OpenBSD 6.7 --- When?

dettus

Bicycle User
Hello!

I'm back again.
Question: Does anyone know what is holding things up at OpenBSD? They have otherwise always been finished with the new version before May 1st, haven't they?
 
Hi

No, but I have wondered about that too ... ever since "they" left the cycle and always tended to deliver a bit "earlier", it was clear to me that it would also be "later" at some point; still, it's odd.
 
I have been wondering about that too, especially since the errata were already switched over to 6.7 at the end of April. Something presumably came up at short notice.
 
I find it very unusual that not even https://www.openbsd.org/67.html exists yet; normally, afaik, it appeared a few days before the release… The ftp folder 6.7 was also only created on May 1st.
However, I have heard something about hardware problems in the last few weeks. Not to mention Corona and its effects.
 
Cool, I don't think there are any really exciting new features in there that interest me, although a bit more SMP performance is always good :)
 
OpenBSD 6.7 has been released.

https://www.openbsd.org/67.html

The release notes follow:
------------------------------------------------------------------------
- OpenBSD 6.7 RELEASED -------------------------------------------------

May 19, 2020.

We are pleased to announce the official release of OpenBSD 6.7.
This is our 48th release. We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.

As in our previous releases, 6.7 provides significant improvements,
including new features, in nearly all areas of the system:

- General improvements and bugfixes:
o Reduced the minimum allowed number of chunks in a CONCAT volume
from 2 to 1, increasing the number of volumes which can be created
on a single disk with bioctl(8) from 7 to 15. This can be used to
create more partitions than previously.
o Rewrote the cron(8) flag-parsing code to be getopt-like, allowing
tight formations like -ns and flag repetition. Renamed the
"options" field in crontab(5) to "flags".
o Added crontab(5) -s flag to the command field, indicating that
only a single instance of the job should run concurrently.
o Added cron(8) support for random time values using the ~ operator.
o Allowed cwm(1) configuration of window size based on percentage of
the master window during horizontal and vertical tiling actions.
o Allowed use of window-htile and window-vtile with the "empty"
group clients in cwm(1).
o Switched powerpc to a machine-independent mplock implementation,
allowing use of witness(4).
o Added acpi(4) support for the _CCA method, indicating whether DMA
is cache-coherent.
o Switched the default compiler on powerpc to clang.
o Bumped nvme(4) max physio() i/o size to 128K.
o Improved apmd(8) support for automatic suspend/hibernate (-z/-Z).
The daemon now reacts to power changes messages sent by the
battery driver. Those messages are ignored for 60 seconds after a
resume, so that the user can take control before the machine goes
back to sleep.
o Prevented a kernel hang when no unlocked ffs_softdep worklist
items could be processed.
o Stopped counting pages mapped as PROT_NONE against the RLIMIT_DATA
limit, helping code which reserves large chunks of address space
but populates it sparsely.
o Added the $REQUEST_SCHEME variable to httpd.conf(5), allowing
preservation of the original connection type (http or https) for
redirect locations
o Implemented "strip" option in httpd.conf(5) for fastcgi to be able
to have multiple chroots under /var/www for FastCGI servers.
o Changed httpd(8) to send a 408 response when a timeout happens
while headers are being received, but close the connection if no
request is received.
o Updated en_US.UTF-8.src to Unicode 12.1.
o Added a new __tmpfd system call which creates a new, unnamed file
in /tmp, intended for shm/fd passing, but in programs that may
otherwise lack filesystem access (due to restrictions imposed by
unveil(2) or pledge(2)).
o Imported dt(4), a driver and framework for Dynamic Profiling, and
an accompanying bug tracer that speaks the bt(5) language.
o Added a human-readable mode (-h) to systat(1).
o Implemented scrolling in top(1) using the 9 and 0 keys.
o Added timeout_set_flags(9) and TIMEOUT_INITIALIZER_FLAGS(9) to the
timeout API, allowing the caller to initialize timeouts with
arbitrary flags.
o Introduced TIMEOUT_SCHEDULED flag and tos_scheduled statistic to
timeout(9).
o Switched to tickless backend in timeout(9), adding new interface
timeout_at_ts(9) to avoid backwardly compatible behavior.
o Added the system clock interface nanoboottime(9), returning the
UTC time at which the system booted in seconds and nanoseconds.
o Introduced efficient page freeing in reverse order from uvm,
greatly improving cases of massive page freeing.
o Added uvm_objfree to uvm to efficiently free all pages from a uvm
object, used in the buffer cache for considerable speedup when
freeing pages.
o Modified buffer cache to use individual uvm_objs per buffer to
speed page lookups.
o Speed up sort(1) by not performing a top-level sort when -c is
used with a -k field.
o Modified -z mode verification in signify(1) to save the header and
output it, so signify -zV >saved.tgz will keep the signature for
later checks.
o Enabled DNSSEC validation in unbound(8) by default.
o ntpd(8) now does constraint validation against 9.9.9.9 and
2620:fe::fe by default.
o Fixed arp(4) issues created by dhclient(8) modifying existing
routes.
o Fixed route.conf(5) handling by dhclient(8) when an interface
loses link.
o Restored previous dhclient(8) behaviour of rejecting leases that
lack a subnet mask.
o Enabled dhclient(8) to configure carp(4) interfaces.
o Fixed dhclient(8) releasing leases without a server identifier.
o Improved dhclient(8) NAK handling in various corner cases.
o Fixed dhclient(8) endlessly sending REQUEST messages when an ACK
is never received.
o Prevented dhcpd(8) from referencing freed memory when releasing a
lease with an unusually long uid.
o Corrected parsing of classless static default route "0/0" in
dhcpd.conf(5).
o Increased to 15 the number of softraid(4) CONCAT volumes that can
be created on a single disk.
o Fixed softraid(4) CRYPTO volumes on 4K-sector disks.

- The FFS2 filesystem, which uses 64bit timestamps and block numbers is
now the default for new installs on nearly all architectures:
o Enabled ffs2 in sgi bootblocks and ramdisks.
o Made ffs2 the default filesystem type on installs except for
landisk, luna88k and sgi.
o Changed the sparc64 bootblocks to be able to read from ffs1, ffs2
and softraid, and enabled the ffs2 option for both floppies.
o Enabled FFS2 on the landisk ramdisk.
o Taught i386 boot(8), cdboot(8) and pxeboot(8) about ffs2.
o Taught macppc boot(8) about ffs2.
o Taught sparc64 boot(8) about ffs2.
o Allowed hppa boot(8) to read from an ffs2 filesystem.
o Allowed alpha boot(8) to read from an ffs2 filesystem and adapted
its custom installboot to deal with ffs2. Also fixed the partition
read code to deal with offsets greater than 2G.
o Adapted biosboot(8) so that it can read boot(8) from an ffs2
filesystem.
o Allowed amd64 boot(8) to read from an ffs2 filesystem. Enabled
ffs2 for floppy.
o Allowed loongson boot(8) to read from an ffs2 filesystem.
o Allowed arm64 and armv7 efiboot(8) to read from an ffs2
filesystem.

- SMP-Improvements:
o __thrsleep(2), __thrwakeup(2), close(2), closefrom(2), dup(2),
dup2(2), dup3(2), flock(2), fcntl(2), kqueue(2), pipe(2), pipe2(2)
and nanosleep(2) are run without KERNEL_LOCK.
o The generic part of ioctl(2) is run without KERNEL_LOCK.
o Reworked AMD smt/core/package detection, helping prevent cores
being misidentified as threads.
o Avoided false positives in witness(4) when detecting lock order
reversals by using separate rwlock initializations for userland
and kernel maps.
o Allowed sleeping inside kqueue event filters.
o Made vmx(4) transmit MP-safe.

- Improved hardware support, including:
o Improvements in the em(4) driver.
o Added dsxrtc(4), a driver for the Maxim DS3231/DS3232 I2C RTC.
o Added ure(4) support for Lenovo OneLine Plus Dock Ethernet.
o Improved ucom(4) to fix firmware upload on some microcontroller
boards using DTR and RTS as signaling lines to reset the device
and enter the bootloader.
o Added a PCI attachment driver for com(4) to support memory-mapped
PCI devices which are part of a Low Power Subsystem (LPSS).
o Implemented microsecond resolution using microuptime(9) to avoid a
hard hang when starting X on Intel Cherry Trail Atom processors.
o Added support for X553 controllers to ix(4).
o Added usb(4) device support for an AMD hub on the APU2 and a
Synaptics vendor id and two fingerprint readers.
o Prevented buffer overflows with uthum(4) by not assuming the
report length given by the hardware is necessarily smaller than
the length of the on-stack buffer.
o Added rge(4), a driver for the Realtek 8125 PCI Express 2.5Gb
Ethernet devices.
o Fixed cursor issues and suspend/resume on amdgpu(4) and
radeondrm(4).
o Fixed support for additional I2C busses in piixpm(4) for older
SB800 SMBus controllers. Prevented sensors from attaching four
times on old AMD machines.
o Invalidated the knote(9) list of uhid(4) after device detach,
preventing a crash that can happen when kqueue still holds
references to knotes pointing to the device.
o Prevented a use-after-free causing crashes with uhidev(4) devices.
o Prevented mcx(4) interface lockups due to completion queue
overflow.
o Fixed brightness keys on various laptops with AMD graphics.
o Fixed brightness controls on machines where the initial brightness
values are returned out of range.
o Set the default brightness level on attachment for pwmbl(4).
o Fixed acpivout(4) screen brightness adjustment through function
keys, better supporting machines using exponential brightness
scaling.
o Changed acpivout(4) to increment and decrement screen brightness
based only on brightness level changes of 5% or higher.
o Fixed Etron EJ168 USB 3.0 Host Controllers via USB 2 devices.
o Added support for the SIERRA MC7700 to umsm(4) UMTS and LTE modem
device.
o Fixed RAID volume WWIDs for mpii(4) LSI controllers on sparc64,
allowing autoconf(9) to identify the volume as the root device and
boot off hardware RAID.
o Populated logical disk port WWNs with their RAID volume's WWID in
mpii(4).
o Added fido(4), an HID driver for FIDO/U2F security keys.
o Added parsing of DDR4 and LPDDR3/4 SPD memories to spdmem(4).
o Added support to lm(4) for NCT6775F, NCT5104D, NCT6779D and
NCT679[1235]D sensors.
o Updated piixpm(4) to support newer AMD chips like Hudson-2 and
KERNCZ and implemented multi-bus support for SB800, Hudson-2 and
KERNCZ.
o Extended the expected SPD types to include DDR4 and low-power
DDR3/DDR4.
o Enabled full use of jumbo frames on bnx(4) devices.
o Fixed scsi(8) softraid crypto volumes on 4K-sector disks.
o Faked disk info to match expected boot disk when EFI bootloader
has been received via TFTP, fixing a hang during HP Elitebook UEFI
boot.
o Implemented a hexdump command in the bootloader, helping to
inspect the memory layout created by the firmware and useful for
UEFI debugging.
o Improved ksmn(4) temperature conversion precision.
o Added a quirk to handle Apollo Lake, Gemini Lake and 100 Series
Intel SD/MMC sdhc(4) controllers which should not have voltages
set to 0V.
o Prevented a local user from causing the system to hang by reading
specific registers when Intel Gen8/Gen9 graphics hardware is in a
low power state.
o Prevented writes to memory allowed by the Intel Gen9 graphics
hardware.
o Added support for buttons 2 and 3 to imt(4).
o Added ogx(4), a driver for the OCTEON III network processor.
o Fixed endian swapping in xhci(4), allowing it to work again on
octeon and other big endian architectures.
o Implemented the "parallel boot" feature on compatible sparc64
firmware.
o Introduced iwx(4), a driver for Intel AX200 WiFi devices.
o Added iwm(4) support for Intel 9260 and 9560 wifi devices.
o Updated firmware for all devices supported by the iwm(4) driver.
o Fixed iwm(4) support for Intel 3168 wifi devices.
o Added support for the tp-link tl-wn823n to the urtwn(4) driver.
o The athn(4) driver now offloads CCMP (WPA2) encryption and
decryption to hardware.
o Prevented an overflow due to xen(4) failing to release the
interrupt source when unmasking the interrupt.
o Fixed usb(4) handling USB 2.0 devices on various USB 3.0
controllers.
o Fixed usb(4) handling of controllers that STALL to indicate a
short read.
o Fixed xhci(4) handling of i/o's that are exact multiples of the
max packet size.
o Bumped nvme(4) maximum physio i/o size to 128K.
o Fixed probing of modern scsi(4) devices to ignore the SYNC and
WIDE flags used by parallel SCSI.

- Removed hardware support
o Removed the rtfps(4) driver, a multiplexing serial communications
interface for IBM RT PC boards
o Removed the dpt(4) driver for DPT EATA SCSI RAID.
o Removed gpr(4), a driver for GemPlus GPR400 PCMCIA smartcard
readers.
o Removed mesh(4), a driver for old world Apple Power Macintosh SCSI
cards.

- Improvements in audio drivers and the sndio(7) framework:
o Introduced the sioctl_open(3) API to manipulate audio controls
exposed by sndiod(8).
o Modified sndiod(8) to use and expose hardware volume controls if
available.
o Modified all ports manipulating audio controls to use sndio(7)
instead of the kernel mixer(4) interface.
o Introduced the sndioctl(1) utility to manipulate audio controls
exposed by sndiod(8).
o Exposed the first 4 audio(4) devices and the first 8 midi(4)
devices through sndiod(8) by default.
o Disabled access for regular users to /dev/audio* and /dev/rmidi*,
for improved security.
o Modified mixerctl(1) to use /dev/audioctl* instead of /dev/mixer*.
o Removed /dev/mixer*
o Fixed support for uaudio(4) devices with different recording and
playback rate sets.
o Fixed volume control of many uaudio(4) devices.
o Fixed channel duplication (-j option) in sndiod(8).
o Allowed rc.d(8) script to reload sndiod(8).
o Added an azalia(4) quirk for the ALC285 on the X1C7 to avoid a
clicking noise on the headphone output.
o Disabled MSI for the AMD Hudson2 azalia(4) HDA to fix random lock
ups.

- A large number of drivers were written to improve arm64 and armv7
hardware support, including:
o Better hardware support for the i.MX8MM platform.
o Support for the Raspberry Pi 4 on arm64.
o Better support for the Raspberry Pi 3 on arm64.
o Proper support for the Raspberry Pi 2 and 3 on armv7.
o Better support for Rockchip based systems, especially the Pinebook
Pro.
o Switched USB to use non-coherent buffers for data transfers,
dramatically improving performance on some ARM SoCs where the USB
controller is not coherent with the caches.
o Allowed switching to framebuffer "glass" console on armv7 in the
bootloader, mirroring previous changes to arm64.
o Corrected cache flush operations on arm64 which were being
incorrectly treated as write operations. This fixes a bug where
cache flushing caused Firefox to abort.
o Added the capability for armv7 boot from another block device than
the one from which efiboot was loaded.

Specifically the following device drivers were added or fixed:
o Added bcmbsc(4), a driver for the Broadcom Serial Control (BSC)
controller.
o Added bcmgpio(4), a driver for the Broadcom BCM283x GPIO
controller.
o Added bcmsdhost(4), a driver for the Broadcom "sdhost" SD
controller found on the Raspberry Pi.
o Added bcmdmac(4), a driver for the DMA controller found on BCM283x
SoCs.
o Added support for the additional sdhc(4) controller found on the
Raspberry Pi.
o Added quirks for the sdhc(4) controller on the Raspberry Pi,
providing microSD card or WiFi support depending on the firmware
configuration.
o Added support for hardware with sdhc(4) controllers on busses only
supporting 32-bit access.
o Added bcmirng(4), a driver for the RNG200 random number generator
found on the Raspberry Pi 4.
o Added bcmclock(4), a driver for the BCM283X CPRMAN clock
controller.
o Added bcmmbox(4), a driver for the VideoCore messagebox interface
on BCM283X.
o Added bcmpcie(4), a driver for the PCIe controller found on the
Raspberry Pi 4.
o Added bse(4), a driver for the Broadcom GENET v5 network interface
found on the Raspberry Pi 4.
o Added brgphy(4) support for the Broadcom BCM54210E.
o Added support for the Armada 3720 CPU clock to mvclock(4).
o Fixed address filter in mvneta(4).
o Added omcm(4), omclock(4) and omsysc(4) drivers that support the
new bus structure used in current mainline Linux device trees.
o Added omrng(4), a driver for the random number generator found on
TI OMAP SoCs.
o Fixed the MAC address on Pandaboard-ES by increasing smsc(4)
buffer size used to fetch device tree properties.
o Added support for additional Allwinner A80 clocks and resets in
sxiccmu(4).
o Fixed amlpciephy(4) USB3 support when USB has not been initialized
by U-Boot.
o Added clock support for i.MX8MM.
o Fixed CPU frequency scaling support on the Librem5 Devkit.
o Added imxpwm(4), a driver for the PWM controller found on various
NXP i.MX SoCs.
o Added support for reading the i.MX8MM temperature sensors to
imxtmu(4).
o Added bdpmic(4), a driver for the ROHM BD71837 and BD71847 Power
Management IC.
o Allowed ipmi(4) to attach using mmio.
o Added rkrng(4), a driver for the random number generator found on
various Rockchip SoCs.
o Added glass console support to rkdrm(4) in Rockchip SoCs,
including kernel modesetting support.
o Added rkdrm(4), a driver providing kernel mode setting (KMS)
functionality for the graphics hardware integrated on Rockchip
SoCs.
o Added rkdwhdmi(4), a driver for the HDMI transmitter found on the
Rockchip RK3399 SoC.
o Added rkanxdp(4), a driver for the Analogix Display Port
controller on the RK3399.
o Added rkvop(4), a driver for the RK3399's Video Output Processors.
o Added rkpwm(4), a driver for the RK3399's PWM controller.
o Added rkemmcphy(4), a driver for the RK3399's eMMC PHY.
o Added support for gen2 negotiation to rkpcie(4) and enabled gen2
link state training when the dtb is configured with max-link-speed
= 2.
o Enabled backlight control use on the Pinebook Pro via
wsconsctl(8).
o Fixed the Pinebook Pro's trackpad by ensuring only hid_input items
are accepted when walking the HID descriptor.
o Fixed pwmbl(4) attachment on the Pinebook Pro.
o Added simplepanel(4), a driver for simple display panels such as
the one found on the Pinebook Pro.
o Recognized BCM4345 rev 9 as shipped with the Pinebook Pro as an
AMPAK AP6256 module in bwfm(4).
o Improved bwfm(4) on the Pinebook Pro by acking SDIO interrupts
earlier on dwmmc(4).
o Added amltemp(4), a driver for the temperature sensors on various
Amlogic SoCs.
o Added pwmfan(4), a driver for PWM-regulated fans.
o Enabled umt(4) (USB HID multitouch touchpad devices) on arm64.

- IEEE 802.11 wireless stack improvements and bugfixes:
o Stop connecting to any available unencrypted wifi networks when an
interface is marked up. This behavior must now be explicitly
enabled with ifconfig(8) join "".
o A background scan is now triggered when root runs the ifconfig(8)
scan command. This updates the list of cached APs displayed by the
scan command and forces a search for a better AP to roam to.
o Add nwflag nomimo which can be set with ifconfig(8) to work around
packet loss in 11n mode if the wireless network device has unused
antenna connectors.
o Increased the net80211 node cache size to allow more APs to be
viewed during scans.
o Fixed the ifconfig(8) "media:" line displayed during and after a
background scan in 11n mode.
o Made background scans less frequent if they keep choosing the same
AP.
o Fix kernel crashes in net80211 hostap mode due to mbuf corruption
which occurred if a relatively long SSID was configured.
o Added support for active scanning to bwfm(4).
o Fix bwfm(4) behavior which could trigger the ifq pressure drop
mechanism under moderate load.
o Improved error handling for bwfm(4) connection attempts.
o Improved automatic switching between wifi networks by lowering the
priority of networks in the ifconfig(8) join list which fail to
connect.
o Avoid repeated switching between APs in areas where APs are tuned
for low transmit range.
o Raised net80211's "beacon miss" threshold to avoid frequent
reconnects under conditions which cause loss of beacons.
o Reduced stalls on packet loss in 11n mode by improving net80211
handling of the Rx block ack sequence number window and queue.
o Fixed a bug where outstanding frames on the iwn(4) aggregation
queue interfered with roaming to another AP.
o Fixed a race condition in iwm(4) Rx interrupt handling.
o Implemented a workaround for missing Tx completion interrupts in
iwm(4) which could lead to failures when roaming to another AP.
o Re-enabled firmware-based Tx retries at lower rates for iwm(4),
reducing packet loss.
o Fixed automatic Tx rate control issues in iwn(4), and iwm(4).
o Fixed a use-after-free that caused a kernel crash during zyd(4)
device detach.

- Generic network stack improvements and bugfixes:
o Fixed a panic when using pppac(4) without pipex(4).
o Fixed a "route contains no arp information" bug where a kernel
routing table entry was incorrectly deleted upon insertion of a
new entry.
o Stopped processing packets under non-exclusive netlock, preventing
concurrency in the socket layer.
o Prevented data corruption on UDP receive socket buffers by
grabbing the exclusive NET_LOCK() in the softnet thread.
o Fixed a kernel crash due to unlimited recursion caused by local
outbound UDP broadcast/multicast packets sent by a spliced socket.
o Added IPv6 support to umb(4).
o Added support for very old firmware umsm devices with umsm(4)
rather than umb(4).
o Added pppac(4) code for a dedicated PPP Access Concentrator
interface and switched npppd.conf(5) to use pppac(4) instead of
tun(4).
o Added a check when IP forwarding is disabled to ensure packet
destination address matches interface address.
o Fixed kernel crash in pf_ioctl with WITH_PF_LOCK and NET_TASKQ >
1.
o Ensured proper kernel stack alignment on mips64, fixing a panic on
octeon related to pppoe(4).
o Added rge(4), a new driver for Realtek 8125 PCI Express 2.5Gb
ethernet devices.
o Repaired the "set delay" option for pf(4) to function as specified
in pf.conf(5).
o Prevented non-root users from using ioctl(2) to alter the address
of a network interface.
o Prevented non-root users from setting the parameters of pppoe(4)
interfaces.
o Removed mobileip(4).
o Stopped checking whether the IPv6 source address of a neighbor
advertisement is from a neighbor's address, not required in
accordance with RFC 4861.

- Installer improvements:
o Simplified sysupgrade(8) directory check and creation
(/home/_syspatch). It can now be a symlink.
o Printed the URL when sysupgrade(8) fetches new sets.
o Added an opportunistic run of fw_update(1) to sysupgrade(8) before
rebooting to run the upgrade.

- Security improvements:
o unveil(2) is now used in 82 userland programs to redact filesystem
access.
o Used unveil(2) to reduce filesystem access in vmstat(8), iostat(8)
and systat(1).
o Extracted dig(1), host(1) and nslookup(1) from the bind(8) source
code and cleaned up the source code by removing not needed
features and auditing it. The kernel API accessible to these
programs is now restricted through pledge(2).
o System calls may now only be performed from selected code regions:
the main program, ld.so(1), libc.so and the signal trampoline. A
new system call msyscall(2) indicates the libc range, and
activates the locking. This change hardens against some attack
methods.
o Prevented stack trace saving from inspecting untrusted data on
amd64, arm64 and i386.
o Used lfence in place of stac/clac on pre-SMAP CPUs to protect
against Load-Value-Injection attacks against the kernel.
o Prevented a panic due to missing sysctl(2) input validation.
o Injected failure to fetch entropy with an rdrand() timeout as an
entropic event, along with an additional rdtsc measuring the
vmexit latency.
o Enforced that ksh(1) TMOUT is an integer literal to prevent
command execution from the environment at shell initialization
time.
o Ensured the first 2MB page of the amd64 kernel is correctly mapped
read-only in the direct map.
o Addressed an armv7/arm64 speculative execution issue by changing
the system call ABI to skip two instructions and inserting a
barrier after each system call.
o Fixed arm64 speculative execution of instructions after ERET,
which had led to spectre-like effects on some processors.
o Tightened permissions for USB device nodes.
o Ensured that ld.so(1) removed the LD_LIBRARY_PATH environment
variable for set-user-ID and set-group-ID executables in low
memory conditions.
o Added support for RSA-PSS to crypto(3).
o Added retguard for octeon/mips64.
o The following security bugs were addressed:
- Reset the login class each time through the loop when using
-L (loop) mode with su(1). Fixes CVE-2019-19519.
- Fixed insufficient username validation performed by libc's
authentication privilege separation layer and added
additional validation points, further validating in login(1)
and su(1).
- Prevented escalation to the auth group in xlock(1) through
path-related environment variables and disabled mesa and
opengl functionality.

- Routing daemons and other userland network improvements:
o Add initial support for JSON output in bgpctl(8).
o Allow setting both IPv4 and IPv6 local-addresses at the same time
in bgpd.conf(5) group blocks. Introduced no local-address to reset
a previously set local address.
o Properly aggregate duplicate bgpd(8) roa table prefix/source-as
combinations into a single entry with the longest maxlen length.
o Implemented bgpd.conf(5) max-prefix NUM out to limit the number of
announced prefixes, avoiding leaks of full tables to upstreams and
peers.
o Extended bgpctl(8) show neighbor to include the received and set
prefix count, as well as the max-prefix out limit if set.
o Improved reporting of notifications to include the suberror cause.
o Also report the last received error cause in bgpctl(8) show
neighbor output.
o Fix softreconfig out handling to also work for neighbors using
export default-route.
o Mark stale prefixes in the Adj-RIB-Out so that graceful reload
operates properly.
o Allowed configuration of the ospfd(8) interface setting "type p2p"
to be configured globally or per area.
o Added point-to-point ospf6d(8) support for broadcast interfaces.
o Validated authentication lengths in ripd(8) before use to prevent
crashes.
o Fixed empty response packages sent out by ripd(8) when entries are
skipped due to split-horizon simple.
o Reduced temporary address valid lifetime to 2 days in slaacd(8).
o Made slaacd(8) honor the rdomain in which it runs when configuring
the default route.
o Withdrew all proposals on slaacd(8) startup to prevent indefinite
retention of nameservers on interfaces no longer flagged for
autoconf.
o Modified ldpd(8) to lookup the adjacency by LSR id as well as
source IP address, as the remote peer may change its LSR id.
o Added support for printing RFC 2332 NBMA Next Hop Resolution
Protocol (NHRP) to tcpdump(8).
o Added tcpdump(8) support for printing RFC 8300 Network Service
Header (NSH).
o Added tcpdump(8) support for VXLAN-GPE.
o Fixed a tcpdump(8) crash when printing the contents of a malformed
packet where the packet length was smaller than the size of the
usbpcap header.
o Rewrote dhcpv6 parsing in tcpdump(8) to match the RFC, correctly
handling dhcpv6 messages.
o Accept netmask for IPv6 in ifconfig(8) instead of ignoring it and
using only the prefixlen argument.
o Fixed snmp(1) agent address parsing to allow IPv6 addresses to be
used based on format, allow those without brackets to skip the
port if it results in a nonsensical address (allowing use of ::1),
and try to connect to the address immediately.
o Implemented a df subcommand for snmp(1) which outputs disk and
memory information in a df(1) format.
o Implemented a -Cs option in snmp(1) for snmp walk and bulkwalk,
allowing subsections of a tree to be skipped.
o Introduced option filter-pf-addresses to snmpd.conf(5), allowing
the OPENBSD-PF-MIB::pfTblAddrTable tree to be filtered out when
many prefixes are stored in pf tables, reducing CPU usage during
bulk walks.
o Added retries and timeouts for test packets to radiusctl(8).
o Corrected http auth combined with proxy auth in ftp(1).
o Corrected ftp(1) access to an https server with user/password
through the "http_proxy" environment variable.
o Prevented ftp(1) from following remote redirects to local files.
o Implemented HTTP/1.1 in ftp(1).
o Added new -N name option to ftp(1), allowing calling scripts to
change the progname and produce better error messages.
o Allowed pfctl(8) to recursively flush rules and tables.
o In pf(4), ensured rdr-to with loopback destination will work even
when IP forwarding is disabled.
o Enabled rpki-client(8), a free, easy-to-use implementation of the
Resource Public Key Infrastructure (RPKI) for Relying Parties (RP)
to facilitate validation of the Route Origin of a BGP
announcement. The program queries the RPKI repository system and
outputs Validated ROA Payloads in the configuration format of
OpenBGPD, BIRD, and also as CSV or JSON objects for consumption by
other routing stacks.
o Modified root's crontab(1) to run rpki-client(8) and reload
bgpd(8) configuration, enabling RPKI ROA filtering.
o Stopped hardcoding the cache directory in rpki-client(8). Cache
and output directory will use defaults for root users and must be
specified by non-root users.
o Made rpki-client(8) use the existing cache and not exit if
rsync(1) exits non-zero.
o Fixed rpki-client(8) -j option, which had not been producing any
output.
o Rewrote the time validity check for mtfs in rpki-client(8) to
correctly account for the timezone.
o Added rpki-client(8) output formats for the BIRD routing daemon
and CSV.
o For BIRD rpki-client(8) can generate three different output
formats with the option -B: v1 with IPv4 and IPv6 routes, and v2.

- unwind(8) improvements:
o Implemented unwindctl(8) status memory to show cache memory usage.
o Allowed forcing specific domains to be resolved by specific
resolvers in unwind.conf(5), handling typical split-horizon
setups.
o Measured performance of resolving strategies in unwind(8), sorting
them and choosing the next best strategy when one fails.
Performance data decays over time.
o Switched captive portal detection from HTTP probing to DNS probing
in unwind(8).
o Implemented DNS proposals in unwind(8) to learn nameservers from
network autoconfiguration daemons.
o Added opportunistic DoT support to unwind(8).
o Added an ASR resolver type to unwind(8), using the libc
asynchronous resolver directly with DHCP-provided nameservers to
work around broken middle boxes.

- ipsec(4) improvements and bugfixes:
o Added support for automatically moving traffic between rdomains on
ipsec(4) encryption or decryption, reducing the attack surface for
network sidechannel attacks.
o Added iked(8) support for switching rdomain on ipsec(4)
encryption/decryption, configurable per policy with the new
'rdomain' option in iked.conf(5).
o Changed the default ipsec level set by iked(8) and isakmpd(8) to
IPSEC_LEVEL_REQUIRE. Unencrypted packets matching incoming ipsec
flows are no longer accepted by default.
o Added curve25519, ecp256, ecp384, ecp521, modp3072 and modp4096 to
the default Diffie-Hellman group configuration for IKE SAs in
iked(8).
o Removed support for the insecure EC2N Diffie-Hellman groups in
iked(8).
o Changed the default authentication method in iked(8) to generic
signature authentication (RFC 7427).
o Added ESN configuration options for ikesa in iked.conf(5).
o Added transport mode for child SAs to iked(8).
o Added active probing for lost connection in iked(8) resulting in a
faster connection reset.
o Added a -p command line option to iked(8) to allow configuration of a
non-standard UDP encapsulation port.
o Added support for multiple x509 extensions and multiple
subjectAltName fields in certificates used with iked(8).
o Added support for certificates with uppercase subjectAltNames in
iked(8).
o Removed automatically installed ipsec(4) flow blocking unencrypted
IPv6 traffic in iked(8).
o Reduced size of IKE_AUTH message by eliminating duplicate traffic
selectors in iked(8).
o Added an ikectl(8) "show sa" command to print information about
the state of negotiated IKE SAs, their child SAs and the resulting
IPsec flows.
o Added an ikectl(8) "reset id" command to reset all SAs from
policies with matching destination IDs.
o Added support for UDP encapsulation in manual SAs set up with
ipsec.conf(5).
o Fixed an iked(8) bug that led to connection loss after
simultaneous rekeying.
o Fixed an iked(8) public key leak in the CA process for ASN-DN IDs.
o Fixed a bug that led to a lost EAP ID after rekeying in iked(8).
o Fixed EAP user database corruption resulting from use of the
ikectl(8) reload command.
o Corrected iked(8) calculation of IPv6 address leases from small
address pools.
o Fixed several bugs that could lead to iked(8) selecting a false
policy for incoming requests, resulting in a failed handshake.
o Fixed a bug that broke PSK authentication against Strongswan.
o Enabled UDP-encapsulation in Child SAs if iked(8) was started with
-t.
o Fixed isakmpd(8) IKE pcap file creation.

- tmux(1) improvements and bug fixes:
o Indicated the marked pane in tmux(1) choose mode in reverse, and
added keys to set (m) and clear it (M), and to jump to the
starting pane (H).
o Allowed tmux(1) main-pane-width and height to be specified as
percentages.
o Added a -f filter argument to the tmux(1) list commands like
choose-tree.
o Added an -s flag to tmux(1) copy-mode to specify a different pane
for the source content.
o Added a -T flag to tmux(1) resize-pane to trim lines below the
cursor.
o Added support for tmux(1) overlay popup boxes, created with the
display-popup command.
o Added a tmux(1) -d flag to run-shell to wait for delay before
running the command (or delay with no command).
o Added a tmux(1) copy-mode -H flag to hide the position marker in
the top right.
o Added tmux(1) C-g to cancel command prompt with vi(1) keys as well
as emacs, and q in command mode.
o Modified tmux(1) -S server socket to be created with umask 177
rather than 117.
o Introduced a tmux(1) selection_active format for when the
selection is present but not moving with the cursor.
o Added -a to the list-keys command in tmux(1) to also list keys
without notes with -N.
o Added tmux(1) support for adding a note to a key binding with
bind-key -N and using this to add descriptions to the default key
binding. Using list-keys -N shows key bindings with notes. Changed
the default ? binding to show a readable summary of keys.
o Added -Z to the default tmux(1) switch-client command in tree
mode.
o Prevented read-only tmux(1) clients from limiting the size of
other clients.
o Added support for regex searches in tmux(1) copy mode.
o Modified tmux(1) source-file to allow reading from stdin.
o Added a tmux(1) p format modifier for padding to width.
o Added -f for full size to join-pane in tmux(1).
o Changed tmux(1) new-session -A to attach to the best existing
session when a session name is not specified, rather than creating
a new session.
o Added an option to tmux(1) to set the key sent by backspace for
systems using ^H.
o Added -F flag to tmux(1) send-keys to expand formats in
search-backward and forward copy mode commands.
o Added support for percentage sizes to tmux(1) resize-pane ("-x
10%") and changed split-window and join-pane -l to accept similar
percentages, deprecating the -p option.

- VMM/VMD improvements
o Added vmm(4) IOCTL handler to set the access protections of the
ept.
o Added a check in vmm(4) for pvclock(4) struct crossing of page
boundaries, which could potentially corrupt host memory.
o Tightened rdmsr on svm in vmm(4).
o Fixed an issue where a vmm(4) guest could write to host memory by
passing bogus addresses in pvclock(4).
o Run cu(1) in restricted mode using -r in vmctl(8) and ldomctl(8).
o Started virtual machines defined in vm.conf(5) in a staggered
fashion, helping prevent overload of the host and improper tsc
calibration in guests.
o Provided proper concurrency control when pausing a vm in vmd(8).
o Fixed a panic when tearing down vms with vmm(4).

- ldom/sparc64 virtualization improvements
o Added support for devaliases for vnet in ldom.conf(5).
o Implemented ldomctl(8) "panic -c" to panic a guest domain (and
enter ddb(4)).
o Implemented "start -c" in ldomctl(8) to automatically connect to
the console.
o Introduced a -n option to ldomctl(8) to validate the configuration
file and exit.
o Added a create-vdisk command to ldomctl(8) analogous to amd64's
vmctl(8) create.
o Added the "console" command to ldomctl(8) which executes cu(1) on
the domain's console.
o Printed guest domain vcctty(4) devices in status output in
ldomctl(8).
o Added list-io command to ldomctl(8), listing the available PCIe
devices to be used with the iodevice parameter in ldom.conf(5).

- OpenSMTPD 6.7.0
o New Features
- Allowed use of the smtpd(8) session username in built-in
filters when available.
- Introduced a bypass keyword to smtpd(8) so that built-in
filters can bypass processing when a condition is met.
- Allowed use of 'auth' as an origin in smtpd.conf(5).
- Allowed use of mail-from and rcpt-to as for and from
parameters in smtpd.conf(5).
o Bug fixes
- Ensured legacy ssl(8) session ID is persistent during a
client TLS session, fixing an issue using TLSv1.3 with
smtp.mail.yahoo.com.
- Fixed security vulnerabilities in smtpd(8). Corrected an
out-of-bounds read in smtpd allowing an attacker to inject
arbitrary commands into the envelope file to be executed as
root, and ensured privilege revocation in smtpctl(8) to
prevent arbitrary commands from being run with the _smtpq
group.
- Allowed mail.local(8) to be run as non-root, opening a pipe
to lockspool(1) for file locking.
- Fixed a security vulnerability in smtpd(8) which could lead
to a privilege escalation on mbox deliveries and unprivileged
code execution on lmtp deliveries.
- Added support for CIDR in a: spf atoms in smtpd(8).
- Fixed a possible crash in smtpd(8) when combining "from rdns"
with nested virtual aliases under a particular configuration.
o Experimental Features
- Introduced smtp-out event reporting.
- Improved filtering protocol.

- LibreSSL 3.1.1
o New Features
- Completed initial TLS 1.3 implementation with a completely
new state machine and record layer. TLS 1.3 is now enabled by
default for the client side, with the server side to be
enabled in a future release. Note that the OpenSSL TLS 1.3
API is not yet visible/available.
- Improved cipher suite handling to automatically include
TLSv1.3 cipher suites when they are not explicitly referred
to in the cipher string.
- Provided TLSv1.3 cipher suite aliases to match the names used
in RFC 8446.
- Added cms subcommand to openssl(1).
- Added -addext option to openssl(1) req subcommand.
- Added -groups option to openssl(1) s_server subcommand.
- Added TLSv1.3 extension types to openssl(1) -tlsextdebug.
o API and Documentation Enhancements
- Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1.
- Ported Cryptographic Message Syntax (CMS) implementation from
OpenSSL 1.1.1 and enabled by default.
o Compatibility Changes
- Improved compatibility by backporting functionality and
documentation from OpenSSL 1.1.1.
- Adjusted EVP_chacha20()'s behavior to match OpenSSL's
semantics.
o Testing and Proactive Security
- Added many new additional crypto test vectors.
- Fix to disallow setting the AES-GCM IV length to zero.
o Internal Improvements
- Many more code cleanups, fixes, and improvements to memory
handling and protocol parsing.
o Portable Improvements
- Default CA bundle location is now configurable in portable
builds.
- Improved portable builds to support use of static MSVC
runtimes.
- Fixed portable builds to avoid exporting a sleep() symbol.
o Bug Fixes
- Fixed printing the serialNumber with X509_print_ex() fall
back to the colon separated hex bytes in case greater than
int value.

- OpenSSH 8.3
o Potentially incompatible changes.
- sftp(1): reject an argument of "-1" in the same way as ssh(1)
and scp(1) do instead of accepting and silently ignoring it.
- Removed ssh-rsa (SHA1) from the list of allowed CA signature
algorithms.
- Removed diffie-hellman-group14-sha1 from the default ssh(1)
key exchange.
- ssh-keygen(1): the command-line options related to the
generation and screening of safe prime numbers used by the
diffie-hellman-group-exchange-* key exchange algorithms have
changed. Most options have been folded under the -O flag.
- sshd(8): the sshd listener process title visible to ps(1) has
changed to include information about the number of
connections that are currently attempting authentication and
the limits configured by MaxStartups.
- ssh-sk-helper(8): this is a new binary. It is used by the
FIDO/U2F support to provide address-space isolation for token
middleware libraries (including the internal one). It needs
to be installed in the expected path under /usr/libexec.
o New Features
- Allowed use of the IgnoreRhosts directive anywhere in an
sshd_config(5) file, not just before Match blocks, and made
it a tri-state option.
- Added TOKEN percent expansion (i.e. userid, hostnames etc.)
to ssh(1) LocalForward and RemoteForward when used for Unix
domain socket forwarding.
- all: allow loading public keys from the unencrypted envelope
of a private key file if no corresponding public key file is
present.
- Gave ssh-keygen(1) the ability to dump the contents of a
binary key revocation list with ssh-keygen -lQf /path.
- Added ssh(1) -Q key-sig option for all key and signature
types, teaching ssh -Q to accept ssh_config(5) and
sshd_config(5) algorithm keywords as an alias for the
corresponding query.
- Updated to libfido2 780ad3c25.
- Added an sshd_config(5) "Include" directive to allow
inclusion of files.
- Renamed ssh-add(1) -O to -K to load resident keys from a FIDO
authenticator.
- Added the ability to download FIDO2 resident keys from a
token via the ssh-keygen(1) -K option and save public/private
keys into the current directory.
- Implemented support for generating FIDO2 resident keys.
"ssh-add -O" will load resident keys from a FIDO2 token and
add them to an ssh-agent. Removed the -x option currently
used for the FIDO/U2F-specific key flags, now under -O.
- Removed single letter flags for moduli generation in
ssh-keygen(1) and moved all moduli generation options to
under the -O flag. Breaks existing ssh-keygen commandline
syntax for moduli-related operations.
- Allowed forwarding of a different agent socket to a specified
path in ssh(1).
- Allowed ssh(1) security keys to act as host keys as well as
user keys.
- Used ssh-sk-helper for all security key signing operations
and security key enrollment. Most ssh(1) tools no longer need
to link against libfido2 or interact with /dev/uhid*
directly.
- Added "no-touch-required" options to ssh-keygen(1) and
sshd(8) to disable touch requirement for authorized_keys and
certificates.
- Added an sshd_config(5) PubkeyAuthOptions directive allowing
specification of whether sshd(8) should check whether user
presence was tested before a security key was made.
- Added direct support for U2F/FIDO2 security keys in ssh(1).
- Added initial infrastructure for U2F/FIDO support in ssh(1).
- Notified the user via TTY or $SSH_ASKPASS when ssh(1)
security keys must be tapped/touched in order to perform a
signature operation.
- Enabled ed25519 support in ssh(1).
o Bugfixes
- Detected and prevented simple ssh(1) configuration loops when
using ProxyJump.
- Fixed PIN entry bugs on FIDO in ssh-keygen(1).
- Fixed ssh-keygen(1) not displaying the authenticator touch
prompt.
- Prevented a timeout in ssh(1) when the server doesn't
immediately send a banner, such as with multiplexers like
sslh.
- Adjusted on-wire signature encoding for ecdsa-sk ssh(1) keys
to better match ed25519-sk keys.
- Fixed a potential NULL dereference for revoked hostkeys in
ssh(1).
- ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded
from a PKCS11Provider
- ssh-keygen(1): avoid NULL dereference when trying to convert
an invalid RFC4716 private key.
- scp(1): when performing remote-to-remote copies using "scp
-3", start the second ssh(1) channel with BatchMode=yes
enabled to avoid confusing and non-deterministic ordering of
prompts.
- ssh(1): fix incorrect error message for "too many known hosts
files."
- ssh(1): make failures when establishing "Tunnel" forwarding
terminate the connection when ExitOnForwardFailure is enabled
- ssh-keygen(1): fix printing of fingerprints on private keys
and add a regression test for same.
- sshd(8): document order of checking AuthorizedKeysFile
(first) and AuthorizedKeysCommand (subsequently, if the file
doesn't match)
- sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv
are not considered for HostbasedAuthentication when the
target user is root
- ssh(1), ssh-keygen(1): fix NULL dereference in private
certificate key parsing (oss-fuzz #20074).
- ssh(1), sshd(8): more consistency between sets of %TOKENS are
accepted in various configuration options.
- ssh(1), ssh-keygen(1): improve error messages for some common
PKCS#11 C_Login failure cases
- ssh(1), sshd(8): make error messages for problems during SSH
banner exchange consistent with other SSH transport-layer
error messages and ensure they include the relevant IP
addresses
- various: fix a number of spelling errors in comments and
debug/error messages
- ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident
keys from a token, don't prompt for a PIN until the token has
told us that it needs one. Avoids double-prompting on devices
that implement on-device authentication.
- sshd(8), ssh-keygen(1): no-touch-required FIDO certificate
option should be an extension, not a critical option.
- ssh(1), ssh-keygen(1), ssh-add(1): offer a better error
message when trying to use a FIDO key function and
SecurityKeyProvider is empty.
- ssh-add(1), ssh-agent(8): ensure that a key lifetime fits
within the values allowed by the wire format (u32). Prevents
integer wraparound of the timeout values

- Mandoc 1.14.6
o Introduced a new mdoc(7) macro .Tg ("tag") to explicitly mark a
place as defining a term, and improved automatic tagging in
various ways.
o Print the manpath when the man(1) -w option is given without an
argument, for compatibility with the man-1.6 and man-db
implementations.
o Deleted support for the _whatdb configuration directive from
man.conf(5) five years after it was declared obsolete; use manpath
instead.
o Added a Content-Security-Policy HTTP header to man.cgi(8) that
allows only CSS.
o Provide a STYLE message when mandoc(1) knows the filename and the
extension disagrees with the section number given in the .Dt or
.TH macro.
o When the mdoc(7) .Dd macro lacks an argument, use the empty
string, and always concatenate all arguments, no matter their
number. The same change was applied to groff.

- Ports and packages:
The package system provides an easy way to install 3rd party software.
New features include:
o Provide debug package information that can be installed alongside
packages and used to provide better bug reports.
o Added DEBUG_PKG_CACHE functionality to pkg_add(1), fetching debug
patches when packages are installed.
o Added a -d option to pkg_add(1) to add debug packages if present
alongside intended updates or additions.
o Added support for "alpha" suffixes in packages-specs(7), removing
the need for workarounds in certain ports distfiles.
o Pre-built packages are available for the following architectures on
the day of release:
- aarch64 (arm64): 10848
- amd64: 11268
- i386: 10715
- mips64: 9281
- sparc64: 9850
o Packages for the following architectures will be made available as
their builds complete:
- arm
- mips64el
- powerpc

- As usual, steady improvements in manual pages and other documentation.

- The system includes the following major components from outside suppliers:
o Xenocara (based on X.Org 7.7 with xserver 1.20.8 + patches,
freetype 2.10.1, fontconfig 2.12.4, Mesa 19.2.8, xterm 351,
xkeyboard-config 2.20 and more)
o LLVM/Clang 8.0.1 (+ patches)
o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
o Perl 5.30.2 (+ patches)
o NSD 4.2.4
o Unbound 1.10.0
o Ncurses 5.7
o Binutils 2.17 (+ patches)
o Gdb 6.3 (+ patches)
o Awk Dec 20, 2012 version
o Expat 2.2.8

------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each release. Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible. Therefore, we advise regular
visits to

https://www.OpenBSD.org/security.html
and
https://www.OpenBSD.org/errata.html

------------------------------------------------------------------------
- MAILING LISTS AND FAQ ------------------------------------------------

Mailing lists are an important means of communication among users and
developers of OpenBSD. For information on OpenBSD mailing lists, please
see:

https://www.OpenBSD.org/mail.html

You are also encouraged to read the Frequently Asked Questions (FAQ) at:

https://www.OpenBSD.org/faq/

------------------------------------------------------------------------
- DONATIONS ------------------------------------------------------------

The OpenBSD Project is a volunteer-driven software group funded by
donations. Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others. This ecosystem is all handled under the same funding umbrella.

We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon
events.

All of our developers strongly urge you to donate and support our future
efforts. Donations to the project are highly appreciated, and are
described in more detail at:

https://www.OpenBSD.org/donations.html

------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts. In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.

There may also be exposure benefits since the Foundation may be
interested in participating in press releases. In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at directors@openbsdfoundation.org for
more information.

------------------------------------------------------------------------
- HTTPS INSTALLS -------------------------------------------------------

OpenBSD can be easily installed via HTTPS downloads. Typically you need
a single small piece of boot media (e.g., a USB flash drive) and then
the rest of the files can be installed from a number of locations,
including directly off the Internet. Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTPS.

1) Read either of the following two files for a list of HTTPS mirrors
which provide OpenBSD, then choose one near you:

https://www.OpenBSD.org/ftp.html
https://ftp.openbsd.org/pub/OpenBSD/ftplist

As of May 19, 2020, the following HTTPS mirror sites have the
6.7 release:

https://cdn.openbsd.org/pub/OpenBSD/6.7/ Global
https://ftp.eu.openbsd.org/pub/OpenBSD/6.7/ Stockholm, Sweden
https://ftp.hostserver.de/pub/OpenBSD/6.7/ Frankfurt, Germany
https://ftp.bytemine.net/pub/OpenBSD/6.7/ Oldenburg, Germany
https://ftp.fr.openbsd.org/pub/OpenBSD/6.7/ Paris, France
https://mirror.aarnet.edu.au/pub/OpenBSD/6.7/ Brisbane, Australia
https://ftp.usa.openbsd.org/pub/OpenBSD/6.7/ CO, USA
https://ftp5.usa.openbsd.org/pub/OpenBSD/6.7/ CA, USA
https://mirror.esc7.net/pub/OpenBSD/6.7/ TX, USA
https://openbsd.cs.toronto.edu/pub/OpenBSD/6.7/ Toronto, Canada
https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.7/ Global
https://fastly.cdn.openbsd.org/pub/OpenBSD/6.7/ Global

The release is also available at the master site:

https://ftp.openbsd.org/pub/OpenBSD/6.7/ Alberta, Canada

However it is strongly suggested you use a mirror.

Other mirror sites may take a day or two to update.

2) Connect to that HTTPS mirror site and go into the directory
pub/OpenBSD/6.7/ which contains these files and directories.
This is a list of what you will see:

ANNOUNCEMENT armv7/ octeon/ sparc64/
README hppa/ openbsd-67-base.pub src.tar.gz
SHA256 i386/ packages/ sys.tar.gz
SHA256.sig landisk/ packages-stable/ xenocara.tar.gz
alpha/ loongson/ ports.tar.gz
amd64/ luna88k/ root.mail
arm64/ macppc/ sgi/

It is quite likely that you will want at LEAST the following
files which apply to all the architectures OpenBSD supports.

README - generic README
root.mail - a copy of root's mail at initial login.
(This is really worthwhile reading).

3) Read the README file. It is short, and a quick read will make
sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
for example, amd64. This is a list of what you will see:

BOOTIA32.EFI* bsd* floppy67.fs pxeboot*
BOOTX64.EFI* bsd.mp* game67.tgz xbase67.tgz
BUILDINFO bsd.rd* index.txt xfont67.tgz
INSTALL.amd64 cd67.iso install67.fs xserv67.tgz
SHA256 cdboot* install67.iso xshare67.tgz
SHA256.sig cdbr* man67.tgz
base67.tgz comp67.tgz miniroot67.fs

If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
and install67.iso. The install67.iso file (roughly 470MB in size)
is a one-step ISO-format install CD image which contains the various
*.tgz files so you do not need to fetch them separately.

If you prefer to use a USB flash drive, fetch install67.fs and
follow the instructions in INSTALL.amd64.

5) If you are an expert, follow the instructions in the file called
README; otherwise, use the more complete instructions in the
file called INSTALL.amd64. INSTALL.amd64 may tell you that you
need to fetch other files.

6) Just in case, take a peek at:

https://www.OpenBSD.org/errata.html

This is the page where we talk about the mistakes we made while
creating the 6.7 release, or the significant bugs we fixed
post-release which we think our users should have fixes for.
Patches and workarounds are clearly described there.

------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system. This release
contains X.Org 7.7. Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc. During installation, you can install X.Org
quite easily using xenodm(1), our simplified X11 display manager forked
from xdm(1).

------------------------------------------------------------------------
- PACKAGES AND PORTS ---------------------------------------------------

Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures. Please see https://www.openbsd.org/faq/faq15.html for
more information on working with packages and ports.

Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed
separately.

------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------

The source code for all four subsystems can be found in the
pub/OpenBSD/6.7/ directory:

xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz

The README (https://ftp.OpenBSD.org/pub/OpenBSD/6.7/README) file
explains how to deal with these source files.

------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------

Ports tree and package building by Pierre-Emmanuel Andre, Visa Hankala,
Stuart Henderson, Peter Hessler, Kurt Mosiejczuk, Christian Weisgerber,
and Charlene Wendling. Base and X system builds by Kenji Aoyama and
Theo de Raadt. Release art contributed by Jonni Phillips.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use. We would also like
to thank those who bought our previous CD sets. Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.

Our developers are:

Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall,
Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov,
Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley,
Antoine Jacoutot, Anton Lindqvist, Asou Masato, Ayaka Koshibe,
Benoit Lecocq, Bjorn Ketelaars, Bob Beck, Brandon Mercer,
Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar,
Carlos Cardenas, Charlene Wendling, Charles Longeau,
Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann,
Claudio Jeker, Dale Rahn, Damien Miller, Daniel Dickman,
Daniel Jakots, Darren Tucker, David Coppa, David Gwynne, David Hill,
Denis Fondras, Doug Hogan, Edd Barrett, Elias M. Mariani,
Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus,
George Koehler, Gerhard Roth, Giannis Tsaraias, Gilles Chehade,
Giovanni Bechis, Gleydson Soares, Gonzalo L. Rodriguez, Helg Bredow,
Henning Brauer, Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer,
Ingo Schwarze, Inoguchi Kinichiro, James Turner, Jan Klemkow,
Jason McIntyre, Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas,
Jeremy Evans, Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani,
Jonathan Gray, Jonathan Matthew, Jordan Hargrave, Joris Vink,
Joshua Stein, Juan Francisco Cantero Hurtado, Kazuya Goda,
Kenji Aoyama, Kenneth R Westerback, Kent R. Spillner, Kevin Lo,
Kirill Bychkov, Klemens Nanni, Kurt Miller, Kurt Mosiejczuk,
Landry Breuil, Lawrence Teo, Marc Espie, Marco Pfatschbacher,
Marcus Glocker, Mark Kettenis, Mark Lumsden, Markus Friedl,
Martijn van Duren, Martin Natano, Martin Pieuchot, Martin Reindl,
Martynas Venckus, Mats O Jansson, Matthew Dempsky, Matthias Kilian,
Matthieu Herrb, Michael Mikonos, Mike Belopuhov, Miod Vallat,
Nayden Markatchev, Nicholas Marriott, Nigel Taylor, Okan Demirmen,
Ori Bernstein, Otto Moerbeek, Paco Esteban, Pamela Mosiejczuk,
Pascal Stumpf, Patrick Wildt, Paul Irofti, Pavel Korovin,
Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas,
Rafael Sadowski, Rafael Zalamena, Raphael Graf, Remi Locherer,
Remi Pointel, Renato Westphal, Reyk Floeter, Ricardo Mestre,
Richard Procter, Rob Pierce, Robert Nagy, Sasano Takayoshi,
Scott Soule Cheloha, Sebastian Benoit, Sebastian Reitenbach,
Sebastien Marie, Solene Rapenne, Stefan Fritsch, Stefan Kempf,
Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson,
Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler,
Theo de Raadt, Thomas Frohwein, Tim van der Molen, Tobias Heider,
Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove,
Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov,
Vincent Gross, Visa Hankala, Yasuoka Masahiko, Yojiro Uo
 
As usual (knock on wood), a completely trouble-free update. Nobody has solved this as nicely and simply as OpenBSD, I think.
Thumbs up once again!
 
I have now updated the web (v)server on the Internet, my "NAS", my "main" notebook and the floppy-disk-reading notebook without any problems.

The upgrade process is by now simpler and more stable than that of any other system I know, and the time required stays within very tight limits too.
 
It works!
 
