BSDSec

deadsimple BSD Security Advisories and Announcements

OpenBSD 5.7 Released

May 1, 2015.

We are pleased to announce the official release of OpenBSD 5.7.
This is our 37th release on CD-ROM (and 38th via FTP/HTTP).  We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 5.7 provides significant improvements,
including new features, in nearly all areas of the system:

 - Improved hardware support, including:
    o New xhci(4) driver for USB 3.0 host controllers.
    o New umcs(4) driver for MosChip Semiconductor 78x0 USB multiport
      serial adapters.
    o New skgpio(4) driver for Soekris net6501 GPIO and LEDs.
    o New uslhcom(4) driver for Silicon Labs CP2110 USB HID based UART.
    o New nep(4) driver for Sun Neptune 10Gb Ethernet devices.
    o New iwm(4) driver for Intel 7260, 7265, and 3160 wifi cards.
    o The rtsx(4) driver now supports RTS5227 and RTL8411B card readers.
    o The bge(4) driver now supports jumbo frames on various additional
      BCM57xx chipsets.
    o The ciss(4) driver now supports HP Gen9 Smart Array/Smart HBA
      devices.
    o The mpi(4) and mfi(4) drivers now have mpsafe interrupt handlers
      running without the big lock.
    o The ppb(4) driver now supports PCI bridges that support
      subtractive decoding (fixes PCMCIA behind the ATI SB400 PCI
      bridge), and devices with 64-bit BARs behind PCI-PCI bridges as
      seen on SPARC T5-2 systems.
    o The puc(4) driver now supports Winchiphead CH382 devices.
    o The sdmmc(4) driver now supports eMMC storage devices larger than
      2GB.
    o The sdhc(4) driver can properly resume on Ricoh controllers.
    o The sdhc(4) driver now supports Ricoh R5U822 and R5U823 card
      readers.
    o The mfii(4) driver now supports the Megaraid 3008 (Fury) and 3108
      (Invader) cards.
    o The myx(4) driver runs less code under the big lock.
    o The msk(4) driver now supports Yukon Prime, Yukon Optima 2, Yukon
      88E8079, and various EC U and Supreme chipsets.
    o The umass(4) driver now supports Archos 24y Vision devices.
    o The athn(4) driver now supports Atheros UB94 devices.
    o The azalia(4) driver now supports Realtek ALC885 codecs and Bay
      Trail HD Audio devices.
    o The ix(4) driver now supports onboard Ethernet devices in SPARC T5
      machines.
    o The upd(4) driver now handles UPSes with broken report descriptors.
    o The ums(4) driver now supports the USB Tablet device emulated by
      Qemu.
    o The umsm(4) driver now supports MEDION S4222 devices.
    o The pciide(4) driver now supports Intel C610 chipsets.
    o The ukbd(4) driver now supports "wellspring" Apple keyboards.
    o The pms(4) driver now supports click-and-drag with Elantech v4
      touchpads.
    o The umodem(4) driver now supports Arduino Leonardo devices.
    o The sk(4) driver now supports receive ring scaling.
    o Replaced custom jumbo allocators in sk(4), nge(4), lge(4), and
      ti(4) with MCLGETI(9).
    o Wireless network scanning problems with the iwn(4) driver have
      been fixed.
    o Support for RS* IGP Radeon devices in the radeondrm(4) driver has
      been fixed.
    o PowerMac7,2 and PowerMac7,3 can now boot with a multiprocessor
      kernel.

 - Removed hardware support:
    o The lofn(4) and nofn(4) drivers for Hifn crypto accelerator
      devices have been removed.
    o The art(4) driver for Accoom Networks Artery T1/E1 devices has been
      removed.
    o The urio(4) driver for Diamond Multimedia Rio MP3 players has been
      removed.

 - Generic network stack improvements:
    o The routing table is now used for most of the address lookup
      operations superseding the RB-tree and IPv4 address list.
    o The SipHash algorithm is now used for PCB hashing, trunk(4)
      loadbalancing, pf(4) and bridge(4).
    o Traffic destined to link-local IPv6 addresses can now be seen
      with tcpdump(8).
    o A carp(4) interface now needs to be configured with an explicit
      carpdev parent interface.
    o The mbuf(9) layer has been made mpsafe.
    o Introduce mbuf_list and mbuf_queue structures and APIs.
    o Support changing the IPv6 input queue length via sysctl(1) and
      net.inet6.ip6.ifq.

 - Installer improvements:
    o The etc and xetc sets are now part of base and xbase and are not
      distributed separately anymore. They are extracted from base and
      xbase during installation and upgrades.
      Note that this includes the rc and rc.conf files!
    o The installer now supports trunk(4) interfaces during upgrades.
    o The discovery of the responsefile location for unattended
      installation and upgrades has been extended to be more flexible.
       - Ask for the location if DHCP discovery fails for location or
         mode.
       - Provide a default URL if the 'next-server' DHCP option is found.
       - Use /auto_install.conf or /auto_upgrade.conf if present.
       - Automatically start the installer in unattended mode if either
         one of these files is present when the system boots. 
    o Ignore hostname.if.* files when upgrading.
    o Configure all physical interfaces before any dynamic interface
      types (e.g. trunks, vlans) when upgrading.
    o fdisk(8) now zeros out GPT signatures found when writing out an
      MBR that has been re-initialized and has no EFI or EFISYS
      partition.
    o Fixed manipulation of 'ro' and 'rw' fstab options to avoid damage
      to other options that happen to contain 'ro' or 'rw'.
    o The ramdisk binary (one binary contains all the commands) is now
      compiled without optimization and security features. The benefit
      is a substantial saving in space, allowing more features in the
      future.

 - Routing daemons and other userland network improvements:
    o nginx has been removed from base -- use the package if you need it.
    o sliplogin has been removed.
    o Sendmail has been removed from base -- use the package if you need
      it.
    o IPv6 router solicitations are now sent by the kernel ("inet6
      autoconf"); rtsol(8) and rtsold(8) are no longer necessary and
      have been removed.
    o Enhancements and bugfixes in arp(8) and ndp(8).
    o The effects of the AI_ADDRCONFIG flag on getaddrinfo(3) results
      are limited to DNS queries. This avoids erratic behavior with
      transient network problems, "raw" addresses and localhost entries
      in /etc/hosts.
    o gethostbyname(3) now no longer fails when more than 16
      addresses/aliases are returned. The original pre-asr limit of 35
      has been restored, with additional results being truncated.
    o tftp(1) now supports sending or receiving files larger than 65536
      blocks in size. 

 - Security improvements:
    o Stricter enforcement of W^X in the kernel address space,
      especially on architectures with the right featureset (amd64, in
      particular, has seen substantial improvements).
    o Support for loadable kernel modules has been removed.
    o procfs has been removed.
    o Comprehensive audit of the tree to use the reallocarray(3) idiom
      throughout.
    o Many conversions from select(2) to poll(2).
    o /var/tmp is now a symbolic link to /tmp, as a first step towards
      reducing the "fill it up" attack surface against the /var
      partition.
    o memcpy(3) with overlapping arguments now aborts a program (with a
      syslog report), allowing these problems to be found. Overlapping
      copies should use memmove(3). Sometime after 5.7 release, having
      learned more about the situation and repairing instances that are
      discovered by users during release use, we will go back to the
      optimized version.
    o Change rand(3), random(3), drand48(3), lrand48(3), mrand48(3),
      srand48(3) to return non-deterministic strong random values by
      default, sourced from arc4random(3). New functions
      srand_deterministic(3), srandom_deterministic(3),
      seed48_deterministic(3) and lcong48_deterministic(3) are added for 
      cases where determinism needs to be requested.
    o At resume (or unhibernate) time, use a variety of methods to
      reseed the random number generator. This also works on VMs which
      wake up (if a wakeup event is seen).
    o All architectures have been transitioned to static PIE, meaning
      the statically linked binaries in /bin and /sbin now have randomly
      located text segments.
    o Allow larger .openbsd.randomdata ELF segments.
    o Sync kernel AES code and ssh(1) AES code to the one shipped with
      OpenSSL/LibreSSL.
    o Removed passwd(1) support for all password ciphers except
      blowfish(3).
    o Use sha512 instead of md5 for tcp(4) initial sequence number.
    o Use sha512 instead of md5 in the random number generator.
    o Delete secret or secret-derived data in many base utilities with
      explicit_bzero(3). 
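
Two of the libc changes above, the reallocarray(3) idiom and the memcpy(3) overlap abort, are easiest to see in code. The following C program is an added example, not code from the OpenBSD tree: checked_reallocarray is a hypothetical name that reimplements the overflow check reallocarray(3) performs (so the example also builds on a libc that lacks it), naive_multiply_wraps shows what the older malloc(n * size) idiom does on an attacker-chosen count, ranges_overlap is the kind of test the new memcpy(3) applies before aborting, and shift_left is the common overlapping copy that must use memmove(3).

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* If both operands are below 2^(bits/2) the product cannot overflow, so the
 * division is only needed for large operands. Same threshold idea as
 * reallocarray(3); the function name below is hypothetical. */
#define MUL_NO_OVERFLOW ((size_t)1 << (sizeof(size_t) * 4))

void *checked_reallocarray(void *ptr, size_t nmemb, size_t size)
{
    if ((nmemb >= MUL_NO_OVERFLOW || size >= MUL_NO_OVERFLOW) &&
        nmemb > 0 && SIZE_MAX / nmemb < size) {
        errno = ENOMEM;        /* refuse instead of returning a tiny buffer */
        return NULL;
    }
    return realloc(ptr, nmemb * size);
}

/* The pre-audit idiom: malloc(nmemb * size). Returns 1 when the product
 * wraps, i.e. the allocation would be far smaller than the caller expects
 * (for SIZE_MAX/2+1 elements of 4 bytes the product is 0) and the writes
 * that follow would run off the end of the heap chunk. */
int naive_multiply_wraps(size_t nmemb, size_t size)
{
    size_t bytes = nmemb * size;           /* modular arithmetic, no error */
    return nmemb != 0 && bytes / nmemb != size;
}

/* Overlap test of the kind the 5.7 memcpy(3) applies before aborting.
 * Compared as integers so the test is well defined for unrelated objects. */
int ranges_overlap(const void *dst, const void *src, size_t len)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    if (len == 0)
        return 0;
    return (d <= s && d + len > s) || (s <= d && s + len > d);
}

/* Drop the first element of an array: source and destination overlap, so
 * memmove(3) is the correct call (memcpy(3) would now abort on OpenBSD).
 * Returns the new first element, or -1 for an empty array. */
int shift_left(int *a, size_t n)
{
    if (n > 1)
        memmove(a, a + 1, (n - 1) * sizeof *a);
    return n > 0 ? a[0] : -1;
}

int main(void)
{
    int a[4] = { 1, 2, 3, 4 };
    size_t huge = SIZE_MAX / 2 + 1;        /* constructed hostile count */

    printf("naive idiom wraps for huge x 4: %d\n", naive_multiply_wraps(huge, 4));
    printf("checked_reallocarray refuses: %s\n",
        checked_reallocarray(NULL, huge, 4) == NULL ? "yes" : "no");
    printf("shift_left source/destination overlap: %d\n",
        ranges_overlap(a, a + 1, 3 * sizeof *a));
    printf("first element after shift: %d\n", shift_left(a, 4));
    return 0;
}
```

The division in checked_reallocarray only runs when an operand is large, which is why the idiom is cheap enough to use throughout a tree; the point of the audit is that every count that reaches an allocation is checked, not only the ones a reviewer happened to notice.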

 - Assorted improvements:
    o New rcctl(8) utility to control daemons.
    o fw_update(1) has been rewritten to be faster and smarter.
    o Cleanup libevent(3), the compatibility layer for other operating
      systems has been removed. The API is still compatible with
      upstream libevent 1.4.15-stable.
    o openssl(1) s_client now supports a -proxy parameter for connecting
      over an HTTP proxy.
    o gzsig has been removed.
    o Switch to fast assembly versions of some libc functions on amd64.
    o Frequency scaling has been moved from apmd(8) to the kernel with
      an improved algorithm.
    o Switch last workq API uses to taskq API and remove all traces of
      workq.
    o Use services(5) names in the default pf rules in force during
      startup.
    o what(1) now correctly displays $OpenBSD$ expansions.
    o dhcpd(8) now removes addresses from its pf table a single time
      when they expire, rather than at every timeout after the expiry.
    o dhcpd(8) now ensures that the pf table process exits when the main
      process does.
    o dhcpd(8) has more informative log entries for DHCPACKs issued in
      response to DHCPINFORM messages.
    o Added POSIX types blkcnt_t (int64) and blksize_t (int32), and used
      them for st_blocks (formerly int64_t) and st_blksize (formerly
      u_int32_t) in struct stat.
    o Improved typography for banner(6).
    o dhclient(8) adjusts MTU when the interface-mtu DHCP option is
      provided.
    o Various memory leaks in dhclient(8) plugged, providing more
      stability for long running (in terms of time or renewals)
      instances.
    o The dhclient(8) command line options -q (quiet) and -d (don't
      daemonize) are now mutually exclusive.
    o The communication between the privileged and unprivileged
      dhclient(8) processes was reworked to further minimize information
      sharing.
    o dhclient(8) ensures lease timeouts (renew, rebind, expire) are
      sane and uses default values closer to RFC suggestions.
    o dhclient(8) no longer crashes when a lease expires and cannot be
      renewed or replaced.
    o dhclient(8) improved tracking network interface link states.
    o Improved network error tracking and accounting in dhclient(8).
    o Private number conversion functions in dhclient(8) eliminated in
      favour of standard library functions.
    o Further signal race cleanups in ftp(1).
    o BIND has been retired, encouraging use of nsd(8) and unbound(8).
    o Significant namespace cleanup in the /usr/include files,
      especially related to <sys/param.h> and <limits.h>.
    o softraid(4) RAID1 and CRYPTO volumes are now bootable on the
      sparc64 platform.
    o relayd(8) now uses "TLS" rather than "SSL" terminology to reflect
      the deprecation of the latter.
    o relayd(8) now supports the random and source-hash modes with
      redirections.
    o relayd(8) now supports the OPENBSD-RELAYD-MIB via agentx with
      snmpd(8).
    o Added interfaces for setting the close-on-exec flag and/or
      non-blocking mode on new file descriptors: pipe2(2), dup3(2),
      accept4(2), mkostemp(3), mkostemps(3), the SOCK_CLOEXEC and
      SOCK_NONBLOCK flags for socket(2) and socketpair(2), and the
      MSG_CMSG_CLOEXEC flag for recvmsg(2). In addition,
      posix_spawn_file_actions_adddup2(3) now always clears the
      close-on-exec flag.
    o Added interfaces for setting the close-on-exec flag on new FILE
      handles and for requesting exclusive creation via the 'e' and
      'x' mode letters for fopen(3), fdopen(3), freopen(3), and popen(3).
    o Many library functions and programs changed to use the above for
      safety or simplicity.
    o Added chflagsat(2), sockatmark(3), and stravis(3).
    o Merged performance and safety fixes for fts(3) from FreeBSD.
    o Merged fixes for file descriptor leaks in various rpc(3) functions
      from NetBSD.
    o Added a kern.global_ptrace sysctl(1) to disable, by default, the
      ability to ptrace(2) processes that aren't your descendants.
    o kdump(1) now always displays both the numeric and the textual
      forms for users, groups, timestamps, and sysctl ids, eliminating
      the -r option. It also auto-selects between decimal and hex format
      for arguments, renders more types of flags, and is more robust
      when parsing corrupt ktrace files.
    o chmod(1)/chgrp(1)/chown(8) now comply with POSIX's requirements
      when they encounter symlinks when the -R option is used, and are
      safe from race conditions when doing so.
    o The dmesg(8) utility can now display the console message buffer in
      addition to the system message buffer.
    o inetd(8) now uses libevent instead of select(3).
    o Reworking of the kernel pool(9) implementation to provide mpsafety
      and pave the way for performance improvements.
    o Removed the workq API after replacing it with the task API.
    o Add support for creating kernel threads that cannot sleep to
      taskq_create(9).
    o Completed the implementation of the atomic (eg, atomic_cas_uint(9),
      atomic_swap_uint(9), atomic_add_int(9), atomic_sub_int(9),
      atomic_inc_int(9), and atomic_dec_int(9)) and membar
      (membar_sync(9)) APIs across all supported architectures.
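
The close-on-exec interfaces listed above exist to remove a race, not to save a line. The following C program is an added example, not OpenBSD code: it contrasts the older two-step pattern (create, then fcntl(2)) with the atomic forms pipe2(2), SOCK_CLOEXEC and the fopen(3) 'e' and 'x' mode letters, and verifies each result with fcntl(F_GETFD). It assumes a system that provides those interfaces (OpenBSD 5.7 and Linux with glibc both do; _GNU_SOURCE is defined only so glibc exposes the prototypes). accept4(2) and dup3(2) follow the same pattern and are omitted.

```c
#define _GNU_SOURCE   /* pipe2(2) and the "e"/"x" fopen modes on glibc; no effect on OpenBSD */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* 1 if fd has FD_CLOEXEC, 0 if not, -1 if fd is invalid. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Pre-5.7 pattern: create the descriptors, then mark them. Between the two
 * calls another thread may fork(2) and exec(3), and that child inherits the
 * still-unmarked descriptors. */
int pipe_then_fcntl(int fds[2])
{
    if (pipe(fds) == -1)
        return -1;
    /* race window: fds[0] and fds[1] are inheritable here */
    for (int i = 0; i < 2; i++)
        if (fcntl(fds[i], F_SETFD, FD_CLOEXEC) == -1)
            return -1;
    return 0;
}

/* 5.7 pattern: the flag is applied inside the call that creates the fd. */
int pipe_atomic(int fds[2])
{
    return pipe2(fds, O_CLOEXEC);
}

int socket_atomic(void)
{
    return socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
}

/* fopen(3) 'e' mode letter: the FILE's descriptor starts out close-on-exec.
 * Returns the fd_is_cloexec() result for the opened file. */
int fopen_cloexec_check(const char *path)
{
    FILE *fp = fopen(path, "re");
    if (fp == NULL)
        return -1;
    int r = fd_is_cloexec(fileno(fp));
    fclose(fp);
    return r;
}

/* fopen(3) 'x' mode letter: exclusive creation (O_EXCL), so a pre-existing
 * file or symlink at the path is refused rather than written through.
 * Returns 1 if the file was created, 0 if it already existed, -1 otherwise. */
int create_exclusive(const char *path)
{
    FILE *fp = fopen(path, "wx");
    if (fp != NULL) {
        fclose(fp);
        return 1;
    }
    return errno == EEXIST ? 0 : -1;
}

/* Exercise the atomic variants; 1 only if every descriptor came out marked. */
int all_cloexec(void)
{
    int fds[2], s, ok = 1;

    if (pipe_atomic(fds) == -1)
        return 0;
    ok &= fd_is_cloexec(fds[0]) == 1 && fd_is_cloexec(fds[1]) == 1;
    close(fds[0]);
    close(fds[1]);

    if ((s = socket_atomic()) == -1)
        return 0;
    ok &= fd_is_cloexec(s) == 1;
    close(s);

    ok &= fopen_cloexec_check("/dev/null") == 1;
    return ok;
}

int main(void)
{
    printf("all descriptors close-on-exec: %s\n", all_cloexec() ? "yes" : "no");
    printf("exclusive create of /dev/null: %d (0 = already exists)\n",
        create_exclusive("/dev/null"));
    return 0;
}
```

Both patterns end with the same flag set, which is why the race is easy to miss in review: the difference is only visible in a multithreaded program that forks between the two calls, and the atomic interfaces remove that window entirely.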

 - OpenBSD httpd(8):
    o SSLv2/3 is not supported anymore; renamed all occurrences of "SSL"
      to "TLS".
    o Various TLS improvements with better support for ECDHE/DHE forward
      secrecy.
    o Improved support for virtual hosts by supporting name- and
      IP-based aliases.
    o Added support for basic authentication by checking against files
      created with htpasswd(1).
    o Added support for custom error codes, blocking and dropping of
      connections.
    o Added support for redirections and macros in specified target URLs.
    o Added the "root strip" option to sanitize PATH_INFO for some CGI
      scripts.
    o Added an option to specify an alternative log directory instead of
      /var/www/logs.
    o Various FastCGI improvements; httpd(8) is now compatible with many
      well-known web applications.
    o Various other fixes and improvements.

 - OpenSMTPD 5.4.4:
    o SSLv3 is not supported anymore.
    o Added support for a new message and headers parser.
    o Added support for append-domain.
    o Restricted address lookups to configured address families.
    o Domain is no longer required when mailing a local user.
    o Various other fixes and improvements.

 - OpenSSH 6.8:
    o Potentially-incompatible changes:
       - sshd(8): UseDNS now defaults to 'no'. Configurations that match
         against the client host name (via sshd_config(5) or
         authorized_keys) may need to re-enable it or convert to
         matching against addresses. 
    o New/changed features:
       - Much of OpenSSH's internal code has been re-factored to be more
         library-like. These changes are mostly not user-visible, but
         have greatly improved OpenSSH's testability and internal layout.
       - Add FingerprintHash option to ssh(1) and sshd(8), and
         equivalent command-line flags to the other tools to control
         algorithm used for key fingerprints. The default changes from
         MD5 to SHA256 and format from hex to base64. Fingerprints now
         have the hash algorithm prepended. Please note that visual host
         keys will also be different.
       - ssh(1), sshd(8): Experimental host key rotation support. Add a
         protocol extension for a server to inform a client of all its
         available host keys after authentication has completed. The
         client may record the keys in known_hosts, allowing it to
         upgrade to better host key algorithms and a server to
         gracefully rotate its keys. The client side of this is
         controlled by a UpdateHostkeys config option (default off).
       - ssh(1): Add a ssh_config(5) HostbasedKeyType option to control
         which host public key types are tried during host-based
         authentication.
       - ssh(1), sshd(8): fix connection-killing host key mismatch
         errors when sshd(8) offers multiple ECDSA keys of different
         lengths.
       - ssh(1): when host name canonicalisation is enabled, try to
         parse host names as addresses before looking them up for
         canonicalisation. Fixes bz#2074 and avoids needless DNS
         lookups in some cases.
       - ssh-keygen(1), sshd(8): Key Revocation Lists (KRLs) no longer
         require OpenSSH to be compiled with OpenSSL support.
       - ssh(1), ssh-keysign(8): Make ed25519 keys work for host based
         authentication.
       - sshd(8): SSH protocol v.1 workaround for the Meyer, et al.,
         Bleichenbacher Side Channel Attack. Fake up a bignum key before
         RSA decryption.
       - sshd(8): Remember which public keys have been used for
         authentication and refuse to accept previously-used keys. This
         allows AuthenticationMethods=publickey,publickey to require
         that users authenticate using two different public keys.
       - sshd(8): add sshd_config(5) HostbasedAcceptedKeyTypes and
         PubkeyAcceptedKeyTypes options to allow sshd(8) to control what
         public key types will be accepted. Currently defaults to all.
       - sshd(8): Don't count partial authentication success as a
         failure against MaxAuthTries.
       - ssh(1): Add RevokedHostKeys option for the client to allow
         text-file or KRL-based revocation of host keys.
       - ssh-keygen(1), sshd(8): Permit KRLs that revoke certificates by
         serial number or key ID without scoping to a particular CA.
       - ssh(1): Add a "Match canonical" criteria that allows
         ssh_config(5) Match blocks to trigger only in the second config
         pass.
       - ssh(1): Add a -G option to ssh(1) that causes it to parse its
         configuration and dump the result to stdout, similar to "sshd
         -T".
       - ssh(1): Allow Match criteria to be negated (e.g. "Match !host").
       - The regression test suite has been extended to cover more
         OpenSSH features. The unit tests have been expanded and now
         cover key exchange. 
    o The following significant bugs have been fixed in this release:
       - ssh-keyscan(1): ssh-keyscan(1) has been made much more robust
         against servers that hang or violate the SSH protocol.
       - ssh(1), ssh-keygen(1): Fix regression bz#2306: Key path names
         were being lost as comment fields.
       - ssh(1): Allow ssh_config(5) Port options set in the second
         config parse phase to be applied (they were being ignored).
         (bz#2286)
       - ssh(1): Tweak config re-parsing with host canonicalisation --
         make the second pass through the config files always run when
         host name canonicalisation is enabled (and not whenever the
         host name changes). (bz#2267)
       - ssh(1): Fix passing of wildcard forward bind addresses when
         connection multiplexing is in use. (bz#2324)
       - ssh-keygen(1): Fix broken private key conversion from
         non-OpenSSH formats. (bz#2345)
       - ssh-keygen(1): Fix KRL generation bug when multiple CAs are in
         use.
       - Various fixes to manual pages. (bz#2273, bz#2288 and bz#2316)

 - LibreSSL
    o User-visible features:
       - Reluctantly add server-side support for TLS_FALLBACK_SCSV.
       - Import BoringSSL's crypto bytestring and crypto bytebuilder
         APIs.
       - Jettison DTLS over SCTP.
       - Move openssl(1) from /usr/sbin/openssl to /usr/bin/openssl.
       - Two important cipher suites, GOST and Camellia, have been
         reworked or reenabled, providing better interoperability with
         systems around the world.
       - libtls: New API for loading CA chains directly from memory
         instead of a file, allowing verification with privilege
         separation in a chroot(8) without direct access to CA
         certificate files.
       - libtls: Ciphers default to TLSv1.2 with AEAD and PFS.
       - libtls: Improved error handling and message generation.
       - Added X509_STORE_load_mem API for loading certificates from
         memory. This facilitates accessing certificates from a chrooted
         environment.
       - New AEAD "MAC alias" allows configuring TLSv1.2 AEAD ciphers by
         using 'TLSv1.2+AEAD' as the cipher selection string.
       - New openssl(1) command 'certhash' replaces the c_rehash script.
       - Application-Layer Protocol Negotiation (ALPN) support. 
    o Code improvements:
       - Dead and disabled code removal including MD5, Netscape
         workarounds, non-POSIX IO, SCTP, RFC 3779 support, "#if 0"
         sections, and more.
       - The ASN1 macros are expanded to aid readability and
         maintainability.
       - Various NULL pointer asserts removed in favor of letting the
         OS/signal handler catch them.
       - Dozens of issues found with the Coverity scanner fixed. 
    o Security updates:
       - Fix a Bleichenbacher style timing oracle with bad PKCS padding.
       - Fix memory leaks.
       - Address POODLE attack by disabling SSLv3 by default.
       - SHA256 Camellia cipher suites for TLS 1.2 from RFC 5932.
       - Earlier libtls support for non-blocking sockets and randomized
         session ID contexts.
       - Ensure the stack is marked non-executable for assembly sections.
       - Multiple CVEs fixed including CVE-2014-3506, CVE-2014-3507,
         CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511,
         CVE-2014-3570, CVE-2014-3572, CVE-2014-8275, CVE-2015-0205 and
         CVE-2015-0206.

 - mandoc 1.13.3:
    o man(1), apropos(1), and mandoc(1) now have a unified user
      interface, all with the same options, and are in fact all
      implemented by the same binary program.
    o For man(1), this implies new options -l and -IKOTW, and it now
      finds manual pages by the names in their NAME sections even if
      they lack matching file names.
    o For apropos(1), this implies new options -acfhklw and -IKOTW.
    o For mandoc(1), this implies new options -acfhkl.
    o mandoc(1) now automatically detects and transparently accepts
      input encoded in utf-8 and iso-8859-1, and provides a new option
      -K to explicitly specify the input encoding.
    o The mandoc(1) default output mode now is -Tlocale rather than
      -Tascii.
    o eqn(7) now supports in-line equations, and terminal rendering of
      equations is considerably improved.
    o mandoc(1) -Thtml now generates polyglot HTML5 and renders eqn(7)
      using MathML.
    o mandoc(1) can no longer fail with fatal errors, no matter how
      broken the input file may be, and the -Wfatal message level no
      longer has any effect. A new diagnostic level -Wunsupp is
      provided. Besides, many diagnostic messages are now more specific.
    o Many crashes were fixed that Jonathan Gray found with the American
      Fuzzy Lop (afl). 

 - Syslogd:
    o OpenBSD syslogd(8) is based on libevent now.
    o Sending and receiving UDP messages works with both IPv4 and IPv6.
    o Syslog messages can also be sent over TCP or TLS. The syntax to
      specify the loghost is documented in syslog.conf(5).
    o Sending over TCP and TLS is reliable. If a connection terminates,
      syslogd tries to reconnect. When the message buffer in memory gets
      full, the number of dropped messages is counted and logged.
    o With TLS, the x509 certificate of the syslog server is verified.
    o The maximum message size has been increased according to the newer RFC.

 - Ports and packages:
    o Over 9,000 ports.

 - Many pre-built packages for each architecture:
    o i386:   8722                    o sparc64:  8184
    o alpha:  6811                    o sh:       0
    o amd64:  8745                    o powerpc:  8286
    o sparc:  4026                    o arm:      0
    o hppa:   6718                    o vax:      1550
    o mips64: 1595                    o mips64el: 6914
    o m88k:   1148

 - Some highlights:

    o Chromium 40.0.2214.115
    o Emacs 21.4 and 24.4
    o GCC 4.8.4 and 4.9.2
    o GHC 7.8.4
    o GNOME 3.14.2
    o Go 1.4.1
    o Groff 1.22.3
    o JDK 1.7.0.71
    o KDE 3.5.10 and 4.14.3
    o LLVM/Clang 3.5 (20140228)
    o LibreOffice 4.3.5.2
    o MariaDB 10.0.16
    o Mono 3.12.0
    o Mozilla Firefox 31.4.0esr and 35.0.1
    o Mozilla Thunderbird 31.4.0
    o Node.js 0.10.35
    o OpenLDAP 2.3.43 and 2.4.40
    o PHP 5.3.29, 5.4.38, 5.5.22 and 5.6.5
    o Postfix 2.11.4
    o PostgreSQL 9.4.1
    o Python 2.7.9 and 3.4.2
    o R 3.1.2
    o Ruby 1.8.7.374, 1.9.3.551, 2.0.0.598, 2.1.5, and 2.2.0
    o Sendmail 8.15.1
    o Tcl/Tk 8.5.16 and 8.6.2
    o TeX Live 20
    o Vim 7.4.475
    o Xfce 4.10

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.7 with xserver 1.16.4 + patches,
      freetype 2.5.5, fontconfig 2.11.1, Mesa 10.2.9, xterm 314,
      xkeyboard-config 2.13 and more)
    o Gcc 4.2.1 (+ patches) and 3.3.6 (+ patches)
    o Perl 5.20.1 (+ patches)
    o SQLite 3.8.6 (+ patches)
    o NSD 4.1.1
    o Unbound 1.5.2
    o Sudo 1.7.2p8
    o Ncurses 5.7
    o Binutils 2.15 (+ patches)
    o Gdb 6.3 (+ patches)
    o Less 458 (+ patches)
    o Awk Aug 10, 2011 version

If you'd like to see a list of what has changed between OpenBSD 5.6
and 5.7, look at

        http://www.OpenBSD.org/plus57.html

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.

------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each CD release.  As usual, between the
creation of the OpenBSD 5.7 HTTP/CD-ROM binaries and the actual 5.7
release date, our team found and fixed some new reliability problems
(note: most are minor and in subsystems that are not enabled by
default).  Our continued research into security means we will find
new security problems -- and we always provide patches as soon as
possible.  Therefore, we advise regular visits to

        http://www.OpenBSD.org/security.html
and
        http://www.OpenBSD.org/errata.html

------------------------------------------------------------------------
- MAILING LISTS --------------------------------------------------------

Mailing lists are an important means of communication among users and
developers of OpenBSD.  For information on OpenBSD mailing lists, please
see:

        http://www.OpenBSD.org/mail.html

------------------------------------------------------------------------
- CD-ROM SALES ---------------------------------------------------------

OpenBSD 5.7 is also available on CD-ROM.  The 3-CD set costs 44 EUR and
is available via web order worldwide.

The CD set includes a colourful booklet which carefully explains the
installation of OpenBSD.  A new set of cute little stickers is also
included (sorry, but our HTTP mirror sites do not support STP, the Sticker
Transfer Protocol).  As an added bonus, the second CD contains an audio
track, a song entitled "Source Fish".  MP3 and OGG versions of
the audio track can be found on the first CD.

Lyrics (and an explanation) for the songs may be found at:

    http://www.OpenBSD.org/lyrics.html#57

Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 5.7 CD-ROMs are bootable on the following platforms:

  o i386
  o amd64
  o macppc
  o sparc64

(Other platforms must boot from network, floppy, or other method).

For more information on ordering CD-ROMs, see:

        http://www.OpenBSD.org/orders.html

All of our developers strongly urge you to buy a CD-ROM and support
our future efforts.  Additionally, donations to the project are
highly appreciated, as described in more detail at:

        http://www.OpenBSD.org/donations.html

------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.  There may also be exposure benefits
since the Foundation may be interested in participating in press releases.
In turn, the Foundation then uses these contributions to assist OpenBSD's
infrastructure needs.  Contact the foundation directors at
directors@openbsdfoundation.org for more information.

------------------------------------------------------------------------
- T-SHIRT SALES --------------------------------------------------------

The OpenBSD distribution companies also sell T-shirts and polo shirts,
with new and old designs, available from our web ordering system.

------------------------------------------------------------------------
- HTTP INSTALLS --------------------------------------------------------

If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via HTTP downloads.  Typically you need a single
small piece of boot media (e.g., a USB flash drive) and then the rest
of the files can be installed from a number of locations, including
directly off the Internet.  Follow this simple set of instructions
to ensure that you find all of the documentation you will need
while performing an install via HTTP.  With the CD-ROMs,
the necessary documentation is easier to find.

1) Read either of the following two files for a list of HTTP
   mirrors which provide OpenBSD, then choose one near you:

        http://www.OpenBSD.org/ftp.html
        http://ftp.openbsd.org/pub/OpenBSD/ftplist

   As of May 1, 2015, the following HTTP mirror sites have the 5.7 release:

        http://ftp.eu.openbsd.org/pub/OpenBSD/5.7/      Stockholm, Sweden
        http://ftp.bytemine.net/pub/OpenBSD/5.7/        Oldenburg, Germany
        http://ftp.ch.openbsd.org/pub/OpenBSD/5.7/      Zurich, Switzerland
        http://ftp.fr.openbsd.org/pub/OpenBSD/5.7/      Paris, France
        http://ftp5.eu.openbsd.org/pub/OpenBSD/5.7/     Vienna, Austria
        http://mirror.aarnet.edu.au/pub/OpenBSD/5.7/    Brisbane, Australia
        http://ftp.usa.openbsd.org/pub/OpenBSD/5.7/     CO, USA
        http://ftp5.usa.openbsd.org/pub/OpenBSD/5.7/    CA, USA
        http://mirror.esc7.net/pub/OpenBSD/5.7/         TX, USA

        The release is also available at the master site:

        http://ftp.openbsd.org/pub/OpenBSD/5.7/          Alberta, Canada

        However, it is strongly suggested that you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that HTTP mirror site and go into the directory
   pub/OpenBSD/5.7/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     alpha/           luna88k/         sparc/
        Changelogs/      amd64/           macppc/          sparc64/
        HARDWARE         armv7/           octeon/          src.tar.gz
        PACKAGES         aviion/          packages/        sys.tar.gz
        PORTS            hppa/            ports.tar.gz     tools/
        README           i386/            root.mail        vax/
        SHA256           landisk/         sgi/             xenocara.tar.gz
        SHA256.sig       loongson/        socppc/          zaurus/

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        HARDWARE        - list of hardware we support
        PORTS           - description of our ports tree
        PACKAGES        - description of pre-compiled packages
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, amd64.  This is a list of what you will see:

        INSTALL.amd64   bsd.rd*         game57.tgz      pxeboot*
        SHA256          cd57.iso        index.txt       xbase57.tgz
        SHA256.sig      cdboot*         install57.fs    xfont57.tgz
        base57.tgz      cdbr*           install57.iso   xserv57.tgz
        bsd*            comp57.tgz      man57.tgz       xshare57.tgz
        bsd.mp*         floppy57.fs     miniroot57.fs
                                                                          
   If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
   and install57.iso.  The install57.iso file (roughly 250MB in size)
   is a one-step ISO-format install CD image which contains the various
   *.tgz files so you do not need to fetch them separately.

   If you prefer to use a USB flash drive, fetch install57.fs and
   follow the instructions in INSTALL.amd64.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.amd64.  INSTALL.amd64 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

        http://www.OpenBSD.org/errata.html

   This is the page where we talk about the mistakes we made while
   creating the 5.7 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

Note: If you end up needing to write a raw floppy using Windows,
      you can use "fdimage.exe" located in the pub/OpenBSD/5.7/tools
      directory to do so.
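The directory listings above include a SHA256 manifest and its signify(1) signature SHA256.sig next to the sets. Before using anything you fetched over plain HTTP, check that what arrived is what the project published: the SHA256 file catches truncated or corrupted downloads, and SHA256.sig (checked with `signify -C -p /etc/signify/openbsd-57-base.pub -x SHA256.sig`, as described in signify(1)) is what ties that manifest to the OpenBSD release key rather than to whichever mirror served it. The script below is an added example and is not part of the announcement or of OpenBSD itself. It parses the BSD-style manifest lines (`SHA256 (filename) = <hex digest>`) and recomputes digests for the files you actually downloaded, skipping sets you chose not to fetch. The file names in the demonstration are taken from the amd64 listing above; their contents and digests are constructed in a temporary directory so the script runs offline with no network access.

```shell
#!/bin/sh
# Added example, not part of the OpenBSD 5.7 announcement: verify files fetched
# from a mirror against the SHA256 manifest that sits in the same directory.
# The manifest uses the BSD format "SHA256 (filename) = <64 hex digits>".
# Sample files and manifest lines in demo() are constructed in a temporary
# directory so the script runs offline; no release files are downloaded.

# Digest helper: OpenBSD ships sha256(1), most Linux systems sha256sum(1).
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d' ' -f1
    fi
}

# verify_manifest MANIFEST DIR
# Checks every file named in MANIFEST that is present in DIR.  Succeeds only
# if at least one file was checked and none mismatched; files listed in the
# manifest but not downloaded are skipped (you rarely fetch every set).
verify_manifest() {
    manifest=$1; dir=$2; checked=0; failed=0
    while IFS= read -r line; do
        case $line in
            'SHA256 ('*') = '*) ;;   # a manifest entry
            *) continue ;;           # blank lines, comments, signify headers
        esac
        name=${line#SHA256 (}
        name=${name%%)*}
        expected=${line##*) = }
        if [ ! -f "$dir/$name" ]; then
            echo "SKIP $name (not downloaded)"
            continue
        fi
        actual=$(sha256_of "$dir/$name")
        if [ "$actual" = "$expected" ]; then
            echo "OK   $name"
        else
            echo "FAIL $name"
            failed=$((failed + 1))
        fi
        checked=$((checked + 1))
    done < "$manifest"
    if [ "$checked" -gt 0 ] && [ "$failed" -eq 0 ]; then
        return 0
    fi
    return 1
}

# Demonstration on constructed data: a manifest that matches, then a file that
# was altered after the manifest was written (as a truncated or tampered
# download would be).  Returns 0 if the first run passed and the second failed.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed stand-in for base57.tgz\n' > "$tmp/base57.tgz"
    printf 'constructed stand-in for bsd.rd\n' > "$tmp/bsd.rd"
    {
        printf 'SHA256 (base57.tgz) = %s\n' "$(sha256_of "$tmp/base57.tgz")"
        printf 'SHA256 (bsd.rd) = %s\n' "$(sha256_of "$tmp/bsd.rd")"
        # Listed but not fetched: must be skipped, not counted as a failure.
        printf 'SHA256 (comp57.tgz) = %064d\n' 0
    } > "$tmp/SHA256"

    if verify_manifest "$tmp/SHA256" "$tmp"; then good=0; else good=1; fi
    printf 'trailing garbage\n' >> "$tmp/bsd.rd"
    if verify_manifest "$tmp/SHA256" "$tmp"; then bad=0; else bad=1; fi
    rm -rf "$tmp"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo
```

On an OpenBSD host this script is unnecessary: `sha256 -c SHA256` performs the same comparison natively, and `signify -C` verifies the signature and the listed files in one step. The script is for the common case of preparing install media on some other system that has neither tool, and its result is only as trustworthy as the signature check on SHA256.sig you do first.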

------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.7.  Most of our architectures ship with X.Org, including
amd64, sparc, sparc64 and macppc.  During installation, you can install
X.Org quite easily.  Be sure to try out xdm(1) and see how we have
customized it for OpenBSD.

------------------------------------------------------------------------
- PORTS TREE -----------------------------------------------------------

The OpenBSD ports tree contains automated instructions for building
third party software.  The software has been verified to build and
run on the various OpenBSD architectures.  The 5.7 ports collection,
including many of the distribution files, is included on the 3-CD
set.  Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the nginx web server
and several X applications, come standard with OpenBSD.  Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).

------------------------------------------------------------------------
- BINARY PACKAGES WE PROVIDE -------------------------------------------

A large number of binary packages are provided.  Please see the PACKAGES
file (http://ftp.OpenBSD.org/pub/OpenBSD/5.7/PACKAGES) for more details.

------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------

The CD-ROMs contain source code for all the subsystems explained
above, and the README (http://ftp.OpenBSD.org/pub/OpenBSD/5.7/README)
file explains how to deal with these source files.  For those who
are doing an HTTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/5.7/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------

Ports tree and package building by Jasper Lievisse Adriaanse,
Pierre-Emmanuel Andre, Landry Breuil, Stuart Henderson, Peter Hessler,
Paul Irofti, Sebastian Reitenbach, Miod Vallat, and Christian Weisgerber.
System builds by Jasper Lievisse Adriaanse, Kenji Aoyama, Theo de Raadt,
Jonathan Gray, Mark Kettenis, and Miod Vallat.  X11 builds by
Jasper Lievisse Adriaanse, Kenji Aoyama, Todd Fries, and Miod Vallat.
ISO-9660 filesystem layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who pre-ordered the 5.7 CD-ROM or bought our previous
CD-ROMs.  Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

    Aaron Bieber, Alexander Bluhm, Alexander Hall, Alexandr Shadchin,
    Alexandre Ratchov, Andrew Fresh, Anil Madhavapeddy,
    Anthony J. Bentley, Antoine Jacoutot, Benoit Lecocq, Bob Beck,
    Brandon Mercer, Brent Cook, Bret Lambert, Brett Mahar,
    Brian Callahan, Bryan Steele, Camiel Dobbelaar, Charles Longeau,
    Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann,
    Claudio Jeker, Damien Miller, Daniel Dickman, Darren Tucker,
    David Coppa, David Gwynne, Doug Hogan, Edd Barrett, Eric Faurot,
    Federico G. Schwindt, Florian Obser, Gerhard Roth, Gilles Chehade,
    Giovanni Bechis, Gleydson Soares, Gonzalo L. Rodriguez,
    Henning Brauer, Ian Darwin, Igor Sobrado, Ingo Schwarze,
    Jakob Schlyter, James Turner, Jason McIntyre,
    Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans,
    Jim Razmus II, Joel Sing, Joerg Jung, Jonathan Armani,
    Jonathan Gray, Jonathan Matthew, Joshua Elsasser, Joshua Stein,
    Juan Francisco Cantero Hurtado, Kenji Aoyama, Kenneth R Westerback,
    Kent R. Spillner, Kirill Bychkov, Kurt Miller, Landry Breuil,
    Lawrence Teo, Loganaden Velvindron, Luke Tymowski, Marc Espie,
    Marco Pfatschbacher, Mark Kettenis, Mark Lumsden, Markus Friedl,
    Martin Pelikan, Martin Pieuchot, Martin Reindl, Martynas Venckus,
    Masao Uebayashi, Mats O Jansson, Matthew Dempsky, Matthias Kilian,
    Matthieu Herrb, Mike Belopuhov, Mike Larkin, Miod Vallat,
    Naoya Kaneko, Nayden Markatchev, Nicholas Marriott, Nick Holland,
    Nigel Taylor, Okan Demirmen, Otto Moerbeek, Pascal Stumpf,
    Paul de Weerd, Paul Irofti, Peter Hessler, Philip Guenther,
    Pierre-Emmanuel Andre, Raphael Graf, Remi Pointel, Renato Westphal,
    Reyk Floeter, Robert Nagy, Robert Peichaer, Ryan Thomas McBride,
    Sasano Takayoshi, Sebastian Benoit, Sebastian Reitenbach,
    Simon Perreault, Stefan Fritsch, Stefan Sperling, Stephan Rickauer,
    Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sylvestre Gallon,
    Ted Unangst, Theo de Raadt, Tobias Stoeckmann, Tobias Ulmer,
    Todd C. Miller, Todd Fries, Vadim Zhukov, William Yodlowsky,
    Yasuoka Masahiko, Yojiro Uo