp(4) to ifconfig(8).
    o Switched to calculating pppoe(4) session duration using system
      uptime rather than UTC.
    o Fixed veb(4) vport handling to prevent improper drop of packets
      leaving a vport interface.
    o Prevented tweaks to tun(4) if_flags when the NET_LOCK isn't held.
    o Prevented reopening of tun(4)/tap(4) interfaces which are being
    o Rewrote vxlan(4) to operate independently of bridge(4), create and
      bind udp sockets and prevent loops.
    o Stopped hiding the mtu on "bridge" interfaces which do handle l3
      traffic in ifconfig(8).
    o Added mbuf tags to prevent output loops in etherip(4).
    o Added rtable capability to login.conf(5), allowing specification
      of the rtable a process uses.
    o Made su(1) honor the login class routing table when doing a full
      login with su -l.
    o Fix IP output routines on raw sockets so route sourceaddr can take
      effect using sendto(2) or similar.
    o Ensured pcap_lookupdev(3) matches only on complete interface

 - Installer and upgrade improvements:
    o Corrected installer to understand "inet autoconf" properly in
      hostname.if(5) files.
    o Stopped prompting whether to fall back to HTTP in the installer,
      making the fallback automatic.
    o Used ifconfig(8) "join" command by default in hostname.if(5)
      files, replacing the old "nwid".
    o Replace custom bootloader installation code with installboot(8) on
      riscv64 and armv7 architecture installations.
    o New logic for pkg_add(1) to avoid excessive moving of files during
      updates when possible.
    o Documented OpenBSD installation and upgrade customization using
      the install.site(5) file.
    o Corrected "!" escape handling in the installer when accepting
      WEP/WPA passphrase.
    o Prevented a potential race which could make umount(8) fail
      spuriously in the installer.
    o Made config(8) -e work with ramdisk kernels.
    o Made config(8) -c cmdfile use lines from the command file for all
      input, not just commands. This allows complex actions like
      changing device parameters.
    o Ensured that an interrupted arm64 install from the ramdisk kernel
      can be restarted.
    o Made redistributable firmwares available across all architectures.
    o Returned to a shell-script based fw_update(8), written to be
      usable by the install script, allowing earlier retrieval of
      downloaded firmwares.
    o Stopped fw_update(8) from downloading SHA256.sig when not needed,
      to allow installing local files without network access.
    o Modified the installer to use fw_update(8) to install non-free
      firmware files if present on the install media.
    o Made fw_update(8) re-download existing files with failed
    o Made fw_update(8) use the /snapshots directory only on -current
      snapshot installations.

 - Security improvements:
    o Clear the length of keys in vnconfig(8) alongside keys themselves.
    o Removed hifn(4), safe(4) and ubsec(4) crypto drivers.
    o Added call to unveil(2) to restrict stty(1) -f filesystem access.
    o Disabled xterm(1) mouse tracking by default.
    o On arm64 architectures, use "rng-seed" and "kaslr-seed" properties
      from the device tree to mix extra entropy into the random pool.
    o Made apmd(8) replace /etc/random.seed for hibernate-resumes.
    o Restricted usbhidctl(1) and usbhidaction(1) file system access
      with unveil(2).
    o Added ps(1) status flag "c" to indicate a process is chrooted.
    o In rpc.rusersd(8) unveil(2) "/dev" read-only instead of using

 - Routing daemons and other userland network improvements:
    o switchd(8), the software-defined networking (SDN) sflow
      controller, was removed. While interesting, the OpenFlow
      implementation never managed to really get into a usable state.
    o Switched nsd(8) to enable default DNS cookies on, matching
      behavior as released in OpenBSD 7.0.
    o Ensured enabled resolvers are honored by unwind(8) to keep unused
      forwarders disabled properly.
    o Installed missing scope identifiers for IPv6 link-local addresses
      for unwind(8) and resolvd(8).
    o Allowed interface names as scope-id in IPv6 link-local addresses
      in unbound(8).
    o Let unwind(8) probe for DNS64 presence with an absolute name, so
      asr doesn't add search domains and retry.
    o Stopped duplicating "Connection: close" headers in relayd(8), only
      adding it if it's not a websocket response.
    o Modified syslog.conf(5) examples to use TLS rather than the
      plaintext protocols.
    o Stopped ignoring carp(4) interfaces in dhcpleased(8).
    o Made the dhcpleased(8) host name DHCP option configurable.
    o Prevented a crash in slaacd(8) due to updating an interface which
      no longer exists.
    o Prevented a potential crash when slaacd(8) receives more than 7
    o Fixed crash in slaacd(8) when receiving a negative length field
      for DNS labels.
    o Fix unveil(2) in ldapd(8), create permissions are required for
    o Made dhcpd(8) start listening on interface in 'down' state.
      Interfaces can come up later, at which point dhcpd(8) will start
      receiving packets.
    o Added a basic printer for EAPOL packets to tcpdump(8).
    o Made ping(8) print out the source address and sequence number when
      the signature on an icmp echo reply doesn't match.
    o Rate limit rad(8) router advertisements according to RFC 4861.
    o In smtpd(8),
       - Stop verifying the cert or CA for a relay using opportunistic
       - Enabled TLS verify by default for outbound "smtps://" and
         "smtp+tls://", restoring documented smtpd(8) behavior.
    o httpd(8) received new features and bugfixes:
       - Respond with 400 Bad Request when a client sends header lines
         without a colon.
       - Added protocol version checking.
       - Annotated an httpd(8) 413 error with "request body too large"
         in the error log.
       - Corrected httpd(8) version string checking, responding with
         505 Version Not Supported rather than 400 Bad Request when
         the version format is incorrect.
       - Stop sending content alongside responses to HEAD requests.
       - Added support for custom error pages.
       - Added a gzip-static option to httpd.conf(5), allowing
         delivery of precompressed files with content-encoding gzip.
       - Improved handling of static compressed gzip files.
    o IPsec support was improved:
       - Made iked.conf(5) proto config option accept a list to allow
         specifying multiple protocols for a single policy.
       - Fixed removal of SAs that could not be flushed with
         ipsecctl(8) -F.
       - Changed isakmpd(8) to log a warning when proto is NULL rather
         than dereferencing it.
       - Fixed broken key exchange negotiation with matching proposals
         in iked(8).
       - Added ikectl(8) "show certinfo" to show trusted CAs and
       - Added iked(8) -V to display the version.
       - Fixed a bug where iked(8) sent zero-prefixed NAT-T messages
         on port 500, causing parsing errors.
       - Improved message fragment retransmissions for iked(8).
       - Make sure iked(8) vroute messages are correctly aligned,
         fixes autoconfiguration of addresses on octeon.
    o rpki-client(8) was made more resilient regarding untrusted input.
      The following bugfixes and improvements were made:
       - Added support for validating BGPsec Router Public Keys.
       - Fix issues with chunked transfer encoding in the RRDP HTTP
       - Cleanup and improvement of how IO is handled.
       - Improvements in the way X509 certificates are verified.
       - Limit the number of concurrent rsync processes.
       - Fix CRLF in tal files.
       - Enforce the correct namespace of rrdp files.
       - Fail certificate verification if a certificate contains
         unknown critical extensions.
       - Improve cleanup of rrdp directory contents.
       - Introduce a validated cache which holds all the files that
         have successfully been verified by rpki-client.
       - Add a new option '-f <file>' to validate a signed object in a
         file against the RPKI cache.
       - Add various RFC 6488 compliance checks to improve the CMS
       - Improve RRDP replication through less aggressive cache
       - Add a check whether a given Manifest EE certificate is listed
         on the applicable CRL.
       - For forward compatibility permit ASPA object to appear on
       - Various improvements to the '-f <file>' diagnostic option to
         now also validate files containing Trust Anchor certs and
       - Do not apply timezone offsets when converting X509 times.
         X509 times are in UTC and comparing them to times in
         different timezones would cause validity problems.
    o In bgpd(8),
       - The bgpd login class datasize attribute (in login.conf(5))
         was set to either 16G or 1G, depending on architecture.
       - Macro expansion in the config file was improved. It is now
         possible to expand 'set large-community
       - Added a "port" option to "listen on" and the "neighbor"
         section in bgpd.conf(5) to make it possible to bind and
         connect to non-default ports.
       - The RIB codebase was refactored in order to add multipath
         support in an upcoming release.

 - tmux(1) improvements and bug fixes:
    o Fixed a crash in tmux(1) when a session with multiple clients is
      destroyed but tmux does not close completely due to other
    o Fixed a tmux(1) redraw problem on automargin terminals.
    o Fixed a problem with repeat in tmux(1) copy mode.
    o Added -T to set a popup title in tmux(1).
    o Added -s and -S to tmux(1) display-popup to set popup and border
    o Fixed application-set fg and bg in tmux(1) panes.
    o Added a way to force a color to RGB in tmux(1) and a format to
      display it.
    o Added a cursor-colour option to tmux(1).
    o Added a cursor-style option to tmux(1).
    o Added a pane-border-format pane option to tmux(1).
    o Added attempts to turn on less-capable mouse modes when tmux(1)
      turns on more-capable ones, in case the terminal doesn't support
      the desired mode.
    o Added a tmux(1) option to show arrows for the active pane
    o Added a key in tmux(1) copy mode to toggle the position indicator.
    o Added an option in tmux(1) to set the character for unused areas
      of the terminal.
    o Add tmux(1) option to control if it scrolls into history on clear.
    o Added OSC 7 capability to tmux(1) for setting titles.

 - LibreSSL version 3.5.2
    o New Features
       - The RFC 3779 API was ported from OpenSSL.
         Many bugs were fixed, regression tests were added and the
         code was cleaned up.
       - Certificate Transparency was ported from OpenSSL.
         Many internal improvements were made, resulting in cleaner
         and safer code.
         Regress coverage was added. libssl does not yet make use of
    o Portable Improvements
       - Enabled ASAN CI on Linux platform.
       - Fixed various POSIX compliance and other portability issues
         found by the port to the Sortix operating system.
       - Add libmd as platform specific libraries for Solaris.
       - Set IA-64 compiler flag only if it is HP-UX with IA-64.
       - Enabled and scheduled Coverity scans.
    o Compatibility Changes
       - Most structs that were previously defined in the following
         headers are now opaque as they are in OpenSSL 1.1:
         bio.h, bn.h, comp.h, dh.h, dsa.h, evp.h, hmac.h, ocsp.h,
         rsa.h, x509.h, x509v3.h, x509_vfy.h
       - Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_
         OpenSSL added the TLSv1.3 ciphersuites with "RFC names"
         instead of using something consistent with the previous
         Various test suites expect these names (instead of checking
         for the much more sensible cipher numbers).
         The old names are still accepted as aliases.
       - Subject alternative names and name constraints are now
         validated when they are added to certificates.
         Various interoperability problems with stacks that validate
         certificates more strictly than OpenSSL can be avoided this
       - Attempt to opportunistically use the host name for SNI in
       - Allow non-standard name constraints of the form @domain.com.
    o Bug fixes
       - Avoid infinite loop for custom curves of order 1.
       - Avoid infinite loop on parsing DSA private keys.
       - Prevent a malicious certificate from causing an infinite
       - In some situations, the verifier would discard the error on
         an unvalidated certificate chain.
         This would happen when the verification callback was in use,
         instructing the verifier to continue unconditionally.
         This could lead to incorrect decisions being made in
       - Avoid an infinite loop in SSL_shutdown()
       - Handle zero byte reads/writes that trigger handshakes in the
         TLSv1.3 stack.
       - A long standing memleak in libtls CRL handling was fixed
       - Allow name constraints with a leading dot.
       - Fix NULL dereferences in openssl(1) cms option parsing.
       - Do not zero the computed cofactor on ec_guess_cofactor()
       - Bound cofactor in EC_GROUP_set_generator() to reduce the
         number of bogus groups that can be described with nonsensical
       - Avoid various potential segfaults in EVP_PKEY_CTX_free() in
         low memory conditions.
    o Internal Improvements
       - Cache the SHA-512 hash instead of the SHA-1 hash and cache
         notBefore and notAfter times when X.509 certificates are
       - The X.509 lookup code has been simplified and cleaned up.
       - Fixed numerous issues flagged by coverity and the cryptofuzz
       - Increased the number of Miller-Rabin checks in DH and DSA
         key/parameter generation.
       - Started using the bytestring API in libcrypto for cleaner and
         safer code.
       - Convert asn1_d2i_ex_primitive()/asn1_collect() from BUF_MEM
         to CBB
       - Clean up d2i_ASN1_BOOLEAN() and i2d_ASN1_BOOLEAN()
       - Consolidate ASN.1 universal tag type data
       - Rewrite ASN.1 identifier/length parsing in CBS
       - Make OBJ_obj2nid() work correctly with NID_undef
       - Untangle ssl3_get_message() return values
       - Provide a way to determine our maximum legacy version
       - Add explicit CBS_contains_zero_byte() check in CBS_strdup()
       - Improve SNI hostname validation
       - Ensure SSL_set_tlsext_host_name() is given a valid hostname
       - Factor out/rewrite DHE key exchange
       - Convert server serialisation of DHE parameters/public key to
         new functions
       - Provide CBS_get_last_u8(), CBS_get_u64(), CBS_add_u64() and
         various CBS_peek_* functions.
       - Use CBS_get_last_u8() to find the content type in TLSv1.3
       - Correct SSL_get_peer_cert_chain() when used with the TLSv1.3
       - Only allow zero length key shares when we know we're doing
       - Pull key share group/length CBB code up from
       - Refactor ssl3_get_server_kex_ecdhe() to separate parsing and
       - Allocate and free the EVP_AEAD_CTX struct in
       - Convert legacy TLS client and server to tls_key_share
       - Clean up pkey handling in ssl3_get_server_key_exchange()
       - Fix GOST skip certificate verify handling
       - Simplify SSL_get_peer_certificate()
       - Cleanup/simplify ssl_cert_type()
       - The openssl(1) cms, smime and ts subcommands option handling
         was converted and the C source was cleaned up.
       - Limit OID text conversion to 64 bits per arc.
       - Clean up and simplify memory BIO code.
       - Reduce number of memmove() calls in memory BIOs.
       - Factor out alert handling code in the legacy stack.
       - Add sanity checks on p and q in old_dsa_priv_decode()
       - Cache the SHA-512 hash instead of the SHA-1 for CRLs.
       - Suppress various compiler warnings for old gcc versions.
       - Rework ASN1_STRING_set().
       - Clean up and simplify ssl3_renegotiate{,_check}().
       - Rewrite legacy TLS and DTLS unexpected handshake message
       - Simplify SSL_do_handshake().
       - Rewrite ASCII/text to ASN.1 object conversion.
       - Convert {c2i,d2i}_ASN1_OBJECT() to CBS.
       - Clean up {dtls1,ssl3}_read_bytes().
       - Be more careful with embedded and terminating NULs in the new
         name constraints code.
       - Various minor code cleanup in openssl(1) pkcs12.
       - Simplify priv_key handling in d2i_ECPrivateKey().
    o Documentation improvements
       - 45 new manual pages, most of which were written from scratch.
         Documentation coverage of ASN.1 and X.509 code has been
         significantly improved.
       - Update d2i_ASN1_OBJECT(3) documentation to reflect reality
         after refactoring and bug fixes.
       - Fixed numerous minor grammar, spelling, wording, and
         punctuation issues.

 - OpenSSH 9.0
    o Security
       - Near miss in sshd(8): fix an integer overflow in the user
         authentication path that, in conjunction with other logic
         errors, could have yielded unauthenticated access under
         difficult to exploit conditions.
         This situation is not exploitable because of independent
         checks in the privilege separation monitor. Privilege
         separation has been enabled by default since OpenBSD 3.2
         (released in 2002) and has been mandatory since OpenBSD 6.1
         (released in 2017).
    o Potentially incompatible changes
       - In OpenSSH 8.9 the FIDO security key middleware interface
         changed and increments SSH_SK_VERSION_MAJOR.
       - This release switches scp(1) from using the legacy scp/rcp
         protocol to using the SFTP protocol by default.
         Legacy scp/rcp performs wildcard expansion of remote
         filenames (e.g. "scp host:* .") through the remote shell.
         This has the side effect of requiring double quoting of shell
         meta-characters in file names included on scp(1)
         command-lines, otherwise they could be interpreted as shell
         commands on the remote side.
         This creates one area of potential incompatibility: scp(1)
         when using the SFTP protocol no longer requires this finicky
         and brittle quoting, and attempts to use it may cause
         transfers to fail. We consider the removal of the need for
         double-quoting shell characters in file names to be a benefit
         and do not intend to introduce bug-compatibility for legacy
         scp/rcp in scp(1) when using the SFTP protocol.
         Another area of potential incompatibility relates to the use
         of remote paths relative to other users' home directories,
         for example - "scp host:~user/file /tmp". The SFTP protocol
         has no native way to expand a ~user path. However,
         sftp-server(8) in OpenSSH 8.7 and later supports a protocol
         extension "expand-p...@openssh.com" to support this.
         In case of incompatibility, the scp(1) client may be
         instructed to use the legacy scp/rcp using the -O flag.
    o New features
       - ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
         restricting forwarding and use of keys added to ssh-agent(1)
         A detailed description of the feature is available at
         https://www.openssh.com/agent-restrict.html and the protocol
         extensions are documented in the PROTOCOL and PROTOCOL.agent
         files in the source release.
       - ssh(1), sshd(8): add the sntrup761x25519-sha...@openssh.com
         hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX
         to the default KEXAlgorithms list (after the ECDH methods but
         before the prime-group DH ones).
       - ssh-keygen(1): when downloading resident keys from a FIDO
         token, pass back the user ID that was used when the key was
         created and append it to the filename the key is written to
         (if it is not the default). Avoids keys being clobbered if
         the user created multiple resident keys with the same
         application string but different user IDs.
       - ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO
         keys on tokens that provide user verification (UV) on the
         device itself, including biometric keys, avoiding unnecessary
         PIN prompts.
       - ssh-keygen(1): add "ssh-keygen -Y match-principals" operation
         to perform matching of principals names against an allowed
         signers file. To be used towards a TOFU model for SSH
         signatures in git.
       - ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be
         added to ssh-agent(1). $SSH_ASKPASS will be used to request
         the PIN at authentication time.
       - ssh-keygen(1): allow selection of hash at sshsig signing time
         (either sha512 (default) or sha256).
       - ssh(1), sshd(8): read network data directly to the packet
         input buffer instead of indirectly via a small stack buffer.
         Provides a modest performance improvement.
       - ssh(1), sshd(8): read data directly to the channel input
         buffer, providing a similar modest performance improvement.
       - ssh(1): extend the PubkeyAuthentication configuration
         directive to accept yes|no|unbound|host-bound to allow
         control over one of the protocol extensions used to implement
         agent-restricted keys.
       - ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime +
         x25519 key exchange method by default
         ("sntrup761x25519-sha...@openssh.com"). The NTRU algorithm is
         believed to resist attacks enabled by future quantum
         computers and is paired with the X25519 ECDH key exchange
         (the previous default) as a backstop against any weaknesses
         in NTRU Prime that may be discovered in the future. The
         combination ensures that the hybrid exchange offers at least
         as good security as the status quo.
         We are making this change now (i.e. ahead of
         cryptographically-relevant quantum computers) to prevent
         "capture now, decrypt later" attacks where an adversary who
         can record and store SSH session ciphertext would be able to
         decrypt it once a sufficiently advanced quantum computer is
       - sftp-server(8): support the "copy-data" extension to allow
         server-side copying of files/data, following the design in
       - sftp(1): add a "cp" command to allow the sftp client to
         perform server-side file copies.
    o Bugfixes
       - sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo
         and PubkeyAuthOptions can be used in a Match block.
       - sshd(8): fix possible string truncation when constructing
         paths to .rhosts/.shosts files with very long user home
         directory names.
       - ssh-keysign(1): unbreak for KEX algorithms that use
         SHA384/512 exchange hashes
       - ssh(1): don't put the TTY into raw mode when
         SessionType=none, avoids ^C being unable to kill such a
       - scp(1): fix some corner-case bugs in SFTP-mode handling of
         ~-prefixed paths.
       - ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1)
         to select RSA keys when only RSA/SHA2 signature algorithms
         are configured (this is the default case). Previously RSA
         keys were not being considered in the default case.
       - ssh-keysign(1): make ssh-keysign use the requested signature
         algorithm and not the default for the key type. Part of
         unbreaking hostbased auth for RSA/SHA2 keys.
       - ssh(1): stricter UpdateHostkey signature verification logic
         on the client-side. Require RSA/SHA2 signatures for RSA
         hostkeys except when RSA/SHA1 was explicitly negotiated
         during initial KEX
       - ssh(1), sshd(8): fix signature algorithm selection logic for
         UpdateHostkeys on the server side. The previous code tried to
         prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed
         some cases. This will use RSA/SHA2 signatures for RSA keys if
         the client proposed these algorithms in initial KEX.
       - All: convert all uses of select(2)/pselect(2) to poll(2)/
         ppoll(2). This includes the mainloops in ssh(1),
         ssh-agent(1), ssh-agent(1) and sftp-server(8), as well as the
         sshd(8) listen loop and all other FD read/writability checks.
       - ssh-keygen(1): the "-Y find-principals" command was verifying
         key validity when using ca certs but not with simple key
         lifetimes within the allowed signers file.
       - ssh-keygen(1): make sshsig verify-time argument parsing
       - sshd(8): fix truncation in rhosts/shosts path construction.
       - ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for
         ECDSA keys (we already did this for RSA keys). Avoids fatal
         errors for PKCS#11 libraries that return empty keyid, e.g.
         Microchip ATECC608B "cryptoauthlib"
       - ssh(1), ssh-agent(1): improve the testing of credentials
         against inserted FIDO: ask the token whether a particular key
         belongs to it in cases where the token supports on-token
         user-verification (e.g. biometrics) rather than just assuming
         that it will accept it.
         Will reduce spurious "Confirm user presence" notifications
         for key handles that relate to FIDO keys that are not
         currently inserted in at least some cases.
       - ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to
         allow for the preceding two ECN bits.
       - ssh-keygen(1): add missing -O option to usage() for the "-Y
         sign" option.
       - ssh-keygen(1): fix a NULL deref when using the
         find-principals function, when matching an allowed_signers
         line that contains a namespace restriction, but no
         restriction specified on the command-line
       - ssh-agent(1): fix memleak in process_extension(); oss-fuzz
         issue #42719
       - ssh(1): suppress "Connection to xxx closed" messages when
         LogLevel is set to "error" or above.
       - ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing
         compressed packet data.
       - scp(1): when recursively transferring files in SFTP mode,
         create the destination directory if it doesn't already exist
         to match scp(1) in legacy RCP mode behaviour.
       - scp(1): many improvements in error message consistency
         between scp(1) in SFTP mode vs legacy RCP mode.
       - sshd(8): fix potential race in SIGTERM handling
       - ssh(1), sshd(8): since DSA keys are deprecated, move them to
         the end of the default list of public keys so that they will
         be tried last.
       - ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match
         wildcard principals in allowed_signers files
       - ssh(1), sshd(8): fix poll(2) spin when a channel's output fd
         closes without data in the channel buffer.
       - sshd(8): pack pollfd array in server listen/accept loop.
         Could cause the server to hang/spin when MaxStartups >
       - ssh-keygen(1): avoid NULL deref via the find-principals and
         check-novalidate operations.
       - scp(1): fix a memory leak in argument processing.
       - sshd(8): don't try to resolve ListenAddress directives in the
         sshd re-exec path. They are unused after re-exec and parsing
         errors (possible for example if the host's network
         configuration changed) could prevent connections from being
       - sshd(8): when refusing a public key authentication request
         from a client for using an unapproved or unsupported
         signature algorithm include the algorithm name in the log
         message to make debugging easier.
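
The scp(1) quoting change described under "Potentially incompatible
changes" above, as an added example that is not part of the OpenBSD
announcement or of OpenSSH: a local shell simulation in which a temporary
directory stands in for the remote host. The function names, the file
names and the simplified SFTP model (literal path lookup, without scp's
own wildcard matching) are assumptions made for illustration.

```shell
#!/bin/sh
# Local simulation only: a temporary directory stands in for the remote
# home directory and no ssh or scp process is started. All file names
# below are constructed sample data.

# Create the stand-in "remote" directory and print its path.
make_fixture() {
    dir=$(mktemp -d) || return 1
    : > "$dir/notes.txt"
    : > "$dir/a b.txt"        # name containing a shell metacharacter (space)
    printf '%s\n' "$dir"
}

# Legacy scp/rcp model: the text after "host:" is pasted into a command
# line that the remote user's shell parses, so spaces, quotes, globs and
# ';' are all interpreted on the remote side.
#   $1 = stand-in remote directory, $2 = path string as sent by the client
legacy_resolve() {
    ( cd "$1" && sh -c "ls -d -- $2" 2>/dev/null )
}

# SFTP model (simplified assumption): the path travels as an opaque string
# and is looked up as-is; no shell ever parses it.
sftp_resolve() {
    ( cd "$1" && [ -e "./$2" ] && printf '%s\n' "$2" )
}

# Show side by side what each model does with the same path string.
compare() {
    l=$(legacy_resolve "$1" "$2" | tr '\n' ' ')
    s=$(sftp_resolve "$1" "$2") || s=
    printf '%-30s legacy=[%s] sftp=[%s]\n' "$2" "${l% }" "$s"
}

demo() {
    d=$(make_fixture) || return 1
    # Unquoted name: the legacy shell splits it into "a" and "b.txt".
    compare "$d" 'a b.txt'
    # Inner quotes added for the remote shell: works in legacy mode, but
    # SFTP mode looks for a file whose name contains the quote characters.
    compare "$d" "'a b.txt'"
    # Wildcard: expanded by the remote shell in legacy mode.
    compare "$d" '*.txt'
    # Metacharacter ';': the legacy shell runs what follows as a command.
    compare "$d" 'notes.txt; echo INTERPRETED'
    rm -rf "$d"
}

demo
```
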

 - mandoc 1.14.6 plus several bugfixes, including:
    o Fixed man(1) to always read the configuration file and respect the
      other directives contained in it, even when the manpath is
      overridden by other means.
    o Fixed a memory leak in man(1) that mattered when many names were
      given on the command line.
    o Fixed a small memory leak in the roff(7) parser that occurred each
      time a user-defined macro was called.
    o Fixed the width of the \h (horizontal motion) roff(7) escape
      sequence in the PostScript and PDF output modes.

 - Ports and packages:
    o Pre-built packages are available for the following architectures on
      the day of release:
       - aarch64 (arm64): 11081
       - amd64: 11301
       - i386: 10136
       - mips64: 8708
       - powerpc64: 9132
       - riscv64: 9108
       - sparc64: 9288
    o Packages for the following architectures will be made available as
      their builds complete:
       - arm
       - powerpc

 - Some highlights:

    o Asterisk 16.25.1, 18.11.1 and   o Mozilla Thunderbird 91.8.0
      19.3.1                          o Mutt 2.2.2 and NeoMutt 20211029
    o Audacity 2.4.2                  o Node.js 16.14.2
    o CMake 3.20.3                    o OCaml 4.12.1
    o Chromium 100.0.4896.75          o OpenLDAP 2.4.59
    o Emacs 27.2                      o PHP 7.4.28, 8.0.17 and 8.1.4
    o FFmpeg 4.4.1                    o Postfix 3.5.14
    o GCC 8.4.0 and 11.2.0            o PostgreSQL 14.2
    o GHC 8.10.6                      o Python 2.7.18, 3.8.13, 3.9.12
    o GNOME 41.5                        and 3.10.4
    o Go 1.17.7                       o Qt 5.15.2 and 6.0.4
    o JDK 8u322, 11.0.14 and 17.0.2   o R 4.1.2
    o KDE Applications 21.12.2        o Ruby 2.7.5, 3.0.3 and 3.1.1
    o KDE Frameworks 5.91.0           o Rust 1.59.0
    o Krita 5.0.2                     o SQLite 2.8.17 and 3.38.2
    o LLVM/Clang 13.0.0               o Shotcut 21.10.31
    o LibreOffice             o Sudo 1.9.10
    o Lua 5.1.5, 5.2.4 and 5.3.6      o Suricata 6.0.4
    o MariaDB 10.6.7                  o Tcl/Tk 8.5.19 and 8.6.8
    o Mono                 o TeX Live 2021
    o Mozilla Firefox 99.0 and        o Vim 8.2.4600 and Neovim 0.6.1
      ESR 91.8.0                      o Xfce 4.16

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.7 with xserver + patches,
      freetype 2.11.0, fontconfig 2.12.94, Mesa 21.3.7, xterm 369,
      xkeyboard-config 2.20, fonttosfnt 1.2.2, and more)
    o LLVM/Clang 13.0.0 (+ patches)
    o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    o Perl 5.32.1 (+ patches)
    o NSD 4.4.0
    o Unbound 1.15.0
    o Ncurses 5.7
    o Binutils 2.17 (+ patches)
    o Gdb 6.3 (+ patches)
    o Awk October 12, 2021 version
    o Expat 2.4.7

- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each release.  Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible.  Therefore, we advise regular
visits to


- MAILING LISTS AND FAQ ------------------------------------------------

Mailing lists are an important means of communication among users and
developers of OpenBSD.  For information on OpenBSD mailing lists, please


You are also encouraged to read the Frequently Asked Questions (FAQ) at:


- DONATIONS ------------------------------------------------------------

The OpenBSD Project is a volunteer-driven software group funded by
donations.  Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others.  This ecosystem is all handled under the same funding umbrella.

We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon

All of our developers strongly urge you to donate and support our future
efforts.  Donations to the project are highly appreciated, and are
described in more detail at:


- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.

There may also be exposure benefits since the Foundation may be
interested in participating in press releases.  In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at direct...@openbsdfoundation.org for
more information.

- HTTPS INSTALLS -------------------------------------------------------

OpenBSD can be easily installed via HTTPS downloads.  Typically you need
a single small piece of boot media (e.g., a USB flash drive) and then
the rest of the files can be installed from a number of locations,
including directly off the Internet.  Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTPS.

1) Read either of the following two files for a list of HTTPS mirrors
   which provide OpenBSD, then choose one near you:


   As of April 21, 2022, the following HTTPS mirror sites have the
   7.1 release:

        https://cdn.openbsd.org/pub/OpenBSD/7.1/            Global
        https://ftp.eu.openbsd.org/pub/OpenBSD/7.1/         Stockholm, Sweden
        https://ftp.hostserver.de/pub/OpenBSD/7.1/          Frankfurt, Germany
        https://ftp.bytemine.net/pub/OpenBSD/7.1/           Oldenburg, Germany
        https://ftp.fr.openbsd.org/pub/OpenBSD/7.1/         Paris, France
        https://mirror.aarnet.edu.au/pub/OpenBSD/7.1/       Brisbane, Australia
        https://ftp.usa.openbsd.org/pub/OpenBSD/7.1/        CO, USA
        https://ftp5.usa.openbsd.org/pub/OpenBSD/7.1/       CA, USA
        https://mirror.esc7.net/pub/OpenBSD/7.1/            TX, USA
        https://openbsd.cs.toronto.edu/pub/OpenBSD/7.1/     Toronto, Canada
        https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.1/ Global
        https://fastly.cdn.openbsd.org/pub/OpenBSD/7.1/     Global

        The release is also available at the master site:

        https://ftp.openbsd.org/pub/OpenBSD/7.1/            Alberta, Canada

        However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that HTTPS mirror site and go into the directory
   pub/OpenBSD/7.1/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     armv7/        openbsd-71-base.pub sparc64/
        README           hppa/         packages/           src.tar.gz
        SHA256           i386/         packages-stable/    sys.tar.gz
        SHA256.sig       landisk/      ports.tar.gz        xenocara.tar.gz
        alpha/           luna88k/      powerpc64/
        amd64/           macppc/       riscv64/
        arm64/           octeon/       root.mail

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, amd64.  This is a list of what you will see:

        BOOTIA32.EFI*   bsd*            floppy71.img    pxeboot*
        BOOTX64.EFI*    bsd.mp*         game71.tgz      xbase71.tgz
        BUILDINFO       bsd.rd*         index.txt       xfont71.tgz
        INSTALL.amd64   cd71.iso        install71.img   xserv71.tgz
        SHA256          cdboot*         install71.iso   xshare71.tgz
        SHA256.sig      cdbr*           man71.tgz
        base71.tgz      comp71.tgz      miniroot71.img

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
   and install71.iso.  The install71.iso file (roughly 588MB in size)
   is a one-step ISO-format install CD image which contains the various
   *.tgz files so you do not need to fetch them separately.

   If you prefer to use a USB flash drive, fetch install71.img and
   follow the instructions in INSTALL.amd64.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.amd64.  INSTALL.amd64 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:


   This is the page where we talk about the mistakes we made while
   creating the 7.1 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.7.  Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc.  During installation, you can install X.Org
quite easily using xenodm(1), our simplified X11 display manager forked
from xdm(1).

- PACKAGES AND PORTS ---------------------------------------------------

Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures.  Please see https://www.openbsd.org/faq/faq15.html for
more information on working with packages and ports.

Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed

- SYSTEM SOURCE CODE ---------------------------------------------------

The source code for all four subsystems can be found in the
pub/OpenBSD/7.1/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

The README (https://ftp.OpenBSD.org/pub/OpenBSD/7.1/README) file
explains how to deal with these source files.

- THANKS ---------------------------------------------------------------

Ports tree and package building by Jasper Lievisse Adriaanse,
Jeremie Courreges-Anglas, Visa Hankala, Stuart Henderson, Peter Hessler,
George Koehler, Kurt Mosiejczuk, and Christian Weisgerber.  Base and X
system builds by Kenji Aoyama and Theo de Raadt.  Release art
contributed by Luc Houweling.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who bought our previous CD sets.  Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.

Our developers are:

    Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall,
    Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov,
    Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley,
    Antoine Jacoutot, Anton Lindqvist, Asou Masato, Ayaka Koshibe,
    Benoit Lecocq, Bjorn Ketelaars, Bob Beck, Brandon Mercer,
    Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar,
    Charlene Wendling, Charles Longeau, Chris Cappuccio,
    Christian Weisgerber, Christopher Zimmermann, Claudio Jeker,
    Dale Rahn, Damien Miller, Daniel Dickman, Daniel Jakots,
    Darren Tucker, Dave Voutila, David Coppa, David Gwynne, David Hill,
    Denis Fondras, Edd Barrett, Elias M. Mariani, Eric Faurot,
    Florian Obser, Florian Riehm, Frederic Cambus, George Koehler,
    Gerhard Roth, Giannis Tsaraias, Gilles Chehade, Giovanni Bechis,
    Gleydson Soares, Gonzalo L. Rodriguez, Greg Steuck, Helg Bredow,
    Henning Brauer, Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer,
    Ingo Schwarze, Inoguchi Kinichiro, James Hastings, James Turner,
    Jan Klemkow, Jason McIntyre, Jasper Lievisse Adriaanse,
    Jeremie Courreges-Anglas, Jeremy Evans, Job Snijders, Joel Sing,
    Joerg Jung, Jonathan Armani, Jonathan Gray, Jonathan Matthew,
    Jordan Hargrave, Joris Vink, Joshua Stein,
    Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama,
    Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov,
    Klemens Nanni, Kurt Miller, Kurt Mosiejczuk, Landry Breuil,
    Lawrence Teo, Marc Espie, Marcus Glocker, Mark Kettenis,
    Mark Lumsden, Markus Friedl, Martijn van Duren, Martin Natano,
    Martin Pieuchot, Martin Reindl, Martynas Venckus, Matthew Dempsky,
    Matthias Kilian, Matthieu Herrb, Michael Mikonos, Mike Belopuhov,
    Mike Larkin, Miod Vallat, Moritz Buhl, Nam Nguyen,
    Nayden Markatchev, Nicholas Marriott, Nigel Taylor, Okan Demirmen,
    Omar Polo, Ori Bernstein, Otto Moerbeek, Paco Esteban,
    Pamela Mosiejczuk, Pascal Stumpf, Patrick Wildt, Paul Irofti,
    Pavel Korovin, Peter Hessler, Philip Guenther,
    Pierre-Emmanuel Andre, Pratik Vyas, Rafael Sadowski,
    Rafael Zalamena, Raphael Graf, Remi Locherer, Remi Pointel,
    Renato Westphal, Ricardo Mestre, Richard Procter, Rob Pierce,
    Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha,
    Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
    Solene Rapenne, Stefan Fritsch, Stefan Hagen, Stefan Kempf,
    Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson,
    Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler,
    Theo de Raadt, Thomas Frohwein, Tim van der Molen, Tobias Heider,
    Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove,
    Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov,
    Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Yasuoka Masahiko,
    Yojiro Uo
