mirror of https://github.com/openbsd/www.git
1211 lines
54 KiB
HTML
1211 lines
54 KiB
HTML
<!doctype html>
|
|
<html lang=en id=release>
|
|
<meta charset=utf-8>
|
|
|
|
<title>OpenBSD 6.1</title>
|
|
<meta name="description" content="OpenBSD 6.1">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
|
<link rel="stylesheet" type="text/css" href="openbsd.css">
|
|
<link rel="canonical" href="https://www.openbsd.org/61.html">
|
|
|
|
<h2 id=OpenBSD>
|
|
<a href="index.html">
|
|
<i>Open</i><b>BSD</b></a>
|
|
6.1
|
|
</h2>
|
|
|
|
<table>
|
|
<tr>
|
|
<td>
|
|
<a href="images/Fugu.gif">
|
|
<img width="227" height="343" src="images/Fugu.gif" alt="Fugu"></a>
|
|
<td>
|
|
Released April 11, 2017<br>
|
|
Copyright 1997-2017, Theo de Raadt.<br>
|
|
<br>
|
|
6.1 Song:
|
|
<a href="lyrics.html#61">"Winter of 95"</a>.
|
|
<br>
|
|
<br>
|
|
<ul>
|
|
<li>See the information on <a href="ftp.html">the FTP page</a> for
|
|
a list of mirror machines.
|
|
<li>Go to the <code class=reldir>pub/OpenBSD/6.1/</code> directory on
|
|
one of the mirror sites.
|
|
<li>Have a look at <a href="errata61.html">the 6.1 errata page</a> for a list
|
|
of bugs and workarounds.
|
|
<li>See a <a href="plus61.html">detailed log of changes</a> between the
|
|
6.0 and 6.1 releases.
|
|
<p>
|
|
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
|
|
pubkeys for this release:<p>
|
|
|
|
<table class=signify>
|
|
<tr><td>
|
|
openbsd-61-base.pub:
|
|
<td>
|
|
RWQEQa33SgQSEsMwwVV1+GjzdcQfRNV2Bgo48Ztd2KiZ9bAodz9c+Maa
|
|
<tr><td>
|
|
openbsd-61-fw.pub:
|
|
<td>
|
|
RWS91POk0QZXfsqi4aI7MotYz8CPzoHjYg4a1IDi56cftacjsq+ZL/KY
|
|
<tr><td>
|
|
openbsd-61-pkg.pub:
|
|
<td>
|
|
RWQbTjGFHEvnOckqY7u9iABhXAkEpF/6TQ3Mr6bMrWbT1wOM/HnbV9ov
|
|
</table>
|
|
</ul>
|
|
<p>
|
|
All applicable copyrights and credits are in the src.tar.gz,
|
|
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
|
|
files fetched via <code>ports.tar.gz</code>.
|
|
</table>
|
|
|
|
<hr>
|
|
|
|
<section id=new>
|
|
<h3>What's New</h3>
|
|
<p>
|
|
This is a partial list of new features and systems included in OpenBSD 6.1.
|
|
For a comprehensive list, see the <a href="plus61.html">changelog</a> leading
|
|
to 6.1.
|
|
|
|
<ul>
|
|
<li>New/extended platforms:
|
|
<ul>
|
|
<li>New <a href="https://www.openbsd.org/arm64.html">arm64</a> platform,
|
|
using <a href="https://man.openbsd.org/clang-local.1">clang(1)</a>
|
|
as the base system compiler.
|
|
<li>The <a href="https://www.openbsd.org/armv7.html">armv7</a> platform
|
|
has seen some major improvements, including a switch to EABI and
|
|
support for a lot more hardware.
|
|
<li>The <a href="https://www.openbsd.org/loongson.html">loongson</a>
|
|
platform now supports systems with Loongson 3A CPU and RS780E chipset.
|
|
<li>The following platforms were retired:
|
|
<a href="https://www.openbsd.org/armish.html">armish</a>,
|
|
<a href="https://www.openbsd.org/sparc.html">sparc</a>,
|
|
<a href="https://www.openbsd.org/zaurus.html">zaurus</a>.
|
|
</ul>
|
|
<p>
|
|
|
|
<li>Improved hardware support, including:
|
|
<ul>
|
|
<li>New <a href="https://man.openbsd.org/acpials.4">acpials(4)</a>
|
|
driver for ACPI ambient light sensor devices.
|
|
<li>New <a href="https://man.openbsd.org/acpihve.4">acpihve(4)</a>
|
|
driver for feeding Hyper-V entropy into the kernel pool.
|
|
<li>New <a href="https://man.openbsd.org/acpisbs.4">acpisbs(4)</a>
|
|
driver for ACPI Smart Battery devices.
|
|
<li>New <a href="https://man.openbsd.org/dwge.4">dwge(4)</a>
|
|
driver for Designware GMAC 10/100/Gigabit Ethernet devices.
|
|
<li>New <a href="https://man.openbsd.org/loongson/htb.4">htb(4)</a>
|
|
driver for Loongson 3A PCI host bridges.
|
|
<li>New <a href="https://man.openbsd.org/hvn.4">hvn(4)</a>
|
|
driver for Hyper-V networking interfaces.
|
|
<li>New <a href="https://man.openbsd.org/hyperv.4">hyperv(4)</a>
|
|
driver for the Hyper-V guest nexus device.
|
|
<li>New <a href="https://man.openbsd.org/iatp.4">iatp(4)</a>
|
|
driver for the Atmel maXTouch touchpad and touchscreen.
|
|
<li>New <a href="https://man.openbsd.org/armv7/imxtemp.4">imxtemp(4)</a>
|
|
driver for Freescale i.MX6 temperature sensors.
|
|
<li>New <a href="https://man.openbsd.org/loongson/leioc.4">leioc(4)</a>
|
|
driver for the Loongson 3A low-end IO controller.
|
|
<li>New <a href="https://man.openbsd.org/octeon/octmmc.4">octmmc(4)</a>
|
|
driver for the OCTEON MMC host controller.
|
|
<li>New <a href="https://man.openbsd.org/armv7/ompinmux.4">ompinmux(4)</a>
|
|
driver for OMAP pin multiplexing.
|
|
<li>New <a href="https://man.openbsd.org/armv7/omwugen.4">omwugen(4)</a>
|
|
driver for OMAP wake-up generators.
|
|
<li>New <a href="https://man.openbsd.org/armv7/psci.4">psci(4)</a>
|
|
driver for the ARM Power State Coordination Interface.
|
|
<li>New <a href="https://man.openbsd.org/simplefb.4">simplefb(4)</a>
|
|
driver for the simple frame buffer on systems
|
|
using a device tree.
|
|
<li>New <a href="https://man.openbsd.org/armv7/sximmc.4">sximmc(4)</a>
|
|
driver for Allwinner A1X/A20 MMC/SD/SDIO controllers.
|
|
<li>New <a href="https://man.openbsd.org/tpm.4">tpm(4)</a>
|
|
driver for Trusted Platform Module devices.
|
|
<li>New <a href="https://man.openbsd.org/uwacom.4">uwacom(4)</a>
|
|
driver for Wacom USB tablets.
|
|
<li>New <a href="https://man.openbsd.org/vmmci.4">vmmci(4)</a>
|
|
VMM control interface.
|
|
<li>New <a href="https://man.openbsd.org/xbf.4">xbf(4)</a>
|
|
driver for Xen Blkfront virtual disks.
|
|
<li>New <a href="https://man.openbsd.org/luna88k/xp.4">xp(4)</a>
|
|
driver for the LUNA-88K HD647180X I/O processor.
|
|
<li>Support for Kaby Lake and Lewisburg PCH Ethernet MACs with I219 PHYs
|
|
has been added to the
|
|
<a href="https://man.openbsd.org/em">em(4)</a> driver.
|
|
<li>Support for RTL8153 USB 3.0 Gigabit Ethernet based devices
|
|
has been added to the
|
|
<a href="https://man.openbsd.org/ure">ure(4)</a> driver.
|
|
<li>Improved ACPI support for modern Apple hardware, including S3 suspend
|
|
and resume.
|
|
<li>Support for X550 family of 10 Gigabit Ethernet based devices
|
|
has been added to the
|
|
<a href="https://man.openbsd.org/ix">ix(4)</a> driver.
|
|
</ul>
|
|
|
|
<p>
|
|
<li>New <a href="https://man.openbsd.org/amd64/vmm.4">vmm(4)</a>/
|
|
<a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a>:
|
|
<ul>
|
|
<li>Support was partially integrated in 6.0, but disabled.
|
|
<li>Support for amd64 and i386 hosts.
|
|
<li>BIOS payload provided via vmm-firmware, delivered via
|
|
<a href="https://man.openbsd.org/fw_update.1">fw_update(1)</a>.
|
|
<li>Support for Linux guest VMs.
|
|
<li>Better interrupt handling and legacy device emulation.
|
|
<li><a href="https://man.openbsd.org/amd64/vmm.4">vmm(4)</a> no longer
|
|
requires VMX unrestricted guest capability (Nehalem and later CPUs
|
|
are sufficient).
|
|
<li>Removed bounce buffers previously used by
|
|
<a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> for
|
|
<a href="https://man.openbsd.org/vio.4">vio(4)</a> and
|
|
<a href="https://man.openbsd.org/vioblk.4">vioblk(4)</a> devices.
|
|
<li>Support VMs with > 2GB RAM.
|
|
<li><a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> uses
|
|
<a href="https://man.openbsd.org/pledge.2">pledge(2)</a> and the
|
|
fork+exec model.
|
|
<li><a href="https://man.openbsd.org/amd64/vm.conf.5">vm.conf(5)</a>
|
|
expanded to include VM ownership rules (uid/gid).
|
|
<li><a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a>/
|
|
<a href="https://man.openbsd.org/amd64/vm.conf.5">vm.conf(5)</a>
|
|
supports automatic
|
|
<a href="https://man.openbsd.org/bridge.4">bridge(4)</a> and
|
|
<a href="https://man.openbsd.org/switch.4">switch(4)</a> configuration
|
|
for VM network interfaces.
|
|
<li><a href="https://man.openbsd.org/amd64/vmctl.8">vmctl(8)</a> supports
|
|
graceful VM shutdown via
|
|
<a href="https://man.openbsd.org/amd64/vmmci.4">vmmci(4)</a>.
|
|
</ul>
|
|
<p>
|
|
|
|
<li>IEEE 802.11 wireless stack improvements:
|
|
<ul>
|
|
<li>The <a href="https://man.openbsd.org/ral.4">ral(4)</a> driver
|
|
now supports Ralink RT3900E (RT5390, RT3292) devices.
|
|
<li>The <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and
|
|
<a href="https://man.openbsd.org/iwn.4">iwn(4)</a> drivers
|
|
now support the short guard interval (SGI) in 11n mode.
|
|
<li>Added a new implementation of MiRa, a rate adapation algorithm
|
|
designed for 802.11n.
|
|
<li>The <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> driver
|
|
now supports 802.11n MIMO (MCS 0-15).
|
|
<li>The <a href="https://man.openbsd.org/athn.4">athn(4)</a> driver
|
|
now supports 802.11n, featuring MIMO (MCS 0-15) and hostap mode.
|
|
<li>The <a href="https://man.openbsd.org/iwn.4">iwn(4)</a> driver
|
|
now receives MIMO frames in monitor mode.
|
|
<li>The <a href="https://man.openbsd.org/rtwn.4">rtwn(4)</a> and
|
|
<a href="https://man.openbsd.org/urtwn.4">urtwn(4)</a> drivers
|
|
now use AMRR rate adaptation (8188EU and 8188CE devices only).
|
|
<li>TKIP/WPA1 was disabled by default because of inherent weaknesses
|
|
in this protocol.
|
|
</ul>
|
|
<p>
|
|
|
|
<li>Generic network stack improvements:
|
|
<ul>
|
|
<li>New <a href="https://man.openbsd.org/switch.4">switch(4)</a>
|
|
pseudo-device together with new
|
|
<a href="https://man.openbsd.org/switchd.8">switchd(8)</a> and
|
|
<a href="https://man.openbsd.org/switchctl.8">switchctl(8)</a>
|
|
programs.
|
|
<li>New <a href="https://man.openbsd.org/mobileip.4">mobileip(4)</a>
|
|
operation mode for the
|
|
<a href="https://man.openbsd.org/gre.4">gre(4)</a>
|
|
pseudo-device.
|
|
<li>Multipoint-to-multipoint mode in
|
|
<a href="https://man.openbsd.org/vxlan.4">vxlan(4)</a>.
|
|
<li><a href="https://man.openbsd.org/route.8">route(8)</a>
|
|
and netstat -r display all routing flags correctly and they
|
|
are completely documented in the
|
|
<a href="https://man.openbsd.org/netstat.1">netstat(1)</a>
|
|
man page.
|
|
<li>When sending TCP streams they are locally stored in large
|
|
mbuf clusters to improve memory management.
|
|
The maximum TCP send and receive buffer size has been
|
|
increased from 256KB to 2MB.
|
|
Note that this results in a different
|
|
<a href="https://man.openbsd.org/pf.4">pf(4)</a>
|
|
OS fingerprint for OpenBSD.
|
|
The default limit for mbuf clusters has been increased.
|
|
You can check the values with
|
|
<a href="https://man.openbsd.org/netstat.1">netstat(1)</a>
|
|
-m and adjust them with
|
|
<a href="https://man.openbsd.org/sysctl.8">sysctl(8)</a>
|
|
kern.maxclusters.
|
|
<li>Make the TCP_NOPUSH flag work for
|
|
<a href="https://man.openbsd.org/listen.2">listen(2)</a>
|
|
sockets.
|
|
It is inherited by the socket returned from
|
|
<a href="https://man.openbsd.org/accept.2">accept(2)</a>.
|
|
<li>A lot of code has been removed or simplified to make the
|
|
transition to multi-processor easier.
|
|
Redesign the interrupt and multi-processor locks in the
|
|
network stack.
|
|
<li>When passing packets from the network stack to the
|
|
interface layer, make sure that they have no pointers to
|
|
<a href="https://man.openbsd.org/pf.4">pf(4)</a>
|
|
which could result in a memory free operation at the wrong
|
|
protection level.
|
|
<li>Fix checksum calculation in
|
|
<a href="https://man.openbsd.org/pf.4">pf(4)</a>
|
|
af-to ICMP packet conversions.
|
|
Simplify af-to processing in and fix path MTU discovery in
|
|
some corner cases.
|
|
<li>Improve IPv6 fragment processing.
|
|
Drop empty atomic fragments early.
|
|
Be more paranoid when IPv6 hop-by-hop headers appear after
|
|
fragment headers.
|
|
Follow RFC 5722 "Handling of Overlapping IPv6 Fragments"
|
|
more strictly in
|
|
<a href="https://man.openbsd.org/pf.4">pf(4)</a>.
|
|
RFC 8021 "IPv6 Atomic Fragments Considered Harmful" deprecates
|
|
generating atomic fragments, so do not send them anymore.
|
|
<li>Depending on the addresses,
|
|
<a href="https://man.openbsd.org/ipsecctl.8">ipsecctl(8)</a>
|
|
may automatically group SA bundles together.
|
|
To make clear what is going on, the kernel provides this
|
|
information and ipsecctl -s sa prints IPsec SA bundles.
|
|
<li>A new routing socket message type, RTM_PROPOSAL, was added to
|
|
facilitate future improvements to the network configuration process.
|
|
</ul>
|
|
<p>
|
|
|
|
<li>Installer improvements:
|
|
<ul>
|
|
<li>The installer now uses privilege separation for fetching and
|
|
verifying the install sets.
|
|
<li>Install sets are now fetched over an HTTPS connection by default
|
|
when using a <a href="ftp.html">mirror</a> that supports it.
|
|
<li>The installer now considers all of the DHCP information in filename,
|
|
bootfile-name, server-name, tftp-server-name, and next-server when
|
|
attempting to do automatic installs or upgrades.
|
|
<li>The installer no longer adds a route to an alias IP via 127.0.0.1, due
|
|
to improvements in the kernel routing components.
|
|
</ul>
|
|
<p>
|
|
|
|
<li>Routing daemons and other userland network improvements:
|
|
<ul>
|
|
<li><a href="https://man.openbsd.org/ping.8">ping(8)</a> and
|
|
<a href="https://man.openbsd.org/ping6.8">ping6(8)</a> are now the same
|
|
binary and share the engine.
|
|
<li><a href="https://man.openbsd.org/ripd.8">ripd(8)</a> now supports
|
|
p2p links with addresses in different subnets.
|
|
<li>UDP speakers can specify an IPv4 source address using
|
|
<code>IP_SENDSRCADDR</code>.
|
|
<a href="https://man.openbsd.org/iked.8">iked(8)</a>
|
|
and <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a> now
|
|
use the proper source address when sending replies.
|
|
<li><a href="https://man.openbsd.org/iked.8">iked(8)</a> now
|
|
supports ECDSA and RFC 7427 signatures for authentication.
|
|
<li><a href="https://man.openbsd.org/iked.8">iked(8)</a> now
|
|
supports replying to IKEv2 responder cookies.
|
|
<li>Many fixes and improvements for
|
|
<a href="https://man.openbsd.org/iked.8">iked(8)</a> and
|
|
<a href="https://man.openbsd.org/ikectl.8">ikectl(8)</a>, including
|
|
various fixes for rekeying.
|
|
<li><a href="https://man.openbsd.org/ospfd.8">ospfd(8)</a> and
|
|
<a href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a> now cope
|
|
with interface MTU change at runtime.
|
|
<li><a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> now supports
|
|
BGP Large Communities
|
|
(<a href="https://www.rfc-editor.org/rfc/rfc8092.txt">RFC 8092</a>).
|
|
<li><a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> now supports
|
|
BGP Administrative Shutdown Communication
|
|
(<a href="https://www.ietf.org/id/draft-ietf-idr-shutdown.txt">draft-ietf-idr-shutdown</a>).
|
|
</ul>
|
|
<p>
|
|
|
|
<li>Security improvements:
|
|
<ul>
|
|
<li>Enforcement of userland W^X on OCTEON Plus and later.
|
|
<li>All shared libraries, all dynamic and static-PIE executables, and
|
|
<a href="https://man.openbsd.org/ld.so.1">ld.so(1)</a> itself use
|
|
the RELRO ("read-only after relocation") design such that
|
|
more of the initial data is protected as read-only.
|
|
<li>The size of user virtual address space has been increased
|
|
from 2GB to 1TB on mips64.
|
|
<li>PIE and -static -pie on arm.
|
|
<li><a href="https://man.openbsd.org/route6d.8">route6d(8)</a> now
|
|
runs with fewer privileges.
|
|
<li>For incoming TLS connections
|
|
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
|
|
can validate client certificates with a given CA file.
|
|
<li>The privileged parent process of
|
|
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
|
|
calls
|
|
<a href="https://man.openbsd.org/execve.2">exec(2)</a>
|
|
to reshuffle its random memory layout.
|
|
<li>New function
|
|
<a href="https://man.openbsd.org/recallocarray.3">recallocarray(3)</a>
|
|
to reduce the risk of incorrect clearing of memory before and after
|
|
<a href="https://man.openbsd.org/reallocarray.3">reallocarray(3)</a>.
|
|
<li><a href="https://man.openbsd.org/sha2.3">SHA512_256</a> family
|
|
of functions added to libc.
|
|
<li>arm added to the list of archs where the
|
|
<a href="https://man.openbsd.org/setjmp.3">setjmp(3)</a>
|
|
family of functions apply XOR cookies to stack and return-address
|
|
values in the jmpbuf.
|
|
<li><a href="https://man.openbsd.org/printf.3">printf(3)</a> family
|
|
of formatting functions now report to syslog when the %s
|
|
format is used with a NULL pointer.
|
|
<li>Heap buffer overflow detection has been improved when the C
|
|
<a href="https://man.openbsd.org/malloc.3">malloc(3)</a> option is used.
|
|
The existing S option now includes C.
|
|
<li>Support for permitting non-root users to
|
|
<a href="https://man.openbsd.org/mount.8">mount(8)</a> filesystems
|
|
has been removed.
|
|
<li><a href="https://man.openbsd.org/bioctl.8">bioctl(8)</a> now uses
|
|
<a href="https://man.openbsd.org/bcrypt_pbkdf.3">bcrypt PBKDF</a> to
|
|
derive keys for
|
|
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a> crypto
|
|
volumes.
|
|
</ul>
|
|
<p>
|
|
|
|
<li><a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>/
|
|
<a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>/
|
|
<a href="https://man.openbsd.org/dhcrelay.8">dhcrelay(8)</a> improvements:
|
|
<ul>
|
|
<li>Add DHO_BOOTFILE_NAME and DHO_TFTP_SERVER to the options requested by default.
|
|
<li>Add support for RFC 6842 (Client Identifier Option in DHCP Server Replies).
|
|
<li>Stop leaking option data received on the udp socket.
|
|
<li>Stop pretending we use RFC 3046/Option 82/Relay Agent Information.
|
|
<li>Stop recording ignored DHO_ROUTERS and DHO_STATIC_ROUTES options in the effective lease.
|
|
<li>Use only leases from no SSID or the current SSID when restarting.
|
|
<li>Reduce default values for various timeouts to something more
|
|
appropriate to modern networks.
|
|
<li>Fix issues with redundant dhcpd servers and CARP'd interfaces.
|
|
<li>Switch to standard logging functions
|
|
<li>Fix vis/unvis of strings in
|
|
<a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> leases files.
|
|
</ul>
|
|
<p>
|
|
|
|
<li>Assorted improvements:
|
|
<ul>
|
|
<li>New <a href="https://man.openbsd.org/syspatch.8">syspatch(8)</a>
|
|
utility for security and reliability binary updates to the base
|
|
system.
|
|
<li><a href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>, a
|
|
privilege separated Automatic Certificate Management Environment
|
|
(ACME) client written by Kristaps Dzonsons has been imported.
|
|
<li>New, simplified
|
|
<a href="https://man.openbsd.org/xenodm.1">xenodm(1)</a>
|
|
X11 display manager forked from
|
|
<a href="https://man.openbsd.org/OpenBSD-6.0/xdm.1">xdm(1)</a>.
|
|
<li>Unicode version 8 character properties in the C library.
|
|
<li>Partial UTF-8 line editing support for
|
|
<a href="https://man.openbsd.org/ksh.1">ksh(1)</a> Vi input mode.
|
|
<li>UTF-8 support in
|
|
<a href="https://man.openbsd.org/column.1">column(1)</a>.
|
|
<li>The performance and concurrency of the
|
|
<a href="https://man.openbsd.org/malloc.3">malloc(3)</a> family
|
|
in multi-threaded processes has been improved.
|
|
<li>Estonian keyboard support.
|
|
<li><a href="https://man.openbsd.org/read.2">read(2)</a> on
|
|
directories now fails instead of returning 0.
|
|
<li>Support for the <code>RES_USE_EDNS0</code> and <code>RES_USE_DNSSEC</code>
|
|
flags has been added to the
|
|
<a href="https://man.openbsd.org/resolver.3">resolver(3)</a>
|
|
implementation.
|
|
<li><a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
|
|
limits the socket buffer for TCP and TLS connections to 64K
|
|
to avoid wasting kernel memory.
|
|
<li><a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
|
|
supports the option -Z to print the timestamp in RFC 5424
|
|
ISO format.
|
|
This logs everything in UTC including the year, timezone
|
|
and fractions of seconds.
|
|
The default is still RFC 3164 BSD syslog time format.
|
|
<li>When log files are rotated,
|
|
<a href="https://man.openbsd.org/newsyslog.8">newsyslog(8)</a>
|
|
writes the creation time in UTC ISO format into the first line.
|
|
<li>The
|
|
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
|
|
options -a, -T, and -U can be given more than once to specify
|
|
multiple input sources.
|
|
<li>Improve the
|
|
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
|
|
output and diagnostics in case the klog buffer
|
|
overflows.
|
|
<li>Make SIGHUP handling in
|
|
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
|
|
more reliable.
|
|
<li>Let <a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
|
|
tolerate most errors on startup.
|
|
Keep running and receive messages from all working subsystems,
|
|
but do not die.
|
|
<li>The <a href="https://man.openbsd.org/syslog.3">syslog(3)</a>
|
|
priority of fatal and warning messages of various daemons
|
|
has been adjusted.
|
|
<li>An NMI sends the amd64 kernel into
|
|
<a href="https://man.openbsd.org/ddb.4">ddb(4)</a>
|
|
more reliably.
|
|
<li><a href="https://man.openbsd.org/ld.so.1">ld.so(1)</a> now
|
|
supports the DT_PREINITARRAY, DT_INITARRAY, DT_FINIARRAY, DT_FLAGS,
|
|
and DT_RUNPATH dynamic tags.
|
|
<li><a href="https://man.openbsd.org/kdump.1">kdump(1)</a>
|
|
now dumps the fds returned by
|
|
<a href="https://man.openbsd.org/pipe.2">pipe(2)</a> and
|
|
<a href="https://man.openbsd.org/socketpair.2">socketpair(2)</a>.
|
|
<li>Added support to <a href="https://man.openbsd.org/doas.1">doas(1)</a>
|
|
for session-locked persistent authentication.
|
|
<li>Use a hardware register for the thread pointer on arm for improved
|
|
performance in multi-threaded processes.
|
|
<li>SGI boot blocks now consult the OpenBSD
|
|
<a href="https://man.openbsd.org/disklabel.5">disklabel(5)</a>
|
|
to locate the root filesystem.
|
|
This reduces constraints on disk partitioning.
|
|
<li><a href="https://man.openbsd.org/iec.4">iec(4)</a>
|
|
no longer hangs when its transmit ring gets full.
|
|
<li><a href="https://man.openbsd.org/sq.4">sq(4)</a>
|
|
has been fixed to accept broadcast frames in non-promiscuous mode
|
|
when no IP address is configured.
|
|
This lets the interface work with DHCP.
|
|
<li>Multiprocessor-safe PCI interrupt handlers are run
|
|
without the kernel lock on OpenBSD/sgi.
|
|
<li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> now unconditionally
|
|
sets the size of the protective MBR's EFI GPT partition to UINT32_MAX.
|
|
<li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> now respects the
|
|
current MBR or GPT format when initializing a disk.
|
|
<li><a href="https://man.openbsd.org/softraid.4">softraid(4)</a> now uses
|
|
sufficient parallel i/o's to efficiently rebuild RAID5 volumes.
|
|
<li><a href="https://man.openbsd.org/asr_run.3">asr</a> now accepts UDP
|
|
packets of up to 4096 bytes to account for broken DNS servers.
|
|
<li><a href="https://man.openbsd.org/umass.4">umass(4)</a> no longer assumes
|
|
that ATAPI or UFI devices have only 1 LUN.
|
|
<li><a href="https://man.openbsd.org/scsi.4">scsi(4)</a> now correctly
|
|
detects end of tape on LTO5 devices.
|
|
<li><a href="https://man.openbsd.org/httpd.8">httpd(8)</a> supports
|
|
SNI
|
|
via <a href="https://man.openbsd.org/tls_config_add_keypair_ocsp_mem.3">libtls</a>
|
|
to allow for multiple https sites on a single IP address.
|
|
<li><a href="https://man.openbsd.org/ocspcheck.8">ocspcheck(8)</a>
|
|
has been added, and can be used to check the OCSP status of
|
|
certificates. The corresponding responses can be saved for later use in OCSP stapling.
|
|
<li><a href="https://man.openbsd.org/httpd.8">httpd(8)</a> supports
|
|
OCSP stapling
|
|
via <a href="https://man.openbsd.org/tls_config_add_keypair_ocsp_mem.3">libtls</a>
|
|
to permit OCSP responses to be stapled to the tls handshake
|
|
<li><a href="https://man.openbsd.org/nc.1">nc(1)</a> now also
|
|
supports OCSP stapling server side, and will show the stapling information
|
|
client side.
|
|
<li>Both <a href="https://man.openbsd.org/relayd.8">relayd(8)</a> and
|
|
<a href="https://man.openbsd.org/httpd.8">httpd(8)</a> support now
|
|
TLS session resumption using TLS session tickets.
|
|
See the respective configuration man page for more information.
|
|
<li>With the -f option
|
|
<a href="https://man.openbsd.org/sensorsd.8">sensorsd(8)</a>
|
|
can use an alternative config file.
|
|
</ul>
|
|
<p>
|
|
|
|
<li>OpenSMTPD 6.0.0
|
|
<ul>
|
|
<li>Added support for providing an alternate subaddressing delimiter
|
|
<li>Made the daemon less verbose in logs when exiting
|
|
<li>Improved the io layer to simplify code across the daemon
|
|
<li>Added support for matching authenticated sessions in the ruleset
|
|
<li>Assorted code and documentation cleanups
|
|
</ul>
|
|
<p>
|
|
|
|
<li>OpenSSH 7.4
|
|
<ul>
|
|
<li>Security:
|
|
<ul>
|
|
<li>ssh-agent(1): Will now refuse to load PKCS#11 modules from paths
|
|
outside a trusted whitelist (run-time configurable). Requests to
|
|
load modules could be passed via agent forwarding and an attacker
|
|
could attempt to load a hostile PKCS#11 module across the forwarded
|
|
agent channel: PKCS#11 modules are shared libraries, so this would
|
|
result in code execution on the system running the ssh-agent if the
|
|
attacker has control of the forwarded agent-socket (on the host
|
|
running the sshd server) and the ability to write to the filesystem
|
|
of the host running ssh-agent (usually the host running the ssh
|
|
client).
|
|
<li>sshd(8): When privilege separation is disabled, forwarded Unix-
|
|
domain sockets would be created by sshd(8) with the privileges of
|
|
'root' instead of the authenticated user. This release refuses
|
|
Unix-domain socket forwarding when privilege separation is disabled
|
|
(Privilege separation has been enabled by default for 14 years).
|
|
<li>sshd(8): Avoid theoretical leak of host private key material to
|
|
privilege-separated child processes via realloc() when reading
|
|
keys. No such leak was observed in practice for normal-sized keys,
|
|
nor does a leak to the child processes directly expose key material
|
|
to unprivileged users.
|
|
<li>sshd(8): The shared memory manager used by pre-authentication
|
|
compression support had a bounds checks that could be elided by
|
|
some optimising compilers. Additionally, this memory manager was
|
|
incorrectly accessible when pre-authentication compression was
|
|
disabled. This could potentially allow attacks against the
|
|
privileged monitor process from the sandboxed privilege-separation
|
|
process (a compromise of the latter would be required first).
|
|
This release removes support for pre-authentication compression
|
|
from sshd(8).
|
|
<li>sshd(8): Fix denial-of-service condition where an attacker who
|
|
sends multiple KEXINIT messages may consume up to 128MB per
|
|
connection.
|
|
<li>sshd(8): Validate address ranges for AllowUser and DenyUsers
|
|
directives at configuration load time and refuse to accept invalid
|
|
ones. It was previously possible to specify invalid CIDR address
|
|
ranges (e.g. user@127.1.2.3/55) and these would always match,
|
|
possibly resulting in granting access where it was not intended.
|
|
<li>ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
|
|
that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
|
|
</ul>
|
|
<li>New/changed features:
|
|
<ul>
|
|
<li>Server support for the SSH v.1 protocol has been removed.
|
|
<li>ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
|
|
block ciphers are not safe in 2016 and we don't want to wait until
|
|
attacks like SWEET32 are extended to SSH. As 3des-cbc was the
|
|
only mandatory cipher in the SSH RFCs, this may cause problems
|
|
connecting to older devices using the default configuration,
|
|
but it's highly likely that such devices already need explicit
|
|
configuration for key exchange and hostkey algorithms already
|
|
anyway.
|
|
<li>sshd(8): Remove support for pre-authentication compression.
|
|
Doing compression early in the protocol probably seemed reasonable
|
|
in the 1990s, but today it's clearly a bad idea in terms of both
|
|
cryptography (cf. multiple compression oracle attacks in TLS) and
|
|
attack surface. Pre-auth compression support has been disabled by
|
|
default for >10 years. Support remains in the client.
|
|
<li>ssh-agent will refuse to load PKCS#11 modules outside a whitelist
|
|
of trusted paths by default. The path whitelist may be specified
|
|
at run-time.
|
|
<li>sshd(8): When a forced-command appears in both a certificate and
|
|
an authorized keys/principals command= restriction, sshd will now
|
|
refuse to accept the certificate unless they are identical.
|
|
The previous (documented) behaviour of having the certificate
|
|
forced-command override the other could be a bit confusing and
|
|
error-prone.
|
|
<li>sshd(8): Remove the UseLogin configuration directive and support
|
|
for having /bin/login manage login sessions.
|
|
<li>ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the
|
|
version in PuTTY by Simon Tatham. This allows a multiplexing
|
|
client to communicate with the master process using a subset of
|
|
the SSH packet and channels protocol over a Unix-domain socket,
|
|
with the main process acting as a proxy that translates channel
|
|
IDs, etc. This allows multiplexing mode to run on systems that
|
|
lack file- descriptor passing (used by current multiplexing
|
|
code) and potentially, in conjunction with Unix-domain socket
|
|
forwarding, with the client and multiplexing master process on
|
|
different machines. Multiplexing proxy mode may be invoked using
|
|
"ssh -O proxy ..."
|
|
<li>sshd(8): Add a sshd_config DisableForwarding option that disables
|
|
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well
|
|
as anything else we might implement in the future. Like the
|
|
'restrict' authorized_keys flag, this is intended to be a simple
|
|
and future-proof way of restricting an account.
|
|
<li>sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
|
|
method. This is identical to the currently-supported method named
|
|
"curve25519-sha256@libssh.org".
|
|
<li>sshd(8): Improve handling of SIGHUP by checking to see if sshd is
|
|
already daemonised at startup and skipping the call to daemon(3)
|
|
if it is. This ensures that a SIGHUP restart of sshd(8) will
|
|
retain the same process-ID as the initial execution. sshd(8) will
|
|
also now unlink the PidFile prior to SIGHUP restart and re-create
|
|
it after a successful restart, rather than leaving a stale file in
|
|
the case of a configuration error.
|
|
<li>sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
|
|
directives to appear in sshd_config Match blocks.
|
|
<li>sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match
|
|
those supported by AuthorizedKeysCommand (key, key type,
|
|
fingerprint, etc.) and a few more to provide access to the
|
|
contents of the certificate being offered.
|
|
<li>Added regression tests for string matching, address matching and
|
|
string sanitisation functions.
|
|
<li>Improved the key exchange fuzzer harness.
|
|
<li>Deprecate the sshd_config UsePrivilegeSeparation
|
|
option, thereby making privilege separation mandatory. Privilege
|
|
separation has been on by default for almost 15 years and
|
|
sandboxing has been on by default for almost the last five.
|
|
<li>ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
|
|
algorithm lists, e.g. Ciphers=-*cbc.
|
|
</ul>
|
|
<li>The following significant bugs have been fixed in this release:
|
|
<ul>
|
|
<li>ssh(1): Allow IdentityFile to successfully load and use
|
|
certificates that have no corresponding bare public key.
|
|
certificate id_rsa-cert.pub (and no id_rsa.pub).
|
|
<li>ssh(1): Fix public key authentication when multiple
|
|
authentication is in use and publickey is not just the first
|
|
method attempted.
|
|
<li>ssh-agent(1), ssh(1): improve reporting when attempting to load
|
|
keys from PKCS#11 tokens with fewer useless log messages and more
|
|
detail in debug messages.
|
|
<li>ssh(1): When tearing down ControlMaster connections, don't
|
|
pollute stderr when LogLevel=quiet.
|
|
<li>sftp(1): On ^Z wait for underlying ssh(1) to suspend before
|
|
suspending sftp(1) to ensure that ssh(1) restores the terminal mode
|
|
correctly if suspended during a password prompt.
|
|
<li>ssh(1): Avoid busy-wait when ssh(1) is suspended during a password
|
|
prompt.
|
|
<li>ssh(1), sshd(8): Correctly report errors during sending of ext-
|
|
info messages.
|
|
<li>sshd(8): fix NULL-deref crash if sshd(8) received an out-of-
|
|
sequence NEWKEYS message.
|
|
<li>sshd(8): Correct list of supported signature algorithms sent in
|
|
the server-sig-algs extension.
|
|
<li>sshd(8): Fix sending ext_info message if privsep is disabled.
|
|
<li>sshd(8): more strictly enforce the expected ordering of privilege
|
|
separation monitor calls used for authentication and allow them
|
|
only when their respective authentication methods are enabled
|
|
in the configuration
|
|
<li>sshd(8): Fix uninitialised optlen in getsockopt() call; harmless
|
|
on Unix/BSD but potentially crashy on Cygwin.
|
|
<li>Fix false positive reports caused by explicit_bzero(3) not being
|
|
recognised as a memory initialiser when compiled with
|
|
-fsanitize-memory.
|
|
<li>sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for
|
|
configuration examples.
|
|
<li>sshd(1): Fix NULL dereference crash when key exchange start
|
|
messages are sent out of sequence.
|
|
<li>ssh(1), sshd(8): Allow form-feed characters to appear in
|
|
configuration files.
|
|
<li>sshd(8): Fix regression in OpenSSH 7.4 support for the
|
|
server-sig-algs extension, where SHA2 RSA signature methods were
|
|
not being correctly advertised.
|
|
<li>ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
|
|
known_hosts processing.
|
|
<li>ssh(1): Allow ssh to use certificates accompanied by a private key
|
|
file but no corresponding plain *.pub public key.
|
|
<li>ssh(1): When updating hostkeys using the UpdateHostKeys option,
|
|
accept RSA keys if HostkeyAlgorithms contains any RSA keytype.
|
|
Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-*
|
|
methods were enabled in HostkeyAlgorithms and not the old ssh-rsa
|
|
method.
|
|
<li>ssh(1): Detect and report excessively long configuration file
|
|
lines.
|
|
<li>Merge a number of fixes found by Coverity and reported via Redhat
|
|
and FreeBSD. Includes fixes for some memory and file descriptor
|
|
leaks in error paths.
|
|
<li>ssh-keyscan(1): Correctly hash hosts with a port number.
|
|
<li>ssh(1), sshd(8): When logging long messages to stderr, don't truncate
|
|
"\r\n" if the length of the message exceeds the buffer.
|
|
<li>ssh(1): Fully quote [host]:port in generated ProxyJump/-J command-
|
|
line; avoid confusion over IPv6 addresses and shells that treat
|
|
square bracket characters specially.
|
|
<li>ssh-keygen(1): Fix corruption of known_hosts when running
|
|
"ssh-keygen -H" on a known_hosts containing already-hashed entries.
|
|
<li>Fix various fallout and sharp edges caused by removing SSH protocol
|
|
1 support from the server, including the server banner string being
|
|
incorrectly terminated with only \n (instead of \r\n), confusing
|
|
error messages from ssh-keyscan a segfault in sshd
|
|
if protocol v.1 was enabled for the client and sshd_config
|
|
contained references to legacy keys.
|
|
<li>ssh(1), sshd(8): Free fd_set on connection timeout.
|
|
<li>sshd(8): Fix Unix domain socket forwarding for root (regression in
|
|
OpenSSH 7.4).
|
|
<li>sftp(1): Fix division by zero crash in "df" output when server
|
|
returns zero total filesystem blocks/inodes.
|
|
<li>ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
|
|
encountered during key loading to more meaningful error codes.
|
|
<li>ssh-keygen(1): Sanitise escape sequences in key comments sent to
|
|
printf but preserve valid UTF-8 when the locale supports it.
|
|
<li>ssh(1), sshd(8): Return reason for port forwarding failures where
|
|
feasible rather than always "administratively prohibited".
|
|
<li>sshd(8): Fix deadlock when AuthorizedKeysCommand or
|
|
AuthorizedPrincipalsCommand produces a lot of output and a key is
|
|
matched early.
|
|
<li>ssh(1): Fix typo in ~C error message for bad port forward
|
|
cancellation.
|
|
<li>ssh(1): Show a useful error message when included config files
|
|
can't be opened.
|
|
<li>sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page
|
|
(previously incorrectly) advertised.
|
|
<li>sshd_config(5): Repair accidentally-deleted mention of %k token
|
|
in AuthorizedKeysCommand.
|
|
<li>sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM;
|
|
<li>ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
|
|
common 32-bit compatibility library directories.
|
|
<li>sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME
|
|
response handling.
|
|
<li>ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted
|
|
keys. It was not possible to delete them except by specifying
|
|
their full physical path.
|
|
</ul>
|
|
</ul>
|
|
<p>
|
|
|
|
<li>LibreSSL 2.5.3
|
|
<ul>
|
|
<li>libtls now supports ALPN and SNI
|
|
<li>libtls adds a new callback interface for integrating custom IO
|
|
functions. Thanks to Tobias Pape.
|
|
<li>libtls now handles 4 cipher suite groups:
|
|
<ul>
|
|
<li>"secure" (TLSv1.2+AEAD+PFS)
|
|
<li>"compat" (HIGH:!aNULL)
|
|
<li>"legacy" (HIGH:MEDIUM:!aNULL)
|
|
<li>"insecure" (ALL:!aNULL:!eNULL)
|
|
</ul>
|
|
This allows for flexibility and finer grained control, rather than
|
|
having two extremes (an issue raised by Marko Kreen some time ago).
|
|
<li>Tightened error handling for tls_config_set_ciphers().
|
|
<li>libtls now always loads CA, key and certificate files at the time the
|
|
configuration function is called. This simplifies code and results in
|
|
a single memory based code path being used to provide data to libssl.
|
|
<li>Added support for OCSP intermediate certificates.
|
|
<li>Added X509_check_host(), X509_check_email(), X509_check_ip(), and
|
|
X509_check_ip_asc() functions, via BoringSSL.
|
|
<li>Added initial support for iOS, thanks to Jacob Berkman.
|
|
<li>Improved behavior of arc4random on Windows when using memory leak
|
|
analysis software.
|
|
<li>Correctly handle an EOF that occurs prior to the TLS handshake
|
|
completing. Reported by Vasily Kolobkov, based on a diff from Marko
|
|
Kreen.
|
|
<li>Limit the support of the "backward compatible" SSLv2 handshake to
|
|
only be used if TLS 1.0 is enabled.
|
|
<li>Fix incorrect results in certain cases on 64-bit systems when
|
|
BN_mod_word() can return incorrect results. BN_mod_word() now can
|
|
return an error condition. Thanks to Brian Smith.
|
|
<li>Added constant-time updates to address CVE-2016-0702.
|
|
<li>Fixed undefined behavior in BN_GF2m_mod_arr().
|
|
<li>Removed unused Cryptographic Message Support (CMS).
|
|
<li>More conversions of long long idioms to time_t.
|
|
<li>Improved compatibility by avoiding printing NULL strings with
|
|
printf.
|
|
<li>Reverted change that cleans up the EVP cipher context in
|
|
EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
|
|
previous behaviour.
|
|
<li>Avoid unbounded memory growth in libssl, which can be triggered
|
|
by a TLS client repeatedly renegotiating and sending OCSP Status
|
|
Request TLS extensions.
|
|
<li>Avoid falling back to a weak digest for (EC)DH when using SNI
|
|
with libssl.
|
|
<li>X509_cmp_time() now passes a malformed GeneralizedTime field as
|
|
an error. Reported by Theofilos Petsios.
|
|
<li>Check for and handle failure of HMAC_{Update,Final} or
|
|
EVP_DecryptUpdate().
|
|
<li>Massive update and normalization of manpages, conversion to
|
|
mandoc format. Many pages were rewritten for clarity and accuracy.
|
|
Portable doc links are up-to-date with a new conversion tool.
|
|
<li>Curve25519 and TLS X25519 Key Exchange support.
|
|
<li>Support for alternate chains for certificate verification.
|
|
<li>Code cleanups, CBB conversions, further unification of DTLS/SSL
|
|
handshake code, further ASN1 macro expansion and removal.
|
|
<li>Private symbols are now hidden in libssl and libcrypto.
|
|
<li>Friendly certificate verification error messages in libtls, peer
|
|
verification is now always enabled.
|
|
<li>Added OCSP stapling support to libtls and nc.
|
|
<li>Added ocspcheck utility to validate a certificate against its OCSP
|
|
responder and save the reply for stapling
|
|
<li>Enhanced regression tests and error handling for libtls.
|
|
<li>Added explicit constant and non-constant time BN functions,
|
|
defaulting to constant time wherever possible.
|
|
<li>Moved many leaked implementation details in public structs behind
|
|
opaque pointers.
|
|
<li>Added ticket support to libtls.
|
|
<li>Added support for setting the supported EC curves via
|
|
SSL{_CTX}_set1_groups{_list}() - also provide defines for the
|
|
previous SSL{_CTX}_set1_curves{_list} names. This also changes
|
|
the default list of curves to be X25519, P-256 and P-384. All
|
|
other curves must be manually enabled.
|
|
<li>Added -groups option to openssl(1) s_client for specifying the
|
|
curves to be used in a colon-separated list.
|
|
<li>Merged client/server version negotiation code paths into one,
|
|
reducing much duplicate code.
|
|
<li>Removed error function codes from libssl and libcrypto.
|
|
<li>Fixed an issue where a truncated packet could crash via an OOB
|
|
read.
|
|
<li>Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
|
|
client-initiated renegotiation. This is the default for libtls
|
|
servers.
|
|
<li>Avoid a side-channel cache-timing attack that can leak the ECDSA
|
|
private keys when signing. This is due to BN_mod_inverse() being
|
|
used without the constant time flag being set. Reported by Cesar
|
|
Pereida Garcia and Billy Brumley (Tampere University of
|
|
Technology). The fix was developed by Cesar Pereida Garcia.
|
|
<li>iOS and MacOS compatibility updates from Simone Basso and Jacob
|
|
Berkman.
|
|
<li>Added the recallocarray(3) memory allocation function, and
|
|
converted various places in the library to use it, such as CBB
|
|
and BUF_MEM_grow. recallocarray(3) is similar to
|
|
reallocarray. Newly allocated memory is cleared similar to
|
|
calloc(3). Memory that becomes unallocated while shrinking or
|
|
moving existing allocations is explicitly discarded by unmapping
|
|
or clearing to 0.
|
|
<li>Added new root CAs from SECOM Trust Systems / Security
|
|
Communication of Japan.
|
|
<li>Added EVP interface for MD5+SHA1 hashes.
|
|
<li>Improved nc(1) TLS handshake CPU usage and server-side error
|
|
reporting.
|
|
<li>Added a constant time version of BN_gcd and use it default for
|
|
BN_gcd to avoid the possibility of sidechannel timing attacks
|
|
against RSA private key generation - Thanks to Alejandro
|
|
Cabrera <aldaya@gmail.com>
|
|
</ul>
|
|
<p>
|
|
|
|
<li>mandoc 1.14.1
|
|
<ul>
|
|
<li>New <a href="https://man.openbsd.org/mandoc.db.5">mandoc.db(5)</a>
|
|
file format: <a href="https://man.openbsd.org/man.1">man(1)</a>,
|
|
<a href="https://man.openbsd.org/apropos.1">apropos(1)</a>, and
|
|
<a href="https://man.openbsd.org/makewhatis.8">makewhatis(8)</a>
|
|
no longer need SQLite3.
|
|
<li>Much improved HTML output and CSS.
|
|
<li>In <a href="https://man.openbsd.org/man.1">man(1)</a>, internal
|
|
searching with <a href="https://man.openbsd.org/less.1">less(1)</a>
|
|
<code>:t</code> has been improved.
|
|
<li>New <a href="https://man.openbsd.org/mandoc.1">mandoc(1)</a>
|
|
<code>-mdoc -T markdown</code> output mode
|
|
(already a post-1.14.1 feature).
|
|
</ul>
|
|
<p>
|
|
|
|
<li><p>Ports and packages:
|
|
<p>Many pre-built packages for each architecture:
|
|
<!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
|
|
<ul style="column-count: 3">
|
|
<li>alpha: 7413
|
|
<li>amd64: 9714
|
|
<li>arm: 7501
|
|
<li>hppa: 6422
|
|
<li>i386: 9697
|
|
<li>mips64: 8072
|
|
<li>mips64el: 6880
|
|
<li>powerpc: 7703
|
|
<li>sparc64: 8606
|
|
</ul>
|
|
<p>Some highlights:
|
|
<ul style="column-count: 2">
|
|
<li>AFL 2.39b
|
|
<li>Chromium 57.0.2987.133
|
|
<li>Emacs 21.4 and 25.1
|
|
<li>GCC 4.9.4
|
|
<li>GHC 7.10.3
|
|
<li>Gimp 2.8.18
|
|
<li>GNOME 3.22.2
|
|
<li>Go 1.8
|
|
<li>Groff 1.22.3
|
|
<li>JDK 7u80 and 8u121
|
|
<li>KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
|
|
<li>LLVM/Clang 4.0.0
|
|
<li>LibreOffice 5.2.4.2
|
|
<li>Lua 5.1.5, 5.2.4, and 5.3.4
|
|
<li>MariaDB 10.0.30
|
|
<li>Mono 4.6.2.6
|
|
<li>Mozilla Firefox 52.0.2esr and 52.0.2
|
|
<li>Mozilla Thunderbird 45.8.0
|
|
<li>Mutt 1.8.0
|
|
<li>Node.js 6.10.1
|
|
<li>Ocaml 4.03.0
|
|
<li>OpenLDAP 2.3.43 and 2.4.44
|
|
<li>PHP 5.5.38, 5.6.30, and 7.0.16
|
|
<li>Postfix 3.2.0 and 3.3-20170218
|
|
<li>PostgreSQL 9.6.2
|
|
<li>Python 2.7.13, 3.4.5, 3.5.2 and 3.6.0
|
|
<li>R 3.3.3
|
|
<li>Ruby 1.8.7.374, 2.1.9, 2.2.6, 2.3.3 and 2.4.1
|
|
<li>Rust 1.16.0
|
|
<li>Sendmail 8.15.2
|
|
<li>SQLite3 3.17.0
|
|
<li>Sudo 1.8.19.2
|
|
<li>Tcl/Tk 8.5.18 and 8.6.4
|
|
<li>TeX Live 2015
|
|
<li>Vim 8.0.0388
|
|
<li>Xfce 4.12
|
|
</ul>
|
|
<p>
|
|
|
|
<li>As usual, steady improvements in manual pages and other documentation.
|
|
<p>
|
|
|
|
<li>The system includes the following major components from outside suppliers:
|
|
<ul>
|
|
<li>Xenocara (based on X.Org 7.7 with xserver 1.18.3 + patches,
|
|
freetype 2.7.1, fontconfig 2.12.1, Mesa 13.0.6, xterm 327,
|
|
xkeyboard-config 2.20 and more)
|
|
<li>LLVM/Clang 4.0.0 (+ patches)
|
|
<li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
|
|
<li>Perl 5.24.1 (+ patches)
|
|
<li>NSD 4.1.15
|
|
<li>Unbound 1.6.1
|
|
<li>Ncurses 5.7
|
|
<li>Binutils 2.17 (+ patches)
|
|
<li>Gdb 6.3 (+ patches)
|
|
<li>Awk Aug 10, 2011 version
|
|
<li>Expat 2.1.1
|
|
</ul>
|
|
</ul>
|
|
</section>
|
|
|
|
<hr>
|
|
|
|
<section id=install>
|
|
<h3>How to install</h3>
|
|
<p>
|
|
Please refer to the following files on the mirror site for
|
|
extensive details on how to install OpenBSD 6.1 on your machine:
|
|
|
|
<ul>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/alpha/INSTALL.alpha">
|
|
.../OpenBSD/6.1/alpha/INSTALL.alpha</a>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/amd64/INSTALL.amd64">
|
|
.../OpenBSD/6.1/amd64/INSTALL.amd64</a>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/arm64/INSTALL.arm64">
|
|
.../OpenBSD/6.1/arm64/INSTALL.arm64</a>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/armv7/INSTALL.armv7">
|
|
.../OpenBSD/6.1/armv7/INSTALL.armv7</a>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/hppa/INSTALL.hppa">
|
|
.../OpenBSD/6.1/hppa/INSTALL.hppa</a>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/i386/INSTALL.i386">
|
|
.../OpenBSD/6.1/i386/INSTALL.i386</a>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/landisk/INSTALL.landisk">
|
|
.../OpenBSD/6.1/landisk/INSTALL.landisk</a>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/loongson/INSTALL.loongson">
|
|
.../OpenBSD/6.1/loongson/INSTALL.loongson</a>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/luna88k/INSTALL.luna88k">
|
|
.../OpenBSD/6.1/luna88k/INSTALL.luna88k</a>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/macppc/INSTALL.macppc">
|
|
.../OpenBSD/6.1/macppc/INSTALL.macppc</a>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/octeon/INSTALL.octeon">
|
|
.../OpenBSD/6.1/octeon/INSTALL.octeon</a>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/sgi/INSTALL.sgi">
|
|
.../OpenBSD/6.1/sgi/INSTALL.sgi</a>
|
|
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/sparc64/INSTALL.sparc64">
|
|
.../OpenBSD/6.1/sparc64/INSTALL.sparc64</a>
|
|
</ul>
|
|
</section>
|
|
|
|
<hr>
|
|
|
|
<section id=quickinstall>
|
|
<p>
|
|
Quick installer information for people familiar with OpenBSD, and the use of
|
|
the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
|
|
If you are at all confused when installing OpenBSD, read the relevant
|
|
INSTALL.* file as listed above!
|
|
|
|
<h3>OpenBSD/alpha:</h3>
|
|
|
|
<p>
|
|
Write <i>floppy61.fs</i> or <i>floppyB61.fs</i> (depending on your machine)
|
|
to a diskette and enter <i>boot dva0</i>.
|
|
Refer to INSTALL.alpha for more details.
|
|
|
|
<p>
|
|
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
|
|
will most likely fail.
|
|
|
|
<h3>OpenBSD/amd64:</h3>
|
|
|
|
<p>
|
|
If your machine can boot from CD, you can write <i>install61.iso</i> or
|
|
<i>cd61.iso</i> to a CD and boot from it.
|
|
You may need to adjust your BIOS options first.
|
|
|
|
<p>
|
|
If your machine can boot from USB, you can write <i>install61.fs</i> or
|
|
<i>miniroot61.fs</i> to a USB stick and boot from it.
|
|
|
|
<p>
|
|
If you can't boot from a CD, floppy disk, or USB,
|
|
you can install across the network using PXE as described in the included
|
|
INSTALL.amd64 document.
|
|
|
|
<p>
|
|
If you are planning to dual boot OpenBSD with another OS, you will need to
|
|
read INSTALL.amd64.
|
|
|
|
<h3>OpenBSD/arm64:</h3>
|
|
|
|
<p>
|
|
Write <i>miniroot61.fs</i> to a disk and boot from it after connecting
|
|
to the serial console. Refer to INSTALL.arm64 for more details.
|
|
|
|
<h3>OpenBSD/armv7:</h3>
|
|
|
|
<p>
|
|
Write a system specific miniroot to an SD card and boot from it after connecting
|
|
to the serial console. Refer to INSTALL.armv7 for more details.
|
|
|
|
<h3>OpenBSD/hppa:</h3>
|
|
|
|
<p>
|
|
Boot over the network by following the instructions in INSTALL.hppa or the
|
|
<a href="hppa.html#install">hppa platform page</a>.
|
|
|
|
<h3>OpenBSD/i386:</h3>
|
|
|
|
<p>
|
|
If your machine can boot from CD, you can write <i>install61.iso</i> or
|
|
<i>cd61.iso</i> to a CD and boot from it.
|
|
You may need to adjust your BIOS options first.
|
|
|
|
<p>
|
|
If your machine can boot from USB, you can write <i>install61.fs</i> or
|
|
<i>miniroot61.fs</i> to a USB stick and boot from it.
|
|
|
|
<p>
|
|
If you can't boot from a CD, floppy disk, or USB,
|
|
you can install across the network using PXE as described in
|
|
the included INSTALL.i386 document.
|
|
|
|
<p>
|
|
If you are planning on dual booting OpenBSD with another OS, you will need to
|
|
read INSTALL.i386.
|
|
|
|
<h3>OpenBSD/landisk:</h3>
|
|
|
|
<p>
|
|
Write <i>miniroot61.fs</i> to the start of the CF
|
|
or disk, and boot normally.
|
|
|
|
<h3>OpenBSD/loongson:</h3>
|
|
|
|
<p>
|
|
Write <i>miniroot61.fs</i> to a USB stick and boot bsd.rd from it
|
|
or boot bsd.rd via tftp.
|
|
Refer to the instructions in INSTALL.loongson for more details.
|
|
|
|
<h3>OpenBSD/luna88k:</h3>
|
|
|
|
<p>
|
|
Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
|
|
from the PROM, and then bsd.rd from the bootloader.
|
|
Refer to the instructions in INSTALL.luna88k for more details.
|
|
|
|
<h3>OpenBSD/macppc:</h3>
|
|
|
|
<p>
|
|
Burn the image from a mirror site to a CDROM, and power on your machine
|
|
while holding down the <i>C</i> key until the display turns on and
|
|
shows <i>OpenBSD/macppc boot</i>.
|
|
|
|
<p>
|
|
Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
|
|
/6.1/macppc/bsd.rd</i>
|
|
|
|
<h3>OpenBSD/octeon:</h3>
|
|
|
|
<p>
|
|
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
|
|
Refer to the instructions in INSTALL.octeon for more details.
|
|
|
|
<h3>OpenBSD/sgi:</h3>
|
|
|
|
<p>
|
|
To install, burn cd61.iso on a CD-R, put it in the CD drive of your
|
|
machine and select <i>Install System Software</i> from the System Maintenance
|
|
menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
|
|
CD-ROM, and need a proper invocation from the PROM prompt.
|
|
Refer to the instructions in INSTALL.sgi for more details.
|
|
|
|
<p>
|
|
If your machine doesn't have a CD drive, you can setup a DHCP/tftp network
|
|
server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
|
|
system type. Refer to the instructions in INSTALL.sgi for more details.
|
|
|
|
<h3>OpenBSD/sparc64:</h3>
|
|
|
|
<p>
|
|
Burn the image from a mirror site to a CDROM, boot from it, and type
|
|
<i>boot cdrom</i>.
|
|
|
|
<p>
|
|
If this doesn't work, or if you don't have a CDROM drive, you can write
|
|
<i>floppy61.fs</i> or <i>floppyB61.fs</i>
|
|
(depending on your machine) to a floppy and boot it with <i>boot
|
|
floppy</i>. Refer to INSTALL.sparc64 for details.
|
|
|
|
<p>
|
|
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
|
|
will most likely fail.
|
|
|
|
<p>
|
|
You can also write <i>miniroot61.fs</i> to the swap partition on
|
|
the disk and boot with <i>boot disk:b</i>.
|
|
|
|
<p>
|
|
If nothing works, you can boot over the network as described in INSTALL.sparc64.
|
|
</section>
|
|
|
|
<hr>
|
|
|
|
<section id=upgrade>
|
|
<h3>How to upgrade</h3>
|
|
<p>
|
|
If you already have an OpenBSD 6.0 system, and do not want to reinstall,
|
|
upgrade instructions and advice can be found in the
|
|
<a href="faq/upgrade61.html">Upgrade Guide</a>.
|
|
</section>
|
|
|
|
<hr>
|
|
|
|
<section id=sourcecode>
|
|
<h3>Notes about the source code</h3>
|
|
<p>
|
|
<code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
|
|
This file contains everything you need except for the kernel sources,
|
|
which are in a separate archive.
|
|
To extract:
|
|
<blockquote><pre>
|
|
# <kbd>mkdir -p /usr/src</kbd>
|
|
# <kbd>cd /usr/src</kbd>
|
|
# <kbd>tar xvfz /tmp/src.tar.gz</kbd>
|
|
</pre></blockquote>
|
|
<p>
|
|
<code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
|
|
This file contains all the kernel sources you need to rebuild kernels.
|
|
To extract:
|
|
<blockquote><pre>
|
|
# <kbd>mkdir -p /usr/src/sys</kbd>
|
|
# <kbd>cd /usr/src</kbd>
|
|
# <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
|
|
</pre></blockquote>
|
|
<p>
|
|
Both of these trees are a regular CVS checkout. Using these trees it
|
|
is possible to get a head-start on using the anoncvs servers as
|
|
described <a href="anoncvs.html">here</a>.
|
|
Using these files
|
|
results in a much faster initial CVS update than you could expect from
|
|
a fresh checkout of the full OpenBSD source tree.
|
|
</section>
|
|
|
|
<hr>
|
|
|
|
<section id=ports>
|
|
<h3>Ports Tree</h3>
|
|
<p>
|
|
A ports tree archive is also provided. To extract:
|
|
<blockquote><pre>
|
|
# <kbd>cd /usr</kbd>
|
|
# <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
|
|
</pre></blockquote>
|
|
<p>
|
|
Go read the <a href="faq/ports/index.html">ports</a> page
|
|
if you know nothing about ports
|
|
at this point. This text is not a manual of how to use ports.
|
|
Rather, it is a set of notes meant to kickstart the user on the
|
|
OpenBSD ports system.
|
|
<p>
|
|
The <i>ports/</i> directory represents a CVS checkout of our ports.
|
|
As with our complete source tree, our ports tree is available via
|
|
<a href="anoncvs.html">AnonCVS</a>.
|
|
So, in order to keep up to date with the -stable branch, you must make
|
|
the <i>ports/</i> tree available on a read-write medium and update the tree
|
|
with a command like:
|
|
<blockquote><pre>
|
|
# <kbd>cd /usr/ports</kbd>
|
|
# <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_1</kbd>
|
|
</pre></blockquote>
|
|
<p>
|
|
[Of course, you must replace the server name here with a nearby anoncvs
|
|
server.]
|
|
<p>
|
|
Note that most ports are available as packages on our mirrors. Updated
|
|
ports for the 6.1 release will be made available if problems arise.
|
|
<p>
|
|
If you're interested in seeing a port added, would like to help out, or just
|
|
would like to know more, the mailing list
|
|
<a href="mail.html">ports@openbsd.org</a> is a good place to know.
|
|
</section>
|