Congratulations on another release and thanks for bringing us quality stuff!
-ag

On Thu, Oct 17, 2019 at 6:49 AM Theo de Raadt <[email protected]> wrote:
>
> ------------------------------------------------------------------------
> - OpenBSD 6.6 RELEASED -------------------------------------------------
>
> October 17, 2019.
>
> We are pleased to announce the official release of OpenBSD 6.6.
> This is our 47th release. We remain proud of OpenBSD's record of more
> than twenty years with only two remote holes in the default install.
>
> As in our previous releases, 6.6 provides significant improvements,
> including new features, in nearly all areas of the system:
>
> - General improvements and bugfixes:
>    o Fixed support for amd64 machines with greater than 1023GB physical
>      memory.
>    o drm(4) updates.
>    o The octeon platform is now using clang(1) as the base system
>      compiler.
>    o The powerpc architecture is now provided with clang(1), in
>      addition to aarch64, amd64, armv7, i386, mips64el, sparc64.
>    o Disabled gcc in base on armv7 and i386.
>    o Prevented dhclient(8) from repeatedly obtaining a new lease when
>      the mtu is given in a lease.
>    o Prevented more than one thread from opening a wscons(4) device in
>      read/write mode.
>    o Allowed non-root users to become owner of the drm(4) device when
>      they are the first to open it.
>    o Added regular expression support for the format search, match and
>      substitute modifiers in tmux(1).
>    o Added a -v flag to source-file in tmux(1) to show the commands and
>      line numbers.
>    o Added simple menus usable with mouse or keyboard in tmux(1).
>      Introduced the command "display-menu" to show a menu bound to the
>      mouse on status line by default, and added menus in tree, client
>      and buffer modes.
>    o Changed the behavior of swap-window -d in tmux(1) to match
>      swap-pane.
>    o Allow panes to be empty in tmux(1), and enabling output to be
>      piped to them with split-window or display-message -I.
>    o Adjusted tmux(1) to automatically scroll when dragging to create a
>      selection with the mouse when the cursor reaches the top or bottom
>      line.
>    o Fixed a tmux(1) crash when killing the current window, and other
>      bugfixes.
>
> - SMP-Improvements, System call unlocking:
>    o Unlocked getrlimit(2) and setrlimit(2) syscalls.
>    o Unlocked read(2) and write(2) syscalls.
>    o Removed the KERNEL_LOCK from the bridge(4) output fast-path.
>    o Made resource limit access MP-safe.
>    o Made file(9) offset access MP-safe.
>
> - Improved hardware support, including:
>    o Implemented Linux compatible acpi(4) interfaces and enabled the
>      ACPI support code in radeon(4) and amdgpu(4).
>    o Implemented backlight control for amdgpu(4), allowing setting of
>      the backlight using wsconsctl(8).
>    o Both sets of speakers work by default on the ThinkPad X1C7.
>    o Added amdgpu(4), an AMD Radeon GPU video driver.
>    o Added TSC synchronization for multiprocessor machines and
>      re-enabled TSC as the default amd64 time source.
>    o Added support for Realtek ALC285 in azalia(4).
>    o Added uvideo(4) support for the KSMedia 8-bit IR format and for
>      dual functions on integrated USB cameras.
>    o Added the aplgpio(4) driver for the GPIO controllers on Intel's
>      Apollo Lake SoC.
>    o Implemented MSI-X support on sparc64.
>    o Skipped PCI host bridges and devices not present with acpi(1) when
>      establishing the mapping between ACPI device nodes and PCI
>      devices.
>    o Added the ukspan(4) driver for the Keyspan USA19HS USB serial
>      adapter.
>    o Improved support for SAS3 controllers, made device enumeration
>      during boot more reliable, and enabled 64bit DMA for io in
>      mpii(4).
>    o Fixed MSI/MSI-X on arm64 machines with agintc(4).
>    o Added MSI-X support in acpipci(4), pciecam, dwpcie(4) and
>      rkpcie(4).
>    o Improved support for type4 devices in the ubcmtp(4) multi-touch
>      trackpad driver.
>    o Support for virtio(4) 1.0 specification for PCI devices.
>    o Improved support for the AR9271 chipset in athn(4).
>    o Repaired support for athn(4) 9280 1T2R devices (broken since
>      OpenBSD 6.5).
>    o Added support for the trackpad and trackpoint of the Dell
>      Precision 7520 laptop.
>    o Added the Colemak keyboard layout.
>    o New fusbtc(4) driver for the Fairchild FUSB302 USB Type-C
>      controller.
>    o Added a fallback to ehci(4) which enables the USB ports on the
>      RockPro64.
>    o Added support for more Intel 300 Series PCH devices to ichiic(4).
>    o Added mcx(4) driver for Mellanox ConnectX-4 (and later) Ethernet
>      controllers.
>    o Added support for the cryptographic coprocessor found on newer AMD
>      Ryzen CPUs/APUs.
>    o Improved the envy(4) codec API and used it on ESI Juli@ cards.
>    o Enabled EnvyHT-specific sample rates (above 96kHz) on the host
>      controller for envy(4) devices.
>    o Added support for the USB serial adapter found in Juniper SRX 300
>      to uslcom(4).
>    o Updated shared drm code, inteldrm(4) and radeondrm(4) to linux
>      4.19.78. This adds support for Intel Broxton/Apollo Lake, Amber
>      Lake, Gemini Lake, Coffee Lake, Whiskey Lake, and Comet Lake
>      hardware.
>    o Made startx(1) and xinit(1) work again on modern systems using
>      inteldrm(4), radeondrm(4) and amdgpu(4).
>    o Added mcprtc(4), a driver for the Microchip MCP79400 RTC and
>      similar.
>    o Added I2C clock gates to mvclock(4).
>    o Added support for MSI-X to bnxt(4).
>    o Added octpip(4), a driver for the Octeon packet input processing
>      unit.
>    o Added the octiic(4) driver for OCTEON two-wire serial interfaces.
>    o Enabled nvme(4) on octeon.
>    o Added octpcie(4), a driver for the PCIe controller found on OCTEON
>      II and OCTEON III.
>    o Fixed random kernel hangs on some sparc64 machines by blocking
>      interrupts while sending an IPI on sunv4 (as on sun4u).
>    o ure(4) now supports RTL8153B devices, adding support for Ethernet
>      on Lenovo USB-C docks.
>    o Added new ksmn(4) driver for temperature sensor on AMD Family 17h
>      CPUs.
>    o Explicitly disable BCM4331 wifi chips present in 2011-2012 Apple
>      Mac systems.
>      Fixes an interrupt storm that consumes about 50% of
>      CPU0 on affected machines.
>
> - Improved arm64 hardware support, including:
>    o Added support for Ampere eMAG CPU based systems.
>    o Added support to amlclock(4) for obtaining CPU clock frequency.
>    o Enabled amlmmc(4), a driver for the SD/MMC controller found on
>      various Amlogic SoCs.
>    o Implemented setting the CPU clock for Allwinner A64 SoCs in
>      sxiccmu(4).
>    o Added amldwusb(4), amlusbphy(4) and amlpciephy(4), drivers for the
>      USB controller and PHYs on the Amlogic G12A/B SoCs.
>    o Added imxtmu(4), a driver to support the temperature sensors on
>      i.MX8M SoCs.
>    o Added amlrng(4), a simple random number generator driver for
>      Amlogic SoCs.
>    o Added amclock(4), a driver for the Amlogic SoC clocks.
>    o Added amluart(4), a driver for the UARTs found on various Amlogic
>      SoCs.
>    o Added support for the SMBus System Interfaces (SSIF) to ipmi(4).
>    o PXE booting using U-Boot works now.
>    o Added clock support to sxisyscon(4), a driver for the system
>      controller found on various Allwinner SoCs.
>    o Implemented smbios(4) support on arm64.
>    o Added ucrcom(4), a driver for the serial console of chromebooks.
>    o Enabled mvmdio(4) and mvneta(4) on arm64.
>    o Added pinctrl(4) support for 'pinconf-single' devices and support
>      for bias and drive-strength properties, needed for HiSilicon SoCs.
>    o Added mvdog(4), a driver to support the watchdog on the Armada
>      3700 SoC.
>    o Added support for the Allwinner H6 to sxipio(4) and sxiccmu(4).
>    o Added mviic(4), a driver to support the I2C controller on the
>      Armada 3700 SoC.
>    o Added mvuart(4) to support the Armada 3720's serial console.
>    o Added support for the Armada 3720 clocks to mvclock(4).
>    o Added support for the Armada 3720 pinctrl controller to
>      mvpinctrl(4). This controller also includes GPIO controller
>      functionality.
>    o Added the RK3328 and RK3399 GMAC clocks to rkclock(4).
>    o Increased MAXCPUs to 32 in arm64, allowing use of all cores on the
>      Ampere eMAG.
>    o Added support for the Cortex-A65 CPU.
>    o Implemented interrupt controller functionality in rkgpio(4),
>      allowing use of the fusbtc(4) interrupt on the RockPro64.
>
> - IEEE 802.11 wireless stack improvements:
>    o Repaired the ifconfig(8) 'nwflag' command (broken since OpenBSD
>      6.4).
>    o Added a new 'stayauth' nwflag which can be set to ignore deauth
>      frames. This is useful when deauth frames are being spoofed by an
>      attacker.
>    o Repaired the ifconfig(8) 'mode' command to properly force a
>      wireless interface into 11a/b/g/n mode.
>    o Made 11n Tx rate selection more sensitive to transmission
>      failures.
>    o Fixed automatic use of HT protection in 11n hostap mode.
>    o Fixed WPA APs occasionally appearing as non-WPA APs during AP
>      selection.
>    o Fixed some eligible APs being ignored during AP selection after a
>      roaming failure.
>    o Added support for 802.11n Tx aggregation to net80211 and the
>      iwn(4) driver.
>    o Made net80211 expose reasons for association failures to have
>      ifconfig(8) display them in "scan" output and on the ieee80211(9)
>      status line.
>    o Made all wireless drivers submit a batch of received packets to
>      the network stack during one interrupt if possible, rather than
>      submitting each packet individually. Prevents packet loss under
>      high load due to backpressure from the network stack.
>
> - Generic network stack improvements:
>    o Enabled TCP and UDP checksum offloading by default for ix(4).
>    o Added tpmr(4), a 802.1Q two-port MAC relay implementation.
>    o Added iavf(4), a driver for Intel SR-IOV Virtual Functions of
>      Intel 700 series Ethernet controllers.
>    o Added aggr(4), a dedicated driver to implement 802.1AX link
>      aggregation.
>    o Added port protection support to switch(4). Domain membership is
>      checked for unicast, flooded (broadcast) and local
>      (host-network-bound, e.g. trunk) traffic.
>    o Disabled mobileip(4).
>    o Added support to ifconfig(8) for getting and setting rxprio,
>      finishing support for RFC 2983. Implemented configuring rxprio in
>      vlan(4), gre(4), mpw(4), mpe(4), mpip(4), etherip(4) and bpe(4).
>    o Implemented Tx mitigation by calling the hardware transmit routine
>      per several packets rather than for individual packets. Defers
>      calls to the transmit routine to a network taskq, or until a
>      backlog of packets has built up.
>    o Stopped using splnet(9) when running the network stack now that it
>      is using the NET_LOCK for protection, reducing latency spikes.
>    o Added support for reading SFPs to some ethernet cards.
>
> - Installer improvements:
>    o Allowed quoted SSIDs in the installer, rather than ignoring those
>      containing whitespace.
>    o Introduced sysupgrade(8) that can be used to upgrade OpenBSD
>      unattended.
>    o A syspatch was provided which adds sysupgrade(8) to 6.5, so
>      unattended upgrades to 6.6 can be performed on amd64/arm64/i386
>      with '# syspatch && sysupgrade'.
>    o Created an octeon bootloader which is a modified kernel. To use
>      this bootloader, the firmware must be configured to load file
>      "boot" instead of "bsd".
>    o Included mount_nfs(8) on the amd64 CD ramdisk.
>    o Added tee(1) to the ramdisk, and display a moving progress bar
>      during auto upgrade/install.
>    o Repaired and improved v6 default route selection, fixing
>      autoinstalls.
>    o Added sysupgrade(8) support to the sparc64 bootloader.
>    o The DHCP configuration is now preserved when restarting an
>      install.
>    o The installer now remembers 'autoconf' when restarting an install.
>    o Stopped prompting for disks that do not contain a root partition
>      during upgrades. This defaults to the correct disk when full disk
>      encryption is in use, and will be useful for future unattended
>      upgrades.
>
> - Security improvements:
>    o unveil(2) is now used in 77 userland programs to redact filesystem
>      access.
>    o Various changes in unveil(2) to improve application behavior when
>      encountering hidden filesystem paths.
>    o ps(1) can show which processes have called unveil(2) with the u
>      and U flags in STATE field.
>    o ps(1) can show the list of pledge(2) options processes use with
>      the -o pledge option.
>    o Further and improved mitigations against Spectre side-channel
>      vulnerability in Intel CPUs built since 2012.
>    o Mitigations for Intel's Microarchitectural Data Sampling
>      vulnerability, using the new CPU VERW behavior if available or by
>      using the proper sequence from Intel's "Deep Dive" doc in the
>      return-to-userspace and enter-VMM-guest paths. Updated vmm(4) to
>      pass through the MSR bits so that guests can apply the optimal
>      mitigation.
>    o Rewrote doas(1) environment inheritance not to inherit, and
>      instead reset to the target user's values by default.
>    o Prepare the amd64 BIOS bootloader for loading the kernel at a
>      random virtual address (future work).
>    o Introduced malloc_conceal(3) and calloc_conceal(3), which return
>      memory in pages marked MAP_CONCEAL and call freezero(3) on
>      free(3).
>    o Make 'systat pf' not require root permissions (systat(8)).
>    o Added support for the EFI Random Number Generator Protocol, using
>      it to XOR random data into the buffer we feed the kernel for
>      amd64.
>    o Added information about system call memory write protection and
>      stack mapping violations to system accounting. Now daily(8) will
>      print a list of affected processes and lastcomm(1) will flag
>      violations with 'M'.
>
> - Routing daemons and other userland network improvements:
>    o The ntpd(8) daemon now gets and sets the clock in a secure way
>      when booting even when a battery-backed clock is absent.
>    o slaacd(8) now removes IPv6 addresses when it detects a link-state
>      change but no new router advertisement is received.
>    o ifconfig(8) now reports SFP, SFP+ and QSFP module information when
>      using the sff option.
>    o Imported snmp(1), a new SNMP client which aims to be
>      netsnmp-compatible for supported features, and removed snmpctl(8).
>    o Improvements in ntpd(8) DNS resolving and constraints checking,
>      especially during startup. Unreliable NTP peers are removed from
>      the pool and DNS resolving is repeated to add replacements.
>    o Changed the bgpd(8) Adj-RIB-Out to a per-peer set of RB trees,
>      improving speed.
>    o Rewrote bgpd(8) community matching and handling code and improved
>      performance for setups using many communities.
>    o Checked the type of a network statement when looking for
>      duplicates in bgpd(8). This fixes added network 0.0.0.0/0 after
>      'network inet static'.
>    o Made improvements to bgpd(8) speed when configuring many peers.
>    o Implemented bgpctl(8) 'show mrt neighbors', to print the neighbor
>      table of MRT TABLE_DUMP_V2 dumps.
>    o Moved bgpd(8) pfkey socket to the parent process. The refreshing
>      of the keys for MD5 and IPSEC is done whenever the session state
>      changes to IDLE or ACTIVE, which should behave better when
>      reloading configs with auth changes.
>    o In bgpd(8), fixed reloading of network statements that have no
>      fixed prefix specification.
>    o Extended the maximum size of the bgpd(8) shutdown communication
>      message to 255 bytes.
>    o Improvements in pfctl(8), to always check for namespace collisions
>      on table commands. Introduced 'pfctl -FR' to reset pfctl(8)
>      settings to defaults.
>    o Imported Kristaps Dzonsons' RPKI validator, rpki-client(8).
>    o relayd(8) now supports binary protocol health checking. See
>      relayd.conf(5).
>    o Added support for OCSP stapling to relayd(8).
>    o Added relayd(8) support for SNI with new 'tls keypair' option to
>      load additional certificates.
>    o Added support for 'from/to address[/prefix]' in relayd(8) filter
>      rules.
>    o Implemented RFC 8555 "Automatic Certificate Management Environment
>      (ACME)" to enable acme-client(1) to communicate with the v02 Let's
>      Encrypt API.
>      Read the upgrade guide for more information.
>    o tcpdump(8) support for '-T erspan' and arbitrary gre(4) protocols.
>    o Allowed specifying area by number as well as id in ospf6d(8).
>    o ospfctl(8) now accepts both address and number format for 'ospfctl
>      show database area XXX'.
>    o ospfd(8) reload improvements.
>    o Added a check to ospfd(8) and ospf6d(8) that any "depend on"
>      interfaces are in the same rdomain.
>    o Make 'passive' (announce a network configured on an interface as a
>      stub network) work with P2P interfaces in ospfd(8).
>    o Shutdown the service port when behind a captive portal with
>      unwind(8), allowing bypass of captive portals that correctly
>      answer SOA queries for the root zone and return NXDOMAIN for the
>      captive portal redirect domain if edns0 is present.
>    o Implemented DNS block lists in unwind(8).
>    o Added support for IKEv2 Message Fragmentation (RFC 7383) to
>      iked(8).
>    o Enabled switching between wireless and wired interfaces in
>      dhclient(8), setting the default route with the interface address
>      and allowing two default routes in the routing table. A wired
>      interface will be preferred when connected.
>    o Added consistent use of 'ifconfig $_if [-inet| -inet6]' to clear
>      existing configurations completely after restarting an install.
>    o Added 'forwarded' log format extending the 'combined' log format
>      in httpd(8).
>
> - Assorted improvements:
>    o The filesystem buffer cache now more aggressively uses memory
>      outside the DMA region, to improve cache performance on amd64
>      machines.
>    o The BER API previously internal to ldap(1), ldapd(8), ypldap(8),
>      and snmpd(8) has been moved into libutil. See
>      ber_read_elements(3).
>    o Removed the old userland realpath(3) and replaced it with
>      __realpath(2), a kernel implementation. This will prevent calling
>      readlink(2) on every component of a path and improve performance
>      for unveil(2).
>    o ld.so(1) speedups, improving dynamic linker performance for large
>      objects.
>    o Modified systat(1) to allow the use of 'b' to switch to stats
>      since boot.
>    o From perldoc(1), always produce man(7) output in UTF-8, which
>      gives better results with our mandoc(1) renderer no matter which
>      LC_CTYPE the user selected.
>
> - VMM/VMD improvements
>    o Added support for 'boot device' to vm.conf(5) grammar, the '-B
>      device' counterpart from vmctl(8).
>    o Emulated kvm pvclock in vmm(4), compatible with pvclock(4) in
>      OpenBSD.
>    o Enabled reporting of the vm state through use of the vmctl(8)
>      'status' command.
>    o Synced vm state in vmd(8) when (un)pausing a vm to ensure both
>      vmm(4) and vmd(8) processes know the vm is paused.
>    o Handled some unhandled instructions for SVM which led to vmm(4)
>      guest termination, as well as RDTSCP and INVLPGA instructions.
>    o Modified vmm(4) to flush guest TLB entries if the guest disables
>      paging.
>
> - OpenSMTPD 6.6.0
>    o New Features
>       - Introduced support for ECDSA certificates with an ECDSA
>         privsep engine.
>       - Introduced builtin filters to allow basic filtering of
>         incoming sessions in smtpd(8).
>       - Introduced option to deliver junk to a Junk folder in
>         mail.maildir(8).
>    o Bug fixes
>       - Fixed the smtp(1) client so it uses correct default port for
>         SMTPS.
>       - Fixed an smtpd(8) crash on excessively large input.
>       - Ensured mail rejected by an LMTP server will stay queued
>         rather than bouncing.
>    o Experimental Features
>       - Introduced a filters API to allow writing standalone filters
>         for smtpd(8), with multiple filters made available in ports.
>       - Introduced support for proxy-v2 protocol allowing smtpd(8) to
>         operate behind proxy.
>
> - LibreSSL 3.0.2
>    o API and Documentation Enhancements
>       - Completed the port of RSA_METHOD accessors from the OpenSSL
>         1.1 API.
>       - Documented undescribed options and removed unfunctional
>         options description in openssl(1) manual.
>    o Compatibility Changes
>    o Testing and Proactive Security
>       - A plethora of small fixes due to regular oss-fuzz testing.
>       - Various side channels in DSA and ECDSA were addressed. These
>         are some of the many issues found in an extensive systematic
>         analysis of bignum usage by Samuel Weiser, David Schrammel et
>         al.
>       - Try to compute the cofactor if a nonsensical value was
>         provided for ECC parameters. Fix from Billy Brumley.
>    o Internal Improvements
>    o Portable Improvements
>       - Enabled performance optimizations when building with Visual
>         Studio on Windows.
>       - Enabled openssl(1) speed subcommand on Windows platform.
>    o Bug Fixes
>       - Fixed issue where SRTP extension would not be sent by server.
>       - Fixed incorrect carry operation in 512 addition for Streebog.
>       - Fixed -modulus option with openssl(1) dsa subcommand.
>       - Fixed PVK format output issue with openssl(1) dsa and rsa
>         subcommand.
>       - Fixed a padding oracle attack in PKCS7_dataDecode() and
>         CMS_decrypt_set1_pkey() (CMS is currently disabled). From
>         Bernd Edlinger.
>
> - OpenSSH 8.1
>    o New Features
>       - ssh(1): Allow %n to be expanded in ProxyCommand strings
>       - ssh(1), sshd(8): Allow prepending a list of algorithms to the
>         default set by starting the list with the '^' character, E.g.
>         "HostKeyAlgorithms ^ssh-ed25519"
>       - ssh-keygen(1): add an experimental lightweight signature and
>         verification ability. Signatures may be made using regular
>         ssh keys held on disk or stored in a ssh-agent and verified
>         against an authorized_keys-like list of allowed keys.
>         Signatures embed a namespace that prevents confusion and
>         attacks between different usage domains (e.g. files vs
>         email).
>       - ssh-keygen(1): print key comment when extracting public key
>         from a private key. bz#3052
>       - ssh-keygen(1): accept the verbose flag when searching for
>         host keys in known hosts (i.e. "ssh-keygen -vF host") to
>         print the matching host's random-art signature too. bz#3003
>       - All: support PKCS8 as an optional format for storage of
>         private keys to disk.
>         The OpenSSH native key format remains
>         the default, but PKCS8 is a superior format to PEM if
>         interoperability with non-OpenSSH software is required, as it
>         may use a less insecure key derivation function than PEM's.
>    o Bugfixes
>       - ssh(1): if a PKCS#11 token returns no keys then try to login
>         and refetch them. Based on patch from Jakub Jelen; bz#2430
>       - ssh(1): produce a useful error message if the user's shell is
>         set incorrectly during "match exec" processing. bz#2791
>       - sftp(1): allow the maximum uint32 value for the argument
>         passed to -b which allows better error messages from later
>         validation. bz#3050
>       - ssh(1): avoid pledge sandbox violations in some combinations
>         of remote forwarding, connection multiplexing and
>         ControlMaster.
>       - ssh-keyscan(1): include SHA2-variant RSA key algorithms in
>         KEX proposal; allows ssh-keyscan to harvest keys from servers
>         that disable old SHA1 ssh-rsa. bz#3029
>       - sftp(1): print explicit "not modified" message if a file was
>         requested for resumed download but was considered already
>         complete. bz#2978
>       - sftp(1): fix a typo and make <esc><right> move right to the
>         closest end of a word just like <esc><left> moves left to the
>         closest beginning of a word.
>       - sshd(8): cap the number of permitopen/permitlisten directives
>         allowed to appear on a single authorized_keys line.
>       - All: fix a number of memory leaks (one-off or on exit paths).
>       - Regression tests: a number of fixes and improvements,
>         including fixes to the interop tests, adding the ability to
>         run most tests on builds that disable OpenSSL support, better
>         support for running tests under Valgrind and a number of
>         bug-fixes.
>       - ssh(1), sshd(8): check for convtime() refusing to accept
>         times that resolve to LONG_MAX Reported by Kirk Wolf bz2977
>       - ssh(1): slightly more instructive error message when the user
>         specifies multiple -J options on the command-line.
>         bz3015
>       - ssh-agent(1): process agent requests for RSA certificate
>         private keys using correct signature algorithm when
>         requested. bz3016
>       - sftp(1): check for user@host when parsing sftp target. This
>         allows user@[1.2.3.4] to work without a path. bz#2999
>       - sshd(8): enlarge format buffer size for certificate serial
>         number so the log message can record any 64-bit integer
>         without truncation. bz#3012
>       - sshd(8): for PermitOpen violations add the remote host and
>         port to be able to more easily ascertain the source of the
>         request. Add the same logging for PermitListen violations
>         which were not previously logged at all.
>       - scp(1), sftp(1): use the correct POSIX format style for left
>         justification for the transfer progress meter. bz#3002
>       - sshd(8) when examining a configuration using sshd -T, assume
>         any attribute not provided by -C does not match, which allows
>         it to work when sshd_config contains a Match directive with
>         or without -C. bz#2858
>       - ssh(1), ssh-keygen(1): downgrade PKCS#11 "provider returned
>         no slots" warning from log level error to debug. This is
>         common when attempting to enumerate keys on smartcard readers
>         with no cards plugged in. bz#3058
>       - ssh(1), ssh-keygen(1): do not unconditionally log in to
>         PKCS#11 tokens. Avoids spurious PIN prompts for keys not
>         selected for authentication in ssh(1) and when listing public
>         keys available in a token using ssh-keygen(1). bz#3006
>
> - Mandoc
>    o Slowly start implementing tagging support for man(7) pages: tag
>      alphabetic arguments of .IP, .TP, and .TQ macros.
>    o In HTML output, wrap text and phrasing elements in paragraphs
>      unless already contained in flow containers; never put them
>      directly into sections. This helps to format paragraphs with the
>      CSS class selector .Pp.
>    o Implement the roff(7) .break request to break out of a .while
>      loop.
>    o If messages are shown and output is printed without a pager,
>      display a heads-up on standard error output at the end because
>      otherwise, users may easily miss the messages.
>    o Let mandoc.css support prefers-color-scheme: dark.
>    o For pages lacking a SYNOPSIS, let man(1) show the NAME section.
>
> - Ports and packages:
>    o Pre-built packages are available for the following architectures on
>      the day of release:
>       - aarch64 (arm64): 10075
>       - amd64: 10736
>       - i386: 10682
>       - sparc64: 9685
>       - mips64: 7921
>    o Packages for the following architectures will be made available as
>      their builds complete:
>       - arm
>       - mips64el
>       - powerpc
>
> - As usual, steady improvements in manual pages and other documentation.
>
> - The system includes the following major components from outside suppliers:
>    o Xenocara (based on X.Org 7.7 with xserver 1.20.5 + patches,
>      freetype 2.10.1, fontconfig 2.12.4, Mesa 19.0.8, xterm 344,
>      xkeyboard-config 2.20 and more)
>    o LLVM/Clang 8.0.1 (+ patches)
>    o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
>    o Perl 5.28.2 (+ patches)
>    o NSD 4.2.2
>    o Unbound 1.9.4
>    o Ncurses 5.7
>    o Binutils 2.17 (+ patches)
>    o Gdb 6.3 (+ patches)
>    o Awk Aug 10, 2011 version
>    o Expat 2.2.8
>
> ------------------------------------------------------------------------
> - SECURITY AND ERRATA --------------------------------------------------
>
> We provide patches for known security threats and other important
> issues discovered after each release. Our continued research into
> security means we will find new security problems -- and we always
> provide patches as soon as possible. Therefore, we advise regular
> visits to
>
>     https://www.OpenBSD.org/security.html
> and
>     https://www.OpenBSD.org/errata.html
>
> ------------------------------------------------------------------------
> - MAILING LISTS AND FAQ ------------------------------------------------
>
> Mailing lists are an important means of communication among users and
> developers of OpenBSD.
> For information on OpenBSD mailing lists, please
> see:
>
>     https://www.OpenBSD.org/mail.html
>
> You are also encouraged to read the Frequently Asked Questions (FAQ) at:
>
>     https://www.OpenBSD.org/faq/
>
> ------------------------------------------------------------------------
> - DONATIONS ------------------------------------------------------------
>
> The OpenBSD Project is a volunteer-driven software group funded by
> donations. Besides OpenBSD itself, we also develop important software
> like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
> filter, the quality work of our ports development process, and many
> others. This ecosystem is all handled under the same funding umbrella.
>
> We hope our quality software will result in contributions that maintain
> our build/development infrastructure, pay our electrical/internet costs,
> and allow us to continue operating very productive developer hackathon
> events.
>
> All of our developers strongly urge you to donate and support our future
> efforts. Donations to the project are highly appreciated, and are
> described in more detail at:
>
>     https://www.OpenBSD.org/donations.html
>
> ------------------------------------------------------------------------
> - OPENBSD FOUNDATION ---------------------------------------------------
>
> For those unable to make their contributions as straightforward gifts,
> the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian
> not-for-profit corporation that can accept larger contributions and
> issue receipts. In some situations, their receipt may qualify as a
> business expense write-off, so this is certainly a consideration for
> some organizations or businesses.
>
> There may also be exposure benefits since the Foundation may be
> interested in participating in press releases. In turn, the Foundation
> then uses these contributions to assist OpenBSD's infrastructure needs.
> Contact the foundation directors at [email protected] for
> more information.
>
> ------------------------------------------------------------------------
> - HTTPS INSTALLS -------------------------------------------------------
>
> OpenBSD can be easily installed via HTTPS downloads. Typically you need
> a single small piece of boot media (e.g., a USB flash drive) and then
> the rest of the files can be installed from a number of locations,
> including directly off the Internet. Follow this simple set of
> instructions to ensure that you find all of the documentation you will
> need while performing an install via HTTPS.
>
> 1) Read either of the following two files for a list of HTTPS mirrors
>    which provide OpenBSD, then choose one near you:
>
>        https://www.OpenBSD.org/ftp.html
>        https://ftp.openbsd.org/pub/OpenBSD/ftplist
>
>    As of October 17, 2019, the following HTTPS mirror sites have the
>    6.6 release:
>
>        https://cdn.openbsd.org/pub/OpenBSD/6.6/             Global
>        https://ftp.eu.openbsd.org/pub/OpenBSD/6.6/          Stockholm, Sweden
>        https://ftp.hostserver.de/pub/OpenBSD/6.6/           Frankfurt, Germany
>        https://ftp.bytemine.net/pub/OpenBSD/6.6/            Oldenburg, Germany
>        https://ftp.fr.openbsd.org/pub/OpenBSD/6.6/          Paris, France
>        https://mirror.aarnet.edu.au/pub/OpenBSD/6.6/        Brisbane, Australia
>        https://ftp.usa.openbsd.org/pub/OpenBSD/6.6/         CO, USA
>        https://ftp5.usa.openbsd.org/pub/OpenBSD/6.6/        CA, USA
>        https://mirror.esc7.net/pub/OpenBSD/6.6/             TX, USA
>        https://openbsd.cs.toronto.edu/pub/OpenBSD/6.6/      Toronto, Canada
>        https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.6/  Global
>        https://fastly.cdn.openbsd.org/pub/OpenBSD/6.6/      Global
>
>    The release is also available at the master site:
>
>        https://ftp.openbsd.org/pub/OpenBSD/6.6/             Alberta, Canada
>
>    However it is strongly suggested you use a mirror.
>
>    Other mirror sites may take a day or two to update.
>
> 2) Connect to that HTTPS mirror site and go into the directory
>    pub/OpenBSD/6.6/ which contains these files and directories.
>    This is a list of what you will see:
>
>        ANNOUNCEMENT     arm64/        luna88k/             ports.tar.gz
>        README           armv7/        macppc/              root.mail
>        SHA256           hppa/         octeon/              sparc64/
>        SHA256.sig       i386/         openbsd-66-base.pub  src.tar.gz
>        alpha/           landisk/      packages/            sys.tar.gz
>        amd64/           loongson/     packages-stable/     xenocara.tar.gz
>
>    It is quite likely that you will want at LEAST the following
>    files which apply to all the architectures OpenBSD supports.
>
>        README     - generic README
>        root.mail  - a copy of root's mail at initial login.
>                     (This is really worthwhile reading).
>
> 3) Read the README file. It is short, and a quick read will make
>    sure you understand what else you need to fetch.
>
> 4) Next, go into the directory that applies to your architecture,
>    for example, amd64. This is a list of what you will see:
>
>        BOOTIA32.EFI*    bsd*          floppy66.fs          pxeboot*
>        BOOTX64.EFI*     bsd.mp*       game66.tgz           xbase66.tgz
>        BUILDINFO        bsd.rd*       index.txt            xfont66.tgz
>        INSTALL.amd64    cd66.iso      install66.fs         xserv66.tgz
>        SHA256           cdboot*       install66.iso        xshare66.tgz
>        SHA256.sig       cdbr*         man66.tgz
>        base66.tgz       comp66.tgz    miniroot66.fs
>
>    If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
>    and install66.iso. The install66.iso file (roughly 463MB in size)
>    is a one-step ISO-format install CD image which contains the various
>    *.tgz files so you do not need to fetch them separately.
>
>    If you prefer to use a USB flash drive, fetch install66.fs and
>    follow the instructions in INSTALL.amd64.
>
> 5) If you are an expert, follow the instructions in the file called
>    README; otherwise, use the more complete instructions in the
>    file called INSTALL.amd64. INSTALL.amd64 may tell you that you
>    need to fetch other files.
>
> 6) Just in case, take a peek at:
>
>        https://www.OpenBSD.org/errata.html
>
>    This is the page where we talk about the mistakes we made while
>    creating the 6.6 release, or the significant bugs we fixed
>    post-release which we think our users should have fixes for.
>    Patches and workarounds are clearly described there.
>
> ------------------------------------------------------------------------
> - X.ORG FOR MOST ARCHITECTURES -----------------------------------------
>
> X.Org has been integrated more closely into the system. This release
> contains X.Org 7.7. Most of our architectures ship with X.Org, including
> amd64, sparc64 and macppc. During installation, you can install X.Org
> quite easily using xenodm(1), our simplified X11 display manager forked
> from xdm(1).
>
> ------------------------------------------------------------------------
> - PACKAGES AND PORTS ---------------------------------------------------
>
> Many third party software applications have been ported to OpenBSD and
> can be installed as pre-compiled binary packages on the various OpenBSD
> architectures. Please see https://www.openbsd.org/faq/faq15.html for
> more information on working with packages and ports.
>
> Note: a few popular ports, e.g., NSD, Unbound, and several X
> applications, come standard with OpenBSD and do not need to be installed
> separately.
>
> ------------------------------------------------------------------------
> - SYSTEM SOURCE CODE ---------------------------------------------------
>
> The source code for all four subsystems can be found in the
> pub/OpenBSD/6.6/ directory:
>
>     xenocara.tar.gz    ports.tar.gz    src.tar.gz    sys.tar.gz
>
> The README (https://ftp.OpenBSD.org/pub/OpenBSD/6.6/README) file
> explains how to deal with these source files.
>
> ------------------------------------------------------------------------
> - THANKS ---------------------------------------------------------------
>
> Ports tree and package building by Pierre-Emmanuel Andre, Landry Breuil,
> Visa Hankala, Stuart Henderson, Peter Hessler, and Christian Weisgerber.
> Base and X system builds by Kenji Aoyama and Theo de Raadt. Release art
> contributed by Natasha Allegri.
>
> We would like to thank all of the people who sent in bug reports, bug
> fixes, donation cheques, and hardware that we use. We would also like
> to thank those who bought our previous CD sets. Those who did not
> support us financially have still helped us with our goal of improving
> the quality of the software.
>
> Our developers are:
>
>     Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall,
>     Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov,
>     Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley,
>     Antoine Jacoutot, Anton Lindqvist, Asou Masato, Ayaka Koshibe,
>     Benoit Lecocq, Bjorn Ketelaars, Bob Beck, Brandon Mercer,
>     Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar,
>     Carlos Cardenas, Charlene Wendling, Charles Longeau,
>     Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann,
>     Claudio Jeker, Dale Rahn, Damien Miller, Daniel Dickman,
>     Daniel Jakots, Darren Tucker, David Coppa, David Gwynne, David Hill,
>     Denis Fondras, Doug Hogan, Edd Barrett, Elias M. Mariani,
>     Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus,
>     Gerhard Roth, Giannis Tsaraias, Gilles Chehade, Giovanni Bechis,
>     Gleydson Soares, Gonzalo L. Rodriguez, Helg Bredow, Henning Brauer,
>     Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze,
>     Inoguchi Kinichiro, James Turner, Jan Klemkow, Jason McIntyre,
>     Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans,
>     Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray,
>     Jonathan Matthew, Joris Vink, Joshua Stein,
>     Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama,
>     Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov,
>     Klemens Nanni, Kurt Miller, Kurt Mosiejczuk, Landry Breuil,
>     Lawrence Teo, Marc Espie, Marco Pfatschbacher, Marcus Glocker,
>     Mark Kettenis, Mark Lumsden, Markus Friedl, Martijn van Duren,
>     Martin Natano, Martin Pieuchot, Martynas Venckus, Mats O Jansson,
>     Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Mikonos,
>     Mike Belopuhov, Mike Larkin, Miod Vallat, Nayden Markatchev,
>     Nicholas Marriott, Nigel Taylor, Okan Demirmen, Ori Bernstein,
>     Otto Moerbeek, Pamela Mosiejczuk, Pascal Stumpf, Patrick Wildt,
>     Paul Irofti, Pavel Korovin, Peter Hessler, Philip Guenther,
>     Pierre-Emmanuel Andre, Pratik Vyas, Rafael Sadowski,
>     Rafael Zalamena, Raphael Graf, Remi Locherer, Remi Pointel,
>     Renato Westphal, Reyk Floeter, Ricardo Mestre, Richard Procter,
>     Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha,
>     Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
>     Solene Rapenne, Stefan Fritsch, Stefan Kempf, Stefan Sperling,
>     Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda,
>     T.J. Townsend, Ted Unangst, Theo Buehler, Theo de Raadt,
>     Thomas Frohwein, Tim van der Molen, Tobias Heider,
>     Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove,
>     Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov, Vincent Gross,
>     Visa Hankala, Yasuoka Masahiko, Yojiro Uo
>
