65.html

<!doctype html>
<html lang=en id=release>
<meta charset=utf-8>

<title>OpenBSD 6.5</title>
<meta name="description" content="OpenBSD 6.5">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/65.html">

<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
6.5
</h2>

<table>
<tr>
<td>
<a href="images/Puffystock.gif">
<img width="227" height="343" src="images/Puffystock-s.gif" alt="Puffystock"></a>
<td>
Released May 1, 2019<br>
Copyright 1997-2019, Theo de Raadt.<br>
<br>
<br>
Artwork by Hans Tseng, Efrain Farias, and Natasha Allegri.
<br>
<ul>
<li>See the information on <a href="ftp.html">the FTP page</a> for
    a list of mirror machines.
<li>Go to the <code class=reldir>pub/OpenBSD/6.5/</code> directory on
    one of the mirror sites.
<li>Have a look at <a href="errata65.html">the 6.5 errata page</a> for a list
    of bugs and workarounds.
<li>See a <a href="plus65.html">detailed log of changes</a> between the
    6.4 and 6.5 releases.
<p>
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
    pubkeys for this release:<p>

<table class=signify>
<tr><td>
openbsd-65-base.pub:
<td>
<a href="https://ftp.openbsd.org/pub/OpenBSD/6.5/openbsd-65-base.pub">
RWSZaRmt1LEQT9CtPygf9CvONu8kYPTlVEJdysNoUR62/NkeWgdkc3zY</a>
<tr><td>
openbsd-65-fw.pub:
<td>
RWQYdGVtTv5IvpH2c+TLQAC4iV7RjoGZ/v75q8MCuC9Mca7nFVCXRefy
<tr><td>
openbsd-65-pkg.pub:
<td>
RWS5D4+188RI6jULDOFzga0Cm1zrXYUAHT6xu0mLrZidbn6xrMB5aZeR
<tr><td>
openbsd-65-syspatch.pub:
<td>
RWT8U2yd3Aq5DnetILjmSoCQxmyt3VqfGS7GBh19oh4Xre4ywc31PEpw
</table>
</ul>
<p>
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via <code>ports.tar.gz</code>.
</table>

<hr>

<section id=new>
<h3>What's New</h3>
<p>
This is a partial list of new features and systems included in OpenBSD 6.5.
For a comprehensive list, see the <a href="plus65.html">changelog</a> leading
to 6.5.

<ul>

<li>Improved hardware support, including:
    <ul>
    <li><a href="https://man.openbsd.org/clang.1">clang(1)</a>
        is now provided on mips64.
    <li>The default linker has been switched from the binutils bfd-based linker
        to lld on amd64 and i386.
    <li>octeon: Now the system automatically detects the number of available
        cores. However, manual setting of the numcores, or coremask,
        boot parameter is still needed to enable secondary cores.
    <li>octeon: It is now possible to use the root disk's DUID as the value
        of the rootdev boot parameter.
    <li>New <a href="https://man.openbsd.org/octeon/octgpio.4">octgpio(4)</a>
        driver for the OCTEON GPIO controller.
    <li>New <a href="https://man.openbsd.org/pvclock.4">pvclock(4)</a>
        driver for KVM paravirtual clock.
    <li>New <a href="https://man.openbsd.org/ixl.4">ixl(4)</a>
        driver for Intel Ethernet 700 series controller devices.
    <li>New <a href="https://man.openbsd.org/abcrtc.4">abcrtc(4)</a>
        driver for Abracon AB1805 real-time clock.
    <li>New <a href="https://man.openbsd.org/imxsrc.4">imxsrc(4)</a>
        driver for i.MX system reset controller.
    <li>New <a href="https://man.openbsd.org/uxrcom.4">uxrcom(4)</a>
        driver for Exar XR21V1410 USB serial adapters.
    <li>New <a href="https://man.openbsd.org/mvgicp.4">mvgicp(4)</a>
        driver for Marvell ARMADA 7K/8K GICP controller.
    <li>Support for QCA AR816x/AR817x in
        <a href="https://man.openbsd.org/alc.4">alc(4)</a>.
    <li>Support for isochronous transfers in
        <a href="https://man.openbsd.org/xhci.4">xhci(4)</a>.
    <li><a href="https://man.openbsd.org/uaudio.4">uaudio(4)</a> has
        been replaced by a new driver which supports USB audio class v2.0.
    <li>Improved support for <a href="https://man.openbsd.org/nmea.4">nmea(4)</a>
        devices, providing altitude and ground speed values as sensors.
    </ul>

<p>

<li>IEEE 802.11 wireless stack improvements:
  <ul>
  <li>Reduced usage of RTS frames improves overall throughput and latency.
  <li>Improved transmit rate selection in the
      <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> driver.
  <li>Improved radio hardware calibration in the
      <a href="https://man.openbsd.org/athn.4">athn(4)</a> driver.
  <li>The <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> driver now
      provides more accurate device configuration information to userland.
   <li>Added new routing socket message RTM_80211INFO to provide details
       of 802.11 interface state changes to
   <a href="https://man.openbsd.org/dhclient">dhclient(8)</a> and
   <a href="https://man.openbsd.org/route">route(8)</a>.
  <li>If an auto-join list is configured, wireless interfaces will no longer
      connect to unknown open networks by default. This behaviour must
      now be explicitly enabled by adding the empty network name to the
      auto-join list, e.g. <code>ifconfig iwm0 join ""</code>, or <code>join ""</code>
      in hostname.if files.
  <li>The <a href="https://man.openbsd.org/iwn.4">iwn(4)</a> and
      <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> drivers will now
      automatically try to connect to a network if the radio kill switch is
      toggled to allow radio transmissions while the interface is marked UP.
  </ul>
<p>

<li>Generic network stack improvements:
    <ul>
    <li>New <a href="https://man.openbsd.org/bpe.4">bpe(4)</a>
        Backbone Provider Edge pseudo-device.
    <li>New <a href="https://man.openbsd.org/mpip.4">mpip(4)</a>
        MPLS IP layer 2 pseudowire driver.
    <li>MPLS encapsulation interfaces support configuration of
        alternative MPLS route domains.
    <li>The <a href="https://man.openbsd.org/vlan.4">vlan(4)</a>
        driver bypasses queue processing and outputs directly to the
        parent interface.
    <li>New per SAD counters visible via
        <a href="https://man.openbsd.org/ipsecctl.8">ipsecctl(8)</a>.
    <li>The <a href="https://man.openbsd.org/bpf.4">bpf(4)</a>
	filter drop mechanism has been extended to allow dropping
	without capturing packets, and use of the mechanism with
	<a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> as
	a filtering mechanism early in the device receive path.
    <li><a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> gains
       <code>txprio</code> for controlling the encoding of priority in
       tunnel headers, and support in drivers including
        <a href="https://man.openbsd.org/vlan.4">vlan(4)</a>,
        <a href="https://man.openbsd.org/gre.4">gre(4)</a>,
        <a href="https://man.openbsd.org/gif.4">gif(4)</a>, and
        <a href="https://man.openbsd.org/etherip.4">etherip(4)</a>.
    </ul>
<p>

<li>Installer improvements:
    <ul>
    <li><a href="https://man.openbsd.org/rdsetroot.8">rdsetroot(8)</a>
	(a build-time tool) is now available for general use.
    <li>During upgrades, some components of old releases are deleted.
    </ul>
<p>

<li>Security improvements:
  <ul>
  <li><a href="https://man.openbsd.org/unveil.2">unveil(2)</a> has been
    improved to understand and find covering unveil matches above the
    working directory of the running process for relative path accesses.
    As a result many programs now can use unveil in broad ways such as
    unveil("/", "r").
  <li><a href="https://man.openbsd.org/unveil.2">unveil(2)</a> no longer
    silently allows
    <a href="https://man.openbsd.org/stat.2">stat(2)</a> and
    <a href="https://man.openbsd.org/access.2">access(2)</a> to work on any
    unveiled path component.
  <li>Now using <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> in
    <a href="https://man.openbsd.org/ospfd">ospfd(8)</a>,
    <a href="https://man.openbsd.org/ospf6d">ospf6d(8)</a>,
    <a href="https://man.openbsd.org/rebound">rebound(8)</a>,
    <a href="https://man.openbsd.org/getconf">getconf(1)</a>,
    <a href="https://man.openbsd.org/kvm_mkdb">kvm_mkdb(8)</a>,
    <a href="https://man.openbsd.org/bdftopcf">bdftopcf(1)</a>,
    <a href="https://man.openbsd.org/Xserver">Xserver(1)</a>,
    <a href="https://man.openbsd.org/passwd">passwd(1)</a>,
    <a href="https://man.openbsd.org/spamlogd">spamlogd(8)</a>,
    <a href="https://man.openbsd.org/spamd">spamd(8)</a>,
    <a href="https://man.openbsd.org/sensorsd">sensorsd(8)</a>,
    <a href="https://man.openbsd.org/snmpd">snmpd(8)</a>,
    <a href="https://man.openbsd.org/htpasswd">htpasswd(1)</a>,
    <a href="https://man.openbsd.org/ifstated">ifstated(8)</a>.
    Some <a href="https://man.openbsd.org/pledge.2">pledge(2)</a>
    changes were required to accommodate unveil.
  <li>ROP mitigations in <a href="https://man.openbsd.org/clang-local.1">clang(1)</a>
    have been improved, resulting in a significant decrease in the number
    of polymorphic ROP gadgets in binaries on i386/amd64.
  <li>RETGUARD performance and security has been improved in
    <a href="https://man.openbsd.org/clang-local.1">clang(1)</a>
    by keeping data on registers instead of on the stack when possible,
    and lengthening the epilogue trapsled on amd64 to consume the rest
    of the cache line before the return.
  <li>RETGUARD replaces the stack protector on amd64 and arm64,
    since RETGUARD instruments every function that returns and provides
    better security properties than the traditional stack protector.
  </ul>
<p>

<li>Routing daemons and other userland network improvements:
    <ul>
    <li><a href="https://man.openbsd.org/pcap-filter.3">pcap-filter(3)</a> can
        now filter on MPLS packets.
    <li>The routing priority for
        <a href="https://man.openbsd.org/ospfd.8">ospfd(8)</a>,
        <a href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a> and
        <a href="https://man.openbsd.org/ripd.8">ripd(8)</a>
        is now configurable.
    <li><a href="https://man.openbsd.org/ripd.8">ripd(8)</a> is now pledged.
    <li>First release of
        <a href="https://man.openbsd.org/unwind.8">unwind(8)</a>, a validating,
        recursive nameserver for 127.0.0.1. It is particularly suitable for
        laptops moving between networks.
    <li><a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> gains
	<code>sff</code> and <code>sffdump</code> modes, displaying diagnostic
	information from fibre transceivers and similar modules.
	Currently
        <a href="https://man.openbsd.org/ix.4">ix(4)</a> and
        <a href="https://man.openbsd.org/ixl.4">ixl(4)</a> are supported.
    <li><a href="https://man.openbsd.org/ldpd.8">ldpd(8)</a> now
        supports <a href="https://man.openbsd.org/ldpd.conf.5">configuration
        of TCP MD5</a> for networks, not just specific neighbors.
    </ul>
<p>

<li><a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> improvements:
    <ul>
    <li><a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> has now a real
        Adj-RIB-Out which improved overall memory usage.
    <li>Implemented a simple ruleset optimizer that merges filter rules that
        differ only by filter sets.
    <li>First release of OpenBGPD-portable. There is currently no FIB support
        in the portable version and some other features are also disabled.
    <li>The configuration of BGP MPLS VPN changed and the config needs to be
        adjusted if VPNs are used.
    <li>Added support for IPv6 BGP MPLS VPNs.
    <li>Implemented <code>as-override</code> in <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>,
        a feature where the neighbor AS is replaced by the local AS in AS paths.
    <li>It is now possible to match multiple communities, ext-communities or
        large-communities per filter rule.
    <li>Added support for <code>*</code>, <code>local-as</code> and <code>neighbor-as</code>
        for ext-community matching and addition or removal.
    <li>Prevent <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>
        from being started more than once with the same config.
    <li><code>announce inet none</code> no longer clears announce settings of
        other address families.
    <li>Removed potential for a spurious End-of-RIB marker being sent.
    <li>Fixed mrt table dumps and the route collector mode.
    <li>Improved throttling of initial routing table dump.
    <li><a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> terminates RIB
        table walks if <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a>
        terminates early.
    <li>Improved handling of communities, large-communities and ext-communities
        in <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a>
    <li>It is now possible to use <code>neighbor group &lt;name&gt;</code> to run
        <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> commands
        against the specified group of neighbors:
	<div style="margin-left: 45px"><code>
            bgpctl neighbor group &lt;name> [clear|destroy|down|refresh|up]<br>
            bgpctl show neighbor group &lt;name> [messages|terse|timers]<br>
            bgpctl show rib neighbor group &lt;name> ...<br>
	</code></div>
    <li><a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> can now
        add networks into BGP VPN tables by specifying the route distinguisher
        <code>rd</code> on the <code>network</code> command.
    <li><a href="https://man.openbsd.org/bgplg.8">bgplg(8)</a> and
        <a href="https://man.openbsd.org/bgplgsh.8">bgplgsh(8)</a> can
        now filter on Origin Validation State and Extended Communities.
    <li><a href="https://man.openbsd.org/bgplgsh.8">bgplgsh(8)</a> can
        now [clear|destroy|down|refresh|up] and show groups of neighbors.
    </ul>
<p>

<li>Assorted improvements:
  <ul>
  <li>
    <a href="https://man.openbsd.org/kcov.4">kcov(4)</a>
    gained support for
    <a href="https://man.openbsd.org/kcov#KCOV_MODE_TRACE_CMP">KCOV_MODE_TRACE_CMP</a>.
  <li>
    A 'video' promise was added to <a href="https://man.openbsd.org/pledge.2">pledge(2)</a>.
  <li>
    The <code>kern.witnesswatch</code>
    <a href="https://man.openbsd.org/sysctl.8">sysctl(8)</a>
    has been renamed to <code>kern.witness.watch</code>.
    <li>New pthread
        <a href="https://man.openbsd.org/pthread_rwlock_init">rwlock</a>
        implementation improving latency of threaded applications.
    <li>
      <a href="https://man.openbsd.org/kubsan.4">kubsan(4)</a>
      capable of detecting undefined behavior in the kernel.
    <li><a href="https://man.openbsd.org/signify.1">signify</a>
        -n option to zero date header in -z mode.
    <li>Remove OXTABS from default pty flags.
    <li><a href="https://man.openbsd.org/install.1">install(1)</a> now
      always copies files safely (as with -S), avoiding race conditions.
    <li><a href="https://man.openbsd.org/syslog.conf.5">syslog.conf(5)</a>
      now supports program names containing dots and underscores.
    <li><a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> already used
      privsep, <a href="https://man.openbsd.org/pledge.2">pledge(2)</a> and
      <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> containment.
      It now also drops root privileges completely (switching to a reserved uid).
    <li>The multi-threaded performance of
      <a href="https://man.openbsd.org/malloc.3">malloc(3)</a> has been improved.
    <li><a href="https://man.openbsd.org/malloc.3">malloc(3)</a> now uses
      <a href="https://man.openbsd.org/sysctl.2">sysctl(2)</a> to get its
      settings, making it respect the system-wide settings in chroots as well.
    <li>Various improvements to the
      <a href="https://man.openbsd.org/join.1">join</a> command.
    <li>Work has started on a ISC-licensed rsync-compatible program called
      <a href="https://www.openrsync.org">OpenRSYNC</a>.  In this release it
      has basic functionality such as <b>-a</b>, <b>--delete</b>, but lacks
      <b>--exclude</b>.  Work will continue.
    <li>New Spleen font 8x16, 12x24, 16x32 and 32x64 variants added and
      enabled in wsfont, along with font selection logic to allow selecting
      larger fonts when available at runtime in
      <a href="https://man.openbsd.org/rasops.9">rasops(9)</a>.
  </ul>
<p>

<li>OpenSMTPD 6.5.0
  <ul>
  <li>New Features
    <ul>
      <li>Added the new matching criteria "from rdns" to
	<a href="https://man.openbsd.org/smtpd.conf.5">smtpd.conf(5)</a>
	to allow matching of sessions based on the reverse DNS of the client.
      <li>Added
	<a href="https://man.openbsd.org/regex.3">regex(3)</a>
	support to table lookups in
	<a href="https://man.openbsd.org/smtpd.conf.5">smtpd.conf(5)</a>.
    </ul>
  </ul>
  <p>

<li>LibreSSL 2.9.1
  <ul>
    <li>API and Documentation Enhancements
    <ul>
      <li>
        CRYPTO_LOCK is now automatically initialized, with the legacy
        callbacks stubbed for compatibility.
      <li>
        Added the SM3 hash function from the Chinese standard GB/T 32905-2016.
      <li>
        Added the SM4 block cipher from the Chinese standard GB/T 32907-2016.
      <li>
        Added more OPENSSL_NO_* macros for compatibility with OpenSSL.
      <li>
        Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH.
      <li>
        Implemented further missing OpenSSL 1.1 API.
      <li>
        Added support for XChaCha20 and XChaCha20-Poly1305.
      <li>
	Added support for AES key wrap constructions via the EVP interface.
    </ul>

    <li>Compatibility Changes
    <ul>
      <li>
        Added pbkdf2 key derivation support
        to <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> enc.
      <li>
        Changed the default digest type of
        <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> enc
        to sha256.
      <li>
        Changed the default digest type of
        <a href="https://man.openbsd.org/openssl.1">openssl(1)</a> dgst
        to sha256.
      <li>
        Changed the default digest type of
        <a href="https://man.openbsd.org/openssl.1">openssl(1)</a>
        x509 -fingerprint to sha256.
      <li>
        Changed the default digest type of
        <a href="https://man.openbsd.org/openssl.1">openssl(1)</a>
        crl -fingerprint to sha256.
    </ul>

    <li>Testing and Proactive Security
    <ul>
      <li>
        Added extensive interoperability tests between LibreSSL and OpenSSL 1.0
        and 1.1.
      <li>
        Added additional Wycheproof tests and related bug fixes.
    </ul>

    <li>Internal Improvements
    <ul>
      <li>
        Simplified sigalgs option processing and handshake signing algorithm
        selection.
      <li>
        Added the ability to use the RSA PSS algorithm for handshake signatures.
      <li>
        Added bn_rand_interval() and use it in code needing ranges of random bn
        values.
      <li>
        Added functionality to derive early, handshake, and application secrets
        as per RFC8446.
      <li>
        Added handshake state machine from RFC8446.
      <li>
        Removed some ASN.1 related code from libcrypto that had not been used
        since around 2000.
      <li>
        Unexported internal symbols and internalized more record layer structs.
      <li>
        Removed SHA224 based handshake signatures from consideration for use in a TLS 1.2 handshake.
    </ul>

    <li>Portable Improvements
    <ul>
      <li>
        Added support for assembly optimizations on 32-bit ARM ELF targets.
      <li>
        Added support for assembly optimizations on Mingw-w64 targets.
      <li>
        Improved Android compatibility
    </ul>

    <li>Bug Fixes
    <ul>
      <li>
        Improved protection against timing side channels in ECDSA signature
        generation.
      <li>
        Coordinate blinding was added to some elliptic curves.
        This is the last bit of the work by Brumley et al. to protect against
        the Portsmash vulnerability.
      <li>
        Ensure transcript handshake is always freed with TLS 1.2.
    </ul>
  </ul>
<p>

<li>OpenSSH 8.0
  <ul>
  <li>New Features
    <ul>
    <li>ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in
    PKCS#11 tokens.
    <li>ssh(1), sshd(8): Add experimental quantum-computing resistant
    key exchange method, based on a combination of Streamlined NTRU
    Prime 4591^761 and X25519.
    <li>ssh-keygen(1): Increase the default RSA key size to 3072 bits,
    following NIST Special Publication 800-57's guidance for a
    128-bit equivalent symmetric security level.
    <li>ssh(1): Allow "PKCS11Provider=none" to override later instances of
    the PKCS11Provider directive in ssh_config; bz#2974
    <li>sshd(8): Add a log message for situations where a connection is
    dropped for attempting to run a command but a sshd_config
    ForceCommand=internal-sftp restriction is in effect; bz#2960
    <li>ssh(1): When prompting whether to record a new host key, accept
    the key fingerprint as a synonym for "yes". This allows the user
    to paste a fingerprint obtained out of band at the prompt and
    have the client do the comparison for you.
    <li>ssh-keygen(1): When signing multiple certificates on a single
    command-line invocation, allow automatically incrementing the
    certificate serial number.
    <li>scp(1), sftp(1): Accept -J option as an alias to ProxyJump on
    the scp and sftp command-lines.
    <li>ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
    command-line flags to increase the verbosity of output; pass
    verbose flags though to subprocesses, such as ssh-pkcs11-helper
    started from ssh-agent.
    <li>ssh-add(1): Add a "-T" option to allowing testing whether keys in
    an agent are usable by performing a signature and a verification.
    <li>sftp-server(8): Add a "lsetstat@openssh.com" protocol extension
    that replicates the functionality of the existing SSH2_FXP_SETSTAT
    operation but does not follow symlinks. bz#2067
    <li>sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request
    they do not follow symlinks.
    <li>sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes
    the connection 4-tuple available to PAM modules that wish to use
    it in decision-making. bz#2741
    <li>sshd(8): Add a ssh_config "Match final" predicate Matches in same
    pass as "Match canonical" but doesn't require hostname
    canonicalisation be enabled. bz#2906
    <li>sftp(1): Support a prefix of '@' to suppress echo of sftp batch
    commands; bz#2926
    <li>ssh-keygen(1): When printing certificate contents using
    "ssh-keygen -Lf /path/certificate", include the algorithm that
    the CA used to sign the cert.
    </ul>
  <li>Bugfixes
    <ul>
    <li>sshd(8): Fix authentication failures when sshd_config contains
    "AuthenticationMethods any" inside a Match block that overrides
    a more restrictive default.
    <li>sshd(8): Avoid sending duplicate keepalives when ClientAliveCount
    is enabled.
    <li>sshd(8): Fix two race conditions related to SIGHUP daemon restart.
    Remnant file descriptors in recently-forked child processes could
    block the parent sshd's attempt to listen(2) to the configured
    addresses. Also, the restarting parent sshd could exit before any
    child processes that were awaiting their re-execution state had
    completed reading it, leaving them in a fallback path.
    <li>ssh(1): Fix stdout potentially being redirected to /dev/null when
    ProxyCommand=- was in use.
    <li>sshd(8): Avoid sending SIGPIPE to child processes if they attempt
    to write to stderr after their parent processes have exited;
    bz#2071
    <li>ssh(1): Fix bad interaction between the ssh_config ConnectTimeout
    and ConnectionAttempts directives - connection attempts after the
    first were ignoring the requested timeout; bz#2918
    <li>ssh-keyscan(1): Return a non-zero exit status if no keys were
    found; bz#2903
    <li>scp(1): Sanitize scp filenames to allow UTF-8 characters without
    terminal control sequences;  bz#2434
    <li>sshd(8): Fix confusion between ClientAliveInterval and time-based
    RekeyLimit that could cause connections to be incorrectly closed.
    bz#2757
    <li>ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN
    handling at initial token login. The attempt to read the PIN
    could be skipped in some cases, particularly on devices with
    integrated PIN readers. This would lead to an inability to
    retrieve keys from these tokens. bz#2652
    <li>ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the
    CKA_ALWAYS_AUTHENTICATE flag by requiring a fresh login after the
    C_SignInit operation. bz#2638
    <li>ssh(1): Improve documentation for ProxyJump/-J, clarifying that
    local configuration does not apply to jump hosts.
    <li>ssh-keygen(1): Clarify manual - ssh-keygen -e only writes
    public keys, not private.
    <li>ssh(1), sshd(8): be more strict in processing protocol banners,
    allowing \r characters only immediately before \n.
    <li>Various: fix a number of memory leaks, including bz#2942 and
    bz#2938
    <li>scp(1), sftp(1): fix calculation of initial bandwidth limits.
    Account for bytes written before the timer starts and adjust the
    schedule on which recalculations are performed. Avoids an initial
    burst of traffic and yields more accurate bandwidth limits;
    bz#2927
    <li>sshd(8): Only consider the ext-info-c extension during the initial
    key eschange. It shouldn't be sent in subsequent ones, but if it
    is present we should ignore it. This prevents sshd from sending a
    SSH_MSG_EXT_INFO for REKEX for buggy these clients. bz#2929
    <li>ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in
    authorized_keys) and -R (remove host from authorized_keys) options
    may accept either a bare hostname or a [hostname]:port combo.
    bz#2935
    <li>ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK; bz#2936
    <li>sshd(8): Silence error messages when sshd fails to load some of
    the default host keys. Failure to load an explicitly-configured
    hostkey is still an error, and failure to load any host key is
    still fatal. pr/103
    <li>ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is
    started with ControlPersist; prevents random ProxyCommand output
    from interfering with session output.
    <li>ssh(1): The ssh client was keeping a redundant ssh-agent socket
    (leftover from authentication) around for the life of the
    connection; bz#2912
    <li>sshd(8): Fix bug in HostbasedAcceptedKeyTypes and
    PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types
    were specified, then authentication would always fail for RSA keys
    as the monitor checks only the base key (not the signature
    algorithm) type against *AcceptedKeyTypes. bz#2746
    <li>ssh(1): Request correct signature types from ssh-agent when
    certificate keys and RSA-SHA2 signatures are in use.
    </ul>
  </ul>
<p>

<li>Mandoc 1.14.5
  <ul>
    <li>
      Improved POSIX compliance in
      <a href="https://man.openbsd.org/apropos.1">apropos(1)</a> by
      accepting case-insensitive extended regular expressions by default.
    <li>
      New -O <a href="https://man.openbsd.org/mandoc.1#tag">tag</a>
      output option to open a page at the definition of a term.
    <li>
      Many <a href="https://man.openbsd.org/tbl.7">tbl(7)</a>
      improvements: line drawing, spanning, horizontal and vertical
      alignment in HTML output, improved column width calculations in
      terminal output, use of box drawing characters in UTF-8 output.
    <li>
      Much better HTML output, in particular with respect to
      paragraphs, line breaks, and vertical spacing in tagged lists.
      Tooltips are now implemented in pure CSS, the <code>title</code>
      attribute is no longer abused.
  </ul>
  <p>

<li>Xenocara
  <ul>
     <li>
       <a href="https://man.openbsd.org/Xorg.1">Xorg(1)</a>, the
       X window server, is no longer installed setuid.
       <a href="https://man.openbsd.org/xenodm.1">xenodm(1)</a> should be
       used to start X.
     <li>
       The radeonsi Mesa driver is now included for hardware acceleration
       on Southern Islands and Sea Islands
       <a href="https://man.openbsd.org/radeondrm.4">radeondrm(4)</a> devices.
  </ul>
  <p>

<li>Ports and packages:
    <ul>
      <li>C++ ports for non-clang architectures are now compiled with
      ports gcc, so that more packages can be provided.
    </ul>
    <p>Many pre-built packages for each architecture:
    <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
    <ul style="column-count: 3">
      <li>aarch64:     9654
      <li>amd64:      10602
      <li>arm:         8721
      <li>i386:       10535
      <li>mips64:      8556
      <li>mips64el:    7677
      <li>powerpc:     9515
      <li>sparc64:     9495
    </ul>
    <p>Some highlights:
    <ul style="column-count: 3">
	<li>AFL 2.52b
	<li>Asterisk 16.2.1
	<li>Audacity 2.3.1
	<li>CMake 3.10.2
	<li>Chromium 73.0.3683.86
	<li>Emacs 26.1
	<li>FFmpeg 4.1.3
	<li>GCC 4.9.4 and 8.3.0
	<li>GHC 8.2.2
	<li>GNOME 3.30.2.1
	<li>Go 1.12.1
	<li>Groff 1.22.4
	<li>JDK 8u202 and 11.0.2+9-3
	<li>LLVM/Clang 7.0.1
	<li>LibreOffice 6.2.2.2
	<li>Lua 5.1.5, 5.2.4 and 5.3.5
	<li>MariaDB 10.0.38
	<li>Mono 5.18.1.0
	<li>Mozilla Firefox 66.0.2 and ESR 60.6.1
	<li>Mozilla Thunderbird 60.6.1
	<li>Mutt 1.11.4 and NeoMutt 20180716
	<li>Node.js 10.15.0
	<li>OCaml 4.07.1
	<li>OpenLDAP 2.3.43 and 2.4.47
	<li>PHP 7.1.28, 7.2.17 and 7.3.4
	<li>Postfix 3.3.3 and 3.4.20190106
	<li>PostgreSQL 11.2
	<li>Python 2.7.16 and 3.6.8
	<li>R 3.5.3
	<li>Ruby 2.4.6, 2.5.5 and 2.6.2
	<li>Rust 1.33.0
	<li>Sendmail 8.16.0.41
	<li>SQLite3 3.27.2
	<li>Sudo 1.8.27
	<li>Suricata 4.1.3
	<li>Tcl/Tk 8.5.19 and 8.6.8
	<li>TeX Live 2018
	<li>Vim 8.1.1048 and Neovim 0.3.4
	<li>Xfce 4.12
    </ul>
<p>

<li>As usual, steady improvements in manual pages and other documentation.
<p>

<li>The system includes the following major components from outside suppliers:
    <ul>
    <li>Xenocara (based on X.Org 7.7 with xserver 1.19.7 + patches,
      freetype 2.9.1, fontconfig 2.12.4, Mesa 18.3.5, xterm 344,
      xkeyboard-config 2.20 and more)
    <li>LLVM/Clang 7.0.1 (+ patches)
    <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    <li>Perl 5.28.1 (+ patches)
    <li>NSD 4.1.27
    <li>Unbound 1.9.1
    <li>Ncurses 5.7
    <li>Binutils 2.17 (+ patches)
    <li>Gdb 6.3 (+ patches)
    <li>Awk Aug 10, 2011 version
    <li>Expat 2.2.6
    </ul>
</ul>
</section>

<hr>

<section id=install>
<h3>How to install</h3>
<p>
Please refer to the following files on the mirror site for
extensive details on how to install OpenBSD 6.5 on your machine:

<ul>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.5/alpha/INSTALL.alpha">
	.../OpenBSD/6.5/alpha/INSTALL.alpha</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.5/amd64/INSTALL.amd64">
	.../OpenBSD/6.5/amd64/INSTALL.amd64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.5/arm64/INSTALL.arm64">
	.../OpenBSD/6.5/arm64/INSTALL.arm64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.5/armv7/INSTALL.armv7">
	.../OpenBSD/6.5/armv7/INSTALL.armv7</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.5/hppa/INSTALL.hppa">
	.../OpenBSD/6.5/hppa/INSTALL.hppa</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.5/i386/INSTALL.i386">
	.../OpenBSD/6.5/i386/INSTALL.i386</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.5/landisk/INSTALL.landisk">
	.../OpenBSD/6.5/landisk/INSTALL.landisk</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.5/loongson/INSTALL.loongson">
	.../OpenBSD/6.5/loongson/INSTALL.loongson</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.5/luna88k/INSTALL.luna88k">
	.../OpenBSD/6.5/luna88k/INSTALL.luna88k</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.5/macppc/INSTALL.macppc">
	.../OpenBSD/6.5/macppc/INSTALL.macppc</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.5/octeon/INSTALL.octeon">
	.../OpenBSD/6.5/octeon/INSTALL.octeon</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.5/sgi/INSTALL.sgi">
	.../OpenBSD/6.5/sgi/INSTALL.sgi</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.5/sparc64/INSTALL.sparc64">
	.../OpenBSD/6.5/sparc64/INSTALL.sparc64</a>
</ul>
</section>

<hr>

<section id=quickinstall>
<p>
Quick installer information for people familiar with OpenBSD, and the use of
the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!

<h3>OpenBSD/alpha:</h3>

<p>
Write <i>floppy65.fs</i> or <i>floppyB65.fs</i> (depending on your machine)
to a diskette and enter <i>boot dva0</i>.
Refer to INSTALL.alpha for more details.

<p>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.

<h3>OpenBSD/amd64:</h3>

<p>
If your machine can boot from CD, you can write <i>install65.iso</i> or
<i>cd65.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.

<p>
If your machine can boot from USB, you can write <i>install65.fs</i> or
<i>miniroot65.fs</i> to a USB stick and boot from it.

<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.

<p>
If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.

<h3>OpenBSD/arm64:</h3>

<p>
Write <i>miniroot65.fs</i> to a disk and boot from it after connecting
to the serial console.  Refer to INSTALL.arm64 for more details.

<h3>OpenBSD/armv7:</h3>

<p>
Write a system specific miniroot to an SD card and boot from it after connecting
to the serial console.  Refer to INSTALL.armv7 for more details.

<h3>OpenBSD/hppa:</h3>

<p>
Boot over the network by following the instructions in INSTALL.hppa or the
<a href="hppa.html#install">hppa platform page</a>.

<h3>OpenBSD/i386:</h3>

<p>
If your machine can boot from CD, you can write <i>install65.iso</i> or
<i>cd65.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.

<p>
If your machine can boot from USB, you can write <i>install65.fs</i> or
<i>miniroot65.fs</i> to a USB stick and boot from it.

<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.

<p>
If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.

<h3>OpenBSD/landisk:</h3>

<p>
Write <i>miniroot65.fs</i> to the start of the CF
or disk, and boot normally.

<h3>OpenBSD/loongson:</h3>

<p>
Write <i>miniroot65.fs</i> to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.

<h3>OpenBSD/luna88k:</h3>

<p>
Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.

<h3>OpenBSD/macppc:</h3>

<p>
Burn the image from a mirror site to a CDROM, and power on your machine
while holding down the <i>C</i> key until the display turns on and
shows <i>OpenBSD/macppc boot</i>.

<p>
Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
/6.5/macppc/bsd.rd</i>

<h3>OpenBSD/octeon:</h3>

<p>
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.

<h3>OpenBSD/sgi:</h3>

<p>
To install, burn cd65.iso on a CD-R, put it in the CD drive of your
machine and select <i>Install System Software</i> from the System Maintenance
menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
CD-ROM, and need a proper invocation from the PROM prompt.
Refer to the instructions in INSTALL.sgi for more details.

<p>
If your machine doesn't have a CD drive, you can setup a DHCP/tftp network
server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
system type. Refer to the instructions in INSTALL.sgi for more details.

<h3>OpenBSD/sparc64:</h3>

<p>
Burn the image from a mirror site to a CDROM, boot from it, and type
<i>boot cdrom</i>.

<p>
If this doesn't work, or if you don't have a CDROM drive, you can write
<i>floppy65.fs</i> or <i>floppyB65.fs</i>
(depending on your machine) to a floppy and boot it with <i>boot
floppy</i>. Refer to INSTALL.sparc64 for details.

<p>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.

<p>
You can also write <i>miniroot65.fs</i> to the swap partition on
the disk and boot with <i>boot disk:b</i>.

<p>
If nothing works, you can boot over the network as described in INSTALL.sparc64.
</section>

<hr>

<section id=upgrade>
<h3>How to upgrade</h3>
<p>
If you already have an OpenBSD 6.4 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
<a href="faq/upgrade65.html">Upgrade Guide</a>.
</section>

<hr>

<section id=sourcecode>
<h3>Notes about the source code</h3>
<p>
<code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/src.tar.gz</kbd>
</pre></blockquote>
<p>
<code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src/sys</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
</pre></blockquote>
<p>
Both of these trees are a regular CVS checkout.  Using these trees it
is possible to get a head-start on using the anoncvs servers as
described <a href="anoncvs.html">here</a>.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
</section>

<hr>

<section id=ports>
<h3>Ports Tree</h3>
<p>
A ports tree archive is also provided.  To extract:
<blockquote><pre>
# <kbd>cd /usr</kbd>
# <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
</pre></blockquote>
<p>
Go read the <a href="faq/ports/index.html">ports</a> page
if you know nothing about ports
at this point.  This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.
<p>
The <i>ports/</i> directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
<a href="anoncvs.html">AnonCVS</a>.
So, in order to keep up to date with the -stable branch, you must make
the <i>ports/</i> tree available on a read-write medium and update the tree
with a command like:
<blockquote><pre>
# <kbd>cd /usr/ports</kbd>
# <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_5</kbd>
</pre></blockquote>
<p>
[Of course, you must replace the server name here with a nearby anoncvs
server.]
<p>
Note that most ports are available as packages on our mirrors. Updated
ports for the 6.5 release will be made available if problems arise.
<p>
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
<a href="mail.html">ports@openbsd.org</a> is a good place to know.
</section>