Congratulations to Theo and everyone involved in making OpenBSD 7.4 a reality and for this awesome project altogether! I also love the artwork (big thanks also to the artist who created it). So I'll be getting some 7.4 merch soon!
Claudio Miranda

On Mon, Oct 16, 2023 at 9:37 AM pela0 <[email protected]> wrote:
>
> Upgrading...
>
> ;)
>
>
> ------- Original Message -------
> On Monday, October 16th, 2023 at 09:53, Theo de Raadt <[email protected]> wrote:
>
> > ------------------------------------------------------------------------
> > - OpenBSD 7.4 RELEASED -------------------------------------------------
> >
> > October 16, 2023.
> >
> > We are pleased to announce the official release of OpenBSD 7.4.
> > This is our 55th release. We remain proud of OpenBSD's record of more
> > than twenty years with only two remote holes in the default install.
> >
> > As in our previous releases, 7.4 provides significant improvements,
> > including new features, in nearly all areas of the system:
> >
> > - Various kernel improvements:
> >   o On arm64, show BTI and SBSS features in dmesg(8).
> >   o New kqueue1(2) system call supporting the O_CLOEXEC flag.
> >   o Map device tree read/write to unbreak root on softraid(4).
> >   o Correctly recognize umass(4) floppy disk devices as floppy disks.
> >   o In wscons(4), catch up with box drawing characters which have been standardized in unicode after the original wscons code was written and chose placeholder values.
> >   o In wscons(4), make sure we do not increase the escape sequence argument count beyond usable bounds.
> >   o Implement dt(4) utrace(2) support on amd64 and i386.
> >   o Correct undefined behavior when using MS-DOS filesystems, fixes imported from FreeBSD.
> >   o Make the softdep mount(8) option a no-op. Softdep was a significant impediment to improving the vfs layer.
> >   o Allow unveil(2)ed programs to dump core(5) into the current working directory.
> >   o Address incomplete validation of ELF program headers in execve(2).
> >   o On arm64, use the deep idle state available on Apple M1/M2 cores in the idle loop and for suspend, resulting in power savings.
> >   o Update AMD CPU microcode if a newer patch is available.
> >   o Enable a workaround for the 'Zenbleed' AMD CPU bug.
> >   o Report speculation control bits in dmesg(8) CPU lines.
> >   o To give the primary CPU an opportunity to perform clock interrupt preparation in a machine-independent manner we need to separate the "initialization" parts of cpu_initclocks() from the "start the clock interrupt" parts. Separate cpu_initclocks() from cpu_startclock().
> >   o Fix a problem where CPU time accounting and RLIMIT_CPU was unreliable on idle systems.
> >   o Improve the output of the "show proc" command of the kernel debugger ddb(4) and show both the PID and TID of the proc.
> >
> > - SMP Improvements
> >   o Rewrite pfsync(4), in particular to improve locking and to help with unlocking more of pf(4) and with parallelisation of the network stack in the future. The protocol remains compatible with the older version.
> >   o Remove kernel locks from the ARP input path.
> >   o Pull MP-safe arprequest() out of kernel lock.
> >   o Remove the kernel lock from IPv6 neighbor discovery.
> >   o Unlock more parts of ioctl(2) and the routing code in the network stack.
> >
> > - Direct Rendering Manager and graphics drivers
> >   o Update drm(4) to Linux 6.1.55.
> >   o Don't change end marker in sg_set_page(). Caused bad memory accesses when using page flipping on Alder Lake and Raptor Lake.
> >
> > - VMM/VMD improvements
> >   o Allowed vmm(4) guests to enable and use supervisor IBT.
> >   o Suppressed AMD hardware p-state visibility to vmm(4) guests.
> >   o Avoid use of uninitialised memory in vmd(8).
> >   o Migrate vmd_vm.vm_ttyname to char array allowing a vmd_vm object to be transmitted over an ipc channel.
> >   o Cleaned up file descriptor closing in vmd(8) vmm process.
> >   o Fixed vm send/receive, restoring device virtqueue addresses on receive.
> >   o Introduced execvp(3) after fork for child vm processes.
> >   o No longer generate an error in vmd(8) if vm.conf(5) is absent.
> >   o Split vmm(4) into MI/MD parts.
> >   o Introduced multi-process model for vmd(8) virtio block and network devices.
> >   o Allowed vm owners to override boot kernel when using vmctl(8) to start a vm.
> >   o Changed staggered start of vms to number of online CPUs.
> >   o Fixed a segfault on vm creation.
> >   o Switched to anonymous shared memory mappings for vmd(8) vm processes, introducing a new vmm(4) ioctl(2).
> >   o Relaxed absolute path requirements for vmd(8) configtest mode (-n).
> >   o Adjusted shutdown logic by vm id to function similarly as by name.
> >   o Moved validation of local network prefixes for the internal vmd(8) DHCP service into the config parser.
> >   o Fixed QCOW2 base images when used with the vmd(8) multi-process device model.
> >   o Fixed setting verbose logging in child processes.
> >   o Fixed a race condition related to the emulated i8259 interrupt controller by ignoring interrupt masks on assert.
> >   o Inlined pending interrupts in the vmm(4) ioctl(2) for running the vcpu, reducing vm latency.
> >   o Added zero-copy, vectored io to the vmd(8) virtio block device.
> >   o Changed to logging vmd(8) vm ids in the vcpu run loop on error and not the ids used by vmm(4).
> >   o Fixed a vm pause deadlock.
> >   o Changed vmd(8) logging format to disambiguate vm and device process by names and indices.
> >   o Fixed dynamically toggling verbose logging mode with vmctl(8).
> >
> > - Various new userland features:
> >   o New ISO C11 header <uchar.h> declaring the types char32_t and char16_t and the functions c32rtomb(3), mbrtoc32(3), c16rtomb(3), and mbrtoc16(3).
> >   o Introduce a new malloc(3) option D for memory leak detection with ktrace(1) and kdump(1).
> >   o Support ${.VARIABLES} in make(1), listing the names of all global variables that have been set.
> >   o New kdump(1) -u option to select utrace(2) tracepoints by label.
> >   o In openrsync(1), support the options --size-only and --ignore-times.
> >   o Update zoneinfo to tzdata2023c.
> >   o Accept the ucom(4) fixed name format as a valid format for the cu(1) -l option.
> >   o In cron(8) and crontab(5), add support for random offsets when using ranges with a step value in cron. This extends the random range syntax to support step values. Instead of choosing a random number between the high and low values, the field is treated as a range with a random offset less than the step value. This can be used to avoid thundering herd problems where multiple machines contact a server all at the same time via cron jobs.
> >   o Extend and improve the ibuf API in libutil and add functions for more specific data types, for modifying data at specific offsets, for getting and setting the file descriptor stored on the ibuf and for efficient wrapping of ibufs into imsgs. The ibuf API is mostly used in network daemons.
> >   o In wsconsctl(8), add button mappings for two- and three-finger clicks on clickpads.
> >
> > - Various bugfixes and tweaks in userland:
> >   o In pax(1) and tar(1), do not open files that will be skipped, speeding up archive creation when many files are skipped.
> >   o In pax(1), tar(1), and cpio(1) terminal output, escape non-printable characters in messages that may include file names, and truncate times to the correct maximum value.
> >   o Better diagnostics from make(1) when a makefile exists but cannot be opened.
> >   o Prevent a buffer underflow in patch(1) that could occur with lines longer than 32kB.
> >   o Prevent a segmentation fault in patch(1) that occurred when a patch specified a file name so long that basename(3) failed.
> >   o Prevent a read buffer overrun in patch(1) that could occur when a patch specified a file name ending in a slash.
> >   o Let stat(1) correctly print mtimes after 2038.
> >   o Refactoring and documenting of fdisk(8) code, to make it easier to maintain.
> >   o fdisk(8) no longer adds extra blanks at the end of lines, eliminating spurious line wrapping.
> >   o In clang(1), allow out-of-class defaulting of comparison operators, by ways of backporting an upstream commit.
> >   o Many changes in mg(1):
> >     - New command set-tab-width to change the tabulator width on a per-buffer basis.
> >     - Let the space-to-tabstop command move to the right position even if the line contains tabs, control characters, or non-ASCII bytes.
> >     - Fall back to /bin/sh if $SHELL is undefined.
> >     - Fix parsing of tag files with duplicate entries. Instead of erroring out, ignore duplicates. Fixes using /var/db/libc.tags again.
> >     - Change the visit-tags-table command to immediately load the tag file, and drop the lazy mechanics.
> >     - Do not leak memory in pop-tag-mark if it fails to switch buffers.
> >     - Fix a read buffer overrun caused by -u arguments longer than 1023 bytes.
> >     - Fix a write buffer overrun on the stack caused by blink-and-insert matching a very long line that is not currently visible in the window.
> >     - Skip checking permissions of conffile with access(2).
> >     - Resurrect no-tab-mode and add it to the list of modes that can be set with set-default-mode.
> >   o Fix a segfault when the disklabel(8) simple editor encounters an incomplete partition line.
> >   o Fix disklabel(8) handling of templates with partitions after a "N-* 100" entry.
> >   o Enable disklabel(8) regress tests to work on sparc64.
> >   o Fix fdisk(8) initialization of CHS/LBA fields in an MBR, allowing machines with a BIOS that uses CHS to boot from disks >8G.
> >   o Retire disklabel(8) -E expert mode.
> >   o When displaying GPT partition attributes fdisk(8) prefixes Microsoft partition attribute names with 'MS'.
> >   o In the absence of the 'disktype' command line parameter disklabel(8) always uses the current media type provided by the kernel.
> >   o Ensure fdisk(8) handles the case where a GPT partition name is not a valid C string.
> >   o When creating new crypto volumes with bioctl(8), by default use a hardware based number of KDF rounds for passphrases.
> >   o Let bioctl(8) gracefully prompt again during interactive creation and passphrase change on CRYPTO and 1C volumes.
> >   o Let bioctl(8) read passphrases without prompts or confirmation in -s mode, allowing non-interactive use.
> >   o Allow the atactl(8) command readattr to succeed even for disks where ATA_SMART_READ and ATA_SMART_THRESHOLD revisions mismatch, as long as checksums are OK.
> >   o In ld.so(1), treat symlinks in $ORIGIN determination the same way as other OS linkers do.
> >   o In ld.so(1), avoid an overflow in the ELF SYSV ABI hash function.
> >   o Make sure modf(3) and modff(3) return correct values for infinities.
> >   o Do not fail in ober_scanf_elements(3) when encountering empty sequences.
> >   o Remove broken special handling of test -t in ksh(1).
> >   o The caching mechanism used by pkg_add(1) to speed up pkg_add -u now also works if -stable packages are available.
> >   o Significantly increase the speed of pkg-config(1).
> >   o In seq(1), fix a check for rounding error and truncation.
> >   o In cron(8), introduce upstream fixes in the handling of @yearly, @monthly, @weekly, @daily and @hourly entries.
> >   o Fix a bug in cron(8) where whitespace after usernames would not be completely skipped while parsing the crontab(5) file.
> >   o Make rcctl(8) check if a daemon exists before trying to disable it, thereby avoiding parsing and printing of bogus characters.
> >   o Print to the console the fingerprint of a newly generated ssh(1) host key of the preferred type (currently ED25519), typically when booting for the first time.
> >     This simplifies a secure first ssh connection to a freshly installed machine.
> >
> > - Improved hardware support and driver bugfixes, including:
> >   o Add rkiovd(4), a driver for the I/O voltage domains on Rockchip SoCs.
> >   o Add support for TEMPerGold 3.4 temperature sensor to ugold(4).
> >   o Add qcrng(4), a driver for the Qualcomm RNG device found on the ThinkPad X13s.
> >   o Add rkusbphy(4), a driver for the usb2phy on Rockchip SoCs.
> >   o Support AP806/CP110 SoCs in mvtemp(4).
> >   o Add dwmshc(4) to support Designware Mobile Storage Host Controllers found on rk356x and rk3588 SoCs.
> >   o Add iosf(4), a driver for the Intel OnChip System Fabric.
> >   o Add support for the RTL8153D chipset in ure(4).
> >   o Add support for the Peripheral Authentication Service SMC interface in qcscm(4).
> >   o Add qcmtx(4), a driver for the hardware spinlock on Qualcomm SoCs that is used to synchronize access to the shared memory table.
> >   o Add qcsmptp(4), a driver to share 32-bit values between (co-)processors.
> >   o Add qcaoss(4), a driver for the Always On Subsystem found on Qualcomm SoCs.
> >   o Add qcpas(4), a driver for the Peripheral Authentication Service found on Qualcomm SoCs. Enable AC detection.
> >   o Add qctsens(4), a driver for the Temperature Sensor found on Qualcomm SoCs.
> >   o Add driver qccpu(4) for QC CPU Power States.
> >   o Add qcsdam(4), a driver for the PMIC Shared Direct Access Memory found on Qualcomm SoCs.
> >   o Add stfrng(4), a driver for the random number generator on the StarFive JH7110 SoC.
> >   o Add support for the PCIe controller on the JH7110 SoC with stfpciephy(4).
> >   o New sysctl(2) nodes for battery management, hw.battery.charge*. Support them with acpithinkpad(4) and aplsmc(4).
> >   o Define fixed names for ucom(4) USB serial ports, display them in attach messages and via the new hw.ucomnames sysctl(2).
> >   o Add support for the RK3568 32k RTC, RK3588, and other clocks in rkclock(4).
> >   o In dwpcie(4), attach Baikal-M PCIe.
> >   o In openfirmware, implement regulator notifiers which get called when the voltage/current for a regulator is changed or when the regulator gets initialized when it attaches for the first time. The latter makes it possible to register a notifier for a regulator that hasn't attached yet.
> >   o Ignore duplicate ACPI lid transitions as they can happen on Dell Precision 5510 systems.
> >   o Make RK3568 PCIe controllers run at the maximum possible speed by using dwpcie_link_config() when initializing.
> >   o In the Universal Flash Storage Host Controller Interface (ufshci(4)), enable Force Unit Access (FUA) for write commands.
> >   o Make SATA (ahci(4)) work on a Banana Pi BPI-R2 Pro.
> >   o In umcs(4), set parity bits correctly.
> >   o Enable the caps lock LED on modern Apple laptop keyboards.
> >   o Add support for Rockchip "cryptov2-rng" random number generator in rkrng(4).
> >   o Fix cpuperf on the Apple M2 Pro/Max.
> >   o Add support for the PCIe controller found on Apple M2 Pro/Max SoCs.
> >   o Add support for enabling both the USB2 and USB3 PHYs in xhci(4) with device tree.
> >   o In the SCSI tape driver st(4), add support for I/O statistics so that tape speeds can be observed with iostat(8).
> >   o Fix use of MMC/SD/SDIO on RK3588 ARM SoC in dwmmc(4).
> >   o Support thermal sensors on Ryzen 9 79xx in ksmn(4).
> >   o Add support for JH7110 to dwmmc(4), making eMMC and microSD mostly work on the Starfive VisionFive 2.
> >   o Add support for the RK3588 PCIe3 PHY to rkpciephy(4). The PHY controls 4 lanes that can be routed to 4 of 5 PCIe controllers.
> >   o Add mute control to sncodec(4). This makes the mute button work on laptops using this driver.
> >   o Add mute control to tascodec(4). This makes the mute button on laptops that use tascodec(4) work.
> >   o Improve the suspend/resume behavior of several drivers, reducing power consumption during suspend.
> >   o Add support for the Synopsys DesignWare I2C controller (dwiic(4)) and the X-Powers AXP Power Management IC (axppmic(4)).
> >   o Enable the mbg(4) timedelta sensor on amd64 and match the Meinberg PZF180PEX.
> >
> > - New or improved network hardware support:
> >   o Fix dwqe(4) on several boards that use rgephy(4) by configuring the RGMII interface before taking the PHY out of reset.
> >   o Improve dwqe(4) and determine PHY mode and pass the appropriate flags down to the PHY when attaching.
> >   o Report in dmesg(8) on which gmac the dwqe(4) driver is attaching to.
> >   o Document that Intel i226 adapters are supported by igc(4).
> >   o Add ngbe(4), a driver for WangXun WX1860 PCI Express 10/100/1Gb Ethernet devices. Also support it on amd64 install media.
> >   o Add support for the RTL8211F-VD PHY in rgephy(4).
> >   o In openfirmware, add glue for network interfaces to be found by fdt/ofw node or phandle in order to support "switch chips" like the marvell link street.
> >   o Add support for RTL8153D devices to ure(4).
> >   o Provide byte and packet counter statistics in some dwge(4) implementations.
> >   o On bge(4), make hardware counters available via kstats for BCM5705 and newer controller chips.
> >   o Make several improvements to vmx(4), the VMware VMXNET3 Virtual Interface Controller.
> >   o In em(4), stop putting multicast addresses into the Receive Address Registers. Instead hash them all into the Multicast Table Array.
> >   o Support Mellanox ConnectX-6 Lx in mcx(4).
> >   o In mcx(4), add 100GB LR4 Ethernet capability and map it to IFM_100G_LR4.
> >   o Add initial support for Atlantic 2 hardware in aq(4).
> >
> > - Added or improved wireless network drivers:
> >   o Improve how Quectel LTE&5G devices attach to umb(4).
> >
> > - IEEE 802.11 wireless stack improvements and bugfixes:
> >   o Add support for RTL8188FTV devices to the urtwn(4) driver.
> >   o Attach Intel wireless devices with PCI product ID 0x51f1 to iwx(4).
> >   o Fix a bug where iwm(4) and iwx(4) background scan tasks were added to the wrong task queue.
> >   o Fix a firmware error that occurred when an iwx(4) interface was brought down.
> >   o Fix iwx(4) firmware errors triggered during background scans.
> >   o Fix a crash in the iwm(4) driver when userland attempts to inject frames via bpf in monitor mode.
> >
> > - Installer, upgrade and bootloader improvements:
> >   o In the arm64 ramdisk, simplify apple firmware copying to make it easier to add new firmware.
> >   o On armv7 and arm64, silence informational messages from dd(1) when zeroing a disk's first 1MB. Use character not block devices with dd(1) like on other architectures.
> >   o Refactor the code of md_installboot() on armv7 and arm64 to be more in line with other architectures.
> >   o Improve the dialogue of the installer without affecting autoinstall(8) files.
> >   o Enable ufshci(4) on arm64 install media.
> >   o On arm64 pine64 boards, stop writing pine64 firmware to disk.
> >   o When media has neither a GPT nor an MBR installboot(8), assume OpenBSD occupies the entire disk starting at sector 0.
> >   o Attempt to not overflow the ramdisk when extracting firmware on Apple arm64 systems.
> >   o Add support for loading files from the EFI System Partition.
> >   o Fix a bug in the handling of SCSI drives in the bootloader on the luna88k architecture.
> >   o On luna88k, implement the chmod() signaling mechanism for /bsd.upgrade to prevent re-upgrade, like other architectures.
> >   o Support for softraid(4) disks in the installer was improved:
> >     - Make root on softraid(4) installations boot out of the box on Raspberry Pis (arm64).
> >     - Support installations with root on softraid(4) on arm64, tested on Pinebook Pro, Raspberry Pi 4b, and SolidRun CEX7.
> >     - On riscv64, enable softraid(4) in the ramdisk kernel and support installations with root on softraid(4).
> >     - When installing on encrypted softraid(4), determine the disk for placing the root device automatically and make it default as it is the only legit choice.
> >     - Add arm64 to the list of architectures with support for guided disk encryption.
> >     - Retain existing EFI System partitions on systems with APFSISC partitions (arm64 Apple M1/M2) during installation with root on softraid(4).
> >     - Enable softraid(4) in ramdisk on the powerpc64 architecture.
> >
> > - Security improvements:
> >   o Enable indirect branch tracking (IBT) on amd64 and branch target identification (BTI) on arm64 in both the kernel and in userland. On hardware that supports this feature, it helps enforce control flow integrity by making sure malicious code cannot jump into the middle of a function.
> >   o On the arm64 architecture, enable pointer authentication (PAC) in userland on those machines where it works correctly. It helps enforce control flow integrity by making sure malicious code cannot manipulate a function's return address.
> >   o Together with retguard these two features protect against ROP attacks. Compiler defaults for base clang, ports clang and ports gcc (as well as some other non-C language family compilers in ports) have been changed to enable these features by default. As a result the vast majority of programs on OpenBSD (and all programs in the base system) run with these security features enabled.
> >   o Change malloc(3) chunk sizes to be fine grained: chunk sizes are closer to the requested allocation size.
> >   o In malloc(3), check all chunks in the delayed free list for write-after-free.
> >   o The shutdown(8) program can now only be executed by members of the new shutdown group.
> >     The idea is that system administrators can now remove most users from the excessively powerful operator group, which in particular provides read access to disk device nodes.
> >   o Using unveil(2), restrict patch(1) filesystem access to the current directory including subdirectories, TMPDIR, and file names given on the command line.
> >   o In ksh(1), consistently escape control characters when displaying file name completions, even when there are multiple matches.
> >
> > - Changes in the network stack:
> >   o Sync the use of getuptime(9) in the Neighbour Discovery (ND) code with ARP.
> >   o In the IPv6 forwarding code, call getuptime(9) once for consistency with IPv4.
> >   o ARP has a queue of packets that should be sent after name resolution. Neighbor discovery (ND6) only held a single packet. Unified the code, added a queue to ND6 and made the code MP safe.
> >   o Implement a new sysctl(2) net.inet6.icmp6.nd6_queued to show the number of packets waiting for an ND6 response, analogous to ARP.
> >   o When configuring a new IPv6 address on an interface, an upstream router doesn't know where to send traffic. Send an unsolicited neighbor advertisement, as described in RFC9131, to the all-routers multicast address so all routers on the same link will learn the path back to the address.
> >   o Implement the inbound portion of RFC9131. Let routers create new neighbor cache entries when receiving valid neighbor advertisements.
> >   o Initial support for TCP segmentation offload (TSO) and TCP large receive offload (LRO) was implemented:
> >     - If the driver of a network interface supports TSO, do not chop the packet in the network stack, but pass it down to the interface layer for TSO.
> >     - Provide a software TSO implementation, to be used as a fallback if network hardware does not support TSO.
> >     - Provide a new sysctl(2) node net.inet.tcp.tso such that TSO can be globally disabled.
> >       By default, it is enabled on all interfaces supporting it.
> >     - In ifconfig(8), display separate hwfeatures for TSOv4, TSOv6, and LRO and provide a -tcplro parameter to disable LRO on a per-interface basis.
> >     - Enable TSO and forwarding of LRO packets via TSO in ix(4).
> >     - In ix(4), allocate less memory for tx buffers.
> >     - Speed up TCP transfer on lo(4) interfaces by using TSO and LRO.
> >     - Enable LRO per default in network drivers. LRO allows receiving aggregated packets larger than the MTU. Receiving TCP streams becomes much faster. Currently only ix(4) and lo(4) devices support LRO, and ix(4) is limited to IPv4 and hardware newer than the old 82598 model.
> >   o The following changes were made to the pf(4) firewall:
> >     - Speed up the ioctl(2) request DIOCGETRULE such that pfctl(8) can retrieve all pf(4) rules from the kernel in linear rather than in quadratic time. To protect the kernel from memory exhaustion, userland processes now have to release tickets obtained with DIOCGETRULES by issuing the new ioctl(2) request DIOCXEND. In particular, snmpd(8) and systat(1) now do that.
> >     - Relax the implementation of the pass all rule so all forms of neighbor advertisements are allowed in either direction.
> >     - When redirecting locally generated IP packets to userland with divert-packet rules, the packets may have no checksum due to hardware offloading. Calculate the checksum in that case.
> >     - Fix a bug where nat-to could fail to insert a state due to conflict on chosen source port number.
> >     - No longer ignore keep state and nat-to actions for unsolicited ICMP error responses. Tighten the rule matching logic so ICMP error responses no longer match keep state rule. In typical scenarios, ICMP errors (if solicited) should match existing state. The change is going to bite firewalls which deal with asymmetric routes.
> >       In those cases the keep state action should be relaxed to sloppy or a new no state rule to explicitly match ICMP errors should be added.
> >   o Do not calculate IP, TCP, and UDP checksums on lo(4) interfaces.
> >   o Convert the tcp_now() time counter to 64 bits to avoid 32 bits wrap around after changing tcp_now() ticks to milliseconds.
> >   o Add initial support for route-based IPsec VPNs. Rather than use IPsec flows (aka, entries in the IPsec security policy database) to decide which traffic should be encapsulated in IPsec and sent to a peer, this changes security associations (SAs) so they can also refer to a tunnel interface. When traffic is routed over that tunnel interface, an IPsec SA is looked up and used to encapsulate traffic before being sent to the peer on the SA. When traffic is received from a peer using an interface SA, the specified interface is looked up and the packet is handed to it so it looks like packets come out of the tunnel.
> >   o Add sec(4) to support route-based IPsec VPNs.
> >   o Introduce reference counting for TCP syn cache entries.
> >   o Have wg(4) copy the priority from the inner packet to the outer encrypted packet, so that higher priority packets are picked from hfsc queues for earlier transmission.
> >
> > - Routing daemons and other userland network improvements:
> >   o IPsec support was improved:
> >     - In iked(8), support route-based sec(4) tunnels.
> >     - In iked(8), add support to verify X.509 chain from CERT payloads.
> >     - In iked(8), do not leak memory when receiving a CERT payload for pubkey auth or for an invalid CERT Encoding.
> >     - In iked(8), do not leak a file descriptor if open_memstream(3) fails while trying to enable a child SA.
> >     - While trying to verify an ECDSA signature in iked(8), correctly detect failure of DER encoding with i2d_ECDSA_SIG(3).
> >     - In ipsecctl(8), support route-based IPsec VPN negotiation with sec(4).
> >     - In isakmpd(8), support configuring interface SAs for route-based IPsec VPNs.
> >     - In isakmpd(8) quick mode, do not crash with a NULL pointer access when a group description is specified but it is invalid, unsupported, or memory allocation or key generation fails.
> >     - In isakmpd(8), avoid a double free in the unlikely event that EC_KEY_check_key(3) fails right after generating a new key pair.
> >     - Allow building isakmpd(8) with a libcrypto library that has binary field support ("GF2m") removed.
> >   o In bgpd(8),
> >     - Add first version of flowspec support. Right now only announcement of flowspec rules is possible.
> >     - Update ASPA support to follow draft-ietf-sidrops-aspa-verification-16 and draft-ietf-sidrops-aspa-profile-16 by making the ASPA lookup tables AFI-agnostic.
> >     - Rework UPDATE message generation to use the new ibuf API instead of the hand-rolled solution before.
> >     - Fix ext-community * * matching which also affects filters removing all ext-communities.
> >     - Improve and extend the bgpctl parser to handle commands like bgpctl show rib 192.0.2.0/24 detail. Also add various flowspec specific commands.
> >     - Introduce a semaphore to protect intermittent RTR session data from being published to the RDE.
> >     - Limit the socket buffer size to 64k for all sessions. Limiting the buffer size to a reasonable size ensures that not too many updates end up queued in the TCP stack.
> >     - Adjust example GRACEFUL_SHUTDOWN filter rule in the example config to only match on ebgp sessions.
> >   o rpki-client(8) saw some changes:
> >     - A 30%-50% performance improvement was achieved through libcrypto's partial chains certificate validation feature. Already validated non-inheriting CA certificates are now marked as trusted roots.
> >       This way it can be ensured that a leaf's delegated resources are properly covered, and at the same time most validation paths are significantly shortened.
> >     - Support for gzip and deflate HTTP Content-Encoding compression was added. This allows web servers to send RRDP XML in compressed form, saving around 50% of bandwidth.
> >     - ASPA support was updated to draft-ietf-sidrops-aspa-profile-16. As part of supporting AFI-agnostic ASPAs, the JSON syntax for Validated ASPA Payloads changed in both filemode and normal output.
> >     - In filemode (-f option) the applicable manifests are now shown as part of the signature path.
> >     - A new -P option was added to manually specify a moment in time to use when parsing the validity window of certificates. Useful for regression testing. Default is invocation time of rpki-client.
> >     - The -A option will now also exclude ASPA data from the JSON output.
> >     - The synchronisation protocol used to sync the repository is now included in the OpenMetrics output.
> >     - Improved accounting by tracking objects both by repo and tal.
> >     - Check whether products listed on a manifest were issued by the same authority as the manifest itself.
> >     - File modification timestamps of objects retrieved via RRDP are now deterministically set to prepare the on-disk cache for seamless failovers from RRDP to RSYNC.
> >     - Improved detection of RRDP session desynchronization: a check was added to compare whether the delta hashes associated to previously seen serials are different in newly fetched notification files.
> >     - Improved handling of RRDP deltas in which objects are published, withdrawn, and published again.
> >     - Disallow X.509 v2 issuer and subject unique identifiers in certs. RPKI CAs will never issue certificates with V2 unique identifiers.
> >     - A check to disallow duplicate X.509 certificate extensions was added.
> >     - A check to disallow empty sets of IP Addresses or AS numbers in RFC 3779 extensions was added.
> >     - A warning is printed when the CMS signing-time attribute in a Signed Object is missing.
> >     - Warnings about unrecoverable message digest mismatches now include the manifestNumber to aid debugging the cause.
> >     - A check was added to disallow multiple RRDP publish elements for the same file in RRDP snapshots. If this error condition is encountered, the RRDP transfer is failed and the RP falls back to rsync.
> >     - A compliance check for the proper X.509 Certificate version and CRL version was added.
> >     - A compliance check was added to ensure CMS Signed Objects contain SignedData, in accordance with RFC 6488 section 3 checklist item 1a.
> >     - Compliance checks were added for the version, KeyUsage, and ExtendedKeyUsage of EE certificates in Manifest, TAK, and GBR Signed Objects.
> >     - A CMS signing-time value being after the X.509 notAfter timestamp was downgraded from an error to a warning.
> >     - A bug was fixed in the handling of CA certificates which inherit IP resources.
> >     - A compliance check was added to ensure the X.509 Subject only contains commonName and optionally serialNumber.
> >     - A compliance check was added to ensure the CMS SignedData and SignerInfo versions are 3.
> >     - Fisher-Yates shuffle the order in which Manifest entries are processed. Previously, work items were enqueued in the order the CA intended them to appear on a Manifest. However, there is no obvious benefit to third parties deciding the order in which things are processed.
> >   o In smtpd(8),
> >     - Swapped link-auth filter arguments to avoid ambiguities with user names containing a "|" character.
> >     - Bumped smtpd-filters(7) protocol version.
> >     - Fixed potential truncation of filtered data lines.
> >     - Allowed arguments on NOOP.
> >   o Many other changes in various network programs and libraries:
> >     - Allow libpcap to read files with some additional link-layer
> >       type values.
> >     - Let pcap_fopen_offline(3) correctly interpret some LINKTYPE_*
> >       values in pcap headers written on foreign operating systems.
> >     - Make dig(1) use less deprecated LibreSSL API.
> >     - Remove stylistic differences between arp(8) and ndp(8)
> >       delete() function. This makes it easier to spot real changes
> >       in behavior.
> >     - Make ndp(8) not remove cloning routes when no neighbor entry
> >       is found with ndp -d.
> >     - Improved error handling in the asr resolver.
> >     - In unwind(8), handle SERVFAIL results on name resolution
> >       better.
> >     - In unwind(8), fix a use-after-free bug triggered by fatal
> >       write errors while sending TCP responses.
> >     - In the router advertisement daemon rad(8), update the default
> >       timers for prefix preferred and valid lifetimes to use the
> >       values from RFC 9096.
> >     - In slaacd(8), remove artificial limit of 2 hours on a PIO
> >       lifetime.
> >     - In ypldap(8), reduce memory usage when updating larger
> >       directories.
> >     - Make ypldap(8) more resilient when some servers are
> >       misbehaving: keep trying LDAP servers until full results
> >       arrive rather than just until one accepts the TCP connection.
> >     - New wgdescription parameter to ifconfig(8) to set a string
> >       describing the wg(4) peer.
> >     - Let ifconfig(8) prefix the interface name to many error and
> >       warning messages.
> >     - Make the tlsv1.0 and tlsv1.1 options in relayd(8) do nothing,
> >       as one should use the default tlsv1.2 instead.
> >     - Fix IPv6 routes being changed by relayd(8) with Routers
> >       configuration.
> >     - In dhcrelay6(8), do not ignore the AF_LINK entries of carp(4)
> >       interfaces.
> >     - Improve the config parser of radiusd(8) to better handle
> >       comments, improve error messages and plug a memory leak.
> >     - In radiusd(8), add request or response decoration feature
> >       which is used through the radiusd module interface. This
> >       lets additional modules modify RADIUS request or
> >       response messages. Also add a new "radius_standard" module
> >       which uses this new feature and provides some generic features
> >       like "strip-atmark-realm", which removes the realm part from
> >       the User-Name attribute.
> >     - Allow UDP for built-in inetd(8) services on 127.0.0.1. This
> >       restriction was added in year 2000 due to IPv6 compatible and
> >       mapped addresses. Nowadays our kernel does not support these
> >       IPv6 features and blocks localhost addresses on non-loopback
> >       interfaces. Make IPv4 127.0.0.1/8 and IPv6 ::1 behave
> >       identically and provide local services if configured.
> >     - In spamd(8), log a dummy "" IP address in the unlikely event
> >       that getnameinfo(3) fails.
> >
> > - tmux(1) improvements and bug fixes:
> >   o For passthrough, don't write to clients attached to different
> >     sessions.
> >   o Add a format to show if there are unseen changes while in a mode.
> >   o Discard mouse sequences that have the right form but actually are
> >     invalid.
> >   o Invalidate cached tty state after changing features since they may
> >     change what the terminal can do and need mouse sequences or
> >     similar to be sent again.
> >   o Add options to change the confirm key and default behaviour of
> >     confirm-before.
> >   o Add an option menu-selected-style to configure the currently
> >     selected menu item.
> >   o Add -c to run-shell to set working directory.
> >   o Add detach-on-destroy previous and next.
> >   o Set visited flag on last windows when linking session.
> >
> > - LibreSSL version 3.8.2
> >   o Security fixes
> >     - Disabled TLSv1.0 and TLSv1.1 in libssl so that they may no
> >       longer be selected for use.
> >     - BN_is_prime{,_fasttest}_ex() refuse to check numbers larger
> >       than 32 kbits for primality. This mitigates various DoS
> >       vectors.
> >     - Restricted the RFC 3779 code to IPv4 and IPv6. It was not
> >       written to be able to deal with anything else.
> >   o Portable changes
> >     - Extended the endian.h compat header with hto* and *toh
> >       macros.
> >     - Adapted more tests to the portable framework.
> >     - Internal tools are now statically linked.
> >     - Applications bundled as part of the LibreSSL package
> >       internally, nc(1) and openssl(1), now are linked statically
> >       if static libraries are built.
> >     - Internal compatibility function symbols are no longer
> >       exported from libcrypto. Instead, the libcompat library is
> >       linked to libcrypto, libssl, and libtls separately. This
> >       increases size a little, but ensures that the libraries are
> >       not exporting symbols to programs unintentionally.
> >     - Selective removal of CET implementation on platforms where it
> >       is not supported (macOS).
> >     - Integrated four more tests.
> >     - Added Windows ARM64 architecture to tested platforms.
> >     - Removed Solaris 10 support, fixed Solaris 11.
> >     - libtls no longer links statically to libcrypto / libssl
> >       unless --enable-libtls-only is specified at configure time.
> >     - Improved Windows compatibility library, namely handling of
> >       files vs sockets, correcting an exception when operating on a
> >       closed socket.
> >     - CMake builds no longer hardcode -O2 into the compiler flags,
> >       instead using flags from the CMake build type instead.
> >     - Set the CMake default build type to Release. This can be
> >       overridden during configuration.
> >     - Fixed broken ASM support with MinGW builds.
> >   o New features
> >     - Added support for truncated SHA-2 and for SHA-3.
> >     - The BPSW primality test performs additional Miller-Rabin
> >       rounds with random bases to reduce the likelihood of
> >       composites passing.
> >     - Allow testing of ciphers and digests using badly aligned
> >       buffers in openssl speed using -unalign.
> >     - Ed25519 certificates are now supported in openssl(1) ca and
> >       req.
> >       Prepared Ed25519 support in libssl.
> >     - Add branch target information (BTI) support to amd64 and
> >       arm64 assembly.
> >   o Compatibility changes
> >     - Added a workaround for a poorly thought-out change in OpenSSL
> >       3 that broke privilege separation support in libtls.
> >     - Moved libtls from ECDSA_METHOD to EC_KEY_METHOD.
> >     - Removed GF2m support: BIGNUM no longer supports binary
> >       extension field arithmetic and all binary elliptic builtin
> >       curves were removed.
> >     - Removed dangerous, "fast" NIST prime and elliptic curve
> >       implementations. In particular, EC_GFp_nist_method() is no
> >       longer available.
> >     - Removed most public symbols that were deprecated in OpenSSL
> >       0.9.8.
> >     - Removed the public X9.31 API (RSA_X931_PADDING is still
> >       available).
> >     - Removed Cipher Text Stealing mode.
> >     - Removed ENGINE support, including ECDH_METHOD and
> >       ECDSA_METHOD.
> >     - Removed COMP, DSO, dynamic loading of conf modules and
> >       support for custom ex_data and error stacks.
> >     - Removed proxy certificate (RFC 3820) support.
> >     - Removed SXNET and NETSCAPE_CERT_SEQUENCE support including
> >       the openssl(1) nseq command.
> >     - ENGINE support was removed and OPENSSL_NO_ENGINE is set. In
> >       spite of this, some stub functions are provided to avoid
> >       patching some applications that do not honor
> >       OPENSSL_NO_ENGINE.
> >     - The POLICY_TREE and its related structures and API were
> >       removed.
> >     - In X509_VERIFY_PARAM_inherit() copy hostflags independently
> >       of the host list.
> >     - Made CRYPTO_get_ex_new_index() not return 0 to allow
> >       applications to use *_{get,set}_app_data() and
> >       *_{get,set}_ex_data() alongside each other.
> >     - X509_NAME_get_text_by_{NID,OBJ}() now only succeed if they
> >       contain valid UTF-8 without embedded NUL.
> >     - The explicitText user notice uses UTF8String instead of
> >       VisibleString to reduce the risk of emitting certificates
> >       with invalid DER-encoding.
> >     - Initial fixes for RSA-PSS support to make the TLSv1.3 stack
> >       more compliant with RFC 8446.
> >     - Fixed EVP_CIPHER_CTX_iv_length() to return what was set with
> >       EVP_CTRL_AEAD_SET_IVLEN or one of its aliases.
> >   o Internal improvements
> >     - Improved sieve of Eratosthenes script used for generating a
> >       table of small primes.
> >     - Removed incomplete and dangerous BN_RECURSION code.
> >     - Imported RFC 5280 policy checking code from BoringSSL and
> >       used it to replace the old exponential time code.
> >     - Converted more of libcrypto to use CBB/CBS.
> >     - Started cleaning up and rewriting SHA internals.
> >     - Reduced the dependency of hash implementations on many layers
> >       of macros. This results in significant speedups since modern
> >       compilers are now less confused.
> >     - Improved BIGNUM internals and performance.
> >     - Significantly simplified the BN_BLINDING internals used in
> >       RSA.
> >     - Made BN_num_bits() independent of bn->top.
> >     - Rewrote and simplified bn_sqr().
> >     - Significantly improved Montgomery multiplication performance.
> >     - Rewrote and improved BN_exp() and BN_copy().
> >     - Changed ASN1_item_sign_ctx() and ASN1_item_verify() to work
> >       with Ed25519 and fixed a few bugs in there.
> >     - Lots of cleanup for DH, DSA, EC, RSA internals. Plugged
> >       numerous memory leaks, fixed logic errors and
> >       inconsistencies.
> >     - Cleaned up and simplified various ECDH and ECDSA internals.
> >     - Removed EC_GROUP precomp machinery.
> >     - Fixed various issues with EVP_PKEY_CTX_{new,dup}().
> >     - Rewrote OBJ_find_sigid_algs() and OBJ_find_sigid_by_algs().
> >     - Improved X.509 certificate version checks.
> >     - Ensure no X.509v3 extensions appear more than once in
> >       certificates.
> >     - Replaced ASN1_bn_print with a cleaner internal
> >       implementation.
> >     - Fix OPENSSL_cpuid_setup() invocations on arm/aarch64.
> >     - Improved checks for commonName in libtls.
> >     - Fixed error check for X509_get_ext_d2i() failure in libtls.
> >     - Removed code guarded by #ifdef ZLIB.
> >     - Plug a potential memory leak in ASN1_TIME_normalize().
> >     - Fixed a use of uninitialized in i2r_IPAddrBlocks().
> >     - Rewrote CMS_SignerInfo_{sign,verify}().
> >   o Bug fixes
> >     - Correctly handle negative input to various BIGNUM functions.
> >     - Ensure ERR_load_ERR_strings() does not set errno
> >       unexpectedly.
> >     - Fix error checking of i2d_ECDSA_SIG() in ossl_ecdsa_sign().
> >     - Fixed aliasing issue in BN_mod_inverse(). Disallowed aliasing
> >       of result and modulus in various BN_mod_* functions.
> >     - Fixed detection of extended operations (XOP) on AMD hardware.
> >     - Ensure Montgomery exponentiation is used for the initial RSA
> >       blinding.
> >     - Policy is always checked in X509 validation. Critical policy
> >       extensions are no longer silently ignored.
> >     - Fixed error handling in tls_check_common_name().
> >     - Add missing pointer invalidation in SSL_free().
> >     - Fixed X509err() and X509V3err() and their internal versions.
> >     - Ensure that OBJ_obj2txt() always returns a C string again.
> >     - Made EVP_PKEY_set1_hkdf_key() fail on a NULL key.
> >     - On socket errors in the poll loop, netcat could issue system
> >       calls on invalidated file descriptors.
> >     - Allow IP addresses to be specified in a URI.
> >     - Fixed a copy-paste error in ASN1_TIME_compare() that could
> >       lead to two UTCTimes or two GeneralizedTimes incorrectly
> >       being compared as equal.
> >   o Documentation improvements
> >     - Improved documentation of BIO_ctrl(3),
> >       BIO_set_info_callback(3), BIO_get_info_callback(3),
> >       BIO_method_type(3), and BIO_method_name(3).
> >     - Marked BIO_CB_return(), BIO_cb_pre(), and BIO_cb_post() as
> >       intentionally undocumented.
> >     - Made it very explicit that the verify callback should not be
> >       used.
> >     - Called out that the CRL lastUpdate is standardized as
> >       thisUpdate.
> >     - Documented the RFC 3779 API and its shortcomings.
> >   o Testing and Proactive Security
> >     - Significantly improved test coverage of BN_mod_sqrt() and
> >       GCD.
> >     - As always, new test coverage is added as bugs are fixed and
> >       subsystems are cleaned up.
> >
> > - OpenSSH 9.5 and OpenSSH 9.4
> >   o Potentially incompatible changes
> >     - ssh-keygen(1): generate Ed25519 keys by default. Ed25519
> >       public keys are very convenient due to their small size.
> >       Ed25519 keys are specified in RFC 8709 and OpenSSH has
> >       supported them since version 6.5 (January 2014).
> >     - sshd(8): the Subsystem directive now accurately preserves
> >       quoting of subsystem commands and arguments. This may change
> >       behaviour for exotic configurations, but the most common
> >       subsystem configuration (sftp-server) is unlikely to be
> >       affected.
> >     - ssh-agent(1): PKCS#11 modules must now be specified by their
> >       full paths. Previously dlopen(3) could search for them in
> >       system library directories.
> >   o New features
> >     - ssh(1): add keystroke timing obfuscation to the client. This
> >       attempts to hide inter-keystroke timings by sending
> >       interactive traffic at fixed intervals (default: every 20ms)
> >       when there is only a small amount of data being sent. It also
> >       sends fake "chaff" keystrokes for a random interval after the
> >       last real keystroke. These are controlled by a new ssh_config
> >       ObscureKeystrokeTiming keyword.
> >     - ssh(1), sshd(8): Introduce a transport-level ping facility.
> >       This adds a pair of SSH transport protocol messages
> >       SSH2_MSG_PING/PONG to implement a ping capability. These
> >       messages use numbers in the "local extensions" number space
> >       and are advertised using a "ping@openssh.com" ext-info
> >       message with a string version number of "0".
> >     - sshd(8): allow override of Subsystem directives in sshd Match
> >       blocks.
> >     - ssh(1): allow forwarding Unix Domain sockets via ssh -W.
> >     - ssh(1): add support for configuration tags to ssh(1).
> >       This adds a ssh_config(5) "Tag" directive and corresponding "Match
> >       tag" predicate that may be used to select blocks of
> >       configuration similar to the pf.conf(5) keywords of the same
> >       name.
> >     - ssh(1): add a "match localnetwork" predicate. This allows
> >       matching on the addresses of available network interfaces and
> >       may be used to vary the effective client configuration based
> >       on network location.
> >     - ssh(1), sshd(8), ssh-keygen(1): infrastructure support for
> >       KRL extensions. This defines wire formats for optional KRL
> >       extensions and implements parsing of the new submessages. No
> >       actual extensions are supported at this point.
> >     - sshd(8): AuthorizedPrincipalsCommand and
> >       AuthorizedKeysCommand now accept two additional %-expansion
> >       sequences: %D which expands to the routing domain of the
> >       connected session and %C which expands to the addresses and
> >       port numbers for the source and destination of the
> >       connection.
> >     - ssh-keygen(1): increase the default work factor (rounds) for
> >       the bcrypt KDF used to derive symmetric encryption keys for
> >       passphrase protected key files by 50%.
> >   o Bugfixes
> >     - scp(1): fix scp in SFTP mode recursive upload and download of
> >       directories that contain symlinks to other directories. In
> >       scp mode, the links would be followed, but in SFTP mode they
> >       were not.
> >     - ssh-keygen(1): handle cr+lf (instead of just cr) line endings
> >       in sshsig signature files.
> >     - ssh(1): interactive mode for ControlPersist sessions if they
> >       originally requested a tty.
> >     - sshd(8): make PerSourceMaxStartups first-match-wins.
> >     - sshd(8): limit artificial login delay to a reasonable maximum
> >       (5s) and don't delay at all for the "none" authentication
> >       mechanism.
> >     - sshd(8): Log errors in kex_exchange_identification() with
> >       level verbose instead of error to reduce preauth log spam.
> >       All of those get logged with a more generic error message by
> >       sshpkt_fatal().
> >     - sshd(8): correct math for ClientAliveInterval that caused the
> >       probes to be sent less frequently than configured.
> >     - ssh-agent(1): improve isolation between loaded PKCS#11
> >       modules by running separate ssh-pkcs11-helpers for each
> >       loaded provider.
> >     - ssh(1): make -f (fork after authentication) work correctly
> >       with multiplexed connections, including ControlPersist.
> >     - ssh(1): make ConnectTimeout apply to multiplexing sockets and
> >       not just to network connections.
> >     - ssh-agent(1), ssh(1): improve defences against invalid
> >       PKCS#11 modules being loaded by checking that the requested
> >       module contains the required symbol before loading it.
> >     - sshd(8): fix AuthorizedPrincipalsCommand when
> >       AuthorizedKeysCommand appears before it in sshd_config. Since
> >       OpenSSH 8.7 the AuthorizedPrincipalsCommand directive was
> >       incorrectly ignored in this situation.
> >     - sshd(8), ssh(1), ssh-keygen(1): remove vestigial support for
> >       KRL signatures. When the KRL format was originally defined, it
> >       included support for signing of KRL objects. However, the
> >       code to sign KRLs and verify KRL signatures was never
> >       completed in OpenSSH. This release removes the
> >       partially-implemented code to verify KRLs. All OpenSSH tools
> >       now ignore KRL_SECTION_SIGNATURE sections in KRL files.
> >     - All: fix a number of memory leaks and unreachable/harmless
> >       integer overflows.
> >     - ssh-agent(1), ssh(1): don't truncate strings logged from
> >       PKCS#11 modules.
> >     - sshd(8), ssh(1): better validate CASignatureAlgorithms in
> >       ssh_config and sshd_config. Previously this directive would
> >       accept certificate algorithm names, but these were unusable
> >       in practice as OpenSSH does not support CA chains.
> >     - ssh(1): make ssh -Q CASignatureAlgorithms only list signature
> >       algorithms that are valid for CA signing. Previous behaviour
> >       was to list all signing algorithms, including certificate
> >       algorithms.
> >     - ssh-keyscan(1): gracefully handle systems where rlimits or
> >       the maximum number of open files is larger than INT_MAX.
> >     - ssh-keygen(1): fix "no comment" not showing when running
> >       ssh-keygen -l on multiple keys where one has a comment and
> >       other following keys do not.
> >     - scp(1), sftp(1): adjust ftruncate() logic to handle servers
> >       that reorder requests. Previously, if the server reordered
> >       requests then the resultant file would be erroneously
> >       truncated.
> >     - ssh(1): don't incorrectly disable hostname canonicalization
> >       when CanonicalizeHostname=yes and ProxyJump was explicitly
> >       set to "none".
> >     - scp(1): when copying local to remote, check that the source
> >       file exists before opening an SFTP connection to the server.
> >
> > - Ports and packages:
> >   o Pre-built packages are available for the following architectures on
> >     the day of release:
> >     - aarch64 (arm64): 11508
> >     - amd64: 11845
> >     - i386: 10603
> >     - sparc64: 8469
> >   o Packages for the following architectures will be made available as
> >     their builds complete:
> >     - arm
> >     - mips64
> >     - powerpc
> >     - powerpc64
> >     - riscv64
> >
> > - Some highlights:
> >
> >   o Asterisk 16.30.1, 18.19.0 and 20.4.0
> >   o Audacity 3.3.3
> >   o CMake 3.27.5
> >   o Chromium 117.0.5938.149
> >   o Emacs 29.1
> >   o FFmpeg 4.4.4
> >   o GCC 8.4.0 and 11.2.0
> >   o GHC 9.2.7
> >   o GNOME 44
> >   o Go 1.21.1
> >   o JDK 8u382, 11.0.20 and 17.0.8
> >   o KDE Applications 23.08.0
> >   o KDE Frameworks 5.98.0
> >   o Krita 5.1.5
> >   o LLVM/Clang 13.0.0 and 16.0.6
> >   o LibreOffice 7.6.2.1
> >   o Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.6
> >   o MariaDB 10.9.6
> >   o Mono 6.12.0.199
> >   o Mozilla Firefox 118.0.1 and ESR 115.3.1
> >   o Mozilla Thunderbird 115.3.1
> >   o Mutt 2.2.12 and NeoMutt 20230517
> >   o Node.js 18.18.0
> >   o OCaml 4.12.1
> >   o OpenLDAP 2.6.6
> >   o PHP 7.4.33, 8.0.30, 8.1.24 and 8.2.11
> >   o Postfix 3.7.3
> >   o PostgreSQL 15.4
> >   o Python 2.7.18, 3.9.18, 3.10.13 and 3.11.5
> >   o Qt 5.15.10 and 6.5.2
> >   o R 4.2.3
> >   o Ruby 3.0.6, 3.1.4 and 3.2.2
> >   o Rust 1.72.1
> >   o SQLite 3.42.0
> >   o Shotcut 23.07.29
> >   o Sudo 1.9.14.2
> >   o Suricata 6.0.12
> >   o Tcl/Tk 8.5.19 and 8.6.13
> >   o TeX Live 2022
> >   o Vim 9.0.1897 and Neovim 0.9.1
> >   o Xfce 4.18
> >
> > - As usual, steady improvements in manual pages and other documentation.
> >
> > - The system includes the following major components from outside suppliers:
> >   o Xenocara (based on X.Org 7.7 with xserver 21.1.8 + patches,
> >     freetype 2.13.0, fontconfig 2.14.2, Mesa 22.3.7, xterm 378,
> >     xkeyboard-config 2.20, fonttosfnt 1.2.2, and more)
> >   o LLVM/Clang 13.0.0 (+ patches)
> >   o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
> >   o Perl 5.36.1 (+ patches)
> >   o NSD 4.7.0
> >   o Unbound 1.18.0
> >   o Ncurses 5.7
> >   o Binutils 2.17 (+ patches)
> >   o Gdb 6.3 (+ patches)
> >   o Awk September 12, 2023 version
> >   o Expat 2.5.0
> >
> > ------------------------------------------------------------------------
> > - SECURITY AND ERRATA --------------------------------------------------
> >
> > We provide patches for known security threats and other important
> > issues discovered after each release. Our continued research into
> > security means we will find new security problems -- and we always
> > provide patches as soon as possible. Therefore, we advise regular
> > visits to
> >
> >     https://www.OpenBSD.org/security.html
> > and
> >     https://www.OpenBSD.org/errata.html
> >
> > ------------------------------------------------------------------------
> > - MAILING LISTS AND FAQ ------------------------------------------------
> >
> > Mailing lists are an important means of communication among users and
> > developers of OpenBSD.
> > For information on OpenBSD mailing lists, please
> > see:
> >
> >     https://www.OpenBSD.org/mail.html
> >
> > You are also encouraged to read the Frequently Asked Questions (FAQ) at:
> >
> >     https://www.OpenBSD.org/faq/
> >
> > ------------------------------------------------------------------------
> > - DONATIONS ------------------------------------------------------------
> >
> > The OpenBSD Project is a volunteer-driven software group funded by
> > donations. Besides OpenBSD itself, we also develop important software
> > like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
> > filter, the quality work of our ports development process, and many
> > others. This ecosystem is all handled under the same funding umbrella.
> >
> > We hope our quality software will result in contributions that maintain
> > our build/development infrastructure, pay our electrical/internet costs,
> > and allow us to continue operating very productive developer hackathon
> > events.
> >
> > All of our developers strongly urge you to donate and support our future
> > efforts. Donations to the project are highly appreciated, and are
> > described in more detail at:
> >
> >     https://www.OpenBSD.org/donations.html
> >
> > ------------------------------------------------------------------------
> > - OPENBSD FOUNDATION ---------------------------------------------------
> >
> > For those unable to make their contributions as straightforward gifts,
> > the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian
> > not-for-profit corporation that can accept larger contributions and
> > issue receipts. In some situations, their receipt may qualify as a
> > business expense write-off, so this is certainly a consideration for
> > some organizations or businesses.
> >
> > There may also be exposure benefits since the Foundation may be
> > interested in participating in press releases.
> > In turn, the Foundation
> > then uses these contributions to assist OpenBSD's infrastructure needs.
> > Contact the foundation directors at directors@openbsdfoundation.org for
> > more information.
> >
> > ------------------------------------------------------------------------
> > - HTTPS INSTALLS -------------------------------------------------------
> >
> > OpenBSD can be easily installed via HTTPS downloads. Typically you need
> > a single small piece of boot media (e.g., a USB flash drive) and then
> > the rest of the files can be installed from a number of locations,
> > including directly off the Internet. Follow this simple set of
> > instructions to ensure that you find all of the documentation you will
> > need while performing an install via HTTPS.
> >
> > 1) Read either of the following two files for a list of HTTPS mirrors
> >    which provide OpenBSD, then choose one near you:
> >
> >     https://www.OpenBSD.org/ftp.html
> >     https://ftp.openbsd.org/pub/OpenBSD/ftplist
> >
> >    As of October 16, 2023, the following HTTPS mirror sites have the
> >    7.4 release:
> >
> >     https://cdn.openbsd.org/pub/OpenBSD/7.4/                 Global
> >     https://ftp.eu.openbsd.org/pub/OpenBSD/7.4/              Stockholm, Sweden
> >     https://ftp.hostserver.de/pub/OpenBSD/7.4/               Frankfurt, Germany
> >     https://ftp.bytemine.net/pub/OpenBSD/7.4/                Oldenburg, Germany
> >     https://ftp.fr.openbsd.org/pub/OpenBSD/7.4/              Paris, France
> >     https://mirror.aarnet.edu.au/pub/OpenBSD/7.4/            Brisbane, Australia
> >     https://ftp.usa.openbsd.org/pub/OpenBSD/7.4/             CO, USA
> >     https://ftp5.usa.openbsd.org/pub/OpenBSD/7.4/            CA, USA
> >     https://mirror.esc7.net/pub/OpenBSD/7.4/                 TX, USA
> >     https://openbsd.cs.toronto.edu/pub/OpenBSD/7.4/          Toronto, Canada
> >     https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.4/      Global
> >     https://fastly.cdn.openbsd.org/pub/OpenBSD/7.4/          Global
> >
> >    The release is also available at the master site:
> >
> >     https://ftp.openbsd.org/pub/OpenBSD/7.4/                 Alberta, Canada
> >
> >    However it is strongly suggested you use a mirror.
> >
> >    Other mirror sites may take a day or two to update.
> >
> > 2) Connect to that HTTPS mirror site and go into the directory
> >    pub/OpenBSD/7.4/ which contains these files and directories.
> >    This is a list of what you will see:
> >
> >     ANNOUNCEMENT     armv7/           octeon/               root.mail
> >     README           hppa/            openbsd-74-base.pub   sparc64/
> >     SHA256           i386/            packages/             src.tar.gz
> >     SHA256.sig       landisk/         packages-stable/      sys.tar.gz
> >     alpha/           loongson/        ports.tar.gz          xenocara.tar.gz
> >     amd64/           luna88k/         powerpc64/
> >     arm64/           macppc/          riscv64/
> >
> >    It is quite likely that you will want at LEAST the following
> >    files which apply to all the architectures OpenBSD supports.
> >
> >     README          - generic README
> >     root.mail       - a copy of root's mail at initial login.
> >                       (This is really worthwhile reading).
> >
> > 3) Read the README file. It is short, and a quick read will make
> >    sure you understand what else you need to fetch.
> >
> > 4) Next, go into the directory that applies to your architecture,
> >    for example, amd64. This is a list of what you will see:
> >
> >     BOOTIA32.EFI*    bsd*             floppy74.img     pxeboot*
> >     BOOTX64.EFI*     bsd.mp*          game74.tgz       xbase74.tgz
> >     BUILDINFO        bsd.rd*          index.txt        xfont74.tgz
> >     INSTALL.amd64    cd74.iso         install74.img    xserv74.tgz
> >     SHA256           cdboot*          install74.iso    xshare74.tgz
> >     SHA256.sig       cdbr*            man74.tgz
> >     base74.tgz       comp74.tgz       miniroot74.img
> >
> >    If you are new to OpenBSD, fetch at least the file INSTALL.amd64
> >    and install74.iso. The install74.iso file (roughly 633MB in size)
> >    is a one-step ISO-format install CD image which contains the various
> >    *.tgz files so you do not need to fetch them separately.
> >
> >    If you prefer to use a USB flash drive, fetch install74.img and
> >    follow the instructions in INSTALL.amd64.
> >
> > 5) If you are an expert, follow the instructions in the file called
> >    README; otherwise, use the more complete instructions in the
> >    file called INSTALL.amd64. INSTALL.amd64 may tell you that you
> >    need to fetch other files.
> >
> > 6) Just in case, take a peek at:
> >
> >     https://www.OpenBSD.org/errata.html
> >
> >    This is the page where we talk about the mistakes we made while
> >    creating the 7.4 release, or the significant bugs we fixed
> >    post-release which we think our users should have fixes for.
> >    Patches and workarounds are clearly described there.
> >
> > ------------------------------------------------------------------------
> > - X.ORG FOR MOST ARCHITECTURES -----------------------------------------
> >
> > X.Org has been integrated more closely into the system. This release
> > contains X.Org 7.7. Most of our architectures ship with X.Org, including
> > amd64, sparc64 and macppc. During installation, you can install X.Org
> > quite easily using xenodm(1), our simplified X11 display manager forked
> > from xdm(1).
> >
> > ------------------------------------------------------------------------
> > - PACKAGES AND PORTS ---------------------------------------------------
> >
> > Many third party software applications have been ported to OpenBSD and
> > can be installed as pre-compiled binary packages on the various OpenBSD
> > architectures. Please see https://www.openbsd.org/faq/faq15.html for
> > more information on working with packages and ports.
> >
> > Note: a few popular ports, e.g., NSD, Unbound, and several X
> > applications, come standard with OpenBSD and do not need to be installed
> > separately.
> >
> > ------------------------------------------------------------------------
> > - SYSTEM SOURCE CODE ---------------------------------------------------
> >
> > The source code for all four subsystems can be found in the
> > pub/OpenBSD/7.4/ directory:
> >
> >     xenocara.tar.gz     ports.tar.gz    src.tar.gz      sys.tar.gz
> >
> > The README (https://ftp.OpenBSD.org/pub/OpenBSD/7.4/README) file
> > explains how to deal with these source files.
> >
> > ------------------------------------------------------------------------
> > - THANKS ---------------------------------------------------------------
> >
> > Ports tree and package building by Jeremie Courreges-Anglas,
> > Visa Hankala, Stuart Henderson, Peter Hessler, George Koehler,
> > Kurt Mosiejczuk, and Christian Weisgerber. Base and X system builds by
> > Kenji Aoyama, Theo de Raadt, and Miod Vallat. Release art by
> > Jessica Scott.
> >
> > We would like to thank all of the people who sent in bug reports, bug
> > fixes, donation cheques, and hardware that we use. We would also like
> > to thank those who bought our previous CD sets. Those who did not
> > support us financially have still helped us with our goal of improving
> > the quality of the software.
> >
> > Our developers are:
> >
> >     Aaron Bieber, Adam Wolk, Aisha Tammy, Alexander Bluhm,
> >     Alexander Hall, Alexandr Nedvedicky, Alexandr Shadchin,
> >     Alexandre Ratchov, Andrew Fresh, Anil Madhavapeddy,
> >     Anthony J. Bentley, Antoine Jacoutot, Anton Lindqvist, Asou Masato,
> >     Ayaka Koshibe, Benoit Lecocq, Bjorn Ketelaars, Bob Beck,
> >     Brandon Mercer, Brent Cook, Brian Callahan, Bryan Steele,
> >     Can Erkin Acar, Caspar Schutijser, Charlene Wendling,
> >     Charles Longeau, Chris Cappuccio, Christian Weisgerber,
> >     Christopher Zimmermann, Claudio Jeker, Dale Rahn, Damien Miller,
> >     Daniel Dickman, Daniel Jakots, Darren Tucker, Dave Voutila,
> >     David Coppa, David Gwynne, David Hill, Denis Fondras, Edd Barrett,
> >     Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus,
> >     George Koehler, George Rosamond, Gerhard Roth, Giannis Tsaraias,
> >     Gilles Chehade, Giovanni Bechis, Gleydson Soares,
> >     Gonzalo L.
> >     Rodriguez, Greg Steuck, Helg Bredow, Henning Brauer,
> >     Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze,
> >     Inoguchi Kinichiro, James Hastings, James Turner, Jan Klemkow,
> >     Jason McIntyre, Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas,
> >     Jeremy Evans, Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani,
> >     Jonathan Gray, Jonathan Matthew, Jordan Hargrave, Josh Rickmar,
> >     Joshua Sing, Joshua Stein, Juan Francisco Cantero Hurtado,
> >     Kazuya Goda, Kenji Aoyama, Kenneth R Westerback, Kent R. Spillner,
> >     Kevin Lo, Kirill Bychkov, Klemens Nanni, Kurt Miller,
> >     Kurt Mosiejczuk, Landry Breuil, Lawrence Teo, Lucas Raab,
> >     Marc Espie, Marcus Glocker, Mark Kettenis, Mark Lumsden,
> >     Markus Friedl, Martijn van Duren, Martin Natano, Martin Pieuchot,
> >     Martin Reindl, Martynas Venckus, Matthew Dempsky, Matthias Kilian,
> >     Matthieu Herrb, Michael Mikonos, Mike Belopuhov, Mike Larkin,
> >     Miod Vallat, Moritz Buhl, Nam Nguyen, Nayden Markatchev,
> >     Nicholas Marriott, Nigel Taylor, Okan Demirmen, Omar Polo,
> >     Ori Bernstein, Otto Moerbeek, Paco Esteban, Pamela Mosiejczuk,
> >     Pascal Stumpf, Patrick Wildt, Paul Irofti, Pavel Korovin,
> >     Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas,
> >     Rafael Sadowski, Rafael Zalamena, Raphael Graf, Remi Locherer,
> >     Remi Pointel, Renato Westphal, Ricardo Mestre, Richard Procter,
> >     Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha,
> >     Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
> >     Solene Rapenne, Stefan Fritsch, Stefan Hagen, Stefan Kempf,
> >     Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson,
> >     Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler,
> >     Theo de Raadt, Thomas Frohwein, Tim van der Molen, Tobias Heider,
> >     Tobias Stoeckmann, Todd C.
> >     Miller, Todd Mortimer, Tom Cosgrove,
> >     Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov,
> >     Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Volker Schlecht,
> >     Yasuoka Masahiko, Yojiro Uo
>
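The install steps quoted above list SHA256, SHA256.sig and openbsd-74-base.pub next to the images but leave the integrity check to INSTALL.amd64. As an added example that is not part of the announcement or of the OpenBSD tools, the POSIX shell script below fetches install74.img and SHA256.sig from a mirror, lets signify(1) verify the signed checksum list with the release key, and separately shows how the SHA256 list format is parsed and compared. MIRROR, PUBKEY and the helper function names are my assumptions; the key is expected to come from /etc/signify/ on an existing OpenBSD install, not from the mirror being verified.

```shell
#!/bin/sh
# Added example, not the 7.4 announcement's or the OpenBSD project's code:
# download a release image and verify it against the signify(1)-signed
# SHA256 list before using it. Assumptions (mine): the mirror path, the key
# location and the helper names below. The release key must come from a
# trusted place such as /etc/signify/ on an existing OpenBSD install; a key
# fetched from the same mirror as the files proves nothing about them.

MIRROR="${MIRROR:-https://cdn.openbsd.org/pub/OpenBSD/7.4/amd64}"
PUBKEY="${PUBKEY:-/etc/signify/openbsd-74-base.pub}"

# Print the digest recorded for file name $2 in the SHA256 list $1.
# Lines have the BSD cksum(1) form:  SHA256 (install74.img) = <64 hex chars>
expected_digest() {
    awk -v f="$2" '$1 == "SHA256" && $2 == ("(" f ")") { print $4 }' "$1"
}

# SHA-256 of a local file; OpenBSD ships sha256(1), most others sha256sum(1).
file_digest() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | awk '{ print $1 }'
    fi
}

# Compare file $2 against list $1: 0 = match, 1 = mismatch, 2 = not listed.
# This is the per-file check signify -C performs after verifying the list's
# signature; on its own it proves integrity, not authenticity.
check_digest() {
    want=$(expected_digest "$1" "$(basename "$2")")
    [ -n "$want" ] || return 2
    [ "$want" = "$(file_digest "$2")" ]
}

# Download URL $1 to path $2 with whatever fetcher the host has.
fetch() {
    if [ "$(uname)" = OpenBSD ]; then
        ftp -o "$2" "$1"
    else
        curl -fsSLo "$2" "$1"
    fi
}

# Fetch the image plus the signed list, then have signify(1) check the
# signature over the list with the release key and the image's digest.
fetch_and_verify() {
    for f in SHA256.sig "$1"; do
        fetch "$MIRROR/$f" "$f" || return 1
    done
    signify -C -p "$PUBKEY" -x SHA256.sig "$1"
}

# Only touch the network when invoked as: sh verify74.sh --fetch install74.img
if [ "$1" = --fetch ]; then
    fetch_and_verify "${2:-install74.img}"
fi
```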

