-
Notifications
You must be signed in to change notification settings - Fork 42
/
Copy path75.html
1252 lines (1155 loc) · 54.7 KB
/
75.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<!doctype html>
<html lang=en id=release>
<head>
<meta charset=utf-8>
<title>OpenBSD 7.5</title>
<meta name="description" content="OpenBSD 7.5">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/75.html">
</head><body>
<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
7.5
</h2>
<table>
<tr>
<td>
<a href="images/King_of_Kings.jpg">
<img width="227" height="303" src="images/King_of_Kings-s.gif" alt="King of Kings"></a>
<td>
Released Apr 5, 2024. (56th OpenBSD release)<br>
Copyright 1997-2024, Theo de Raadt.<br>
<br>
Artwork by Stipan Morian.
<br>
<ul>
<li>See the information on <a href="ftp.html">the FTP page</a> for
a list of mirror machines.
<li>Go to the <code class=reldir>pub/OpenBSD/7.5/</code> directory on
one of the mirror sites.
<li>Have a look at <a href="errata75.html">the 7.5 errata page</a> for a list
of bugs and workarounds.
<li>See a <a href="plus75.html">detailed log of changes</a> between the
7.4 and 7.5 releases.
<p>
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
pubkeys for this release:<p>
<table class=signify>
<tr><td>
openbsd-75-base.pub:
<td>
<a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/openbsd-75-base.pub">
RWRGj1pRpprAfgeF/rgld4ubduChLvTkigA1Zj7WLDsVA4qfYSWOEI8q
</a><tr><td>
openbsd-75-fw.pub:
<td>
RWQ6EsXr4NMYvyLICug3dLHfmbpXlVasF1jbt3GVNQsosgB5+PgaufBu
<tr><td>
openbsd-75-pkg.pub:
<td>
RWS/sEFDvf+rjUmS1WROzxH05pB1kB7JRRq76DUGUhCE0Ks8AdpjP5pD
<tr><td>
openbsd-75-syspatch.pub:
<td>
RWRAAZC5WcFgn+8b5msDR+yDVCx4ziLaSQI2sy7e4GFY42nFW9p7mP2t
</table>
</ul>
<p>
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via <code>ports.tar.gz</code>.
</table>
<hr>
<section id=new>
<h3>What's New</h3>
<p>
This is a partial list of new features and systems included in OpenBSD 7.5.
For a comprehensive list, see the <a href="plus75.html">changelog</a> leading <!-- plus? XXX -->
to 7.5.
<ul>
<!--
<li>New/extended platforms:
<ul>
<li>...
</ul>
-->
<li>Various kernel improvements:
<ul>
<li>Added <a href="https://man.openbsd.org/bt.5">bt(5)</a> and <a
href="https://man.openbsd.org/btrace.8">btrace(8)</a> support for
binary modulo operator ('%').
<li>Added a TIMEOUT_MPSAFE flag to <a
href="https://man.openbsd.org/timeout.9">timeout(9)</a>.
<li>Added IBM encoded version of the "Spleen 8x16" font, usable as console font.
<li>Cleanup and machine-independent refactoring of three context
switch paths outside of mi_switch(): when a process forks and the new
proc needs to be scheduled by proc_trampoline, cpu_hatch: when booting
APs, and sched_exit: when a proc exits.
<li>Made <a href="https://man.openbsd.org/vscsi.4">vscsi(4)</a>
'vscsi_filtops' mpsafe and extended the 'sc_state_mtx' <a
href="https://man.openbsd.org/mutex.9">mutex(9)</a> to protect
'sc_klist' knotes list.
<li>Made out-of-swap checking more robust, preventing potential deadlocks.
<li>Eliminated the ioctl whitelist that <a
href="https://man.openbsd.org/bio.4">bio(4)</a> will tunnel for other
devices, allowing bio to be used with other (non-raid) related
devices.
<li>On msdos filesystems, ensure that a complete struct fsinfo is read
even if the filesystem sectors are smaller.
<li>Implemented per-CPU caching for the page table page (vp) pool and
the PTE descriptor (pted) pool in the arm64 pmap implementation. This
significantly reduces the side-effects of lock contention on the
kernel map lock and leads to significant speedups on machines with
many CPU cores.
<li>Implemented <a href="https://man.openbsd.org/acpi.4">acpi(4)</a>
RootPathString support in the LoadTable() AML function, fixing OpenBSD
boot on an older version of Hyper-V.
<li>Fixed Linux NFS clients freezing after five minutes of inactivity.
<li>Fixed core file writing when a file map into memory has later been
truncated to be smaller than the mapping.
<li>Disallow <a
href="https://man.openbsd.org/madvise.2">madvise(2)</a> and <a
href="https://man.openbsd.org/msync.2">msync(2)</a> memory/mapping
destructive operations on immutable memory regions. Instead return EPERM.
<li>Added new amd64-only sysctl machdep.retpoline which says whether
the cpu requires the retpoline branch target injection mitigation.
<li>Added new accounting flag ABTCFI to <a
href="https://man.openbsd.org/acct.5">acct(5)</a> to indicate SIGILL +
code ILL_BTCFI has occurred in the process.
</ul>
<li>SMP Improvements
<ul>
<li>Some network timers run without kernel lock.
<li>TCP syn cache timer runs with shared net lock.
<li><a href="https://man.openbsd.org/bind.2">bind(2)</a>
and <a href="https://man.openbsd.org/connect.2">connect(2)</a>
system calls can run in parallel.
<li>Packet counter for <a
href="https://man.openbsd.org/lo.4">lo(4)</a> loopback
interface are MP safe.
<li>Split protocol control block table for UDP into IPv4
and IPv6 tables to allow concurrent access.
<li>UDP packets can be sent in parallel by multiple threads.
</ul>
<li>Direct Rendering Manager and graphics drivers
<ul>
<li>Updated <a href="https://man.openbsd.org/drm.4">drm(4)</a>
to Linux 6.6.19.
<li>New <a href="https://man.openbsd.org/arm64/apldcp.4">apldcp(4)</a> and
<a href="https://man.openbsd.org/arm64/apldrm.4">apldrm(4)</a> drivers
for Apple display coprocessor.
</ul>
<li>VMM/VMD improvements
<ul>
<li>Fixed IRQ storm caused by edge-triggered devices such as the UART.
<li>Fixed block size calculation for vioscsi devices.
<li>Added io instruction length to vm exit information, allowing
<a href="https://man.openbsd.org/vmd.8">vmd(8)</a> to perform validation
in userspace.
<li>Adopted new <a href="https://man.openbsd.org/imsg_init.3">imsg_get_*(3)</a>
api.
<li>Rewrote vionet devices to allow zero-copy data transfers between host and
guest.
<li>Improved error messages related to <a href="https://man.openbsd.org/getgrnam.3">
getgrnam(3)</a> usage and out of <a href="https://man.openbsd.org/tap.4">tap(4)
</a> device conditions.
<li>Fixed various things found by smatch static analyzer.
<li>Fixed various file descriptor lifecycle issues and leaks across
<a href="https://man.openbsd.org/fork.2">fork(2)</a>/
<a href="https://man.openbsd.org/execve.2">execve(2)</a> usage.
<li>Added multi-threading support to vionet device emulation, improving latency.
<li>Fixed <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> instability on Intel
VMX hosts by updating GDTR & TR if vcpu moves host cpus.
<li>Added EPT flushing upon <a href="https://man.openbsd.org/vmm.4">vmm(4)</a>
enabling VMX mode.
<li>Added branch predictor flushing if IBPB is supported.
<li>Corrected restoring GDTR and IDTR limits upon VMX guest exit.
<li>Corrected handling of CPUID 0xd subleaves
<li>Added additional use of VERW and register clobbering to mitigate RFDS
vulnerabilities on Intel Atom cores.
</ul>
<li>Various new userland features:
<ul>
<li>Made <a href="https://man.openbsd.org/malloc.3">malloc(3)</a> save
backtraces to show in leak dump with depth of backtrace set via malloc
option D (aka 1), 2, 3 or 4.
<li>Added support for <a
href="https://man.openbsd.org/cksum.1">cksum(1)</a> -c checking base64
digests in reverse mode.
<li>Added <a href="https://man.openbsd.org/kdump.1">kdump(1)</a> [-p
program] to filter dumps by basename.
<li>Made <a href="https://man.openbsd.org/ps.1">ps(1)</a> accept numerical user IDs.
<li>Built and provide the tzdata.zi and leap-seconds.list files from
zoneinfo. Some third-party software now expects these files to be
installed. Provide the zonenow.tab file, a table where each row
stands for a timezone where civil timestamps are predicted to agree
from now on.
<li>Added basic write support for <a
href="https://man.openbsd.org/pax.1">pax(1)</a> format archives.
<li>Added 'pax' format support for files over 8GB to <a
href="https://man.openbsd.org/tar.1">tar(1)</a>.
<li>Added 'pax' format support for mtime and atime to <a
href="https://man.openbsd.org/tar.1">tar(1)</a>.
<li>Extended <a href="https://man.openbsd.org/imsg_init.3">imsg</a>
and the <a href="https://man.openbsd.org/ibuf_add.3">ibuf</a> buffer
manipulation API with useful getter methods. Unified file descriptor
passing in all imsg using programs with the use of the imsg_get_fd()
function.
<li>Added <a
href="https://man.openbsd.org/mkdtemps.3">mkdtemps(3)</a>, identical
to <a href="https://man.openbsd.org/mkdtemp.3">mkdtemp(3)</a> except
that it permits a suffix to exist in the template.
<li>Added <a href="https://man.openbsd.org/mktemp.1">mktemp(1)</a>
suffix support for compatibility with the GNU version. It is now
possible to use templates where the Xs are not at the end.
</ul>
<li>Various bugfixes and tweaks in userland:
<ul>
<li>Silenced list of specific firmware not needing update in <a
href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a>.
<li>Improved <a href="https://man.openbsd.org/ls.1">ls(1)</a> horizontal alignment in long format.
<li>Added <a href="https://man.openbsd.org/bioctl.8">bioctl(8)</a> retry on empty passphrase.
<li>Fixed <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> in
<a href="https://man.openbsd.org/patch.1">patch(1)</a> with explicit
patchfile.
<li>Made gnu99 the default for gcc 3.3.6 and 4.2.1 rather than defaulting to gnu89.
<!-- fdisk -->
<li>Enhanced <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> 'flag' to accept hex values.
<li>Prevented <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
'flag' from altering other GPT partition attributes when flagging a
partition as the only bootable partition.
<li>Allow <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> to
add GPT partitions of protected types, making it possible to provision
virtual machine images that need a "BIOS Boot" partition.
<li>Added group handling matching <a
href="https://man.openbsd.org/fbtab.5">fbtab(5)</a> to xenodm.
<li>Made <a href="https://man.openbsd.org/grep.1">grep(1)</a> -m behavior match GNU grep.
<li>Tweaked the default memory limits in /etc/login.conf on several
architectures to account for increased memory requirements, for
example when compiling or linking under user pbuild.
<li>Initialize all terminals with "tset -I", thereby avoiding extra
newlines to be printed.
<li>Added <a href="https://man.openbsd.org/mkhybrid.8">mkhybrid(8)</a>
'-e' (-eltorito-boot-efi) option for writing an EFI eltorito boot
image, in addition to or instead of the x86 boot image, to the output
file.
<li>Added <a
href="https://man.openbsd.org/openrsync.1">openrsync(1)</a>
--omit-dir-times (-O) to omit directories from --times, as well as
--no-O and --no-omit-dir-times options for compatibility.
<li>Implemented <a href="https://man.openbsd.org/openrsync.1">openrsync(1)</a>
--omit-link-times (-J) option to omit symlinks from --times.
<li>Added accounting flag and <a
href="https://man.openbsd.org/lastcomm.1">lastcomm(1)</a> report for
<a href="https://man.openbsd.org/pinsyscalls.2">syscall pinning</a> violations.
<li>Added <a href="https://man.openbsd.org/ktrace.1">ktrace(1)</a> and
<a href="https://man.openbsd.org/kdump.1">kdump(1)</a> support to
observe <a
href="https://man.openbsd.org/pinsyscall.2">pinsyscall(2)</a>
violations.
<li>Changed <a href="https://man.openbsd.org/ftp.1">ftp(1)</a> to
avoid use of the interactive shell if -o is given.
<li>Moved non-daemon services to run in a different <a
href="https://man.openbsd.org/rc.8">rc(8)</a> process group to avoid
SIGHUP at boot.
<li>Changed <a
href="https://man.openbsd.org/ld.so.1">ld.so(1)</a> to only load the first libc version encountered
requested and substituting it for all further loads, ensuring that the
libc version requested by an executable itself is the one loaded.
<li>Significantly (for small programs) reduce the size of statically
linked binaries by splitting several libc internal functions into
separate compilation and thus linkage units. Specifically <a
href="https://man.openbsd.org/getpwnam.3">getpwnam(3)</a> does not
need the full YP socket setup and does not use all possible <a
href="https://man.openbsd.org/dbopen.3">dbopen(3)</a> database
backends.
<li>Added <a href="https://man.openbsd.org/vi.1">vi(1)</a>
showfilename set option to display the file name in the lower left
corner.
<li>Added backup of disklabel for <a
href="https://man.openbsd.org/softraid.4">softraid(4)</a> chunks to <a
href="https://man.openbsd.org/security.8">security(8)</a>.
</ul>
<li>Improved hardware support and driver bugfixes, including:
<ul>
<li>New <a href="https://man.openbsd.org/arm64/ampchwm.4">ampchwm(4)</a>
driver for Ampere Altra power telemetry.
<li>New <a href="https://man.openbsd.org/rkspi.4">rkspi(4)</a>
driver for Rockchip SPI controller.
<li>Support for RK806 PMIC in
<a href="https://man.openbsd.org/rkpmic.4">rkpmic(4)</a>.
<li>Support for Allwinner H616 in
<a href="https://man.openbsd.org/sxisyscon.4">sxisyscon(4)</a>,
<a href="https://man.openbsd.org/sxiccmu.4">sxiccmu(4)</a>,
<a href="https://man.openbsd.org/sxipio.4">sxipio(4)</a>,
<a href="https://man.openbsd.org/sximmc.4">sximmc(4)</a> and
<a href="https://man.openbsd.org/ehci.4">ehci(4)</a>.
<li>Support for Allwinner D1 in
<a href="https://man.openbsd.org/sxidog.4">sxidog(4)</a>,
<a href="https://man.openbsd.org/sxiccmu.4">sxiccmu(4)</a>,
<a href="https://man.openbsd.org/sxipio.4">sxipio(4)</a>,
<a href="https://man.openbsd.org/sximmc.4">sximmc(4)</a> and
<a href="https://man.openbsd.org/ehci.4">ehci(4)</a>.
<li>Support for Aero and Sea SAS HBAs in
<a href="https://man.openbsd.org/mpii.4">mpii(4)</a>.
<li>Support for SAS3816 and SAS3916 in
<a href="https://man.openbsd.org/mfii.4">mfii(4)</a>.
<li>In <a href="https://man.openbsd.org/xbf.4">xbf(4)</a>, allowed Xen
to use backing store devices with 4K-byte sectors.
<li>Added <a href="https://man.openbsd.org/fanpwr.4">fanpwr(4)</a>
support for the Rockchip RK8602 and RK8603 voltage regulators.
<li>Support keyboard backlights on Apple Powerbooks.
<li>Added operating performance point info about each arm64 cpu and
expose the states of thermal zones as <a
href="https://man.openbsd.org/kstat.1">kstats(1)</a>.
<li>Overhauled <a
href="https://man.openbsd.org/ugold.4">ugold(4)</a> temperature sensor
identification logic and added support for additional devices.
<li>Made <a href="https://man.openbsd.org/uthum.4">uthum(4)</a>
TEMPer{1,2} devices display negative degC.
<li>Improve support for audio devices that via attach multiple <a
href="https://man.openbsd.org/uaudio.4">uaudio(4)</a> drivers.
<li>In <a href="https://man.openbsd.org/nvme.4">nvme(4)</a> don't create
<a href="https://man.openbsd.org/sd.4">sd(4)</a> devices larger than the namespace.
<li>Fix <a href="https://man.openbsd.org/nvme.4">nvme(4)</a> decoding of status fields.
</ul>
<li>New or improved network hardware support:
<ul>
<li>Utilize full checksum offload capabilities of
<a href="https://man.openbsd.org/vio.4">vio(4)</a> and
<a href="https://man.openbsd.org/vmx.4">vmx(4)</a>.
<li>TCP Segmentation Offload (TSO) is also used in
<a href="https://man.openbsd.org/bnxt.4">bnxt(4)</a> and
<a href="https://man.openbsd.org/em.4">em(4)</a>.
<li>Enabled TCP Segmentation Offload (TSO) in <a
href="https://man.openbsd.org/ixl.4">ixl(4)</a>.
<li>The Synopsys Ethernet Quality-of-Service Controller
(<a href="https://man.openbsd.org/dwqe.4">dwqe(4)</a>) is enabled for
amd64.
<li>Added initial support for Elkhart Lake Ethernet to <a
href="https://man.openbsd.org/dwqe.4">dwqe(4)</a>.
<li>Support for AX88179A in
<a href="https://man.openbsd.org/axen.4">axen(4)</a>.
<li>Intel I225 and I226 Ethernet Controller
<a href="https://man.openbsd.org/igc.4">igc(4)</a> enabled for
sparc64.
<li>Allwinner EMAC Ethernet Controller
<a href="https://man.openbsd.org/dwxe.4">dwxe(4)</a> enabled for
riscv64.
<li>Corrected wrong register offset macros for <a
href="https://man.openbsd.org/dwqe.4">dwqe(4)</a> DMA burst length.
<li>Fixed Tx watchdog trigger and freeze in <a
href="https://man.openbsd.org/dwqe.4">dwqe(4)</a>.
<li>Updated <a href="https://man.openbsd.org/rge.4">rge(4)</a>
microcode, initialization and reset behavior.
<li>Prevented a potential <a
href="https://man.openbsd.org/bnxt.4">bnxt(4)</a> crash after failure
to bring up a queue.
</ul>
<li>Added or improved wireless network drivers:
<ul>
<li>Introduce <a href="https://man.openbsd.org/qwx.4">qwx(4)</a>,
a port of the Linux ath11k driver for QCNFA765 devices.
Available on the amd64 and arm64 platforms.
<li>Fix Tx rate selection for management frames in
<a href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
<li>Fix <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> loading the wrong
firmware image on some devices.
<li>Make <a href="https://man.openbsd.org/bfwm.4">bwfm(4)</a> work with MAC
addresses set via ifconfig lladdr.
<li>Ensure that <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> uses the
80MHz primary channel index announced in beacons.
<li>Avoid using MCS-9 in <a href="https://man.openbsd.org/iwm.4">iwm(4)</a>
Tx rate selection if 40 MHz is disabled to prevent firmware errors.
<li>Ensure that <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and
<a href="https://man.openbsd.org/iwx.4">iwx(4)</a> devices announce VHT
capabilities in probe requests.
<li>Fix bug in <a href="https://man.openbsd.org/iwm.4">iwm(4)</a>,
<a href="https://man.openbsd.org/iwx.4">iwx(4)</a>, and
<a href="https://man.openbsd.org/iwn.4">iwn(4)</a> which could result
in some channels missing from scan results.
<li>Enable <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> on the
arm64 platform.
</ul>
<li>IEEE 802.11 wireless stack improvements and bugfixes:
<ul>
<li> Ignore 40/80 MHz wide channel configurations which do not appear
in the 802.11ac spec. This prevents device firmware errors which
occurred when an access point announced an invalid channel configuration.
</ul>
<li>Installer, upgrade and bootloader improvements:
<ul>
<li>Add support for disk encryption in unattended installations with
<a href="https://man.openbsd.org/autoinstall.8">autoinstall(8)</a>,
both with a plaintext passphrase or a keydisk.
<li>Removed default sets answer in <a
href="https://man.openbsd.org/autoinstall.8">autoinstall(8)</a>
response file such that it now populates only with non-defaults.
<li>Made <a
href="https://man.openbsd.org/fw_update.8">fw_update(8)</a> verify but
not overwrite SHA256.sig.
<li>Improved <a
href="https://man.openbsd.org/fw_update.8">fw_update(8)</a> output on
errors and improved ftp error handling.
<li>Added support in the installer to encrypt the root disk with a key disk.
<li>Prevent re-starting the automatic upgrade on octeon and
powerpc64, as is already done on other platforms.
<li>Added CD install images to arm64.
<li>Make the amd64 cdXX.iso and installXX.iso CD images bootable in
EFI mode (by creating an EFI system partition containing the EFI boot
loaders to be installed as an El Torito boot image).
</ul>
<li>Security improvements:
<ul>
<li>Introduce pinsyscalls(2): The kernel and <a
href="https://man.openbsd.org/ld.so.1">ld.so(1)</a> register the
precise entry location of every system call used by a program, as
described in the new ELF section .openbsd.syscalls inside ld.so and
libc.so. ld.so uses the new syscall <a
href="https://man.openbsd.org/pinsyscalls.2">pinsyscalls(2)</a> to
tell the kernel the precise entry location of system calls in
libc.so.<br>
Attempting to use a different system call entry instruction to
perform a non-corresponding system call operation will fail and the
process will be terminated with signal SIGABRT.
<li>Removed support for <a
href="https://man.openbsd.org/syscall.2">syscall(2)</a>, the
"indirection system call," a dangerous alternative entry point for all
system calls.<br>
Together with <a
href="https://man.openbsd.org/pinsyscalls.2">pinsyscalls(2)</a> this
change makes it impossible to perform system call through any other
way than the libc system call wrapper functions.<br>
Users of syscall(2), such as Perl and the Go programming
language were converted to use the libc functions.
<li>Added <a href="https://man.openbsd.org/pledge.2">pledge(2)</a>
stdio before parsing pfkey messages to <a
href="https://man.openbsd.org/ipsecctl.8">ipsecctl(8)</a> -m and -s.
<li>Tightened the <a
href="https://man.openbsd.org/pledge.2">pledge(2)</a> in <a
href="https://man.openbsd.org/pax.1">pax(1)</a> in List and Append
modes.
<li>Created __OpenBSD versions of llvm cxa guard implementation
using <a href="https://man.openbsd.org/futex.2">futex(2)</a> with the
correct number of arguments and without using <a
href="https://man.openbsd.org/syscall.2">syscall(2)</a>.
<li>Improvements in Pointer Authentication (PAC) and Branch Target
Identification (BTI) on arm64.
</ul>
<li>Changes in the network stack:
<ul>
<li>Enable IPv6 support in <a
href="https://man.openbsd.org/ppp.4">ppp(4)</a>
<li>Socket with sequenced packet type and control messages
handle end of record correctly.
<li>The routing table has a generation number. That means
cached routes at sockets will be invalidated when the routing
table changes. Especially with dynamic routing daemons
local connections use the up to date route.
<li>Route cache hits an misses are printed in
<a href="https://man.openbsd.org/netstat.1">netstat(1)</a>
statistics.
<li>Prevented <a href="https://man.openbsd.org/wg.4">wg(4)</a>
getting stuck on peer destruction.
<li>Made <a href="https://man.openbsd.org/umb.4">umb(4)</a> delete any
existing v4 address before setting a new one, allowing keeping of a
working default route when the address changes.
<li>Forwarded TCP LRO disabling to parent devices and disabled TCP LR0
on bridged <a href="https://man.openbsd.org/vlan.4">vlan(4)</a> and
default for <a href="https://man.openbsd.org/bpe.4">bpe(4)</a>, <a
href="https://man.openbsd.org/nvgre.4">nvgre(4)</a> and <a
href="https://man.openbsd.org/vxlan.4">vxlan(4)</a>.
<li>Fixed race between <a
href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> destroy of
an interface and the ARP timer.
<li>Added statistics counters for the route cache, reporting cache
hits and misses. This is shown in <a
href="https://man.openbsd.org/netstat.1">netstat(1)</a> with
<code>netstat -s</code>.
</ul>
<li>The following changes were made to the <a
href="https://man.openbsd.org/pf.4">pf(4)</a> firewall:
<ul>
<li>tcpdump on <a
href="https://man.openbsd.org/pflog.4">pflog(4)</a> interface shows
packets dropped by the default rule with the "block" action. Although
the default rules is a "pass" rule, it blocks malformed packets. Now
this is correctly logged.
<li>Adjustments to keep up firewall aware of MP related changes in
the network stack.
<li>Fix handling of multiple <code>-K</code>(<code>-k</code>) options in
<a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a>, so behavior
matches what's described in manual.
<li>Make <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a> show
all tables in all anchors with <code>pfctl -a "*" -sT</code>.
<li>Added check to ensure <a
href="https://man.openbsd.org/pfctl.8">pfctl(8)</a> -f won't accept a
directory and install an empty ruleset.
<li>Added validation for IPv4 packet options in <a
href="https://man.openbsd.org/divert.4">divert(4)</a>.
</ul>
<li>Routing daemons and other userland network improvements:
<ul>
<li>IPsec support was improved:
<ul>
<li>Made <a href="https://man.openbsd.org/iked.8">iked(8)</a> always
prefer group from the initial KE payload as responder if supported.
<li>Corrected renewal of expired certificates in <a
href="https://man.openbsd.org/iked.8">iked(8)</a>.
<li>Added an <a href="https://man.openbsd.org/iked.8">iked(8)</a>
debug message when no policy is found.
<li>Implemented a per connection peerid for <a
href="https://man.openbsd.org/iked.8">iked(8)</a> control replies.
<li>Made <a href="https://man.openbsd.org/iked.8">iked(8)</a>
trigger retransmission only for fragment 1/x to prevent each received
fragment triggering retransmission of the full fragment queue.
<li>Prevent routing loops by dropping already encrypted packets that are going through <a
href="https://man.openbsd.org/sec.4">sec(4)</a> again.
</ul>
<li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>,
<ul>
<li>Rewrite the internal message passing mechanism to use a new
memory-safe API.
<li>Rewrite most protocol parsers to use the new memory-safe API.
Convert the UPDATE parser, all of RTR, as well as both the MRT dump
code in bgpd and the parser in bgpctl.
<li>Improve RTR logging, error handling and version negotiation.
</ul>
<li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> saw these and more changes:
<ul>
<li>Add ability to constrain an RPKI Trust Anchor's effective signing
authority to a limited set of Internet numbers. This allows Relying
Parties to enjoy the potential benefits of assuming trust, but within
a bounded scope.
<li>Following a 'failed fetch' (described in RFC 9286), emit a warning and
continue with a previously cached Manifest file.
<li>Emit a warning when the remote repository presents a Manifest with an
unexpected manifestNumber.
<li>Improved CRL extension checking.
<li>Experimental support for the P-256 signature algorithm.
<!-- 8.8. -->
<li>A failed manifest fetch could result in a NULL pointer dereference or
a use after free.
<li>Reject non-conforming RRDP delta elements that contain neither publish
nor a withdraw element and fall back to the RRDP snapshot.
<li>Refactoring and minor bug fixes in the warning display functions.
<!-- 8.9 -->
<li>The handling of manifests fetched via rsync or RRDP was reworked to
fully conform to RFC 9286.
<li>Fix a race condition between closing an idle connection and scheduling a
new request on it.
<li>The evaluation time specified with -P now also applies to trust anchor
certificates.
<li>Check that the entire CMS eContent was consumed. Previously, trailing
data would be silently discarded on deserialization of products.
<li>In file mode do not consider overclaiming intermediate CA certificates
as invalid. OAA warning is still issued.
<li>Print the revocation time of certificates in file mode.
<li>Be more careful when converting OpenSSL numeric identifiers (NIDs)
to strings.
<!-- 9.0 -->
<li>Added support for RPKI Signed Prefix Lists.
<li>Added an -x flag to opt into parsing and evaluation of file types that are
still considered experimental.
<li>Added a metric to track the number of new files that were moved to the
validated cache.
<li>Ensure that the FileAndHashes list in a Manifest contains no duplicate
file names and no duplicate hashes.
</ul>
<li>In <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>,
<ul>
<li>Add <code>Message-Id</code> as needed for messages received on
the submission port.
<li>Added support for RFC 7505 "Null MX" handling and treat
an MX of "localhost" as it were a "Null MX".
<li>Allow inline tables and filter listings in
<a href="https://man.openbsd.org/smtpd.conf.5">smtpd.conf(5)</a>
to span over multiple lines.
<li>Enabled <abbr title="Delivery Status Notification">DSN</abbr>
for the implicit socket too.
<li>Added the
<a href="https://man.openbsd.org/smtpd.conf.5#no-dsn~2">no-dsn</a>
option for <code>listen on socket</code> too.
<li>Reject headers that start with a space or a tab.
<li>Fixed parsing of the <code>ORCPT</code> parameter.
<li>Fixed table lookups of IPv6 addresses.
<li>Fixed handling of escape characters in To, From and Cc headers.
<li>Run <abbr title="Local Mail Transfer Protocol">LMTP</abbr>
deliveries as the recipient user again.
<li>Disallow custom commands and file reading in root's
<code>.forward</code> file.
<li>Do not process other users <code>.forward</code> files when
an alternate delivery user is provided in a dispatcher.
<li>Unify the <a href="https://man.openbsd.org/table.5">table(5)</a>
parser used in
<a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> and
<a href="https://man.openbsd.org/makemap.8">makemap(8)</a>.
<li>Allow to use <a href="https://man.openbsd.org/table.5">table(5)</a>
mappings on various match constraints.
</ul>
<!-- OTHER -->
<li>Many other changes in various network programs and libraries:
<ul>
<!-- syslogd -->
<li>If a DNS name is configured as remote syslog server,
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
retries to resolve the loghost name periodically until it succeeds.
UDP packets that get lost during that period are counted and
logged later.
<li>Added counting of dropped UDP packets to <a
href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>.
<li>Prevented use after free of TLS context at <a
href="https://man.openbsd.org/syslogd.8">syslogd(8)</a> shutdown.
<!-- dhcp -->
<li>Introduced <a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>
log output to stderr and '-v' option to make this output more verbose.
<li>In <a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>, made <a
href="https://man.openbsd.org/dhcp-options.5">dhcp-options(5)</a>
recognize option ipv6-only-preferred (RFC8925).
<li>Allowed <a
href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> to
request "IPv6-only preferred" and deconfigure IPv4 on the interface if
the server replies with this option.
<!-- more -->
<li>Fixed <a href="https://man.openbsd.org/radiusd.8">radiusd(8)</a>
to properly fixup MPPE-{Send,Recv}-Key and Tunnel-Password attributes of the
response.
<li>Added nochroot parameter to <a
href="https://man.openbsd.org/radiusd.8">radiusd(8)</a>
module_drop_privilege() so that modules can use <a
href="https://man.openbsd.org/unveil.2">unveil(2)</a> instead of <a
href="https://man.openbsd.org/chroot.2">chroot(2)</a> if needed.
<li>Ensured correct denominators when converting NTP fixed point
values to double and vice-versa in <a
href="https://man.openbsd.org/ntpd.8">ntpd(8)</a>.
<li>In the resolver, do not short-circuit resolution of localhost
when AI_NUMERICHOST is set. Ensure that a proper string is returned by <a
href="https://man.openbsd.org/getaddrinfo.3">getaddrinfo(3)</a> when
AI_CANONNAME or AI_FQDN is set.
<li>Added <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>
support for specifying ports on the src address in tunnel endpoints of
<a href="https://man.openbsd.org/gif.4">gif(4)</a>, <a
href="https://man.openbsd.org/gre.4">gre(4)</a> and related
tunnel interfaces.
<li>Added an <a
href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> endpoint
command for "bridges" that use addresses as endpoints, usable to add
static entries on interfaces like <a
href="https://man.openbsd.org/vxlan.4">vxlan(4)</a>.
<li>Tightened up <a
href="https://man.openbsd.org/relayd.8">relayd(8)</a> HTTP header parsing.
<li>Deferred <a href="https://man.openbsd.org/relayd.8">relayd(8)</a>
relay_read_http header parsing until after line continuation,
preventing potential request smuggling attacks.
<li>Improved <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>
auto-index, adding human-readable file sizes and allowing per-column
sorting.
<li>Switched to using whois.internic.net for <a
href="https://man.openbsd.org/whois.1">whois(1)</a> -i.
</ul>
</ul><!-- Routing daemons and other userland network improvements -->
<li><a href="https://man.openbsd.org/tmux.1">tmux(1)</a> improvements and bug fixes:
<ul>
<li>Made <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> unzoom
a window at the start of destroy so it doesn't happen later after the
layout has been freed.
<li>Prevented <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> use
of combined UTF-8 characters that are too long.
<li>Corrected <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>
handling of window ops with no pane.
<li>Removed flags from the prefix before comparing with the received
key so that <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>
modifier keys with flags work correctly.
<li>Increased buffer size to avoid truncating styles in <a
href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
<li>Added two new values for the <a
href="https://man.openbsd.org/tmux.1">tmux(1)</a> destroy-unattached
option to destroy sessions only if they are not members of sessions
groups.
</ul>
<li>LibreSSL version 3.9.0
<ul>
<li>Portable changes
<ul>
<li>libcrypto no longer exports compat symbols in cmake builds.
<li>Most compatibility symbols are prefixed with <code>libressl_</code>
to avoid symbol clashes in static links.
<li>Fixed various warnings on Windows.
<li>Removed assert pop-ups with Windows debug builds.
<li>Fixed crashes and hangs in Windows ARM64 builds.
<li>Improved control-flow enforcement (CET) support.
</ul>
<li>Internal improvements
<ul>
<li>Converted uses of <code>OBJ_bsearch_()</code> to standard
<a href="https://man.openbsd.org/bsearch">bsearch(3)</a>.
<li>Greatly simplified <code>by_file_ctrl()</code>.
<li>Simplified and cleaned up the OBJ_ API.
<li>Cleaned up the <a href="https://man.openbsd.org/EVP_CipherInit">EVP_Cipher{Init,Update,Final}(3)</a> implementations.
<li>Removed unused function pointers from X.509 stores and contexts.
<li>A lot of cleanup and reorganization in EVP.
<li>Removed all remaining <code>ENGINE</code> tentacles.
<li>Simplified internals of <code>X509_TRUST</code> handling.
<li>Made deletion from a <a href="https://man.openbsd.org/lh_delete">lhash</a>
doall callback safe.
<li>Rewrote <a href="https://man.openbsd.org/BIO_dump">BIO_dump*(3)</a> internals
to be less bad.
</ul>
<li>Documentation improvements
<ul>
<li><code>ENGINE</code> documentation was updated to reflect reality.
<li>Made EVP API documentation more accurate and less incoherent.
<li>Call out some shortcomings of the <code>EC_KEY_set_*</code> API explicitly.
</ul>
<li>Testing and proactive security
<ul>
<li>Bug fixes and simplifications in the Wycheproof tests.
</ul>
<li>Compatibility changes
<ul>
<li>Added ChaCha20 and chacha20 aliases for ChaCha.
<li><a href="https://man.openbsd.org/SSL_library_init">SSL_library_init(3)</a>
now has the same effect as OPENSSL_init_ssl().
<li><code>EVP_add_{cipher,digest}()</code> were removed. From the <code>OBJ_NAME</code> API,
only <a href="https://man.openbsd.org/OBJ_NAME_do_all">OBJ_NAME_do_all*()</a> remain.
In particular, it is no longer possible to add aliases for ciphers and digests.
<li>The thread unsafe global tables are no longer supported. It is no
longer possible to add aliases for ciphers and digests, custom ASN.1
strings table entries, ASN.1 methods, PKEY methods, digest methods,
CRL methods, purpose and trust identifiers, or X.509 extensions.
<li>Removed the _cb() and _fp() versions of
<a href="https://man.openbsd.org/BIO_dump">BIO_dump{,_indent}()</a>.
<li><code>BIO_set()</code> was removed.
<li><code>BIO_{sn,v,vsn}printf()</code> were removed.
<li>Turn the long dysfunctional
<a href="https://man.openbsd.org/openssl(1)">openssl(1)</a>
<code>s_client -pause</code> into a noop.
<li><a href="https://man.openbsd.org/openssl(1)">openssl(1)</a> <code>x509</code>
now supports <code>-new</code>, <code>-force_pubkey</code>, <code>-multivalue-rdn</code>,
<code>-set_issuer</code> <code>-set_subject</code>, and <code>-utf8</code>.
<li>Support ECDSA with SHA-3 signature algorithms.
<li>Support HMAC with truncated SHA-2 and SHA-3 as PBE PRF.
<li>GOST and STREEBOG support was removed.
<li><code>CRYPTO_THREADID</code>, <code>_LHASH</code>, <code>_STACK</code> and
<code>X509_PURPOSE</code> are now opaque, <code>X509_CERT_AUX</code> and
<code>X509_TRUST</code> were removed from the public API.
<li><a href="https://man.openbsd.org/ASN1_STRING_TABLE_get()">ASN1_STRING_TABLE_get(3)</a>
and <a href="https://man.openbsd.org/X509_PURPOSE_get0">X509_PURPOSE_get0*(3)</a> now
return const pointers.
<li><code>EVP_{CIPHER,MD}_CTX_init()</code>'s signatures and semantics now match
OpenSSL's behavior.
<li><code>sk_find_ex()</code> and <code>OBJ_bsearch_()</code> were removed.
<li><a href="https://man.openbsd.org/CRYPTO_malloc">CRYPTO_malloc(3)</a> was fixed to use
<code>size_t</code> argument. <code>CRYPTO_malloc()</code>
and <code>CRYPTO_free()</code> now accept file and line arguments.
<li>A lot of decrepit CRYPTO memory API was removed.
</ul>
<li>Bug fixes
<ul>
<li>Fixed aliasing issues in <code>BN_mod_exp_simple()</code> and <code>BN_mod_exp_recp()</code>.
<li>Fixed numerous misuses of
<a href="https://man.openbsd.org/X509_ALGOR_set0">X509_ALGOR_set0(3)</a>
resulting in leaks and potentially incorrect encodings.
<li>Fixed potential double free in
<a href="https://man.openbsd.org/X509v3_asid_add_id_or_range">X509v3_asid_add_id_or_range(3)</a>.
<li>Stopped using <code>ASN1_time_parse()</code> outside of libcrypto.
<li>Prepared <a href="https://man.openbsd.org/OPENSSL_gmtime">OPENSSL_gmtime(3)</a> and
<a href="https://man.openbsd.org/OPENSSL_timegm">OPENSSL_timegm(3)</a> as public API
wrappers of internal functions compatible with BoringSSL API.
<li>Removed <code>print_bin()</code> to avoid overwriting the stack with 5 bytes
of <code>" "</code> when ECPK parameters are printed with large
indentation.
<li>Avoid a <code>NULL</code> dereference after memory allocation failure during TLS
version downgrade.
<li>Fixed various bugs in CMAC internals.
<li>Fixed 4-byte overreads in GHASH assembly on amd64 and i386.
<li>Fixed various NULL dereferences in PKCS #12 code due to mishandling
of OPTIONAL content in PKCS #7 ContentInfo.
<li>Aligned <a href="https://man.openbsd.org/SSL_shutdown">SSL_shutdown(3)</a>
behavior in TLSv1.3 with the legacy stack.
<li>Fixed the new X.509 verifier to find trust anchors in the trusted
stack.
</ul>
</ul>
<li>OpenSSH 9.6 and OpenSSH 9.7
<ul>
<li>Security fixes
<ul>
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: implement protocol extensions to thwart the
so-called "Terrapin attack" discovered by Fabian Bäumer, Marcus
Brinkmann and Jörg Schwenk. This attack allows a MITM to effect a
limited break of the integrity of the early encrypted SSH transport
protocol by sending extra messages prior to the commencement of
encryption, and deleting an equal number of consecutive messages
immediately after encryption starts. A peer SSH client/server
would not be able to detect that messages were deleted.
<br>While cryptographically novel, the security impact of this attack
is fortunately very limited as it only allows deletion of
consecutive messages, and deleting most messages at this stage of
the protocol prevents user authentication from proceeding and
results in a stuck connection.
<br>The most serious identified impact is that it lets a MITM to
delete the SSH2_MSG_EXT_INFO message sent before authentication
starts, allowing the attacker to disable a subset of the keystroke
timing obfuscation features introduced in OpenSSH 9.5. There is no
other discernable impact to session secrecy or session integrity.
<li><a href='https://man.openbsd.org/ssh-agent.1'>ssh-agent(1)</a>: when adding PKCS#11-hosted private keys while
specifying destination constraints, if the PKCS#11 token returned
multiple keys then only the first key had the constraints applied.
Use of regular private keys, FIDO tokens and unconstrained keys
are unaffected.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: if an invalid user or hostname that contained shell
metacharacters was passed to <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, and a ProxyCommand,
LocalCommand directive or "match exec" predicate referenced the
user or hostname via %u, %h or similar expansion token, then
an attacker who could supply arbitrary user/hostnames to <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>
could potentially perform command injection depending on what
quoting was present in the user-supplied <a href='https://man.openbsd.org/ssh_config.5'>ssh_config(5)</a> directive.
<br>OpenSSH 9.6 now
bans most shell metacharacters from user and hostnames supplied
via the command-line. This countermeasure is not guaranteed to be
effective in all situations, as it is infeasible for <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a> to
universally filter shell metacharacters potentially relevant to
user-supplied commands.
<br>User/hostnames provided via <a href='https://man.openbsd.org/ssh_config.5'>ssh_config(5)</a> are not subject to these
restrictions, allowing configurations that use strange names to
continue to be used, under the assumption that the user knows what
they are doing in their own configuration files.
</ul>
<li>New features
<ul>
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: add a "global" ChannelTimeout type that watches
all open channels and will close all open channels if there is no
traffic on any of them for the specified interval. This is in
addition to the existing per-channel timeouts added recently.
<br>This supports situations like having both session and x11
forwarding channels open where one may be idle for an extended
period but the other is actively used. The global timeout could
close both channels when both have been idle for too long.
<li>All: make DSA key support compile-time optional, defaulting to on.
</ul>
<li>Bugfixes
<ul>
<li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: don't append an unnecessary space to the end of subsystem
arguments (<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3667'>bz3667</a>)
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: fix the multiplexing "channel proxy" mode, broken when
keystroke timing obfuscation was added. (<a href='https://github.com/openssh/openssh-portable/pull/463'>GHPR#463</a>)
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: fix spurious configuration parsing errors when
options that accept array arguments are overridden (<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3657'>bz3657</a>).
<li><a href='https://man.openbsd.org/ssh-agent.1'>ssh-agent(1)</a>: fix potential spin in signal handler (<a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3670'>bz3670</a>)
<li>Many fixes to manual pages and other documentation, including
<a href='https://github.com/openssh/openssh-portable/pull/462'>GHPR#462</a>, <a href='https://github.com/openssh/openssh-portable/pull/454'>GHPR#454</a>, <a href='https://github.com/openssh/openssh-portable/pull/442'>GHPR#442</a> and <a href='https://github.com/openssh/openssh-portable/pull/441'>GHPR#441</a>.
<li>Greatly improve interop testing against PuTTY.
</ul>
</ul>
<li>Ports and packages:
<p>Many pre-built packages for each architecture:
<!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
<ul style="column-count: 3">
<li>aarch64: 12145
<li>amd64: 12309
<li>arm: 8144
<li>i386: 10830
<li>mips64: 8674
<li>powerpc: 9980
<li>powerpc64: 8469
<li>riscv64: 10508
<li>sparc64: 9432
</ul>
<p>Some highlights:
<ul style="column-count: 3"><!-- XXX all need to be checked/updated 2024-03-02 -->
<li>Asterisk 16.30.1, 18.21.0 and 20.6.0
<li>Audacity 3.4.2
<li>CMake 3.28.3
<li>Chromium 122.0.6261.111
<li>Emacs 29.2
<li>FFmpeg 4.4.4
<li>GCC 8.4.0 and 11.2.0
<li>GHC 9.6.4
<li>GNOME 45
<li>Go 1.22.1
<li>JDK 8u402, 11.0.22, 17.0.10 and 21.0.2
<li>KDE Applications 23.08.4
<li>KDE Frameworks 5.115.0
<li>KDE Plasma 5.27.10
<li>Krita 5.2.2
<li>LLVM/Clang 13.0.0, 16.0.6 and 17.0.6
<li>LibreOffice 24.2.1.2
<li>Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.6
<li>MariaDB 10.9.8
<li>Mono 6.12.0.199
<li>Mozilla Firefox 123.0.1 and ESR 115.8.0
<li>Mozilla Thunderbird 115.8.1
<li>Mutt 2.2.13 and NeoMutt 20240201
<li>Node.js 18.19.1
<li>OCaml 4.14.1
<li>OpenLDAP 2.6.7
<li>PHP 7.4.33, 8.0.30, 8.1.27, 8.2.16 and 8.3.3
<li>Postfix 3.8.6
<li>PostgreSQL 16.2
<li>Python 2.7.18, 3.9.18, 3.10.13 and 3.11.8
<li>Qt 5.15.12 (+ kde patches) and 6.6.1
<li>R 4.2.3
<li>Ruby 3.1.4, 3.2.3 and 3.3.0
<li>Rust 1.76.0
<li>SQLite 3.44.2
<li>Shotcut 23.07.29
<li>Sudo 1.9.15.5
<li>Suricata 7.0.3
<li>Tcl/Tk 8.5.19 and 8.6.13
<li>TeX Live 2023
<li>Vim 9.1.139 and Neovim 0.9.5
<li>Xfce 4.18.1
</ul>
<p>
<li>As usual, steady improvements in manual pages and other documentation.
<li>The system includes the following major components from outside suppliers:
<ul><!-- XXX all need to be checked/updated 2024-03-02 -->
<li>Xenocara (based on X.Org 7.7 with xserver 21.1.11 + patches,
freetype 2.13.0, fontconfig 2.14.2, Mesa 23.1.9, xterm 378,
xkeyboard-config 2.20, fonttosfnt 1.2.3 and more)
<li>LLVM/Clang 16.0.6 (+ patches)
<li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
<li>Perl 5.36.3 (+ patches)
<li>NSD 4.8.0
<li>Unbound 1.18.0
<li>Ncurses 6.4
<li>Binutils 2.17 (+ patches)
<li>Gdb 6.3 (+ patches)
<li>Awk January 22, 2024
<li>Expat 2.6.0
<li>zlib 1.3.1 (+ patches)
</ul>
</ul>
</section>
<hr>
<section id=install>
<h3>How to install</h3>
<p>
Please refer to the following files on the mirror site for
extensive details on how to install OpenBSD 7.5 on your machine:
<ul>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/alpha/INSTALL.alpha">
.../OpenBSD/7.5/alpha/INSTALL.alpha</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/amd64/INSTALL.amd64">
.../OpenBSD/7.5/amd64/INSTALL.amd64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/arm64/INSTALL.arm64">
.../OpenBSD/7.5/arm64/INSTALL.arm64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/armv7/INSTALL.armv7">
.../OpenBSD/7.5/armv7/INSTALL.armv7</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/hppa/INSTALL.hppa">
.../OpenBSD/7.5/hppa/INSTALL.hppa</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/i386/INSTALL.i386">
.../OpenBSD/7.5/i386/INSTALL.i386</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/landisk/INSTALL.landisk">
.../OpenBSD/7.5/landisk/INSTALL.landisk</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/loongson/INSTALL.loongson">
.../OpenBSD/7.5/loongson/INSTALL.loongson</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.5/luna88k/INSTALL.luna88k">
.../OpenBSD/7.5/luna88k/INSTALL.luna88k</a>