BSDSec

deadsimple BSD Security Advisories and Announcements

OpenBSD 6.0 released, September 1, 2016

------------------------------------------------------------------------
- OpenBSD 6.0 RELEASED -------------------------------------------------

September 1, 2016.

We are pleased to announce the official release of OpenBSD 6.0.
This is our 40th release on CD-ROM (and 41st via FTP/HTTP).  We remain
proud of OpenBSD's record of more than twenty years with only two remote
holes in the default install.

As in our previous releases, 6.0 provides significant improvements,
including new features, in nearly all areas of the system:

 - New/extended platforms:
    o armv7:
       - EFI bootloader added, kernels are now loaded from FFS instead
         of FAT or EXT filesystems, without U-Boot headers.
       - A single kernel and ramdisk are now used for all SoCs.
       - Hardware is dynamically enumerated via Flattened Device Tree
         (FDT) instead of via static tables based on board id numbers.
       - Miniroot installer images include U-Boot 2016.07 with support
         for EFI payloads.
    o vax:
       - Removed.

 - Improved hardware support, including:
    o New bytgpio(4) driver for the Intel Bay Trail GPIO controller.
    o New chvgpio(4) driver for the Intel Cherry View GPIO controller.
    o New maxrtc(4) driver for the Maxim DS1307 real time clock.
    o New nvme(4) driver for the Non-Volatile Memory Express (NVMe) host
      controller interface.
    o New pcfrtc(4) driver for the NXP PCF8523 real time clock.
    o New umb(4) driver for the Mobile Broadband Interface Model (MBIM).
    o New ure(4) driver for RealTek RTL8152 based 10/100 USB Ethernet
      devices.
    o New utvfu(4) driver for audio/video capture devices based on the
      Fushicai USBTV007.
    o The iwm(4) driver now supports Intel Wireless 3165 and 8260
      devices, and works more reliably in RAMDISK kernels.
    o Support for I2C HID devices with GPIO signalled interrupts has
      been added to dwiic(4).
    o Support for larger bus widths, high speed modes, and DMA transfers
      has been added to sdmmc(4), rtsx(4), sdhc(4), and imxesdhc(4).
    o Support for EHCI and OHCI compliant USB controllers on Octeon II
      SoCs.
    o Many USB device drivers have been enabled on OpenBSD/octeon.
    o Improved support for hardware-reduced ACPI implementations.
    o Improved support for ACPI 5.0 implementations.
    o AES-NI crypto is now done without holding the kernel lock.
    o Improved AGP support on PowerPC G5 machines.
    o Added support for the SD card slot in Intel Bay Trail SoCs.
    o The ichiic(4) driver now ignores the SMBALERT# interrupt to
      prevent an interrupt storm with buggy BIOS implementations.
    o Device attachment problems with the axen(4) driver have been
      fixed.
    o The ral(4) driver is more stable under load with RT2860 devices.
    o Problems with dead keyboards after resume have been fixed in the
      pckbd(4) driver.
    o The rtsx(4) driver now supports RTS522A devices.
    o Initial support for MSI-X has been added.
    o Support MSI-X in the virtio(4) driver.
    o Added a workaround for hardware DMA overruns to the dc(4) driver.
    o The acpitz(4) driver now spins the fan down after cooling if ACPI
      uses hysteresis for active cooling.
    o The xhci(4) driver now performs handoff from an xHCI-capable BIOS
      correctly.
    o Support for multi-touch input has been added to the wsmouse(4)
      driver.
    o The uslcom(4) driver now supports the serial console of Aruba 7xxx
      wireless controllers.
    o The re(4) driver now works around broken LED configurations in
      APU1 EEPROMs.
    o The ehci(4) driver now works around problems with ATI USB
      controllers (e.g. SB700).
    o The xen(4) driver now supports domU configuration under Qubes OS.

 - IEEE 802.11 wireless stack improvements:
    o The HT block ack receive buffer logic follows the algorithm given
      in the 802.11-2012 spec more closely.
    o The iwn(4) driver now keeps track of HT protection changes while
      associated to an 11n AP.
    o The wireless stack and several drivers make more aggressive use of
      RTS/CTS to avoid interference from legacy devices and hidden
      nodes.
    o The netstat(1) -W command now shows information about 802.11n
      events.
    o In hostap mode, do not reuse association IDs of nodes which are
      still cached. Fixes a problem where an access point using the
      ral(4) driver would get stuck at 1 Mbps because Tx rate accounting
      happened on the wrong node object.

 - Generic network stack improvements:
    o The routing table is now based on ART (the Allotment Routing
      Table), offering faster lookups.
    o The number of route lookups per packet has been reduced to one in
      the forwarding path.
    o The prio field on VLAN headers is now correctly set on each
      fragment of an IPv4 packet going out on a vlan(4) interface.
    o Enabled device cloning for bpf(4). This allows the system to have
      just one bpf device node in /dev that services all bpf consumers
      (up to 1024).
    o The Tx queue of the cnmac(4) driver can now be processed in
      parallel with the rest of the kernel.
    o The network input path now runs in thread context.

 - Installer improvements:
    o updated list of restricted usercodes
    o install.sh and upgrade.sh merged into install.sub
    o upgrade automatically runs sysmerge(8) in batch mode before
      fw_update(1)
    o questions and answers are logged in a format that can be used as a
      response file for use by autoinstall(8)
    o /usr/local is set to wxallowed during install

 - Routing daemons and other userland network improvements:
    o Add routing table support to rc.d(8) and rcctl(8).
    o Let nc(1) support service names in addition to port numbers.
    o Add -M and -m TTL flags to nc(1).
    o Add AF_UNIX support to tcpbench(1).
    o Fixed a regression in rarpd(8). The daemon could hang if it was
      idle for a long time.
    o Added the llprio option in ifconfig(8).
    o Multiple programs that use bpf(4) have been modified to take
      advantage of bpf(4) device cloning by opening /dev/bpf0 instead of
      looping through /dev/bpf* devices. These programs include arp(8),
      dhclient(8), dhcpd(8), dhcrelay(8), hostapd(8), mopd(8), npppd(8),
      rarpd(8), rbootd(8), and tcpdump(8). The libpcap library has also
      been modified accordingly.

 - Security improvements:
    o W^X is now strictly enforced by default; a program can only
      violate it if the executable is marked with PT_OPENBSD_WXNEEDED
      and is located on a filesystem mounted with the wxallowed mount(8)
      option. Because there are still too many ports which violate W^X,
      the installer mounts the /usr/local filesystem with wxallowed.
      This allows the base system to be more secure as long as
      /usr/local is a separate filesystem. If you use no W^X violating
      programs, consider manually revoking that option.
    o The setjmp(3) family of functions now apply XOR cookies to stack
      and return-address values in the jmpbuf on amd64, hppa, i386,
      mips64, and powerpc.
    o SROP mitigation: sigreturn(2) can now only be used by the
      kernel-provided signal trampoline, with a cookie to detect
      attempts to reuse it.
    o To deter code reuse exploits, rc(8) re-links libc.so on startup,
      placing the objects in a random order.
    o In the getpwnam(3) family of functions, stop opening the shadow
      database by default.
    o Allow tcpdump(8) -r to be started without root privileges.
    o Remove systrace.
    o Remove Linux emulation support.
    o Remove support for the usermount option.
    o The TCP SYN cache reseeds its random hash function from time to
      time. This prevents an attacker from calculating the distribution
      of the hash function with a timing attack.
    o To counter SYN flooding attacks, the administrator can now change
      the size of the hash array. netstat(1) -s -p tcp shows the
      information relevant for tuning the SYN cache via the sysctl(8)
      net.inet.tcp variables.
    o The administrator can require root privileges for binding to some
      TCP and UDP ports with sysctl(8) net.inet.tcp.rootonly and
      sysctl(8) net.inet.udp.rootonly.
    o Remove a function pointer from the mbuf(9) data structure and use
      an index into an array of acceptable functions instead.
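
The W^X item above describes a rule with two halves: the executable must
carry the PT_OPENBSD_WXNEEDED program header, and the filesystem it lives
on must be mounted with wxallowed. The following Python script is an
added example, not code from these release notes or from the OpenBSD base
system; it checks both halves so that an administrator can decide whether
the wxallowed option on /usr/local can safely be revoked. The p_type value
0x65a3dbe7 is the one OpenBSD's <sys/exec_elf.h> assigns to
PT_OPENBSD_WXNEEDED; the default scan path /usr/local, the script name,
the constructed fstab(5) excerpt (with invented DUIDs) and the constructed
ELF images used as test input are assumptions of the example.

```python
"""Audit W^X exemptions on an OpenBSD 6.0 system (added example, not
OpenBSD code). Two checks: which executables carry PT_OPENBSD_WXNEEDED,
and which fstab(5) entries are mounted wxallowed. Standard library only."""
import os
import struct
import sys

# p_type of the marker segment, as defined in OpenBSD's <sys/exec_elf.h>.
PT_OPENBSD_WXNEEDED = 0x65A3DBE7
PT_LOAD = 1


def program_header_types(data):
    """Return the p_type of every program header in an ELF32/ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_data not in (1, 2):
        raise ValueError("bad EI_DATA %d" % ei_data)
    end = "<" if ei_data == 1 else ">"            # little- or big-endian
    if ei_class == 2:                              # ELF64: amd64, sparc64, ...
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    elif ei_class == 1:                            # ELF32: i386, armv7, ...
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    else:
        raise ValueError("bad EI_CLASS %d" % ei_class)
    types = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 4 > len(data):
            raise ValueError("truncated program header table")
        # p_type is the first field of both Elf32_Phdr and Elf64_Phdr.
        types.append(struct.unpack_from(end + "I", data, off)[0])
    return types


def needs_wxallowed(data):
    """True if the image is marked PT_OPENBSD_WXNEEDED."""
    return PT_OPENBSD_WXNEEDED in program_header_types(data)


def find_wxneeded(images):
    """images: iterable of (name, bytes). Return names of marked ELF images;
    non-ELF or malformed inputs are skipped, not reported."""
    hits = []
    for name, data in images:
        try:
            if needs_wxallowed(data):
                hits.append(name)
        except (ValueError, struct.error):
            continue
    return hits


def read_tree(root):
    """Yield (path, bytes) for every readable regular file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    yield path, fh.read()
            except OSError:
                continue


def wxallowed_mounts(fstab_text):
    """Return mount points whose fstab(5) option list contains wxallowed."""
    mounts = []
    for line in fstab_text.splitlines():
        fields = line.split("#", 1)[0].split()      # strip comments
        if len(fields) < 4:
            continue
        if "wxallowed" in fields[3].split(","):      # fields[3] = options
            mounts.append(fields[1])                 # fields[1] = mount point
    return mounts


# Constructed fstab(5) excerpt for the example; the DUIDs are invented.
SAMPLE_FSTAB = """\
1a2b3c4d5e6f7a8b.a /          ffs rw 1 1
1a2b3c4d5e6f7a8b.e /usr       ffs rw,nodev 1 2
1a2b3c4d5e6f7a8b.g /usr/local ffs rw,nodev,wxallowed 1 2   # installer default
1a2b3c4d5e6f7a8b.d /tmp       ffs rw,nodev,nosuid 1 2
"""


def build_sample_elf(wxneeded, elf64=True):
    """Construct a minimal, non-runnable ELF image (test input only) with a
    PT_LOAD header and, if wxneeded, a PT_OPENBSD_WXNEEDED header."""
    types = [PT_LOAD] + ([PT_OPENBSD_WXNEEDED] if wxneeded else [])
    if elf64:
        ehsize, phentsize = 64, 56
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # class 64, LSB
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, ehsize, 0, 0,
                                   ehsize, phentsize, len(types), 0, 0, 0)
        phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 5, 0, 0, 0, 0, 0, 0)
                         for t in types)
    else:
        ehsize, phentsize = 52, 32
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\0" * 8   # class 32, LSB
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, ehsize, 0, 0,
                                   ehsize, phentsize, len(types), 0, 0, 0)
        phdrs = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, 5, 0)
                         for t in types)
    return ehdr + phdrs


if __name__ == "__main__":
    # Usage: python3 wxaudit.py [/usr/local]  (script name and path assumed)
    root = sys.argv[1] if len(sys.argv) > 1 else "/usr/local"
    for path in find_wxneeded(read_tree(root)):
        print("WXNEEDED:", path)
    try:
        with open("/etc/fstab") as fh:
            print("wxallowed mounts:", wxallowed_mounts(fh.read()))
    except OSError as err:
        print("cannot read /etc/fstab:", err)
```

Run it as python3 wxaudit.py /usr/local on the target system. If the scan
reports no WXNEEDED executables under /usr/local, the wxallowed keyword
can be removed from that filesystem's line in /etc/fstab (mount(8) shows
the option on currently mounted filesystems); a program that does need
it will then fail at the mmap(2) or mprotect(2) call that asks for
writable and executable memory, rather than running under a weaker
policy without anyone noticing.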

 - Assorted improvements:
    o The thread library can now be loaded into a single-threaded
      process.
    o Improved symbol handling and standards compliance in libc. For
      example, defining an open() function will no longer interfere with
      the operation of fopen(3).
    o PT_TLS sections are now supported in initially loaded objects.
    o Improved handling of "no paths" and "empty path" in fts(3).
    o In pcap(3), provide the functions pcap_free_datalinks() and
      pcap_offline_filter().
    o Many bugfixes and structural cleanup in the editline(3) library.
    o Remove ancient dbm(3) functions; ndbm(3) remains.
    o Add setenv keyword for more powerful environment handling in
      doas.conf(5).
    o Add -g and -p options to aucat(1) for time positioning.
    o Rewrite audioctl(1) with a simpler user interface.
    o Add -F option to install(1) to fsync(2) the file before closing
      it.
    o kdump(1) now dumps pollfd structures.
    o Improve various details of ksh(1) POSIX compliance.
    o mknod(8) rewritten in a pledge(2)-friendly style and to support
      creating multiple devices at once.
    o Implement rcctl(8) get all and getdef all.
    o Implement the rcs(1) -I (interactive) flag.
    o In rcs(1), implement Mdocdate keyword substitution.
    o In top(1), allow filtering on process arguments when they are
      being displayed.
    o Added UTF-8 support to fold(1) and rev(1).
    o Enable UTF-8 by default in xterm(1) and pod2man(1).
    o Filter out non-ASCII characters in wall(1).
    o Handle the COLUMNS environment variable consistently across many
      programs.
    o The -c and -k options allow providing a TLS client certificate and
      key for syslogd(8) on the sending side, so that the receiving side
      can verify that log messages are authentic. Note that syslogd does
      not implement this verification yet.
    o When the klog buffer overflows, syslogd now writes a log message
      indicating that some entries are missing.
    o On OpenBSD/octeon, CPU cache write buffering is enabled to improve
      performance.
    o pkg_add(1) and pkg_info(1) now understand a notion of branch to
      ease selection of some popular packages such as python or php,
      e.g., say pkg_add python%3.4 to select the 3.4 branch, and use
      pkg_info -zm to get a fuzzy listing with branch selection suitable
      for pkg_add -l.
    o fdisk(8) and pdisk(8) immediately exit unless passed a character
      special device
    o st(4) correctly tracks the current block count for variable sized
      blocks
    o fsck_ext2fs(8) works again
    o softraid(4) volumes can be constructed with disks that have a
      sector size other than 512 bytes
    o dhclient(8) DECLINEs and discards unused OFFERs.
    o dhclient(8) immediately exits if its interface (e.g. a bridge(4))
      returns EAFNOSUPPORT when a packet is sent.
    o httpd(8) returns 400 Bad Request for HTTP v0.9 requests.
    o ffs2's lazy node initialization avoids treating random disk data
      as an inode
    o fcntl(2) invocations in base programs use the idiom
      fcntl(n,F_GETFL) instead of fcntl(n,F_GETFL,0)
    o socket(2) and accept4(2) invocations in base programs use
      SOCK_NONBLOCK to eliminate the need for a separate fcntl(2).
    o tmpfs is not enabled by default
    o the in-kernel semantics of pledge(2) were improved in numerous
      ways. Highlights include: a new chown promise that allows pledged
      programs to set setugid attributes, a stricter enforcement of the
      recvfd promise and chroot(2) is no longer allowed for pledged
      programs.
    o a number of pledge(2)-related bugs (missing promises, unintended
      changes of behavior, crashes) were fixed, notably in gzip(1),
      nc(1), sed(1), skeyinit(1), stty(1), and various disk-related
      utilities, such as disklabel(8) and fdisk(8).
    o Block size calculation errors in the audio(4) driver have been
      fixed.
    o The usb(4) driver now caches vendor and product IDs. Fixes an
      issue where usbdevs(8) called in a loop would cause a USB mass
      storage device to halt operation.
    o The rsu(4) and ural(4) drivers are now working again after they
      were accidentally broken in 5.9.

 - OpenSMTPD 6.0.0
    o Security:
       - Implement the fork+exec pattern in smtpd(8).
       - Fix a logic issue in the SMTP state machine that can lead to
         an invalid state and result in a crash.
       - Plug a file-pointer leak that can lead to resource exhaustion
         and result in a crash.
       - Use automatic DH parameters instead of fixed ones.
       - Disable DHE by default since it is computationally expensive
         and a potential DoS vector.
    o The following improvements were brought in this release:
       - Add the -r option to the smtpd(8) enqueuer for compatibility
         with mailx.
       - Add missing date or message-id when listening on the submit
         port.
       - Fix "smtpctl show queue" reporting "invalid" envelope state.
       - Rework the format of the "Received" header so that the TLS
         part does not violate the RFC.
       - Increase the number of connections a local address is allowed
         to establish, and decrease the delay between transactions in
         the same session.
       - Fix LMTP delivery to servers returning continuation lines.
        - Further improve the still experimental filter API and fix
          various related issues.
       - Start improving and unifying the format of log messages.
       - Fix several documentation discrepancies and typos in the man
         pages.

 - OpenSSH 7.3
    o Security:
       - sshd(8): Mitigate a potential denial-of-service attack
         against the system's crypt(3) function via sshd(8). An
         attacker could send very long passwords that would cause
         excessive CPU use in crypt(3). sshd(8) now refuses to accept
         password authentication requests of length greater than 1024
         characters.
       - sshd(8): Mitigate timing differences in password
         authentication that could be used to discern valid from
         invalid account names when long passwords were sent and
         particular password hashing algorithms are in use on the
         server. CVE-2016-6210.
       - ssh(1), sshd(8): Fix observable timing weakness in the CBC
         padding oracle countermeasures. Note that CBC ciphers are
         disabled by default and only included for legacy
         compatibility.
        - ssh(1), sshd(8): Improve ordering of MAC
         verification for Encrypt-then-MAC (EtM) mode transport MAC
         algorithms to verify the MAC before decrypting any
         ciphertext. This removes the possibility of timing
         differences leaking facts about the plaintext, though no such
         leakage is known.
    o New/changed features:
       - ssh(1): Add a ProxyJump option and corresponding -J
          command-line flag to allow simplified indirection through
          one or more SSH bastions or "jump hosts".
       - ssh(1): Add an IdentityAgent option to allow specifying
         specific agent sockets instead of accepting one from the
         environment.
       - ssh(1): Allow ExitOnForwardFailure and ClearAllForwardings to
         be optionally overridden when using ssh -W. (bz#2577)
       - ssh(1), sshd(8): Implement support for the IUTF8 terminal
         mode as per draft-sgtatham-secsh-iutf8-00.
       - ssh(1), sshd(8): Add support for additional fixed
         Diffie-Hellman 2K, 4K and 8K groups from
         draft-ietf-curdle-ssh-kex-sha2-03.
       - ssh-keygen(1), ssh(1), sshd(8): support SHA256 and SHA512 RSA
         signatures in certificates.
       - ssh(1): Add an Include directive for ssh_config(5) files.
       - ssh(1): Permit UTF-8 characters in pre-authentication banners
         sent from the server. (bz#2058)
    o The following significant bugs have been fixed in this release:
       - In scp(1) and sftp(1), prevent screwing up terminal settings
         by escaping bytes not forming ASCII or UTF-8 characters.
       - ssh(1), sshd(8): Reduce the syslog level of some relatively
         common protocol events from LOG_CRIT. (bz#2585)
       - sshd(8): Refuse AuthenticationMethods="" in configurations
         and accept AuthenticationMethods=any for the default
         behaviour of not requiring multiple authentication. (bz#2398)
       - sshd(8): Remove obsolete and misleading "POSSIBLE BREAK-IN
         ATTEMPT!" message when forward and reverse DNS don't match.
         (bz#2585)
       - ssh(1): Close ControlPersist background process stderr except
         in debug mode or when logging to syslog. (bz#1988)
       - misc: Make PROTOCOL description for
         direct-streamlocal@openssh.com channel open messages match
         deployed code. (bz#2529)
       - ssh(1): Deduplicate LocalForward and RemoteForward entries to
         fix failures when both ExitOnForwardFailure and hostname
         canonicalisation are enabled. (bz#2562)
       - sshd(8): Remove fallback from moduli to obsolete "primes"
         file that was deprecated in 2001. (bz#2559)
       - sshd_config(5): Correct description of UseDNS: it affects ssh
         hostname processing for authorized_keys, not known_hosts.
         (bz#2554)
       - ssh(1): Fix authentication using lone certificate keys in an
         agent without corresponding private keys on the filesystem.
         (bz#2550)
       - sshd(8): Send ClientAliveInterval pings when a time-based
         RekeyLimit is set; previously keepalive packets were not
         being sent. (bz#2252)

 - OpenNTPD 6.0
    o When a single "constraint" is specified, try all returned
      addresses until one succeeds, rather than the first returned
      address.
    o Relaxed the constraint error margin to be proportional to the
      number of NTP peers, avoiding constant reconnections when there is
      a bad NTP peer.
    o Removed disabled hotplug(4) sensor support.
    o Added support for detecting crashes in constraint subprocesses.
    o Moved the execution of constraints from the ntp process to the
      parent process, allowing for better privilege separation since the
      ntp process can be further restricted.
    o Added pledge(2) support.
    o Fixed high CPU usage when the network is down.
    o Fixed various memory leaks.
    o Switched to RMS for jitter calculations.
    o Unified logging functions with other OpenBSD base programs.
    o Set MOD_MAXERROR to avoid unsynced time status when using
      ntp_adjtime.
    o Fixed HTTP Timestamp header parsing to use strptime(3) in a more
      portable fashion.
    o Hardened TLS for ntpd(8) constraints, enabling server name
      verification.

 - LibreSSL 2.4.2
    o User-visible features:
       - Fixed some broken manpage links in the install target.
       - cert.pem has been reorganized and synced with Mozilla's
         certificate store.
       - Reliability fix, correcting an error when parsing certain
         ASN.1 elements over 16k in size.
       - Implemented the IETF ChaCha20-Poly1305 cipher suites.
       - Fixed password prompts from openssl(1) to properly handle ^C.
    o Code improvements:
       - Fixed an nginx compatibility issue by adding an 'install_sw'
         build target.
        - Changed the default EVP_aead_chacha20_poly1305(3)
          implementation to the IETF (RFC 7539) construction.
       - Reworked error handling in libtls so that configuration
         errors are more visible.
       - Added missing error handling around bn_wexpand(3) calls.
       - Added explicit_bzero(3) calls for freed ASN.1 objects.
       - Fixed X509_*set_object functions to return 0 on allocation
         failure.
       - Deprecated internal use of
         EVP_[Cipher|Encrypt|Decrypt]_Final.
       - Fixed a problem that prevents the DSA signing algorithm from
         running in constant time even if the flag BN_FLG_CONSTTIME is
         set.
       - Fixed several issues in the OCSP code that could result in
         the incorrect generation and parsing of OCSP requests. This
         remediates a lack of error checking on time parsing in these
         functions, and ensures that only GENERALIZEDTIME formats are
         accepted for OCSP, as per RFC 6960.
    o The following CVEs have been fixed:
        - CVE-2016-2105: EVP_EncodeUpdate overflow.
        - CVE-2016-2106: EVP_EncryptUpdate overflow.
        - CVE-2016-2107: padding oracle in AES-NI CBC MAC check.
        - CVE-2016-2108: memory corruption in the ASN.1 encoder.
        - CVE-2016-2109: ASN.1 BIO excessive memory allocation.

 - Ports and packages:
    o New proot(1) tool in the ports tree for building packages in a
      chroot.
    o Many pre-built packages for each architecture:
       - alpha:  7422                  - mips64:   7921
       - amd64:  9433                  - mips64el: 7767
       - hppa:   6346                  - powerpc:  8318
       - i386:   9394                  - sparc64:  8750

 - Some highlights:

    o Afl 2.19b                       o Mozilla Thunderbird 45.2.0
    o Chromium 51.0.2704.106          o Mutt 1.6.2
    o Emacs 21.4 and 24.5             o Node.js 4.4.5
    o GCC 4.9.3                       o Ocaml 4.3.0
    o GHC 7.10.3                      o OpenLDAP 2.3.43 and 2.4.44
    o Gimp 2.8.16                     o PHP 5.5.37, 5.6.23, and 7.0.8
    o GNOME 3.20.2                    o Postfix 3.1.1 and 3.2-20160515
    o Go 1.6.3                        o PostgreSQL 9.5.3
    o Groff 1.22.3                    o Python 2.7.12, 3.4.5, and 3.5.2
    o JDK 7u80 and 8u72               o R 3.3.1
    o KDE 3.5.10 and 4.14.3 (plus     o Ruby 1.8.7.374, 2.0.0.648, 2.1.9,
      KDE4 core updates)                2.2.5, and 2.3.1
    o LLVM/Clang 3.8.0                o Rust 1.9.0-20160608
    o LibreOffice 5.1.4.2             o Sendmail 8.15.2
    o Lua 5.1.5, 5.2.4, and 5.3.3     o Sudo 1.8.17.1
    o MariaDB 10.0.25                 o Tcl/Tk 8.5.18 and 8.6.4
    o Mono 4.4.0.182                  o TeX Live 2015
    o Mozilla Firefox 45.2.0esr and   o Vim 7.4.1467
      47.0.1                          o Xfce 4.12

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.7 with xserver 1.18.3 + patches,
      freetype 2.6.3, fontconfig 2.11.1, Mesa 11.2.2, xterm 322,
      xkeyboard-config 2.18 and more)
    o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    o Perl 5.20.3 (+ patches)
    o SQLite 3.9.2 (+ patches)
    o NSD 4.1.10
    o Unbound 1.5.9
    o Ncurses 5.7
    o Binutils 2.17 (+ patches)
    o Gdb 6.3 (+ patches)
    o Awk Aug 10, 2011 version
    o Expat 2.1.1

If you'd like to see a list of what has changed between OpenBSD 5.9
and 6.0, look at

        http://www.OpenBSD.org/plus60.html

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.

------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each CD release.  As usual, between the
creation of the OpenBSD 6.0 HTTP/CD-ROM binaries and the actual 6.0
release date, our team found and fixed some new reliability problems
(note: most are minor and in subsystems that are not enabled by
default).  Our continued research into security means we will find
new security problems -- and we always provide patches as soon as
possible.  Therefore, we advise regular visits to

        http://www.OpenBSD.org/security.html
and
        http://www.OpenBSD.org/errata.html

------------------------------------------------------------------------
- MAILING LISTS --------------------------------------------------------

Mailing lists are an important means of communication among users and
developers of OpenBSD.  For information on OpenBSD mailing lists, please
see:

        http://www.OpenBSD.org/mail.html

------------------------------------------------------------------------
- CD-ROM SALES ---------------------------------------------------------

OpenBSD 6.0 is also available on CD-ROM.  The 3-CD set costs 44 EUR and
is available via web order worldwide.

The CD set includes a colourful booklet which carefully explains the
installation of OpenBSD.  A new set of cute little stickers is also
included (sorry, but our HTTP mirror sites do not support STP, the Sticker
Transfer Protocol).  As an added bonus, the second CD contains audio tracks
for six songs: "Another Smash of the Stack", "Black Hat", "Money",
"Comfortably Dumb (the misc song)", "Mother", and "Goodbye".
MP3 and OGG versions of the audio tracks can be found on the first CD.

Lyrics (and an explanation) for the songs may be found at:

    http://www.OpenBSD.org/lyrics.html#60

Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 6.0 CD-ROMs are bootable on the following platforms:

  o i386
  o amd64
  o macppc
  o sparc64

(Other platforms must boot from network, floppy, or other method).

For more information on ordering CD-ROMs, see:

        http://www.OpenBSD.org/orders.html

All of our developers strongly urge you to buy a CD-ROM and support
our future efforts.  Additionally, donations to the project are
highly appreciated, as described in more detail at:

        http://www.OpenBSD.org/donations.html

------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.  There may also be exposure benefits
since the Foundation may be interested in participating in press releases.
In turn, the Foundation then uses these contributions to assist OpenBSD's
infrastructure needs.  Contact the foundation directors at
directors@openbsdfoundation.org for more information.

------------------------------------------------------------------------
- T-SHIRT SALES --------------------------------------------------------

The OpenBSD distribution company also sells T-shirts with new and old
designs and other merchandise, available from its web ordering system.

------------------------------------------------------------------------
- HTTP INSTALLS --------------------------------------------------------

If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via HTTP downloads.  Typically you need a single
small piece of boot media (e.g., a USB flash drive) and then the rest
of the files can be installed from a number of locations, including
directly off the Internet.  Follow this simple set of instructions
to ensure that you find all of the documentation you will need
while performing an install via HTTP.  With the CD-ROMs,
the necessary documentation is easier to find.

1) Read either of the following two files for a list of HTTP
   mirrors which provide OpenBSD, then choose one near you:

        http://www.OpenBSD.org/ftp.html
        http://ftp.openbsd.org/pub/OpenBSD/ftplist

   As of September 1, 2016, the following HTTP mirror sites have the 6.0 release:

        http://ftp.eu.openbsd.org/pub/OpenBSD/6.0/      Stockholm, Sweden
        http://ftp.bytemine.net/pub/OpenBSD/6.0/        Oldenburg, Germany
        http://ftp.ch.openbsd.org/pub/OpenBSD/6.0/      Zurich, Switzerland
        http://ftp.fr.openbsd.org/pub/OpenBSD/6.0/      Paris, France
        http://ftp5.eu.openbsd.org/pub/OpenBSD/6.0/     Vienna, Austria
        http://mirror.aarnet.edu.au/pub/OpenBSD/6.0/    Brisbane, Australia
        http://ftp.usa.openbsd.org/pub/OpenBSD/6.0/     CO, USA
        http://ftp5.usa.openbsd.org/pub/OpenBSD/6.0/    CA, USA
        http://mirror.esc7.net/pub/OpenBSD/6.0/         TX, USA

        The release is also available at the master site:

        http://ftp.openbsd.org/pub/OpenBSD/6.0/          Alberta, Canada

        However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that HTTP mirror site and go into the directory
   pub/OpenBSD/6.0/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     alpha/           luna88k/         sparc64/
        Changelogs/      amd64/           macppc/          src.tar.gz
        HARDWARE         armish/          octeon/          sys.tar.gz
        PACKAGES         armv7/           packages/        tools/
        PORTS            hppa/            ports.tar.gz     xenocara.tar.gz
        README           i386/            root.mail        zaurus/
        SHA256           landisk/         sgi/
        SHA256.sig       loongson/        socppc/

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        HARDWARE        - list of hardware we support
        PORTS           - description of our ports tree
        PACKAGES        - description of pre-compiled packages
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, amd64.  This is a list of what you will see:

        BOOTIA32.EFI*   bsd*            floppy60.fs     pxeboot*
        BOOTX64.EFI*    bsd.mp*         game60.tgz      xbase60.tgz
        BUILDINFO       bsd.rd*         index.txt       xfont60.tgz
        INSTALL.amd64   cd60.iso        install60.fs    xserv60.tgz
        SHA256          cdboot*         install60.iso   xshare60.tgz
        SHA256.sig      cdbr*           man60.tgz
        base60.tgz      comp60.tgz      miniroot60.fs

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
   and install60.iso.  The install60.iso file (roughly 240MB in size)
   is a one-step ISO-format install CD image which contains the various
   *.tgz files so you do not need to fetch them separately.

   If you prefer to use a USB flash drive, fetch install60.fs and
   follow the instructions in INSTALL.amd64.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.amd64.  INSTALL.amd64 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

        http://www.OpenBSD.org/errata.html

   This is the page where we talk about the mistakes we made while
   creating the 6.0 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.7.  Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc.  During installation, you can install X.Org
quite easily.  Be sure to try out xdm(1) and see how we have customized
it for OpenBSD.

------------------------------------------------------------------------
- PORTS TREE -----------------------------------------------------------

The OpenBSD ports tree contains automated instructions for building
third party software.  The software has been verified to build and
run on the various OpenBSD architectures.  The 6.0 ports collection
is included on the 3-CD set.  Please see the PORTS file for more
information.

Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD.  Also, many popular ports have
been pre-compiled for those who do not desire to build their own binaries
(see BINARY PACKAGES, below).

------------------------------------------------------------------------
- BINARY PACKAGES ------------------------------------------------------

A large number of binary packages are provided.  Please see the PACKAGES
file (http://ftp.OpenBSD.org/pub/OpenBSD/6.0/PACKAGES) for more details.

------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------

The CD-ROMs contain source code for all the subsystems explained
above, and the README (http://ftp.OpenBSD.org/pub/OpenBSD/6.0/README)
file explains how to deal with these source files.  For those who
are doing an HTTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/6.0/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------

Ports tree and package building by Pierre-Emmanuel Andre, Landry Breuil,
Visa Hankala, Stuart Henderson, and Christian Weisgerber.  Base and X
system builds by Kenji Aoyama, Theo de Raadt, Jonathan Gray,
Visa Hankala, and Tobias Ulmer.  ISO-9660 filesystem layout by
Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who pre-ordered the 6.0 CD-ROM or bought our previous
CD-ROMs.  Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

    Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall,
    Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov,
    Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley,
    Antoine Jacoutot, Benoit Lecocq, Bob Beck, Brandon Mercer,
    Brent Cook, Bret Lambert, Bryan Steele, Can Erkin Acar,
    Charles Longeau, Chris Cappuccio, Christian Weisgerber,
    Christopher Zimmermann, Claudio Jeker, Damien Miller, Daniel Boulet,
    Daniel Dickman, Daniel Jakots, Darren Tucker, David Coppa,
    David Gwynne, Dmitrij Czarkoff, Doug Hogan, Edd Barrett,
    Eric Faurot, Florian Obser, Gerhard Roth, Giannis Tsaraias,
    Gilles Chehade, Giovanni Bechis, Gleydson Soares,
    Gonzalo L. Rodriguez, Henning Brauer, Ian Darwin, Igor Sobrado,
    Ingo Feinerer, Ingo Schwarze, James Turner, Jason McIntyre,
    Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans,
    Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray,
    Jonathan Matthew, Joshua Stein, Juan Francisco Cantero Hurtado,
    Kazuya Goda, Kenji Aoyama, Kenneth R Westerback, Kent R. Spillner,
    Kirill Bychkov, Kurt Miller, Landry Breuil, Lawrence Teo,
    Luke Tymowski, Marc Espie, Marcus Glocker, Mark Kettenis,
    Mark Lumsden, Markus Friedl, Martijn van Duren, Martin Natano,
    Martin Pieuchot, Martynas Venckus, Mats O Jansson, Matthew Dempsky,
    Matthias Kilian, Matthieu Herrb, Mike Belopuhov, Mike Larkin,
    Nayden Markatchev, Nicholas Marriott, Nigel Taylor, Okan Demirmen,
    Otto Moerbeek, Pascal Stumpf, Patrick Wildt, Paul Irofti,
    Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre,
    Rafael Zalamena, Remi Pointel, Renato Westphal, Reyk Floeter,
    Ricardo Mestre, Robert Nagy, Robert Peichaer, Sasano Takayoshi,
    Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
    Stefan Fritsch, Stefan Kempf, Stefan Sperling, Steven Mestdagh,
    Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda, T.J. Townsend,
    Ted Unangst, Theo Buehler, Theo de Raadt, Tim van der Molen,
    Tobias Stoeckmann, Tobias Ulmer, Todd C. Miller, Tom Cosgrove,
    Ulf Brosziewski, Vadim Zhukov, Vincent Gross, Visa Hankala,
    Yasuoka Masahiko, Yojiro Uo