<!doctype html>
<html lang=en id=release>
<head>
<meta charset=utf-8>
<title>OpenBSD 7.2</title>
<meta name="description" content="OpenBSD 7.2">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/72.html">
</head><body>
<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
7.2
</h2>
<table>
<tr>
<td>
<a href="images/OneFishTwoFish.png">
<img width="227" height="303" src="images/OneFishTwoFish-s.gif" alt="One Fish, Two Fish, Blowfish..."></a>
<td>
Released Oct 20, 2022. (53rd OpenBSD release)<br>
Copyright 1997-2022, Theo de Raadt.<br>
<br>
Artwork by Jon Chad.
<br>
<ul>
<li>See the information on <a href="ftp.html">the FTP page</a> for
a list of mirror machines.
<li>Go to the <code class=reldir>pub/OpenBSD/7.2/</code> directory on
one of the mirror sites.
<li>Have a look at <a href="errata72.html">the 7.2 errata page</a> for a list
of bugs and workarounds.
<li>See a <a href="plus72.html">detailed log of changes</a> between the
7.1 and 7.2 releases.
<p>
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
pubkeys for this release:<p>
<table class=signify>
<tr><td>
openbsd-72-base.pub:
<td>
<a href="https://ftp.openbsd.org/pub/OpenBSD/7.2/openbsd-72-base.pub">
RWQTKNnK3CZZ8Lid7/kWPO1WxjEsTeuxiXbJSSg6RDir9OJmV+t7GrOo</a>
<tr><td>
openbsd-72-fw.pub:
<td>
RWRvwsB/ZxwZxiQBgNVhuCnEacKE1MhrcDX25jFccqaj0pxsY9oIPJq4
<tr><td>
openbsd-72-pkg.pub:
<td>
RWSyNc+EwQQo5bZ5XtDpnk0FUl8NrIl+Ocq4FV/5VTvP9rOgHzKEnBx0
<tr><td>
openbsd-72-syspatch.pub:
<td>
RWQuBB7PRAc2Zy+C7VAynLuan8WDVtQ9R4xLpl8yjf1zxfqEBRRJ+66w
</table>
</ul>
<p>
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via <code>ports.tar.gz</code>.
</table>
<hr>
<section id=new>
<h3>What's New</h3>
<p>
This is a partial list of new features and systems included in OpenBSD 7.2.
For a comprehensive list, see the <a href="plus72.html">changelog</a> leading
to 7.2.
<ul>
<li>New/extended platforms:
<ul>
<li>Added support for Ampere Altra
<li>Added support for Apple M2
<li>Added support for Lenovo ThinkPad x13s and other machines using
the Qualcomm Snapdragon 8cx Gen 3 (SC8280XP) SoC.
</ul>
<li>Various kernel improvements:
<ul>
<li>Allowed bsd.rd and bsd/bsd.mp to boot on Oracle Cloud amd64 instances.
<li>Added support for switching from glass console to serial console
on arm64 systems that default to glass console.
<li><a href="https://man.openbsd.org/pf.4">pf(4)</a> automatically allows
IGMP and ICMP6 MLD packets with the router alert option.
Special allow-opts rules are no longer needed for multicast
discovery.
<li>Fixed a <a href="https://man.openbsd.org/pf.4">pf(4)</a> NULL
dereference panic triggered by <a
href="https://man.openbsd.org/relayd.8">relayd(8)</a>.
<li>Implement "show all routes" to print routing tables in
<a href="https://man.openbsd.org/ddb.4">ddb(4)</a>.
<li>Added a method (ESC D) to enter <a
href="https://man.openbsd.org/ddb.4">ddb(4)</a> on serial drivers that
do not have a true BREAK mechanism.
<li>Added "show all routes" and the ability to show individual routes
(e.g. "show route 0xfffffd807e9b0000") to <a
href="https://man.openbsd.org/ddb.4">ddb(4)</a>.
<li>Added a "show swap" command to <a
href="https://man.openbsd.org/ddb.4">ddb(4)</a> to help debugging.
<li>Count dropped network packets due to low memory in
<a href="https://man.openbsd.org/netstat.1">netstat(1)</a>.
<li>Simplified machine command handling in <a
href="https://man.openbsd.org/ddb.4">ddb(4)</a>.
<li>Changed to a simpler formula to calculate a default kern.maxthread
value: 2*NPROCESS.
<li>Enabled <a href="https://man.openbsd.org/kstat.4">kstat(4)</a>, a
device that exports kernel statistics that can be read by <a
href="https://man.openbsd.org/kstat.1">kstat(1)</a>.
<li>Added CPU frequency sensors for each core on CPUs that have MPERF/APERF support.
<li>Merged the UVM swap-backed and object-backed inactive page lists.
<li>Fixed <a href="https://man.openbsd.org/rwlock.9">rwlock(9)</a>
implementation to be fair to writers. Previously, readers could grab
the lock even if writers were waiting first.
<li>Made the CPU frequency scaling duration relative to the load
when in automatic mode on battery.
<li>Fixed luna88k MULTIPROCESSOR kernels booting with CPU modules
installed in arbitrary slots.
<li>Added a missing <a
href="https://man.openbsd.org/kqueue.2">kqueue(2)</a> wakeup, found by
a Go testcase hang.
<li>Bumped the maximum number of supported CPUs to 256 on arm64.
<!-- XXX should the following be here (swapper, pmem...) or maybe one entry describing them together? -->
<li>Ensure uvm_swap_io() can succeed, even in out of memory
situations, by reserving a second segment for the page daemon.
<li>Ensured progress in the swapper by pre-allocating pages in a DMA-reachable region.
<li>Made the page daemon consider pmemrange regions when trying to
free pages from the inactive list. Previously the page daemon could
use a lot of CPU without freeing a page because the global limits were
satisfied.
<li>Ensured that uvm_swap_get() will always sleep rather than
returning an error. Previously an error could be returned to the fault
handler which would result in processes dying when a system was under
a lot of memory pressure.
<!-- ... up to here -->
<li>Added support for using non-standard UARTs (such as the Synopsys
DesignWare UART) as an early console.
<li>Remove NexGen CPU identification code as the kernel cannot run on these CPUs anyway.
<li>Remove Rise CPU identification code.
<li>Dropped detection code for 386sx/386dx CPUs. OpenBSD/i386 hasn't
actually supported running on either for some time.
<li>Dropped detection code for Cyrix CPUs older than the Cyrix M2.
<li>Implemented the fundamentals for suspend/resume on arm64.
<li>Simplified TSC synchronization testing on amd64.
<li>Corrected sparc64 ofwboot to default to the <a
href="https://man.openbsd.org/softraid.4">softraid(4)</a> volume on the
boot device to make root on softraid work out of the box on sparc64
and be more consistent with softraid boot on other architectures.
<li>Removed the obsolete kern.nselcoll <a
href="https://man.openbsd.org/sysctl.2">sysctl(2)</a>.
<li>Changed mips64, octeon, and loongson to trigger deferred clock
interrupts from <a href="https://man.openbsd.org/splx.9">splx(9)</a>.
This isolates the clock interrupt schedule from the MD clock interrupt
code.
<li>Fixed a potential kernel panic when an msdos partition is out
of space by fixing instances where msdosfs passed a NULL proc pointer
to detrunc().
<li>Add a delay_init() function that helps on i386 and amd64
architectures in setting up delay_func for different timers and
switching between them depending on their quality properties. This
improves how timers backing <a
href="https://man.openbsd.org/delay.9">delay(9)</a> are managed.
<li>Ensured <a href="https://man.openbsd.org/disklabel.5">disklabel(5)</a> is
read from/written to disk only from/to unused space or an OpenBSD partition.
<li>Ensured GPT header data is not used until all validity checks are passed.
<li>Corrected handling of GPT usable LBA start/end values, preventing incorrect fallback to
MBR partitioning.
<li>Ignored size of OpenBSD GPT partition when searching for the
<a href="https://man.openbsd.org/disklabel.5">disklabel(5)</a>,
as has always been done for MBR OpenBSD partition.
</ul>
<li>SMP Improvements
<ul>
<li>Make route timer MP safe and use rttimer pool.
<li>Use kernel lock to protect parts of ARP, ND6 and PPPoE that
are not MP safe.
Lookup of existing ARP entries is MP safe and can run in parallel.
<li>Start up to 4 softnet tasks to run IP input and forwarding
in parallel on multiple cores.
<li>Run IPv4 packet reassembly in parallel.
<li>Run IPv6 hop-by-hop options processing in parallel.
<li>Add a mutex to rate limiting functions to make them MP safe.
<li>Introduce mutex and reference counter for internet protocol
control block.
<li>Protect <a href="https://man.openbsd.org/udp.4">UDP</a>, raw <a
href="https://man.openbsd.org/ip.4">IP</a>, and <a
href="https://man.openbsd.org/divert.4">divert</a> packet input
routines with a per-socket mutex.
<li>Protect <a href="https://man.openbsd.org/recv.2">recv(2)</a> system call
for UDP and raw IP packets with a per-socket mutex and shared netlock.
This allows receiving packets while forwarding in parallel.
<li>Protect multicast deliver loop for UDP and raw IP sockets with rwlock.
<li>Only grab netlock in IGMP and MLD timer when necessary.
<li>TCP slow timer runs without netlock.
<li>Rework rwlock so that a writer will get the lock eventually.
Readers cannot share the lock forever.
This prevents starvation of the writer.
<li>Run interface media ioctl with shared netlock so packets
can be processed while running
<a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>.
<li><a href="https://man.openbsd.org/btrace.8">btrace(8)</a> can be used
to debug reference counting.
<li>Use MP safe refcount for interface addresses.
<li>Unlocked <a href="https://man.openbsd.org/kbind.2">kbind(2)</a>.
<li>Unlocked the <a href="https://man.openbsd.org/pledge.2">pledge(2)</a> system call.
<li>Made <a href="https://man.openbsd.org/unix.4">UNIX</a> domain
sockets locking per-socket rather than coarse locking of the entire
domain sockets layer.
</ul>
<li>Direct Rendering Manager and graphics drivers
<ul>
<li>Updated <a href="https://man.openbsd.org/drm.4">drm(4)</a>
to Linux 5.15.69
<li><a href="https://man.openbsd.org/inteldrm.4">inteldrm(4)</a>:
support for Alder Lake, Raptor Lake
<li>Reimplemented the TTM page allocation code using <a
href="https://man.openbsd.org/bus_dma.9">bus_dma(9)</a> APIs to make
sure DMA addresses are translated properly on architectures with an
IOMMU. This fixed <a
href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a> and <a
href="https://man.openbsd.org/radeondrm.4">radeondrm(4)</a> on
powerpc64, sparc64, and arm64 machines with SMMU.
<li>Implemented support for framebuffers that don't start on a page
boundary (like those on the 2021 14" and 16" MacBook Pro).
<li>Added handling for framebuffers where the first pixel isn't
page-aligned to <a href="https://man.openbsd.org/wsfb.4">wsfb(4)</a>.
<li>Fixed <a href="https://man.openbsd.org/Xorg.1">Xorg(1)</a> when
using the luna88k 1bpp framebuffer hardware.
</ul>
<li>VMM/VMD improvements
<ul>
<li>Improved error handling and logging in <a
href="https://man.openbsd.org/vmd.8">vmd(8)</a>
<li>Unify all internal structures and interfaces between <a
href="https://man.openbsd.org/vmd.8">vmd(8)</a>, <a
href="https://man.openbsd.org/vmctl.8">vmctl(8)</a> and <a
href="https://man.openbsd.org/vmm.4">vmm(4)</a> to use bytes for
memory and disk sizes.
<li>Fix rebooting a received VM in <a
href="https://man.openbsd.org/vmd.8">vmd(8)</a>.
<li>Have <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> provide
a copy of bios at 4g boundary. SeaBIOS and newer Linux kernels expect
it there.
<li>In <a href="https://man.openbsd.org/vmd.8">vmd(8)</a>, fix off by
one in VM memory range check.
<li>In <a href="https://man.openbsd.org/vmd.8">vmd(8)</a>, add
support for MMIO assist. In <a
href="https://man.openbsd.org/vmm.4">vmm(4)</a>, send all port I/O
emulation to userland.
<li>Have <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> compute
i8254 read-back command latch from singular timestamp.
<li>Improve the command line parsing in <a
href="https://man.openbsd.org/vmctl.8">vmctl(8)</a>.
<li>Let <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> allow
reading MSR_TSC on Intel hosts.
<li>In <a href="https://man.openbsd.org/vmm.4">vmm(4)</a>, reference
count VMs and VCPUs.
<li>In <a href="https://man.openbsd.org/vmm.4">vmm(4)</a>, zero
virtual addresses of VCPU state pages after freeing.
<li>Fix `vmctl send` on Intel hosts by loading the vmcs before reading
VCPU registers in <a href="https://man.openbsd.org/vmm.4">vmm(4)</a>.
<li>Fix `vmctl receive` on Intel hosts by adding an additional fault
type in <a href="https://man.openbsd.org/vmm.4">vmm(4)</a>.
<li>Add additional <a href="https://man.openbsd.org/dt.4">dt(4)</a>
tracepoints in various <a
href="https://man.openbsd.org/vmm.4">vmm(4)</a> codepaths.
<li>Add <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>
AgentX support based around VM-MIB (RFC7666).
</ul>
<li>Various new userland features:
<ul>
<li>Replaced <a href="https://man.openbsd.org/rc.d.8">rc.d(8)</a>
$rcexec variable with an rc_exec function. <em>This will require a
mechanical change from <code>${rcexec}</code> to <code>rc_exec</code>
in rc.d scripts.</em> Kept compatibility to give people a chance to
fix their custom scripts.
<li>Introduced a new daemon_execdir variable to <a
href="https://man.openbsd.org/rc.d.8">rc.d(8)</a> for changing to a
specified directory before running rc_exec.
<li>Added <a href="https://man.openbsd.org/ts.1">ts(1)</a>, a
timestamp utility.
<li>Add a new <i>configtest</i> action to <a
href="https://man.openbsd.org/rc.d.8">rc.d(8)</a> and <a
href="https://man.openbsd.org/rcctl.8">rcctl(8)</a> to check
configuration syntax of a daemon.
<li>Added forest (-f) mode to <a
href="https://man.openbsd.org/ps.1">ps(1)</a>.
</ul>
<li>Various bugfixes and tweaks in userland:
<ul>
<!-- openrsync -->
<li>Fixed <a href="https://man.openbsd.org/openrsync.1">openrsync(1)</a>
on sparc64 by eliminating a redundant second conversion of the int
value from little to host endian.
<li>Added connection timeout functionality to <a
href="https://man.openbsd.org/openrsync.1">openrsync(1)</a> via the
--contimeout option.
<li>Set the default <a
href="https://man.openbsd.org/openrsync.1">openrsync(1)</a> connection
timeout that <a
href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> uses
to 15 seconds.
<!-- pkg_add -->
<li>Made use of the fact that repositories are unique objects in <a
href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a> and annotated
the quirks repository as cached, allowing for a large speed increase.
<li>Enabled <a href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a> caching by default.
<li>Changed the tied algorithm in <a
href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a> to prevent
O(n^2) behavior when packages contain several hundred copies of the
same file.
<li>Added a "processing" message for when <a
href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a> is
transferring data to inform the user that pkg_add is still working.
<!-- fdisk -->
<li>Added missing uuid_dec_le() to init_gp() so <a
href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> -A works on
big-endian architectures.
<li>Aligned <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
logic with that used in the kernel to allow the protective EFI GPT
partition to be in MBR partitions 0-3, not just 0.
<li>Prevented use of "-u" when <a
href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> is operating on
GPT formatted disks.
<li>Stopped telling <a
href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> that macppc
HAS_MBR.
<li>Made <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
reject input of excessive length.
<li>Fixed an <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
regression to allow editing an MBR of all zeroes.
<li>Changed <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> to
restrict user actions if neither GPT nor MBR structures can be found
on the disk.
<li>Made <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> print
a warning when an MBR partition starts or extends past the end of the
device.
<li>Made <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> print
a warning when a GPT partition start or end is outside the usable LBA
area of the device.
<li>Made <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
display "Microsoft basic data" instead of
"FAT12" for GPT_UUID_MSDOS partitions.
<li>Made <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> print
GPT attributes in verbose output.
<li>Made <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> use the
correct GPT bootable attribute bit.
<li>Made <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> not
spoof GPT partitions with the attribute REQUIRED.
<li>Made <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
ensure GPT headers, table entries and usable area don't
overlap each other.
<!-- disklabel/disktab -->
<li>Removed <a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
ability to edit disk geometry information.
<li>Removed <a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
and <a href="https://man.openbsd.org/disktab.5">disktab(5)</a> support
for 'bs' (bootblock size) and 'sb' (superblock size) attributes.
<li>Added keyword 'raid' to
<a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
template files, allowing auto-allocation of RAID partitions.
<li>Removed <a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
support for <a href="https://man.openbsd.org/disktab.5">disktab(5)</a>
'd[0-4]' (drive data) attributes.
<!-- btrace -->
<li>Installed useful <a
href="https://man.openbsd.org/btrace.8">btrace(8)</a> scripts in
/usr/share/btrace.
<li>Made <a href="https://man.openbsd.org/btrace.8">btrace(8)</a>
execute the END probe upon receiving a SIGTERM signal.
<!-- netstart/rc -->
<li>Moved the wait for autoconf interfaces from <a
href="https://man.openbsd.org/rc.8">rc(8)</a> to <a
href="https://man.openbsd.org/netstart.8">netstart(8)</a> to fix
tunnel interfaces that depend on working autoconf interfaces.
<li>Made <a href="https://man.openbsd.org/netstart.8">netstart(8)</a>
create virtual interfaces up front if specified on the command line.
<li>Changed <a
href="https://man.openbsd.org/rc.subr.8">rc.subr(8)</a> to copy the
message to stdout when using <a
href="https://man.openbsd.org/logger.1">logger(1)</a> to avoid needing
to check syslog when running in debug mode.
<li>Fixed <a href="https://man.openbsd.org/kbd.8">kbd(8)</a> so it
doesn't fail silently when executed by a regular user.
<li>In the <i>sndio</i> library, added the function <a
href="https://man.openbsd.org/sio_flush.3">sio_flush(3)</a> to stop
playback immediately. Altered <a
href="https://man.openbsd.org/sndiod.8">sndiod(8)</a> to wait until
the buffer is drained before closing the device.
<li>Made <a href="https://man.openbsd.org/xterm.1">xterm(1)</a> use a
much safer FD-passing idiom for updating <a
href="https://man.openbsd.org/utmp.5">utmp(5)</a>.
<li>Prevented a crash in <a
href="https://man.openbsd.org/vi.1">vi(1)</a> when cursor key support is
disabled.
<li>Updated <a href="https://man.openbsd.org/vi.1">vi(1)</a> to apply
expandtab to the output of a ! command.
<li>Made <a href="https://man.openbsd.org/mg.1">mg(1)</a>
automatically delete trailing whitespace on RET in c-mode and
auto-indent-mode.
<li>Made <a href="https://man.openbsd.org/grep.1">grep(1)</a> provide
full context when using match count (<code>-m</code>)
<li>Added the --null flag to <a
href="https://man.openbsd.org/grep.1">grep(1)</a> which makes grep
print an ASCII NUL byte after the file name to make the output
unambiguous.
<li>Fixed multiple memory leaks in <a
href="https://man.openbsd.org/awk.1">awk(1)</a>.
<li>Changed <a href="https://man.openbsd.org/compress.1">compress(1)</a>
to print a more accurate message when -v is used with -k.
<li>Fixed <a href="https://man.openbsd.org/gzip.1">gzip(1)</a> byte
counts with 32-bit integers.
<li>Fixed the growth check in <a
href="https://man.openbsd.org/compress.1">compress(1)</a> and <a
href="https://man.openbsd.org/gzip.1">gzip(1)</a> in cases of small
files or files with sufficiently random data.
<li>Made <a href="https://man.openbsd.org/timeout.1">timeout(1)</a> -s
accept HUP like <a href="https://man.openbsd.org/kill.1">kill(1)</a>
and GNU timeout(1) do.
<li>Updated capitals and countries in the game <a
href="https://man.openbsd.org/quiz.6">quiz(6)</a>.
<li>Set default sleep value of <a
href="https://man.openbsd.org/ico.1">ico(1)</a> to 10ms.
<li>Fixed a bug in <a
href="https://man.openbsd.org/cron.8">cron(8)</a> where it could exit
silently if <a href="https://man.openbsd.org/ppoll.2">ppoll(2)</a>
exited. Now it will log to <a
href="https://man.openbsd.org/syslog.3">syslog(3)</a> instead of
stderr.
<li>Added <a
href="https://man.openbsd.org/llvm-profdata.1">llvm-profdata(1)</a> to
base so that ports can benefit from profiled builds.
<li>Changed <a href="https://man.openbsd.org/rc.8">rc(8)</a> to only
attempt to set the <a href="https://man.openbsd.org/yp.8">yp(8)</a>
domainname if it has not been set yet.
<li>Raised the "staff" login class data-size-cur on arm64 to be the
same as that for amd64 in <a
href="https://man.openbsd.org/login.conf.5">login.conf(5)</a> (1536M).
<li>Fixed <a href="https://man.openbsd.org/patch.1">patch(1)</a>
locate-hunk in empty files.
<li>Fixed <a href="https://man.openbsd.org/patch.1">patch(1)</a> in
the case of reversing a patch that creates a file.
<li>Added seconds to the uptime display of <a
href="https://man.openbsd.org/top.1">top(1)</a>.
<li>Made <a href="https://man.openbsd.org/putenv.3">putenv(3)</a>
return an error if the string starts with the '=' character. This
matches the behavior on FreeBSD and NetBSD.
<li>Fixed overflow of the number of errors in <a
href="https://man.openbsd.org/renice.8">renice(8)</a> by setting error
instead of incrementing it.
<li>Removed the "-c" compatibility option from <a
href="https://man.openbsd.org/vnconfig.8">vnconfig(8)</a>.
<li>Stopped <a
href="https://man.openbsd.org/vnconfig.8">vnconfig(8)</a> from
printing the device name on failure.
<li>Print a message when <a
href="https://man.openbsd.org/ld.so.1">ld.so(1)</a> fails inside <a
href="https://man.openbsd.org/execve.2">execve(2)</a> to clarify the
failure mode when a dynamic executable is run while /usr isn't
mounted.
<li>Improved <a href="https://man.openbsd.org/bioctl.8">bioctl(8)</a>
RAID level parsing to check numeric levels before checking single
character levels. This allows recognition of RAID 10 as a valid but
unsupported level.
<li>Fixed <a
href="https://man.openbsd.org/installboot.8">installboot(8)</a>
messaging when verbose (-v) and dry-run (-n) modes are combined with
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a>.
<li>Sped up <a href="https://man.openbsd.org/wc.1">wc(1)</a> word counting.
</ul>
<li>Improved hardware support and driver bugfixes, including:
<ul>
<li>New <a href="https://man.openbsd.org/arm64/aplaudio.4">aplaudio(4)</a>
driver for Apple audio subsystem.
<li>New <a href="https://man.openbsd.org/arm64/aplmca.4">aplmca(4)</a>
driver for Apple MCA controller.
<li>New <a href="https://man.openbsd.org/arm64/aplsart.4">aplsart(4)</a>
driver for Apple SART address filter.
<li>New apldc, apldchidev, apldckbd, apldcms, and aplrtk drivers for
keyboard and trackpad on Apple M2 laptops.
<li>New <a href="https://man.openbsd.org/arm64/qcgpio.4">qcgpio(4)</a>
driver for Qualcomm Snapdragon GPIO controller.
<li>New <a href="https://man.openbsd.org/arm64/qciic.4">qciic(4)</a>
driver for Qualcomm Snapdragon GENI I2C controller.
<li>New <a href="https://man.openbsd.org/riscv64/sfgpio.4">sfgpio(4)</a>
driver for SiFive GPIO controller.
<li>New <a href="https://man.openbsd.org/riscv64/stfclock.4">stfclock(4)</a>
driver for StarFive JH7100 clock controller.
<li>New <a href="https://man.openbsd.org/riscv64/stfpinctrl.4">stfpinctrl(4)</a>
driver for StarFive JH7100 pin configuration.
<li>New stftemp
driver for StarFive JH7100 temperature sensor.
<li>New <a href="https://man.openbsd.org/sxirintc.4">sxirintc(4)</a>
driver for Allwinner wakeup interrupt controller.
<li>New gpiorestart
driver for system reset via GPIO pin.
<li>Added support for more power sensors to <a
href="https://man.openbsd.org/ipmi.4">ipmi(4)</a>.
<li>Added support for the <a
href="https://man.openbsd.org/ehci.4">ehci(4)</a> controller on
Marvell 3720 boards.
<li>Extended <a href="https://man.openbsd.org/ksmn.4">ksmn(4)</a> to
show CCD temperatures if available.
<li>Fixed missing interrupts for trackpads on some machines after
resume by making sure <a
href="https://man.openbsd.org/amdgpio.4">amdgpio(4)</a> restores pin
configuration on resume.
<li>Added FIFO support and allow baud rate changes to
<a href="https://man.openbsd.org/pluart.4">pluart(4)</a>.
<li>Added support for the Synopsys DesignWare UART found on the Ryzen
Embedded V1000 SoCs to <a
href="https://man.openbsd.org/com.4">com(4)</a>.
<li>Added <a href="https://man.openbsd.org/xhci.4">xhci(4)</a> support
for the dual role controllers integrated on the Qualcomm Snapdragon
8cx gen 3 SoC.
<li>Added support for using the power button to wake up from suspend
to <a href="https://man.openbsd.org/axppmic.4">axppmic(4)</a>.
<li>Modified <a href="https://man.openbsd.org/pms.4">pms(4)</a> to
discard relative movement packets outside of the [-127, 127] range to
prevent cursor jumps when using the trackpoint on some Lenovo laptops.
<li>Allowed <a href="https://man.openbsd.org/spdmem.4">spdmem(4)</a>
to attach to <a
href="https://man.openbsd.org/loongson/gdiumiic.4">gdiumiic(4)</a>.
<li>Make <a href="https://man.openbsd.org/spdmem.4">spdmem(4)</a>
attach on 2F-based loongson systems.
<li>Added power button support to <a
href="https://man.openbsd.org/arm64/aplsmc.4">aplsmc(4)</a>.
<li>Changed the <a href="https://man.openbsd.org/mfii.4">mfii(4)</a>
RAID controller driver to allow the firmware more time to transition
out of the UNDEFINED state.
<li>Added Wacom One S (CTL-472) support to <a
href="https://man.openbsd.org/uwacom.4">uwacom(4)</a>.
</ul>
<li>New or improved network hardware support:
<ul>
<li>Increased rx buffer size on <a
href="https://man.openbsd.org/uaq.4">uaq(4)</a> to 62kB.
<li>Repaired <a href="https://man.openbsd.org/rge.4">rge(4)</a>
hardware VLAN tagging.
<li>Provide statistics via kstats for <a
href="https://man.openbsd.org/mvneta.4">mvneta(4)</a>.
<li>Enabled <a href="https://man.openbsd.org/aq.4">aq(4)</a> on arm64.
<li>Implemented and enabled IPv4, TCP, and UDP checksum offloading for
<a href="https://man.openbsd.org/igc.4">igc(4)</a>.
<li>Fixed a panic triggered by ifconfig bnxt0 down by changing <a
href="https://man.openbsd.org/bnxt.4">bnxt(4)</a> devices to not run
rx and tx interrupt handlers when the interface is not running.
<li>Introduced Large Receive Offloading of TCP segments in
<a href="https://man.openbsd.org/ix.4">ix(4)</a>. Also added a tso
option to <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>
to enable and disable this feature.
</ul>
<li>Added or improved wireless network drivers:
<ul>
<li>Made device matching in <a
href="https://man.openbsd.org/iwx.4">iwx(4)</a> more similar to Linux
iwlwifi in order to recognize more devices.
<li>Added support for AX210/AX211 devices to <a
href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
<li>Fixed <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> setting
of HT/VHT bits in rate flags of the Tx command that could cause a
firmware panic.
<li>Added handling of 9k devices which do not support antenna B to <a
href="https://man.openbsd.org/iwm.4">iwm(4)</a>.
<li>Fixed <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a>
ifconfig media display on devices with sta_info command version 3.
<li>Fixed a <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> crash during USB detach.
<li>Fixed detection of the Rx data rate on rtl8192eu <a
href="https://man.openbsd.org/urtwn.4">urtwn(4)</a> devices.
<li>Fixed integer overflows in the <a
href="https://man.openbsd.org/iwm.4">iwm(4)</a> and <a
href="https://man.openbsd.org/iwx.4">iwx(4)</a> firmware file parsers.
</ul>
<li>IEEE 802.11 wireless stack improvements and bugfixes:
<ul>
<li>Make sure drivers initialize all of ieee80211_rxinfo struct.
</ul>
<li>Installer, upgrade and bootloader improvements:
<ul>
<li>Fixed the watchdog in the installer so that it is reset
after each download and each set installation.
<li>Ensured that running <a
href="https://man.openbsd.org/sysupgrade.8">sysupgrade(8)</a> on
-stable will move to the next release, not -current.
<li>Added the -b option to <a
href="https://man.openbsd.org/sysupgrade.8">sysupgrade(8)</a> to set
an alternative base directory to which the installation files will be
downloaded.
<li>Increased the <a
href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> auto
partitioner's maximum size for /usr to 30G.
<li>Altered installer behavior so the <a
href="https://man.openbsd.org/vlan.4">vlan(4)</a> question won't be
asked unless another network interface exists.
<li>Added support for wildcards in <a
href="https://man.openbsd.org/fw_update.8">fw_update(8)</a> patterns.
<!-- bootblock stuff -->
<li>Added support for booting from RAID 1C <a
href="https://man.openbsd.org/softraid.4">softraid(4)</a> volumes on
amd64, sparc64 and arm64.
<li>Added NFS client support to the luna88k RAMDISK kernel.
<li>Made the EFI bootloader provide the extra parameters necessary to
use non-standard UARTs on the AMD Ryzen Embedded V1000 SoCs as console.
<li>Switched bootloaders to the extended BOOTARG_CONSDEV struct.
<li>Added UFS2 support to landisk boot blocks.
<li>Removed "force CHS" capability from <a href="https://man.openbsd.org/biosboot.8">biosboot(8)</a>
</ul>
<li>Security improvements:
<ul>
<li>Implemented privilege separation in <a
href="https://man.openbsd.org/xlock.1">xlock(1)</a>.
<li>Added privilege separation to <a
href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>.
<li>The TZ environment variable no longer supports absolute paths,
to fit better into the <a
href="https://man.openbsd.org/pledge.2">pledge(2)</a> bypass model.
<li>AF_UNIX socket <a
href="https://man.openbsd.org/bind.2">bind(2)</a> and <a
href="https://man.openbsd.org/connect.2">connect(2)</a> now follow <a
href="https://man.openbsd.org/unveil.2">unveil(2)</a> configuration.
<li>New <a
href="https://man.openbsd.org/ypconnect.2">ypconnect(2)</a> system
call creates a socket based upon the IP address encoded directly in a
locked ypbinding file, thereby removing a horrible hack to support YP
lookups in programs using strong
<a href="https://man.openbsd.org/pledge.2">pledge(2)</a> rules.
<li>Processes that pledge("vminfo") may now use the read-only <a
href="https://man.openbsd.org/swapctl.2">swapctl(2)</a> operations
SWAP_NSWAP and SWAP_STATS providing information on swap devices.
<li>Randomized the rekey interval of <a
href="https://man.openbsd.org/arc4random.3">arc4random(3)</a>.
<li>Reduce the attack surface by introducing a 'local bind' mode to
<a href="https://man.openbsd.org/ypldap.8">ypldap(8)</a>. In this mode
ypldap binds its RPC sockets to loopback, so YP services are only
available to the host it's running on. ypldap writes the YP binding
file in /var/yp/binding itself and replaces <a
href="https://man.openbsd.org/ypbind.8">ypbind(8)</a> and <a
href="https://man.openbsd.org/ypserv.8">ypserv(8)</a>. This also
implies that <a
href="https://man.openbsd.org/portmap.8">portmap(8)</a> doesn't need
to be running anymore when local bind mode is used.
<li>Changed the /sbin daemons <a
href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a>, <a
href="https://man.openbsd.org/mountd.8">mountd(8)</a>, <a
href="https://man.openbsd.org/nfsd.8">nfsd(8)</a>, <a
href="https://man.openbsd.org/pflogd.8">pflogd(8)</a>, <a
href="https://man.openbsd.org/resolvd.8">resolvd(8)</a>, <a
href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>, and <a
href="https://man.openbsd.org/unwind.8">unwind(8)</a> to be
dynamically linked to allow them to benefit from all the additional
mitigations that dynamically linked executables gain. NFS mounting of
/usr must now use statically configured IP addresses.
</ul>
<li>Changes in the network stack:
<ul>
<li>Added the <a
href="https://man.openbsd.org/recvmmsg.2">recvmmsg(2)</a> system call
that allows receiving multiple msghdrs at once, and the <a
href="https://man.openbsd.org/sendmmsg.2">sendmmsg(2)</a> syscall that
allows sending multiple msghdrs at once.
<li>Relaxed address availability check for <a
href="https://man.openbsd.org/multicast.4">multicast(4)</a> binds so
processes listening for the same multicast address do not need to be
the same UID.
<li>Introduced dedicated link entries for snapshots to <a
href="https://man.openbsd.org/pfsync.4">pfsync(4)</a>.
<li>Changed <a href="https://man.openbsd.org/pf.4">pf(4)</a> handling
of IGMP and ICMP6 MLD packets to allow multicast control packets to
work by default.
<li>Made <a href="https://man.openbsd.org/pf.4">pf(4)</a> more paranoid about
IGMP/MLD messages.
<li>Fixed a logic bug in pf_find_state() that could cause <a
href="https://man.openbsd.org/pf.4">pf(4)</a> to incorrectly block a
packet.
<li>Fixed <a href="https://man.openbsd.org/pf.4">pf(4)</a> syncookies during fast TCP port reuse.
<li>Fixed a bug in <a href="https://man.openbsd.org/pf.4">pf(4)</a>
where a pool defined like "172.16.0.0/16" would count as a pool size
of one address. Also fixed random selection of source address to be
uniform across the whole pool.
<li>Fixed a kernel panic in <a
href="https://man.openbsd.org/pf.4">pf(4)</a> if IP options with an
ICMP payload were truncated. Such packets will now be dropped instead.
<li>Allow forwarding to and from IPs in the 240/4 range.
<li>Corrected the Virtual Ethernet Bridge <a
href="https://man.openbsd.org/veb.4">veb(4)</a> to avoid calling
if_enqueue from an smr critical section.
<li>Reworked the kroute rttimer code to fix icmp_pmtu_timeout crashes.
<li>Fixed an interrupt storm upon suspend on Amlogic arm64 boards.
<li>Fixed a race between pflow_output_process() and
pflow_clone_destroy() in <a
href="https://man.openbsd.org/pflow.4">pflow(4)</a>.
<li>Added a missing input validation step to <a
href="https://man.openbsd.org/pipex.4">pipex(4)</a> MPPE keylenbits.
</ul>
<li>Routing daemons and other userland network improvements:
<ul>
<li>IPsec support was improved:
<ul>
<li>Made <a href="https://man.openbsd.org/iked.8">iked(8)</a> ignore
any CERT payload after the first rather than failing the exchange when
more than one CERT payload is received.
<li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a> support
for sending certificate chains with intermediate CAs in multiple CERT
payloads.
<li>Added an OpenIKED Vendor ID payload in the <a
href="https://man.openbsd.org/iked.8">iked(8)</a> initial handshake to
make it easier to handle interoperability problems with older versions
in the future.
<li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a>
connection statistics for successful and failed connections, error
types, and other events that can be printed with "ikectl show stats".
</ul>
<li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>,
<ul>
<li>Implement max-communities filter to limit the number of allowed
communities, ext-communities and large-communities.
<li>Fix insertion of additional non-transitive extended communities when
sending out prefixes.
<li>Relax IP address limitation by allowing prefixes in 240/4.
<li>Implement RFC 9234 - Route Leak Prevention and Detection Using Roles
in UPDATE and OPEN Messages.
<li>Full support for RFC 7911 - Advertisement of Multiple Paths in BGP (ADD-PATH).
<li>Improve FIB code, handle IPv6 scoped addresses properly.
<li>Add <a href="https://man.openbsd.org/bgplgd.8">bgplgd(8)</a>,
a FastCGI server providing a REST API to execute
<a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> commands.
<li>Bugfix: <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> could
fail to invalidate nexthops and incorrectly leave them in the FIB or
Adj-RIB-Out.
<li>Speed up <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a>
<code>show rib 10/8 or-longer</code> and <code>show rib 10/8
or-shorter</code>
<li>Switch various static hash tables to RB trees improving
performance on large systems
<li>Export per neighbor pending update and withdraw statistics
<li>Fix race between a neighbor session reset and its update message
backlog
<li>Improve handling of nexthop reachability state changes
<li>Made sure only one <a
href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> roa softreconfig
runner is run at any time.
</ul>
<li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> saw some changes:
<ul>
<li>Allowed more than one CRL URI in certificates.
<li>Do not apply timezone offsets when converting X509 times. X509
times are in UTC and comparing them to times in different timezones
would cause validity problems.
<li>Add support for an operator-configurable skiplist facility.
Operators can specify a list of FQDNs which should not be contacted
when synchronizing the local cache to the network.
<li>Emit a warning when a RRDP session serial number decreases.
<li>DER decoding functions were refactored to leverage ASN.1 templates.
<li>Add support to validate & inspect .sig files containing RPKI Signed
Checklists in filemode (-f). (draft-ietf-sidrops-rpki-rsc-08)
<li>Print various statistics after the completion of the main process.
<li>Add support to decode & print TAL (RFC 8630) details in filemode (-f).
<li>Emit objects in Concatenated JSON format when filemode (-f) and the JSON
output flag (-j) are combined.
<li>Add support for validating Autonomous System Provider Authorization
(ASPA) objects conforming to draft-ietf-sidrops-aspa-profile-10.
Validated ASPA payloads are visible in JSON and filemode (-f) output.
<li>Set <a href="https://man.openbsd.org/openrsync.1">rsync(1)</a> connection I/O idle timeout to 15 seconds.
<li>Unify the maximum idle I/O and connect timeouts for <a href="https://man.openbsd.org/openrsync.1">rsync(1)</a> & HTTPS.
<li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> now performs stricter EE certificate validation:
<ul>
<li>Disallow AS Resources extensions in ROA EE certificates.
<li>Disallow Subject Information Access (SIA) extensions in RPKI
Signed Checklist (RSC) EE certs.
<li>Check the resources in ROAs and RSCs against EE certs.
</ul>
<li>Improve readability and add various information being printed in
verbose mode.
<li>Extend filemode (-f) output and print X.509 certificates in PEM
format when increased verbosity (-vv) is specified.
<li>Shorten the RRDP I/O idle timeout.
<li>Introduce a deadline timer that aborts all repository synchronization
after seven eighths of the timeout (-s). With this, rpki-client has improved
chances to complete and produce an output even when a CA is excessively
slow.
<li>Abort a currently running RRDP request process when the per-repository
timeout is reached.
<li>Permit multiple AccessDescription entries in SIA X.509 extensions. While
fetching from secondary locations is not yet supported, rpki-client will
not treat their occurrence as a fatal error.
<li>Resolve a potential for a race condition in non-atomic RRDP deltas.
<li>Fix some memory leaks.
<li>Improve compliance with the HTTP protocol specification.
</ul>
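The UTC handling described in the rpki-client(8) list above, as an added example that is not rpki-client's own code: the certificate time is converted with timegm(3), and the same fields are run through mktime(3) under a constructed TZ to show how far the notAfter instant moves. The function names, the sample timestamp and the "EST5" zone are assumptions made for the illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1	/* timegm(3) and setenv(3) on glibc */
#endif
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Parse an ASN.1 GeneralizedTime as certificates carry it, "YYYYMMDDHHMMSSZ".
 * Returns 0 on success, -1 on malformed input. */
static int parse_generalized_time(const char *s, struct tm *tm)
{
	size_t i;

	if (strlen(s) != 15 || s[14] != 'Z')
		return -1;
	for (i = 0; i < 14; i++)
		if (!isdigit((unsigned char)s[i]))
			return -1;
	memset(tm, 0, sizeof(*tm));
	if (sscanf(s, "%4d%2d%2d%2d%2d%2d", &tm->tm_year, &tm->tm_mon,
	    &tm->tm_mday, &tm->tm_hour, &tm->tm_min, &tm->tm_sec) != 6)
		return -1;
	if (tm->tm_mon < 1 || tm->tm_mon > 12 || tm->tm_mday < 1 ||
	    tm->tm_mday > 31 || tm->tm_hour > 23 || tm->tm_min > 59 ||
	    tm->tm_sec > 59)
		return -1;
	tm->tm_year -= 1900;
	tm->tm_mon -= 1;
	return 0;
}

/* Correct: the fields are UTC, so convert without consulting TZ. */
static time_t x509_time_utc(const char *s)
{
	struct tm tm;

	return parse_generalized_time(s, &tm) == 0 ? timegm(&tm) : (time_t)-1;
}

/* Mistake shown for contrast: mktime(3) reads the same fields as local time. */
static time_t x509_time_as_local(const char *s, const char *tz)
{
	struct tm tm;

	if (parse_generalized_time(s, &tm) != 0)
		return (time_t)-1;
	setenv("TZ", tz, 1);
	tzset();
	return mktime(&tm);
}

int main(void)
{
	const char *not_after = "20230101000000Z";	/* constructed sample */
	time_t now = 1672534800;	/* 2023-01-01 01:00:00 UTC */

	printf("UTC conversion:   expired=%d\n",
	    now > x509_time_utc(not_after));
	printf("local conversion: expired=%d\n",
	    now > x509_time_as_local(not_after, "EST5"));
	return 0;
}
```

With the local-time conversion the certificate appears valid for five hours past its real notAfter on a host five hours west of UTC; east of UTC it would be rejected early.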
<li>In <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>,
<ul>
<li>Allow object names to be used in addition to OIDs in
<a href="https://man.openbsd.org/snmpd.conf.5">snmpd.conf(5)</a>.
<li>Better type hinting for debug logging.
<li>Introduce a blocklist feature, which removes subtrees from view.
<li>Reintroduce AgentX master support.
<li>Move non-SNMP related metrics to their own AgentX based backend.
<li>The snmpe process is now pledged <code>stdio recvfd inet unix</code>.
<li>Imported <a
href="https://man.openbsd.org/snmpd_metrics.8">snmpd_metrics(8)</a>.
This allows those who need to use net-snmpd the ability to access base
<a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a> metrics.
</ul>
<li>In <a href="https://man.openbsd.org/ldapd.8">ldapd(8)</a>,
match password schemas case-sensitively.
<li>In <a href="https://man.openbsd.org/ospfd.8">ospfd(8)</a>,
relax the limitations on what is an acceptable unicast IP. There are no
more experiments in IPv4 and so there is less reason for network
daemons to deny formerly experimental IP space. Multicast IPs
(224/4) and loopback (127/8) are still disallowed.
<li>Added check to <a
href="https://man.openbsd.org/acme-client.1">acme-client(1)</a> to
ensure the challenge token is turned into a filename that is base64url
encoded.
<li>Added RFC 9234 "BGP Role" support to <a
href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a>
<li>Have <a
href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> print
AS numbers in 'asplain' format instead of the old 'asdot' format.
<li>Fixed a crash in libpcap when it would walk off the end of the array performing frees.
<li>Made -X connect SOCKS work with IPv6 addresses in <a href="https://man.openbsd.org/nc.1">nc(1)</a>.
<li>Introduced a blocklist backend and keyword to <a
href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>, this deprecates
filter-pf-addresses.
<li>Changed <a
href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> to defer to
<a href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> by
doing execve ifconfig and providing syslog warnings about deprecated
options.
<li>Implemented <a href="https://man.openbsd.org/dig.1">dig(1)</a>
support for SVCB and HTTPS record types.
<li>Made <a href="https://man.openbsd.org/resolvd.8">resolvd(8)</a>
write /etc/resolv.conf in a more atomic manner.
<li>Added a <a href="https://man.openbsd.org/slowcgi.8">slowcgi(8)</a>
-t flag to change the request timeout.
<li>Corrected handling of an abnormal FastCGI termination in <a
href="https://man.openbsd.org/httpd.8">httpd(8)</a>.
<li>Made newer MIME type definitions take precedence over existing
ones in <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>.
<li>Moved the <a href="https://man.openbsd.org/relayd.8">relayd(8)</a>
<a href="https://man.openbsd.org/daemon.3">daemon(3)</a> call to just
before forking the children so the parent disassociates from its
controlling terminal and shell, but not from its children.
<li>Changed <a href="https://man.openbsd.org/ftp.1">ftp(1)</a> to use
non-blocking <a
href="https://man.openbsd.org/connect.2">connect(2)</a> with <a
href="https://man.openbsd.org/ppoll.2">ppoll(2)</a> and timeout
instead of <a href="https://man.openbsd.org/alarm.3">alarm(3)</a>.
This allows failing over to another IP address for hosts that have
more than one.
</ul>
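The acme-client(1) challenge-token check listed above, sketched as an added example that is not acme-client's own code: a token is accepted as a file name only if every character belongs to the base64url alphabet, which rules out path separators and dot segments before any path is built. CHALLENGE_DIR, the function names and the sample tokens are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical challenge directory for this example. */
#define CHALLENGE_DIR "/var/www/acme"

/* RFC 8555 section 8.3: a token may only contain base64url characters
 * (no '=' padding). Anything else must not become a file name. */
static int token_is_base64url(const char *tok)
{
	static const char alphabet[] =
	    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
	size_t len = strlen(tok);

	return len > 0 && strspn(tok, alphabet) == len;
}

/* Build CHALLENGE_DIR "/" token into out. Returns 0 on success, -1 if the
 * token is not a plain base64url string or the path does not fit. */
static int challenge_path(char *out, size_t outlen, const char *tok)
{
	int n;

	if (!token_is_base64url(tok))
		return -1;
	n = snprintf(out, outlen, "%s/%s", CHALLENGE_DIR, tok);
	return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
	/* Constructed sample tokens, as a CA's challenge object might carry. */
	const char *samples[] = {
		"evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA",
		"../outside", "sub/dir", "padded=", "",
	};
	char path[256];
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		if (challenge_path(path, sizeof(path), samples[i]) == 0)
			printf("accept  %s\n", path);
		else
			printf("reject  \"%s\"\n", samples[i]);
	}
	return 0;
}
```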
<li><a href="https://man.openbsd.org/tmux.1">tmux(1)</a> improvements and bug fixes:
<ul>
<li>Added an ACL list for multiple users attaching to the <a
href="https://man.openbsd.org/tmux.1">tmux(1)</a> socket.
<li>Ensured cursor remains on selected item on menu.
<li>Added support for OSC 8 hyperlinks.
<li>Added support for hyperlinks with capture-pane -e and a
mouse_hyperlink format.
<li>Added an "all" state to allow-passthrough to work even in invisible panes.
<li>Fixed a crash when searching for .* with extremely long lines.
<li>Added <a href="https://man.openbsd.org/vi.1">vi(1)</a> Home/End
bindings.
<li>Added a Nobr terminfo capability to tell <a
href="https://man.openbsd.org/tmux.1">tmux(1)</a> the terminal does
not use bright colors for bold.
<li>Added a notification when a paste buffer is deleted.
<li>Fixed window size reporting.
</ul>
<li>LibreSSL version 3.6.0
<ul>
<li>New features
<ul>
<li>EVP API for HKDF ported from OpenSSL and subsequently cleaned up.
<li>The security level API (SSL_{,CTX}_{get,set}_security_level()) is
now available. Callbacks and ex_data are not supported. Sane
software will not be using this.
<li>Experimental support for the BoringSSL QUIC API.
<li>Add initial support for TS ESSCertIDv2 verification.
<li>LibreSSL now uses the Baillie-PSW primality test instead of
Miller-Rabin.
</ul>
<li>Compatibility changes
<ul>
<li>The ASN.1 time parser has been refactored and rewritten using CBS.
It has been made stricter in that it now enforces the rules from
RFC 5280.
<li>ASN1_AFLG_BROKEN was removed.
<li>Error check tls_session_secret_cb() like OpenSSL.
<li>Added ASN1_INTEGER_{get,set}_{u,}int64()
<li>Move leaf certificate checks to the last thing after chain
validation.
<li>Added -s option to <a
href="https://man.openbsd.org/openssl.1">openssl(1)</a> ciphers
that only shows the ciphers supported by the specified protocol.
<li>Use <a href="https://man.openbsd.org/TLS_client_method.3">TLS_client_method(3)</a>
instead of <a href="https://man.openbsd.org/TLSv1_client_method.3">TLSv1_client_method(3)</a> in
the <a
href="https://man.openbsd.org/openssl.1">openssl(1)</a> ciphers command.
<li>Validate the protocols in <a
href="https://man.openbsd.org/SSL_CTX_set_alpn_protos.3">SSL{_CTX,}_set_alpn_protos()</a>.
<li>Made TS and PKCS12 opaque.
<li>Per RFC 7292, safeContentsBag is a SEQUENCE OF, not a SET OF.
<li>Align PKCS12_key_gen_uni() with OpenSSL
<li>Various PKCS12 and TS accessors were added. In particular, the
TS_RESP_CTX_set_time_cb() function was added back.
<li>Allow a NULL header in <a
href="https://man.openbsd.org/PEM_write.3">PEM_write{,_bio}()</a>
<li>Allow empty attribute sets in CSRs.
<li>Adjust signatures of <a
href="https://man.openbsd.org/BIO_ctrl.3">BIO_ctrl</a> functions.
<li>Provide additional defines for EVP AEAD.
<li>Provide OPENSSL_cleanup().
<li>Make <a
href="https://man.openbsd.org/BIO_info_cb.3">BIO_info_cb()</a> identical to bio_info_cb().
</ul>
<li>Bug fixes
<ul>
<li>Avoid use of uninitialized in BN_mod_exp_recp().
<li>Fix <a
href="https://man.openbsd.org/X509_get_extension_flags.3">X509_get_extension_flags()</a>
by ensuring that EXFLAG_INVALID is
set on X509_get_purpose() failure.
<li>Fix <a
href="https://man.openbsd.org/HMAC.3">HMAC()</a> with NULL key.
<li>Add ERR_load_{COMP,CT,KDF}_strings() to <a
href="https://man.openbsd.org/ERR_load_crypto_strings.3">ERR_load_crypto_strings()</a>.
<li>Avoid strict aliasing violations in BN_nist_mod_*().
<li>Do not return X509_V_ERR_UNSPECIFIED from <a
href="https://man.openbsd.org/X509_check_ca.3">X509_check_ca()</a>.
No return value of X509_check_ca() indicates failure. Application
code should therefore issue a checked call to X509_check_purpose()
before calling X509_check_ca().
<li>Rewrite and fix X509v3_asid_subset() to avoid segfaults on some
valid input.
<li>Call the ASN1_OP_D2I_PRE callback after ASN1_item_ex_new().
<li>Fix d2i_ASN1_OBJECT to advance the *der_in pointer correctly.
<li>Avoid use of uninitialized in <a
href="https://man.openbsd.org/ASN1_STRING_to_UTF8.3">ASN1_STRING_to_UTF8()</a>.
<li>Do not pass uninitialized pointer to <a
href="https://man.openbsd.org/ASN1_STRING_to_UTF8.3">ASN1_STRING_to_UTF8()</a>.
<li>Do not refuse valid IPv6 addresses in <a
href="https://man.openbsd.org/nc.1">nc(1)</a>'s HTTP CONNECT proxy.
<li>Do not reject primes in trial divisions.
<li>Error out on negative shifts in BN_{r,l}shift() instead of
accessing arrays out of bounds.
<li>Fix URI name constraints, allow for URIs with no host part.
<li>Fix the legacy verifier callback behaviour for untrusted certs.
<li>Correct server-side handling of TLSv1.3 key updates.
<li>Plug leak in PKCS12_setup_mac().
<li>Plug leak in <a
href="https://man.openbsd.org/X509V3_add1_i2d.3">X509V3_add1_i2d()</a>.
<li>Only print X.509 versions we know about.
<li>Avoid signed integer overflow due to unary negation
<li>Initialize readbytes in <a
href="https://man.openbsd.org/BIO_gets.3">BIO_gets()</a>.
<li>Plug memory leak in CMS_add_simple_smimecap().
<li>Plug memory leak in <a
href="https://man.openbsd.org/X509_REQ_print_ex.3">X509_REQ_print_ex()</a>.
<li>Check <a
href="https://man.openbsd.org/HMAC.3">HMAC()</a> return value to avoid a later use of uninitialized.
<li>Avoid potential NULL dereference in ssl_set_pkey().
<li>Check return values in ssl_print_tmp_key().
<li>Switch loop bounds from size_t to int in check_hosts().
<li>Avoid division by zero if no connection was made in s_time.c.
<li>Check sk_SSL_CIPHER_push() return value
<li>Avoid out-of-bounds read in ssl_cipher_process_rulestr().