Upgrading... ;)
------- Original Message ------- On Monday, October 16th, 2023 at 09:53, Theo de Raadt <dera...@openbsd.org> wrote: > > > > ------------------------------------------------------------------------ > - OpenBSD 7.4 RELEASED ------------------------------------------------- > > October 16, 2023. > > We are pleased to announce the official release of OpenBSD 7.4. > This is our 55th release. We remain proud of OpenBSD's record of more > than twenty years with only two remote holes in the default install. > > As in our previous releases, 7.4 provides significant improvements, > including new features, in nearly all areas of the system: > > - Various kernel improvements: > o On arm64, show BTI and SBSS features in dmesg(8). > o New kqueue1(2) system call supporting the O_CLOEXEC flag. > o Map device tree read/write to unbreak root on softraid(4). > o Correctly recognize umass(4) floppy disk devices as floppy disks. > o In wscons(4), catch up with box drawing characters which have been > standardized in unicode after the original wscons code was written > and chose placeholder values. > o In wscons(4), make sure we do not increase the escape sequence > argument count beyond usable bounds. > o Implement dt(4) utrace(2) support on amd64 and i386. > o Correct undefined behavior when using MS-DOS filesystems, fixes > imported from FreeBSD. > o Make the softdep mount(8) option a no-op. Softdep was a > significant impediment to improving the vfs layer. > o Allow unveil(2)ed programs to dump core(5) into the current > working directory. > o Address incomplete validation of ELF program headers in execve(2). > o On arm64, use the deep idle state available on Apple M1/M2 cores > in the idle loop and for suspend, resulting in power savings. > o Update AMD CPU microcode if a newer patch is available. > o Enable a workaround for the 'Zenbleed' AMD CPU bug. > o Report speculation control bits in dmesg(8) CPU lines. > o To give the primary CPU an opportunity to perform clock interrupt > preparation in a machine-independent manner we need to separate > the "initialization" parts of cpu_initclocks() from the "start the > clock interrupt" parts. Separate cpu_initclocks() from > cpu_startclock(). > o Fix a problem where CPU time accounting and RLIMIT_CPU was > unreliable on idle systems. > o Improve the output of the "show proc" command of the kernel > debugger ddb(4) and show both the PID and TID of the proc. > > - SMP Improvements > o Rewrite pfsync(4), in particular to improve locking and to help > with unlocking more of pf(4) and with parallelisation of the > network stack in the future. The protocol remains compatible with > the older version. > o Remove kernel locks from the ARP input path. > o Pull MP-safe arprequest() out of kernel lock. > o Remove the kernel lock from IPv6 neighbor discovery. > o Unlock more parts of ioctl(2) and the routing code in the network > stack. > > - Direct Rendering Manager and graphics drivers > o Update drm(4) to Linux 6.1.55. > o Don't change end marker in sg_set_page(). Caused bad memory > accesses when using page flipping on Alder Lake and Raptor Lake. > > - VMM/VMD improvements > o Allowed vmm(4) guests to enable and use supervisor IBT. > o Suppressed AMD hardware p-state visibility to vmm(4) guests. > o Avoid use of uninitialised memory in vmd(8). > o Migrate vmd_vm.vm_ttyname to char array allowing a vmd_vm object > to be transmitted over an ipc channel. > o Cleaned up file descriptor closing in vmd(8) vmm process. > o Fixed vm send/receive, restoring device virtqueue addresses on > receive. > o Introduced execvp(3) after fork for child vm processes. > o No longer generate an error in vmd(8) if vm.conf(5) is absent. > o Split vmm(4) into MI/MD parts. > o Introduced multi-process model for vmd(8) virtio block and network > devices. > o Allowed vm owners to override boot kernel when using vmctl(8) to > start a vm. > o Changed staggered start of vms to number of online CPUs. > o Fixed a segfault on vm creation. > o Switched to anonymous shared memory mappings for vmd(8) vm > processes, introducing a new vmm(4) ioctl(2). > o Relaxed absolute path requirements for vmd(8) configtest mode > (-n). > o Adjusted shutdown logic by vm id to function similarly as by name. > o Moved validation of local network prefixes for the internal vmd(8) > DHCP service into the config parser. > o Fixed QCOW2 base images when used with the vmd(8) multi-process > device model. > o Fixed setting verbose logging in child processes. > o Fixed a race condition related to the emulated i8259 interrupt > controller by ignoring interrupt masks on assert. > o Inlined pending interrupts in the vmm(4) ioctl(2) for running the > vcpu, reducing vm latency. > o Added zero-copy, vectored io to the vmd(8) virtio block device. > o Changed to logging vmd(8) vm ids in the vcpu run loop on error and > not the ids used by vmm(4). > o Fixed a vm pause deadlock. > o Changed vmd(8) logging format to disambiguate vm and device > process by names and indices. > o Fixed dynamically toggling verbose logging mode with vmctl(8). > > - Various new userland features: > o New ISO C11 header <uchar.h> declaring the types char32_t and > > char16_t and the functions c32rtomb(3), mbrtoc32(3), c16rtomb(3), > and mbrtoc16(3). > o Introduce a new malloc(3) option D for memory leak detection with > ktrace(1) and kdump(1). > o Support ${.VARIABLES} in make(1), listing the names of all global > variables that have been set. > o New kdump(1) -u option to select utrace(2) tracepoints by label. > o In openrsync(1), support the options --size-only and > --ignore-times. > o Update zoneinfo to tzdata2023c. > o Accept the ucom(4) fixed name format as a valid format for the > cu(1) -l option. > o In cron(8) and crontab(5), add support for random offsets when > using ranges with a step value in cron. This extends the random > range syntax to support step values. Instead of choosing a random > number between the high and low values, the field is treated as a > range with a random offset less than the step value. This can be > used to avoid thundering herd problems where multiple machines > contact a server all at the same time via cron jobs. > o Extend and improve the ibuf API in libutil and add functions for > more specific data types, for modifying data at specific offsets, > for getting and setting the file descriptor stored on the ibuf and > for efficient wrapping of ibufs into imsgs. The ibuf API is mostly > used in network daemons. > o In wsconsctl(8), add button mappings for two- and three-finger > clicks on clickpads. > > - Various bugfixes and tweaks in userland: > o In pax(1) and tar(1), do not open files that will be skipped, > speeding up archive creation when many files are skipped. > o In pax(1), tar(1), and cpio(1) terminal output, escape > non-printable characters in messages that may include file names, > and truncate times to the correct maximum value. > o Better diagnostics from make(1) when a makefile exists but cannot > be opened. > o Prevent a buffer underflow in patch(1) that could occur with lines > longer than 32kB. > o Prevent a segmentation fault in patch(1) that occurred when a > patch specified a file name so long that basename(3) failed. > o Prevent a read buffer overrun in patch(1) that could occur when a > patch specified a file name ending in a slash. > o Let stat(1) correctly print mtimes after 2038. > o Refactoring and documenting of fdisk(8) code, to make it easier to > maintain. > o fdisk(8) no longer adds extra blanks at the end of lines, > eliminating spurious line wrapping. > o In clang(1), allow out-of-class defaulting of comparison > operators, by ways of backporting an upstream commit. > o Many changes in mg(1): > - New command set-tab-width to change the tabulator width on a > per-buffer basis. > - Let the space-to-tabstop command move to the right position > even if the line contains tabs, control characters, or > non-ASCII bytes. > - Fall back to /bin/sh if $SHELL is undefined. > - Fix parsing of tag files with duplicate entries. Instead of > erroring out, ignore duplicates. Fixes using > /var/db/libc.tags again. > - Change the visit-tags-table command to immediately load the > tag file, and drop the lazy mechanics. > - Do not leak memory in pop-tag-mark if it fails to switch > buffers. > - Fix a read buffer overrun caused by -u arguments longer than > 1023 bytes. > - Fix a write buffer overrun on the stack caused by > blink-and-insert matching a very long line that is not > currently visible in the window. > - Skip checking permissions of conffile with access(2). > - Resurrect no-tab-mode and add it to the list of modes that > can be set with set-default-mode. > o Fix a segfault when the disklabel(8) simple editor encounters an > incomplete partition line. > o Fix disklabel(8) handling of templates with partitions after a > "N-* 100" entry. > o Enable disklabel(8) regress tests to work on sparc64. > o Fix fdisk(8) initialization of CHS/LBA fields in an MBR, allowing > machines with a BIOS that uses CHS to boot from disks >8G. > > o Retire disklabel(8) -E expert mode. > o When displaying GPT partition attributes fdisk(8) prefixes > Microsoft partition attribute names with 'MS'. > o In the absence of the 'disktype' command line parameter > disklabel(8) always uses the current media type provided by the > kernel. > o Ensure fdisk(8) handles the case where a GPT partition name is not > a valid C string. > o When creating new crypto volumes with bioctl(8), by default use a > hardware based number of KDF rounds for passphrases. > o Let bioctl(8) gracefully prompt again during interactive creation > and passphrase change on CRYPTO and 1C volumes. > o Let bioctl(8) read passphrases without prompts or confirmation in > -s mode, allowing non-interactive use. > o Allow the atactl(8) command readattr to succeed even for disks > where ATA_SMART_READ and ATA_SMART_THRESHOLD revisions mismatch, > as long as checksums are OK. > o In ld.so(1), treat symlinks in $ORIGIN determination the same way > as other OS linkers do. > o In ld.so(1), avoid an overflow in the ELF SYSV ABI hash function. > o Make sure modf(3) and modff(3) return correct values for > infinities. > o Do not fail in ober_scanf_elements(3) when encountering empty > sequences. > o Remove broken special handling of test -t in ksh(1). > o The caching mechanism used by pkg_add(1) to speed up pkg_add -u > now also works if -stable packages are available. > o Significantly increase the speed of pkg-config(1). > o In seq(1), fix a check for rounding error and truncation. > o In cron(8), introduce upstream fixes in the handling of @yearly, > @monthly, @weekly, @daily and @hourly entries. > o Fix a bug in cron(8) where whitespace after usernames would not be > completely skipped while parsing the crontab(5) file. > o Make rcctl(8) check if a daemon exists before trying to disable > it, thereby avoiding parsing and printing of bogus characters. > o Print to the console the fingerprint of a newly generated ssh(1) > host key of the preferred type (currently ED25519), typically when > booting for the first time. This simplifies a secure first ssh > connection to a freshly installed machine. > > - Improved hardware support and driver bugfixes, including: > o Add rkiovd(4), a driver for the I/O voltage domains on Rockchip > SoCs. > o Add support for TEMPerGold 3.4 temperature sensor to ugold(4). > o Add qcrng(4), a driver for the Qualcomm RNG device found on the > ThinkPad X13s. > o Add rkusbphy(4), a driver for the usb2phy on Rockchip SoCs. > o Support AP806/CP110 SoCs in mvtemp(4). > o Add dwmshc(4) to support Designware Mobile Storage Host > Controllers found on rk356x and rk3588 SoCs. > o Add iosf(4), a driver for the Intel OnChip System Fabric. > o Add support for the RTL8153D chipset in ure(4). > o Add support for the Peripheral Authentication Service SMC > interface in qcscm(4). > o Add qcmtx(4), a driver for the hardware spinlock on Qualcomm SoCs > that is used to synchronize access to the shared memory table. > o Add qcsmptp(4), a driver to share 32-bit values between > (co-)processors. > o Add qcaoss(4), a driver for the Always On Subsystem found on > Qualcomm SoCs. > o Add qcpas(4), a driver for the Peripheral Authentication Service > found on Qualcomm SoCs. Enable AC detection. > o Add qctsens(4), a driver for the Temperature Sensor found on > Qualcomm SoCs. > o Add driver qccpu(4) for QC CPU Power States. > o Add qcsdam(4), a driver for the PMIC Shared Direct Access Memory > found on Qualcomm SoCs. > o Add stfrng(4), a driver for the random number generator on the > StarFive JH7110 SoC. > o Add support for the PCIe controller on the JH7110 SoC with > stfpciephy(4) > o New sysctl(2) nodes for battery management, hw.battery.charge*. > Support them with acpithinkpad(4) and aplsmc(4). > o Define fixed names for ucom(4) USB serial ports, display them in > attach messages and via the new hw.ucomnames sysctl(2). > o Add support for the RK3568 32k RTC, RK3588, and other clocks in > rkclock(4). > o In dwpcie(4), attach Baikal-M PCIe. > o In openfirmware, implement regulator notifiers which get called > when the voltage/current for a regulator is changed or when the > regulator gets initialized when it attaches for the first time. > The latter makes it possible to register a notifier for a > regulator that hasn't attached yet. > o Ignore duplicate ACPI lid transitions as they can happen on Dell > Precision 5510 systems. > o Make RK3568 PCIe controllers run at the maximum possible speed by > using dwpcie_link_config() when initializing. > o In the Universal Flash Storage Host Controller Interface > (ufshci(4)), enable Force Unit Access (FUA) for write commands. > o Make SATA (ahci(4)) work on a Banana Pi BPI-R2 Pro. > o In umcs(4), set parity bits correctly. > o Enable the caps lock LED on modern Apple laptop keyboards. > o Add support for Rockchip "cryptov2-rng" random number generator in > rkrng(4). > o Fix cpuperf on the Apple M2 Pro/Max. > o Add support for the PCIe controller found on Apple M2 Pro/Max > SoCs. > o Add support for enabling both the USB2 and USB3 PHYs in xhci(4) > with device tree. > o In the SCSI tape driver st(4), add support for I/O statistics so > that tape speeds can be observed with iostat(8). > o Fix use of MMC/SD/SDIO on RK3588 ARM SoC in dwmmc(4). > o Support thermal sensors on Ryzen 9 79xx in ksmn(4). > o Add support for JH7110 to dwmmc(4), making eMMC and microSD mostly > work on the Starfive VisionFive 2. > o Add support for the RK3588 PCIe3 PHY to rkpciephy(4). The PHY > controls 4 lanes that can be routed to 4 of 5 PCIe controllers. > o Add mute control to sncodec(4). This makes the mute button work on > laptops using this driver. > o Add mute control to tascodec(4). This makes the mute button on > laptops that use tascodec(4) work. > o Improve the suspend/resume behavior of several drivers, reducing > power consumption during suspend. > o Add support for the Synopsys DesignWare I2C controller (dwiic(4)) > and the X-Powers AXP Power Management IC (axppmic(4)). > o Enable the mbg(4) timedelta sensor on amd64 and match the Meinberg > PZF180PEX. > > - New or improved network hardware support: > o Fix dwqe(4) on several boards that use rgephy(4) by configuring > the RGMII interface before taking the PHY out of reset. > o Improve dwqe(4) and determine PHY mode and pass the appropriate > flags down to the PHY when attaching. > o Report in dmesg(8) on which gmac the dwqe(4) driver is attaching > to. > o Document that Intel i226 adapters are supported by igc(4). > o Add ngbe(4), a driver for WangXun WX1860 PCI Express 10/100/1Gb > Ethernet devices. Also support it on amd64 install media. > o Add support for the RTL8211F-VD PHY in rgephy(4). > o In openfirmware, add glue for network interfaces to be found by > fdt/ofw node or phandle in order to support "switch chips" like > the marvell link street. > o Add support for RTL8153D devices to ure(4). > o Provide byte and packet counter statistics in some dwge(4) > implementations. > o On bge(4), make hardware counters available via kstats for BCM5705 > and newer controller chips. > o Make several improvements to vmx(4), the VMware VMXNET3 Virtual > Interface Controller. > o In em(4), stop putting multicast addresses into the Receive > Address Registers. Instead hash them all into the Multicast Table > Array. > o Support Mellanox ConnectX-6 Lx in mcx(4). > o In mcx(4), add 100GB LR4 Ethernet capability and map it to > IFM_100G_LR4. > o Add initial support for Atlantic 2 hardware in aq(4). > > - Added or improved wireless network drivers: > o Improve how Quectel LTE&5G devices attach to umb(4). > > - IEEE 802.11 wireless stack improvements and bugfixes: > o Add support for RTL8188FTV devices to the urtwn(4) driver. > o Attach Intel wireless devices with PCI product ID 0x51f1 to > iwx(4). > o Fix a bug where iwm(4) and iwx(4) background scan tasks were added > to the wrong task queue. > o Fix a firmware error that occurred when an iwx(4) interface was > brought down. > o Fix iwx(4) firmware errors triggered during background scans. > o Fix a crash in the iwm(4) driver when userland attempts to inject > frames via bpf in monitor mode. > > - Installer, upgrade and bootloader improvements: > o In the arm64 ramdisk, simplify apple firmware copying to make it > easier to add new firmware. > o On armv7 and arm64, silence informational messages from dd(1) when > zeroing a disk's first 1MB. Use character not block devices with > dd(1) like on other architectures. > o Refactor the code of md_installboot() on armv7 and arm64 to be > more in line with other architectures. > o Improve the dialogue of the installer without affecting > autoinstall(8) files. > o Enable ufshci(4) on arm64 install media. > o On arm64 pine64 boards, stop writing pine64 firmware to disk. > o When media has neither a GPT nor an MBR installboot(8), assume > OpenBSD occupies the entire disk starting at sector 0. > o Attempt to not overflow the ramdisk when extracting firmware on > Apple arm64 systems. > o Add support for loading files from the EFI System Partition. > o Fix a bug in the handling of SCSI drives in the bootloader on the > luna88k architecture. > o On luna88k, implement the chmod() signaling mechanism for > /bsd.upgrade to prevent re-upgrade, like other architectures. > o Support for softraid(4) disks in the installer was improved: > - Make root on softraid(4) installations boot out of the box on > Raspberry Pis (arm64). > - Support installations with root on softraid(4) on arm64, > tested on Pinebook Pro, Raspberry Pi 4b, and SolidRun CEX7. > - On riscv64, enable softraid(4) in the ramdisk kernel and > support installations with root on softraid(4) > - When installing on encrypted softraid(4), determine the disk > for placing the root device automatically and make it default > as it is the only legit choice. > - Add arm64 to the list of architectures with support for > guided disk encryption. > - Retain existing EFI System partitions on systems with APFSISC > partitions (arm64 Apple M1/M2) during installation with root > on softraid(4). > - Enable softraid(4) in ramdisk on the powerpc64 architecture. > > - Security improvements: > o Enable indirect branch tracking (IBT) on amd64 and branch target > identification (BTI) on arm64 in both the kernel and in userland. > On hardware that supports this feature, it helps enforcing control > flow integrity by making sure malicious code cannot jump into the > middle of a function. > o On the arm64 architecture, enable pointer authentication (PAC) in > userland on those machines where it works correctly. It helps > enforcing control flow integrity by making sure malicious code > cannot manipulate a function's return address. > o Together with retguard these two features protect against ROP > attacks. Compiler defaults for base clang, ports clang and ports > gcc (as well as some other non-C language family compilers in > ports) have been changed to enable these features by default. As a > result the vast majority of programs on OpenBSD (and all programs > in the base system) run with these security features enabled. > o Change malloc(3) chunk sizes to be fine grained: chunk sizes are > closer to the requested allocation size. > o In malloc(3), check all chunks in the delayed free list for > write-after-free. > o The shutdown(8) program can now only be executed by members of the > new shutdown group. The idea is that system administrators can > now remove most users from the excessively powerful operator > group, which in particular provides read access to disk device > nodes. > o Using unveil(2), restrict patch(1) filesystem access to the > current directory including subdirectories, TMPDIR, and file names > given on the command line. > o In ksh(1), consistently escape control characters when displaying > file name completions, even when there are multiple matches. > > - Changes in the network stack: > o Sync the use of getuptime(9) in the Neighbour Discovery (ND) code > with ARP. > o In the IPv6 forwarding code, call getuptime(9) once for > consistency with IPv4. > o ARP has a queue of packets that should be sent after name > resolution. Neighbor discovery (ND6) did only hold a single > packet. Unified the code, added a queue to ND6 and made the code > MP safe. > o Implement a new sysctl(2) net.inet6.icmp6.nd6_queued to show the > number of packets waiting for an ND6 response, analogous to ARP. > o When configuring a new IPv6 address on an interface, an upstream > router doesn't know where to send traffic. Send an unsolicited > neighbor advertisement, as described in RFC9131, to the > all-routers multicast address so all routers on the same link will > learn the path back to the address. > o Implement the inbound portion of RFC9131. Let routers create new > neighbor cache entries when receiving valid neighbor > advertisements. > o Initial support for TCP segmentation offload (TSO) and TCP large > receive offload (LRO) was implemented: > - If the driver of a network interface supports TSO, do not > chop the packet in the network stack, but pass it down to the > interface layer for TSO. > - Provide a software TSO implementation, to be used as a > fallback if network hardware does not support TSO. > - Provide a new sysctl(2) node net.inet.tcp.tso such that TSO > can be globally disabled. By default, it is enabled on all > interfaces supporting it. > - In ifconfig(8), display separate hwfeatures for TSOv4, TSOv6, > and LRO and provide a -tcplro parameter to disable LRO on a > per-interface basis. > - Enable TSO and forwarding of LRO packets via TSO in ix(4). > - In ix(4), allocate less memory for tx buffers. > - Speed up TCP transfer on lo(4) interfaces by using TSO and > LRO. > - Enable LRO per default in network drivers. LRO allows to > receive aggregated packets larger than the MTU. Receiving TCP > streams becomes much faster. Currently only ix(4) and lo(4) > devices support LRO, and ix(4) is limited to IPv4 and > hardware newer than the old 82598 model. > o The following changes were made to the pf(4) firewall: > - Speed up the ioctl(2) request DIOCGETRULE such that pfctl(8) > can retrieve all pf(4) rules from the kernel in linear rather > than in quadratic time. To protect the kernel from memory > exhaustion, userland processes now have to release tickets > obtained with DIOCGETRULES by issuing the new ioctl(2) > request DIOCXEND. In particular, snmpd(8) and systat(1) now > do that. > - Relax the implementation of the pass all rule so all forms of > neighbor advertisements are allowed in either direction. > - When redirecting locally generated IP packets to userland > with divert-packet rules, the packets may have no checksum > due to hardware offloading. Calculate the checksum in that > case. > - Fix a bug where nat-to could fail to insert a state due to > conflict on chosen source port number. > - No longer ignore keep state and nat-to actions for > unsolicited ICMP error responses. Tighten the rule matching > logic so ICMP error responses no longer match keep state > rule. In typical scenarios, ICMP errors (if solicited) should > match existing state. The change is going to bite firewalls > which deal with asymmetric routes. In those cases the keep > state action should be relaxed to sloppy or new no state rule > to explicitly match ICMP errors should be added. > o Do not calculate IP, TCP, and UDP checksums on lo(4) interfaces. > o Convert the tcp_now() time counter to 64 bits to avoid 32 bits > wrap around after changing tcp_now() ticks to milliseconds. > o Add initial support for route-based IPsec VPNs. > Rather than use IPsec flows (aka, entries in the IPsec security > policy database) to decide which traffic should be encapsulated in > IPsec and sent to a peer, this changes security associations (SAs) > so they can also refer to a tunnel interface. When traffic is > routed over that tunnel interface, an IPsec SA is looked up and > used to encapsulate traffic before being sent to the peer on the > SA. When traffic is received from a peer using an interface SA, > the specified interface is looked up and the packet is handed to > it so it looks like packets come out of the tunnel. > o Add sec(4) to support route-based IPsec VPNs. > o Introduce reference counting for TCP syn cache entries. > o Have wg(4) copy the priority from the inner packet to the outer > encrypted packet, so that higher priority packets are picked from > hfsc queues for earlier transmission. > > - Routing daemons and other userland network improvements: > o IPsec support was improved: > - In iked(8), support route-based sec(4) tunnels. > - In iked(8), add support to verify X.509 chain from CERT > payloads. > - In iked(8), do not leak memory when receiving a CERT payload > for pubkey auth or for an invalid CERT Encoding. > - In iked(8), do not leak a file descriptor if > open_memstream(3) fails while trying to enable a child SA. > - While trying to verify an ECDSA signature in iked(8), > correctly detect failure of DER encoding with > i2d_ECDSA_SIG(3). > - In ipsecctl(8), support route-based IPsec VPN negotiation > with sec(4). > - In isakmpd(8), support configuring interface SAs for > route-based IPsec VPNs. > - In isakmpd(8) quick mode, do not crash with a NULL pointer > access when a group description is specified but it is > invalid, unsupported, or memory allocation or key generation > fails. > - In isakmpd(8), avoid a double free in the unlikely event that > EC_KEY_check_key(3) fails right after generating a new key > pair. > - Allow building isakmpd(8) with a libcrypto library that has > binary field support ("GF2m") removed. > o In bgpd(8), > - Add first version of flowspec support. Right now only > announcement of flowspec rules is possible. > - Update ASPA support to follow > draft-ietf-sidrops-aspa-verification-16 and > draft-ietf-sidrops-aspa-profile-16 by making the ASPA lookup > tables AFI-agnostic. > - Rework UPDATE message generation to use the new ibuf API > instead of the hand-rolled solution before. > - Fix ext-community * * matching which also affects filters > removing all ext-communities. > - Improve and extend the bgpctl parser to handle commands like > bgpctl show rib 192.0.2.0/24 detail. Also add various > flowspec specific commands. > - Introduce a semaphore to protect intermittent RTR session > data from being published to the RDE. > - Limit the socket buffer size to 64k for all sessions. > Limiting the buffer size to a reasonable size ensures that > not too many updates end up queued in the TCP stack. > - Adjust example GRACEFUL_SHUTDOWN filter rule in the example > config to only match on ebgp sessions. > o rpki-client(8) saw some changes: > - A 30%-50% performance improvement was achieved through > libcrypto's partial chains certificate validation feature. > Already validated non-inheriting CA certificates are now > marked as trusted roots. This way it can be ensured that a > leaf's delegated resources are properly covered, and at the > same time most validation paths are significantly shortened. > - Support for gzip and deflate HTTP Content-Encoding > compression was added. This allows web servers to send RRDP > XML in compressed form, saving around 50% of bandwidth. > - ASPA support was updated to > draft-ietf-sidrops-aspa-profile-16. As part of supporting > AFI-agnostic ASPAs, the JSON syntax for Validated ASPA > Payloads changed in both filemode and normal output. > - In filemode (-f option) the applicable manifests are now > shown as part of the signature path. > - A new -P option was added to manually specify a moment in > time to use when parsing the validity window of certificates. > Useful for regression testing. Default is invocation time of > rpki-client. > - The -A option will now also exclude ASPA data from the JSON > output. > - The synchronisation protocol used to sync the repository is > now included in the OpenMetrics output. > - Improved accounting by tracking objects both by repo and tal. > - Check whether products listed on a manifest were issued by > the same authority as the manifest itself. > - File modification timestamps of objects retrieved via RRDP > are now deterministically set to prepare the on-disk cache > for seamless failovers from RRDP to RSYNC. > - Improved detection of RRDP session desynchronization: a check > was added to compare whether the delta hashes associated to > previously seen serials are different in newly fetched > notification files. > - Improved handling of RRDP deltas in which objects are > published, withdrawn, and published again. > - Disallow X.509 v2 issuer and subject unique identifiers in > certs. RPKI CAs will never issue certificates with V2 unique > identifiers. > - A check to disallow duplicate X.509 certificate extensions > was added. > - A check to disallow empty sets of IP Addresses or AS numbers > in RFC 3779 extensions was added. > - A warning is printed when the CMS signing-time attribute in a > Signed Object is missing. > - Warnings about unrecoverable message digest mismatches now > include the manifestNumber to aid debugging the cause. > - A check was added to disallow multiple RRDP publish elements > for the same file in RRDP snapshots. If this error condition > is encountered, the RRDP transfer is failed and the RP falls > back to rsync. > - A compliance check for the proper X.509 Certificate version > and CRL version was added. > - A compliance check was added to ensure CMS Signed Objects > contain SignedData, in accordance to RFC 6488 section 3 > checklist item 1a. > - Compliance checks were added for the version, KeyUsage, and > ExtendedKeyUsage of EE certificates in Manifest, TAK, and GBR > Signed Objects. > - A CMS signing-time value being after the X.509 notAfter > timestamp was downgraded from an error to a warning. > - A bug was fixed in the handling of CA certificates which > inherit IP resources. > - A compliance check was added to ensure the X.509 Subject only > contains commonName and optionally serialNumber. > - A compliance check was added to ensure the CMS SignedData and > SignerInfo versions to be 3. > - Fisher-Yates shuffle the order in which Manifest entries are > processed. Previously, work items were enqueued in the order > the CA intended them to appear on a Manifest. However, there > is no obvious benefit to third parties deciding the order in > which things are processed. > o In smtpd(8), > - Swapped link-auth filter arguments to avoid ambiguities with > user names containing a "|" character. > - Bumped smtpd-filters(7) protocol version. > - Fixed potential truncation of filtered data lines. > - Allowed arguments on NOOP. > o Many other changes in various network programs and libraries: > - Allow libpcap to read files with some additional link-layer > type values. > - Let pcap_fopen_offline(3) correctly interpret some LINKTYPE* > values in pcap headers written on foreign operating systems. > - Make dig(1) use less deprecated LibreSSL API. > - Remove stylistic differences between arp(8) and ndp(8) > delete() function. This makes it easier to spot real changes > in behavior. > - Make ndp(8) not remove cloning routes when no neighbor entry > is found with ndp -d. > - Improved error handling in the asr resolver. > - In unwind(8), handle SERVFAIL results on name resolution > better. > - In unwind(8), fix a use-after-free bug triggered by fatal > write errors while sending TCP responses. > - In the router advertisement daemon rad(8), update the default > timers for prefix preferred and valid lifetimes to use the > values from RFC 9096. > - In slaacd(8), remove artificial limit of 2 hours on a PIO > lifetime. > - In ypldap(8), reduce memory usage when updating larger > directories. > - Make ypldap(8) more resilient when some servers are > misbehaving: keep trying LDAP servers until full results > arrive rather than just until one accepts the TCP connection. > - New wgdescription parameter to ifconfig(8) to set a string > describing the wg(4) peer. > - Let ifconfig(8) prefix the interface name to many error and > warning messages. > - Make the tlsv1.0 and tlsv1.1 options in relayd(8) do nothing, > as one should use the default tlsv1.2 instead. > - Fix IPv6 routes being changed by relayd(8) with Routers > configuration. > - In dhcrelay6(8), do not ignore the AF_LINK entries of carp(4) > interfaces. > - Improve the config parser of radiusd(8) to better handle > comments, improve error messages and plug a memory leak. > - In radiusd(8), add request or response decoration feature > which is used through the radiusd module interface. This > makes additional modules can modify RADIUS request or > response messages. Also add new "radius_standard" module > which uses this new feature, provides some generic features > like "strip-atmark-realm" which removes the realm part from > the User-Name attribute. > - Allow UDP for built-in inetd(8) services on 127.0.0.1. This > restriction was added in year 2000 due to IPv6 compatible and > mapped addresses. Nowadays our kernel does not support these > IPv6 features and blocks localhost addresses on non-loopback > interfaces. Make IPv4 127.0.0.1/8 and IPv6 ::1 behave > identically and provide local services if configured. > - In spamd(8), log a dummy "" IP address in the unlikely event > that getnameinfo(3) fails. > > - tmux(1) improvements and bug fixes: > o For passthrough, don't write to clients attached to different > sessions. > o Add a format to show if there are unseen changes while in a mode. > o Discard mouse sequences that have the right form but actually are > invalid. > o Invalidate cached tty state after changing features since they may > change what the terminal can do and need mouse sequences or > similar to be sent again. > o Add options to change the confirm key and default behaviour of > confirm-before. > o Add an option menu-selected-style to configure the currently > selected menu item. > o Add -c to run-shell to set working directory. > o Add detach-on-destroy previous and next, > o Set visited flag on last windows when linking session. > > - LibreSSL version 3.8.2 > o Security fixes > - Disabled TLSv1.0 and TLSv1.1 in libssl so that they may no > longer be selected for use. > - BN_is_prime{,_fasttest}ex() refuse to check numbers larger > than 32 kbits for primality. This mitigates various DoS > vectors. > - Restricted the RFC 3779 code to IPv4 and IPv6. It was not > written to be able to deal with anything else. > o Portable changes > - Extended the endian.h compat header with hto* and *toh > macros. > - Adapted more tests to the portable framework. > - Internal tools are now statically linked. > - Applications bundled as part of the LibreSSL package > internally, nc(1) and openssl(1), now are linked statically > if static libraries are built. > - Internal compatibility function symbols are no longer > exported from libcrypto. Instead, the libcompat library is > linked to libcrypto, libssl, and libtls separately. This > increases size a little, but ensures that the libraries are > not exporting symbols to programs unintentionally. > - Selective removal of CET implementation on platforms where it > is not supported (macOS). > - Integrated four more tests. > - Added Windows ARM64 architecture to tested platforms. > - Removed Solaris 10 support, fixed Solaris 11. > - libtls no longer links statically to libcrypto / libssl > unless --enable-libtls-only is specified at configure time. > - Improved Windows compatibility library, namely handling of > files vs sockets, correcting an exception when operating on a > closed socket. > - CMake builds no longer hardcode -O2 into the compiler flags, > instead using flags from the CMake build type instead. > - Set the CMake default build type to Release. This can be > overridden during configuration. > - Fixed broken ASM support with MinGW builds. > o New features > - Added support for truncated SHA-2 and for SHA-3. > - The BPSW primality test performs additional Miller-Rabin > rounds with random bases to reduce the likelihood of > composites passing. > - Allow testing of ciphers and digests using badly aligned > buffers in openssl speed using -unalign. > - Ed25519 certificates are now supported in openssl(1) ca and > req. Prepared Ed25519 support in libssl. > - Add branch target information (BTI) support to amd64 and > arm64 assembly. > o Compatibility changes > - Added a workaround for a poorly thought-out change in OpenSSL > 3 that broke privilege separation support in libtls. > - Moved libtls from ECDSA_METHOD to EC_KEY_METHOD. > - Removed GF2m support: BIGNUM no longer supports binary > extension field arithmetic and all binary elliptic builtin > curves were removed. > - Removed dangerous, "fast" NIST prime and elliptic curve > implementations. In particular, EC_GFp_nist_method() is no > longer available. > - Removed most public symbols that were deprecated in OpenSSL > 0.9.8. > - Removed the public X9.31 API (RSA_X931_PADDING is still > available). > - Removed Cipher Text Stealing mode. > - Removed ENGINE support, including ECDH_METHOD and > ECDSA_METHOD. > - Removed COMP, DSO, dynamic loading of conf modules and > support for custom ex_data and error stacks. > - Removed proxy certificate (RFC 3820) support. > - Removed SXNET and NETSCAPE_CERT_SEQUENCE support including > the openssl(1) nseq command. > - ENGINE support was removed and OPENSSL_NO_ENGINE is set. In > spite of this, some stub functions are provided to avoid > patching some applications that do not honor > OPENSSL_NO_ENGINE. > - The POLICY_TREE and its related structures and API were > removed. > - In X509_VERIFY_PARAM_inherit() copy hostflags independently > of the host list. > - Made CRYPTO_get_ex_new_index() not return 0 to allow > applications to use *{get,set}app_data() and > *{get,set}ex_data() alongside each other. > - X509_NAME_get_text_by{NID,OBJ}() now only succeed if they > contain valid UTF-8 without embedded NUL. > - The explicitText user notice uses UTF8String instead of > VisibleString to reduce the risk of emitting certificates > with invalid DER-encoding. > - Initial fixes for RSA-PSS support to make the TLSv1.3 stack > more compliant with RFC 8446. > - Fixed EVP_CIPHER_CTX_iv_length() to return what was set with > EVP_CTRL_AEAD_SET_IVLEN or one of its aliases. > o Internal improvements > - Improved sieve of Eratosthenes script used for generating a > table of small primes. > - Removed incomplete and dangerous BN_RECURSION code. > - Imported RFC 5280 policy checking code from BoringSSL and > used it to replace the old exponential time code. > - Converted more of libcrypto to use CBB/CBS. > - Started cleaning up and rewriting SHA internals. > - Reduced the dependency of hash implementations on many layers > of macros. This results in significant speedups since modern > compilers are now less confused. > - Improved BIGNUM internals and performance. > - Significantly simplified the BN_BLINDING internals used in > RSA. > - Made BN_num_bits() independent of bn->top. > > - Rewrote and simplified bn_sqr(). > - Significantly improved Montgomery multiplication performance. > - Rewrote and improved BN_exp() and BN_copy(). > - Changed ASN1_item_sign_ctx() and ASN1_item_verify() to work > with Ed25519 and fixed a few bugs in there. > - Lots of cleanup for DH, DSA, EC, RSA internals. Plugged > numerous memory leaks, fixed logic errors and > inconsistencies. > - Cleaned up and simplified various ECDH and ECDSA internals. > - Removed EC_GROUP precomp machinery. > - Fixed various issues with EVP_PKEY_CTX_{new,dup}(). > - Rewrote OBJ_find_sigid_algs() and OBJ_find_sigid_by_algs(). > - Improved X.509 certificate version checks. > - Ensure no X.509v3 extensions appear more than once in > certificates. > - Replaced ASN1_bn_print with a cleaner internal > implementation. > - Fix OPENSSL_cpuid_setup() invocations on arm/aarch64. > - Improved checks for commonName in libtls. > - Fixed error check for X509_get_ext_d2i() failure in libtls. > - Removed code guarded by #ifdef ZLIB. > - Plug a potential memory leak in ASN1_TIME_normalize(). > - Fixed a use of uninitialized in i2r_IPAddrBlocks(). > - Rewrote CMS_SignerInfo_{sign,verify}(). > o Bug fixes > - Correctly handle negative input to various BIGNUM functions. > - Ensure ERR_load_ERR_strings() does not set errno > unexpectedly. > - Fix error checking of i2d_ECDSA_SIG() in ossl_ecdsa_sign(). > - Fixed aliasing issue in BN_mod_inverse(). Disallowed aliasing > of result and modulus in various BN_mod_* functions. > - Fixed detection of extended operations (XOP) on AMD hardware. > - Ensure Montgomery exponentiation is used for the initial RSA > blinding. > - Policy is always checked in X509 validation. Critical policy > extensions are no longer silently ignored. > - Fixed error handling in tls_check_common_name(). > - Add missing pointer invalidation in SSL_free(). > - Fixed X509err() and X509V3err() and their internal versions. > - Ensure that OBJ_obj2txt() always returns a C string again. > - Made EVP_PKEY_set1_hkdf_key() fail on a NULL key. > - On socket errors in the poll loop, netcat could issue system > calls on invalidated file descriptors. > - Allow IP addresses to be specified in a URI. > - Fixed a copy-paste error in ASN1_TIME_compare() that could > lead to two UTCTimes or two GeneralizedTimes incorrectly > being compared as equal. > o Documentation improvements > - Improved documentation of BIO_ctrl(3), > BIO_set_info_callback(3), BIO_get_info_callback(3), > BIO_method_type(3), and BIO_method_name(3). > - Marked BIO_CB_return(), BIO_cb_pre(), and BIO_cb_post() as > intentionally undocumented. > - Made it very explicit that the verify callback should not be > used. > - Called out that the CRL lastUpdate is standardized as > thisUpdate. > - Documented the RFC 3779 API and its shortcomings. > o Testing and Proactive Security > - Significantly improved test coverage of BN_mod_sqrt() and > GCD. > - As always, new test coverage is added as bugs are fixed and > subsystems are cleaned up. > > - OpenSSH 9.5 and OpenSSH 9.4 > o Potentially incompatible changes > - ssh-keygen(1): generate Ed25519 keys by default. Ed25519 > public keys are very convenient due to their small size. > Ed25519 keys are specified in RFC 8709 and OpenSSH has > supported them since version 6.5 (January 2014). > - sshd(8): the Subsystem directive now accurately preserves > quoting of subsystem commands and arguments. This may change > behaviour for exotic configurations, but the most common > subsystem configuration (sftp-server) is unlikely to be > affected. > - ssh-agent(1): PKCS#11 modules must now be specified by their > full paths. Previously dlopen(3) could search for them in > system library directories. > o New features > - ssh(1): add keystroke timing obfuscation to the client. This > attempts to hide inter-keystroke timings by sending > interactive traffic at fixed intervals (default: every 20ms) > when there is only a small amount of data being sent. It also > sends fake "chaff" keystrokes for a random interval after the > last real keystroke. These are controlled by a new ssh_config > ObscureKeystrokeTiming keyword. > - ssh(1), sshd(8): Introduce a transport-level ping facility. > This adds a pair of SSH transport protocol messages > SSH2_MSG_PING/PONG to implement a ping capability. These > messages use numbers in the "local extensions" number space > and are advertised using a "p...@openssh.com" ext-info > message with a string version number of "0". > - sshd(8): allow override of Subsystem directives in sshd Match > blocks. > - ssh(1): allow forwarding Unix Domain sockets via ssh -W. > - ssh(1): add support for configuration tags to ssh(1). This > adds a ssh_config(5) "Tag" directive and corresponding "Match > tag" predicate that may be used to select blocks of > configuration similar to the pf.conf(5) keywords of the same > name. > - ssh(1): add a "match localnetwork" predicate. This allows > matching on the addresses of available network interfaces and > may be used to vary the effective client configuration based > on network location. > - ssh(1), sshd(8), ssh-keygen(1): infrastructure support for > KRL extensions. This defines wire formats for optional KRL > extensions and implements parsing of the new submessages. No > actual extensions are supported at this point. > - sshd(8): AuthorizedPrincipalsCommand and > AuthorizedKeysCommand now accept two additional %-expansion > sequences: %D which expands to the routing domain of the > connected session and %C which expands to the addresses and > port numbers for the source and destination of the > connection. > - ssh-keygen(1): increase the default work factor (rounds) for > the bcrypt KDF used to derive symmetric encryption keys for > passphrase protected key files by 50%. > o Bugfixes > - scp(1): fix scp in SFTP mode recursive upload and download of > directories that contain symlinks to other directories. In > scp mode, the links would be followed, but in SFTP mode they > were not. > - ssh-keygen(1): handle cr+lf (instead of just cr) line endings > in sshsig signature files. > - ssh(1): interactive mode for ControlPersist sessions if they > originally requested a tty. > - sshd(8): make PerSourceMaxStartups first-match-wins > - sshd(8): limit artificial login delay to a reasonable maximum > (5s) and don't delay at all for the "none" authentication > mechanism. > - sshd(8): Log errors in kex_exchange_identification() with > level verbose instead of error to reduce preauth log spam. > All of those get logged with a more generic error message by > sshpkt_fatal(). > - sshd(8): correct math for ClientAliveInterval that caused the > probes to be sent less frequently than configured. > - ssh-agent(1): improve isolation between loaded PKCS#11 > modules by running separate ssh-pkcs11-helpers for each > loaded provider. > - ssh(1): make -f (fork after authentication) work correctly > with multiplexed connections, including ControlPersist. > - ssh(1): make ConnectTimeout apply to multiplexing sockets and > not just to network connections. > - ssh-agent(1), ssh(1): improve defences against invalid > PKCS#11 modules being loaded by checking that the requested > module contains the required symbol before loading it. > - sshd(8): fix AuthorizedPrincipalsCommand when > AuthorizedKeysCommand appears before it in sshd_config. Since > OpenSSH 8.7 the AuthorizedPrincipalsCommand directive was > incorrectly ignored in this situation. > - sshd(8), ssh(1), ssh-keygen(1): remove vestigial support for > KRL signatures When the KRL format was originally defined, it > included support for signing of KRL objects. However, the > code to sign KRLs and verify KRL signatures was never > completed in OpenSSH. This release removes the > partially-implemented code to verify KRLs. All OpenSSH tools > now ignore KRL_SECTION_SIGNATURE sections in KRL files. > - All: fix a number of memory leaks and unreachable/harmless > integer overflows. > - ssh-agent(1), ssh(1): don't truncate strings logged from > PKCS#11 modules > - sshd(8), ssh(1): better validate CASignatureAlgorithms in > ssh_config and sshd_config. Previously this directive would > accept certificate algorithm names, but these were unusable > in practice as OpenSSH does not support CA chains. > - ssh(1): make ssh -Q CASignatureAlgorithms only list signature > algorithms that are valid for CA signing. Previous behaviour > was to list all signing algorithms, including certificate > algorithms. > - ssh-keyscan(1): gracefully handle systems where rlimits or > the maximum number of open files is larger than INT_MAX > - ssh-keygen(1): fix "no comment" not showing on when running > ssh-keygen -l on multiple keys where one has a comment and > other following keys do not. > - scp(1), sftp(1): adjust ftruncate() logic to handle servers > that reorder requests. Previously, if the server reordered > requests then the resultant file would be erroneously > truncated. > - ssh(1): don't incorrectly disable hostname canonicalization > when CanonicalizeHostname=yes and ProxyJump was explicitly > set to "none". > - scp(1): when copying local to remote, check that the source > file exists before opening an SFTP connection to the server. > > - Ports and packages: > o Pre-built packages are available for the following architectures on > the day of release: > - aarch64 (arm64): 11508 > - amd64: 11845 > - i386: 10603 > - sparc64: 8469 > o Packages for the following architectures will be made available as > their builds complete: > - arm > - mips64 > - powerpc > - powerpc64 > - riscv64 > > - Some highlights: > > o Asterisk 16.30.1, 18.19.0 and o Mozilla Thunderbird 115.3.1 > 20.4.0 o Mutt 2.2.12 and NeoMutt 20230517 > o Audacity 3.3.3 o Node.js 18.18.0 > o CMake 3.27.5 o OCaml 4.12.1 > o Chromium 117.0.5938.149 o OpenLDAP 2.6.6 > o Emacs 29.1 o PHP 7.4.33, 8.0.30, 8.1.24 and > o FFmpeg 4.4.4 8.2.11 > o GCC 8.4.0 and 11.2.0 o Postfix 3.7.3 > o GHC 9.2.7 o PostgreSQL 15.4 > o GNOME 44 o Python 2.7.18, 3.9.18, 3.10.13 > o Go 1.21.1 and 3.11.5 > o JDK 8u382, 11.0.20 and 17.0.8 o Qt 5.15.10 and 6.5.2 > o KDE Applications 23.08.0 o R 4.2.3 > o KDE Frameworks 5.98.0 o Ruby 3.0.6, 3.1.4 and 3.2.2 > o Krita 5.1.5 o Rust 1.72.1 > o LLVM/Clang 13.0.0 and 16.0.6 o SQLite 3.42.0 > o LibreOffice 7.6.2.1 o Shotcut 23.07.29 > o Lua 5.1.5, 5.2.4, 5.3.6 and o Sudo 1.9.14.2 > 5.4.6 o Suricata 6.0.12 > o MariaDB 10.9.6 o Tcl/Tk 8.5.19 and 8.6.13 > o Mono 6.12.0.199 o TeX Live 2022 > o Mozilla Firefox 118.0.1 and o Vim 9.0.1897 and Neovim 0.9.1 > ESR 115.3.1 o Xfce 4.18 > > - As usual, steady improvements in manual pages and other documentation. > > - The system includes the following major components from outside suppliers: > o Xenocara (based on X.Org 7.7 with xserver 21.1.8 + patches, > freetype 2.13.0, fontconfig 2.14.2, Mesa 22.3.7, xterm 378, > xkeyboard-config 2.20, fonttosfnt 1.2.2, and more) > o LLVM/Clang 13.0.0 (+ patches) > o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches) > o Perl 5.36.1 (+ patches) > o NSD 4.7.0 > o Unbound 1.18.0 > o Ncurses 5.7 > o Binutils 2.17 (+ patches) > o Gdb 6.3 (+ patches) > o Awk September 12, 2023 version > o Expat 2.5.0 > > ------------------------------------------------------------------------ > - SECURITY AND ERRATA -------------------------------------------------- > > We provide patches for known security threats and other important > issues discovered after each release. Our continued research into > security means we will find new security problems -- and we always > provide patches as soon as possible. Therefore, we advise regular > visits to > > https://www.OpenBSD.org/security.html > and > https://www.OpenBSD.org/errata.html > > ------------------------------------------------------------------------ > - MAILING LISTS AND FAQ ------------------------------------------------ > > Mailing lists are an important means of communication among users and > developers of OpenBSD. For information on OpenBSD mailing lists, please > see: > > https://www.OpenBSD.org/mail.html > > You are also encouraged to read the Frequently Asked Questions (FAQ) at: > > https://www.OpenBSD.org/faq/ > > ------------------------------------------------------------------------ > - DONATIONS ------------------------------------------------------------ > > The OpenBSD Project is a volunteer-driven software group funded by > donations. Besides OpenBSD itself, we also develop important software > like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet > filter, the quality work of our ports development process, and many > others. This ecosystem is all handled under the same funding umbrella. > > We hope our quality software will result in contributions that maintain > our build/development infrastructure, pay our electrical/internet costs, > and allow us to continue operating very productive developer hackathon > events. > > All of our developers strongly urge you to donate and support our future > efforts. Donations to the project are highly appreciated, and are > described in more detail at: > > https://www.OpenBSD.org/donations.html > > ------------------------------------------------------------------------ > - OPENBSD FOUNDATION --------------------------------------------------- > > For those unable to make their contributions as straightforward gifts, > the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian > not-for-profit corporation that can accept larger contributions and > issue receipts. In some situations, their receipt may qualify as a > business expense write-off, so this is certainly a consideration for > some organizations or businesses. > > There may also be exposure benefits since the Foundation may be > interested in participating in press releases. In turn, the Foundation > then uses these contributions to assist OpenBSD's infrastructure needs. > Contact the foundation directors at direct...@openbsdfoundation.org for > more information. > > ------------------------------------------------------------------------ > - HTTPS INSTALLS ------------------------------------------------------- > > OpenBSD can be easily installed via HTTPS downloads. Typically you need > a single small piece of boot media (e.g., a USB flash drive) and then > the rest of the files can be installed from a number of locations, > including directly off the Internet. Follow this simple set of > instructions to ensure that you find all of the documentation you will > need while performing an install via HTTPS. > > 1) Read either of the following two files for a list of HTTPS mirrors > which provide OpenBSD, then choose one near you: > > https://www.OpenBSD.org/ftp.html > https://ftp.openbsd.org/pub/OpenBSD/ftplist > > As of October 16, 2023, the following HTTPS mirror sites have the > 7.4 release: > > https://cdn.openbsd.org/pub/OpenBSD/7.4/ Global > https://ftp.eu.openbsd.org/pub/OpenBSD/7.4/ Stockholm, Sweden > https://ftp.hostserver.de/pub/OpenBSD/7.4/ Frankfurt, Germany > https://ftp.bytemine.net/pub/OpenBSD/7.4/ Oldenburg, Germany > https://ftp.fr.openbsd.org/pub/OpenBSD/7.4/ Paris, France > https://mirror.aarnet.edu.au/pub/OpenBSD/7.4/ Brisbane, Australia > https://ftp.usa.openbsd.org/pub/OpenBSD/7.4/ CO, USA > https://ftp5.usa.openbsd.org/pub/OpenBSD/7.4/ CA, USA > https://mirror.esc7.net/pub/OpenBSD/7.4/ TX, USA > https://openbsd.cs.toronto.edu/pub/OpenBSD/7.4/ Toronto, Canada > https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.4/ Global > https://fastly.cdn.openbsd.org/pub/OpenBSD/7.4/ Global > > The release is also available at the master site: > > https://ftp.openbsd.org/pub/OpenBSD/7.4/ Alberta, Canada > > However it is strongly suggested you use a mirror. > > Other mirror sites may take a day or two to update. > > 2) Connect to that HTTPS mirror site and go into the directory > pub/OpenBSD/7.4/ which contains these files and directories. > This is a list of what you will see: > > ANNOUNCEMENT armv7/ octeon/ root.mail > README hppa/ openbsd-74-base.pub sparc64/ > SHA256 i386/ packages/ src.tar.gz > SHA256.sig landisk/ packages-stable/ sys.tar.gz > alpha/ loongson/ ports.tar.gz xenocara.tar.gz > amd64/ luna88k/ powerpc64/ > arm64/ macppc/ riscv64/ > > It is quite likely that you will want at LEAST the following > files which apply to all the architectures OpenBSD supports. > > README - generic README > root.mail - a copy of root's mail at initial login. > (This is really worthwhile reading). > > 3) Read the README file. It is short, and a quick read will make > sure you understand what else you need to fetch. > > 4) Next, go into the directory that applies to your architecture, > for example, amd64. This is a list of what you will see: > > BOOTIA32.EFI* bsd* floppy74.img pxeboot* > BOOTX64.EFI* bsd.mp* game74.tgz xbase74.tgz > BUILDINFO bsd.rd* index.txt xfont74.tgz > INSTALL.amd64 cd74.iso install74.img xserv74.tgz > SHA256 cdboot* install74.iso xshare74.tgz > SHA256.sig cdbr* man74.tgz > base74.tgz comp74.tgz miniroot74.img > > If you are new to OpenBSD, fetch at least the file INSTALL.amd64 > and install74.iso. The install74.iso file (roughly 633MB in size) > is a one-step ISO-format install CD image which contains the various > *.tgz files so you do not need to fetch them separately. > > If you prefer to use a USB flash drive, fetch install74.img and > follow the instructions in INSTALL.amd64. > > 5) If you are an expert, follow the instructions in the file called > README; otherwise, use the more complete instructions in the > file called INSTALL.amd64. INSTALL.amd64 may tell you that you > need to fetch other files. > > 6) Just in case, take a peek at: > > https://www.OpenBSD.org/errata.html > > This is the page where we talk about the mistakes we made while > creating the 7.4 release, or the significant bugs we fixed > post-release which we think our users should have fixes for. > Patches and workarounds are clearly described there. > > ------------------------------------------------------------------------ > - X.ORG FOR MOST ARCHITECTURES ----------------------------------------- > > X.Org has been integrated more closely into the system. This release > contains X.Org 7.7. Most of our architectures ship with X.Org, including > amd64, sparc64 and macppc. During installation, you can install X.Org > quite easily using xenodm(1), our simplified X11 display manager forked > from xdm(1). > > ------------------------------------------------------------------------ > - PACKAGES AND PORTS --------------------------------------------------- > > Many third party software applications have been ported to OpenBSD and > can be installed as pre-compiled binary packages on the various OpenBSD > architectures. Please see https://www.openbsd.org/faq/faq15.html for > more information on working with packages and ports. > > Note: a few popular ports, e.g., NSD, Unbound, and several X > applications, come standard with OpenBSD and do not need to be installed > separately. > > ------------------------------------------------------------------------ > - SYSTEM SOURCE CODE --------------------------------------------------- > > The source code for all four subsystems can be found in the > pub/OpenBSD/7.4/ directory: > > xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz > > The README (https://ftp.OpenBSD.org/pub/OpenBSD/7.4/README) file > explains how to deal with these source files. > > ------------------------------------------------------------------------ > - THANKS --------------------------------------------------------------- > > Ports tree and package building by Jeremie Courreges-Anglas, > Visa Hankala, Stuart Henderson, Peter Hessler, George Koehler, > Kurt Mosiejczuk, and Christian Weisgerber. Base and X system builds by > Kenji Aoyama, Theo de Raadt, and Miod Vallat. Release art by > Jessica Scott. > > We would like to thank all of the people who sent in bug reports, bug > fixes, donation cheques, and hardware that we use. We would also like > to thank those who bought our previous CD sets. Those who did not > support us financially have still helped us with our goal of improving > the quality of the software. > > Our developers are: > > Aaron Bieber, Adam Wolk, Aisha Tammy, Alexander Bluhm, > Alexander Hall, Alexandr Nedvedicky, Alexandr Shadchin, > Alexandre Ratchov, Andrew Fresh, Anil Madhavapeddy, > Anthony J. Bentley, Antoine Jacoutot, Anton Lindqvist, Asou Masato, > Ayaka Koshibe, Benoit Lecocq, Bjorn Ketelaars, Bob Beck, > Brandon Mercer, Brent Cook, Brian Callahan, Bryan Steele, > Can Erkin Acar, Caspar Schutijser, Charlene Wendling, > Charles Longeau, Chris Cappuccio, Christian Weisgerber, > Christopher Zimmermann, Claudio Jeker, Dale Rahn, Damien Miller, > Daniel Dickman, Daniel Jakots, Darren Tucker, Dave Voutila, > David Coppa, David Gwynne, David Hill, Denis Fondras, Edd Barrett, > Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus, > George Koehler, George Rosamond, Gerhard Roth, Giannis Tsaraias, > Gilles Chehade, Giovanni Bechis, Gleydson Soares, > Gonzalo L. Rodriguez, Greg Steuck, Helg Bredow, Henning Brauer, > Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze, > Inoguchi Kinichiro, James Hastings, James Turner, Jan Klemkow, > Jason McIntyre, Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, > Jeremy Evans, Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, > Jonathan Gray, Jonathan Matthew, Jordan Hargrave, Josh Rickmar, > Joshua Sing, Joshua Stein, Juan Francisco Cantero Hurtado, > Kazuya Goda, Kenji Aoyama, Kenneth R Westerback, Kent R. Spillner, > Kevin Lo, Kirill Bychkov, Klemens Nanni, Kurt Miller, > Kurt Mosiejczuk, Landry Breuil, Lawrence Teo, Lucas Raab, > Marc Espie, Marcus Glocker, Mark Kettenis, Mark Lumsden, > Markus Friedl, Martijn van Duren, Martin Natano, Martin Pieuchot, > Martin Reindl, Martynas Venckus, Matthew Dempsky, Matthias Kilian, > Matthieu Herrb, Michael Mikonos, Mike Belopuhov, Mike Larkin, > Miod Vallat, Moritz Buhl, Nam Nguyen, Nayden Markatchev, > Nicholas Marriott, Nigel Taylor, Okan Demirmen, Omar Polo, > Ori Bernstein, Otto Moerbeek, Paco Esteban, Pamela Mosiejczuk, > Pascal Stumpf, Patrick Wildt, Paul Irofti, Pavel Korovin, > Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas, > Rafael Sadowski, Rafael Zalamena, Raphael Graf, Remi Locherer, > Remi Pointel, Renato Westphal, Ricardo Mestre, Richard Procter, > Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha, > Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie, > Solene Rapenne, Stefan Fritsch, Stefan Hagen, Stefan Kempf, > Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson, > Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler, > Theo de Raadt, Thomas Frohwein, Tim van der Molen, Tobias Heider, > Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove, > Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov, > Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Volker Schlecht, > Yasuoka Masahiko, Yojiro Uo