deadsimple BSD Security Advisories and Announcements

OpenBSD 6.2 released: Oct 9, 2017

- OpenBSD 6.2 RELEASED -------------------------------------------------

October 9, 2017.

We are pleased to announce the official release of OpenBSD 6.2.
This is our 43rd release.  We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.

As in our previous releases, 6.2 provides significant improvements,
including new features, in nearly all areas of the system:

 - Improved hardware support, including:
    o arm: New rkgrf(4) driver for the Rockchip RK3399/RK3288 register
    o arm: New rkclock(4) driver for Rockchip RK3399/RK3288 clocks.
    o arm: New rkpinctrl(4) driver for controlling Rockchip
      RK3399/RK3288 pins.
    o arm: New rkgpio(4) driver for GPIO on Rockchip SoCs.
    o arm: New rktemp(4) driver for Rockchip RK3399 temperature sensors.
    o arm: New rkiic(4) driver for Rockchip RK3399 I2C controllers.
    o arm: New rkpmic(4) driver for the RK808 Power Management IC.
    o arm: New dwmmc(4) driver for Synopsis DesignWare SD/MMC
    o arm: New dwdog(4) driver for the Synopsys DesignWare watchdog
    o arm: New dwxe(4) driver for the Synopsys DesignWare Ethernet
    o arm: New sxitwi(4) driver for the two-wire bus on Allwinner SoCs.
    o arm: New axppmic(4) driver for the AXP209 I2C PMIC.
    o arm: New bcmaux(4) driver for clocks and interrupts on the
      auxilliary UART on BCM2835 devices.
    o arm: New mvmpic(4) driver for an interrupt controller on Marvell
      ARMADA 38x.
    o arm: New mvpxa(4) driver for the SD Host Controller on Marvell
      ARMADA 38x.
    o arm: New mvpinctrl(4) driver to configure pins on Marvell ARMADA
    o arm: New mvneta(4) driver the Ethernet controller on Marvell
      ARMADA 38x.
    o arm: New amdisplay(4) & nxphdmi(4) drivers for the Texas
      Instruments AM335x LCD controller.
    o octeon: New octcib(4) driver for the interrupt bus widget on
    o octeon: New octcit(4) driver for the central interrupt unit
      version 3 on CN72xx/CN73xx/CN77xx/CN78xx.
    o octeon: New octsctl(4) driver for the OCTEON SATA controller
    o octeon: New octxctl(4) driver for the OCTEON USB3 controller
    o octeon: Rhino Labs Inc. SDNA Shasta, and Ubiquiti Networks
      EdgeRouter 4 and 6 are now supported.
    o New hvs(4) driver for Hyper-V storage.
    o New pcxrtc(4) driver for the NXP PCF8563 Real Time Clock.
    o New urng(4) driver for USB random number generator devices.
    o Intel 8265 and 3168 support was added to the iwm(4) driver.
    o RTL8192CE support was added to the rtwn(4) driver.
    o RT5360 support was added to the ral(4) driver.
    o RTS525A support was added to the rtsx(4) driver.
    o The acpibat(4) driver now supports _BIX entries from ACPI 4.0.
    o ACPI hibernate support was added to the nvme(4) driver.
    o Substantially improved ACPI hibernate performance in the ahci(4)
    o The inteldrm(4) driver was updated to code based on Linux 4.4.70 -
      it now supports Skylake, Kaby Lake, and Cherryview devices and has
      better support for Broadwell and Valleyview devices.
    o The puc(4) driver now supports ASIX AX99100 devices.
    o Xen platform support and the xbf(4) driver in particular have been
      substantially improved.
    o The nvme(4) driver now reports correct last sector address to
      SCSI, allowing a valid GPT to be created.
    o Repair ioapic(4) misconfigurations.

 - vmm(4)/ vmd(8) improvements:
    o vmctl(8) supports paused VM migration and memory snapshotting
      using send and receive commands.
    o VPID/ASID reuse/rollover in vmm(4).
    o SGABIOS imported as an option ROM payload in SeaBIOS (for VGA to
      serial console redirection).
    o vmd(8) resets the guest VM RTC (real time clock) on host resume
      from suspend/hibernate (OpenBSD guests only).
    o Allow guest VMs access to AVX/AVX2 host CPU features.
    o Support for AMD SVM/RVI hosts.
    o Allow larger guest VM memory sizes (up to MAXDSIZ sized guests -
      e.g. 32GB on amd64 hosts).
    o Better handling of guest VM MONITOR/MWAIT and HLT instructions.
    o Various device emulation improvements in vmd(8).
    o Increase the virtio(4) queue size provided by vmd(8) from 64 to
      128 entries, to increase performance.
    o Many fixes to vmctl(8) and vmd(8) error handling.

 - IEEE 802.11 wireless stack improvements:
    o MiRA 802.11n TX rate scaling now supports devices with unequal
      numbers of Tx and Rx streams. Fixes 11n mode for some athn(8)
    o The iwn(8) and iwm(8) drivers will now start scanning for a new
      access point if they no longer receive beacons from the current
    o Prefer the 5GHz band over the 2GHz band during access point
    o Improved debug output in dmesg(8) when a wireless interface is put
      into debug mode with ifconfig(8).

 - Generic network stack improvements:
    o Incoming and forwarded IP packets are now processed without
      KERNEL_LOCK, resulting in better performances and reduced latency.
    o The kernel no longer handles IPv6 Stateless Address
      Autoconfiguration (RFC 4862), allowing cleanup and simplification
      of the IPv6 network stack.
    o The kernel sends IPv6 router solicitations for link local
      addresses with a link local source address.
    o FQ-CoDel algorithm has been implemented for use with pf(4)
    o Improved IPv6 checks for IPsec policies and made them consistent
      with IPv4.
    o Refactored local IP delivery to process IPsec packets in a flow
      and avoid enqueueing a second time.
    o pf(4) now inspects AH packets and matches on the inner protocol.
      This makes IPv4 authentication headers work like IPv6.
    o The length of extension header chains in pf(4) is limited. This
      prevents spending excessive CPU time on crafted packets.
    o Block IPv6 packets in pf(4) that have a hop-by-hop options header
      or a destination options header. Such packets can be passed by
      adding "allow-opts" to the rule. This makes IPv6 option handling
      consistent with IPv4.
    o If the IPv4 ID gets reused too fast, pf(4) fragment reassembly
      uses a smarter strategy to drop packets.
    o Enabled the use of per-CPU caches in the network packet

 - Installer improvements:
    o The installer now uses the Allotment Routing Table (ART).
    o A unique kernel is now created by the installer to boot from after
    o On release installs of architectures supported by syspatch,
      "syspatch -c" is now added to rc.firsttime.
    o Backwards compatibility code to support the 'rtsol' keyword in
      hostname.if(5) has been removed.
    o The and scripts are now executed at the
      end of the install/upgrade process.
    o More detailed information is shown to identify disks.
    o The IPv6 default router selection has been fixed.
    o On the amd64 platform, AES-NI is used if present.

 - Routing daemons and other userland network improvements:
    o A new daemon, slaacd(8) handles IPv6 Stateless Address
      Autoconfiguration (RFC 4862).
    o rtadvd(8) now supports "Reducing Energy Consumption of Router
      Advertisements" (RFC 7772).
    o rtadvd(8) has been fixed to quickly handle IPv6 prefix changes on
      the system.
    o ipsecctl(8) can now show SA bundles and the "bundle" keyword
      allows them to be explicitly created. This avoids confusion as
      they were previously used implicitly.
    o nc(1) now has a -W recvlimit option to terminate netcat after
      receiving the specified number of packets. This allows for a UDP
      request to be sent, a reply to be received and the result checked
      on the command line.
    o nc(1) now has a -Z option, allowing the peer certificate and chain
      to be saved to a file in PEM format.
    o A new -T tlscompat option was added to nc(1), which enables the
      use of all TLS protocols and libtls "compat" ciphers.
    o Various races have been fixed in relayd(8), expecially in HTTP
      chunked mode.
    o ndp(8) now shows the relevant NDP information when run in a
      non-default routing domain.
    o ifstated(8) now copes with interface departures/arrivals.
    o bgpd(8) can now be started multiple times in different routing
      domains, this provides virtual router functionality.

 - Security improvements:
    o A new function freezero(3) to easily clear and free memory holding
      sensitive data has been added.
    o Double free detection has been improved when the F malloc(3)
      option is used. The existing S option now includes F.
    o The TIOCSTI tty ioctl has been removed. The I/O-loops in the last
      two consumers csh(1) and mail(1) were rewritten to cope with the
    o Trapsleds, a new mitigation that significantly reduces the amount
      of nops in the instruction stream, replacing them with trap
      instructions or jump-over-trap sequences, thereby requiring
      greater accuracy for targetting potential gadgets.
    o Kernel Address Randomized Link (KARL), a new "link-kit" allows the
      .o files of the kernel to be relinked in a random order, creating
      a unique kernel for each boot. /bsd is now non-readable to users,
      to try to keep the secret.
    o Like with libc previously, rc(8) re-links libcrypto on startup,
      placing the objects in a random order.
    o In addition to libcrypto, to deter code reuse exploits, rc(8)
      re-links on startup, placing the objects in a random order.
    o If process accounting is activated with accton(8), the daily mail
      shows pledge violations and program crashes. lastcomm(1) uses the
      flags P and T for such processes.
    o pflogd(8) uses the fork+exec model.
    o tcpdump(8) uses the fork+exec model.
    o ifstated(8) uses pledge(2).
    o snmpd(8) and snmpctl(8) now use pledge(2).
    o Tighter pledge for at(1).
    o Fixed and simplified pledge logic for nc(1).
    o More application of recallocarray(3) in userland, and tracked
      sizes to free(9) in the kernel.
    o Achieve higher levels of paranoia regarding structure packing, and
      clear many kernel objects before passing to userland.
    o Disable some optimizations in clang(1) due to incompatibility with
    o For instance, cope with clang(1)'s assumption that static or const
      objects placed in unknown sections (such as .openbsd.randomdata)
      are surely always 0, and therefore such memory accesses can be
      optimized away.
    o In kernel, randomly bias down the top-of-stack per kthread.

 - dhcpd(8)/ dhcrelay(8) improvements:
    o Add support for echo-client-id statement to dhclient.conf(5).
    o Take greater care to process all data read, and only data read,
      from the bpf(4) socket.
    o Use /dev/bpf instead of /dev/bpf0.
    o Handle DHCPINFORM messages from clients behind a DHCP relay.
    o Fix handling of carp(4) interfaces in dhcrelay(8).
    o Don't stop dhcrelay(8) logging to stderr when it is started with
      the -d option.

 - dhclient(8) improvements:
    o Log messages reworked and clarified, in particular by prefixing
      the name of the relevant network interface.
    o Treat SSID as 0 to 32 bytes of binary data, not a string.
    o Use RTM_PROPOSAL to take control of an interface rather than
      flipping interface down and up in the hope that other dhclient(8)
      instances notice.
    o Reduce file operations needed by -L option by opening file at
      startup and using it throughout process lifetime.
    o Improve resolv.conf(5) handling by reducing writes and more
      reliably determining which interface has the current default
    o Take greater care to process all data read, and only data read,
      from the bpf(4) socket.
    o Improve the determination of the link state of an interface.
    o Decline inappropriate lease offers as soon as they are deemed
    o Drop support for the timestamp formats used in lease files created
      more than four years ago.
    o Accept an offer from the server that sent the first copy of the
      offer, not the server that sent the last copy.
    o Don't delete addresses and routes when exiting.
    o Ensure IPv6 packets are not read from sockets.
    o Don't silently ignore obsolete keywords in dhclient.conf(5).
    o Reduce memory footprint by shrinking oversized static buffers.
    o Eliminate repeated socket opens by opening the required sockets
      during startup.
    o Fix construction of unicast UDP packets, broken in 5.6.
    o Improve determination of when a renewed lease requires interface
      configuration changes.
    o Don't exit when addresses are manually added or deleted from an
    o Don't support option 33, classfull IP addresses.
    o Fix configuration of default routes supplied by classless route
    o Consider dhclient.conf(5) contents when determining what MTU value
      to configure.
    o Consider dhclient.conf(5) contents when creating the content of
    o Delete direct routes when routes are flushed.
    o Don't label routes with "DHCLIENT nnnn".
    o Don't delete addresses or routes that will be immediately added
    o Delete addresses and routes only when a renewal request is NAK'ed.
    o Don't wait forever for requested information on the default route.
    o Don't exit when an attempt to send a packet fails.
    o Don't log a packet send when the send fails.
    o Remove the -u option, broken since 2013 without complaints.
    o Use /dev/bpf instead of /dev/bpf0.

 - Assorted improvements:
    o The i386 and amd64 platforms have switched to using clang(1) as
      the base system compiler.
    o Improved UTF-8 line editing support for ksh(1) Emacs and Vi input
    o The HISTFILE of ksh(1) now uses a plain text format. Support for
      the HISTCONTROL environment variable was added.
    o The performance of the memory deallocator used by ksh(1) has been
    o The emacs-usemeta ksh(1) flag is no longer needed and is now
    o New futex(2) syscall.
    o New pthread mutex and condition variable implementations improving
      latency of threaded applications.
    o New POSIX xlocale implementation written from scratch, complete in
      the sense that all POSIX *locale(3) and *_l(3) functions are
      included, but in OpenBSD, we of course only really care about
      LC_CTYPE and we only support ASCII and UTF-8.
    o Automatic hibernation and suspend by apmd when battery is low.
    o New ctfdump(1) and ctfconv(1) tools to manipulate CTF (Compact C
      Type Format).
    o The error handling in syslogd(8) has been improved. Even if
      internal errors occur, the daemon tries to keep unaffected
      subsystems active. So as many messages as possible are logged.
      They can be filtered by severity and facility "syslog".
    o syslogd(8) can now suppress "last message repeated" which is
      useful for remote logging.
    o syslogd(8) can listen on multiple TLS sockets.
    o syslogd(8) closes the *.514 UDP sockets when they are not needed.
    o Truncate log messages at 8192 bytes everywhere.
    o newsyslog(8) now skips and logs invalid config lines.
    o Nested mount points are umounted in correct order.
    o Fix creation of softraid(4) CONCAT volumes.
    o Include softraid(4) volume and backing disk information in i/o
      error messages.
    o Make vioscsi(4) a normal scsi(4) device by eliminating its use of
      the obsolete XS_NO_CCB mechanism.
    o Remove last vestiges of now unused XS_NO_CCB mechanism.
    o Userspace can now get the address of the thread control block
      without a system call on OCTEON II and later.
    o FPU is enabled on OCTEON III.
    o GENERIC kernels now include a .SUNW_ctf section containing CTF
    o New ddb(4) kill command, send an uncatchable SIGABRT to a process.
    o New ddb(4) pprint command, using CTF information to "pretty print"
      global symbols.
    o New ddb(4) show struct command, using CTF information to display
      the content of in memory C structures.
    o x86: ddb(4) uses CTF data to display the correct number of
      function arguments in backtraces.
    o Power off all codecs in azalia(4) to avoid static noise in
      speakers and headphones on reboot.
    o Fix i386 boot regression seen on very old 486DX CPUs.
    o New witness(4) tool for debugging lock order issues in the kernel.
      The tool is not built in by default, and only amd64, hppa and i386
      are supported.
    o Modernize some bizzare tty behaviours of getty(8).
    o Some subtle changes to pledge(2) to satisfy requirements observed
      in real life.
    o Prefer use of waitpid(2) rather than wait(3) where possible, to
      avoid problems with pre-existing children.
    o Rewrite swaths of machine-dependent system call stub code in in a more portable fashion.
    o Per-CPU caches implemented in pools.
    o Mutex, condition-variable, thread-specific data, pthread_once(3),
      and pthread_exit(3) routines moved to libc from libpthread for
      ease of library use and compatibility with other OSes.
    o Added getptmfd(3), fdopenpty(3), and fdforkpty(3) to simplify
      privilege separation and use of pledge(2).
    o Improved computational complexity in various cases of strstr(3),
      qsort(3), and glob(3).
    o Added support for EV_RECEIPT and EV_DISPATCH to kqueue(2).
    o Added fktrace(2).

 - OpenSMTPD 6.0.0
    o Fix an off-by-one in the config parser that made 65535 an invalid
    o Fix a fd leak in the session congestion mechanism.
    o Fix a possible crash when relaying with smtps.
    o Remove support for the "listen secure" syntax (expicitely define
      two listeners for tls and smtps instead).
    o Remove experimental support for filters.
    o Assorted code and documentation cleanups and improvements.

 - OpenSSH 7.6
    o Security:
       - sftp-server(8): in read-only mode, sftp-server was
         incorrectly permitting creation of zero-length files.
    o New/changed features:
       - Add RemoteCommand option to specify a command in the ssh(1)
         config file instead of giving it on the client's command
         line. The feature allows to automate tasks using ssh config.
       - sshd(8): add ExposeAuthInfo option that enables writing
         details of the authentication methods used (including public
         keys where applicable) to a file that is exposed via a
         $SSH_USER_AUTH environment variable in the subsequent
       - ssh(1): add support for reverse dynamic forwarding. In this
         mode, ssh will act as a SOCKS4/5 proxy and forward
         connections to destinations requested by the remote SOCKS
         client. This mode is requested using extended syntax for the
         -R and RemoteForward options and, because it is implemented
         solely at the client, does not require the server be updated
         to be supported.
       - sshd(8): allow LogLevel directive in sshd_config Match
       - ssh-keygen(1): allow inclusion of arbitrary string or flag
         certificate extensions and critical options.
       - ssh-keygen(1): allow ssh-keygen to use a key held in
         ssh-agent as a CA when signing certificates.
       - ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an
         explicit ToS/DSCP value and just use the operating system
       - ssh-add(1): added -q option to make ssh-add quiet on success.
       - ssh(1): expand the StrictHostKeyChecking option with two new
         settings. The first "accept-new" will automatically accept
         hitherto-unseen keys but will refuse connections for changed
         or invalid hostkeys. This is a safer subset of the current
         behaviour of StrictHostKeyChecking=no. The second setting
         "off", is a synonym for the current behaviour of
         StrictHostKeyChecking=no: accept new host keys, and continue
         connection for hosts with incorrect hostkeys. A future
         release will change the meaning of StrictHostKeyChecking=no
         to the behaviour of "accept-new".
       - ssh(1): add SyslogFacility option to ssh(1) matching the
         equivalent option in sshd(8).
    o The following significant bugs have been fixed in this release:
       - ssh(1): use HostKeyAlias if specified instead of hostname for
         matching host certificate principal names.
       - sftp(1): implement sorting for globbed ls.
       - ssh(1): add a user@host prefix to client's "Permission
         denied" messages, useful in particular when using "stacked"
         connections (e.g. ssh -J) where it's not clear which host is
       - ssh(1): accept unknown EXT_INFO extension values that contain
         \0 characters. These are legal, but would previously cause
         fatal connection errors if received.
       - ssh(1)/sshd(8): repair compression statistics printed at
         connection exit.
       - sftp(1): print '?' instead of incorrect link count (that the
         protocol doesn't provide) for remote listings.
       - ssh(1): return failure rather than fatal() for more cases
         during session multiplexing negotiations. Causes the session
         to fall back to a non-mux connection if they occur.
       - ssh(1): mention that the server may send debug messages to
         explain public key authentication problems under some
       - Translate OpenSSL error codes to better report incorrect
         passphrase errors when loading private keys.
       - sshd(8): adjust compatibility patterns for WinSCP to
         correctly identify versions that implement only the legacy DH
         group exchange scheme.
       - ssh(1): print the "Killed by signal 1" message only at
         LogLevel verbose so that it is not shown at the default
         level; prevents it from appearing during ssh -J and
         equivalent ProxyCommand configs.
       - ssh-keygen(1): when generating all hostkeys (ssh-keygen -A),
         clobber existing keys if they exist but are zero length.
         zero-length keys could previously be made if ssh-keygen
         failed or was interrupted part way through generating them.
       - ssh(1): fix pledge(2) violation in the escape sequence "~&"
         used to place the current session in the background.
       - ssh-keyscan(1): avoid double-close() on file descriptors.
       - sshd(8): avoid reliance on shared use of pointers shared
         between monitor and child sshd processes.
       - sshd_config(8): document available AuthenticationMethods.
       - ssh(1): avoid truncation in some login prompts.
       - ssh(1): make "--" before the hostname terminate argument
         processing after the hostname too.
       - ssh-keygen(1): switch from aes256-cbc to aes256-ctr for
         encrypting new-style private keys. Fixes problems related to
         private key handling for no-OpenSSL builds.
       - ssh(1): warn and do not attempt to use keys when the public
         and private halves do not match.
       - sftp(1): don't print verbose error message when ssh
         disconnects from under sftp.
       - sshd(8): fix keepalive scheduling problem: activity on a
         forwarded port from preventing the keepalive from being sent.
       - sshd(8): when started without root privileges, don't require
         the privilege separation user or path to exist. Makes running
         the regression tests easier without touching the filesystem.
       - Make regression tests more robust against
       - ssh(1)/sshd(8): correctness fix for channels implementation:
         accept channel IDs greater than 0x7FFFFFFF.

 - LibreSSL 2.6.3
    o Added support for providing CRLs to libtls - once a CRL is
      provided via tls_config_set_crl_file(3) or
      tls_config_set_crl_mem(3), CRL checking is enabled and required
      for the full certificate chain.
    o Reworked TLS certificate name verification code to more strictly
      follow RFC 6125.
    o Cleaned up and simplified server key exchange EC point handling.
    o Removed inconsistent IPv6 handling from BIO_get_accept_socket(),
      simplified BIO_get_host_ip() and BIO_accept().
    o Added definitions for three OIDs used in EV certificates.
    o Relaxed SNI validation to allow non-RFC-compliant clients using
      literal IP addresses with SNI to connect to a libtls-based TLS
    o Added tls_peer_cert_chain_pem() to libtls, useful in private
      certificate validation callbacks such as those in relayd.
    o Converted explicit clear/free sequences to use freezero(3).
    o Fixed the openssl(1) ca command so that it generates certificates
      with RFC 5280-conformant time.
    o Added ASN1_TIME_set_tm(3) to set an ASN.1 time from a struct tm *.
    o Added SSL{,_CTX}_set_{min,max}_proto_version(3) functions.
    o Imported HKDF (HMAC Key Derivation Function) from BoringSSL.
    o Provided a tls_unload_file(3) function that frees the memory
      returned from a tls_load_file(3) call, ensuring that the contents
      become inaccessible.
    o Implemented reference counting for libtls tls_config, allowing
      tls_config_free(3) to be called as soon as it has been passed to
      the final tls_configure(3) call, simplifying lifetime tracking for
      the application.
    o Dropped cipher suites using DSS authentication.
    o Removed support for DSS/DSA from libssl.
    o Distinguish between self-issued certificates and self-signed
      certificates. The certificate verification code has special cases
      for self-signed certificates and without this change, self-issued
      certificates (which it seems are common place with
      openvpn/easyrsa) were also being included in this category.
    o Added a new TLS extension handling framework and converted all TLS
      extensions to use it.
    o Improved and added many new manpages. Updated
      SSL_{CTX_,}check_private_key(3) manpages with additional cautions
      regarding their use.
    o Cleaned up and simplified EC key/curve configuration handling.
    o Added tls_config_set_ecdhecurves(3) to libtls, which allows the
      names of the elliptical curves that may be used during client and
      server key exchange to be specified.
    o Converted more code paths to use CBB/CBS.
    o Removed NPN support - NPN was never standardised and the last
      draft expired in October 2012.
    o Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
      CryptoPro clients.
    o Removed support for the TLS padding extension, which was added as
      a workaround for an old bug in F5's TLS termination.
    o Added ability to clamp notafter values in certificates for systems
      with 32-bit time_t. This is necessary to conform to RFC 5280
    o Removed the original (pre-IETF) chacha20-poly1305 cipher suites.
    o Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.
    o Provide a useful error with libtls if there are no OCSP URLs in a
      peer certificate.
    o Keep track of which keypair is in use by a TLS context, fixing a
      bug where a TLS server with SNI would only return the OCSP staple
      for the default keypair.
    o If tls_config_parse_protocols(3) is called with a NULL pointer it
      now returns the default protocols.

 - mandoc 1.14.3
    o Full mandoc.db(5) databases are now enabled by default, allowing
      semantic searching with apropos(1) without any local configuration
    o Full integration of the former mdoclint(1) utility into mandoc(1)
      -Wall, new -Wstyle and -Wopenbsd message levels, and many new
      messages, for example about typos in .Sh lines, unknown .Xr
      targets, and links to self.
    o Additional steps unifying the mdoc(7), man(7), and roff(7)
      parsers: use one common data type and ohash_init(3) for all
      requests and macros and support creation of syntax tree nodes in
      the roff(7) parser, allowing support for many new low-level
      roff(7) features. Only about 25 ports still need USE_GROFF now.
    o Many improvements to tbl(7) parsing and formatting, including
      automatic line wrapping inside table columns.
    o Many improvements to eqn(7) parsing and formatting, including
      better font selection, recognition of well-known mathematical
      function names, and writing of <mn> and <mo> HTML tags.
    o Intelligible rendering of mathematical symbols in -Tascii output.
    o Several parsing and rendering improvements for the mdoc(7) .Lk
    o Some CSS improvements in HTML output, in particular for the
      mdoc(7) .Bl macro.

 - Ports and packages:
    o A massive amount of clang-related fixes happened between 6.1 and 6.2.
    o Pre-built packages are available for the following architectures on
      the day of release:
       - amd64: 9728
       - i386:  9285
    o Packages for the following architectures will be made available as
      their builds complete:
       - alpha
       - arm
       - hppa
       - mips64
       - mips64el
       - powerpc
       - sparc64

 - Some highlights:

    o AFL 2.51b                       o Mutt 1.9.1 and NeoMutt 20170912
    o Cmake 3.9.3                     o Node.js 6.11.2
    o Chromium 61.0.3163.100          o Ocaml 4.03.0
    o Emacs 21.4 and 25.3             o OpenLDAP 2.3.43 and 2.4.45
    o GCC 4.9.4                       o PHP 5.6.31 and 7.0.23
    o GHC 7.10.3                      o Postfix 3.2.2 and 3.3-20170910
    o Gimp 2.8.22                     o PostgreSQL 9.6.5
    o GNOME 3.24.2                    o Python 2.7.14 and 3.6.2
    o Go 1.9                          o R 3.4.1
    o Groff 1.22.3                    o Ruby, 2.1.9, 2.2.8,
    o JDK 8u144                         2.3.5 and 2.4.2
    o KDE 3.5.10 and 4.14.3 (plus     o Rust 1.20.0
      KDE4 core updates)              o Sendmail
    o LLVM/Clang 5.0.0                o SQLite 3.20.1
    o LibreOffice             o Sudo
    o Lua 5.1.5, 5.2.4, and 5.3.4     o Tcl/Tk 8.5.19 and 8.6.6
    o MariaDB 10.0.32                 o TeX Live 2016
    o Mozilla Firefox 52.4.0esr and   o Vim 8.0.0987
      56.0.0                          o Xfce 4.12
    o Mozilla Thunderbird 52.2.1

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.7 with xserver 1.18.4 + patches,
      freetype 2.8.0, fontconfig 2.12.4, Mesa 13.0.6, xterm 330,
      xkeyboard-config 2.20 and more)
    o LLVM/Clang 4.0.0 (+ patches)
    o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    o Perl 5.24.2 (+ patches)
    o NSD 4.1.17
    o Unbound 1.6.6
    o Ncurses 5.7
    o Binutils 2.17 (+ patches)
    o Gdb 6.3 (+ patches)
    o Awk Aug 10, 2011 version
    o Expat 2.2.4

- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each release.  Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible.  Therefore, we advise regular
visits to

- MAILING LISTS AND FAQ ------------------------------------------------

Mailing lists are an important means of communication among users and
developers of OpenBSD.  For information on OpenBSD mailing lists, please

You are also encouraged to read the Frequently Asked Questions (FAQ) at:

- DONATIONS ------------------------------------------------------------

The OpenBSD Project is volunteer-driven software group funded by
donations.  Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others.  This ecosystem is all handled under the same funding umbrella.

We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon

All of our developers strongly urge you to donate and support our future
efforts.  Donations to the project are highly appreciated, and are
described in more detail at:

- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation ( is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.

There may also be exposure benefits since the Foundation may be
interested in participating in press releases.  In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at for
more information.

- RELEASE SONGS --------------------------------------------------------

Every OpenBSD release is accompanied by artwork and a song.  The song
for OpenBSD 6.2 will be coming in December 2017.

Lyrics (and an explanation) of the song may be found at:

- HTTP/HTTPS INSTALLS --------------------------------------------------

OpenBSD can be easily installed via HTTP/HTTPS downloads.  Typically you
need a single small piece of boot media (e.g., a USB flash drive) and
then the rest of the files can be installed from a number of locations,
including directly off the Internet.  Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTP/HTTPS.

1) Read either of the following two files for a list of HTTP/HTTPS
   mirrors which provide OpenBSD, then choose one near you:

   As of October 15, 2017, the following HTTP/HTTPS mirror sites have
   the 6.2 release:     Stockholm, Sweden        Oldenburg, Germany     Paris, France   Brisbane, Australia    CO, USA   CA, USA        TX, USA Toronto, Canada Global

        The release is also available at the master site:        Alberta, Canada

        However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that HTTP/HTTPS mirror site and go into the directory
   pub/OpenBSD/6.2/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     arm64/           macppc/          src.tar.gz
        Changelogs/      armv7/           octeon/          sys.tar.gz
        README           hppa/            packages/        tools/
        SHA256           i386/            ports.tar.gz     xenocara.tar.gz
        SHA256.sig       landisk/         root.mail
        alpha/           loongson/        sgi/
        amd64/           luna88k/         sparc64/

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, amd64.  This is a list of what you will see:

        BOOTIA32.EFI*   bsd*            floppy62.fs     pxeboot*
        BOOTX64.EFI**         game62.tgz      xbase62.tgz
        BUILDINFO       bsd.rd*         index.txt       xfont62.tgz
        INSTALL.amd64   cd62.iso        install62.fs    xserv62.tgz
        SHA256          cdboot*         install62.iso   xshare62.tgz
        SHA256.sig      cdbr*           man62.tgz
        base62.tgz      comp62.tgz      miniroot62.fs

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
   and install62.iso.  The install62.iso file (roughly 346MB in size)
   is a one-step ISO-format install CD image which contains the various
   *.tgz files so you do not need to fetch them separately.

   If you prefer to use a USB flash drive, fetch install62.fs and
   follow the instructions in INSTALL.amd64.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.amd64.  INSTALL.amd64 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

   This is the page where we talk about the mistakes we made while
   creating the 6.2 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.7.  Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc.  During installation, you can install X.Org
quite easily.  Be sure to try out xenodm(1), our new, simplified X11
display manager forked from xdm(1).

- PACKAGES AND PORTS ---------------------------------------------------

Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures.  Please see for
more information on working with packages and ports.

Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed

- SYSTEM SOURCE CODE ---------------------------------------------------

The source code for all four subsystems can be found in the
pub/OpenBSD/6.2/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

The README ( file
explains how to deal with these source files.

- THANKS ---------------------------------------------------------------

Ports tree and package building by Pierre-Emmanuel Andre, Landry Breuil,
Visa Hankala, Stuart Henderson, Peter Hessler, Paul Irofti, and
Christian Weisgerber.  Base and X system builds by Kenji Aoyama,
Theo de Raadt, and Visa Hankala.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who bought our previous CD sets.  Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.

Our developers are:

    Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall,
    Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov,
    Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley,
    Antoine Jacoutot, Anton Lindqvist, Ayaka Koshibe , Benoit Lecocq,
    Bob Beck, Brandon Mercer, Brent Cook, Brian Callahan, Bryan Steele,
    Can Erkin Acar, Charles Longeau, Chris Cappuccio,
    Christian Weisgerber, Christopher Zimmermann, Claudio Jeker,
    Dale Rahn, Damien Miller, Daniel Boulet, Daniel Dickman,
    Daniel Jakots, Darren Tucker, David Coppa, David Gwynne, David Hill,
    Denis Fondras, Dmitrij Czarkoff, Doug Hogan, Edd Barrett,
    Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus,
    Gerhard Roth, Giannis Tsaraias, Gilles Chehade, Giovanni Bechis,
    Gleydson Soares, Gonzalo L. Rodriguez, Henning Brauer, Ian Darwin,
    Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze,
    Inoguchi Kinichiro, James Turner, Jason McIntyre,
    Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans,
    Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray,
    Jonathan Matthew, Joris Vink, Joshua Stein,
    Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama,
    Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov,
    Kurt Miller, Landry Breuil, Lawrence Teo, Luke Tymowski, Marc Espie,
    Marco Pfatschbacher, Marcus Glocker, Mark Kettenis, Mark Lumsden,
    Markus Friedl, Martijn van Duren, Martin Natano, Martin Pieuchot,
    Martynas Venckus, Mats O Jansson, Matthew Dempsky, Matthias Kilian,
    Matthieu Herrb, Mike Belopuhov, Mike Larkin, Miod Vallat,
    Nayden Markatchev, Nicholas Marriott, Nigel Taylor, Okan Demirmen,
    Otto Moerbeek, Pascal Stumpf, Patrick Wildt, Paul Irofti,
    Pavel Korovin, Peter Hessler, Philip Guenther,
    Pierre-Emmanuel Andre, Pratik Vyas, Rafael Sadowski,
    Rafael Zalamena, Remi Pointel, Renato Westphal, Reyk Floeter,
    Ricardo Mestre, Richard Procter, Rob Pierce, Robert Nagy,
    Robert Peichaer, Sasano Takayoshi, Sebastian Benoit,
    Sebastian Reitenbach, Sebastien Marie, Stefan Fritsch, Stefan Kempf,
    Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson,
    Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler,
    Theo de Raadt, Tim van der Molen, Tobias Stoeckmann, Todd C. Miller,
    Todd Mortimer, Tom Cosgrove, Ulf Brosziewski, Uwe Stuehler,
    Vadim Zhukov, Vincent Gross, Visa Hankala, Yasuoka Masahiko,
    Yojiro Uo