<!doctype html>
<html lang=en id=release>
<meta charset=utf-8>
<title>OpenBSD 7.0</title>
<meta name="description" content="OpenBSD 7.0">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/70.html">
<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
7.0
</h2>
<table>
<tr>
<td>
<a href="images/StarryPointers.png">
<img width="227" height="303" src="images/StarryPointers-s.png" alt="Starry Pointers"></a>
<td>
Released Oct 14, 2021. (51st OpenBSD release)<br>
Copyright 1997-2021, Theo de Raadt.<br>
<br>
7.0 Song:
<a href="lyrics.html#70">"The Style Hymn"</a>.
<br>
Artwork by Natasha Allegri.
<br>
<ul>
<li>See the information on <a href="ftp.html">the FTP page</a> for
a list of mirror machines.
<li>Go to the <code class=reldir>pub/OpenBSD/7.0/</code> directory on
one of the mirror sites.
<li>Have a look at <a href="errata70.html">the 7.0 errata page</a> for a list
of bugs and workarounds.
<li>See a <a href="plus70.html">detailed log of changes</a> between the
6.9 and 7.0 releases.
<p>
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
pubkeys for this release:<p>
<table class=signify>
<tr><td>
openbsd-70-base.pub:
<td>
<a href="https://ftp.openbsd.org/pub/OpenBSD/7.0/openbsd-70-base.pub">
RWR3KL+gSr4QZ5mOvKhcOOgGe61ogHp5PyBOj2RrmyCpqchk9A7NVPzh</a>
<tr><td>
openbsd-70-fw.pub:
<td>
RWS8nd7vy+I+fRHtnpxVBeX+P+9rBqJMPvSU6z8LYyAv5p73WcdFXs3B
<tr><td>
openbsd-70-pkg.pub:
<td>
RWR3iauEtA8/bLN/zfIQhOc5ramL/fARX72S6xw8BwAUebxik7KioCvL
<tr><td>
openbsd-70-syspatch.pub:
<td>
RWSD33kMDKsQH8j0Q8FzfYk+vsgTKiP8Q5DcrkQQtrZoWg48yxUQgLxU
</table>
</ul>
<p>
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via <code>ports.tar.gz</code>.
</table>
<hr>
<section id=new>
<h3>What's New</h3>
<p>
This is a partial list of new features and systems included in OpenBSD 7.0.
For a comprehensive list, see the <a href="plus70.html">changelog</a> leading
to 7.0.
<ul>
<li>New/extended platforms:
<ul>
<li>Added new <a href="riscv64.html">riscv64</a> platform for 64-bit RISC-V systems.
<li>The <a href="arm64.html">arm64</a> platform support was improved with the following changes:
<ul>
<li>Support for Apple Silicon Macs has improved but is not ready for general use yet:
<ul>
<li>Added support for installing on a disk with a GPT.
    <li>Added <a href="https://man.openbsd.org/apldart.4">apldart(4)</a> support for a DART with two sets of registers, needed to support the Synopsys DesignWare USB 3 controller.
<li>Added <a href="https://man.openbsd.org/apldwusb.4">apldwusb(4)</a>, a glue driver for the Synopsys DesignWare USB 3 controllers found on the Apple M1 SoC.
    <li>Added <a href="https://man.openbsd.org/aplns.4">aplns(4)</a> to provide support for Apple NVMe storage as found in Apple M1 devices.
<li>Added <a href="https://man.openbsd.org/aplpinctrl.4">aplpinctrl(4)</a>, a driver for the Apple GPIO controller found on the M1 SoCs.
<li>Added <a href="https://man.openbsd.org/aplpmu.4">aplpmu(4)</a>, a driver for the Apple "sera" SPMI power management unit that contains the RTC on Apple M1 systems.
<li>Added <a href="https://man.openbsd.org/aplspmi.4">aplspmi(4)</a>, a driver for the Apple SPMI controller.
</ul>
<li>Enabled LEDs for the <a href="https://man.openbsd.org/mue.4">mue(4)</a> LAN7800 chip as found on the Raspberry Pi 3 Model B+.
<li>Added <a href="https://man.openbsd.org/rktcphy.4">rktcphy(4)</a>, a driver for the Type-C PHY controller found on the Rockchip RK3399.
<li>Implemented multicast support in <a href="https://man.openbsd.org/mvpp.4">mvpp(4)</a>.
</ul>
<li>Changes on other architectures:
<ul>
<li>Switched <a href="macppc.html">macppc</a> to use <a href="https://man.openbsd.org/ld.lld">ld.lld(1)</a>.
<li>Fixed an issue preventing applications from selecting the non-ALTIVEC code path on macppc.
<li>Made <a href="amd64.html">amd64</a> hw.setperf percentages proportional to the enhanced
speed step frequencies on Intel processors. The default hw.setperf=99
corresponds to the maximum ordinary speed, and setting it to 100
enables turbo mode.
<li>Enabled <a href="https://man.openbsd.org/cy.4">cy(4)</a> on amd64.
<li>Disabled base-gcc on amd64.
<li>Prevented crashes on amd64 when TLB entries which should have been invalidated were used.
<li>Prevented a kernel panic in sparc64 due to page boundary misalignment.
<li>Forced <a href="luna88k.html">luna88k</a> to use the serial console when no graphics board is found.
  <li>Made additional free inodes available on luna88k bsd.rd by specifying density=4096.
<li>Fixed strchr() and strrchr() on <a href="mips64.html">mips64</a>.
<li>Prevented watchdog resets on some i.MX 64-bit machines with a
recent U-Boot and watchdog enabled on boot in <a
href="https://man.openbsd.org/imxdog.8">imxdog(8)</a>.
<li>Created audio devices on <a href="armv7.html">armv7</a>.
<li>Retired OpenBSD/<a href="sgi.html">sgi</a> platform.
<li>Enabled MSI-X support for <a href="powerpc64.html">powerpc64</a>.
<li>Fixed __ppc_lock for page faults that recursively grab the lock on powerpc.
<li>Increased the maximum data size on powerpc64 to 32GB.
<li>Disabled global page table mappings when using PCID to prevent crashes when not flushed from TLB on amd64.
<li>Added <a href="https://man.openbsd.org/cduart.4">cduart(4)</a> driver for Cadence Universal Asynchronous Receiver/Transmitter on armv7.
<li>Added <a href="https://man.openbsd.org/armv7/zqclock.4">zqclock(4)</a> driver for Xilinx Zynq-7000 clock controller on armv7.
<li>Added <a href="https://man.openbsd.org/armv7/zqreset.4">zqreset(4)</a> driver for Xilinx Zynq-7000 reset controller on armv7.
</ul>
</ul>
<li>Various kernel improvements:
<ul>
<li>Unlocked the top part of the VM fault handler on i386.
<li>Enabled <a href="https://man.openbsd.org/dt.4">dt(4)</a> for GENERIC kernels on amd64, arm64, i386, sparc64, and powerpc64.
<li>Added kprobes provider for <a href="https://man.openbsd.org/dt.4">dt(4)</a>.
  <li>Implemented &lt; and &gt; operators in <a href="https://man.openbsd.org/btrace.8">btrace(8)</a> filters.
<li>Added <a href="https://man.openbsd.org/btrace.8">btrace(8)</a>
display of time spent in userland when analyzing the kernel stack in
the flame graph tool and fixed a parsing bug.
<li>Introduced /etc/<a
href="https://man.openbsd.org/bsd.re-config.5">bsd.re-config(5)</a>,
which can be used to configure the kernel using <a
href="https://man.openbsd.org/config.8">config(8)</a>, allowing use of
KARL while making changes to the GENERIC kernel.
<li>Identify TPM 2.0 devices and perform the 2.0-specific
suspend command, allowing the ThinkPad X1 Carbon Gen 9 and
ThinkPad X1 Nano with the latest BIOS (which added S3) to resume.
<li>Changed the printing of the hibernate image size from bytes to megabytes.
<li>Increased hibernate writeout speed.
<li>Added "machine sysregs" command to <a href="https://man.openbsd.org/ddb.4">ddb(4)</a> on amd64.
<li>Prevented interleaved stack traces in <a href="https://man.openbsd.org/ddb.4">ddb(4)</a> from multiple CPUs.
<li>Delayed installation of sensors until a device with battery
support is connected, allowing <a
href="https://man.openbsd.org/sensorsd.8">sensorsd(8)</a> to pick up
hotplugged <a href="https://man.openbsd.org/uhidpp.4">uhidpp(4)</a>
devices.
<li>Prevented a kernel panic after VFS shutdown.
<li>Increased the <a href="https://man.openbsd.org/setitimer.2">setitimer(2)</a> timer limit to UINT_MAX seconds.
<li>Serialized the internals of <a href="https://man.openbsd.org/kqueue.2">kqueue(2)</a> with a mutex.
<li>Enabled pool cache on <a href="https://man.openbsd.org/knote.9">knote(9)</a> pool.
<li>Fixed <a href="https://man.openbsd.org/futex.2">futex(2)</a>
errno handling to match what Mesa expects and prevent failure to
properly report timeouts.
<li>Fixed a kernel crash in <a href="https://man.openbsd.org/tty.4">tty(4)</a>.
<li>Increased the default buffer space on PF_UNIX sockets to 8k and
made the values tuneable via <a
href="https://man.openbsd.org/sysctl.2">sysctl(2)</a>.
<li>Made <a href="https://man.openbsd.org/kqueue.2">kqueue(2)</a>
timer re-addition reset an existing timer to use the new timeout
period.
<li>In the build system, pass make flags to kernel and lib builds,
making hacking on ramdisks/the installer much faster.
</ul>
<li>SMP Improvements
<ul>
<li>Made pmap_extract() mpsafe on hppa and amd64.
<li>Introduced CPU_IS_RUNNING() and used it in scheduler-related code
to prevent waiting on non-running CPUs.
<li>Made anonymous object reference counting independent from the KERNEL_LOCK().
<li>Unlocked <a href="https://man.openbsd.org/connect.2">connect(2)</a>.
<li>Unlocked <a href="https://man.openbsd.org/setrtable.2">setrtable(2)</a>.
<li>Introduced per-CPU <a href="https://man.openbsd.org/panic.9">panic(9)</a> message buffers.
<li>Used so_lock to protect key management (PF_KEY) sockets.
<li>Used so_lock to protect routing (PF_ROUTE) sockets.
<li>Unlocked <a href="https://man.openbsd.org/lseek.2">lseek(2)</a>.
<li>Unlocked the top part of the fault handler.
</ul>
<li>Direct Rendering Manager
<ul>
<li>Updated <a href="https://man.openbsd.org/drm.4">drm(4)</a>
to Linux 5.10.65
<li><a href="https://man.openbsd.org/inteldrm.4">inteldrm(4)</a>:
better support for Tiger Lake
<li><a href="https://man.openbsd.org/drm.4">amdgpu(4)</a>:
support for Navi 12, Navi 21 "Sienna Cichlid", Arcturus
<li><a href="https://man.openbsd.org/drm.4">amdgpu(4)</a>:
support for Cezanne "Green Sardine" Ryzen 5000 APU
</ul>
<li>VMM/VMD improvements
<ul>
<li>Added a theoretical limit of 512 to the number of allocated vcpus
in <a href="https://man.openbsd.org/vmm.4">vmm(4)</a>.
<li>Fixed <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> vcpu locking issues.
<li>Added <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> support for variable length vionet rx descriptor chains.
<li>Prevented stack overflow in <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> due to large DHCP packets on local interfaces.
<li>Allowed locking of a randomly assigned lladdr in <a href="https://man.openbsd.org/vmd.8">vmd(8)</a>.
<li>Skipped inspecting non-udp packets on local interfaces for <a href="https://man.openbsd.org/vmd.8">vmd(8)</a>.
<li>Prevented guest virtio drivers from causing stack and buffer overflows in <a href="https://man.openbsd.org/vmd.8">vmd(8)</a>.
<li>Fixed a race condition in <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> relating to incorrect physical cpu tracking.
<li>Fixed <a href="https://man.openbsd.org/vmctl.8">vmctl(8)</a>
client "wait" state corruption in <a
href="https://man.openbsd.org/vmd.8">vmd(8)</a> when a wait is
canceled and restarted, allowing multiple waiting clients.
<li>Added protections against guests with bad virtio drivers to <a href="https://man.openbsd.org/vmd.8">vmd(8)</a>
<li>Unlocked the kernel in <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> ioctl handlers and introduced vcpu locks
</ul>
<li>Various new userland features:
<ul>
<li>Imported <a
href="https://man.openbsd.org/timeout.1">timeout(1)</a> utility from
NetBSD. timeout(1) can be used to run commands with a time limit.
<li>Added include and exclude options to <a
href="https://man.openbsd.org/openrsync.1">openrsync(1)</a>.
<li>Implemented reporting of supplemental groups in <a
href="https://man.openbsd.org/ps.1">ps(1)</a>.
<li>Added indication of whether an <a
href="https://man.openbsd.org/mg.1">mg(1)</a> function is unsuitable
for a startup file.
<li>Added "dired-jump" command to <a
href="https://man.openbsd.org/mg.1">mg(1)</a> to open a dired buffer
containing the current buffer's directory location.
</ul>
<li>Various bugfixes and tweaks in userland:
<ul>
<li>Modified <a href="https://man.openbsd.org/doas">doas(1)</a> to
retry up to 3 times on password authentication failure.
<li>Made all <a href="https://man.openbsd.org/vi.1">vi(1)</a> signal
handler functions async-signal-safe.
<li>Changed <a href="https://man.openbsd.org/diff.1">diff(1)</a> to
consider two files sharing the same inode identical.
<li>Allowed <a href="https://man.openbsd.org/xenodm.1">xenodm(1)</a>
login when ~/.Xauthority does not exist.
<li>Disabled building all of the non-unicode fonts in Xenocara
except for ISO8859-1.
<li>Altered <a href="https://man.openbsd.org/passwd.1">passwd(1)</a>
  to use stderr for printing error and informational messages. This
allows easier parsing of what passwd(1) is doing if spawned from a
GUI.
<li>Fixed <a href="https://man.openbsd.org/iostat.8">iostat(8)</a>
per-device values when <a
href="https://man.openbsd.org/systat.1">systat(1)</a> is in boot time
mode ('b'), not normalizing based on the sleep interval.
<li>Made <a href="https://man.openbsd.org/jot.1">jot(1)</a> -b, -c and -w mutually exclusive.
<li>Made <a href="https://man.openbsd.org/cdio.1">cdio(1)</a> discard
the current input line when Ctrl-C is used during line editing and
provide a fresh prompt rather than exiting the program.
<li>Let <a href="https://man.openbsd.org/el_gets.3">el_gets(3)</a>
honour the first Ctrl-C typed by the user rather than
ignoring it.
<li>Corrected <a href="https://man.openbsd.org/awk.1">awk(1)</a> -F
null string behavior to ensure -F '' behaves consistently with -v
FS="".
<li>Avoided a potential buffer overflow in backslash escaping in <a
href="https://man.openbsd.org/awk.1">awk(1)</a>.
<li>Disallowed the use of an empty list between "while" and "do" in
<a href="https://man.openbsd.org/ksh.1">ksh(1)</a>.
<li>Changed <a href="https://man.openbsd.org/cwm.1">cwm(1)</a>
maximization and full-screen mode toggling to keep the cursor within
the window, preventing focus loss.
<li>Made <a href="https://man.openbsd.org/rc.8">rc(8)</a> quietly
attempt an early mount of /var/log in case someone has created
it as a separate filesystem to avoid /var overflow issues.
<li>Improved <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
to retain essential partitions on various platforms.
<li>Improved <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
for disks with 4K sectors.
<li>Cleaned up the <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> MBR/GPT
initialization code, making -g independent of -i, leaving four
mutually exclusive initialization options (-i, -g, -u and -A) with the
last option specified executed (allowing the existing -i -g to work as
intended).
<li>Relaxed criteria for recognizing GPT formatted media, allowing
GPT disk images added with <a href="https://man.openbsd.org/dd.1">dd(1)</a> onto larger physical
media to be recognized by <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> and the kernel.
<li>Added the ability for <a
href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> to recognize
"BIOS Boot", "APFS", "APFS ISC", "APFS Recovry" (sic), "HiFive FSBL" and "HiFive BBL" GPT partitions.
<li>Ensured the values for <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
-b and -l are treated as 512-byte block counts.
<li>Added an <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
-A option to initialize a GPT without removing special boot
partitions.
<li>Made <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
-b option available to architectures other than amd64 and i386 and extended the
syntax to allow specification of the boot partition type and offset.
<li>Adjusted density for partitions on a 4k disk in <a
href="https://man.openbsd.org/newfs.8">newfs(8)</a> when fragsize and
density are not passed on the command line to ensure sufficient inodes
to hold a src tree on a 2G fs.
<li>Fixed <a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> generation on sparc64.
  <li>Fixed overlap check in <a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
autoalloc code.
<li>Corrected various min/max cluster numbers for FAT12/16/32 in <a
href="https://man.openbsd.org/newfs_msdos.8">newfs_msdos(8)</a>.
<li>Added libexecinfo, a library providing backtrace functions.
<li>Updated C library support for character classification
to Unicode 13.0.
<li>Let <a href="https://man.openbsd.org/wcwidth.3">wcwidth(3)</a>
treat all characters in Unicode private use areas
as single-width, even those in planes 15 and 16.
<li>Limited the <a href="https://man.openbsd.org/printf.1">printf(1)</a> \x escape sequence to two characters.
<li>Corrected the output of
<a href="https://man.openbsd.org/date.1">date(1)</a> -f %s
which was wrongly affected by the local timezone.
<li>Turn printing additional information into toggles for <a href="https://man.openbsd.org/systat.1">systat(1)</a>.
</ul>
<li>Improved hardware support and driver bugfixes, including:
<ul>
<li>Added a workaround to <a href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a> for machines where the framebuffer size reported by the hardware is incorrect.
<li>In <a href="https://man.openbsd.org/pchgpio.4">pchgpio(4)</a>, worked around a BIOS bug on Lenovo ThinkPads based on Intel's Tiger Lake platform to properly restore the GPIO pin used for the touchpad interrupt upon resume.
<li>Stopped setting the highspeed bit on bcm2835-sdhci <a href="https://man.openbsd.org/sdhc.4">sdhc(4)</a> controllers, fixing <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> wifi on the Raspberry Pi 3 Model B+.
<li>Added support for obtaining sense status and source slot of a media to <a href="https://man.openbsd.org/chio.1">chio(1)</a> and <a href="https://man.openbsd.org/ch.4">ch(4)</a>.
<li>Fixed <a href="https://man.openbsd.org/dwiic.4">dwiic(4)</a> timeouts requesting data from at least one touchpad.
<li>Added
<a href="https://man.openbsd.org/ucc.4">ucc(4)</a>,
a driver for USB HID Consumer Control keyboards.
Often used to expose volume, audio and application launch keys.
Volume keys are handled by the kernel and all other keys are
propagated to X11 and the console through
<a href="https://man.openbsd.org/wscons.4">wscons(4)</a>.
<li>Set the <a href="https://man.openbsd.org/uhidpp.4">uhidpp(4)</a> battery level sensor status to unknown while charging to handle devices reporting zero during charge, preventing certain <a href="https://man.openbsd.org/sensorsd.conf.5">sensorsd.conf(5)</a> actions from triggering inappropriately.
<li>Added Tiger Lake LP (INT34C5) support to <a href="https://man.openbsd.org/pchgpio.4">pchgpio(4)</a>.
<li>Fixed a panic at shutdown relating to <a href="https://man.openbsd.org/azalia.4">azalia(4)</a> on the X1 Extreme Gen 1.
<li>Fixed a panic reported in <a href="https://man.openbsd.org/upd.4">upd(4)</a>.
<li>Fixed display of incorrect patterns on LUNA's <a href="https://man.openbsd.org/wscons.4">wscons(4)</a> with 1bpp framebuffer when backspace is typed.
<li>Fixed an attachment problem for <a href="https://man.openbsd.org/dwctwo.4">dwctwo(4)</a> for certain devices issuing NAK interrupts during split transactions.
<li>Added AMD 17h/6xh Root Complex to <a href="https://man.openbsd.org/ksmn.4">ksmn(4)</a>.
<li>Ensured the TX FIFO isn't overrun for longer transfers in <a href="https://man.openbsd.org/dwiic.4">dwiic(4)</a>.
<li>Added <a href="https://man.openbsd.org/titmp.4">titmp(4)</a>, a driver for the TI TMP451 temperature sensor.
<li>Ensured a USB mouse will attach if otherwise qualified even if the usage report does not include X and Y usages.
<li>Attached unsupported video devices to <a href="https://man.openbsd.org/uvideo.4">uvideo(4)</a> but not <a href="https://man.openbsd.org/video.1">video(1)</a>, rather than leaving it unmatched.
<li>Added a -R flag to <a href="https://man.openbsd.org/usbhidctl.1">usbhidctl(1)</a> to dump the raw report descriptor bytes.
<li>Added hid_get_report_desc_data() to <a href="https://man.openbsd.org/usbhid.3">usbhid(3)</a> to access raw report descriptor data.
<li>Fixed overflows when reading multiple bytes from AML over an i2c bus in <a href="https://man.openbsd.org/acpi.4">acpi(4)</a>.
<li>Fixed <a href="https://man.openbsd.org/uaudio.4">uaudio(4)</a> on certain machines such as the RPI4 by adding a pre-DMA-write barrier after data is stored to memory.
<li>Worked around x86 machines that advertise the "hardware reduced" ACPI feature, advertise S4 and S5 support, but fail to populate the SLEEP_CONTROL_REG and SLEEP_STATUS_REG descriptions in the FADT. This fixed the ASUS Zenbook 14.
<li>Added quirk to enable ThinkPad X1 Extreme 1 speakers and Dolby Atmos in <a href="https://man.openbsd.org/azalia.4">azalia(4)</a>.
<li>Fixed <a href="https://man.openbsd.org/pchgpio.4">pchgpio(4)</a> issues with dead touchpads after resume.
<li>Fixed an mbuf leak in <a href="https://man.openbsd.org/xnf.4">xnf(4)</a>.
</ul>
<li>New or improved network hardware support:
<ul>
<li>Fixed <a href="https://man.openbsd.org/ix.4">ix(4)</a> with older amd64 and current riscv64 hardware if MSI is not enabled for the device.
<li>Added the <a href="https://man.openbsd.org/uaq.4">uaq(4)</a> driver for Aquantia AQC111U/AQC112U USB Ethernet devices.
<li>Added the <a href="https://man.openbsd.org/aq.4">aq(4)</a> driver to support Aquantia 1/2.5/5/10Gb/s PCIe Ethernet adapters.
<li>Synced <a href="https://man.openbsd.org/dwctwo.4">dwctwo(4)</a> with the NetBSD-current code base, enabling the USB on-board Ethernet controller through <a href="https://man.openbsd.org/mue.4">mue(4)</a>, fixing <a href="https://man.openbsd.org/uvideo.4">uvideo(4)</a>, and enabling the two USB uhub3 ports on the Raspberry Pi 3 Model B+.
<li>Added <a href="https://man.openbsd.org/cad.4">cad(4)</a>, a driver for Cadence GEM.
<li>Added Broadcom BCM5725 to <a href="https://man.openbsd.org/brgphy.4">brgphy(4)</a>.
<li>Added support for RTL8168FP/RTL8111FP/RTL8117 to <a href="https://man.openbsd.org/re.4">re(4)</a>.
<li>Fixed <a href="https://man.openbsd.org/ure.4">ure(4)</a> after a media link change on RTL8153/B devices.
<li>Fixed <a href="https://man.openbsd.org/bnxt.4">bnxt(4)</a> with a single queue in MSI-X mode.
</ul>
<li>Added or improved wireless network drivers:
<ul>
  <li>Zeroed out <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> Tx descriptors of frames to prevent the device from writing to the former DMA address of a buffer which has been taken off the Tx ring.
<li>Fixed a bug in <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> Tx done interrupt processing which could cause fatal firmware errors under load and memory corruption.
<li>Changed <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> to sleep for 1 second while loading firmware to match what <a href="https://man.openbsd.org/iwn.4">iwn(4)</a> does. This fixes some issues with suspend/resume.
<li>Ensured that <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> will reload firmware from disk on down/up and not during resume.
<li>Fixed <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> crystal latency values to match those used by Linux iwlwifi.
<li>Fixed an off-by-one error in <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a>.
<li>Changed <a href="https://man.openbsd.org/iwn.4">iwn(4)</a>, <a href="https://man.openbsd.org/iwm.4">iwm(4)</a>, and <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> devices to hide detailed firmware error reports by default.
<li>Prevented a loop when <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> receives an unsolicited association status event right after successful association.
<li>Fixed a leak with <a href="https://man.openbsd.org/wg.4">wg(4)</a> keepalive.
  <li>Switched <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> to -63 firmware images as shipped in iwx-firmware-20210512, including fixes addressing FragAttacks vulnerabilities.
<li>Supported the new <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> firmware session protection command, required for successful associations with new firmware.
<li>Stopped asking <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> to send probe requests on passive channels, fixing firmware going unresponsive after association.
<li>Fixed an <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> edge case where devices failed to resume after system suspend.
<li>Switched <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> to newer firmware images available in iwm-firmware-20210512. This provides FragAttacks fixes for the updated devices.
<li>Fixed <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> against access points using TKIP as the group cipher.
<li>Prevented <a href="https://man.openbsd.org/athn.4">athn(4)</a> from calling ieee80211_find_rxnode() on bad frames in an attempt to prevent creation of bogus node cache entries.
<li>Implemented various fixes addressing firmware errors in <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
<li>Fixed node leaks in <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> which caused the drivers to get stuck when roaming between access points.
<li>Fixed <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> firmware reloading after a failure to parse the firmware file.
<li>Avoided "mac clock not ready" panics in <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
<li>Worked around a problem between certain <a href="https://man.openbsd.org/athn.4">athn(4)</a> hardware running in HostAP mode and clients that use Tx aggregation.
<li>Corrected multicast decryption for <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
<li>Added 802.11n Tx aggregation support to <a href="https://man.openbsd.org/iwm.4">iwm(4)</a>.
<li>Made <a href="https://man.openbsd.org/iwn.4">iwn(4)</a>, <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> keep track of beacon parameters at run-time.
<li>Implemented support for Rx aggregation offload in <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> and re-enabled de-aggregation of A-MSDUs in net80211 for all drivers capable of 11n mode.
<li>Changed error reporting for <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> to use the long version of the firmware path. This makes it easier to find the correct files to add to the bwfm-firmware port.
</ul>
<li>IEEE 802.11 wireless stack improvements and bugfixes:
<ul>
<li>Drop fragmented 802.11 frames.
<li>Prevent frame injection via forged 802.11n A-MSDUs.
<li>Tweaked net80211 RA heuristics to avoid picking Tx rate choices that may be too optimistic.
</ul>
<li>Generic network stack improvements and bugfixes:
<ul>
<li>Implemented reception of "VLAN 0 priority tagged" packets.
<li>Fixed an alignment fault observed on an octeon machine while <a href="https://man.openbsd.org/pppoe.4">pppoe(4)</a> negotiated a large MTU.
<li>Display provider ID for a <a href="https://man.openbsd.org/umb.4">umb(4)</a> SIM in <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>.
</ul>
<li>Installer and upgrade improvements:
<ul>
<li>Checked the installer's /tmp/i/hostname.* files for a configured
IP address so that configurations without a broadcast address are
detected as well.
<li>Handled "inet autoconf" in the ramdisk.
<li>Introduced a short wait in <a
href="https://man.openbsd.org/rc.8">rc(8)</a> after <a
href="https://man.openbsd.org/netstart.8">netstart(8)</a> finishes
until an IPv4 or IPv6 default route is present before continuing boot.
Fixed setups depending on working network and DNS resolution during
early boot when using autoconfiguration (<a
href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> or <a
href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>).
<li>Made <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
always create an EFI SYS partition if the -b option is specified when
initializing a GPT.
<li>Allowed (w)hole disk allocation for GPT disks in arm64, using <a
href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> -A when an Apple
APFS ISC partition is detected and fdisk -ig otherwise. Created EFI
SYS boot partitions only on ROOTDISK GPT disks.
<li>Added <a
href="https://man.openbsd.org/installboot.8">installboot(8)</a> "-p"
to prepare by creating a new filesystem on the partition reserved for
the bootloader on relevant architectures.
<li>Added GPT support to <a href="armv7.html">armv7</a> <a
href="https://man.openbsd.org/installboot.8">installboot(8)</a>.
<li>Added the Spleen 12x24 and 16x32 font on amd64's RAMDISK_CD and
RAMDISK kernels.
<li>Use <a
href="https://man.openbsd.org/installboot.8">installboot(8)</a> on
arm64 ramdisks.
<li>Enable <a
href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> on
ramdisks, and activate <a
href="https://man.openbsd.org/resolvd.8">resolvd(8)</a>, replacing <a
href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>.
<li>Enable <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>
to configure nameservers on ramdisks.
</ul>
<li>Security improvements:
<ul>
<li>Moved objcopy to base set to allow KARL to work on all installs.
<li>Added <a href="https://man.openbsd.org/unveil.2">unveil(2)</a>
calls to xterm in the case where there are no exec-formatted or
exec-selected resources set.
<li>Changed usage of %n from a syslog warning to syslog and abort for
<a href="https://man.openbsd.org/printf.3">printf(3)</a> (and
associated variants).
<li>Made kernel stop all threads when terminating via pledge_fail().
</ul>
<li>Routing daemons and other userland network improvements:
<ul>
<li>The <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>
daemon saw the following changes:
<ul>
<li>Stop processing queued UPDATES when the max-prefix limit was reached.
<li>Improved negotiation for route refresh, graceful restart and
multi-protocol capabilities.
<li>Correctly track 'rde evaluate all' and 'export' settings during reload.
<li>Properly withdraw prefixes when 'rde evaluate all' is used.
<li>Fixed MRT handling on initial startup for message dump types.
<li>Fixed, and now use, non-blocking connect for RTR sessions.
<li>Fully implemented RFC 6286 by checking for BGP ID collisions.
<li>Adjusted the 4-byte AS number handling to RFC 6793 by changing error
behaviour from prefix withdraw to attribute discard.
<li>In <a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> print out both the sent "Neighbor capabilities" and the
"Negotiated capabilities" for a session.
<li>Print timestamps both as a formatted and a pure time in seconds
field in various JSON objects.
<li>Fixed a bug, where during <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> config reloads prefixes of the
wrong address family could leak to peers resulting in session resets.
<li>Added support for RFC 7313 - Enhanced Route Refresh.
Disabled by default. To enable, use 'announce enhanced refresh yes'.
<li>Improved output of Adj-RIB-Out by updating nexthop and ASPATH before
adding the prefix to the RIB. This improves `bgpctl show rib out`
output.
<li>Added command line option to both <a
href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> and <a
href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> to show the
version.
<li>Added support for RFC 9072 - Extended Optional Parameters Length for
BGP OPEN Message.
<li>Added support for RFC 8050 - MRT Format with BGP Additional Path Extensions
<li>Implemented receive side of RFC 7911 - Advertisement of Multiple Paths
in BGP. OpenBGPD is currently not able to send multiple paths out.
<li>Improved checks of VRPs loaded via RTR or from the roa-set table.
<li>Allowed optionally specifying an expiry time for roa-set entries to
mitigate BGP route decision making based on outdated RPKI data.
OpenBGPD's companion rpki-client(8) produces roa-sets with the
new 'expires' property.
</ul>
<li>The <a href="https://man.openbsd.org/pf.4">pf(4)</a> packet filter and its userland utility:
<ul>
<li>Corrected a potential memory leak associated with <a href="https://man.openbsd.org/pfsync.4">pfsync(4)</a> update requests.
<li>Introduced locks around the global <a href="https://man.openbsd.org/pf.4">pf(4)</a> state list.
<li>Fixed a panic due to <a href="https://man.openbsd.org/pfsync.4">pfsync(4)</a> deferral timeout handling.
<li>Added support for <a href="https://man.openbsd.org/pf.4">pf(4)</a> divert-to on <a href="https://man.openbsd.org/tpmr.4">tpmr(4)</a> and <a href="https://man.openbsd.org/veb.4">veb(4)</a>.
<li>Fixed state key reference underflow when both state keys are identical in <a href="https://man.openbsd.org/pf.4">pf(4)</a>.
<li>Only skipped <a href="https://man.openbsd.org/pf.4">pf(4)</a> once for packets injected by a divert-packet socket, allowing pf to still act later on a diverted packet.
</ul>
<li>IPSEC support in the kernel and the <a href="https://man.openbsd.org/iked.8">iked(8)</a> userland daemon:
<ul>
<li>Zeroed out potential passwords when freeing memory or handling parsing errors in <a href="https://man.openbsd.org/iked.8">iked(8)</a>.
<li>Added client-side support for DNS configuration to <a href="https://man.openbsd.org/iked.8">iked(8)</a>.
<li>Increased <a href="https://man.openbsd.org/iked.8">iked(8)</a> default data bytes limit for Child SAs to 4 GB, preventing excessive rekeying and lost data in high performance setups.
<li>Fixed an <a href="https://man.openbsd.org/iked.8">iked(8)</a> bug where no flows are added if a single address is configured in the config address instead of a pool.
<li>Fixed a problem in <a href="https://man.openbsd.org/iked.8">iked(8)</a> where no flows are loaded when a single config address without pool is configured.
<li>Added an experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519) to <a href="https://man.openbsd.org/iked.8">iked(8)</a> as sntrup761x25519.
<li>Fixed races which were slowing <a href="https://man.openbsd.org/ipsec.4">ipsec(4)</a> throughput.
<li>Fixed <a href="https://man.openbsd.org/ipsec.4">ipsec(4)</a> NAT-T to work with <a href="https://man.openbsd.org/pipex.4">pipex(4)</a>.
</ul>
<li><a
href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>
received the following new features and bugfixes:
<ul>
<li>Added keep-alive support to the HTTP client code for RRDP.
<li>Reference-count and delete unused files synced via RRDP, as far as
possible.
<li>In the JSON output, changed the AS Number from a string ("AS123") to
an integer ("123") to make processing of the output easier.
<li>Added an 'expires' column to CSV & JSON output, based on certificate
and CRL validity times. The 'expires' value can be used to avoid route
selection based on stale data when generating VRP sets, when faced
with loss of communication between consumer and validator, or
validator and CA repository.
<li>Made the runtime timeout (-s option) also trigger in
child processes.
<li>Improved RRDP support and made RRDP the default protocol for
synchronizing the RPKI repository data, with <a
href="https://man.openbsd.org/openrsync.1">openrsync(1)</a> used as secondary.
<li>At startup, warn if the filesystem containing the cache directory
is probably too small.
<li>Handle running out of disk space more gracefully, including cleanup
of temporary and old files before exiting.
<li>Improved the HTTP/1.1 request headers being sent.
<li>Improved validation checks for ROA and MFT objects.
<li>Improved the HTTP client code (status code handling, http proxy
support, keep-alive).
<li>In RRDP, do not access URI with userinfo (@-sign).
<li>Improved RRDP syncing by considering a notification file serial
jumping backwards as synced repository.
<li>Made -R (rsync only) also apply to the fetching of TA files.
<li>Only sync *.{cer,crl,gbr,mft,roa} files via rsync and exclude all others.
<li>When producing output for <a
href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>, make use of the
'roa-set expires' attribute to prevent machines from loading outdated
roa-sets.
<li>In RRDP, limited the number of deltas to 300 per repo. If more deltas
exist, downloading a full snapshot is faster.
<li>Limited the validation depth of X.509 certificate chains to 12, double
the current depth seen in RPKI.
</ul>
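<p>One way a consumer of the JSON output can act on the AS number and 'expires' changes listed above, as an added example rather than rpki-client or bgpd code: it accepts the AS number in both the old string form and the new integer form and separates VRPs whose 'expires' time has passed. The sample document, its values and the function names are constructed; the field names roas, asn, prefix, maxLength and expires are assumed to match the tool's output.</p>

```python
import ipaddress
import json

# Constructed sample in the assumed shape of the JSON output; all values are made up.
SAMPLE_JSON = """
{
  "roas": [
    {"asn": 64500, "prefix": "192.0.2.0/24", "maxLength": 24,
     "ta": "example", "expires": 1700003600},
    {"asn": "AS64501", "prefix": "198.51.100.0/24", "maxLength": 24,
     "ta": "example", "expires": 1699990000},
    {"asn": 64502, "prefix": "2001:db8::/32", "maxLength": 48,
     "ta": "example"}
  ]
}
"""


def parse_asn(value):
    """Accept the old string form ("AS123") and the new integer form (123)."""
    if isinstance(value, str):
        text = value.strip()
        if text.upper().startswith("AS"):
            text = text[2:]
        if not text.isdigit():
            raise ValueError(f"bad AS number: {value!r}")
        value = int(text)
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, int):
        raise ValueError(f"bad AS number: {value!r}")
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"AS number out of 4-byte range: {value}")
    return value


def classify_vrps(json_text, now):
    """Sort VRPs into fresh, stale and undated lists of (asn, prefix, maxlen).

    'now' is seconds since the epoch. Entries without 'expires' (output that
    predates the new column) are kept apart so the caller decides the policy.
    """
    result = {"fresh": [], "stale": [], "undated": []}
    for entry in json.loads(json_text).get("roas", []):
        net = ipaddress.ip_network(entry["prefix"])
        maxlen = int(entry.get("maxLength", net.prefixlen))
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError(f"bad maxLength {maxlen} for {net}")
        vrp = (parse_asn(entry["asn"]), str(net), maxlen)
        expires = entry.get("expires")
        if expires is None:
            result["undated"].append(vrp)
        elif int(expires) > now:
            result["fresh"].append(vrp)
        else:
            result["stale"].append(vrp)
    return result


if __name__ == "__main__":
    buckets = classify_vrps(SAMPLE_JSON, now=1700000000)
    for name, vrps in buckets.items():
        print(name, vrps)
```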
<li><a href="https://man.openbsd.org/traceroute.8">traceroute(8)</a> was improved:
<ul>
<li>Probe packets are now sent in quick succession and responses handled asynchronously.</li>
<li>DNS lookups are performed asynchronously.
This speeds up the time required to display results considerably.
</ul>
<li><a href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> was made
the default program for configuring IPv4 addresses via DHCP. <a
href="https://man.openbsd.org/resolvd.8">resolvd(8)</a> was activated
to handle concurrent changes to <a
href="https://man.openbsd.org/resolv.conf.5">resolv.conf(5)</a> by
both dhcpleased(8) and <a
href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>.<br>
Additionally these programs saw the following improvements and bugfixes:
<ul>
<li>Changed <a
href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> client
identifier transmission to match other DHCP client implementations.
<li>Simplified <a
href="https://man.openbsd.org/dhcpleasectl.8">dhcpleasectl(8)</a> and
added syntax to match <a
href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> (interface),
allowing one to be aliased to the other.
<li>Retried broadcast with <a
href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> when the
DHCP server is unreachable via unicast UDP.
<li>Made <a href="https://man.openbsd.org/resolvd.8">resolvd(8)</a>
accept DNS proposals for the loopback addresses.
<li>Added to <a
href="https://man.openbsd.org/dhcpleased.conf.5">dhcpleased.conf(5)</a>
the ability to ignore routes or nameservers from a lease and to ignore
servers entirely.
<li>Made <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>
defer to <a
href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> when the
inet autoconf flag is set. When run, dhclient will signal dhcpleased
to request a new lease rather than requesting one itself.
<li>Fixed potential races in <a
href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> and <a
href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> when two
processes are configuring the same IP.
<li>Added the possibility to send vendor class identifier and client
identifier using <a
href="https://man.openbsd.org/dhcpleased.conf.5">dhcpleased.conf(5)</a>.
<li>Made <a
href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> always
configure provided routes, regardless of whether the address received
in the lease is already configured.
<li>Used exclusive locks under /dev/ to ensure single instances of <a
href="https://man.openbsd.org/resolvd.8">resolvd(8)</a>, <a
href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> and <a
href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a>.
<li>Implemented classless static routes DHCP option in <a
href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a>.
<li>Added a new "nameserver" command to <a
href="https://man.openbsd.org/route.8">route(8)</a>, sending
nameserver proposals to <a
href="https://man.openbsd.org/resolvd.8">resolvd(8)</a> using the DNS
proposal protocol over the route socket. This command is intended to be
used to integrate userland triggered nameserver changes, for example
by VPN software.
</ul>
<li>Changes to snmp related tools:
<ul>
<li>Disable SNMPv1 and SNMPv2c by default in <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>.
<li>Remove default communities from <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>.
<li>Switched default seclevel to enc for <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>.
<li>Changed the default <a href="https://man.openbsd.org/snmp.1">snmp(1)</a> version to -v3 and removed the default community.
<li>Switched default <a href="https://man.openbsd.org/snmp.1">snmp(1)</a> auth to hmac-sha1.
<li>Switched default <a href="https://man.openbsd.org/snmp.1">snmp(1)</a> and <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a> privacy protocol to AES.
<li>Added the ability for <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a> to send SNMPv3 traps.
<li>Allowed "any" to be used as a listen on address in <a href="https://man.openbsd.org/snmpd.conf.5">snmpd.conf(5)</a>.
<li>Allowed setting of the engineid in <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>.
</ul>
<li>Other userland network changes:
<ul>
<li>Fixed <a href="https://man.openbsd.org/acme-client.1">acme-client(1)</a> SAN generation for CSRs.
<li>Added <a href="https://man.openbsd.org/pledge.2">pledge(2)</a> for <a href="https://man.openbsd.org/ftpd.8">ftpd(8)</a> user processes.
<li>Allowed router solicitations from the unspecified address (::) in <a href="https://man.openbsd.org/rad.8">rad(8)</a>.
<li>Altered <a href="https://man.openbsd.org/slowcgi.8">slowcgi(8)</a> so it no longer sends debug logging to syslog unless debug logging is requested via the new -v flag.
<li>Prevented <a href="https://man.openbsd.org/httpd.8">httpd(8)</a> from trying to chunk encode an empty http body coming from an fcgi upstream.
<li>Used relative reference URIs in Location header on directory redirects in <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>, adding support for front-ending httpd with a TLS-terminating gateway that forwards unencrypted http traffic.
<li>Prevented a crash on strict alignment architectures of <a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> WireGuard printer.
<li>Made <a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> split the 802.11 sequence number field into its sequence number and fragment number components rather than printing the whole field in decimal.
<li>Added simple BGP enhanced route refresh message decoding to <a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a>.
</ul>
</ul>
<li><a href="https://man.openbsd.org/tmux">tmux(1)</a> improvements and bug fixes:
<ul>
<li>Added a -B flag to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> to remove borders from popups and added a menu to popups as well as options to convert a popup into a pane.
<li>Added pipe variants of the <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> line copy commands.
<li>Added basic support for zero width joiners to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
<li>Added client focus hooks to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
<li>Made window-linked and window-unlinked window options in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
<li>Added -F for <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> command-prompt and used it to fix "Rename" on the window menu.
<li>Added different <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> command histories for different types of prompts.
<li>Fixed <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> problems with xterm in VT340 mode.
<li>Added an "always" value to the extended-keys option to always forward those keys to applications inside <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
</ul>
<li>OpenSMTPD 7.0.0
<ul>
<li>Fixed incorrect status code for expired mails resulting in a misleading bounce report in <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>.
<li>Added TLS options cafile=(path), nosni, noverify and servername=(name) to <a href="https://man.openbsd.org/smtp.1">smtp(1)</a>.
<li>Allowed specification of TLS ciphers and protocols in <a href="https://man.openbsd.org/smtp.1">smtp(1)</a>.
</ul>
<li>LibreSSL 3.4.1
<ul>
<li>New Features
<ul>
<li>Added support for OpenSSL 1.1.1 TLSv1.3 APIs.</li>
<li>Enabled the new X.509 validator to allow verification of modern certificate chains.
</ul>
<li>Portable Improvements
<ul>
<li>Ported continuous integration and test infrastructure to Github actions.</li>
<li>Added Universal Windows Platform (UWP) build support.</li>
<li>Fixed mingw-w64 builds on newer versions with missing SSP support.</li>
<li>Added non-executable stack annotations for CMake builds.</li>
</ul>
<li>API and Documentation Enhancements
<ul>
<li>Added the following APIs from OpenSSL
<ul>
<li>BN_bn2binpad</li>
<li>BN_bn2lebinpad</li>
<li>BN_lebin2bn</li>
<li>EC_GROUP_get_curve</li>
<li>EC_GROUP_order_bits</li>
<li>EC_GROUP_set_curve</li>
<li>EC_POINT_get_affine_coordinates</li>
<li>EC_POINT_set_affine_coordinates</li>
<li>EC_POINT_set_compressed_coordinates</li>
<li>EVP_DigestSign</li>
<li>EVP_DigestVerify</li>
<li>SSL_CIPHER_find</li>
<li>SSL_CTX_get0_privatekey</li>
<li>SSL_CTX_get_max_early_data</li>
<li>SSL_CTX_get_ssl_method</li>
<li>SSL_CTX_set_ciphersuites</li>
<li>SSL_CTX_set_max_early_data</li>
<li>SSL_CTX_set_post_handshake_auth</li>
<li>SSL_SESSION_get0_cipher</li>
<li>SSL_SESSION_get_max_early_data</li>
<li>SSL_SESSION_is_resumable</li>
<li>SSL_SESSION_set_max_early_data</li>
<li>SSL_get_early_data_status</li>
<li>SSL_get_max_early_data</li>
<li>SSL_read_early_data</li>
<li>SSL_set0_rbio</li>
<li>SSL_set_ciphersuites</li>
<li>SSL_set_max_early_data</li>
<li>SSL_set_post_handshake_auth</li>
<li>SSL_set_psk_use_session_callback</li>
<li>SSL_verify_client_post_handshake</li>
<li>SSL_write_early_data</li>
</ul>
<li>Added AES-GCM constants from RFC 7714 for SRTP.</li>
</ul>
<li>Compatibility Changes
<ul>
<li>Implemented flushing behavior for TLSv1.3 handshakes, needed for Apache.</li>
<li>Call the info callback on connect/accept exit in TLSv1.3, needed for p5-Net-SSLeay.</li>
<li>Default to using named curve parameter encoding from pre-OpenSSL 1.1.0, adding OPENSSL_EC_EXPLICIT_CURVE.</li>
<li>Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback.</li>
</ul>
<li>Testing and Proactive Security
<ul>
<li>Added additional state machine test coverage.</li>
<li>Improved integration test support with ruby/openssl tests.</li>
<li>Error codes and callback support in new X.509 validator made compatible with p5-Net-SSLeay tests.</li>
</ul>
<li>Internal Improvements
<ul>
<li>Numerous fixes and improvements to the new X.509 validator to ensure error codes
and callback support compatible with the legacy OpenSSL validator.
</ul>
</ul>
<li>OpenSSH 8.8
<ul>
<li>Security
<ul>
<li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: OpenSSH
8.5 introduced the LogVerbose keyword. When this option was
enabled with a set of patterns that activated logging in code
that runs in the low-privilege sandboxed sshd process, the log
messages were constructed in such a way that printf(3) format
strings could effectively be specified by the low-privilege code.
<li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a> from
OpenSSH 6.2 through 8.7 failed to correctly initialise
supplemental groups when executing an AuthorizedKeysCommand or
AuthorizedPrincipalsCommand, where an AuthorizedKeysCommandUser
or AuthorizedPrincipalsCommandUser directive has been set to
run the command as a different user.
</ul>
<li>Potentially incompatible changes
<ul>
<li>A near-future release of OpenSSH will switch <a
href='https://man.openbsd.org/scp.1'>scp(1)</a> from using
the legacy scp/rcp protocol to using SFTP by default.
<li>This release disables RSA signatures using the SHA-1 hash
algorithm by default.
<li><a href='https://man.openbsd.org/scp.1'>scp(1)</a>: this
release changes the behaviour of remote to remote copies
(e.g. "scp host-a:/path host-b:") to transfer through the
local host by default. This was previously available via the
-3 flag. This mode avoids the need to expose credentials on
the origin hop, avoids triplicate interpretation of filenames
by the shell (by the local system, the copy origin and the
destination) and, in conjunction with the SFTP support for
<a href='https://man.openbsd.org/scp.1'>scp(1)</a> mentioned
below, allows use of all authentication methods to the remote
hosts (previously, only non-interactive methods could be
used). A -R flag has been added to select the old behaviour.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>/<a
href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: both the
client and server are now using a stricter configuration file
parser. The new parser uses more shell-like rules for quotes,
space and escape characters. It is also more strict in
rejecting configurations that include options lacking
arguments. Previously some options (e.g. DenyUsers) could
appear on a line with no subsequent arguments. This release
will reject such configurations. The new parser will also
reject configurations with unterminated quotes and multiple
'=' characters after the option name.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: when using
SSHFP DNS records for host key verification, <a
href='https://man.openbsd.org/ssh.1'>ssh(1)</a> will verify
all matching records instead of just those with the specific
signature type requested. This may cause host key verification
problems if stale SSHFP records of a different or legacy
signature type exist alongside other records for a particular
host.
<li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
when generating a FIDO key and specifying an explicit
attestation challenge (using -Ochallenge), the challenge will
now be hashed by the builtin security key middleware. This
removes the (undocumented) requirement that challenges be
exactly 32 bytes in length and matches the expectations of
libfido2.
<li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>:
environment="..." directives in authorized_keys files are now
first-match-wins and limited to 1024 discrete environment
variable names.
</ul>
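<p>A pre-upgrade check for the stricter configuration parser described above, as an added example that is not OpenSSH's own code: it approximates the three rejection rules the note names (options with no arguments, unterminated quotes, multiple '=' after the option name), using Python's shlex for the shell-like quoting. The function names, problem labels and the sample fragment are constructed for illustration.</p>

```python
import shlex

# Constructed sample: lines of the kind the release note says are now
# rejected, mixed with lines that remain valid.
SAMPLE_CONFIG = '''\
# constructed sshd_config fragment
Port 22
DenyUsers
AllowUsers "alice bob
PermitRootLogin==no
PasswordAuthentication = no
Banner "/etc/issue net"
'''


def split_keyword(text):
    """Split a stripped line into (keyword, remainder).

    The keyword ends at the first whitespace character or '='.
    """
    end = 0
    while end < len(text) and not text[end].isspace() and text[end] != "=":
        end += 1
    return text[:end], text[end:].lstrip()


def audit_line(line):
    """Return (keyword, problems) for one line; problems is empty if it looks fine."""
    text = line.strip()
    if not text or text.startswith("#"):
        return "", []
    keyword, rest = split_keyword(text)
    if not keyword:
        return "", ["missing-keyword"]
    problems = []
    # One optional '=' may separate the keyword from its arguments.
    if rest.startswith("="):
        rest = rest[1:].lstrip()
        if rest.startswith("="):
            problems.append("multiple-equals")
            rest = rest.lstrip("= \t")
    try:
        # Shell-like splitting: quotes group words, backslash escapes,
        # '#' starts a trailing comment.
        args = shlex.split(rest, comments=True, posix=True)
    except ValueError:
        # Raised for an unclosed quote or a dangling backslash.
        problems.append("bad-quoting")
        return keyword, problems
    if not args:
        problems.append("missing-argument")
    return keyword, problems


def audit_config(text):
    """Return [(line_number, keyword, problems)] for every suspicious line."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        keyword, problems = audit_line(line)
        if problems:
            findings.append((number, keyword, problems))
    return findings


if __name__ == "__main__":
    for number, keyword, problems in audit_config(SAMPLE_CONFIG):
        print(f"line {number}: {keyword}: {', '.join(problems)}")
```

The script only flags likely problems before an upgrade; running sshd -t against the real file on the new release is the authoritative check.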
<li>New features
<ul>
<li><a href='https://man.openbsd.org/scp.1'>scp(1)</a>:
experimental support for transfers using the SFTP protocol as
a replacement for the venerable SCP/RCP protocol that it has
traditionally used. SFTP offers more predictable filename
handling and does not require expansion of glob(3) patterns
via the shell on the remote side.
<li><a href='https://man.openbsd.org/sftp-server.8'>sftp-server(8)</a>:
add a protocol extension to support expansion of ~/ and ~user/
prefixed paths. This was added to support these paths when
used by <a href='https://man.openbsd.org/scp.1'>scp(1)</a>
while in SFTP mode.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: add a
ForkAfterAuthentication
<a href='https://man.openbsd.org/ssh_config.5'>ssh_config(5)</a>
counterpart to the <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a> -f flag.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: add a
StdinNull directive to
<a href='https://man.openbsd.org/ssh_config.5'>ssh_config(5)</a>
that allows the config file to do the same thing as -n does on
the <a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>
command line.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: add a
SessionType directive to ssh_config, allowing the
configuration file to offer equivalent control to the -N (no
session) and -s (subsystem) command-line flags.
<li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
allowed signers files used by
<a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>
signatures now support listing key validity intervals
alongside the keys, and
<a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>
can optionally check during signature verification whether a
specified time falls inside this interval. This feature is
intended for use by git to support signing and verifying
objects using ssh keys.
<li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
support printing of the full public key in a sshsig signature
via a -Oprint-pubkey flag.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: allow the
<a
href='https://man.openbsd.org/ssh_config.5'>ssh_config(5)</a>
CanonicalizePermittedCNAMEs directive to accept a "none"
argument to specify the default behaviour.
</ul>
<li>Bugfixes
<ul>
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>/
<a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: start
time-based re-keying exactly on schedule in the client and
server mainloops. Previously the re-key timeout could expire
but re-keying would not start until a packet was sent or
received, causing a spin in select() if the connection was
quiescent.
<li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
avoid Y2038 problem in printing certificate validity
lifetimes. Dates past 2^31-1 seconds since epoch were
displayed incorrectly on some platforms.
<li><a href='https://man.openbsd.org/scp.1'>scp(1)</a>: allow
spaces to appear in usernames for local to remote and scp -3
remote to remote copies.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>/
<a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: remove
references to ChallengeResponseAuthentication in favour of
KbdInteractiveAuthentication. The former is what was in SSHv1,
the latter is what is in SSHv2 (<a href='https://tools.ietf.org/html/rfc4256'>RFC4256</a>)
and they were treated as somewhat but not entirely equivalent. We
retain the old name as a deprecated alias so configuration
files continue to work as well as a reference in the man page
for people looking for it.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>/
<a href='https://man.openbsd.org/ssh-add.1'>ssh-add(1)</a>/
<a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
fix decoding of X.509 subject name when extracting a key from
a PKCS#11 certificate.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: restore
blocking status on stdio fds before close.
<a href='https://man.openbsd.org/ssh.1'>ssh(1)</a> needs file
descriptors in non-blocking mode to operate but it was not
restoring the original state on exit. This could cause
problems with fds shared with other programs via the shell.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>/
<a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: switch both
client and server mainloops from select(3) to
pselect(3). Avoids race conditions where a signal may arrive
immediately before select(3) and not be processed until an
event fires.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: sessions
started with ControlPersist were incorrectly executing a shell
when the -N (no shell) option was specified.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: check if
IPQoS or TunnelDevice are already set before
overriding. Prevents values in config files from overriding
values supplied on the command line.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: fix debug
message when finding a private key to match a certificate
being attempted for user authentication. Previously it would
print the certificate's path, whereas it was supposed to be
showing the private key's path.
<li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: match
host certificates against host public keys, not private
keys. Allows use of certificates with private keys held in a
ssh-agent.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: add a
workaround for a bug in OpenSSH 7.4 <a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>,
which allows RSA/SHA2 signatures for public key authentication but
fails to advertise this correctly via SSH2_MSG_EXT_INFO. This
causes clients of these servers to incorrectly match
PubkeyAcceptedAlgorithms and potentially refuse to offer
valid keys.
<li><a href='https://man.openbsd.org/sftp.1'>sftp(1)</a>/
<a href='https://man.openbsd.org/scp.1'>scp(1)</a>: degrade
gracefully if a sftp-server offers the limits@openssh.com
extension but fails when the client tries to invoke it.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: allow
ssh_config SetEnv to override $TERM, which is otherwise
handled specially by the protocol. Useful in ~/.ssh/config to
set TERM to something generic (e.g. "xterm" instead of
"xterm-256color") for destinations that lack terminfo entries.
<li><a href='https://man.openbsd.org/sftp-server.8'>sftp-server(8)</a>:
the limits@openssh.com extension was incorrectly marked as an
operation that writes to the filesystem, which made it
unavailable in sftp-server read-only mode.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: fix SEGV
in UpdateHostkeys debug() message, triggered when the update
removed more host keys than remained present.
<li><a href='https://man.openbsd.org/scp.1'>scp(1)</a>: when using
the SFTP protocol, continue transferring files after a
transfer error occurs, better matching original scp/rcp
behaviour.
<li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: fixed a
number of memory leaks in multiplexing.
<li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
avoid crash when using the -Y find-principals command.
<li>A number of documentation and manual improvements.
</ul>
</ul>
<li>mandoc 1.14.6
<ul>
<li>Added a style message about overlong text input lines.
<li>Made "-W style" check .Xr links along the full manpath
to help validation of non-base manual pages.
<li>Supported auto-tagging for ".It Va" in
<a href="https://man.openbsd.org/mdoc.7">mdoc(7)</a> documents.
<li>Stopped printing two extra blank lines at the top and bottom of
<a href="https://man.openbsd.org/man.7">man(7)</a> documents.
<li>Supported the CB and CI fonts in
<a href="https://man.openbsd.org/roff.7">roff(7)</a>
\f font escapes and .ft font requests.
<li>Added support for two-character font names (BI, CW, CR, CB, CI)
to the <a href="https://man.openbsd.org/tbl.7">tbl(7)</a>
layout font modifier.
<li>Implemented the
<a href="https://man.openbsd.org/tbl.7">tbl(7)</a>
layout modifiers "b" (bold) and "i" (italic)
in HTML output mode.
<li>Completed support for the "nospaces" option in the
<a href="https://man.openbsd.org/tbl.7">tbl(7)</a> parser.
<li>Fixed an infinite loop in the
<a href="https://man.openbsd.org/tbl.7">tbl(7)</a> parser
for some cases of horizontally overlapping horizontal spans.
<li>Added a meta viewport element to "-T html" output.
<li>Fixed a crash with "-T man" when an input file contains
<a href="https://man.openbsd.org/tbl.7">tbl(7)</a> or
<a href="https://man.openbsd.org/eqn.7">eqn(7)</a> input.
<li>Fixed a crash in <a
href="https://man.openbsd.org/makewhatis.8">makewhatis(8)</a>