<!doctype html>
<html lang=en id=release>
<head>
<meta charset=utf-8>
<title>OpenBSD 7.4</title>
<meta name="description" content="OpenBSD 7.4">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/74.html">
</head><body>
<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
7.4
</h2>
<table>
<tr>
<td>
<a href="images/ImHappyBecauseEveryoneLovesMe.jpg">
<img width="227" height="303" src="images/ImHappyBecauseEveryoneLovesMe-s.gif" alt="I'm Happy Because Everyone Loves Me"></a>
<td>
Released Oct 16, 2023. (55th OpenBSD release)<br>
Copyright 1997-2023, Theo de Raadt.<br>
<br>
Artwork by Jessica Scott.
<br>
<ul>
<li>See the information on <a href="ftp.html">the FTP page</a> for
a list of mirror machines.
<li>Go to the <code class=reldir>pub/OpenBSD/7.4/</code> directory on
one of the mirror sites.
<li>Have a look at <a href="errata74.html">the 7.4 errata page</a> for a list
of bugs and workarounds.
<li>See a <a href="plus74.html">detailed log of changes</a> between the
7.3 and 7.4 releases.
<p>
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
pubkeys for this release:<p>
<table class=signify>
<tr><td>
openbsd-74-base.pub:
<td>
<a href="https://ftp.openbsd.org/pub/OpenBSD/7.4/openbsd-74-base.pub">
RWRoyQmAD08ajTqgzK3UcWaVlwaJMckH9/CshU8Md5pN1GoIrcBdTF+c</a>
<tr><td>
openbsd-74-fw.pub:
<td>
RWTRA9KXRuZKunpXYK0ed5OxbE0K7rYWpDnTu+M8wZdqzRroFqed0U6I
<tr><td>
openbsd-74-pkg.pub:
<td>
RWR/h7gubZ9M/O46RNy3PzLTPevOCK24LGCPca41IHMwSH4YuVA+jnWO
<tr><td>
openbsd-74-syspatch.pub:
<td>
RWQqty2voy8V8afR9/v2RzuNr7r4y9cKwljABN7Tytd7JcPdBjnXg0Ue
</table>
</ul>
<p>
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via <code>ports.tar.gz</code>.
</table>
<hr>
<section id=new>
<h3>What's New</h3>
<p>
This is a partial list of new features and systems included in OpenBSD 7.4.
For a comprehensive list, see the <a href="plus74.html">changelog</a> leading
to 7.4.
<ul>
<!--
<li>New/extended platforms:
<ul>
<li>...
</ul>
-->
<li>Various kernel improvements:
<ul>
<li>On arm64, show BTI and SBSS features in
<a href="https://man.openbsd.org/dmesg.8">dmesg(8)</a>.
<li>New <a href="https://man.openbsd.org/kqueue1">kqueue1(2)</a>
system call supporting the <code>O_CLOEXEC</code> flag.
<li>Map device tree read/write to unbreak root on
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a>.
<li>Correctly recognize <a href="https://man.openbsd.org/umass.4">umass(4)</a>
floppy disk devices as floppy disks.
<li>In <a href="https://man.openbsd.org/wscons.4">wscons(4)</a>,
catch up with box drawing characters which have
been standardized in Unicode after the original wscons code was
written and chose placeholder values.
<li>In <a href="https://man.openbsd.org/wscons.4">wscons(4)</a>,
make sure we do not increase the escape sequence argument count beyond
usable bounds.
<li>Implement <a href="https://man.openbsd.org/dt.4">dt(4)</a>
<a href="https://man.openbsd.org/utrace.2">utrace(2)</a>
support on amd64 and i386.
<li>Correct undefined behavior when using MS-DOS filesystems, fixes imported from FreeBSD.
<li>Make the <a href="https://man.openbsd.org/fstab.5">softdep</a>
<a href="https://man.openbsd.org/mount.8">mount(8)</a> option a no-op.
Softdep was a significant impediment to improving the vfs layer.
<li>Allow <a href="https://man.openbsd.org/unveil.2">unveil(2)</a>ed
programs to dump <a href="https://man.openbsd.org/core.5">core(5)</a>
into the current working directory.
<li>Address incomplete validation of ELF program headers in <a
href="https://man.openbsd.org/execve.2">execve(2)</a>.
<li>On arm64, use the deep idle state available on Apple M1/M2 cores
in the idle loop and for suspend, resulting in power savings.
<li>Update AMD CPU microcode if a newer patch is available.
<li>Enable a workaround for the 'Zenbleed' AMD CPU bug.
<li>Report speculation control bits in
<a href="https://man.openbsd.org/dmesg.8">dmesg(8)</a> CPU lines.
<li>To give the primary CPU an opportunity to perform clock interrupt
preparation in a machine-independent manner we need to separate the
"initialization" parts of cpu_initclocks() from the "start the clock
interrupt" parts. Separate cpu_initclocks() from cpu_startclock().
<li>Fix a problem where CPU time accounting and RLIMIT_CPU were
unreliable on idle systems.
<li>Improve the output of the "show proc" command of the kernel
debugger <a href="https://man.openbsd.org/ddb.4">ddb(4)</a> and show
both the PID and TID of the proc.
</ul>
<li>SMP Improvements
<ul>
<li>Rewrite <a href="https://man.openbsd.org/pfsync.4">pfsync(4)</a>,
in particular to improve locking and to help with unlocking more
of <a href="https://man.openbsd.org/pf.4">pf(4)</a> and with
parallelisation of the network stack in the future.
The protocol remains compatible with the older version.
<li>Remove kernel locks from the ARP input path.
<li>Pull MP-safe arprequest() out of kernel lock.
<li>Remove the kernel lock from IPv6 neighbor discovery.
<li>Unlock more parts of <a
href="https://man.openbsd.org/ioctl.2">ioctl(2)</a> and the <a
href="https://man.openbsd.org/route.4">routing</a> code in the network
stack.
</ul>
<li>Direct Rendering Manager and graphics drivers
<ul>
<li>Update <a href="https://man.openbsd.org/drm.4">drm(4)</a>
to Linux 6.1.55.
<li>Don't change end marker in sg_set_page(). Caused bad memory accesses
when using page flipping on Alder Lake and Raptor Lake.
</ul>
<li>VMM/VMD improvements
<ul>
<li>Allowed <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> guests to
enable and use supervisor IBT.
<li>Suppressed AMD hardware p-state visibility to
<a href="https://man.openbsd.org/vmm.4">vmm(4)</a> guests.
<li>Avoid use of uninitialised memory in
<a href="https://man.openbsd.org/vmd.8">vmd(8)</a>.
<li>Migrate vmd_vm.vm_ttyname to char array allowing a vmd_vm
object to be transmitted over an ipc channel.
<li>Cleaned up file descriptor closing in
<a href="https://man.openbsd.org/vmd.8">vmd(8)</a> vmm process.
<li>Fixed vm send/receive, restoring device virtqueue addresses on
receive.
<li>Introduced <a href="https://man.openbsd.org/execvp.3">execvp(3)</a>
after fork for child vm processes.
<li>No longer generate an error in
<a href="https://man.openbsd.org/vmd.8">vmd(8)</a> if
<a href="https://man.openbsd.org/vm.conf.5">vm.conf(5)</a> is absent.
<li>Split <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> into MI/MD
parts.
<li>Introduced multi-process model for
<a href="https://man.openbsd.org/vmd.8">vmd(8)</a> virtio block and
network devices.
<li>Allowed vm owners to override boot kernel when using
<a href="https://man.openbsd.org/vmctl.8">vmctl(8)</a> to start a
vm.
<li>Changed staggered start of vms to number of online CPUs.
<li>Fixed a segfault on vm creation.
<li>Switched to anonymous shared memory mappings for
<a href="https://man.openbsd.org/vmd.8">vmd(8)</a> vm processes,
introducing a new <a href="https://man.openbsd.org/vmm.4">vmm(4)</a>
<a href="https://man.openbsd.org/ioctl.2">ioctl(2)</a>.
<li>Relaxed absolute path requirements for
<a href="https://man.openbsd.org/vmd.8">vmd(8)</a> configtest mode (-n).
<li>Adjusted shutdown logic by vm id to function similarly as by name.
<li>Moved validation of local network prefixes for the internal
<a href="https://man.openbsd.org/vmd.8">vmd(8)</a> DHCP service into
the config parser.
<li>Fixed QCOW2 base images when used with the
<a href="https://man.openbsd.org/vmd.8">vmd(8)</a> multi-process device
model.
<li>Fixed setting verbose logging in child processes.
<li>Fixed a race condition related to the emulated i8259 interrupt controller
by ignoring interrupt masks on assert.
<li>Inlined pending interrupts in the
<a href="https://man.openbsd.org/vmm.4">vmm(4)</a>
<a href="https://man.openbsd.org/ioctl.2">ioctl(2)</a> for running the
vcpu, reducing vm latency.
<li>Added zero-copy, vectored io to the
<a href="https://man.openbsd.org/vmd.8">vmd(8)</a> virtio block device.
<li>Changed to logging <a href="https://man.openbsd.org/vmd.8">vmd(8)</a>
vm ids in the vcpu run loop on error and not the ids used by
<a href="https://man.openbsd.org/vmm.4">vmm(4)</a>.
<li>Fixed a vm pause deadlock.
<li>Changed <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> logging format
to disambiguate vm and device process by names and indices.
<li>Fixed dynamically toggling verbose logging mode with
<a href="https://man.openbsd.org/vmctl.8">vmctl(8)</a>.
</ul>
<li>Various new userland features:
<ul>
<li>New ISO C11 header <code>&lt;uchar.h&gt;</code> declaring the
types <code>char32_t</code> and <code>char16_t</code> and the
functions <a href="https://man.openbsd.org/c32rtomb.3">c32rtomb(3)</a>,
<a href="https://man.openbsd.org/mbrtoc32.3">mbrtoc32(3)</a>,
<a href="https://man.openbsd.org/c16rtomb.3">c16rtomb(3)</a>, and
<a href="https://man.openbsd.org/mbrtoc16.3">mbrtoc16(3)</a>.
<li>Introduce a new <a href="https://man.openbsd.org/malloc.3">malloc(3)</a>
option <a href="https://man.openbsd.org/malloc.3#D">D</a>
for memory leak detection with
<a href="https://man.openbsd.org/ktrace.1">ktrace(1)</a> and
<a href="https://man.openbsd.org/kdump.1">kdump(1)</a>.
<li>Support <code>${.VARIABLES}</code> in
<a href="https://man.openbsd.org/make.1">make(1)</a>,
listing the names of all global variables that have been set.
<li>New <a href="https://man.openbsd.org/kdump.1">kdump(1)</a>
<code>-u</code> option to select
<a href="https://man.openbsd.org/utrace.2">utrace(2)</a>
tracepoints by label.
<li>In <a href="https://man.openbsd.org/openrsync.1">openrsync(1)</a>,
support the options <code>--size-only</code> and
<code>--ignore-times</code>.
<li>Update <a href="https://man.openbsd.org/tzset.3">zoneinfo</a>
to tzdata2023c.
<li>Accept the <a href="https://man.openbsd.org/ucom.4">ucom(4)</a> fixed
name format as a valid format for the
<a href="https://man.openbsd.org/cu.1">cu(1)</a> -l option.
<li>In <a href="https://man.openbsd.org/cron.8">cron(8)</a> and
<a href="https://man.openbsd.org/crontab.5">crontab(5)</a>,
add support for random offsets when
using ranges with a step value in cron. This extends the random range
syntax to support step values. Instead of choosing a random number
between the high and low values, the field is treated as a range with
a random offset less than the step value. This can be used to avoid
thundering herd problems where multiple machines contact a server all
at the same time via cron jobs.
<li>Extend and improve the
<a href="https://man.openbsd.org/ibuf_add.3">ibuf</a> API in libutil
and add functions for more specific data types,
for modifying data at specific
offsets, for getting and setting the file descriptor stored on the ibuf
and for efficient wrapping of ibufs into imsgs. The ibuf API is
mostly used in network daemons.
<li>In <a href="https://man.openbsd.org/wsconsctl.8">wsconsctl(8)</a>,
add button mappings for two- and three-finger clicks on clickpads.
</ul>
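<p>
The cron(8) random-offset item above, modelled as an added example (not code from OpenBSD's cron). The function names, the seeded simulation and the rejection of a step wider than the range are assumptions of this sketch; it covers the minute field only.

```python
import random
from collections import Counter

# Legal value range of the crontab minute field.
MINUTE_LOW, MINUTE_HIGH = 0, 59


def expand_random_step(field, rng, low_limit=MINUTE_LOW, high_limit=MINUTE_HIGH):
    """Model a 'low~high/step' field: the range is walked in `step`
    increments, starting at a random offset smaller than the step."""
    range_part, sep, step_part = field.partition("/")
    if not sep or "~" not in range_part:
        raise ValueError("expected low~high/step, got %r" % field)
    low_s, _, high_s = range_part.partition("~")
    # Either bound may be left out; the field's own limit is used instead.
    low = int(low_s) if low_s else low_limit
    high = int(high_s) if high_s else high_limit
    step = int(step_part)
    if not (low_limit <= low <= high <= high_limit):
        raise ValueError("range %d~%d outside field limits" % (low, high))
    # Assumption of this model: a step wider than the range is rejected,
    # so the offset can never push the first value past `high`.
    if not (1 <= step <= high - low + 1):
        raise ValueError("step %d does not fit the range" % step)
    offset = rng.randrange(step)  # 0 <= offset < step
    return list(range(low + offset, high + 1, step))


def expand_fixed_step(low, high, step):
    """Classic 'low-high/step' expansion: every host gets the same minutes."""
    return list(range(low, high + 1, step))


def fleet_load(schedules):
    """Count how many hosts fire in each minute of the hour."""
    load = Counter()
    for minutes in schedules:
        load.update(minutes)
    return load


def peak(load):
    """Largest number of hosts hitting the server in the same minute."""
    return max(load.values())


def simulate(hosts=200, seed=74):
    """Compare a fleet on '0-59/10' with the same fleet on '~/10'.

    The seeded PRNG only makes this constructed run repeatable; it says
    nothing about how cron itself draws its random offset.
    """
    rng = random.Random(seed)
    fixed = fleet_load(expand_fixed_step(0, 59, 10) for _ in range(hosts))
    spread = fleet_load(expand_random_step("~/10", rng) for _ in range(hosts))
    return fixed, spread


if __name__ == "__main__":
    fixed, spread = simulate()
    print("fixed  0-59/10: peak hosts per minute =", peak(fixed))
    print("random ~/10   : peak hosts per minute =", peak(spread))
    print("one host's minutes:", expand_random_step("~/10", random.Random(1)))
```

Each host still runs the job once per step; only the phase differs, so the total number of runs per hour is unchanged while the per-minute peak on the server drops.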
<li>Various bugfixes and tweaks in userland:
<ul>
<li>In <a href="https://man.openbsd.org/pax.1">pax(1)</a> and
<a href="https://man.openbsd.org/tar.1">tar(1)</a>,
do not open files that will be skipped,
speeding up archive creation when many files are skipped.
<li>In <a href="https://man.openbsd.org/pax.1">pax(1)</a>,
<a href="https://man.openbsd.org/tar.1">tar(1)</a>, and
<a href="https://man.openbsd.org/cpio.1">cpio(1)</a> terminal
output, escape non-printable characters in messages that may
include file names, and truncate times to the correct maximum value.
<li>Better diagnostics from
<a href="https://man.openbsd.org/make.1">make(1)</a>
when a makefile exists but cannot be opened.
<li>Prevent a buffer underflow in
<a href="https://man.openbsd.org/patch.1">patch(1)</a>
that could occur with lines longer than 32kB.
<li>Prevent a segmentation fault in
<a href="https://man.openbsd.org/patch.1">patch(1)</a>
that occurred when a patch specified a file name so long that
<a href="https://man.openbsd.org/basename.3">basename(3)</a> failed.
<li>Prevent a read buffer overrun in
<a href="https://man.openbsd.org/patch.1">patch(1)</a>
that could occur when a patch specified a file name ending in a slash.
<li>Let <a href="https://man.openbsd.org/stat.1">stat(1)</a>
correctly print mtimes after 2038.
<li>Refactoring and documenting of
<a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> code,
to make it easier to maintain.
<li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
no longer adds extra blanks at the end of lines, eliminating
spurious line wrapping.
<li>In <a href="https://man.openbsd.org/clang.1">clang(1)</a>,
allow out-of-class defaulting of comparison operators,
by way of backporting an upstream commit.
<li>Many changes in <a href="https://man.openbsd.org/mg.1">mg(1)</a>:
<ul>
<li>New command
<a href="https://man.openbsd.org/mg.1#set-tab-width">set-tab-width</a>
to change the tabulator width on a per-buffer basis.
<li>Let the <a href="https://man.openbsd.org/mg.1#space-to-tabstop"
>space-to-tabstop</a> command move to the right
position even if the line contains tabs, control characters,
or non-ASCII bytes.
<li>Fall back to <code>/bin/sh</code> if <code>$SHELL</code> is undefined.
<li>Fix parsing of <a href="https://man.openbsd.org/mg.1#TAGS">tag
files</a> with duplicate entries.
Instead of erroring out, ignore duplicates. Fixes using
<code>/var/db/libc.tags</code> again.
<li>Change the <a href="https://man.openbsd.org/mg.1#visit-tags-table"
>visit-tags-table</a> command to immediately
load the tag file, and drop the lazy mechanics.
<li>Do not leak memory in
<a href="https://man.openbsd.org/mg.1#pop-tag-mark">pop-tag-mark</a>
if it fails to switch buffers.
<li>Fix a read buffer overrun caused by
<a href="https://man.openbsd.org/mg.1#u">-u</a> arguments
longer than 1023 bytes.
<li>Fix a write buffer overrun on the stack caused by
<a href="https://man.openbsd.org/mg.1#blink-and-insert"
>blink-and-insert</a> matching a very long line
that is not currently visible in the window.
<li>Skip checking permissions of conffile with
<a href="https://man.openbsd.org/access.2">access(2)</a>.
<li>Resurrect
<a href="https://man.openbsd.org/mg.1#no-tab-mode">no-tab-mode</a>
and add it to the list of modes that can
be set with
<a href="https://man.openbsd.org/mg.1#set-default-mode"
>set-default-mode</a>.
</ul>
<li>Fix a segfault when the
<a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
simple editor encounters an incomplete partition line.
<li>Fix <a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
handling of templates with partitions after a "N-* 100" entry.
<li>Enable <a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
regress tests to work on sparc64.
<li>Fix <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
initialization of CHS/LBA fields in an MBR, allowing machines with
a BIOS that uses CHS to boot from disks &gt;8G.
<li>Retire <a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
-E expert mode.
<li>When displaying GPT partition attributes
<a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> prefixes
Microsoft partition attribute names with 'MS'.
<li>In the absence of the 'disktype' command line parameter
<a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
always uses the current media type provided by the kernel.
<li>Ensure <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> handles
the case where a GPT partition name is not a valid C string.
<li>When creating new crypto volumes with
<a href="https://man.openbsd.org/bioctl.8">bioctl(8)</a>,
by default use a hardware based number of KDF rounds for passphrases.
<li>Let <a href="https://man.openbsd.org/bioctl.8">bioctl(8)</a>
gracefully prompt again during interactive creation and
passphrase change on CRYPTO and 1C volumes.
<li>Let <a href="https://man.openbsd.org/bioctl.8">bioctl(8)</a>
read passphrases without prompts or confirmation
in <code>-s</code> mode, allowing non-interactive use.
<li>Allow the <a href="https://man.openbsd.org/atactl.8">atactl(8)</a>
command <a href="https://man.openbsd.org/atactl.8#readattr">readattr</a>
to succeed even for disks where <code>ATA_SMART_READ</code> and
<code>ATA_SMART_THRESHOLD</code> revisions mismatch, as long as
checksums are OK.
<li>In <a href="https://man.openbsd.org/ld.so.1">ld.so(1)</a>, treat
symlinks in $ORIGIN determination the same way as other OS linkers do.
<li>In <a href="https://man.openbsd.org/ld.so.1">ld.so(1)</a>,
avoid an overflow in the ELF SYSV ABI hash function.
<li>Make sure <a href="https://man.openbsd.org/modf.3">modf(3)</a> and
<a href="https://man.openbsd.org/modff.3">modff(3)</a>
return correct values for infinities.
<li>Do not fail in
<a href="https://man.openbsd.org/ober_scanf_elements.3"
>ober_scanf_elements(3)</a> when encountering empty sequences.
<li>Remove broken special handling of <code>test -t</code> in
<a href="https://man.openbsd.org/ksh.1">ksh(1)</a>.
<li>The caching mechanism used by
<a href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a>
to speed up <code>pkg_add -u</code> now also works if -stable packages
are available.
<li>Significantly increase the speed of <a
href="https://man.openbsd.org/pkg-config.1">pkg-config(1)</a>.
<li>In <a href="https://man.openbsd.org/seq.1">seq(1)</a>,
fix a check for rounding error and truncation.
<li>In <a href="https://man.openbsd.org/cron.8">cron(8)</a>,
introduce upstream fixes in the handling of @yearly, @monthly,
@weekly, @daily and @hourly entries.
<li>Fix a bug in <a
href="https://man.openbsd.org/cron.8">cron(8)</a> where whitespace
after usernames would not be completely skipped while parsing the
<a href="https://man.openbsd.org/crontab.5">crontab(5)</a> file.
<li>Make <a href="https://man.openbsd.org/rcctl.8">rcctl(8)</a>
check if a daemon exists before trying to disable it, thereby avoiding
parsing and printing of bogus characters.
<li>Print to the console the fingerprint of a newly generated <a
href="https://man.openbsd.org/ssh.1">ssh(1)</a> host key of the
preferred type (currently ED25519), typically when booting for the
first time. This simplifies a secure first ssh connection to a
freshly installed machine.
</ul>
<li>Improved hardware support and driver bugfixes, including:
<ul>
<!-- new drivers -->
<li>Add <a href="https://man.openbsd.org/rkiovd.4">rkiovd(4)</a>,
a driver for the I/O voltage domains on Rockchip SoCs.
<li>Add support for TEMPerGold 3.4 temperature sensor to
<a href="https://man.openbsd.org/ugold.4">ugold(4)</a>.
<li>Add <a href="https://man.openbsd.org/qcrng.4">qcrng(4)</a>,
a driver for the Qualcomm RNG device found on the ThinkPad X13s.
<li>Add <a href="https://man.openbsd.org/rkusbphy.4">rkusbphy(4)</a>,
a driver for the usb2phy on Rockchip SoCs.
<li>Support AP806/CP110 SoCs in
<a href="https://man.openbsd.org/mvtemp.4">mvtemp(4)</a>.
<li>Add <a href="https://man.openbsd.org/dwmshc.4">dwmshc(4)</a>
to support Designware Mobile Storage Host Controllers
found on rk356x and rk3588 SoCs.
<li>Add <a href="https://man.openbsd.org/iosf.4">iosf(4)</a>,
a driver for the Intel OnChip System Fabric.
<li>Add support for the RTL8153D chipset in
<a href="https://man.openbsd.org/ure.4">ure(4)</a>.
<li>Add support for the Peripheral Authentication Service SMC
interface in <a href="https://man.openbsd.org/qcscm.4">qcscm(4)</a>.
<li>Add <a href="https://man.openbsd.org/qcmtx.4">qcmtx(4)</a>,
a driver for the hardware spinlock on Qualcomm
SoCs that is used to synchronize access to the shared memory table.
<li>Add <a href="https://man.openbsd.org/qcsmptp.4">qcsmptp(4)</a>,
a driver to share 32-bit values between (co-)processors.
<li>Add <a href="https://man.openbsd.org/qcaoss.4">qcaoss(4)</a>,
a driver for the Always On Subsystem found on Qualcomm SoCs.
<li>Add <a href="https://man.openbsd.org/qcpas.4">qcpas(4)</a>,
a driver for the Peripheral Authentication Service
found on Qualcomm SoCs. Enable AC detection.
<li>Add <a href="https://man.openbsd.org/qctsens.4">qctsens(4)</a>,
a driver for the Temperature Sensor found on Qualcomm SoCs.
<li>Add driver <a href="https://man.openbsd.org/qccpu.4">qccpu(4)</a>
for QC CPU Power States.
<li>Add <a href="https://man.openbsd.org/qcsdam.4">qcsdam(4)</a>,
a driver for the PMIC Shared Direct Access Memory found on
Qualcomm SoCs.
<li>Add <a href="https://man.openbsd.org/stfrng.4">stfrng(4)</a>, a
driver for the random number generator on the StarFive JH7110 SoC.
<li>Add support for the PCIe controller on the JH7110 SoC with <a
href="https://man.openbsd.org/stfpciephy.4">stfpciephy(4)</a>.
<!-- other -->
<li>New <a href="https://man.openbsd.org/sysctl.2">sysctl(2)</a>
nodes for battery management, <code>hw.battery.charge*</code>.
Support them with
<a href="https://man.openbsd.org/acpithinkpad.4">acpithinkpad(4)</a>
and <a href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a>.
<li>Define fixed names for
<a href="https://man.openbsd.org/ucom.4">ucom(4)</a> USB serial
ports, display them in attach messages and via the new
<code>hw.ucomnames</code>
<a href="https://man.openbsd.org/sysctl.2#HW_UCOMNAMES~2">sysctl(2)</a>.
<li>Add support for the RK3568 32k RTC, RK3588, and other clocks in
<a href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>.
<li>In <a href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a>,
attach Baikal-M PCIe.
<li>In openfirmware, implement regulator notifiers which get called
when the voltage/current for a regulator is changed or when the
regulator gets initialized when it attaches for the first time. The
latter makes it possible to register a notifier for a regulator that
hasn't attached yet.
<li>Ignore duplicate ACPI lid transitions as they can happen on Dell
Precision 5510 systems.
<li>Make RK3568 PCIe controllers run at the maximum possible speed
by using dwpcie_link_config() when initializing.
<li>In the Universal Flash Storage Host Controller Interface
(<a href="https://man.openbsd.org/ufshci.4">ufshci(4)</a>),
enable Force Unit Access (FUA) for write commands.
<li>Make SATA (<a href="https://man.openbsd.org/ahci.4">ahci(4)</a>)
work on a Banana Pi BPI-R2 Pro.
<li>In <a href="https://man.openbsd.org/umcs.4">umcs(4)</a>, set
parity bits correctly.
<li>Enable the caps lock LED on modern Apple laptop keyboards.
<li>Add support for Rockchip "cryptov2-rng" random number generator in
<a href="https://man.openbsd.org/rkrng.4">rkrng(4)</a>.
<li>Fix cpuperf on the Apple M2 Pro/Max.
<li>Add support for the PCIe controller found on Apple M2 Pro/Max SoCs.
<li>Add support for enabling both the USB2 and USB3 PHYs in
<a href="https://man.openbsd.org/xhci.4">xhci(4)</a> with device tree.
<li>In the SCSI tape driver
<a href="https://man.openbsd.org/st.4">st(4)</a>, add support
for I/O statistics so that tape speeds can be observed with
<a href="https://man.openbsd.org/iostat.8">iostat(8)</a>.
<li>Fix use of MMC/SD/SDIO on RK3588 ARM SoC in
<a href="https://man.openbsd.org/dwmmc.4">dwmmc(4)</a>.
<li>Support thermal sensors on Ryzen 9 79xx in
<a href="https://man.openbsd.org/ksmn.4">ksmn(4)</a>.
<li>Add support for JH7110 to
<a href="https://man.openbsd.org/dwmmc.4">dwmmc(4)</a>,
making eMMC and microSD mostly work on the Starfive VisionFive 2.
<li>Add support for the RK3588 PCIe3 PHY to
<a href="https://man.openbsd.org/rkpciephy.4">rkpciephy(4)</a>.
The PHY controls 4 lanes that can be routed to 4 of 5 PCIe controllers.
<li>Add mute control to
<a href="https://man.openbsd.org/sncodec.4">sncodec(4)</a>.
This makes the mute button work on laptops using this driver.
<li>Add mute control to <a
href="https://man.openbsd.org/tascodec.4">tascodec(4)</a>. This makes
the mute button on laptops that use tascodec(4) work.
<li>Improve the suspend/resume behavior of several drivers, reducing
power consumption during suspend.
<li>Add support for the Synopsys DesignWare I2C controller
(<a href="https://man.openbsd.org/dwiic.4">dwiic(4)</a>) and the
X-Powers AXP Power Management IC
(<a href="https://man.openbsd.org/axppmic.4">axppmic(4)</a>).
<li>Enable the <a href="https://man.openbsd.org/mbg.4">mbg(4)</a>
timedelta sensor on amd64 and match the Meinberg PZF180PEX.
</ul>
<li>New or improved network hardware support:
<ul>
<li>Fix <a href="https://man.openbsd.org/dwqe.4">dwqe(4)</a>
on several boards that use
<a href="https://man.openbsd.org/rgephy.4">rgephy(4)</a> by configuring
the RGMII interface before taking the PHY out of reset.
<li>Improve <a href="https://man.openbsd.org/dwqe.4">dwqe(4)</a> and
determine PHY mode and pass the appropriate flags down to the PHY when
attaching.
<li>Report in <a href="https://man.openbsd.org/dmesg.8">dmesg(8)</a> on
which gmac the <a href="https://man.openbsd.org/dwqe.4">dwqe(4)</a>
driver is attaching to.
<li>Document that Intel i226 adapters are supported by
<a href="https://man.openbsd.org/igc.4">igc(4)</a>.
<li>Add <a href="https://man.openbsd.org/ngbe.4">ngbe(4)</a>,
a driver for WangXun WX1860 PCI Express 10/100/1Gb Ethernet devices.
Also support it on amd64 install media.
<li>Add support for the RTL8211F-VD PHY in
<a href="https://man.openbsd.org/rgephy.4">rgephy(4)</a>.
<li>In openfirmware, add glue for network interfaces to be found by
fdt/ofw node or phandle in order to support "switch chips" like the
Marvell Link Street.
<li>Add support for RTL8153D devices to
<a href="https://man.openbsd.org/ure.4">ure(4)</a>.
<li>Provide byte and packet counter statistics in some
<a href="https://man.openbsd.org/dwge.4">dwge(4)</a> implementations.
<li>On <a href="https://man.openbsd.org/bge.4">bge(4)</a>, make hardware
counters available via kstats for BCM5705 and newer controller chips.
<li>Make several improvements to <a
href="https://man.openbsd.org/vmx.4">vmx(4)</a>, the VMware VMXNET3
Virtual Interface Controller.
<li>In <a href="https://man.openbsd.org/em.4">em(4)</a>, stop
putting multicast addresses into the Receive Address Registers.
Instead hash them all into the Multicast Table Array.
<li>Support Mellanox ConnectX-6 Lx in <a
href="https://man.openbsd.org/mcx.4">mcx(4)</a>.
<li>In <a href="https://man.openbsd.org/mcx.4">mcx(4)</a>, add 100GB
LR4 Ethernet capability and map it to IFM_100G_LR4.
<li>Add initial support for Atlantic 2 hardware in
<a href="https://man.openbsd.org/aq.4">aq(4)</a>.
</ul>
<li>Added or improved wireless network drivers:
<ul>
<li>Improve how Quectel LTE&amp;5G devices attach to
<a href="https://man.openbsd.org/umb.4">umb(4)</a>.
</ul>
<li>IEEE 802.11 wireless stack improvements and bugfixes:
<ul>
<li>Add support for RTL8188FTV devices to the
<a href="https://man.openbsd.org/urtwn.4">urtwn(4)</a> driver.
<li>Attach Intel wireless devices with PCI product ID 0x51f1 to
<a href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
<li>Fix a bug where <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and
<a href="https://man.openbsd.org/iwx.4">iwx(4)</a> background
scan tasks were added to the wrong task queue.
<li>Fix a firmware error that occurred when an
<a href="https://man.openbsd.org/iwx.4">iwx(4)</a> interface
was brought down.
<li>Fix <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> firmware errors
triggered during background scans.
<li>Fix a crash in the <a href="https://man.openbsd.org/iwm.4">iwm(4)</a>
driver when userland attempts to inject frames via bpf in monitor mode.
</ul>
<li>Installer, upgrade and bootloader improvements:
<ul>
<li>In the arm64 ramdisk, simplify Apple firmware copying to make it
easier to add new firmware.
<li>On armv7 and arm64, silence informational messages from
<a href="https://man.openbsd.org/dd.1">dd(1)</a>
when zeroing a disk's first 1MB. Use character not block devices with
dd(1) like on other architectures.
<li>Refactor the code of md_installboot() on armv7 and arm64 to be
more in line with other architectures.
<li>Improve the dialogue of the installer without affecting
<a href="https://man.openbsd.org/autoinstall.8">autoinstall(8)</a>
files.
<li>Enable <a href="https://man.openbsd.org/ufshci.4">ufshci(4)</a>
on arm64 install media.
<li>On arm64 pine64 boards, stop writing pine64 firmware to disk.
<li>When media has neither a GPT nor an MBR, have
<a href="https://man.openbsd.org/installboot.8">installboot(8)</a>
assume that OpenBSD occupies the entire disk starting at sector 0.
<li>Attempt to not overflow the ramdisk when extracting firmware on
Apple arm64 systems.
<li>Add support for loading files from the EFI System Partition.
<li>Fix a bug in the handling of SCSI drives in the bootloader on the luna88k architecture.
<li>On luna88k, implement the chmod() signaling mechanism for
<code>/bsd.upgrade</code> to prevent re-upgrade, like other
architectures.
<li>Support for <a
href="https://man.openbsd.org/softraid.4">softraid(4)</a> disks in the
installer was improved:
<ul>
<li>Make root on
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a>
installations boot out of the box on Raspberry Pis (arm64).
<li>Support installations with root on
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a>
on arm64, tested on Pinebook Pro, Raspberry Pi 4b, and SolidRun CEX7.
<li>On riscv64, enable softraid(4) in the ramdisk kernel and support
installations with root on
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a>.
<li>When installing on encrypted
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a>, determine
the disk for placing the root device automatically and make it default
as it is the only legit choice.
<li>Add arm64 to the list of architectures with support for guided disk
encryption.
<li>Retain existing EFI System partitions on systems with APFSISC
partitions (arm64 Apple M1/M2) during installation with root on
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a>.
<li>Enable <a
href="https://man.openbsd.org/softraid.4">softraid(4)</a> in ramdisk
on the powerpc64 architecture.
</ul>
</ul>
<li>Security improvements:
<ul>
<li>Enable indirect branch tracking (IBT) on amd64 and branch target
identification (BTI) on arm64 in both the kernel and in userland.
On hardware that supports this feature, it helps enforce
control flow integrity by making sure malicious code
cannot jump into the middle of a function.
<li>On the arm64 architecture, enable pointer authentication (PAC)
in userland on those machines where it works correctly.
It helps enforce control flow integrity by making sure
malicious code cannot manipulate a function's return address.
<li>Together with retguard these two features protect against ROP attacks.
Compiler defaults for base clang, ports clang and ports gcc (as well
as some other non-C language family compilers in ports) have been
changed to enable these features by default. As a result the vast
majority of programs on OpenBSD (and all programs in the base system)
run with these security features enabled.
<li>Change <a href="https://man.openbsd.org/malloc.3">malloc(3)</a>
chunk sizes to be fine grained: chunk sizes are closer to the
requested allocation size.
<li>In <a href="https://man.openbsd.org/malloc.3">malloc(3)</a>,
check all chunks in the delayed free list for write-after-free.
<li>The <a href="https://man.openbsd.org/shutdown.8">shutdown(8)</a>
program can now only be executed by members of the new
<code>_shutdown</code> group. The idea is that system
administrators can now remove most users from the excessively
powerful <code>operator</code> group, which in particular
provides read access to disk device nodes.
<li>Using <a href="https://man.openbsd.org/unveil.2">unveil(2)</a>,
restrict <a href="https://man.openbsd.org/patch.1">patch(1)</a>
filesystem access to the current directory including subdirectories,
TMPDIR, and file names given on the command line.
<li>In <a href="https://man.openbsd.org/ksh.1">ksh(1)</a>, consistently
escape control characters when displaying file name completions,
even when there are multiple matches.
</ul>
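<p>The malloc(3) item above (checking every chunk in the delayed free list for write-after-free) can be illustrated with a small model. This is an added example, not OpenBSD's malloc code: the slot count, the junk byte, and all function names are assumptions, and where a hardened allocator would abort, the model returns the index of the corrupted slot.</p>

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Simplified model, not OpenBSD's malloc; names and constants are assumed. */
#define DELAYED_SLOTS 8     /* capacity of the delayed free list */
#define FREE_JUNK     0xdf  /* fill pattern written into freed chunks */

static struct chunk { unsigned char *p; size_t len; } delayed[DELAYED_SLOTS];
static unsigned int next_slot;  /* round-robin here; real allocators randomize */

/* 1 if the parked chunk still holds only the junk pattern. */
int chunk_intact(const struct chunk *c) {
	for (size_t i = 0; i < c->len; i++)
		if (c->p[i] != FREE_JUNK)
			return 0;
	return 1;
}

/* Narrow check: validate only the chunk that is about to leave the list. */
int check_evicted_only(unsigned int slot) {
	return delayed[slot].p == NULL || chunk_intact(&delayed[slot]);
}

/* Wide check: validate every parked chunk; index of first bad slot or -1. */
int check_all_delayed(void) {
	for (int i = 0; i < DELAYED_SLOTS; i++)
		if (delayed[i].p != NULL && !chunk_intact(&delayed[i]))
			return i;
	return -1;
}

/* Park a chunk instead of releasing it; returns the wide check's result. */
int toy_free(void *ptr, size_t len) {
	unsigned int slot = next_slot++ % DELAYED_SLOTS;
	int bad = check_all_delayed();  /* scan before anything is evicted */
	free(delayed[slot].p);          /* really release the previous occupant */
	memset(ptr, FREE_JUNK, len);
	delayed[slot] = (struct chunk){ ptr, len };
	return bad;
}

/* Release everything still parked and reset the model. */
void toy_drain(void) {
	for (int i = 0; i < DELAYED_SLOTS; i++)
		free(delayed[i].p);
	memset(delayed, 0, sizeof(delayed));
	next_slot = 0;
}

/* Constructed scenario: one write through a dangling pointer. */
int demo(int *narrow_check_fired) {
	unsigned char *a = malloc(32), *b = malloc(32);
	if (a == NULL || b == NULL) return -2;
	toy_free(a, 32);                /* a is parked in slot 0 */
	a[5] = 'X';                     /* write-after-free; memory is still parked */
	*narrow_check_fired = !check_evicted_only(next_slot % DELAYED_SLOTS);
	return toy_free(b, 32);         /* wide scan reports slot 0 */
}

int main(void) {
	int narrow = 0, bad = demo(&narrow);
	printf("narrow check fired: %d, wide check flagged slot: %d\n", narrow, bad);
	toy_drain();
	return 0;
}
```

<p>In the constructed scenario the narrow check stays silent because the corrupted chunk is not the next one to be evicted, while the wide scan flags it on the very next free.</p>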
<li>Changes in the network stack:
<ul>
<li>Sync the use of
<a href="https://man.openbsd.org/getuptime.9">getuptime(9)</a>
in the Neighbour Discovery (ND) code with ARP.
<li>In the IPv6 forwarding code, call
<a href="https://man.openbsd.org/getuptime.9">getuptime(9)</a>
once for consistency with IPv4.
<li>ARP has a queue of packets that should be sent after name
resolution. Neighbor discovery (ND6) previously held only a single packet.
Unified the code, added a queue to ND6 and made the code MP safe.
<li>Implement a new <a href="https://man.openbsd.org/sysctl.2">sysctl(2)</a>
<code>net.inet6.icmp6.nd6_queued</code> to show the number of packets
waiting for an ND6 response, analogous to ARP.
<li>When configuring a new IPv6 address on an interface, an upstream router
doesn't know where to send traffic. Send an unsolicited
neighbor advertisement, as described in RFC9131, to the all-routers
multicast address so all routers on the same link will learn the path
back to the address.
<li>Implement the inbound portion of RFC9131. Let routers create new
neighbor cache entries when receiving valid neighbor advertisements.
<li>Initial support for TCP segmentation offload (TSO) and TCP large receive offload (LRO) was implemented:
<ul>
<li>If the driver of a network interface supports TSO,
do not chop the packet in the network stack,
but pass it down to the interface layer for TSO.
<li>Provide a software TSO implementation, to be used as a fallback
if network hardware does not support TSO.
<li>Provide a new <a href="https://man.openbsd.org/sysctl.2">sysctl(2)</a>
node <a href="https://man.openbsd.org/sysctl.2#tcp.tso"
>net.inet.tcp.tso</a> such that TSO can be globally disabled.
By default, it is enabled on all interfaces supporting it.
<li>In <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>,
display separate
<a href="https://man.openbsd.org/ifconfig.8#hwfeatures">hwfeatures</a>
for TSOv4, TSOv6, and LRO and provide a
<a href="https://man.openbsd.org/ifconfig.8#tcplro">-tcplro</a>
parameter to disable LRO on a per-interface basis.
<li>Enable TSO and forwarding of LRO packets via TSO in
<a href="https://man.openbsd.org/ix.4">ix(4)</a>.
<li>In <a href="https://man.openbsd.org/ix.4">ix(4)</a>, allocate
less memory for tx buffers.
<li>Speed up TCP transfer on
<a href="https://man.openbsd.org/lo.4">lo(4)</a>
interfaces by using TSO and LRO.
<li>Enable LRO by default in network
drivers. LRO allows receiving aggregated packets larger than the MTU.
Receiving TCP streams becomes much faster. Currently only <a
href="https://man.openbsd.org/ix.4">ix(4)</a> and <a
href="https://man.openbsd.org/lo.4">lo(4)</a> devices support LRO, and
ix(4) is limited to IPv4 and hardware newer than the old 82598 model.
</ul>
<li>The following changes were made to the <a
href="https://man.openbsd.org/pf.4">pf(4)</a> firewall:
<ul>
<li>Speed up the
<a href="https://man.openbsd.org/ioctl.2">ioctl(2)</a> request
<a href="https://man.openbsd.org/pf.4#DIOCGETRULE">DIOCGETRULE</a>
such that <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a>
can retrieve all <a href="https://man.openbsd.org/pf.4">pf(4)</a>
rules from the kernel in linear rather than in quadratic time.
To protect the kernel from memory exhaustion,
userland processes now have to release tickets obtained with
<a href="https://man.openbsd.org/pf.4#DIOCGETRULES">DIOCGETRULES</a>
by issuing the new
<a href="https://man.openbsd.org/ioctl.2">ioctl(2)</a> request
<a href="https://man.openbsd.org/pf.4#DIOCXEND">DIOCXEND</a>.
In particular, <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a>
and <a href="https://man.openbsd.org/systat.1">systat(1)</a>
now do that.
<li>Relax the implementation of the <code>pass all</code> rule so all
forms of neighbor advertisements are allowed in either direction.
<li>When redirecting locally generated IP packets to userland with
<a href="https://man.openbsd.org/pf.conf.5#divert-packet"
>divert-packet</a> rules, the packets may have no checksum
due to hardware offloading. Calculate the checksum in that case.
<li>Fix a bug where
<a href="https://man.openbsd.org/pf.conf.5#nat-to">nat-to</a>
could fail to insert a state
due to conflict on chosen source port number.
<li>No longer ignore <code>keep state</code> and <code>nat-to</code>
actions for unsolicited ICMP error responses.
Tighten the rule matching logic so ICMP error responses
no longer match <code>keep state</code> rules.
In typical scenarios, ICMP errors (if solicited) should match
existing state. The change is going to bite firewalls which deal
with asymmetric routes. In those cases the <code>keep state</code>
action should be relaxed to sloppy, or a new <code>no state</code>
rule that explicitly matches ICMP errors should be added.
</ul>
<li>Do not calculate IP, TCP, and UDP checksums on
<a href="https://man.openbsd.org/lo.4">lo(4)</a> interfaces.
<li>Convert the tcp_now() time counter to 64 bits to avoid 32-bit
wraparound after changing tcp_now() ticks to milliseconds.
<li>Add initial support for route-based IPsec VPNs.<br>
Rather than use IPsec flows (aka, entries in the IPsec security
policy database) to decide which traffic should be encapsulated in
IPsec and sent to a peer, this changes security associations (SAs)
so they can also refer to a tunnel interface. When traffic is routed
over that tunnel interface, an IPsec SA is looked up and used to
encapsulate traffic before being sent to the peer on the SA. When
traffic is received from a peer using an interface SA, the specified
interface is looked up and the packet is handed to it so it looks
like packets come out of the tunnel.
<li>Add <a href="https://man.openbsd.org/sec.4">sec(4)</a> to support
route-based IPsec VPNs.
<li>Introduce reference counting for TCP syn cache entries.
<li>Have <a href="https://man.openbsd.org/wg.4">wg(4)</a> copy the
priority from the inner packet to the outer encrypted packet, so that
higher priority packets are picked from hfsc queues for earlier
transmission.
</ul>
<li>Routing daemons and other userland network improvements:
<ul>
<li>IPsec support was improved:
<ul>
<li>In <a href="https://man.openbsd.org/iked.8">iked(8)</a>,
support route-based
<a href="https://man.openbsd.org/sec.4">sec(4)</a> tunnels.
<li>In <a href="https://man.openbsd.org/iked.8">iked(8)</a>,
add support to verify X.509 chain from CERT payloads.
<li>In <a href="https://man.openbsd.org/iked.8">iked(8)</a>,
do not leak memory when receiving a CERT payload for pubkey auth
or for an invalid CERT Encoding.
<li>In <a href="https://man.openbsd.org/iked.8">iked(8)</a>,
do not leak a file descriptor if
<a href="https://man.openbsd.org/open_memstream.3"
>open_memstream(3)</a> fails while trying to enable a child SA.
<li>While trying to verify an ECDSA signature in
<a href="https://man.openbsd.org/iked.8">iked(8)</a>,
correctly detect failure of DER encoding with
<a href="https://man.openbsd.org/i2d_ECDSA_SIG.3"
>i2d_ECDSA_SIG(3)</a>.
<li>In <a href="https://man.openbsd.org/ipsecctl.8">ipsecctl(8)</a>,
support route-based IPsec VPN negotiation with
<a href="https://man.openbsd.org/sec.4">sec(4)</a>.
<li>In <a href="https://man.openbsd.org/isakmpd.8">isakmpd(8)</a>,
support configuring interface SAs for route-based IPsec VPNs.
<li>In <a href="https://man.openbsd.org/isakmpd.8">isakmpd(8)</a>
quick mode, do not crash with a <code>NULL</code> pointer
access when a group description is specified but it is invalid,
unsupported, or memory allocation or key generation fails.
<li>In <a href="https://man.openbsd.org/isakmpd.8">isakmpd(8)</a>,
avoid a double free in the unlikely event that
<a href="https://man.openbsd.org/EC_KEY_check_key.3"
>EC_KEY_check_key(3)</a> fails right after generating
a new key pair.
<li>Allow building
<a href="https://man.openbsd.org/isakmpd.8">isakmpd(8)</a>
with a libcrypto library that has
<a href="https://man.openbsd.org/OpenBSD-7.3/EC_GROUP_new.3"
>binary field support</a> ("GF2m") removed.
</ul>
<li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>,
<ul>
<li>Add first version of flowspec support. Right now only announcement
of flowspec rules is possible.
<li>Update ASPA support to follow draft-ietf-sidrops-aspa-verification-16
and draft-ietf-sidrops-aspa-profile-16 by making the ASPA lookup
tables AFI-agnostic.
<li>Rework UPDATE message generation to use the new ibuf API instead
of the previous hand-rolled solution.
<li>Fix <code>ext-community * *</code> matching which also affects
filters removing all ext-communities.
<li>Improve and extend the bgpctl parser to handle commands like
<code>bgpctl show rib 192.0.2.0/24 detail</code>.
Also add various flowspec specific commands.
<li>Introduce a semaphore to protect intermittent RTR session data
from being published to the RDE.
<li>Limit the socket buffer size to 64k for all sessions.
Limiting the buffer size to a reasonable size ensures that not
too many updates end up queued in the TCP stack.
<li>Adjust example <code>GRACEFUL_SHUTDOWN</code> filter rule in
the example config to only match on ebgp sessions.
</ul>
<li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> saw some changes:
<ul>
<li>A 30%-50% performance improvement was achieved through libcrypto's
partial chains certificate validation feature. Already validated
non-inheriting CA certificates are now marked as trusted roots. This
way it can be ensured that a leaf's delegated resources are properly
covered, and at the same time most validation paths are
significantly shortened.
<li>Support for gzip and deflate HTTP Content-Encoding compression was
added. This allows web servers to send RRDP XML in compressed form,
saving around 50% of bandwidth.
<li>ASPA support was updated to draft-ietf-sidrops-aspa-profile-16.
As part of supporting AFI-agnostic ASPAs, the JSON syntax for
Validated ASPA Payloads changed in both filemode and normal output.
<li>In filemode (-f option) the applicable manifests are now shown as
part of the signature path.
<li>A new -P option was added to manually specify a moment in time
to use when parsing the validity window of certificates. Useful
for regression testing. Default is invocation time of rpki-client.
<li>The -A option will now also exclude ASPA data from the JSON output.
<li>The synchronisation protocol used to sync the repository is now
included in the OpenMetrics output.
<li>Improved accounting by tracking objects both by repo and tal.
<li>Check whether products listed on a manifest were issued by the same
authority as the manifest itself.
<li>File modification timestamps of objects retrieved via RRDP are now
deterministically set to prepare the on-disk cache for seamless
failovers from RRDP to RSYNC.
<li>Improved detection of RRDP session desynchronization: a check was
added to compare whether the delta hashes associated with previously
seen serials are different in newly fetched notification files.
<li>Improved handling of RRDP deltas in which objects are published,
withdrawn, and published again.
<li>Disallow X.509 v2 issuer and subject unique identifiers in certs.
RPKI CAs will never issue certificates with V2 unique identifiers.
<li>A check to disallow duplicate X.509 certificate extensions was
added.
<li>A check to disallow empty sets of IP Addresses or AS numbers in RFC
3779 extensions was added.
<li>A warning is printed when the CMS signing-time attribute in a Signed
Object is missing.
<li>Warnings about unrecoverable message digest mismatches now include
the manifestNumber to aid debugging the cause.
<li>A check was added to disallow multiple RRDP publish elements for the
same file in RRDP snapshots. If this error condition is encountered,
the RRDP transfer is failed and the RP falls back to rsync.
<li>A compliance check for the proper X.509 Certificate version and CRL
version was added.
<li>A compliance check was added to ensure CMS Signed Objects contain
SignedData, in accordance with RFC 6488 section 3 checklist item 1a.
<li>Compliance checks were added for the version, KeyUsage, and
ExtendedKeyUsage of EE certificates in Manifest, TAK, and GBR Signed
Objects.
<li>A CMS signing-time value being after the X.509 notAfter timestamp
was downgraded from an error to a warning.
<li>A bug was fixed in the handling of CA certificates which inherit IP
resources.
<li>A compliance check was added to ensure the X.509 Subject only
contains commonName and optionally serialNumber.
<li>A compliance check was added to ensure the CMS SignedData and
SignerInfo versions are 3.
<li>Fisher-Yates shuffle the order in which Manifest entries are
processed. Previously, work items were enqueued in the order the CA
intended them to appear on a Manifest. However, there is no obvious
benefit to third parties deciding the order in which things are
processed.
</ul>
<li>In <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>,
<ul>
<li>Swapped link-auth filter arguments to avoid ambiguities with user
names containing a "|" character.
<li>Bumped <a href="https://man.openbsd.org/smtpd-filters.7">smtpd-filters(7)</a>
protocol version.
<li>Fixed potential truncation of filtered data lines.
<li>Allowed arguments on NOOP.
</ul>
<li>Many other changes in various network programs and libraries:
<ul>
<li>Let <a href="https://man.openbsd.org/pcap_fopen_offline.3"
>pcap_fopen_offline(3)</a> correctly interpret some
<code>LINKTYPE_*</code> values in pcap headers written
on foreign operating systems.
<li>Make <a href="https://man.openbsd.org/dig.1">dig(1)</a>
use less deprecated LibreSSL API.
<li>Remove stylistic differences between
<a href="https://man.openbsd.org/arp.8">arp(8)</a> and
<a href="https://man.openbsd.org/ndp.8">ndp(8)</a> delete()
function. This makes it easier to spot real changes in behavior.
<li>Make <a href="https://man.openbsd.org/ndp.8">ndp(8)</a>
not remove cloning routes when no neighbor entry is
found with <code>ndp -d</code>.
<li>Improved error handling in the <a
href="https://man.openbsd.org/asr_run.3">asr</a> resolver.
<li>In <a href="https://man.openbsd.org/unwind.8">unwind(8)</a>,
handle SERVFAIL results on name resolution better.
<li>In <a href="https://man.openbsd.org/unwind.8">unwind(8)</a>,
fix a use-after-free bug triggered by fatal write errors
while sending TCP responses.
<li>In the router advertisement daemon
<a href="https://man.openbsd.org/rad.8">rad(8)</a>, update the default
timers for prefix preferred and valid lifetimes to use the values from
RFC 9096.
<li>In <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>,
remove artificial limit of 2 hours on a PIO lifetime.
<li>In <a href="https://man.openbsd.org/ypldap.8">ypldap(8)</a>,
reduce memory usage when updating larger directories.
<li>Make <a href="https://man.openbsd.org/ypldap.8">ypldap(8)</a>
more resilient when some servers are
misbehaving: keep trying LDAP servers until full results arrive
rather than just until one accepts the TCP connection.
<li>New <a href="https://man.openbsd.org/ifconfig.8#wgdescription"
>wgdescription</a> parameter to
<a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>
to set a string describing the
<a href="https://man.openbsd.org/wg.4">wg(4)</a> peer.
<li>Let <a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a>
prefix the interface name to many error and warning messages.
<li>Make the <code>tlsv1.0</code> and <code>tlsv1.1</code> options
in <a href="https://man.openbsd.org/relayd.8">relayd(8)</a>
do nothing, as one should use the default <code>tlsv1.2</code>
instead.
<li>Fix IPv6 routes being changed by
<a href="https://man.openbsd.org/relayd.8">relayd(8)</a>
with Routers configuration.
<li>In <a
href="https://man.openbsd.org/dhcrelay6.8">dhcrelay6(8)</a>, do not