Upgrading...

;)

------- Original Message -------
On Monday, October 16th, 2023 at 09:53, Theo de Raadt <dera...@openbsd.org> wrote:

> ------------------------------------------------------------------------
> - OpenBSD 7.4 RELEASED -------------------------------------------------
> 
> October 16, 2023.
> 
> We are pleased to announce the official release of OpenBSD 7.4.
> This is our 55th release. We remain proud of OpenBSD's record of more
> than twenty years with only two remote holes in the default install.
> 
> As in our previous releases, 7.4 provides significant improvements,
> including new features, in nearly all areas of the system:
> 
> - Various kernel improvements:
> o On arm64, show BTI and SBSS features in dmesg(8).
> o New kqueue1(2) system call supporting the O_CLOEXEC flag.
> o Map device tree read/write to unbreak root on softraid(4).
> o Correctly recognize umass(4) floppy disk devices as floppy disks.
> o In wscons(4), catch up with box drawing characters which have been
> standardized in unicode after the original wscons code was written
> and chose placeholder values.
> o In wscons(4), make sure we do not increase the escape sequence
> argument count beyond usable bounds.
> o Implement dt(4) utrace(2) support on amd64 and i386.
> o Correct undefined behavior when using MS-DOS filesystems, fixes
> imported from FreeBSD.
> o Make the softdep mount(8) option a no-op. Softdep was a
> significant impediment to improving the vfs layer.
> o Allow unveil(2)ed programs to dump core(5) into the current
> working directory.
> o Address incomplete validation of ELF program headers in execve(2).
> o On arm64, use the deep idle state available on Apple M1/M2 cores
> in the idle loop and for suspend, resulting in power savings.
> o Update AMD CPU microcode if a newer patch is available.
> o Enable a workaround for the 'Zenbleed' AMD CPU bug.
> o Report speculation control bits in dmesg(8) CPU lines.
> o To give the primary CPU an opportunity to perform clock interrupt
> preparation in a machine-independent manner we need to separate
> the "initialization" parts of cpu_initclocks() from the "start the
> clock interrupt" parts. Separate cpu_initclocks() from
> cpu_startclock().
> o Fix a problem where CPU time accounting and RLIMIT_CPU was
> unreliable on idle systems.
> o Improve the output of the "show proc" command of the kernel
> debugger ddb(4) and show both the PID and TID of the proc.
> 
> - SMP Improvements
> o Rewrite pfsync(4), in particular to improve locking and to help
> with unlocking more of pf(4) and with parallelisation of the
> network stack in the future. The protocol remains compatible with
> the older version.
> o Remove kernel locks from the ARP input path.
> o Pull MP-safe arprequest() out of kernel lock.
> o Remove the kernel lock from IPv6 neighbor discovery.
> o Unlock more parts of ioctl(2) and the routing code in the network
> stack.
> 
> - Direct Rendering Manager and graphics drivers
> o Update drm(4) to Linux 6.1.55.
> o Don't change end marker in sg_set_page(). Caused bad memory
> accesses when using page flipping on Alder Lake and Raptor Lake.
> 
> - VMM/VMD improvements
> o Allowed vmm(4) guests to enable and use supervisor IBT.
> o Suppressed AMD hardware p-state visibility to vmm(4) guests.
> o Avoid use of uninitialised memory in vmd(8).
> o Migrate vmd_vm.vm_ttyname to char array allowing a vmd_vm object
> to be transmitted over an ipc channel.
> o Cleaned up file descriptor closing in vmd(8) vmm process.
> o Fixed vm send/receive, restoring device virtqueue addresses on
> receive.
> o Introduced execvp(3) after fork for child vm processes.
> o No longer generate an error in vmd(8) if vm.conf(5) is absent.
> o Split vmm(4) into MI/MD parts.
> o Introduced multi-process model for vmd(8) virtio block and network
> devices.
> o Allowed vm owners to override boot kernel when using vmctl(8) to
> start a vm.
> o Changed staggered start of vms to number of online CPUs.
> o Fixed a segfault on vm creation.
> o Switched to anonymous shared memory mappings for vmd(8) vm
> processes, introducing a new vmm(4) ioctl(2).
> o Relaxed absolute path requirements for vmd(8) configtest mode
> (-n).
> o Adjusted shutdown logic by vm id to function similarly as by name.
> o Moved validation of local network prefixes for the internal vmd(8)
> DHCP service into the config parser.
> o Fixed QCOW2 base images when used with the vmd(8) multi-process
> device model.
> o Fixed setting verbose logging in child processes.
> o Fixed a race condition related to the emulated i8259 interrupt
> controller by ignoring interrupt masks on assert.
> o Inlined pending interrupts in the vmm(4) ioctl(2) for running the
> vcpu, reducing vm latency.
> o Added zero-copy, vectored io to the vmd(8) virtio block device.
> o Changed to logging vmd(8) vm ids in the vcpu run loop on error and
> not the ids used by vmm(4).
> o Fixed a vm pause deadlock.
> o Changed vmd(8) logging format to disambiguate vm and device
> process by names and indices.
> o Fixed dynamically toggling verbose logging mode with vmctl(8).
> 
> - Various new userland features:
> o New ISO C11 header <uchar.h> declaring the types char32_t and
> char16_t and the functions c32rtomb(3), mbrtoc32(3), c16rtomb(3),
> and mbrtoc16(3).
> o Introduce a new malloc(3) option D for memory leak detection with
> ktrace(1) and kdump(1).
> o Support ${.VARIABLES} in make(1), listing the names of all global
> variables that have been set.
> o New kdump(1) -u option to select utrace(2) tracepoints by label.
> o In openrsync(1), support the options --size-only and
> --ignore-times.
> o Update zoneinfo to tzdata2023c.
> o Accept the ucom(4) fixed name format as a valid format for the
> cu(1) -l option.
> o In cron(8) and crontab(5), add support for random offsets when
> using ranges with a step value in cron. This extends the random
> range syntax to support step values. Instead of choosing a random
> number between the high and low values, the field is treated as a
> range with a random offset less than the step value. This can be
> used to avoid thundering herd problems where multiple machines
> contact a server all at the same time via cron jobs.
> o Extend and improve the ibuf API in libutil and add functions for
> more specific data types, for modifying data at specific offsets,
> for getting and setting the file descriptor stored on the ibuf and
> for efficient wrapping of ibufs into imsgs. The ibuf API is mostly
> used in network daemons.
> o In wsconsctl(8), add button mappings for two- and three-finger
> clicks on clickpads.
> 
> - Various bugfixes and tweaks in userland:
> o In pax(1) and tar(1), do not open files that will be skipped,
> speeding up archive creation when many files are skipped.
> o In pax(1), tar(1), and cpio(1) terminal output, escape
> non-printable characters in messages that may include file names,
> and truncate times to the correct maximum value.
> o Better diagnostics from make(1) when a makefile exists but cannot
> be opened.
> o Prevent a buffer underflow in patch(1) that could occur with lines
> longer than 32kB.
> o Prevent a segmentation fault in patch(1) that occurred when a
> patch specified a file name so long that basename(3) failed.
> o Prevent a read buffer overrun in patch(1) that could occur when a
> patch specified a file name ending in a slash.
> o Let stat(1) correctly print mtimes after 2038.
> o Refactoring and documenting of fdisk(8) code, to make it easier to
> maintain.
> o fdisk(8) no longer adds extra blanks at the end of lines,
> eliminating spurious line wrapping.
> o In clang(1), allow out-of-class defaulting of comparison
> operators, by way of backporting an upstream commit.
> o Many changes in mg(1):
> - New command set-tab-width to change the tabulator width on a
> per-buffer basis.
> - Let the space-to-tabstop command move to the right position
> even if the line contains tabs, control characters, or
> non-ASCII bytes.
> - Fall back to /bin/sh if $SHELL is undefined.
> - Fix parsing of tag files with duplicate entries. Instead of
> erroring out, ignore duplicates. Fixes using
> /var/db/libc.tags again.
> - Change the visit-tags-table command to immediately load the
> tag file, and drop the lazy mechanics.
> - Do not leak memory in pop-tag-mark if it fails to switch
> buffers.
> - Fix a read buffer overrun caused by -u arguments longer than
> 1023 bytes.
> - Fix a write buffer overrun on the stack caused by
> blink-and-insert matching a very long line that is not
> currently visible in the window.
> - Skip checking permissions of conffile with access(2).
> - Resurrect no-tab-mode and add it to the list of modes that
> can be set with set-default-mode.
> o Fix a segfault when the disklabel(8) simple editor encounters an
> incomplete partition line.
> o Fix disklabel(8) handling of templates with partitions after a
> "N-* 100" entry.
> o Enable disklabel(8) regress tests to work on sparc64.
> o Fix fdisk(8) initialization of CHS/LBA fields in an MBR, allowing
> machines with a BIOS that uses CHS to boot from disks >8G.
> o Retire disklabel(8) -E expert mode.
> o When displaying GPT partition attributes fdisk(8) prefixes
> Microsoft partition attribute names with 'MS'.
> o In the absence of the 'disktype' command line parameter
> disklabel(8) always uses the current media type provided by the
> kernel.
> o Ensure fdisk(8) handles the case where a GPT partition name is not
> a valid C string.
> o When creating new crypto volumes with bioctl(8), by default use a
> hardware based number of KDF rounds for passphrases.
> o Let bioctl(8) gracefully prompt again during interactive creation
> and passphrase change on CRYPTO and 1C volumes.
> o Let bioctl(8) read passphrases without prompts or confirmation in
> -s mode, allowing non-interactive use.
> o Allow the atactl(8) command readattr to succeed even for disks
> where ATA_SMART_READ and ATA_SMART_THRESHOLD revisions mismatch,
> as long as checksums are OK.
> o In ld.so(1), treat symlinks in $ORIGIN determination the same way
> as other OS linkers do.
> o In ld.so(1), avoid an overflow in the ELF SYSV ABI hash function.
> o Make sure modf(3) and modff(3) return correct values for
> infinities.
> o Do not fail in ober_scanf_elements(3) when encountering empty
> sequences.
> o Remove broken special handling of test -t in ksh(1).
> o The caching mechanism used by pkg_add(1) to speed up pkg_add -u
> now also works if -stable packages are available.
> o Significantly increase the speed of pkg-config(1).
> o In seq(1), fix a check for rounding error and truncation.
> o In cron(8), introduce upstream fixes in the handling of @yearly,
> @monthly, @weekly, @daily and @hourly entries.
> o Fix a bug in cron(8) where whitespace after usernames would not be
> completely skipped while parsing the crontab(5) file.
> o Make rcctl(8) check if a daemon exists before trying to disable
> it, thereby avoiding parsing and printing of bogus characters.
> o Print to the console the fingerprint of a newly generated ssh(1)
> host key of the preferred type (currently ED25519), typically when
> booting for the first time. This simplifies a secure first ssh
> connection to a freshly installed machine.
> 
> - Improved hardware support and driver bugfixes, including:
> o Add rkiovd(4), a driver for the I/O voltage domains on Rockchip
> SoCs.
> o Add support for TEMPerGold 3.4 temperature sensor to ugold(4).
> o Add qcrng(4), a driver for the Qualcomm RNG device found on the
> ThinkPad X13s.
> o Add rkusbphy(4), a driver for the usb2phy on Rockchip SoCs.
> o Support AP806/CP110 SoCs in mvtemp(4).
> o Add dwmshc(4) to support Designware Mobile Storage Host
> Controllers found on rk356x and rk3588 SoCs.
> o Add iosf(4), a driver for the Intel OnChip System Fabric.
> o Add support for the RTL8153D chipset in ure(4).
> o Add support for the Peripheral Authentication Service SMC
> interface in qcscm(4).
> o Add qcmtx(4), a driver for the hardware spinlock on Qualcomm SoCs
> that is used to synchronize access to the shared memory table.
> o Add qcsmptp(4), a driver to share 32-bit values between
> (co-)processors.
> o Add qcaoss(4), a driver for the Always On Subsystem found on
> Qualcomm SoCs.
> o Add qcpas(4), a driver for the Peripheral Authentication Service
> found on Qualcomm SoCs. Enable AC detection.
> o Add qctsens(4), a driver for the Temperature Sensor found on
> Qualcomm SoCs.
> o Add driver qccpu(4) for QC CPU Power States.
> o Add qcsdam(4), a driver for the PMIC Shared Direct Access Memory
> found on Qualcomm SoCs.
> o Add stfrng(4), a driver for the random number generator on the
> StarFive JH7110 SoC.
> o Add support for the PCIe controller on the JH7110 SoC with
> stfpciephy(4).
> o New sysctl(2) nodes for battery management, hw.battery.charge*.
> Support them with acpithinkpad(4) and aplsmc(4).
> o Define fixed names for ucom(4) USB serial ports, display them in
> attach messages and via the new hw.ucomnames sysctl(2).
> o Add support for the RK3568 32k RTC, RK3588, and other clocks in
> rkclock(4).
> o In dwpcie(4), attach Baikal-M PCIe.
> o In openfirmware, implement regulator notifiers which get called
> when the voltage/current for a regulator is changed or when the
> regulator gets initialized when it attaches for the first time.
> The latter makes it possible to register a notifier for a
> regulator that hasn't attached yet.
> o Ignore duplicate ACPI lid transitions as they can happen on Dell
> Precision 5510 systems.
> o Make RK3568 PCIe controllers run at the maximum possible speed by
> using dwpcie_link_config() when initializing.
> o In the Universal Flash Storage Host Controller Interface
> (ufshci(4)), enable Force Unit Access (FUA) for write commands.
> o Make SATA (ahci(4)) work on a Banana Pi BPI-R2 Pro.
> o In umcs(4), set parity bits correctly.
> o Enable the caps lock LED on modern Apple laptop keyboards.
> o Add support for Rockchip "cryptov2-rng" random number generator in
> rkrng(4).
> o Fix cpuperf on the Apple M2 Pro/Max.
> o Add support for the PCIe controller found on Apple M2 Pro/Max
> SoCs.
> o Add support for enabling both the USB2 and USB3 PHYs in xhci(4)
> with device tree.
> o In the SCSI tape driver st(4), add support for I/O statistics so
> that tape speeds can be observed with iostat(8).
> o Fix use of MMC/SD/SDIO on RK3588 ARM SoC in dwmmc(4).
> o Support thermal sensors on Ryzen 9 79xx in ksmn(4).
> o Add support for JH7110 to dwmmc(4), making eMMC and microSD mostly
> work on the Starfive VisionFive 2.
> o Add support for the RK3588 PCIe3 PHY to rkpciephy(4). The PHY
> controls 4 lanes that can be routed to 4 of 5 PCIe controllers.
> o Add mute control to sncodec(4). This makes the mute button work on
> laptops using this driver.
> o Add mute control to tascodec(4). This makes the mute button on
> laptops that use tascodec(4) work.
> o Improve the suspend/resume behavior of several drivers, reducing
> power consumption during suspend.
> o Add support for the Synopsys DesignWare I2C controller (dwiic(4))
> and the X-Powers AXP Power Management IC (axppmic(4)).
> o Enable the mbg(4) timedelta sensor on amd64 and match the Meinberg
> PZF180PEX.
> 
> - New or improved network hardware support:
> o Fix dwqe(4) on several boards that use rgephy(4) by configuring
> the RGMII interface before taking the PHY out of reset.
> o Improve dwqe(4) and determine PHY mode and pass the appropriate
> flags down to the PHY when attaching.
> o Report in dmesg(8) on which gmac the dwqe(4) driver is attaching
> to.
> o Document that Intel i226 adapters are supported by igc(4).
> o Add ngbe(4), a driver for WangXun WX1860 PCI Express 10/100/1Gb
> Ethernet devices. Also support it on amd64 install media.
> o Add support for the RTL8211F-VD PHY in rgephy(4).
> o In openfirmware, add glue for network interfaces to be found by
> fdt/ofw node or phandle in order to support "switch chips" like
> the marvell link street.
> o Add support for RTL8153D devices to ure(4).
> o Provide byte and packet counter statistics in some dwge(4)
> implementations.
> o On bge(4), make hardware counters available via kstats for BCM5705
> and newer controller chips.
> o Make several improvements to vmx(4), the VMware VMXNET3 Virtual
> Interface Controller.
> o In em(4), stop putting multicast addresses into the Receive
> Address Registers. Instead hash them all into the Multicast Table
> Array.
> o Support Mellanox ConnectX-6 Lx in mcx(4).
> o In mcx(4), add 100GB LR4 Ethernet capability and map it to
> IFM_100G_LR4.
> o Add initial support for Atlantic 2 hardware in aq(4).
> 
> - Added or improved wireless network drivers:
> o Improve how Quectel LTE&5G devices attach to umb(4).
> 
> - IEEE 802.11 wireless stack improvements and bugfixes:
> o Add support for RTL8188FTV devices to the urtwn(4) driver.
> o Attach Intel wireless devices with PCI product ID 0x51f1 to
> iwx(4).
> o Fix a bug where iwm(4) and iwx(4) background scan tasks were added
> to the wrong task queue.
> o Fix a firmware error that occurred when an iwx(4) interface was
> brought down.
> o Fix iwx(4) firmware errors triggered during background scans.
> o Fix a crash in the iwm(4) driver when userland attempts to inject
> frames via bpf in monitor mode.
> 
> - Installer, upgrade and bootloader improvements:
> o In the arm64 ramdisk, simplify apple firmware copying to make it
> easier to add new firmware.
> o On armv7 and arm64, silence informational messages from dd(1) when
> zeroing a disk's first 1MB. Use character not block devices with
> dd(1) like on other architectures.
> o Refactor the code of md_installboot() on armv7 and arm64 to be
> more in line with other architectures.
> o Improve the dialogue of the installer without affecting
> autoinstall(8) files.
> o Enable ufshci(4) on arm64 install media.
> o On arm64 pine64 boards, stop writing pine64 firmware to disk.
> o When media has neither a GPT nor an MBR, installboot(8) assumes
> OpenBSD occupies the entire disk starting at sector 0.
> o Attempt to not overflow the ramdisk when extracting firmware on
> Apple arm64 systems.
> o Add support for loading files from the EFI System Partition.
> o Fix a bug in the handling of SCSI drives in the bootloader on the
> luna88k architecture.
> o On luna88k, implement the chmod() signaling mechanism for
> /bsd.upgrade to prevent re-upgrade, like other architectures.
> o Support for softraid(4) disks in the installer was improved:
> - Make root on softraid(4) installations boot out of the box on
> Raspberry Pis (arm64).
> - Support installations with root on softraid(4) on arm64,
> tested on Pinebook Pro, Raspberry Pi 4b, and SolidRun CEX7.
> - On riscv64, enable softraid(4) in the ramdisk kernel and
> support installations with root on softraid(4).
> - When installing on encrypted softraid(4), determine the disk
> for placing the root device automatically and make it default
> as it is the only legit choice.
> - Add arm64 to the list of architectures with support for
> guided disk encryption.
> - Retain existing EFI System partitions on systems with APFSISC
> partitions (arm64 Apple M1/M2) during installation with root
> on softraid(4).
> - Enable softraid(4) in ramdisk on the powerpc64 architecture.
> 
> - Security improvements:
> o Enable indirect branch tracking (IBT) on amd64 and branch target
> identification (BTI) on arm64 in both the kernel and in userland.
> On hardware that supports this feature, it helps enforce control
> flow integrity by making sure malicious code cannot jump into the
> middle of a function.
> o On the arm64 architecture, enable pointer authentication (PAC) in
> userland on those machines where it works correctly. It helps
> enforce control flow integrity by making sure malicious code
> cannot manipulate a function's return address.
> o Together with retguard these two features protect against ROP
> attacks. Compiler defaults for base clang, ports clang and ports
> gcc (as well as some other non-C language family compilers in
> ports) have been changed to enable these features by default. As a
> result the vast majority of programs on OpenBSD (and all programs
> in the base system) run with these security features enabled.
> o Change malloc(3) chunk sizes to be fine grained: chunk sizes are
> closer to the requested allocation size.
> o In malloc(3), check all chunks in the delayed free list for
> write-after-free.
> o The shutdown(8) program can now only be executed by members of the
> new shutdown group. The idea is that system administrators can
> now remove most users from the excessively powerful operator
> group, which in particular provides read access to disk device
> nodes.
> o Using unveil(2), restrict patch(1) filesystem access to the
> current directory including subdirectories, TMPDIR, and file names
> given on the command line.
> o In ksh(1), consistently escape control characters when displaying
> file name completions, even when there are multiple matches.
> 
> - Changes in the network stack:
> o Sync the use of getuptime(9) in the Neighbour Discovery (ND) code
> with ARP.
> o In the IPv6 forwarding code, call getuptime(9) once for
> consistency with IPv4.
> o ARP has a queue of packets that should be sent after name
> resolution. Neighbor discovery (ND6) only held a single
> packet. Unified the code, added a queue to ND6 and made the code
> MP safe.
> o Implement a new sysctl(2) net.inet6.icmp6.nd6_queued to show the
> number of packets waiting for an ND6 response, analogous to ARP.
> o When configuring a new IPv6 address on an interface, an upstream
> router doesn't know where to send traffic. Send an unsolicited
> neighbor advertisement, as described in RFC9131, to the
> all-routers multicast address so all routers on the same link will
> learn the path back to the address.
> o Implement the inbound portion of RFC9131. Let routers create new
> neighbor cache entries when receiving valid neighbor
> advertisements.
> o Initial support for TCP segmentation offload (TSO) and TCP large
> receive offload (LRO) was implemented:
> - If the driver of a network interface supports TSO, do not
> chop the packet in the network stack, but pass it down to the
> interface layer for TSO.
> - Provide a software TSO implementation, to be used as a
> fallback if network hardware does not support TSO.
> - Provide a new sysctl(2) node net.inet.tcp.tso such that TSO
> can be globally disabled. By default, it is enabled on all
> interfaces supporting it.
> - In ifconfig(8), display separate hwfeatures for TSOv4, TSOv6,
> and LRO and provide a -tcplro parameter to disable LRO on a
> per-interface basis.
> - Enable TSO and forwarding of LRO packets via TSO in ix(4).
> - In ix(4), allocate less memory for tx buffers.
> - Speed up TCP transfer on lo(4) interfaces by using TSO and
> LRO.
> - Enable LRO per default in network drivers. LRO allows receiving
> aggregated packets larger than the MTU. Receiving TCP
> streams becomes much faster. Currently only ix(4) and lo(4)
> devices support LRO, and ix(4) is limited to IPv4 and
> hardware newer than the old 82598 model.
> o The following changes were made to the pf(4) firewall:
> - Speed up the ioctl(2) request DIOCGETRULE such that pfctl(8)
> can retrieve all pf(4) rules from the kernel in linear rather
> than in quadratic time. To protect the kernel from memory
> exhaustion, userland processes now have to release tickets
> obtained with DIOCGETRULES by issuing the new ioctl(2)
> request DIOCXEND. In particular, snmpd(8) and systat(1) now
> do that.
> - Relax the implementation of the pass all rule so all forms of
> neighbor advertisements are allowed in either direction.
> - When redirecting locally generated IP packets to userland
> with divert-packet rules, the packets may have no checksum
> due to hardware offloading. Calculate the checksum in that
> case.
> - Fix a bug where nat-to could fail to insert a state due to
> conflict on chosen source port number.
> - No longer ignore keep state and nat-to actions for
> unsolicited ICMP error responses. Tighten the rule matching
> logic so ICMP error responses no longer match keep state
> rules. In typical scenarios, ICMP errors (if solicited) should
> match existing state. The change is going to bite firewalls
> which deal with asymmetric routes. In those cases the keep
> state action should be relaxed to sloppy, or a new no state rule
> should be added to explicitly match ICMP errors.
> o Do not calculate IP, TCP, and UDP checksums on lo(4) interfaces.
> o Convert the tcp_now() time counter to 64 bits to avoid 32 bits
> wrap around after changing tcp_now() ticks to milliseconds.
> o Add initial support for route-based IPsec VPNs.
> Rather than use IPsec flows (aka, entries in the IPsec security
> policy database) to decide which traffic should be encapsulated in
> IPsec and sent to a peer, this changes security associations (SAs)
> so they can also refer to a tunnel interface. When traffic is
> routed over that tunnel interface, an IPsec SA is looked up and
> used to encapsulate traffic before being sent to the peer on the
> SA. When traffic is received from a peer using an interface SA,
> the specified interface is looked up and the packet is handed to
> it so it looks like packets come out of the tunnel.
> o Add sec(4) to support route-based IPsec VPNs.
> o Introduce reference counting for TCP syn cache entries.
> o Have wg(4) copy the priority from the inner packet to the outer
> encrypted packet, so that higher priority packets are picked from
> hfsc queues for earlier transmission.
> 
> - Routing daemons and other userland network improvements:
> o IPsec support was improved:
> - In iked(8), support route-based sec(4) tunnels.
> - In iked(8), add support to verify X.509 chain from CERT
> payloads.
> - In iked(8), do not leak memory when receiving a CERT payload
> for pubkey auth or for an invalid CERT Encoding.
> - In iked(8), do not leak a file descriptor if
> open_memstream(3) fails while trying to enable a child SA.
> - While trying to verify an ECDSA signature in iked(8),
> correctly detect failure of DER encoding with
> i2d_ECDSA_SIG(3).
> - In ipsecctl(8), support route-based IPsec VPN negotiation
> with sec(4).
> - In isakmpd(8), support configuring interface SAs for
> route-based IPsec VPNs.
> - In isakmpd(8) quick mode, do not crash with a NULL pointer
> access when a group description is specified but it is
> invalid, unsupported, or memory allocation or key generation
> fails.
> - In isakmpd(8), avoid a double free in the unlikely event that
> EC_KEY_check_key(3) fails right after generating a new key
> pair.
> - Allow building isakmpd(8) with a libcrypto library that has
> binary field support ("GF2m") removed.
> o In bgpd(8),
> - Add first version of flowspec support. Right now only
> announcement of flowspec rules is possible.
> - Update ASPA support to follow
> draft-ietf-sidrops-aspa-verification-16 and
> draft-ietf-sidrops-aspa-profile-16 by making the ASPA lookup
> tables AFI-agnostic.
> - Rework UPDATE message generation to use the new ibuf API
> instead of the hand-rolled solution before.
> - Fix ext-community * * matching which also affects filters
> removing all ext-communities.
> - Improve and extend the bgpctl parser to handle commands like
> bgpctl show rib 192.0.2.0/24 detail. Also add various
> flowspec specific commands.
> - Introduce a semaphore to protect intermittent RTR session
> data from being published to the RDE.
> - Limit the socket buffer size to 64k for all sessions.
> Limiting the buffer size to a reasonable size ensures that
> not too many updates end up queued in the TCP stack.
> - Adjust example GRACEFUL_SHUTDOWN filter rule in the example
> config to only match on ebgp sessions.
> o rpki-client(8) saw some changes:
> - A 30%-50% performance improvement was achieved through
> libcrypto's partial chains certificate validation feature.
> Already validated non-inheriting CA certificates are now
> marked as trusted roots. This way it can be ensured that a
> leaf's delegated resources are properly covered, and at the
> same time most validation paths are significantly shortened.
> - Support for gzip and deflate HTTP Content-Encoding
> compression was added. This allows web servers to send RRDP
> XML in compressed form, saving around 50% of bandwidth.
> - ASPA support was updated to
> draft-ietf-sidrops-aspa-profile-16. As part of supporting
> AFI-agnostic ASPAs, the JSON syntax for Validated ASPA
> Payloads changed in both filemode and normal output.
> - In filemode (-f option) the applicable manifests are now
> shown as part of the signature path.
> - A new -P option was added to manually specify a moment in
> time to use when parsing the validity window of certificates.
> Useful for regression testing. Default is invocation time of
> rpki-client.
> - The -A option will now also exclude ASPA data from the JSON
> output.
> - The synchronisation protocol used to sync the repository is
> now included in the OpenMetrics output.
> - Improved accounting by tracking objects both by repo and tal.
> - Check whether products listed on a manifest were issued by
> the same authority as the manifest itself.
> - File modification timestamps of objects retrieved via RRDP
> are now deterministically set to prepare the on-disk cache
> for seamless failovers from RRDP to RSYNC.
> - Improved detection of RRDP session desynchronization: a check
> was added to compare whether the delta hashes associated to
> previously seen serials are different in newly fetched
> notification files.
> - Improved handling of RRDP deltas in which objects are
> published, withdrawn, and published again.
> - Disallow X.509 v2 issuer and subject unique identifiers in
> certs. RPKI CAs will never issue certificates with V2 unique
> identifiers.
> - A check to disallow duplicate X.509 certificate extensions
> was added.
> - A check to disallow empty sets of IP Addresses or AS numbers
> in RFC 3779 extensions was added.
> - A warning is printed when the CMS signing-time attribute in a
> Signed Object is missing.
> - Warnings about unrecoverable message digest mismatches now
> include the manifestNumber to aid debugging the cause.
> - A check was added to disallow multiple RRDP publish elements
> for the same file in RRDP snapshots. If this error condition
> is encountered, the RRDP transfer is failed and the RP falls
> back to rsync.
> - A compliance check for the proper X.509 Certificate version
> and CRL version was added.
> - A compliance check was added to ensure CMS Signed Objects
> contain SignedData, in accordance with RFC 6488 section 3
> checklist item 1a.
> - Compliance checks were added for the version, KeyUsage, and
> ExtendedKeyUsage of EE certificates in Manifest, TAK, and GBR
> Signed Objects.
> - A CMS signing-time value being after the X.509 notAfter
> timestamp was downgraded from an error to a warning.
> - A bug was fixed in the handling of CA certificates which
> inherit IP resources.
> - A compliance check was added to ensure the X.509 Subject only
> contains commonName and optionally serialNumber.
> - A compliance check was added to ensure the CMS SignedData and
> SignerInfo versions are 3.
> - Fisher-Yates shuffle the order in which Manifest entries are
> processed. Previously, work items were enqueued in the order
> the CA intended them to appear on a Manifest. However, there
> is no obvious benefit to third parties deciding the order in
> which things are processed.
> o In smtpd(8),
> - Swapped link-auth filter arguments to avoid ambiguities with
> user names containing a "|" character.
> - Bumped smtpd-filters(7) protocol version.
> - Fixed potential truncation of filtered data lines.
> - Allowed arguments on NOOP.
> o Many other changes in various network programs and libraries:
> - Allow libpcap to read files with some additional link-layer
> type values.
> - Let pcap_fopen_offline(3) correctly interpret some LINKTYPE*
> values in pcap headers written on foreign operating systems.
> - Make dig(1) use less deprecated LibreSSL API.
> - Remove stylistic differences between arp(8) and ndp(8)
> delete() function. This makes it easier to spot real changes
> in behavior.
> - Make ndp(8) not remove cloning routes when no neighbor entry
> is found with ndp -d.
> - Improved error handling in the asr resolver.
> - In unwind(8), handle SERVFAIL results on name resolution
> better.
> - In unwind(8), fix a use-after-free bug triggered by fatal
> write errors while sending TCP responses.
> - In the router advertisement daemon rad(8), update the default
> timers for prefix preferred and valid lifetimes to use the
> values from RFC 9096.
> - In slaacd(8), remove artificial limit of 2 hours on a PIO
> lifetime.
> - In ypldap(8), reduce memory usage when updating larger
> directories.
> - Make ypldap(8) more resilient when some servers are
> misbehaving: keep trying LDAP servers until full results
> arrive rather than just until one accepts the TCP connection.
> - New wgdescription parameter to ifconfig(8) to set a string
> describing the wg(4) peer.
> - Let ifconfig(8) prefix the interface name to many error and
> warning messages.
> - Make the tlsv1.0 and tlsv1.1 options in relayd(8) do nothing,
> as one should use the default tlsv1.2 instead.
> - Fix IPv6 routes being changed by relayd(8) with Routers
> configuration.
> - In dhcrelay6(8), do not ignore the AF_LINK entries of carp(4)
> interfaces.
> - Improve the config parser of radiusd(8) to better handle
> comments, improve error messages and plug a memory leak.
> - In radiusd(8), add a request or response decoration feature
> which is used through the radiusd module interface. This
> lets additional modules modify RADIUS request or
> response messages. Also add a new "radius_standard" module
> which uses this new feature and provides some generic features,
> like "strip-atmark-realm", which removes the realm part from
> the User-Name attribute.
> - Allow UDP for built-in inetd(8) services on 127.0.0.1. This
> restriction was added in the year 2000 due to IPv6-compatible and
> mapped addresses. Nowadays our kernel does not support these
> IPv6 features and blocks localhost addresses on non-loopback
> interfaces. Make IPv4 127.0.0.1/8 and IPv6 ::1 behave
> identically and provide local services if configured.
> - In spamd(8), log a dummy "" IP address in the unlikely event
> that getnameinfo(3) fails.
> 
> - tmux(1) improvements and bug fixes:
> o For passthrough, don't write to clients attached to different
> sessions.
> o Add a format to show if there are unseen changes while in a mode.
> o Discard mouse sequences that have the right form but actually are
> invalid.
> o Invalidate cached tty state after changing features since they may
> change what the terminal can do and need mouse sequences or
> similar to be sent again.
> o Add options to change the confirm key and default behaviour of
> confirm-before.
> o Add an option menu-selected-style to configure the currently
> selected menu item.
> o Add -c to run-shell to set working directory.
> o Add detach-on-destroy previous and next.
> o Set visited flag on last windows when linking session.
> 
> - LibreSSL version 3.8.2
> o Security fixes
> - Disabled TLSv1.0 and TLSv1.1 in libssl so that they may no
> longer be selected for use.
> - BN_is_prime{,_fasttest}ex() refuse to check numbers larger
> than 32 kbits for primality. This mitigates various DoS
> vectors.
> - Restricted the RFC 3779 code to IPv4 and IPv6. It was not
> written to be able to deal with anything else.
> o Portable changes
> - Extended the endian.h compat header with hto* and *toh
> macros.
> - Adapted more tests to the portable framework.
> - Internal tools are now statically linked.
> - Applications bundled as part of the LibreSSL package
> internally, nc(1) and openssl(1), now are linked statically
> if static libraries are built.
> - Internal compatibility function symbols are no longer
> exported from libcrypto. Instead, the libcompat library is
> linked to libcrypto, libssl, and libtls separately. This
> increases size a little, but ensures that the libraries are
> not exporting symbols to programs unintentionally.
> - Selective removal of CET implementation on platforms where it
> is not supported (macOS).
> - Integrated four more tests.
> - Added Windows ARM64 architecture to tested platforms.
> - Removed Solaris 10 support, fixed Solaris 11.
> - libtls no longer links statically to libcrypto / libssl
> unless --enable-libtls-only is specified at configure time.
> - Improved Windows compatibility library, namely handling of
> files vs sockets, correcting an exception when operating on a
> closed socket.
> - CMake builds no longer hardcode -O2 into the compiler flags,
> using flags from the CMake build type instead.
> - Set the CMake default build type to Release. This can be
> overridden during configuration.
> - Fixed broken ASM support with MinGW builds.
> o New features
> - Added support for truncated SHA-2 and for SHA-3.
> - The BPSW primality test performs additional Miller-Rabin
> rounds with random bases to reduce the likelihood of
> composites passing.
> - Allow testing of ciphers and digests using badly aligned
> buffers in openssl speed using -unalign.
> - Ed25519 certificates are now supported in openssl(1) ca and
> req. Prepared Ed25519 support in libssl.
> - Add branch target information (BTI) support to amd64 and
> arm64 assembly.
> o Compatibility changes
> - Added a workaround for a poorly thought-out change in OpenSSL
> 3 that broke privilege separation support in libtls.
> - Moved libtls from ECDSA_METHOD to EC_KEY_METHOD.
> - Removed GF2m support: BIGNUM no longer supports binary
> extension field arithmetic and all binary elliptic builtin
> curves were removed.
> - Removed dangerous, "fast" NIST prime and elliptic curve
> implementations. In particular, EC_GFp_nist_method() is no
> longer available.
> - Removed most public symbols that were deprecated in OpenSSL
> 0.9.8.
> - Removed the public X9.31 API (RSA_X931_PADDING is still
> available).
> - Removed Cipher Text Stealing mode.
> - Removed ENGINE support, including ECDH_METHOD and
> ECDSA_METHOD.
> - Removed COMP, DSO, dynamic loading of conf modules and
> support for custom ex_data and error stacks.
> - Removed proxy certificate (RFC 3820) support.
> - Removed SXNET and NETSCAPE_CERT_SEQUENCE support including
> the openssl(1) nseq command.
> - ENGINE support was removed and OPENSSL_NO_ENGINE is set. In
> spite of this, some stub functions are provided to avoid
> patching some applications that do not honor
> OPENSSL_NO_ENGINE.
> - The POLICY_TREE and its related structures and API were
> removed.
> - In X509_VERIFY_PARAM_inherit() copy hostflags independently
> of the host list.
> - Made CRYPTO_get_ex_new_index() not return 0 to allow
> applications to use *{get,set}app_data() and
> *{get,set}ex_data() alongside each other.
> - X509_NAME_get_text_by{NID,OBJ}() now only succeed if they
> contain valid UTF-8 without embedded NUL.
> - The explicitText user notice uses UTF8String instead of
> VisibleString to reduce the risk of emitting certificates
> with invalid DER-encoding.
> - Initial fixes for RSA-PSS support to make the TLSv1.3 stack
> more compliant with RFC 8446.
> - Fixed EVP_CIPHER_CTX_iv_length() to return what was set with
> EVP_CTRL_AEAD_SET_IVLEN or one of its aliases.
> o Internal improvements
> - Improved sieve of Eratosthenes script used for generating a
> table of small primes.
> - Removed incomplete and dangerous BN_RECURSION code.
> - Imported RFC 5280 policy checking code from BoringSSL and
> used it to replace the old exponential time code.
> - Converted more of libcrypto to use CBB/CBS.
> - Started cleaning up and rewriting SHA internals.
> - Reduced the dependency of hash implementations on many layers
> of macros. This results in significant speedups since modern
> compilers are now less confused.
> - Improved BIGNUM internals and performance.
> - Significantly simplified the BN_BLINDING internals used in
> RSA.
> - Made BN_num_bits() independent of bn->top.
> - Rewrote and simplified bn_sqr().
> - Significantly improved Montgomery multiplication performance.
> - Rewrote and improved BN_exp() and BN_copy().
> - Changed ASN1_item_sign_ctx() and ASN1_item_verify() to work
> with Ed25519 and fixed a few bugs in there.
> - Lots of cleanup for DH, DSA, EC, RSA internals. Plugged
> numerous memory leaks, fixed logic errors and
> inconsistencies.
> - Cleaned up and simplified various ECDH and ECDSA internals.
> - Removed EC_GROUP precomp machinery.
> - Fixed various issues with EVP_PKEY_CTX_{new,dup}().
> - Rewrote OBJ_find_sigid_algs() and OBJ_find_sigid_by_algs().
> - Improved X.509 certificate version checks.
> - Ensure no X.509v3 extensions appear more than once in
> certificates.
> - Replaced ASN1_bn_print with a cleaner internal
> implementation.
> - Fix OPENSSL_cpuid_setup() invocations on arm/aarch64.
> - Improved checks for commonName in libtls.
> - Fixed error check for X509_get_ext_d2i() failure in libtls.
> - Removed code guarded by #ifdef ZLIB.
> - Plug a potential memory leak in ASN1_TIME_normalize().
> - Fixed a use of an uninitialized value in i2r_IPAddrBlocks().
> - Rewrote CMS_SignerInfo_{sign,verify}().
> o Bug fixes
> - Correctly handle negative input to various BIGNUM functions.
> - Ensure ERR_load_ERR_strings() does not set errno
> unexpectedly.
> - Fix error checking of i2d_ECDSA_SIG() in ossl_ecdsa_sign().
> - Fixed aliasing issue in BN_mod_inverse(). Disallowed aliasing
> of result and modulus in various BN_mod_* functions.
> - Fixed detection of extended operations (XOP) on AMD hardware.
> - Ensure Montgomery exponentiation is used for the initial RSA
> blinding.
> - Policy is always checked in X509 validation. Critical policy
> extensions are no longer silently ignored.
> - Fixed error handling in tls_check_common_name().
> - Add missing pointer invalidation in SSL_free().
> - Fixed X509err() and X509V3err() and their internal versions.
> - Ensure that OBJ_obj2txt() always returns a C string again.
> - Made EVP_PKEY_set1_hkdf_key() fail on a NULL key.
> - On socket errors in the poll loop, netcat could issue system
> calls on invalidated file descriptors.
> - Allow IP addresses to be specified in a URI.
> - Fixed a copy-paste error in ASN1_TIME_compare() that could
> lead to two UTCTimes or two GeneralizedTimes incorrectly
> being compared as equal.
> o Documentation improvements
> - Improved documentation of BIO_ctrl(3),
> BIO_set_info_callback(3), BIO_get_info_callback(3),
> BIO_method_type(3), and BIO_method_name(3).
> - Marked BIO_CB_return(), BIO_cb_pre(), and BIO_cb_post() as
> intentionally undocumented.
> - Made it very explicit that the verify callback should not be
> used.
> - Called out that the CRL lastUpdate is standardized as
> thisUpdate.
> - Documented the RFC 3779 API and its shortcomings.
> o Testing and Proactive Security
> - Significantly improved test coverage of BN_mod_sqrt() and
> GCD.
> - As always, new test coverage is added as bugs are fixed and
> subsystems are cleaned up.
> 
> - OpenSSH 9.5 and OpenSSH 9.4
> o Potentially incompatible changes
> - ssh-keygen(1): generate Ed25519 keys by default. Ed25519
> public keys are very convenient due to their small size.
> Ed25519 keys are specified in RFC 8709 and OpenSSH has
> supported them since version 6.5 (January 2014).
> - sshd(8): the Subsystem directive now accurately preserves
> quoting of subsystem commands and arguments. This may change
> behaviour for exotic configurations, but the most common
> subsystem configuration (sftp-server) is unlikely to be
> affected.
> - ssh-agent(1): PKCS#11 modules must now be specified by their
> full paths. Previously dlopen(3) could search for them in
> system library directories.
> o New features
> - ssh(1): add keystroke timing obfuscation to the client. This
> attempts to hide inter-keystroke timings by sending
> interactive traffic at fixed intervals (default: every 20ms)
> when there is only a small amount of data being sent. It also
> sends fake "chaff" keystrokes for a random interval after the
> last real keystroke. These are controlled by a new ssh_config
> ObscureKeystrokeTiming keyword.
> - ssh(1), sshd(8): Introduce a transport-level ping facility.
> This adds a pair of SSH transport protocol messages
> SSH2_MSG_PING/PONG to implement a ping capability. These
> messages use numbers in the "local extensions" number space
> and are advertised using a "p...@openssh.com" ext-info
> message with a string version number of "0".
> - sshd(8): allow override of Subsystem directives in sshd Match
> blocks.
> - ssh(1): allow forwarding Unix Domain sockets via ssh -W.
> - ssh(1): add support for configuration tags to ssh(1). This
> adds a ssh_config(5) "Tag" directive and corresponding "Match
> tag" predicate that may be used to select blocks of
> configuration similar to the pf.conf(5) keywords of the same
> name.
> - ssh(1): add a "match localnetwork" predicate. This allows
> matching on the addresses of available network interfaces and
> may be used to vary the effective client configuration based
> on network location.
> - ssh(1), sshd(8), ssh-keygen(1): infrastructure support for
> KRL extensions. This defines wire formats for optional KRL
> extensions and implements parsing of the new submessages. No
> actual extensions are supported at this point.
> - sshd(8): AuthorizedPrincipalsCommand and
> AuthorizedKeysCommand now accept two additional %-expansion
> sequences: %D which expands to the routing domain of the
> connected session and %C which expands to the addresses and
> port numbers for the source and destination of the
> connection.
> - ssh-keygen(1): increase the default work factor (rounds) for
> the bcrypt KDF used to derive symmetric encryption keys for
> passphrase protected key files by 50%.
> o Bugfixes
> - scp(1): fix scp in SFTP mode recursive upload and download of
> directories that contain symlinks to other directories. In
> scp mode, the links would be followed, but in SFTP mode they
> were not.
> - ssh-keygen(1): handle cr+lf (instead of just cr) line endings
> in sshsig signature files.
> - ssh(1): interactive mode for ControlPersist sessions if they
> originally requested a tty.
> - sshd(8): make PerSourceMaxStartups first-match-wins.
> - sshd(8): limit artificial login delay to a reasonable maximum
> (5s) and don't delay at all for the "none" authentication
> mechanism.
> - sshd(8): Log errors in kex_exchange_identification() with
> level verbose instead of error to reduce preauth log spam.
> All of those get logged with a more generic error message by
> sshpkt_fatal().
> - sshd(8): correct math for ClientAliveInterval that caused the
> probes to be sent less frequently than configured.
> - ssh-agent(1): improve isolation between loaded PKCS#11
> modules by running separate ssh-pkcs11-helpers for each
> loaded provider.
> - ssh(1): make -f (fork after authentication) work correctly
> with multiplexed connections, including ControlPersist.
> - ssh(1): make ConnectTimeout apply to multiplexing sockets and
> not just to network connections.
> - ssh-agent(1), ssh(1): improve defences against invalid
> PKCS#11 modules being loaded by checking that the requested
> module contains the required symbol before loading it.
> - sshd(8): fix AuthorizedPrincipalsCommand when
> AuthorizedKeysCommand appears before it in sshd_config. Since
> OpenSSH 8.7 the AuthorizedPrincipalsCommand directive was
> incorrectly ignored in this situation.
> - sshd(8), ssh(1), ssh-keygen(1): remove vestigial support for
> KRL signatures. When the KRL format was originally defined, it
> included support for signing of KRL objects. However, the
> code to sign KRLs and verify KRL signatures was never
> completed in OpenSSH. This release removes the
> partially-implemented code to verify KRLs. All OpenSSH tools
> now ignore KRL_SECTION_SIGNATURE sections in KRL files.
> - All: fix a number of memory leaks and unreachable/harmless
> integer overflows.
> - ssh-agent(1), ssh(1): don't truncate strings logged from
> PKCS#11 modules.
> - sshd(8), ssh(1): better validate CASignatureAlgorithms in
> ssh_config and sshd_config. Previously this directive would
> accept certificate algorithm names, but these were unusable
> in practice as OpenSSH does not support CA chains.
> - ssh(1): make ssh -Q CASignatureAlgorithms only list signature
> algorithms that are valid for CA signing. Previous behaviour
> was to list all signing algorithms, including certificate
> algorithms.
> - ssh-keyscan(1): gracefully handle systems where rlimits or
> the maximum number of open files is larger than INT_MAX.
> - ssh-keygen(1): fix "no comment" not showing when running
> ssh-keygen -l on multiple keys where one has a comment and
> other following keys do not.
> - scp(1), sftp(1): adjust ftruncate() logic to handle servers
> that reorder requests. Previously, if the server reordered
> requests then the resultant file would be erroneously
> truncated.
> - ssh(1): don't incorrectly disable hostname canonicalization
> when CanonicalizeHostname=yes and ProxyJump was explicitly
> set to "none".
> - scp(1): when copying local to remote, check that the source
> file exists before opening an SFTP connection to the server.
> 
> - Ports and packages:
> o Pre-built packages are available for the following architectures on
> the day of release:
> - aarch64 (arm64): 11508
> - amd64: 11845
> - i386: 10603
> - sparc64: 8469
> o Packages for the following architectures will be made available as
> their builds complete:
> - arm
> - mips64
> - powerpc
> - powerpc64
> - riscv64
> 
> - Some highlights:
> 
> o Asterisk 16.30.1, 18.19.0 and 20.4.0
> o Audacity 3.3.3
> o CMake 3.27.5
> o Chromium 117.0.5938.149
> o Emacs 29.1
> o FFmpeg 4.4.4
> o GCC 8.4.0 and 11.2.0
> o GHC 9.2.7
> o GNOME 44
> o Go 1.21.1
> o JDK 8u382, 11.0.20 and 17.0.8
> o KDE Applications 23.08.0
> o KDE Frameworks 5.98.0
> o Krita 5.1.5
> o LLVM/Clang 13.0.0 and 16.0.6
> o LibreOffice 7.6.2.1
> o Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.6
> o MariaDB 10.9.6
> o Mono 6.12.0.199
> o Mozilla Firefox 118.0.1 and ESR 115.3.1
> o Mozilla Thunderbird 115.3.1
> o Mutt 2.2.12 and NeoMutt 20230517
> o Node.js 18.18.0
> o OCaml 4.12.1
> o OpenLDAP 2.6.6
> o PHP 7.4.33, 8.0.30, 8.1.24 and 8.2.11
> o Postfix 3.7.3
> o PostgreSQL 15.4
> o Python 2.7.18, 3.9.18, 3.10.13 and 3.11.5
> o Qt 5.15.10 and 6.5.2
> o R 4.2.3
> o Ruby 3.0.6, 3.1.4 and 3.2.2
> o Rust 1.72.1
> o SQLite 3.42.0
> o Shotcut 23.07.29
> o Sudo 1.9.14.2
> o Suricata 6.0.12
> o Tcl/Tk 8.5.19 and 8.6.13
> o TeX Live 2022
> o Vim 9.0.1897 and Neovim 0.9.1
> o Xfce 4.18
> 
> - As usual, steady improvements in manual pages and other documentation.
> 
> - The system includes the following major components from outside suppliers:
> o Xenocara (based on X.Org 7.7 with xserver 21.1.8 + patches,
> freetype 2.13.0, fontconfig 2.14.2, Mesa 22.3.7, xterm 378,
> xkeyboard-config 2.20, fonttosfnt 1.2.2, and more)
> o LLVM/Clang 13.0.0 (+ patches)
> o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
> o Perl 5.36.1 (+ patches)
> o NSD 4.7.0
> o Unbound 1.18.0
> o Ncurses 5.7
> o Binutils 2.17 (+ patches)
> o Gdb 6.3 (+ patches)
> o Awk September 12, 2023 version
> o Expat 2.5.0
> 
> ------------------------------------------------------------------------
> - SECURITY AND ERRATA --------------------------------------------------
> 
> We provide patches for known security threats and other important
> issues discovered after each release. Our continued research into
> security means we will find new security problems -- and we always
> provide patches as soon as possible. Therefore, we advise regular
> visits to
> 
> https://www.OpenBSD.org/security.html
> and
> https://www.OpenBSD.org/errata.html
> 
> ------------------------------------------------------------------------
> - MAILING LISTS AND FAQ ------------------------------------------------
> 
> Mailing lists are an important means of communication among users and
> developers of OpenBSD. For information on OpenBSD mailing lists, please
> see:
> 
> https://www.OpenBSD.org/mail.html
> 
> You are also encouraged to read the Frequently Asked Questions (FAQ) at:
> 
> https://www.OpenBSD.org/faq/
> 
> ------------------------------------------------------------------------
> - DONATIONS ------------------------------------------------------------
> 
> The OpenBSD Project is a volunteer-driven software group funded by
> donations. Besides OpenBSD itself, we also develop important software
> like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
> filter, the quality work of our ports development process, and many
> others. This ecosystem is all handled under the same funding umbrella.
> 
> We hope our quality software will result in contributions that maintain
> our build/development infrastructure, pay our electrical/internet costs,
> and allow us to continue operating very productive developer hackathon
> events.
> 
> All of our developers strongly urge you to donate and support our future
> efforts. Donations to the project are highly appreciated, and are
> described in more detail at:
> 
> https://www.OpenBSD.org/donations.html
> 
> ------------------------------------------------------------------------
> - OPENBSD FOUNDATION ---------------------------------------------------
> 
> For those unable to make their contributions as straightforward gifts,
> the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian
> not-for-profit corporation that can accept larger contributions and
> issue receipts. In some situations, their receipt may qualify as a
> business expense write-off, so this is certainly a consideration for
> some organizations or businesses.
> 
> There may also be exposure benefits since the Foundation may be
> interested in participating in press releases. In turn, the Foundation
> then uses these contributions to assist OpenBSD's infrastructure needs.
> Contact the foundation directors at direct...@openbsdfoundation.org for
> more information.
> 
> ------------------------------------------------------------------------
> - HTTPS INSTALLS -------------------------------------------------------
> 
> OpenBSD can be easily installed via HTTPS downloads. Typically you need
> a single small piece of boot media (e.g., a USB flash drive) and then
> the rest of the files can be installed from a number of locations,
> including directly off the Internet. Follow this simple set of
> instructions to ensure that you find all of the documentation you will
> need while performing an install via HTTPS.
> 
> 1) Read either of the following two files for a list of HTTPS mirrors
> which provide OpenBSD, then choose one near you:
> 
> https://www.OpenBSD.org/ftp.html
> https://ftp.openbsd.org/pub/OpenBSD/ftplist
> 
> As of October 16, 2023, the following HTTPS mirror sites have the
> 7.4 release:
> 
> https://cdn.openbsd.org/pub/OpenBSD/7.4/ Global
> https://ftp.eu.openbsd.org/pub/OpenBSD/7.4/ Stockholm, Sweden
> https://ftp.hostserver.de/pub/OpenBSD/7.4/ Frankfurt, Germany
> https://ftp.bytemine.net/pub/OpenBSD/7.4/ Oldenburg, Germany
> https://ftp.fr.openbsd.org/pub/OpenBSD/7.4/ Paris, France
> https://mirror.aarnet.edu.au/pub/OpenBSD/7.4/ Brisbane, Australia
> https://ftp.usa.openbsd.org/pub/OpenBSD/7.4/ CO, USA
> https://ftp5.usa.openbsd.org/pub/OpenBSD/7.4/ CA, USA
> https://mirror.esc7.net/pub/OpenBSD/7.4/ TX, USA
> https://openbsd.cs.toronto.edu/pub/OpenBSD/7.4/ Toronto, Canada
> https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.4/ Global
> https://fastly.cdn.openbsd.org/pub/OpenBSD/7.4/ Global
> 
> The release is also available at the master site:
> 
> https://ftp.openbsd.org/pub/OpenBSD/7.4/ Alberta, Canada
> 
> However, it is strongly suggested you use a mirror.
> 
> Other mirror sites may take a day or two to update.
> 
> 2) Connect to that HTTPS mirror site and go into the directory
> pub/OpenBSD/7.4/ which contains these files and directories.
> This is a list of what you will see:
> 
> ANNOUNCEMENT armv7/ octeon/ root.mail
> README hppa/ openbsd-74-base.pub sparc64/
> SHA256 i386/ packages/ src.tar.gz
> SHA256.sig landisk/ packages-stable/ sys.tar.gz
> alpha/ loongson/ ports.tar.gz xenocara.tar.gz
> amd64/ luna88k/ powerpc64/
> arm64/ macppc/ riscv64/
> 
> It is quite likely that you will want at LEAST the following
> files which apply to all the architectures OpenBSD supports.
> 
> README - generic README
> root.mail - a copy of root's mail at initial login.
> (This is really worthwhile reading).
> 
> 3) Read the README file. It is short, and a quick read will make
> sure you understand what else you need to fetch.
> 
> 4) Next, go into the directory that applies to your architecture,
> for example, amd64. This is a list of what you will see:
> 
> BOOTIA32.EFI* bsd* floppy74.img pxeboot*
> BOOTX64.EFI* bsd.mp* game74.tgz xbase74.tgz
> BUILDINFO bsd.rd* index.txt xfont74.tgz
> INSTALL.amd64 cd74.iso install74.img xserv74.tgz
> SHA256 cdboot* install74.iso xshare74.tgz
> SHA256.sig cdbr* man74.tgz
> base74.tgz comp74.tgz miniroot74.img
> 
> If you are new to OpenBSD, fetch at least the file INSTALL.amd64
> and install74.iso. The install74.iso file (roughly 633MB in size)
> is a one-step ISO-format install CD image which contains the various
> *.tgz files so you do not need to fetch them separately.
> 
> If you prefer to use a USB flash drive, fetch install74.img and
> follow the instructions in INSTALL.amd64.
> 
> 5) If you are an expert, follow the instructions in the file called
> README; otherwise, use the more complete instructions in the
> file called INSTALL.amd64. INSTALL.amd64 may tell you that you
> need to fetch other files.
> 
> 6) Just in case, take a peek at:
> 
> https://www.OpenBSD.org/errata.html
> 
> This is the page where we talk about the mistakes we made while
> creating the 7.4 release, or the significant bugs we fixed
> post-release which we think our users should have fixes for.
> Patches and workarounds are clearly described there.
> 
> ------------------------------------------------------------------------
> - X.ORG FOR MOST ARCHITECTURES -----------------------------------------
> 
> X.Org has been integrated more closely into the system. This release
> contains X.Org 7.7. Most of our architectures ship with X.Org, including
> amd64, sparc64 and macppc. During installation, you can install X.Org
> quite easily using xenodm(1), our simplified X11 display manager forked
> from xdm(1).
> 
> ------------------------------------------------------------------------
> - PACKAGES AND PORTS ---------------------------------------------------
> 
> Many third party software applications have been ported to OpenBSD and
> can be installed as pre-compiled binary packages on the various OpenBSD
> architectures. Please see https://www.openbsd.org/faq/faq15.html for
> more information on working with packages and ports.
> 
> Note: a few popular ports, e.g., NSD, Unbound, and several X
> applications, come standard with OpenBSD and do not need to be installed
> separately.
> 
> ------------------------------------------------------------------------
> - SYSTEM SOURCE CODE ---------------------------------------------------
> 
> The source code for all four subsystems can be found in the
> pub/OpenBSD/7.4/ directory:
> 
> xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz
> 
> The README (https://ftp.OpenBSD.org/pub/OpenBSD/7.4/README) file
> explains how to deal with these source files.
> 
> ------------------------------------------------------------------------
> - THANKS ---------------------------------------------------------------
> 
> Ports tree and package building by Jeremie Courreges-Anglas,
> Visa Hankala, Stuart Henderson, Peter Hessler, George Koehler,
> Kurt Mosiejczuk, and Christian Weisgerber. Base and X system builds by
> Kenji Aoyama, Theo de Raadt, and Miod Vallat. Release art by
> Jessica Scott.
> 
> We would like to thank all of the people who sent in bug reports, bug
> fixes, donation cheques, and hardware that we use. We would also like
> to thank those who bought our previous CD sets. Those who did not
> support us financially have still helped us with our goal of improving
> the quality of the software.
> 
> Our developers are:
> 
> Aaron Bieber, Adam Wolk, Aisha Tammy, Alexander Bluhm,
> Alexander Hall, Alexandr Nedvedicky, Alexandr Shadchin,
> Alexandre Ratchov, Andrew Fresh, Anil Madhavapeddy,
> Anthony J. Bentley, Antoine Jacoutot, Anton Lindqvist, Asou Masato,
> Ayaka Koshibe, Benoit Lecocq, Bjorn Ketelaars, Bob Beck,
> Brandon Mercer, Brent Cook, Brian Callahan, Bryan Steele,
> Can Erkin Acar, Caspar Schutijser, Charlene Wendling,
> Charles Longeau, Chris Cappuccio, Christian Weisgerber,
> Christopher Zimmermann, Claudio Jeker, Dale Rahn, Damien Miller,
> Daniel Dickman, Daniel Jakots, Darren Tucker, Dave Voutila,
> David Coppa, David Gwynne, David Hill, Denis Fondras, Edd Barrett,
> Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus,
> George Koehler, George Rosamond, Gerhard Roth, Giannis Tsaraias,
> Gilles Chehade, Giovanni Bechis, Gleydson Soares,
> Gonzalo L. Rodriguez, Greg Steuck, Helg Bredow, Henning Brauer,
> Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze,
> Inoguchi Kinichiro, James Hastings, James Turner, Jan Klemkow,
> Jason McIntyre, Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas,
> Jeremy Evans, Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani,
> Jonathan Gray, Jonathan Matthew, Jordan Hargrave, Josh Rickmar,
> Joshua Sing, Joshua Stein, Juan Francisco Cantero Hurtado,
> Kazuya Goda, Kenji Aoyama, Kenneth R Westerback, Kent R. Spillner,
> Kevin Lo, Kirill Bychkov, Klemens Nanni, Kurt Miller,
> Kurt Mosiejczuk, Landry Breuil, Lawrence Teo, Lucas Raab,
> Marc Espie, Marcus Glocker, Mark Kettenis, Mark Lumsden,
> Markus Friedl, Martijn van Duren, Martin Natano, Martin Pieuchot,
> Martin Reindl, Martynas Venckus, Matthew Dempsky, Matthias Kilian,
> Matthieu Herrb, Michael Mikonos, Mike Belopuhov, Mike Larkin,
> Miod Vallat, Moritz Buhl, Nam Nguyen, Nayden Markatchev,
> Nicholas Marriott, Nigel Taylor, Okan Demirmen, Omar Polo,
> Ori Bernstein, Otto Moerbeek, Paco Esteban, Pamela Mosiejczuk,
> Pascal Stumpf, Patrick Wildt, Paul Irofti, Pavel Korovin,
> Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas,
> Rafael Sadowski, Rafael Zalamena, Raphael Graf, Remi Locherer,
> Remi Pointel, Renato Westphal, Ricardo Mestre, Richard Procter,
> Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha,
> Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
> Solene Rapenne, Stefan Fritsch, Stefan Hagen, Stefan Kempf,
> Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson,
> Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler,
> Theo de Raadt, Thomas Frohwein, Tim van der Molen, Tobias Heider,
> Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove,
> Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov,
> Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Volker Schlecht,
> Yasuoka Masahiko, Yojiro Uo