Free Download OpenBSD for Linux ::: Operating Systems & Updates

Software Screenshot:

Software Details:

Version: 6.3 ^updated

Upload Date: 17 Aug 18

Developer: OpenBSD Team

Distribution Type: Freeware

Downloads: 177

Download

Currently 4.00/5
1
2
3
4
5

Rating: 4.0/5 (Total Votes: 1)

OpenBSD is a free project that delivers a multi-platform UNIX-like operating system that is portable, efficient, secure, and based on the 4.4BSD platform. It is a powerful server product used on hundreds of thousands of computers worldwide.

Availability, boot options, supported platforms

The operating system is freely available for download from the dedicated section (see above) as ISO images or binary packages that allow users to install it over the network. The ISO images can be burned onto CD discs, bootable directly from the BIOS of most PCs.

OpenBSD supports binary emulation of most programs from SVR4 (Solaris), FreeBSD, Linux, BSD, SunOS and HP-UX. It can be installed on a wide range of architectures, including i386, sparc64, alpha, m68k, sh, amd64, PowerPC, m88k, sparc, ARM, hppa, vax, mips64, and mips64el.

The CD image boots automatically without user interaction and will ask them if they want to manually install, upgrade or automatically install the operating system, as well as to drop to a shell prompt.

Manual or automatic installation

A standard (read: manual) installation will require users to choose a keyboard layout, set the hostname, choose a network interface and configure it with IPv4 and/or IPv6, as well as to set a new password for the root (system administrator) account.

In addition, you can choose to start the SSH and NTP services when the system starts, choose if you want to use the X Window System or not, setup a user, choose a timezone, partition the disk drive, and install sets.

Among the included software packages available for OpenBSD, we can mention the GNOME, KDE and Xfce desktop environments, the MySQL, PostgreSQL, Postfix and OpenLDAP servers, the Mozilla Firefox, Mozilla Thunderbird, LibreOffice, Emacs, Vim and Chromium apps, as well as the PHP, Python, Ruby, Tcl/Tk, JDK, Mono and Go programming languages.

Bottom line

Summing up, OpenBSD is a powerful and highly acclaimed server-oriented BSD/UNIX operating system that provides us with state-of-the-art software, including OpenSSH, OpenNTPD, OpenSMTPD, OpenBGPD, OpenIKED, and mandoc.

What is new in this release:

Improved hardware support, including:
SMP support on OpenBSD/arm64 platforms.
VFP and NEON support on OpenBSD/armv7 platforms.
New acrtc(4) driver for X-Powers AC100 audio codec and Real Time Clock.
New axppmic(4) driver for X-Powers AXP Power Management ICs.
New bcmrng(4) driver for Broadcom BCM2835/BCM2836/BCM2837 random number generator.
New bcmtemp(4) driver for Broadcom BCM2835/BCM2836/BCM2837 temperature monitor.
New bgw(4) driver for Bosch motion sensor.
New bwfm(4) driver for Broadcom and Cypress FullMAC 802.11 devices (still experimental and not compiled into the kernel by default)
New efi(4) driver for EFI runtime services.
New imxanatop(4) driver for i.MX6 integrated regulator.
New rkpcie(4) driver for Rockchip RK3399 Host/PCIe bridge.
New sxirsb(4) driver for Allwinner Reduced Serial Bus controller.
New sxitemp(4) driver for Allwinner temperature monitor.
New sxits(4) driver for temperature sensor on Allwinner A10/A20 touchpad controller.
New sxitwi(4) driver for two-wire bus found on several Allwinner SoCs.
New sypwr(4) driver for the Silergy SY8106A regulator.
Support for Rockchip RK3328 SoCs has been added to the dwge(4), rkgrf(4), rkclock(4) and rkpinctrl(4) drivers.
Support for Rockchip RK3288/RK3328 SoCs has been added to the rktemp(4) driver.
Support for Allwinner A10/A20, A23/A33, A80 and R40/V40 SoCs has been added to the sxiccmu(4) driver.
Support for Allwinner A33, GR8 and R40/V40 SoCs has been added to the sxipio(4) driver.
Support for SAS3.5 MegaRAIDs has been added to the mfii(4) driver.
Support for Intel Cannon Lake and Ice Lake integrated Ethernet has been added to the em(4) driver.
cnmac(4) ports are now assigned to different CPU cores for distributed interrupt processing.
The pms(4) driver now detects and handles reset announcements.
On amd64 Intel CPU microcode is loaded on boot and installed/updated by fw_update(1).
Support the sun4v hypervisor interrupt cookie API, adding support for SPARC T7-1/2/4 machines.
Hibernate support has been added for SD/MMC storage attached to sdhc(4) controllers.
clang(1) is now used as the system compiler on armv7, and it is also provided on sparc64.
vmm(4)/ vmd(8) improvements:
Add CD-ROM/DVD ISO support to vmd(8) via vioscsi(4).
vmd(8) no longer creates an underlying bridge interface for virtual switches defined in vm.conf(5).
vmd(8) receives switch information (rdomain, etc) from underlying switch interface in conjunction of settings in vm.conf(5).
Time Stamp Counter (TSC) support in guest VMs.
Support ukvm/Solo5 unikernels in vmm(4).
Handle valid (but uncommon) instruction encodings better.
Better PAE paging support for 32-bit Linux guest VMs.
vmd(8) now allows up to four network interfaces in each VM.
Add paused migration and snapshotting support to vmm(4) for AMD SVM/RVI hosts.
BREAK commands sent over a pty(4) are now understood by vmd(8).
Many fixes to vmctl(8) and vmd(8) error handling.
IEEE 802.11 wireless stack improvements:
The iwm(4) and iwn(4) drivers will automatically roam between access points which share an ESSID. Forcing a particular AP's MAC address with ifconfig's bssid command disables roaming.
Automatically clear configured WEP/WPA keys when a new network ESSID is configured.
Removed the ability for userland to read configured WEP/WPA keys back from the kernel.
The iwm(4) driver can now connect to networks with a hidden SSID.
USB devices supported by the athn(4) driver now use an open source firmware, and hostap mode now works with these devices.
Generic network stack improvements:
The network stack no longer runs with the KERNEL_LOCK() when IPsec is enabled.
Processing of incoming TCP/UDP packets is now done without KERNEL_LOCK().
The socket splicing task runs without KERNEL_LOCK().
Cleanup and removal of code in sys/netinet6 since autoconfiguration runs in userland now.
bridge(4) members can now be prevented to talk to each others with the new protected option.
The pf divert-packet feature has been simplified. The IP_DIVERTFL socket option has been removed from divert(4).
Various corner cases of pf divert-to and divert-reply are more consistent now.
Enforce in pf(4) that all neighbor discovery packets have 255 in their IPv6 header hop limit field.
New set syncookies option in pf.conf(5).
Support for GRE over IPv6.
New egre(4) driver for Ethernet over GRE tunnels.
Support for the optional GRE key header and GRE key entropy in gre(4) and egre(4).
New nvgre(4) driver for Network Virtualization using Generic Routing Encapsulation.
Support for configuring the Don't Fragment flag packets encapsulated by tunnel interfaces.
Installer improvements:
if install.site or upgrade.site fails, notify the user and error out after storing rand.seed.
allow CIDR notation when entering IPv4 and IPv6 addresses.
repair selection of a HTTP mirror from the list of mirrors.
allow '-' in usernames.
ask a question at the end of the install/upgrade process so carriage return causes the appropriate action, e.g. reboot.
display the mode (install or upgrade) shell prompts as long as no hostname is known.
correctly detect which interface has the default route and if it was configured via DHCP.
ensure sets can be read from the prefetch area.
ensure URL redirection is effective for entire install/upgrade.
add the HTTP proxy used when fetching sets to rc.firsttime, where fw_update and syspatch can find and use it.
add logic to support RFC 7217 with SLAAC.
ensure that IPv6 is configured for dynamically created network interfaces like vlan(4).
create correct hostname when both domain-name and domain-search options are provided in the DHCP lease.
Routing daemons and other userland network improvements:
bgpctl(8) has a new ssv option which outputs rib entries as a single semicolon-separated like for selection before output.
slaacd(8) generates random but stable IPv6 stateless autoconfiguration addresses according to RFC 7217. These are enabled per default in accordance with RFC 8064.
slaacd(8) follows RFC 4862 by removing an artificial limitation on /64 sized prefixes using RFC 7217 (random but stable) and RFC 4941 (privacy) style stateless autoconfiguration addresses.
ospfd(8) can now set the metric for a route depending on the status of an interface.
ifconfig(8) has a new staticarp option to make interfaces reply to ARP requests only.
ipsecctl(8) can now collapse flow outputs having the same source or destination.
The -n option in netstart(8) no longer messes with the default route. It is now documented as well.
Security improvements:
Use even more trap-sleds on various architectures.
More use of .rodata for constant variables in assembly source.
Stop using x86 "repz ret" in dusty corners of the tree.
Introduce "execpromises" in pledge(2).
The elfrdsetroot utility used to build ramdisks and the rebound(8) monitoring process now use pledge(2).
Prepare for the introduction of MAP_STACK to mmap(2) after 6.3.
Push a small piece of KARL-linked kernel text into the random number generator as entropy at startup.
Put a small random gap at the top of thread stacks, so that attackers have yet another calculation to perform for their ROP work.
Mitigation for Meltdown vulnerability for Intel brand amd64 CPUs.
OpenBSD/arm64 now uses kernel page table isolation to mitigate Spectre variant 3 (Meltdown) attacks.
OpenBSD/armv7 and OpenBSD/arm64 now flush the Branch Target Buffer (BTB) on processors that do speculative execution to mitigate Spectre variant 2 attacks.
pool_get(9) perturbs the order of items on newly allocated pages, making the kernel heap layout harder to predict.
The fktrace(2) system call was deleted.
dhclient(8) improvements:
Parsing dhclient.conf(5) no longer leaks SSID strings, strings that are too long for the parsing buffer or repeated string options and commands.
Storing leases in dhclient.conf(5) is no longer supported.
'DENY' is no longer valid in dhclient.conf(5).
dhclient.conf(5) and dhclient.leases(5) parsing error messages have been simplified and clarified, with improved behaviour in the presence of unexpected semicolons.
More care is taken to only use configuration information that was successfully parsed.
'-n' has been added, which causes dhclient(8) to exit after parsing dhclient.conf(5).
Default routes in options classless-static-routes (121) and classless-ms-static-routes (249) are now correctly represented in dhclient.leases(5) files.
Overwrite the file specified with '-L' rather than appending to it.
Leases in dhclient.leases(5) now contain an 'epoch' attribute recording the time the lease was accepted, which is used to calculate correct renewal, rebinding and expiry times.
No longer nag about underscores in names violating RFC 952.
Unconditionally send host-name information when requesting a lease, eliminating the need for dhclient.conf(5) in the default installation.
Be quiet by default. '-q' has been removed and '-v' added to enable verbose logging.
Decline duplicate offers for the requested address.
Unconditionally go into the background after link-timeout seconds.
Significantly reduce logging when being quiet, but make '-v' log all debug information without needing to compile a custom executable.
Ignore 'interface' statements in dhclient.leases(5) and assume all leases in the file are for the interface being configured.
Display the source of the lease bound to the interface.
'ignore', 'request' and 'require' declarations in dhclient.conf(5) now add the specified options to the relevant list rather than replacing the list.
Eliminate a startup race that could result in dhclient(8) exiting without configuring the interface.
Assorted improvements:
Code reorganization and other improvements to malloc(3) and friends to make them more efficient.
When performing suspend or hibernate operations, ensure all filesystems are properly synchronized and marked clean, or if they cannot be put into perfectly clean state on disk (due to open+unlinked files) then mark them dirty, so that a failed resume/unhibernate is guaranteed to perform fsck(8).
acme-client(1) autodetects the agreement URL and follows 30x HTTP redirects.
Added __cxa_thread_atexit() to support modern C++ tool chains.
Added EVFILT_DEVICE support to kqueue(2) for monitoring changes to drm(4) devices.
ldexp(3) now handles the sign of denormal numbers correctly on mips64.
New sincos(3) functions in libm.
fdisk(8) now ensures the validity of MBR partition offsets entered while editing.
fdisk(8) now ensures that default values lie within the valid range.
less(1) now splits only the environment variable LESS on '$'.
less(1) no longer creates a spurious file when encountering '$' in the initial command.
softraid(4) now validates the number of chunks when assembling a volume, ensuring the on-disk and in-memory metadata are in sync.
disklabel(8) now always offers to edit an FFS partition's fragment size before offering to edit the blocksize.
disklabel(8) now allows editing the cylinders/group (cpg) attribute whenever the partition blocksize can be edited.
disklabel(8) now detects ^D and invalid input during (R)esize commands.
disklabel(8) now detects underflows and overflows when -/+ operators are used.
disklabel(8) now avoids an off-by-one when calculating the number of cylinders in a free chunk.
disklabel(8) now validates the requested partition size against the size of the largest free chunk instead of the total free space.
Support for dumping USB transfers via bpf(4).
tcpdump(8) can now understand dumps of USB transfers in the USBPcap format.
The default prompts of csh(1), ksh(1) and sh(1) now include the hostname.
Memory allocation in ksh(1) was switched from calloc(3) back to malloc(3), making it easier to recognize uninitialized memory. As a result, a history-related bug in emacs editing mode was discovered and fixed.
New script(1) -c option to run a command instead of a shell.
New grep(1) -m option to limit the number of matches.
New uniq(1) -i option for case-insensitive comparison.
The printf(3) format string is no longer validated when looking for % formats. Based on a commit by android and following most other operating systems.
Improved error checking in vfwprintf(3).
Many base programs have been audited and fixed for stale file descriptors, including cron(8), ftp(1), mandoc(1), openssl(1), ssh(1) and sshd(8).
Various bug fixes and improvements in jot(1):
Arbitrary length limits for the arguments for the -b, -s, -w options were removed.
The %F format specifier is now supported and a bug in the %D format was fixed.
Better code coverage in regression tests.
Several buffer overruns were fixed.
The patch(1) utility now copes better with git diffs that create or delete files.
pkg_add(1) now has improved support for HTTP(S) redirectors such as cdn.openbsd.org.
ftp(1) and pkg_add(1) now support HTTPS session resumption for improved speed.
mandoc(1) -T ps output file size reduced by more than 50%.
syslogd(8) logs if there were warnings during startup.
syslogd(8) stopped logging to files in a full filesystem. Now it writes a warning and continues after space has been made available.
vmt(4) now allows cloning and taking disk-only snapshots of running guests.
OpenSMTPD 6.0.4
Add spf walk option to smtpctl(8).
Assorted cleanups and improvements.
Numerous manual page fixes and improvements.
OpenSSH 7.7
New/changed features:
All: Add experimental support for PQC XMSS keys (Extended Hash- Based Signatures) based on the algorithm described in https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12 The XMSS signature code is experimental and not compiled in by default.
sshd(8): Add a "rdomain" criteria for the sshd_config Match keyword to allow conditional configuration that depends on which routing domain a connection was received on (currently supported on OpenBSD and Linux).
sshd_config(5): Add an optional rdomain qualifier to the ListenAddress directive to allow listening on different routing domains. This is supported only on OpenBSD and Linux at present.
sshd_config(5): Add RDomain directive to allow the authenticated session to be placed in an explicit routing domain. This is only supported on OpenBSD at present.
sshd(8): Add "expiry-time" option for authorized_keys files to allow for expiring keys.
ssh(1): Add a BindInterface option to allow binding the outgoing connection to an interface's address (basically a more usable BindAddress).
ssh(1): Expose device allocated for tun/tap forwarding via a new %T expansion for LocalCommand. This allows LocalCommand to be used to prepare the interface.
sshd(8): Expose the device allocated for tun/tap forwarding via a new SSH_TUNNEL environment variable. This allows automatic setup of the interface and surrounding network configuration automatically on the server.
ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g. ssh://user@host or sftp://user@host/path. Additional connection parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not implemented since the ssh fingerprint format in the draft uses the deprecated MD5 hash with no way to specify the any other algorithm.
ssh-keygen(1): Allow certificate validity intervals that specify only a start or stop time (instead of both or neither).
sftp(1): Allow "cd" and "lcd" commands with no explicit path argument. lcd will change to the local user's home directory as usual. cd will change to the starting directory for session (because the protocol offers no way to obtain the remote user's home directory). bz#2760
sshd(8): When doing a config test with sshd -T, only require the attributes that are actually used in Match criteria rather than (an incomplete list of) all criteria.
The following significant bugs have been fixed in this release:
ssh(1)/sshd(8): More strictly check signature types during key exchange against what was negotiated. Prevents downgrade of RSA signatures made with SHA-256/512 to SHA-1.
sshd(8): Fix support for client that advertise a protocol version of "1.99" (indicating that they are prepared to accept both SSHv1 and SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1 support. bz#2810
ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when a rsa-sha2-256/512 signature was requested. This condition is possible when an old or non-OpenSSH agent is in use. bz#2799
ssh-agent(1): Fix regression introduce in 7.6 that caused ssh-agent to fatally exit if presented an invalid signature request message.
sshd_config(5): Accept yes/no flag options case-insensitively, as has been the case in ssh_config(5) for a long time. bz#2664
ssh(1): Improve error reporting for failures during connection. Under some circumstances misleading errors were being shows. bz#2814
ssh-keyscan(1): Add -D option to allow printing of results directly in SSHFP format. bz#2821
regress tests: fix PuTTY interop test broken in last release's SSHv1 removal. bz#2823
ssh(1): Compatibility fix for some servers that erroneously drop the connection when the IUTF8 (RFC8160) option is sent.
scp(1): Disable RemoteCommand and RequestTTY in the ssh session started by scp (sftp was already doing this.)
ssh-keygen(1): Refuse to create a certificate with an unusable number of principals.
ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the public key during key generation. Previously it would silently ignore errors writing the comment and terminating newline.
ssh(1): Do not modify hostname arguments that are addresses by automatically forcing them to lower-case. Instead canonicalise them to resolve ambiguities (e.g. ::0001 => ::1) before they are matched against known_hosts. bz#2763
ssh(1): Don't accept junk after "yes" or "no" responses to hostkey prompts. bz#2803
sftp(1): Have sftp print a warning about shell cleanliness when decoding the first packet fails, which is usually caused by shells polluting stdout of non-interactive startups. bz#2800
ssh(1)/sshd(8): Switch timers in packet code from using wall-clock time to monotonic time, allowing the packet layer to better function over a clock step and avoiding possible integer overflows during steps.
Numerous manual page fixes and improvements.
LibreSSL 2.7.2
Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on observations of real-world usage in applications. These are implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility changes have not been made to existing structs, allowing code written for older OpenSSL APIs to continue working.
Extensive corrections, improvements, and additions to the API documentation, including new public APIs from OpenSSL that had no pre-existing documentation.
Added support for automatic library initialization in libcrypto, libssl, and libtls. Support for pthread_once or a compatible equivalent is now required of the target operating system. As a side-effect, minimum Windows support is Vista or higher.
Converted more packet handling methods to CBB, which improves resiliency when generating TLS messages.
Completed TLS extension handling rewrite, improving consistency of checks for malformed and duplicate extensions.
Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1. This removes the last remaining use of the old M_ASN1_* macros (asn1_mac.h) from API that needs to continue to exist.
Added support for client-side session resumption in libtls. A libtls client can specify a session file descriptor (a regular file with appropriate ownership and permissions) and libtls will manage reading and writing of session data across TLS handshakes.
Improved support for strict alignment on ARMv7 architectures, conditionally enabling assembly in those cases.
Fixed a memory leak in libtls when reusing a tls_config.
Merged more DTLS support into the regular TLS code path, removing duplicated code.
Ports and packages:
dpb(1) and normal ports(7) can now enjoy the same privilege separated model by setting PORTS_PRIVSEP=Yes
Many pre-built packages for each architecture:
aarch64: 7990
alpha: 1
amd64: 9912
arm: XXXX
hppa: XXXX
i386: 9861
mips64: 8149
mips64el: XXXX
powerpc: XXXX
sh: 1
sparc64: XXXX
Some highlights:
AFL 2.52b
CMake 3.10.2
Chromium 65.0.3325.181
Emacs 21.4 and 25.3
GCC 4.9.4
GHC 8.2.2
Gimp 2.8.22
GNOME 3.26.2
Go 1.10
Groff 1.22.3
JDK 8u144
KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
LLVM/Clang 5.0.1
LibreOffice 6.0.2.1
Lua 5.1.5, 5.2.4 and 5.3.4
MariaDB 10.0.34
Mozilla Firefox 52.7.3esr and 59.0.2
Mozilla Thunderbird 52.7.0
Mutt 1.9.4 and NeoMutt 20180223
Node.js 8.9.4
Ocaml 4.03.0
OpenLDAP 2.3.43 and 2.4.45
PHP 5.6.34 and 7.0.28
Postfix 3.3.0 and 3.4-20180203
PostgreSQL 10.3
Python 2.7.14 and 3.6.4
R 3.4.4
Ruby 2.3.6, 2.4.3 and 2.5.0
Rust 1.24.0
Sendmail 8.16.0.21
SQLite3 3.22.0
Sudo 1.8.22
Tcl/Tk 8.5.19 and 8.6.8
TeX Live 2017
Vim 8.0.1589
Xfce 4.12
As usual, steady improvements in manual pages and other documentation.
The system includes the following major components from outside suppliers:
Xenocara (based on X.Org 7.7 with xserver 1.19.6 + patches, freetype 2.8.1, fontconfig 2.12.4, Mesa 13.0.6, xterm 330, xkeyboard-config 2.20 and more)
LLVM/Clang 5.0.1 (+ patches)
GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
Perl 5.24.3 (+ patches)
NSD 4.1.20
Unbound 1.6.8
Ncurses 5.7
Binutils 2.17 (+ patches)
Gdb 6.3 (+ patches)
Awk Aug 10, 2011 version
Expat 2.2.5

What is new in version 6.2:

New/extended platforms:
armv7:
EFI bootloader added, kernels are now loaded from FFS instead of FAT or EXT filesystems, without U-Boot headers.
A single kernel and ramdisk are now used for all SoCs.
Hardware is dynamically enumerated via Flattened Device Tree (FDT) instead of via static tables based on board id numbers.
Miniroot installer images include U-Boot 2016.07 with support for EFI payloads.
vax:
Removed.
Improved hardware support, including:
New bytgpio(4) driver for the Intel Bay Trail GPIO controller.
New chvgpio(4) driver for the Intel Cherry View GPIO controller.
New maxrtc(4) driver for the Maxim DS1307 real time clock.
New nvme(4) driver for the Non-Volatile Memory Express (NVMe) host controller interface.
New pcfrtc(4) driver for the NXP PCF8523 real time clock.
New umb(4) driver for the Mobile Broadband Interface Model (MBIM).
New ure(4) driver for RealTek RTL8152 based 10/100 USB Ethernet devices.
New utvfu(4) driver for audio/video capture devices based on the Fushicai USBTV007.
The iwm(4) driver now supports Intel Wireless 3165 and 8260 devices, and works more reliably in RAMDISK kernels.
Support for I2C HID devices with GPIO signalled interrupts has been added to dwiic(4).
Support for larger bus widths, high speed modes, and DMA transfers has been added to sdmmc(4), rtsx(4), sdhc(4), and imxesdhc(4).
Support for EHCI and OHCI compliant USB controllers on Octeon II SoCs.
Many USB device drivers have been enabled on OpenBSD/octeon.
Improved support for hardware-reduced ACPI implementations.
Improved support for ACPI 5.0 implementations.
AES-NI crypto is now done without holding the kernel lock.
Improved AGP support on PowerPC G5 machines.
Added support for the SD card slot in Intel Bay Trail SoCs.
The ichiic(4) driver now ignores the SMBALERT# interrupt to prevent an interrupt storm with buggy BIOS implementations.
Device attachment problems with the axen(4) driver have been fixed.
The ral(4) driver is more stable under load with RT2860 devices.
Problems with dead keyboards after resume have been fixed in the pckbd(4) driver.
The rtsx(4) driver now supports RTS522A devices.
Initial support for MSI-X has been added.
Support MSI-X in the virtio(4) driver.
Added a workaround for hardware DMA overruns to the dc(4) driver.
The acpitz(4) driver now spins the fan down after cooling if ACPI uses hysteresis for active cooling.
The xhci(4) driver now performs handoff from an xHCI-capable BIOS correctly.
Support for multi-touch input has been added to the wsmouse(4) driver.
The uslcom(4) driver now supports the serial console of Aruba 7xxx wireless controllers.
The re(4) driver now works around broken LED configurations in APU1 EEPROMs.
The ehci(4) driver now works around problems with ATI USB controllers (e.g. SB700).
The xen(4) driver now supports domU configuration under Qubes OS.
IEEE 802.11 wireless stack improvements:
The HT block ack receive buffer logic follows the algorithm given in the 802.11-2012 spec more closely.
The iwn(4) driver now keeps track of HT protection changes while associated to an 11n AP.
The wireless stack and several drivers make more aggressive use of RTS/CTS to avoid interference from legacy devices and hidden nodes.
The netstat(1) -W command now shows information about 802.11n events.
In hostap mode, do not reuse association IDs of nodes which are still cached. Fixes a problem where an access point using the ral(4) driver would get stuck at 1 Mbps because Tx rate accounting happened on the wrong node object.
Generic network stack improvements:
The routing table is now based on ART offering a faster lookup.
The number of route lookup per packet has been reduced to 1 in the forwarding path.
The prio field on VLAN headers is now correctly set on each fragment of an IPv4 packet going out on a vlan(4) interface.
Enabled device cloning for bpf(4). This allows the system to have just one bpf device node in /dev that services all bpf consumers (up to 1024).
The Tx queue of the cnmac(4) driver can now be processed in parallel of the rest of the kernel.
Network input path is now run in thread context.
Installer improvements:
updated list of restricted usercodes
install.sh and upgrade.sh merged into install.sub
update automatically runs sysmerge(8) in batch mode before fw_update(1)
questions and answers are logged in a format that can be used as a response file for use by autoinstall(8)
/usr/local is set to wxallowed during install
Routing daemons and other userland network improvements:
Add routing table support to rc.d(8) and rcctl(8).
Let nc(1) support service names in addition to port numbers.
Add -M and -m TTL flags to nc(1).
Add AF_UNIX support to tcpbench(1).
Fixed a regression in rarpd(8). The daemon could hang if it was idle for a long time.
Added the llprio option in ifconfig(8).
Multiple programs that use bpf(4) have been modified to take advantage of bpf(4) device cloning by opening /dev/bpf0 instead of looping through /dev/bpf* devices. These programs include arp(8), dhclient(8), dhcpd(8), dhcrelay(8), hostapd(8), mopd(8), npppd(8), rarpd(8), rbootd(8), and tcpdump(8). The libpcap library has also been modified accordingly.
Security improvements:
W^X is now strictly enforced by default; a program can only violate it if the executable is marked with PT_OPENBSD_WXNEEDED and is located on a filesystem mounted with the wxallowed mount(8) option. Because there are still too many ports which violate W^X, the installer mounts the /usr/local filesystem with wxallowed. This allows the base system to be more secure as long as /usr/local is a separate filesystem. If you use no W^X violating programs, consider manually revoking that option.
The setjmp(3) family of functions now apply XOR cookies to stack and return-address values in the jmpbuf on amd64, hppa, i386, mips64, and powerpc.
SROP mitigation: sigreturn(2) can now only be used by the kernel-provided signal trampoline, with a cookie to detect attempts to reuse it.
To deter code reuse exploits, rc(8) re-links libc.so on startup, placing the objects in a random order.
In the getpwnam(3) family of functions, stop opening the shadow database by default.
Allow tcpdump(8) -r to be started without root privileges.
Remove systrace.
Remove Linux emulation support.
Remove support for the usermount option.
The TCP SYN cache reseeds its random hash function from time to time. This prevents an attacker from calculating the distribution of the hash function with a timing attack.
To work against SYN flooding attacks the administrator can change the size of the hash array now. netstat(1) -s -p tcp shows the relevant information to tune the SYN cache with sysctl(8) net.inet.tcp.
The administrator can require root privileges for binding to some TCP and UDP ports with sysctl(8) net.inet.tcp.rootonly and sysctl(8) net.inet.udp.rootonly.
Remove a function pointer from the mbuf(9) data structure and use an index into an array of acceptable functions instead.
Assorted improvements:
The thread library can now be loaded into a single-threaded process.
Improved symbol handling and standards compliance in libc. For example, defining an open() function will no longer interfere with the operation of fopen(3).
PT_TLS sections are now supported in initially loaded object.
Improved handling of "no paths" and "empty path" in fts(3).
In pcap(3), provide the functions pcap_free_datalinks() and pcap_offline_filter().
Many bugfixes and structural cleanup in the editline(3) library.
Remove ancient dbm(3) functions; ndbm(3) remains.
Add setenv keyword for more powerful environment handling in doas.conf(5).
Add -g and -p options to aucat.1 for time positioning.
Rewrite audioctl(1) with a simpler user interface.
Add -F option to install(1) to fsync(2) the file before closing it.
kdump(1) now dumps pollfd structures.
Improve various details of ksh(1) POSIX compliance.
mknod(8) rewritten in a pledge(2)-friendly style and to support creating multiple devices at once.
Implement rcctl(8) get all and getdef all.
Implement the rcs(1) -I (interactive) flag.
In rcs(1), implement Mdocdate keyword substitution.
In top(1), allow to filter process arguments if they are being displayed.
Added UTF-8 support to fold(1) and rev(1).
Enable UTF-8 by default in xterm(1) and pod2man(1).
Filter out non-ASCII characters in wall(1).
Handle the COLUMNS environment variable consistently across many programs.
The options -c and -k allow to provide TLS client certificates for syslogd(8) on the sending side. With that the receiving side can verify log messages are authentic. Note that syslogd does not have this check feature yet.
When the klog buffer overflows, syslogd will write a log message to show that some entries is missing.
On OpenBSD/octeon, CPU cache write buffering is enabled to improve performance.
pkg_add(1) and pkg_info(1) now understand a notion of branch to ease selection of some popular packages such as python or php, e.g., say pkg_add python%3.4 to select the 3.4 branch, and use pkg_info -zm to get a fuzzy listing with branch selection suitable for pkg_add -l.
fdisk(8) and pdisk(8) immediately exit unless passed a character special device
st(4) correctly tracks the current block count for variable sized blocks
fsck_ext2fs(8) works again
softraid(4) volumes can be constructed with disks that have a sector size other than 512 bytes
dhclient(8) DECLINE's and discards unused OFFER's.
dhclient(8) immediately exits if its interface (e.g. a bridge(4)) returns EAFNOSUPPORT when a packet is sent.
httpd(8) returns 400 Bad Request for HTTP v0.9 requests.
ffs2's lazy node initialization avoids treating random disk data as an inode
fcntl(2) invocations in base programs use the idiom fcntl(n,F_GETFL) instead of fcntl(n,F_GETFL,0)
socket(2) and accept4(2) invocations in base programs use SOCK_NONBLOCK to eliminate the need for a separate fcntl(2).
tmpfs not enabled by default
the in-kernel semantics of pledge(2) were improved in numerous ways. Highlights include: a new chown promise that allows pledged programs to set setugid attributes, a stricter enforcement of the recvfd promise and chroot(2) is no longer allowed for pledged programs.
a number of pledge(2)-related bugs (missing promises, unintended changes of behavior, crashes) were fixed, notably in gzip(1), nc(1), sed(1), skeyinit(1), stty(1), and various disk-related utilities, such as disklabel(8) and fdisk(8).
Block size calculation errors in the audio(4) driver have been fixed.
The usb(4) driver now caches vendor and product IDs. Fixes an issue where usbdevs(8) called in a loop would cause a USB mass storage device to halt operation.
The rsu(4) and ural(4) drivers are now working again after they were accidentally broken in 5.9.
OpenSMTPD 6.0.0
Security:
Implement the fork+exec pattern in smtpd(8).
Fix a logic issue in the SMTP state machine that can lead to an invalid state and result in a crash.
Plug a file-pointer leak that can lead to resource exhaustion and result in a crash.
Use automatic DH parameters instead of fixed ones.
Disable DHE by default since it is computationally expensive and a potential DoS vector.
The following improvements were brought in version 6.2:
Add the -r option to the smtpd(8) enqueuer for compatibility with mailx.
Add missing date or message-id when listening on the submit port.
Fix "smtpctl show queue" reporting "invalid" envelope state.
Rework the format of the "Received" header so that the TLS part does not violate the RFC.
Increase the number of connections a local address is allowed to establish, and decrease the delay between transactions in the same session.
Fix LMTP delivery to servers returning continuation lines.
Further improve the still experimental filter API and fix various related issues.
Start improving and unifying the format of log messages.
Fix several documentation discrepancies and typos in the man pages.
OpenSSH 7.3
Security:
sshd(8): Mitigate a potential denial-of-service attack against the system's crypt(3) function via sshd(8). An attacker could send very long passwords that would cause excessive CPU use in crypt(3). sshd(8) now refuses to accept password authentication requests of length greater than 1024 characters.
sshd(8): Mitigate timing differences in password authentication that could be used to discern valid from invalid account names when long passwords were sent and particular password hashing algorithms are in use on the server. CVE-2016-6210.
ssh(1), sshd(8): Fix observable timing weakness in the CBC padding oracle countermeasures. Note that CBC ciphers are disabled by default and only included for legacy compatibility.
ssh(1), sshd(8): Improve ordering of MAC verification for Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the MAC before decrypting any ciphertext. This removes the possibility of timing differences leaking facts about the plaintext, though no such leakage is known.
New/changed features:
ssh(1): Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through a one or more SSH bastions or "jump hosts".
ssh(1): Add an IdentityAgent option to allow specifying specific agent sockets instead of accepting one from the environment.
ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be optionally overridden when using ssh -W. (bz#2577)
ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as per draft-sgtatham-secsh-iutf8-00.
ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman 2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA signatures in certificates.
ssh(1): Add an Include directive for ssh_config(5) files.
ssh(1): Permit UTF-8 characters in pre-authentication banners sent from the server. (bz#2058)
The following significant bugs have been fixed in version 6.2:
In scp(1) and sftp(1), prevent screwing up terminal settings by escaping bytes not forming ASCII or UTF-8 characters.
ssh(1), sshd(8): Reduce the syslog level of some relatively common protocol events from LOG_CRIT. (bz#2585)
sshd(8): Refuse AuthenticationMethods="" in configurations and accept AuthenticationMethods=any for the default behaviour of not requiring multiple authentication. (bz#2398)
sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN ATTEMPT!" message when forward and reverse DNS don't match. (bz#2585)
ssh(1): Close ControlPersist background process stderr except in debug mode or when logging to syslog. (bz#1988)
misc: Make PROTOCOL description for direct-streamlocal@openssh.com channel open messages match deployed code. (bz#2529)
ssh(1): Deduplicate LocalForward and RemoteForward entries to fix failures when both ExitOnForwardFailure and hostname canonicalisation are enabled. (bz#2562)
sshd(8): Remove fallback from moduli to obsolete "primes" file that was deprecated in 2001. (bz#2559)
sshd_config(5): Correct description of UseDNS: it affects ssh hostname processing for authorized_keys, not known_hosts. (bz#2554)
ssh(1): Fix authentication using lone certificate keys in an agent without corresponding private keys on the filesystem. (bz#2550)
sshd(8): Send ClientAliveInterval pings when a time-based RekeyLimit is set; previously keepalive packets were not being sent. (bz#2252)
OpenNTPD 6.0
When a single "constraint" is specified, try all returned addresses until one succeeds, rather than the first returned address.
Relaxed the constraint error margin to be proportional to the number of NTP peers, avoid constant reconnections when there is a bad NTP peer.
Removed disabled hotplug(4) sensor support.
Added support for detecting crashes in constraint subprocesses.
Moved the execution of constraints from the ntp process to the parent process, allowing for better privilege separation since the ntp process can be further restricted.
Fixed high CPU usage when the network is down.
Fixed various memory leaks.
Switched to RMS for jitter calculations.
Unified logging functions with other OpenBSD base programs.
Set MOD_MAXERROR to avoid unsynced time status when using ntp_adjtime.
Fixed HTTP Timestamp header parsing to use strptime(3) in a more portable fashion.
Hardened TLS for ntpd(8) constraints, enabling server name verification.
LibreSSL 2.4.2
User-visible features:
Fixed some broken manpage links in the install target.
cert.pem has been reorganized and synced with Mozilla's certificate store.
Reliability fix, correcting an error when parsing certain ASN.1 elements over 16k in size.
Implemented the IETF ChaCha20-Poly1305 cipher suites.
Fixed password prompts from openssl(1) to properly handle ^C.
Code improvements:
Fixed an nginx compatibility issue by adding an 'install_sw' build target.
Changed default EVP_aead_chacha20_poly1305(3) implementation to the IETF version, which is now the default.
Reworked error handling in libtls so that configuration errors are more visible.
Added missing error handling around bn_wexpand(3) calls.
Added explicit_bzero(3) calls for freed ASN.1 objects.
Fixed X509_*set_object functions to return 0 on allocation failure.
Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.
Fixed a problem that prevents the DSA signing algorithm from running in constant time even if the flag BN_FLG_CONSTTIME is set.
Fixed several issues in the OCSP code that could result in the incorrect generation and parsing of OCSP requests. This remediates a lack of error checking on time parsing in these functions, and ensures that only GENERALIZEDTIME formats are accepted for OCSP, as per RFC 6960.
The following CVEs have been fixed:
CVE-2016-2105-EVP_EncodeUpdate overflow.
CVE-2016-2106-EVP_EncryptUpdate overflow.
CVE-2016-2107-padding oracle in AES-NI CBC MAC check.
CVE-2016-2108-memory corruption in the ASN.1 encoder.
CVE-2016-2109-ASN.1 BIO excessive memory allocation.
Ports and packages:
New proot(1) tool in the ports tree for building packages in a chroot.
Many pre-built packages for each architecture:
alpha: 7422
amd64: 9433
hppa: 6346
i386: 9394
mips64: 7921
mips64el: 7767
powerpc: 8318
sparc64: 8570
Some highlights:
Afl 2.19b
Chromium 51.0.2704.106
Emacs 21.4 and 24.5
GCC 4.9.3
GHC 7.10.3
Gimp 2.8.16
GNOME 3.20.2
Go 1.6.3
Groff 1.22.3
JDK 7u80 and 8u72
KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
LLVM/Clang 3.8.0
LibreOffice 5.1.4.2
Lua 5.1.5, 5.2.4, and 5.3.3
MariaDB 10.0.25
Mono 4.4.0.182
Mozilla Firefox 45.2.0esr and 47.0.1
Mozilla Thunderbird 45.2.0
Mutt 1.6.2
Node.js 4.4.5
Ocaml 4.3.0
OpenLDAP 2.3.43 and 2.4.44
PHP 5.5.37, 5.6.23, and 7.0.8
Postfix 3.1.1 and 3.2-20160515
PostgreSQL 9.5.3
Python 2.7.12, 3.4.5, and 3.5.2
R 3.3.1
Ruby 1.8.7.374, 2.0.0.648, 2.1.9, 2.2.5, and 2.3.1
Rust 1.9.0-20160608
Sendmail 8.15.2
Sudo 1.8.17.1
Tcl/Tk 8.5.18 and 8.6.4
TeX Live 2015
Vim 7.4.1467
Xfce 4.12
As usual, steady improvements in manual pages and other documentation.
The system includes the following major components from outside suppliers:
Xenocara (based on X.Org 7.7 with xserver 1.18.3 + patches, freetype 2.6.3, fontconfig 2.11.1, Mesa 11.2.2, xterm 322, xkeyboard-config 2.18 and more)
GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
Perl 5.20.3 (+ patches)
SQLite 3.9.2 (+ patches)
NSD 4.1.10
Unbound 1.5.9
Ncurses 5.7
Binutils 2.17 (+ patches)
Gdb 6.3 (+ patches)
Awk Aug 10, 2011 version
Expat 2.1.1

What is new in version 6.1:

New/extended platforms:
armv7:
EFI bootloader added, kernels are now loaded from FFS instead of FAT or EXT filesystems, without U-Boot headers.
A single kernel and ramdisk are now used for all SoCs.
Hardware is dynamically enumerated via Flattened Device Tree (FDT) instead of via static tables based on board id numbers.
Miniroot installer images include U-Boot 2016.07 with support for EFI payloads.
vax:
Removed.
Improved hardware support, including:
New bytgpio(4) driver for the Intel Bay Trail GPIO controller.
New chvgpio(4) driver for the Intel Cherry View GPIO controller.
New maxrtc(4) driver for the Maxim DS1307 real time clock.
New nvme(4) driver for the Non-Volatile Memory Express (NVMe) host controller interface.
New pcfrtc(4) driver for the NXP PCF8523 real time clock.
New umb(4) driver for the Mobile Broadband Interface Model (MBIM).
New ure(4) driver for RealTek RTL8152 based 10/100 USB Ethernet devices.
New utvfu(4) driver for audio/video capture devices based on the Fushicai USBTV007.
The iwm(4) driver now supports Intel Wireless 3165 and 8260 devices, and works more reliably in RAMDISK kernels.
Support for I2C HID devices with GPIO signalled interrupts has been added to dwiic(4).
Support for larger bus widths, high speed modes, and DMA transfers has been added to sdmmc(4), rtsx(4), sdhc(4), and imxesdhc(4).
Support for EHCI and OHCI compliant USB controllers on Octeon II SoCs.
Many USB device drivers have been enabled on OpenBSD/octeon.
Improved support for hardware-reduced ACPI implementations.
Improved support for ACPI 5.0 implementations.
AES-NI crypto is now done without holding the kernel lock.
Improved AGP support on PowerPC G5 machines.
Added support for the SD card slot in Intel Bay Trail SoCs.
The ichiic(4) driver now ignores the SMBALERT# interrupt to prevent an interrupt storm with buggy BIOS implementations.
Device attachment problems with the axen(4) driver have been fixed.
The ral(4) driver is more stable under load with RT2860 devices.
Problems with dead keyboards after resume have been fixed in the pckbd(4) driver.
The rtsx(4) driver now supports RTS522A devices.
Initial support for MSI-X has been added.
Support MSI-X in the virtio(4) driver.
Added a workaround for hardware DMA overruns to the dc(4) driver.
The acpitz(4) driver now spins the fan down after cooling if ACPI uses hysteresis for active cooling.
The xhci(4) driver now performs handoff from an xHCI-capable BIOS correctly.
Support for multi-touch input has been added to the wsmouse(4) driver.
The uslcom(4) driver now supports the serial console of Aruba 7xxx wireless controllers.
The re(4) driver now works around broken LED configurations in APU1 EEPROMs.
The ehci(4) driver now works around problems with ATI USB controllers (e.g. SB700).
The xen(4) driver now supports domU configuration under Qubes OS.
IEEE 802.11 wireless stack improvements:
The HT block ack receive buffer logic follows the algorithm given in the 802.11-2012 spec more closely.
The iwn(4) driver now keeps track of HT protection changes while associated to an 11n AP.
The wireless stack and several drivers make more aggressive use of RTS/CTS to avoid interference from legacy devices and hidden nodes.
The netstat(1) -W command now shows information about 802.11n events.
In hostap mode, do not reuse association IDs of nodes which are still cached. Fixes a problem where an access point using the ral(4) driver would get stuck at 1 Mbps because Tx rate accounting happened on the wrong node object.
Generic network stack improvements:
The routing table is now based on ART offering a faster lookup.
The number of route lookup per packet has been reduced to 1 in the forwarding path.
The prio field on VLAN headers is now correctly set on each fragment of an IPv4 packet going out on a vlan(4) interface.
Enabled device cloning for bpf(4). This allows the system to have just one bpf device node in /dev that services all bpf consumers (up to 1024).
The Tx queue of the cnmac(4) driver can now be processed in parallel of the rest of the kernel.
Network input path is now run in thread context.
Installer improvements:
updated list of restricted usercodes
install.sh and upgrade.sh merged into install.sub
update automatically runs sysmerge(8) in batch mode before fw_update(1)
questions and answers are logged in a format that can be used as a response file for use by autoinstall(8)
/usr/local is set to wxallowed during install
Routing daemons and other userland network improvements:
Add routing table support to rc.d(8) and rcctl(8).
Let nc(1) support service names in addition to port numbers.
Add -M and -m TTL flags to nc(1).
Add AF_UNIX support to tcpbench(1).
Fixed a regression in rarpd(8). The daemon could hang if it was idle for a long time.
Added the llprio option in ifconfig(8).
Multiple programs that use bpf(4) have been modified to take advantage of bpf(4) device cloning by opening /dev/bpf0 instead of looping through /dev/bpf* devices. These programs include arp(8), dhclient(8), dhcpd(8), dhcrelay(8), hostapd(8), mopd(8), npppd(8), rarpd(8), rbootd(8), and tcpdump(8). The libpcap library has also been modified accordingly.
Security improvements:
W^X is now strictly enforced by default; a program can only violate it if the executable is marked with PT_OPENBSD_WXNEEDED and is located on a filesystem mounted with the wxallowed mount(8) option. Because there are still too many ports which violate W^X, the installer mounts the /usr/local filesystem with wxallowed. This allows the base system to be more secure as long as /usr/local is a separate filesystem. If you use no W^X violating programs, consider manually revoking that option.
The setjmp(3) family of functions now apply XOR cookies to stack and return-address values in the jmpbuf on amd64, hppa, i386, mips64, and powerpc.
SROP mitigation: sigreturn(2) can now only be used by the kernel-provided signal trampoline, with a cookie to detect attempts to reuse it.
To deter code reuse exploits, rc(8) re-links libc.so on startup, placing the objects in a random order.
In the getpwnam(3) family of functions, stop opening the shadow database by default.
Allow tcpdump(8) -r to be started without root privileges.
Remove systrace.
Remove Linux emulation support.
Remove support for the usermount option.
The TCP SYN cache reseeds its random hash function from time to time. This prevents an attacker from calculating the distribution of the hash function with a timing attack.
To work against SYN flooding attacks the administrator can change the size of the hash array now. netstat(1) -s -p tcp shows the relevant information to tune the SYN cache with sysctl(8) net.inet.tcp.
The administrator can require root privileges for binding to some TCP and UDP ports with sysctl(8) net.inet.tcp.rootonly and sysctl(8) net.inet.udp.rootonly.
Remove a function pointer from the mbuf(9) data structure and use an index into an array of acceptable functions instead.
Assorted improvements:
The thread library can now be loaded into a single-threaded process.
Improved symbol handling and standards compliance in libc. For example, defining an open() function will no longer interfere with the operation of fopen(3).
PT_TLS sections are now supported in initially loaded object.
Improved handling of "no paths" and "empty path" in fts(3).
In pcap(3), provide the functions pcap_free_datalinks() and pcap_offline_filter().
Many bugfixes and structural cleanup in the editline(3) library.
Remove ancient dbm(3) functions; ndbm(3) remains.
Add setenv keyword for more powerful environment handling in doas.conf(5).
Add -g and -p options to aucat.1 for time positioning.
Rewrite audioctl(1) with a simpler user interface.
Add -F option to install(1) to fsync(2) the file before closing it.
kdump(1) now dumps pollfd structures.
Improve various details of ksh(1) POSIX compliance.
mknod(8) rewritten in a pledge(2)-friendly style and to support creating multiple devices at once.
Implement rcctl(8) get all and getdef all.
Implement the rcs(1) -I (interactive) flag.
In rcs(1), implement Mdocdate keyword substitution.
In top(1), allow to filter process arguments if they are being displayed.
Added UTF-8 support to fold(1) and rev(1).
Enable UTF-8 by default in xterm(1) and pod2man(1).
Filter out non-ASCII characters in wall(1).
Handle the COLUMNS environment variable consistently across many programs.
The options -c and -k allow to provide TLS client certificates for syslogd(8) on the sending side. With that the receiving side can verify log messages are authentic. Note that syslogd does not have this check feature yet.
When the klog buffer overflows, syslogd will write a log message to show that some entries is missing.
On OpenBSD/octeon, CPU cache write buffering is enabled to improve performance.
pkg_add(1) and pkg_info(1) now understand a notion of branch to ease selection of some popular packages such as python or php, e.g., say pkg_add python%3.4 to select the 3.4 branch, and use pkg_info -zm to get a fuzzy listing with branch selection suitable for pkg_add -l.
fdisk(8) and pdisk(8) immediately exit unless passed a character special device
st(4) correctly tracks the current block count for variable sized blocks
fsck_ext2fs(8) works again
softraid(4) volumes can be constructed with disks that have a sector size other than 512 bytes
dhclient(8) DECLINE's and discards unused OFFER's.
dhclient(8) immediately exits if its interface (e.g. a bridge(4)) returns EAFNOSUPPORT when a packet is sent.
httpd(8) returns 400 Bad Request for HTTP v0.9 requests.
ffs2's lazy node initialization avoids treating random disk data as an inode
fcntl(2) invocations in base programs use the idiom fcntl(n,F_GETFL) instead of fcntl(n,F_GETFL,0)
socket(2) and accept4(2) invocations in base programs use SOCK_NONBLOCK to eliminate the need for a separate fcntl(2).
tmpfs not enabled by default
the in-kernel semantics of pledge(2) were improved in numerous ways. Highlights include: a new chown promise that allows pledged programs to set setugid attributes, a stricter enforcement of the recvfd promise and chroot(2) is no longer allowed for pledged programs.
a number of pledge(2)-related bugs (missing promises, unintended changes of behavior, crashes) were fixed, notably in gzip(1), nc(1), sed(1), skeyinit(1), stty(1), and various disk-related utilities, such as disklabel(8) and fdisk(8).
Block size calculation errors in the audio(4) driver have been fixed.
The usb(4) driver now caches vendor and product IDs. Fixes an issue where usbdevs(8) called in a loop would cause a USB mass storage device to halt operation.
The rsu(4) and ural(4) drivers are now working again after they were accidentally broken in 5.9.
OpenSMTPD 6.0.0
Security:
Implement the fork+exec pattern in smtpd(8).
Fix a logic issue in the SMTP state machine that can lead to an invalid state and result in a crash.
Plug a file-pointer leak that can lead to resource exhaustion and result in a crash.
Use automatic DH parameters instead of fixed ones.
Disable DHE by default since it is computationally expensive and a potential DoS vector.
The following improvements were brought in version 6.1:
Add the -r option to the smtpd(8) enqueuer for compatibility with mailx.
Add missing date or message-id when listening on the submit port.
Fix "smtpctl show queue" reporting "invalid" envelope state.
Rework the format of the "Received" header so that the TLS part does not violate the RFC.
Increase the number of connections a local address is allowed to establish, and decrease the delay between transactions in the same session.
Fix LMTP delivery to servers returning continuation lines.
Further improve the still experimental filter API and fix various related issues.
Start improving and unifying the format of log messages.
Fix several documentation discrepancies and typos in the man pages.
OpenSSH 7.3
Security:
sshd(8): Mitigate a potential denial-of-service attack against the system's crypt(3) function via sshd(8). An attacker could send very long passwords that would cause excessive CPU use in crypt(3). sshd(8) now refuses to accept password authentication requests of length greater than 1024 characters.
sshd(8): Mitigate timing differences in password authentication that could be used to discern valid from invalid account names when long passwords were sent and particular password hashing algorithms are in use on the server. CVE-2016-6210.
ssh(1), sshd(8): Fix observable timing weakness in the CBC padding oracle countermeasures. Note that CBC ciphers are disabled by default and only included for legacy compatibility.
ssh(1), sshd(8): Improve ordering of MAC verification for Encrypt-then-MAC (EtM) mode transport MAC algorithms to verify the MAC before decrypting any ciphertext. This removes the possibility of timing differences leaking facts about the plaintext, though no such leakage is known.
New/changed features:
ssh(1): Add a ProxyJump option and corresponding -J command-line flag to allow simplified indirection through a one or more SSH bastions or "jump hosts".
ssh(1): Add an IdentityAgent option to allow specifying specific agent sockets instead of accepting one from the environment.
ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to be optionally overridden when using ssh -W. (bz#2577)
ssh(1), sshd(8): Implement support for the IUTF8 terminal mode as per draft-sgtatham-secsh-iutf8-00.
ssh(1), sshd(8): Add support for additional fixed Diffie-Hellman 2K, 4K and 8K groups from draft-ietf-curdle-ssh-kex-sha2-03.
ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA signatures in certificates.
ssh(1): Add an Include directive for ssh_config(5) files.
ssh(1): Permit UTF-8 characters in pre-authentication banners sent from the server. (bz#2058)
The following significant bugs have been fixed in version 6.1:
In scp(1) and sftp(1), prevent screwing up terminal settings by escaping bytes not forming ASCII or UTF-8 characters.
ssh(1), sshd(8): Reduce the syslog level of some relatively common protocol events from LOG_CRIT. (bz#2585)
sshd(8): Refuse AuthenticationMethods="" in configurations and accept AuthenticationMethods=any for the default behaviour of not requiring multiple authentication. (bz#2398)
sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN ATTEMPT!" message when forward and reverse DNS don't match. (bz#2585)
ssh(1): Close ControlPersist background process stderr except in debug mode or when logging to syslog. (bz#1988)
misc: Make PROTOCOL description for direct-streamlocal@openssh.com channel open messages match deployed code. (bz#2529)
ssh(1): Deduplicate LocalForward and RemoteForward entries to fix failures when both ExitOnForwardFailure and hostname canonicalisation are enabled. (bz#2562)
sshd(8): Remove fallback from moduli to obsolete "primes" file that was deprecated in 2001. (bz#2559)
sshd_config(5): Correct description of UseDNS: it affects ssh hostname processing for authorized_keys, not known_hosts. (bz#2554)
ssh(1): Fix authentication using lone certificate keys in an agent without corresponding private keys on the filesystem. (bz#2550)
sshd(8): Send ClientAliveInterval pings when a time-based RekeyLimit is set; previously keepalive packets were not being sent. (bz#2252)
OpenNTPD 6.0
When a single "constraint" is specified, try all returned addresses until one succeeds, rather than the first returned address.
Relaxed the constraint error margin to be proportional to the number of NTP peers, avoid constant reconnections when there is a bad NTP peer.
Removed disabled hotplug(4) sensor support.
Added support for detecting crashes in constraint subprocesses.
Moved the execution of constraints from the ntp process to the parent process, allowing for better privilege separation since the ntp process can be further restricted.
Fixed high CPU usage when the network is down.
Fixed various memory leaks.
Switched to RMS for jitter calculations.
Unified logging functions with other OpenBSD base programs.
Set MOD_MAXERROR to avoid unsynced time status when using ntp_adjtime.
Fixed HTTP Timestamp header parsing to use strptime(3) in a more portable fashion.
Hardened TLS for ntpd(8) constraints, enabling server name verification.
LibreSSL 2.4.2
User-visible features:
Fixed some broken manpage links in the install target.
cert.pem has been reorganized and synced with Mozilla's certificate store.
Reliability fix, correcting an error when parsing certain ASN.1 elements over 16k in size.
Implemented the IETF ChaCha20-Poly1305 cipher suites.
Fixed password prompts from openssl(1) to properly handle ^C.
Code improvements:
Fixed an nginx compatibility issue by adding an 'install_sw' build target.
Changed default EVP_aead_chacha20_poly1305(3) implementation to the IETF version, which is now the default.
Reworked error handling in libtls so that configuration errors are more visible.
Added missing error handling around bn_wexpand(3) calls.
Added explicit_bzero(3) calls for freed ASN.1 objects.
Fixed X509_*set_object functions to return 0 on allocation failure.
Deprecated internal use of EVP_[Cipher|Encrypt|Decrypt]_Final.
Fixed a problem that prevents the DSA signing algorithm from running in constant time even if the flag BN_FLG_CONSTTIME is set.
Fixed several issues in the OCSP code that could result in the incorrect generation and parsing of OCSP requests. This remediates a lack of error checking on time parsing in these functions, and ensures that only GENERALIZEDTIME formats are accepted for OCSP, as per RFC 6960.
The following CVEs have been fixed:
CVE-2016-2105-EVP_EncodeUpdate overflow.
CVE-2016-2106-EVP_EncryptUpdate overflow.
CVE-2016-2107-padding oracle in AES-NI CBC MAC check.
CVE-2016-2108-memory corruption in the ASN.1 encoder.
CVE-2016-2109-ASN.1 BIO excessive memory allocation.
Ports and packages:
New proot(1) tool in the ports tree for building packages in a chroot.
Many pre-built packages for each architecture:
alpha: 7422
amd64: 9433
hppa: 6346
i386: 9394
mips64: 7921
mips64el: 7767
powerpc: 8318
sparc64: 8570
Some highlights:
Afl 2.19b
Chromium 51.0.2704.106
Emacs 21.4 and 24.5
GCC 4.9.3
GHC 7.10.3
Gimp 2.8.16
GNOME 3.20.2
Go 1.6.3
Groff 1.22.3
JDK 7u80 and 8u72
KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
LLVM/Clang 3.8.0
LibreOffice 5.1.4.2
Lua 5.1.5, 5.2.4, and 5.3.3
MariaDB 10.0.25
Mono 4.4.0.182
Mozilla Firefox 45.2.0esr and 47.0.1
Mozilla Thunderbird 45.2.0
Mutt 1.6.2
Node.js 4.4.5
Ocaml 4.3.0
OpenLDAP 2.3.43 and 2.4.44
PHP 5.5.37, 5.6.23, and 7.0.8
Postfix 3.1.1 and 3.2-20160515
PostgreSQL 9.5.3
Python 2.7.12, 3.4.5, and 3.5.2
R 3.3.1
Ruby 1.8.7.374, 2.0.0.648, 2.1.9, 2.2.5, and 2.3.1
Rust 1.9.0-20160608
Sendmail 8.15.2
Sudo 1.8.17.1
Tcl/Tk 8.5.18 and 8.6.4
TeX Live 2015
Vim 7.4.1467
Xfce 4.12
As usual, steady improvements in manual pages and other documentation.
The system includes the following major components from outside suppliers:
Xenocara (based on X.Org 7.7 with xserver 1.18.3 + patches, freetype 2.6.3, fontconfig 2.11.1, Mesa 11.2.2, xterm 322, xkeyboard-config 2.18 and more)
GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
Perl 5.20.3 (+ patches)
SQLite 3.9.2 (+ patches)
NSD 4.1.10
Unbound 1.5.9
Ncurses 5.7
Binutils 2.17 (+ patches)
Gdb 6.3 (+ patches)
Awk Aug 10, 2011 version
Expat 2.1.1

17 Aug 18 in System Utilities, Operating Systems & Updates

Search by Category

OpenBSD

Availability, boot options, supported platforms

Manual or automatic installation

Bottom line

Similar Software

DruidBSD

TBD Stock Sensation XL Gen3 EU & TMO

Redux2 HD2

Inferno Operating System

Comments to OpenBSD

Comments not found

Add Comment

Search by Category

Search by Category

Popular software

Longene 12 May 15

SmartOS 17 Aug 18

OpenIndiana 19 Jun 17

Dorimanx-ROM-HIGH-END 14 Apr 15

TeX Live 20 Feb 15

NexentaStor Enterprise Edition 18 Jul 15

OpenSXCE 20 Feb 15

OpenBSD

Availability, boot options, supported platforms

Manual or automatic installation

Bottom line

Similar Software

DruidBSD

TBD Stock Sensation XL Gen3 EU & TMO

Redux2 HD2

Inferno Operating System

Comments to OpenBSD

Comments not found

Add Comment

Search by Category

Popular software

Haiku 20 Feb 15

LightBSD 20 Feb 15

AROS 3 Jun 15

NuttX 10 May 15

0MQ 15 Apr 15

LinuxConsole 20 Jan 18

Linux Kernel 17 Aug 18