OpenBSD 6.4 released - Oct 18, 2018

------------------------------------------------------------------------
- OpenBSD 6.4 RELEASED -------------------------------------------------

October 18, 2018.

We are pleased to announce the official release of OpenBSD 6.4.
This is our 45th release.  We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.

As in our previous releases, 6.4 provides significant improvements,
including new features, in nearly all areas of the system:

 - Improved hardware support, including:
    o ACPI support on OpenBSD/arm64 platforms.
    o The radeondrm(4) driver was updated to code based on Linux
      4.4.155, adding modesetting support for KAVERI/KABINI/MULLINS APUs
      and OLAND/BONAIRE/HAINAN/HAWAII GPUs.
    o Support for radeondrm(4) on OpenBSD/arm64 platforms.
    o New umt(4) driver for USB Windows Precision Touchpad devices.
    o New bnxt(4) driver for Broadcom NetXtreme-C/E PCI Express Ethernet
      adapters based on the Broadcom BCM573xx and BCM574xx chipsets.
      Enabled on amd64 and arm64 platforms.
    o New mue(4) driver for Microchip LAN7500/LAN7505/LAN7515/LAN7850
      USB 2.0 and LAN7800/LAN7801 USB 3.0 Gigabit Ethernet devices.
    o New acpisurface(4) driver providing ACPI support for Microsoft
      Surface Book laptops.
    o New agintcmsi(4/arm64) driver for the ITS component of the ARM
      GIC.
    o New dwpcie(4) driver for the Synopsys Designware PCIe controller,
      which is built into various SoCs.
    o New acpipci(4/arm64) driver providing support for PCI host bridges
      based on information provided by ACPI.
    o New mvclock(4), mvgpio(4), mvicu(4), mvrng(4), mvrtc(4), and
      mvtemp(4) drivers for various components of the Marvell Armada
      SoCs.
    o New hiclock(4), hidwusb(4), hireset(4), and hitemp(4) drivers for
      various components of the HiSilicon SoCs.
    o New ccp(4) and octcrypto(4/octeon) drivers for
      hardware-accelerated cryptography.
    o New ccpmic(4) and tipmic(4) drivers for Intel Crystal Cove and
      Dollar Cove TI Power Management ICs.
    o New imxrtc(4) driver for the RTC integrated in Freescale i.MX7 and
      i.MX8 processors.
    o New fanpwr(4) driver for the Fairchild FAN53555 and Silergy
      SYR827/828 voltage regulators.
    o New pinctrl(4) driver for generic pin multiplexing.
    o New plgpio(4) driver for the ARM PrimeCell PL061 GPIO controller.
    o PIE support for the m88k platform.
    o Support for some HID-over-I^2C touchscreen devices in imt(4).
    o Support for RTL8188EE and RTL8723AE in rtwn(4).
    o Support for RT3290 in ral(4).
    o Support for SAS 3.5 controllers (SAS34xx and SAS35xx) in mpii(4).
    o Support for drive and battery status sensors and bio in mfii(4).
    o On i386 Intel CPU microcode is loaded on boot.
    o On i386 reduce the size of the area reserved for brk(2) to make
      more memory available to anonymous mmap(2) calls.
    o On sparc64 ldomctl(8) now supports the more modern firmware found on
      SPARC T2+ and T3 machines such as the T1000, T5120 and T5240.
      NVRAM variables can now be set per logical domain.
    o com(4) better supports Synopsys Designware UARTs.
    o New islrtc(4) driver for Intersil ISL1208 Real Time Clock.
    o Support for the Huawei k3772 in umsm(4).
    o Support for the VIA VX900 chipset in viapm(4).
    o Support for GNSS networks other than GPS in nmea(4).
    o Support for Elantech trackpoints in pms(4).
    o Added a sensor for port replicator status to acpithinkpad(4).
    o Support for Allwinner H3 and A64 SoC in sxitemp(4).

 - vmm(4) and vmd(8) improvements:
    o Support for qcow2 disk and snapshot images.
    o Support for VM templates and derived instances in vm.conf(5) and
      vmctl(8).
    o Added initial unveil(2) support to vmctl(8) along with general
      cleanups.
    o Various bug fixes and improvements.

 - IEEE 802.11 wireless stack improvements:
    o With the new 'join' feature (managed with ifconfig(8)), the kernel
      manages automatic switching between different WiFi networks.
    o ifconfig(8) scan performance has been improved for many devices.

 - Generic network stack improvements:
    o trunk(4) now has LACP administrative knobs for mode, timeout,
      system priority, port priority, and ifq priority.
    o ifconfig(8) now has the ability to adjust LACP administrative
      knobs lacpmode and lacptimeout.
    o sendmsg(2), sendto(2), recvfrom(2) and recvmsg(2) are run without
      KERNEL_LOCK.
    o New global IPsec counters are available via netstat(1).
    o New eoip(4) interface for the MikroTik Ethernet over IP (EoIP)
      encapsulation protocol.

 - Installer improvements:
    o installurl(5) now defaults to cdn.openbsd.org if no mirror was
      chosen during installation. pkg_add(1) and syspatch(8) will thus
      work out of the box.
    o DUID can be used to answer the "Which disk is the root disk?"
      question during upgrade.
    o Installing a diskless(8) setup can be done over interfaces
      configured with dhclient(8).
    o disklabel(8) now creates a /usr/obj partition with a minimum size
      of 5G when using automatic disk allocation.
    o disklabel(8) now creates a /usr/local partition with a maximum
      size of 20G when using automatic disk allocation.

 - Security improvements:
    o New unveil(2) system call to restrict file system access of the
      calling process to the specified files and directories. It is most
      powerful when properly combined with privilege separation and
      pledge(2).
    o Implemented MAP_STACK option for mmap(2). At pagefaults and
      syscalls the kernel will check that the stack pointer points to
      MAP_STACK memory, which mitigates against attacks using stack
      pivots.
    o New RETGUARD security mechanism on amd64 and arm64: use
      per-function random cookies to protect access to function return
      instructions, making them harder to use in ROP gadgets.
    o clang(1) includes a pass that identifies common instructions which
      may be useful in ROP gadgets and replaces them with safe
      alternatives on amd64 and i386.
    o The Retpoline mitigation against Spectre Variant 2 has been
      enabled in clang(1) and in assembly files on amd64 and i386.
    o Added SpectreRSB mitigation on amd64.
    o Added Intel L1 Terminal Fault mitigation on amd64.
    o When available, PCIDs are used on amd64 to separate user and
      kernel thread TLB entries.
    o Meltdown mitigation was added to i386.
    o amd64 now uses eager-FPU switching to prevent FPU state
      information speculatively leaking across protection boundaries.
    o Because Simultaneous MultiThreading (SMT) uses core resources in a
      shared and unsafe manner, it is now disabled by default. It can be
      enabled with the new hw.smt sysctl(2) variable.
    o Audio recording is now disabled by default and can be enabled with
      the new kern.audio.record sysctl(2) variable.
    o getpwnam(3) and getpwuid(3) no longer return a pointer to static
      storage but a managed allocation which gets unmapped. This allows
      detection of access to stale entries.
    o sshd(8) includes improved defence against user enumeration
      attacks.

 - Routing daemons and other userland network improvements:
    o ospf6d(8) can now set the metric for a route depending on the
      status of an interface.
    o ospf6d(8) can now be bound into an alternate routing domain.
    o ospf6d(8) is now pledged.
    o Prevent ospfd(8) and ospf6d(8) from being started more than once
      (in the same routing domain).
    o slaacd(8) is now fully pledged.
    o slaacd(8) is informed by the kernel when Duplicate Address
      Detection (DAD) fails and generates different addresses when
      possible.
    o When slaacd(8) detects roaming between networks, it deprecates all
      configured IPs. IPs from newly advertised prefixes will be
      preferred.
    o A new daemon, rad(8), sends IPv6 Router Advertisement messages and
      replaces the old rtadvd(8) daemon from KAME.
    o The anachronistic networks(5) configuration file is no longer
      supported.
    o More robust pfctl(8) parsing routines and corner case fixes around
      table and anchor handling.
    o route(8) now errors out on bad -netmask/-prefixlen usage instead
      of configuring ambiguous routes.
    o dhclient(8) now adds a direct route to the default route gateway
      when the gateway is not reachable via the address/netmask provided
      by the lease.
    o dhclient(8) now updates dhclient.leases(5), resolv.conf(5), and
      any '-L' file before daemonizing and returning control to invoking
      scripts.
    o dhclient(8)'s '-i' option now discards any previously defined
      values for the options to be ignored.
    o Any change to any interface now causes dhclient(8) to
      appropriately update resolv.conf(5).
    o dhclient(8) now always records the client identifier used to
      obtain a lease, enabling better conformance to RFC 6842.
    o dhclient(8) now has the '-r' option to release the current lease
      and exit.
    o dhclient(8) now avoids inappropriate changes to resolv.conf(5) by
      ignoring dhclient.leases(5) for interfaces that cannot report
      their link status.

 - bgpd(8) improvements:
    o The default filter action was changed from allow to deny.
    o The config option 'announce (all|self|none|default-route)' has
      been deprecated and superseded by filter configuration.
    o Improved prefix-sets both in speed and user experience.
    o Introduced as-sets to match ASPATH against large lists of AS
      numbers.
    o Support for BGP Origin Validation RFC 6811 through the roa-set
      directive.
    o Added origin-sets for matching prefix / origin AS pairs
      efficiently.
    o Some syntax cleanups: newlines are optional inside expansion lists
      (previously newlines needed to be escaped) but, in neighbor, group
      and rdomain blocks multiple statements have to be on new lines.
    o Reduce the amount of work done during a configuration reload.
    o Config reloading no longer blocks other event handling in the
      route decision engine.
    o Better support and bugfixes for multiple bgpd processes running in
      different rdomains.

 - Assorted improvements:
    o rasops(9)-backed framebuffer consoles such as inteldrm(4),
      radeondrm(4) and efifb(4) now support scrollback.
    o rebound(8) gained support for permanent A records, similar to the
      local-data directive supported by unbound(8).
    o New kcov(4) driver used for collection of code coverage inside the
      kernel. It's used in an ongoing effort to fuzz the kernel.
    o uid_from_user(3) and gid_from_group(3) were added to the C library
      and are now used in several programs to speed up repeated lookups.
    o New semaphore implementation making sem_post(3) async-safe.
    o pcap_set_immediate_mode(3) was imported from mainline libpcap,
      allowing programs to process packets as soon as they arrive.
    o ksh(1) now supports 64-bit integers on all architectures.
    o A bug in ksh(1) related to variable expansion of read-only
      variables has been fixed.
    o lam(1) now provides UTF-8 support.
    o Enable trunk(4) and vlan(4) on arm64 RAMDISK.
    o pf(4) IP fragment reassembly uses a better algorithm to make it
      robust against denial of service attacks.
    o New ldap(1) tool implementing a simple LDAP search client.
    o A bug in init(8) that caused hangs on i386 under VMware has been
      fixed.
    o TFTP boot support was added for U-Boot based arm64 and armv7
      platforms via EFI Simple Network protocol.
    o Support was added for the EFI Random Number Generator Protocol to
      insert additional entropy into the kernel at boot.
    o Support for RFC 3430 (TCP connections) was added to snmpd(8).
    o Enable bwfm(4) on amd64, i386, arm64 and armv7. Also on loongson
      and macppc for USB devices.
    o New "Spleen 5x8" font added to wsfont, targeted at small OLED
      displays.
    o usbdevs(8) now reports USB port statuses.
    o top(1) and systat(1) now report the time spent by each CPU waiting
      on spinning locks.
    o Improved read speed on MSDOSFS via clustering.
    o Access to NFS nodes is now serialized.
    o systat(1) has a new uvm view that displays statistics relevant to
      the UVM subsystem.
    o mg(1) now handles carriage returns during incremental search by
      setting the mark and exiting the search, as modern emacsen do.
    o disklabel(8) improved the rounding of partition offsets and sizes
      to cylinder boundaries.
    o disklabel(8) now range checks all user input.
    o disklabel(8) no longer allows FS_RAID partitions to be given a
      mount point.
    o disklabel(8) now changes partition information only when all user
      input is valid.
    o relayd(8) has improved log directives in its configuration file
      for finer grained control of what gets logged.
    o tmux(1) now handles terminfo colors greater than 256 correctly.
    o httpd(8) now supports client certificate authentication.
    o Numerous improvements to the fuse(4) subsystem.
    o Improvements to the way the kernel searches for available memory
      to satisfy anonymous mmap(2) calls.
    o efifb(4) now remaps the EFI framebuffer early to use a write
      combining mapping, speeding things up considerably.

 - OpenSMTPD
    o Incompatible change to the smtpd.conf(5) grammar: separate
      envelope matching, which happens during the SMTP dialogue while
      receiving a message and merely results in assigning an action
      name, from delivery actions, which do not take effect until the
      queue runner makes a delivery attempt. This gets rid of several
      different roadblocks in OpenSMTPD development.
    o Improve SMTP server engine with a new RFC 5322 message parser.
    o Remove limitations preventing smtpd(8) from dealing with clients
      submitting long lines.
    o Improve security by moving expansion of .forward file variables
      into the users' MDA process.
    o Introduce MDA wrappers allowing recipient MDA commands to be
      transparently wrapped inside global commands.
    o A new smtp(1) command line client has been added.
    o Assorted documentation improvements, cleanups and minor bug fixes.

 - OpenSSH 7.9
    o New features:
       - In most places in ssh(1) and sshd(8) where port numbers are
         used, service names (from /etc/services) can now be used.
       - The ssh(1) IdentityAgent configuration directive now accepts
         environment variable names. This supports the use of multiple
         agent sockets without needing to use fixed paths.
       - Support signalling sessions via the SSH protocol in sshd(8).
       - "ssh -Q sig" can be used to list supported signature options.
         Also "ssh -Q help" will show the full set of supported
         queries.
       - The new CASignatureAlgorithms option in ssh(1) and sshd(8)
         controls the allowed signature formats for CAs to sign
         certificates with. For example, this allows banning CAs that
         sign certificates using the RSA-SHA1 signature algorithm.
       - Key revocation lists (KRLs) can now contain keys specified by
         SHA256 hash. These lists are managed by ssh-keygen(8). In
         addition, KRLs can now be created from base64-encoded SHA256
         fingerprints, i.e. from only the information contained in
         sshd(8) authentication log messages.
    o Non-exhaustive list of bug fixes:
       - ssh(1), ssh-keygen(1): avoid spurious "invalid format" errors
         when attempting to load PEM private keys while using an
         incorrect passphrase.
       - sshd(8): when a channel closed message is received from a
         client, close the stderr file descriptor at the same time
         stdout is closed. This avoids stuck processes if they were
         waiting for stderr to close and were insensitive to stdin/out
         closing.
       - ssh(1): allow ForwardX11Timeout=0 to disable the untrusted
         X11 forwarding timeout and support X11 forwarding
         indefinitely. Previously the behaviour of ForwardX11Timeout=0
         was undefined.
       - sshd(8): do not fail closed when configured with a text key
         revocation list that contains a too-short key.
       - ssh(1): treat connections with ProxyJump specified the same
         as ones with a ProxyCommand set with regards to hostname
         canonicalisation (i.e. don't try to canonicalise the hostname
         unless CanonicalizeHostname is set to 'always').
       - ssh(1): fix regression in OpenSSH 7.8 that could prevent
         public-key authentication using certificates hosted in a
         ssh-agent(1) or against sshd(8) from OpenSSH <7.8.

 - LibreSSL 2.8.2
    o API and Documentation Enhancements
       - X509 verification is now more strict so X509_VERIFY_PARAM
         host, ip or email failure will cause future
         X509_verify_cert(3) calls to fail.
       - Support for single DES cipher suites is removed.
       - Support for RSASSA-PKCS1-v1_5 (RFC 8017) is added to
         RSA_sign(3).
       - Modified signature of CRYPTO_mem_leaks_*(3) to return -1.
         This function is a no-op in LibreSSL, so this function
         returns an error to not indicate the (non-)existence of
         memory leaks.
       - SSL_copy_session_id(3), PEM_Sign, EVP_EncodeUpdate(3),
         BIO_set_cipher(3), X509_OBJECT_up_ref_count(3) now return an
         int for error handling, matching OpenSSL.
       - Converted a number of #defines into proper functions,
         matching OpenSSL's ABI (e.g. X509_CRL_get_issuer(3) and other
         X509_*get*(3) functions)
       - Added X509_get0_serialNumber(3) from OpenSSL.
       - Removed EVP_PKEY2PKCS8_broken(3) and PKCS8_set_broken(3),
         while adding PKCS8_pkey_add1_attr_by_NID(3) and
         PKCS8_pkey_get0_attrs(3), matching OpenSSL.
       - Removed broken pkcs8 formats from openssl(1).
       - Added RSA_meth_get_finish(3) and RSA_meth_set1_name(3) from
         OpenSSL.
       - Added new EVP_CIPHER_CTX_(get|set)_iv(3) API that allows the
         IV to be retrieved and set with appropriate validation.
       - Extensive documentation updates and additional API history.
       - Removed SSL_OP_TLS_ROLLBACK_BUG buggy client workarounds.
       - Made ENGINE_finish(3) and ENGINE_free(3) succeed on NULL and
         simplify callers and matching OpenSSL behavior, rewrote
         ENGINE_* documentation.
       - Added const annotations to many existing APIs from OpenSSL,
         making interoperability easier for downstream applications.
       - Documented security pitfalls with BN_FLG_CONSTTIME and
         constant-time operation of BN_* functions.
    o Testing and Proactive Security
       - Added Wycheproof test support for ECDH, RSASSA-PSS, AES-GCM,
         AES-CMAC, AES-CCM, AES-CBC-PKCS5, DSA, ChaCha20-Poly1305,
         ECDSA, and X25519 test vectors. Applied appropriate fixes for
         errors uncovered by tests.
       - Added more cipher tests, including all TLSv1.2 ciphers.
       - Added a blinding value when generating DSA and ECDSA
         signatures, in order to reduce the possibility of a
         side-channel attack leaking the private key.
       - Added timing-safe compares for checking results of signature
         verification.
       - Added ECC constant time scalar multiplication support. From
         Billy Brumley and his team at Tampere University of
         Technology.
    o Internal Improvements
       - Simplified key exchange signature generation and
         verification.
       - Converted more code paths to use CBB/CBS. All handshake
         messages are now created by CBB. RSA key exchange is
         simplified and uses dedicated buffers for secrets.
       - Simplified session ticket parsing and handling, inspired by
         BoringSSL.
       - Stopped handling AES-GCM in ssl_cipher_get_evp, since these
         ciphers use the EVP_AEAD interface.
       - Stopped using composite EVP_CIPHER AEADs.
       - Removed unused SSL3_FLAGS_DELAY_CLIENT_FINISHED and
         SSL3_FLAGS_POP_BUFFER flags in write path, simplifying IO
         paths.
       - Updated BN_clear to use explicit_bzero.
       - Cleaned up BN_* implementations following changes made in
         OpenSSL by Davide Galassi and others.
       - Revised the implementation of RSASSA-PKCS1-v1_5 to match the
         specification in RFC 8017. Based on an OpenSSL commit by
         David Benjamin.
    o Bug Fixes
       - Fixed a one-byte buffer overrun in callers of
         EVP_read_pw_string.
       - Fixed various memory leaks found by Coverity.
       - Converted more functions in public API to use const
         arguments.
       - Correctly clear the current cipher state, when changing
         cipher state. This fixed an issue where renegotiation of
         cipher suites would fail when switched from AEAD to non-AEAD
         or vice-versa. Issue reported by Bernard Spil.
       - Fixed a pair of 20+ year-old bugs in X509_NAME_add_entry.
       - Fixed a potential memory leak on failure in ASN1_item_digest.
       - Fixed a potential memory alignment crash in
         asn1_item_combine_free.
       - Fixed small timing side-channels in ecdsa_sign_setup and
         dsa_sign_setup.
       - Added a missing bounds check in c2i_ASN1_BIT_STRING.
       - Fixed a potential leak/incorrect return value in DSA
         signature generation.

 - Mandoc 1.14.4
    o In HTML output, many mdoc(7) macros now use more fitting HTML
      elements.
    o In HTML output, almost all "style" attributes and a number of
      redundant "class" attributes were removed.
    o Baby steps towards responsive design: use a @media query in
      mandoc.css, use the HTML meta viewport element, and remove all
      hard-coded widths and heights from the generated HTML code.
    o Many style improvements in mandoc.css.
    o More than 15 new low level roff(7) and GNU man-ext features.
      Mandoc can now format the manuals of the groff port.

 - Ports and packages:
    o update-plist(1) has been entirely rewritten and now figures out
      MULTI_PACKAGES and variable substitution almost 100%.
    o New packages now run maintenance database tools like
      update-desktop-database just once instead of after every package
      addition/removal.
    o Ports infrastructure manuals (bulk(8), dpb(1) and others) are now
      included in the base install and are therefore readable without
      the ports tree.
    o Pre-built packages are available for the following architectures on
      the day of release:
       - aarch64 (arm64): 8139
       - amd64: 10304
       - i386: 10230
    o Packages for the following architectures will be made available as
      their builds complete:
       - arm
       - mips64
       - mips64el
       - powerpc
       - sparc64

 - Some highlights:

    o AFL 2.52b                       o Mutt 1.10.1 and NeoMutt 20180716
    o CMake 3.10.2                    o Node.js 8.12.0
    o Chromium 69.0.3497.100          o Ocaml 4.03.0
    o Emacs 21.4 and 26.1             o OpenLDAP 2.3.43 and 2.4.46
    o GCC 4.9.4                       o PHP 5.6.38, 7.0.32, 7.1.22 and 7.2.10
    o GHC 8.2.2                       o Postfix 3.3.1 and 3.4-20180904
    o Gimp 2.8.22                     o PostgreSQL 10.5
    o GNOME 3.28.2                    o Python 2.7.15 and 3.6.6
    o Go 1.11                         o R 3.5.1
    o Groff 1.22.3                    o Ruby 2.3.7, 2.4.4 and 2.5.1
    o JDK 8u172                       o Rust 1.29.2
    o LLVM/Clang 6.0.1                o Sendmail 8.16.0.29
    o LibreOffice 6.1.1.2             o SQLite3 3.24.0
    o Lua 5.1.5, 5.2.4 and 5.3.5      o Sudo 1.8.25
    o MariaDB 10.0.36                 o Tcl/Tk 8.5.19 and 8.6.8
    o Mono 5.14.0.177                 o TeX Live 2017
    o Mozilla Firefox 60.2.2esr and   o Vim 8.1.438
      62.0.3                          o Xfce 4.12
    o Mozilla Thunderbird 60.2.1

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.7 with xserver 1.19.6 + patches,
      freetype 2.9.1, fontconfig 2.12.4, Mesa 13.0.6, xterm 331,
      xkeyboard-config 2.20 and more)
    o LLVM/Clang 6.0.0 (+ patches)
    o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    o Perl 5.24.3 (+ patches)
    o NSD 4.1.25
    o Unbound 1.8.1
    o Ncurses 5.7
    o Binutils 2.17 (+ patches)
    o Gdb 6.3 (+ patches)
    o Awk Aug 10, 2011 version
    o Expat 2.2.6

------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each release.  Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible.  Therefore, we advise regular
visits to

        https://www.OpenBSD.org/security.html
and
        https://www.OpenBSD.org/errata.html

------------------------------------------------------------------------
- MAILING LISTS AND FAQ ------------------------------------------------

Mailing lists are an important means of communication among users and
developers of OpenBSD.  For information on OpenBSD mailing lists, please
see:

        https://www.OpenBSD.org/mail.html

You are also encouraged to read the Frequently Asked Questions (FAQ) at:

        https://www.OpenBSD.org/faq/

------------------------------------------------------------------------
- DONATIONS ------------------------------------------------------------

The OpenBSD Project is a volunteer-driven software group funded by
donations.  Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others.  This ecosystem is all handled under the same funding umbrella.

We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon
events.

All of our developers strongly urge you to donate and support our future
efforts.  Donations to the project are highly appreciated, and are
described in more detail at:

        https://www.OpenBSD.org/donations.html

------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.

There may also be exposure benefits since the Foundation may be
interested in participating in press releases.  In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at directors@openbsdfoundation.org for
more information.

------------------------------------------------------------------------
- HTTP/HTTPS INSTALLS --------------------------------------------------

OpenBSD can be easily installed via HTTP/HTTPS downloads.  Typically you
need a single small piece of boot media (e.g., a USB flash drive) and
then the rest of the files can be installed from a number of locations,
including directly off the Internet.  Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTP/HTTPS.

1) Read either of the following two files for a list of HTTP/HTTPS
   mirrors which provide OpenBSD, then choose one near you:

        https://www.OpenBSD.org/ftp.html
        https://ftp.openbsd.org/pub/OpenBSD/ftplist

   As of October 18, 2018, the following HTTP/HTTPS mirror sites have
   the 6.4 release:

        https://cdn.openbsd.org/pub/OpenBSD/6.4/        Global
        https://ftp.eu.openbsd.org/pub/OpenBSD/6.4/     Stockholm, Sweden
        https://ftp.hostserver.de/pub/OpenBSD/6.4/      Frankfurt, Germany
        http://ftp.bytemine.net/pub/OpenBSD/6.4/        Oldenburg, Germany
        https://ftp.fr.openbsd.org/pub/OpenBSD/6.4/     Paris, France
        https://mirror.aarnet.edu.au/pub/OpenBSD/6.4/   Brisbane, Australia
        https://ftp.usa.openbsd.org/pub/OpenBSD/6.4/    CO, USA
        https://ftp5.usa.openbsd.org/pub/OpenBSD/6.4/   CA, USA
        https://mirror.esc7.net/pub/OpenBSD/6.4/        TX, USA
        https://openbsd.cs.toronto.edu/pub/OpenBSD/6.4/ Toronto, Canada
        https://fastly.cdn.openbsd.org/pub/OpenBSD/6.4/ Global

        The release is also available at the master site:

        https://ftp.openbsd.org/pub/OpenBSD/6.4/        Alberta, Canada

        However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that HTTP/HTTPS mirror site and go into the directory
   pub/OpenBSD/6.4/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     arm64/           macppc/          src.tar.gz
        Changelogs/      armv7/           octeon/          sys.tar.gz
        README           hppa/            packages/        tools/
        SHA256           i386/            ports.tar.gz     xenocara.tar.gz
        SHA256.sig       landisk/         root.mail
        alpha/           loongson/        sgi/
        amd64/           luna88k/         sparc64/

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, amd64.  This is a list of what you will see:

        BOOTIA32.EFI*   bsd*            floppy64.fs     pxeboot*
        BOOTX64.EFI*    bsd.mp*         game64.tgz      xbase64.tgz
        BUILDINFO       bsd.rd*         index.txt       xfont64.tgz
        INSTALL.amd64   cd64.iso        install64.fs    xserv64.tgz
        SHA256          cdboot*         install64.iso   xshare64.tgz
        SHA256.sig      cdbr*           man64.tgz
        base64.tgz      comp64.tgz      miniroot64.fs

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
   and install64.iso.  The install64.iso file (roughly 351MB in size)
   is a one-step ISO-format install CD image which contains the various
   *.tgz files so you do not need to fetch them separately.

   If you prefer to use a USB flash drive, fetch install64.fs and
   follow the instructions in INSTALL.amd64.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.amd64.  INSTALL.amd64 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

        https://www.OpenBSD.org/errata.html

   This is the page where we talk about the mistakes we made while
   creating the 6.4 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.7.  Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc.  During installation, you can install X.Org
quite easily.  Be sure to try out xenodm(1), our new, simplified X11
display manager forked from xdm(1).

------------------------------------------------------------------------
- PACKAGES AND PORTS ---------------------------------------------------

Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures.  Please see https://www.openbsd.org/faq/faq15.html for
more information on working with packages and ports.

Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed
separately.

------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------

The source code for all four subsystems can be found in the
pub/OpenBSD/6.4/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

The README (https://ftp.OpenBSD.org/pub/OpenBSD/6.4/README) file
explains how to deal with these source files.

------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------

Ports tree and package building by Pierre-Emmanuel Andre, Landry Breuil,
Visa Hankala, Stuart Henderson, Peter Hessler, and Christian Weisgerber.
Base and X system builds by Kenji Aoyama, Theo de Raadt, and
Visa Hankala.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who bought our previous CD sets.  Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.

Our developers are:

    Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall,
    Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov,
    Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley,
    Antoine Jacoutot, Anton Lindqvist, Ayaka Koshibe, Benoit Lecocq,
    Bjorn Ketelaars, Bob Beck, Brandon Mercer, Brent Cook,
    Brian Callahan, Bryan Steele, Can Erkin Acar, Carlos Cardenas,
    Charles Longeau, Chris Cappuccio, Christian Weisgerber,
    Christopher Zimmermann, Claudio Jeker, Dale Rahn, Damien Miller,
    Daniel Dickman, Daniel Jakots, Darren Tucker, David Coppa,
    David Gwynne, David Hill, Denis Fondras, Doug Hogan, Edd Barrett,
    Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus,
    Gerhard Roth, Giannis Tsaraias, Gilles Chehade, Giovanni Bechis,
    Gleydson Soares, Gonzalo L. Rodriguez, Helg Bredow, Henning Brauer,
    Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze,
    Inoguchi Kinichiro, James Turner, Jason McIntyre,
    Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans,
    Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray,
    Jonathan Matthew, Joris Vink, Joshua Stein,
    Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama,
    Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov,
    Klemens Nanni, Kurt Miller, Landry Breuil, Lawrence Teo,
    Luke Tymowski, Marc Espie, Marco Pfatschbacher, Marcus Glocker,
    Mark Kettenis, Mark Lumsden, Markus Friedl, Martijn van Duren,
    Martin Natano, Martin Pieuchot, Martynas Venckus, Mats O Jansson,
    Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Mikonos,
    Mike Belopuhov, Mike Larkin, Miod Vallat, Nayden Markatchev,
    Nicholas Marriott, Nigel Taylor, Okan Demirmen, Otto Moerbeek,
    Pascal Stumpf, Patrick Wildt, Paul Irofti, Pavel Korovin,
    Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas,
    Rafael Sadowski, Rafael Zalamena, Remi Locherer, Remi Pointel,
    Renato Westphal, Reyk Floeter, Ricardo Mestre, Richard Procter,
    Rob Pierce, Robert Nagy, Robert Peichaer, Sasano Takayoshi,
    Scott Soule Cheloha, Sebastian Benoit, Sebastian Reitenbach,
    Sebastien Marie, Solene Rapenne, Stefan Fritsch, Stefan Kempf,
    Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson,
    Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler,
    Theo de Raadt, Thomas Frohwein, Tim van der Molen,
    Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove,
    Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov, Vincent Gross,
    Visa Hankala, Yasuoka Masahiko, Yojiro Uo