BSDSec

deadsimple BSD Security Advisories and Announcements

OpenBSD 5.9 released - March 29

------------------------------------------------------------------------
- OpenBSD 5.9 RELEASED -------------------------------------------------

March 29, 2016.

We are pleased to announce the official release of OpenBSD 5.9.
This is our 39th release on CD-ROM (and 40th via FTP/HTTP).  We remain
proud of OpenBSD's record of more than twenty years with only two remote
holes in the default install.

As in our previous releases, 5.9 provides significant improvements,
including new features, in nearly all areas of the system:

 - Processor support, including:
    o W^X policy enforced in the i386 kernel address space.

 - Improved hardware support, including:
    o New asmc(4) driver for the Apple System Management Controller.
    o New pchtemp(4) driver for the thermal sensor found on Intel X99,
      C610 series, 9 series and 100 series PCH.
    o New uonerng(4) driver for the Moonbase Otago OneRNG.
    o New dwiic(4) driver for the Synopsys DesignWare I2C controller.
    o New ikbd(4), ims(4), and imt(4) drivers for HID-over-i2c
      keyboards, mice and multitouch touchpads.
    o New efifb(4) driver for EFI frame buffer.
    o New viocon(4) driver for the virtio(4) console interface provided
      by KVM, QEMU, and others.
    o New xen(4) driver implementing Xen domU initialization and PVHVM
      device attachment.
    o New xspd(4) driver for the XenSource Platform Device providing
      guests with additional capabilities.
    o New xnf(4) driver for Xen paravirtualized networking interface.
    o amd64 can now boot from 32 bit and 64 bit EFI.
    o Initial support for hardware reduced ACPI added to acpi(4).
    o Support for ACPI configured SD host controllers has been added to
      sdhc(4).
    o The puc(4) driver now supports Moxa CP-168U, Perle Speed8 LE and
      QEMU PCI serial devices.
    o Intel 100 Series PCH Ethernet MAC with i219 PHY support has been
      added to the em(4) driver.
    o RTL8168H/RTL8111H support has been added to re(4).
    o inteldrm(4) has been updated to Linux 3.14.52 adding initial
      support for Bay Trail and Broadwell graphics.
    o Support for audio in Thinkpad docks has been added to the
      azalia(4) driver.
    o Support for Synaptic touchpads without W mode has been added to
      the pms(4) driver.
    o Support for tap-and-drag detection with ALPS touchpads in the
      pms(4) driver has been improved.
    o The sdmmc(4) driver now supports sector mode for eMMC devices,
      such as those found on some BeagleBone Black boards.
    o The cnmac(4) driver now supports checksum offloading.
    o The ipmi(4) driver now supports OpenIPMI compatible character
      device.
    o Support for ST-506 disks has been removed.

 - pledge(2) support integrated:
    o The tame(2) system call was renamed to pledge(2). Behavior and
      semantics were extended and refined.
    o 453 out of 707 base system binaries were adapted to use pledge.
    o 14 ports now use pledge(2): some decompression tools, mutt, some
      pdf tools, chromium/iridium, and the i3 window manager.
    o Various bugs exposed by pledge(2) were corrected. For example in
      bgpd(8), iked(8), ldapd(8), ntpd(8), and syslogd(8).
    o Several misfeatures were removed, such as:
       - support for HOSTALIASES in the resolver.
       - support for lookup yp in resolv.conf(5).
       - setuid-preserving code in tools from binutils.
       - handling of ed-style diffs via proc/exec in patch(1).
    o Userland programs were audited so that they could be properly
      annotated with pledge(2). This resulted in design changes such as:
       - addition of privilege separation to rdate(8)
       - addition of privilege separation to sndiod(8)
       - the introduction of the SOCK_DNS socket(2) flag that makes
         an SS_DNS tagged socket conceptually different from a plain
         socket.
    o pledge(2) is also used to constrain programs that handle untrusted
      data to a very limited subset of POSIX. For example, strings(1) or
      objdump(1) from binutils or the RSA-privsep process in smtpd(8).

 - SMP network stack improvements:
    o The task processing incoming packets can now run mostly in
      parallel of the rest of the kernel. This includes:
       - carp(4), trunk(4), vlan(4) and other pseudo-drivers with the
         exception of bridge(4).
       - Ethernet decapsulation, ARP processing and MPLS forwarding
         path.
       - bpf(4) filter matching.
    o The Rx and Tx rings of the ix(4), myx(4), em(4), bge(4), bnx(4),
      vmx(4), gem(4), re(4) and cas(4) drivers can now be processed in
      parallel of the rest of the kernel.
    o The Rx ring of the cnmac(4) driver can now be processed in
      parallel of the rest of the kernel.

 - Initial IEEE 802.11n wireless support:
    o The ieee80211(9) subsystem now supports HT data rates up to
      65 Mbit/s (802.11n MCS 0-7).
    o The input path of ieee80211(9) now supports receiving A-MPDU and
      A-MSDU aggregated frames.
    o The iwm(4) and iwn(4) drivers make use of the above features.
    o 802.11n mode is used by default if supported by the OpenBSD
      wireless driver and the access point. Operation in 802.11a,
      802.11b, and 802.11g modes can be forced with the new ifconfig(8)
      mode subcommand.

 - Generic network stack improvements:
    o New etherip(4) pseudo-device for tunneling Ethernet frames across
      IP[46] networks using RFC 3378 EtherIP encapsulation.
    o New pair(4) pseudo-device for creating paired virtual Ethernet
      interfaces.
    o New tap(4) pseudo-device split up from tun(4) providing a layer
      3 interface with userland.
    o Support for obsolete IPv6 socket options has been removed.
    o The iwn(4) driver now passes IEEE 802.11 control frames in monitor
      mode, allowing full capture of traffic on a particular wireless
      channel.
    o pflow(4) now supports IPv6 for transport.

 - Installer improvements:
    o Inappropriate user choices from a list of options are more
      reliably rejected.
    o Installing to a disk partitioned with a GPT is now supported
      (amd64 only).
    o When initializing a GPT, the required EFI System partition is
      automatically created.
    o When installing to a GPT disk, installboot(8) now formats the EFI
      System partition, creates the appropriate directory structure and
      copies the required UEFI boot files into place.

 - Routing daemons and other userland network improvements:
    o New eigrpd(8) routing daemon for the Enhanced Interior Gateway
      Routing Protocol.
    o dhclient(8) now supports multiple domain names provided via DHCP
      option 15 (Domain Name).
    o dhclient(8) now supports search domains provided via DHCP option
      119 (Domain Search).
    o dhclient(8) no longer continually checks for a change to the
      routing domain of the interface it controls. It now relies on the
      appropriate routing socket messages.
    o dhclient(8) now issues DHCP DECLINE responses to lease offers
      found to be inadequate, and restarts the DISCOVER/RENEW process
      rather than waiting indefinitely for a better lease to appear.
    o dhclient(8) no longer exits if a desired route cannot be added. It
      now just reports the fact.
    o dhclient(8) now takes a much more careful approach to received
      packets to ensure only received data is used to process the
      packet. Packets with incorrect length information or lacking
      appropriate header information are now dropped.
    o dhclient(8) again disables pending timeouts if the interface link
      is lost, preventing endless retries at obtaining a lease.
    o dhcpd(8) again properly utilizes default-lease-time,
      max-lease-time and bootp-lease-time options.
    o tcpdump(8) now displays more information about IEEE 802.11 frames
      when run with the -y IEEE802_11_RADIO and -v options.
    o Several interoperability issues in iked(8) have been fixed,
      including EAP auth with OS X El Capitan.

 - Security improvements:
    o Chacha20-Poly1305 authenticated encryption mode has been
      implemented in the IPsec stack for the ESP protocol.
    o Support for looking up hosts via YP has been removed from libc.
      The 'yp' lookup method in resolv.conf is no longer available.
    o Support for the HOSTALIASES environment variable has been removed
      from libc.

 - Assorted improvements:
    o doas(1) is a little friendlier to use.
    o Updated flex(1).
    o Forked less(1) from upstream, then proceeded to clean it up
      substantially.
    o pdisk(8) was largely rewritten and pledged.
    o Renaming files in the root directory of a MSDOS filesystem was
      fixed.
    o Many obsolete disktab(5) attributes and entries were removed.
    o softraid(4) volumes now correctly look for the disklabel in the
      first OpenBSD disk partition, not the last.
    o softraid(4) volumes can now be partitioned with a GPT.
    o fdisk(8) now creates a default GPT as well as the protective MBR
      when the -g flag is used.
    o fdisk(8) now has a -b flag that specifies the size of the EFI
      System partition to create.
    o fdisk(8) now has a -v flag that causes a verbose display of both
      MBR and GPT information.
    o fdisk(8) now provides full interactive GPT editing.
    o fdisk(8) was pledged.
    o Disks with sector sizes other than 512 bytes can now be
      partitioned with a GPT.
    o The GPT kernel option was removed and GPT support is part of all
      GENERIC and GENERIC derived kernels.
    o Many improvements were made to the GPT kernel support to ensure
      safe and reliable operation of GPT and MBR processing.
    o disklabel(8) no longer supports boot code installation, with the
      -B and -b flags being removed. The associated fields in the
      disklabel were also removed. These functions are now all performed
      by installboot(8).
    o PowerPC converted to secure-PLT ABI variant.
    o Perform lazy binding updates in ld.so(1) using kbind(2) to improve
      security and reduce overhead in threaded processes.
    o Over 100 internal or obsolete interfaces have been deleted or are
      no longer exported by libc, reducing symbol conflicts and process
      size.
    o libc now uses local references for most of its own functions to
      avoid symbol overriding, improve standards compliance, increase
      speed, and reduce dynamic linking overhead.
    o Handle intra-thread kills via new thrkill(2) system call to
      tighten pledge(2) restrictions and improve pthread_kill(3) and
      pthread_cancel(3) compliance.
    o Added getpwnam_shadow(3) and getpwuid_shadow(3) to permit tighter
      pledge(2) restrictions.
    o Added support to ktrace(1) the arguments to execve(2) and
      pledge(2). Removed support for tracing context switch points.
      kevent structures are now dumped.
    o Disabled support for loading locales other than UTF-8.
    o UTF-8 character locale data has been updated to Unicode 7.0.0.
    o Added UTF-8 support to several utilities, including calendar(1),
      colrm(1), cut(1), fmt(1), ls(1), ps(1), rs(1), ul(1), uniq(1) and
      wc(1).
    o Partial support for inserting and deleting UTF-8 characters in
      ksh(1) emacs command line editing mode.
    o Native language support (NLS) has been removed from libc.
    o ddb(4) now automatically shows a stack trace upon panic.

 - OpenSMTPD 5.9.1
    o Security:
       - Both smtpd(8) and smtpctl(8) have been pledged.
       - The offline enqueue mode of smtpctl(8) has been redesigned to
         remove the need for a publicly writable directory which was a
         vector of multiple attacks in the Qualys Security audit.
    o The following improvements were brought in this release:
       - Experimental support for filters API is now available with
         several filters available in ports.
       - Add Message-Id header if necessary.
       - Removed the kick mechanism which was misbehaving.
       - Increased the length of acceptable headers lines.
       - Assume messages are 8-bit bytes by default.

 - OpenSSH 7.2:
    o Security:
       - Qualys Security identified vulnerabilities in the ssh(1)
         client experimental support for resuming SSH-connections
         (roaming). In the default configuration, this could
         potentially leak client keys to a hostile server. The
         authentication of the server host key prevents exploitation
         by a man-in-the-middle, so this information leak is
         restricted to connections to malicious or compromised
         servers. This feature has been disabled in the ssh(1) client,
         and it has been removed from the source tree. The matching
         server code has never been shipped.
       - sshd(8): OpenSSH 7.0 contained a logic error in
         PermitRootLogin=prohibit-password/without-password that
         could, depending on compile-time configuration, permit
         password authentication to root while preventing other forms
         of authentication.
       - Fix an out of-bound read access in the packet handling code.
       - Further use of explicit_bzero(3) has been added in various
         buffer handling code paths to guard against compilers
         aggressively doing dead-store removal.
       - ssh(1), sshd(8): remove unfinished and unused roaming code.
       - ssh(1): eliminate fallback from untrusted X11 forwarding to
         trusted forwarding when the X server disables the SECURITY
         extension.
       - ssh(1), sshd(8): increase the minimum modulus size supported
         for diffie-hellman-group-exchange to 2048 bits.
    o Potentially-incompatible changes:
       - This release disables a number of legacy cryptographic
         algorithms by default in ssh(1):
          o Several ciphers: blowfish-cbc, cast128-cbc, all arcfour
            variants and the rijndael-cbc aliases for AES.
          o MD5-based and truncated HMAC algorithms.
    o New/changed features:
       - all: add support for RSA signatures using SHA-256/512 hash
         algorithms based on draft-rsa-dsa-sha2-256-03.txt and
         draft-ssh-ext-info-04.txt.
       - ssh(1): add an AddKeysToAgent client option which can be set
         to yes, no, ask, or confirm, and defaults to no. When
         enabled, a private key that is used during authentication
         will be added to ssh-agent(1) if it is running (with
         confirmation enabled if set to confirm).
       - sshd(8): add a new authorized_keys option restrict that
         includes all current and future key restrictions
         (no-*-forwarding, etc.). Also add permissive versions of the
         existing restrictions, e.g. no-pty -> pty. This simplifies
         the task of setting up restricted keys and ensures they are
         maximally-restricted, regardless of any permissions we might
         implement in the future.
       - ssh(1): add ssh_config(5) CertificateFile option to
         explicitly list certificates. (bz#2436)
       - ssh-keygen(1): allow ssh-keygen(1) to change the key comment
         for all supported formats.
       - ssh-keygen(1): allow fingerprinting from standard input, e.g.
         "ssh-keygen -lf -".
       - ssh-keygen(1): allow fingerprinting multiple public keys in a
         file, e.g. ssh-keygen -lf ~/.ssh/authorized_keys. (bz#1319)
       - sshd(8): support none as an argument for sshd_config(5)
         Foreground and ChrootDirectory. Useful inside Match blocks to
         override a global default. (bz#2486)
       - ssh-keygen(1): support multiple certificates (one per line)
         and reading from standard input (using "-f -") for ssh-keygen
         -L.
       - ssh-keyscan(1): add ssh-keyscan -c ... flag to allow fetching
         certificates instead of plain keys.
       - ssh(1): better handle anchored FQDNs (e.g. cvs.openbsd.org.)
         in hostname canonicalisation - treat them as already
         canonical and trailing '.' before matching ssh_config(5).
    o The following significant bugs have been fixed in this release:
       - ssh(1), sshd(8): add compatibility workarounds for FuTTY.
       - ssh(1), sshd(8): refine compatibility workarounds for WinSCP.
       - Fix a number of memory faults (double-free, free of
         uninitialised memory, etc.) in ssh(1) and ssh-keygen(1).
       - Correctly interpret the first_kex_follows option during the
         initial key exchange.
       - sftp(1): existing destination directories should not
         terminate recursive uploads (regression in openssh 6.8).
         (bz#2528)
       - ssh(1), sshd(8): correctly send back SSH2_MSG_UNIMPLEMENTED
         replies to unexpected messages during key exchange. (bz#2949)
       - ssh(1): refuse attempts to set ConnectionAttempts=0, which
         does not make sense and would cause ssh to print an
         uninitialised stack variable. (bz#2500)
       - ssh(1): fix errors when attempting to connect to scoped IPv6
         addresses with hostname canonicalisation enabled.
       - sshd_config(5): list a couple more options usable in Match
         blocks. (bz#2489)
       - sshd(8): fix PubkeyAcceptedKeyTypes +... inside a Match
         block.
       - ssh(1): expand tilde characters in filenames passed to -i
         options before checking whether or not the identity file
         exists. Avoids confusion for cases where shell doesn't expand
         (e.g. -i ~/file vs. -i~/file). (bz#2481)
       - ssh(1): do not prepend "exec" to the shell command run by
         Match exec in a config file, which could cause some commands
         to fail in certain environments. (bz#2471)
       - ssh-keyscan(1): fix output for multiple hosts/addrs on one
         line when host hashing or a non standard port is in use.
         (bz#2479)
       - sshd(8): skip "Could not chdir to home directory" message
         when ChrootDirectory is active. (bz#2485)
       - ssh(1): include PubkeyAcceptedKeyTypes in ssh -G config dump.
       - sshd(8): avoid changing TunnelForwarding device flags if they
         are already what is needed; makes it possible to use tun(4)/
         tap(4) networking as non-root user if device permissions and
         interface flags are pre-established.
       - ssh(1), sshd(8): RekeyLimits could be exceeded by one packet.
         (bz#2521)
       - ssh(1): fix multiplexing master failure to notice client
         exit.
       - ssh(1), ssh-agent(1): avoid fatal() for PKCS11 tokens that
         present empty key IDs. (bz#1773)
       - sshd(8): avoid printf(3) of NULL argument. (bz#2535)
       - ssh(1), sshd(8): allow RekeyLimits larger than 4GB. (bz#2521)
       - ssh-agent(1), sshd(8): fix several bugs in (unused) KRL
         signature support.
       - ssh(1), sshd(8): fix connections with peers that use the key
         exchange guess feature of the protocol. (bz#2515)
       - sshd(8): include remote port number in log messages.
         (bz#2503)
       - ssh(1): don't try to load SSHv1 private key when compiled
         without SSHv1 support. (bz#2505)
       - ssh-agent(1), ssh(1): fix incorrect error messages during key
         loading and signing errors. (bz#2507)
       - ssh-keygen(1): don't leave empty temporary files when
         performing known_hosts file edits when known_hosts doesn't
         exist.
       - sshd(8): correct packet format for tcpip-forward replies for
         requests that don't allocate a port. (bz#2509)
       - ssh(1), sshd(8): fix possible hang on closed output.
         (bz#2469)
       - ssh(1): expand %i in ControlPath to UID. (bz#2449)
       - ssh(1), sshd(8): fix return type of openssh_RSA_verify.
         (bz#2460)
       - ssh(1), sshd(8): fix some option parsing memory leaks.
         (bz#2182)
       - ssh(1): add some debug output before DNS resolution; it's a
         place where ssh could previously silently stall in cases of
         unresponsive DNS servers. (bz#2433)
       - ssh(1): remove spurious newline in visual hostkey. (bz#2686)
       - ssh(1): fix printing (ssh -G ...) of HostKeyAlgorithms=+...
       - ssh(1): fix expansion of HostkeyAlgorithms=+...

 - LibreSSL 2.3.2
    o User-visible features:
       - This release corrects the handling of ClientHello messages
         that do not include TLS extensions, resulting in such
         handshakes being aborted.
       - When loading a DSA key from a raw (without DH parameters)
         ASN.1 serialization, perform some consistency checks on its
         `p' and `q' values, and return an error if the checks failed.
       - Fixed a bug in ECDH_compute_key that can lead to silent
         truncation of the result key without error. A coding error
         could cause software to use much shorter keys than intended.
       - Removed support for DTLS_BAD_VER. Pre-DTLSv1 implementations
         are no longer supported.
       - The engine command and parameters are removed from
         openssl(1). Previous releases removed dynamic and built-in
         engine support already.
       - SHA-0 is removed, which was withdrawn shortly after
         publication twenty years ago.
       - Added Certplus CA root certificate to the default cert.pem
         file.
       - Fixed a leak in SSL_new(3) in the error path.
       - Fixed a memory leak and out-of-bounds access in
         OBJ_obj2txt(3).
       - Fixed an up-to 7 byte overflow in RC4 when len is not a
         multiple of sizeof(RC4_CHUNK).
       - Added EVP_aead_chacha20_poly1305_ietf(3) which matches the
         AEAD construction introduced in RFC 7539, which is different
         than that already used in TLS with
         EVP_aead_chacha20_poly1305(3).
       - More man pages converted from pod to mdoc(7) format.
       - Added COMODO RSA Certification Authority and QuoVadis root
         certificates to cert.pem.
       - Removed "C=US, O=VeriSign, Inc., OU=Class 3 Public Primary
         Certification Authority" (serial
         3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root
         certificate from cert.pem.
       - Fixed incorrect TLS certificate loading by nc(1).
       - The openssl(1) s_time command now performs a proper shutdown
         which allows a full TLS connection to be benchmarked more
         accurately. A new -no_shutdown flag makes s_time adopt the
         previous behavior so that comparisons can still be made with
         OpenSSL's version.
       - Removed support for the SSLEAY_CONF backwards compatibility
         environment variable in openssl(1).
       - The following CVEs had been fixed:
          o CVE-2015-3194--NULL pointer dereference in client side
            certificate validation.
          o CVE-2015-3195--memory leak in PKCS7, not reachable from
            TLS/SSL.
       - Note: The following OpenSSL CVEs did not apply to LibreSSL:
          o CVE-2015-3193--carry propagating bug in the x86_64
            Montgomery squaring procedure.
          o CVE-2015-3196--double free race condition of the
            identify hint data.
    o Code improvements:
       - Added install target for cmake builds.
       - Updated pkgconfig files to correctly report the release
         version number, not the individual library ABI version
         numbers.
       - SSLv3 is now permanently removed from the tree.
       - The libtls API is changed from the 2.2.x series:
          o The tls_read(3) and tls_write(3) functions now work better
            with external event libraries.
          o Client-side verification is now supported, with the client
            supplying the certificate to the server.
          o Also, when using tls_connect_fds(3),
            tls_connect_socket(3) or tls_accept_fds(3), libtls no longer
            implicitly closes the passed in sockets. The caller is
            responsible for closing them in this case.
       - New interface OPENSSL_cpu_caps is provided that does not
         allow software to inadvertently modify cpu capability flags.
         OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
       - The out_len argument of AEAD changed from ssize_t to size_t.
       - Deduplicated DTLS code, sharing bugfixes and improvements
         with TLS.
       - Converted nc(1) to use libtls for client and server
         operations; it is included in the libressl-portable
         distribution as an example of how to use the libtls library.
         This is intended to be a simpler and more robust replacement
         for openssl s_client and openssl s_server for day-to-day
         operations.
       - ASN.1 cleanups and RFC5280 compliance fixes.
       - Time representations switched from unsigned long to time_t.
         LibreSSL now checks if the host OS supports 64-bit time_t.
       - Support always extracting the peer cipher and version with
         libtls.
       - Added ability to check certificate validity times with
         libtls, tls_peer_cert_notbefore(3) and
         tls_peer_cert_notafter(3).
       - Changed tls_connect_servername(3) to use the first address
         that resolves with getaddrinfo(3).
       - Remove broken conditional EVP_CHECK_DES_KEY code
         (non-functional since initial commit in 2004).
       - Reject too small bits value in BN_generate_prime(3), so that
         it does not risk becoming negative in
         probable_prime_dh_safe().
       - Changed format of LIBRESSL_VERSION_NUMBER to match that of
         OPENSSL_VERSION_NUMBER.
       - Avoid a potential undefined C99+ behavior due to shift
         overflow in AES_decrypt.
       - Deprecated the SSL_OP_SINGLE_DH_USE flag.

 - Ports and packages:
   Many pre-built packages for each architecture:
    o alpha:  7450                    o mips64el: 7846
    o amd64:  9295                    o powerpc:  8383
    o hppa:   6304                    o sh:       111
    o i386:   9290                    o sparc:    1105
    o mips64: 7094                    o sparc64:  8528

 - Some highlights:

    o Chromium 48.0.2564.116          o Node.js 4.3.0
    o Emacs 21.4 and 24.5             o OpenLDAP 2.3.43 and 2.4.43
    o GCC 4.9.3                       o PHP 5.4.45, 5.5.32 and 5.6.18
    o GHC 7.10.3                      o Postfix 3.0.3
    o GNOME 3.18.2                    o PostgreSQL 9.4.6
    o Go 1.5.3                        o Python 2.7.11, 3.4.4 and 3.5.1
    o Groff 1.22.3                    o R 3.2.3
    o JDK 7u80 and 8u72               o Ruby 1.8.7.374, 2.0.0.648,
    o KDE 3.5.10 and 4.14.3 (plus       2.1.8, 2.2.4 and 2.2.0
      KDE4 core updates)              o Rust 1.6.0
    o LLVM/Clang 3.5 (20140228)       o Sendmail 8.15.2
    o LibreOffice 5.0.4.2             o Sudo 1.8.15
    o MariaDB 10.0.23                 o Tcl/Tk 8.5.18 and 8.6.4
    o Mono 4.2.1.102                  o TeX Live 2014
    o Mozilla Firefox 38.6.1esr and   o Vim 7.4.900
      44.0.2                          o Xfce 4.12
    o Mozilla Thunderbird 38.6.0

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.7 with xserver 1.17.4 + patches,
      freetype 2.6.2, fontconfig 2.11.1, Mesa 11.0.9, xterm 322,
      xkeyboard-config 2.17 and more)
    o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    o Perl 5.20.2 (+ patches)
    o SQLite 3.9.2 (+ patches)
    o NSD 4.1.7
    o Unbound 1.5.7
    o Ncurses 5.7
    o Binutils 2.17 (+ patches)
    o Gdb 6.3 (+ patches)
    o Awk Aug 10, 2011 version

If you'd like to see a list of what has changed between OpenBSD 5.8
and 5.9, look at

        http://www.OpenBSD.org/plus59.html

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.

------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each CD release.  As usual, between the
creation of the OpenBSD 5.9 HTTP/CD-ROM binaries and the actual 5.9
release date, our team found and fixed some new reliability problems
(note: most are minor and in subsystems that are not enabled by
default).  Our continued research into security means we will find
new security problems -- and we always provide patches as soon as
possible.  Therefore, we advise regular visits to

        http://www.OpenBSD.org/security.html
and
        http://www.OpenBSD.org/errata.html

------------------------------------------------------------------------
- MAILING LISTS --------------------------------------------------------

Mailing lists are an important means of communication among users and
developers of OpenBSD.  For information on OpenBSD mailing lists, please
see:

        http://www.OpenBSD.org/mail.html

------------------------------------------------------------------------
- CD-ROM SALES ---------------------------------------------------------

OpenBSD 5.9 is also available on CD-ROM.  The 3-CD set costs 44 EUR and
is available via web order worldwide.

The CD set includes a colourful booklet which carefully explains the
installation of OpenBSD.  A new set of cute little stickers is also
included (sorry, but our HTTP mirror sites do not support STP, the Sticker
Transfer Protocol).  As an added bonus, the second CD contains audio tracks
for two songs: "Doctor W^X" and "Systemagic (Anniversary Edition)".
MP3 and OGG versions of the audio tracks can be found on the first CD.

Lyrics (and an explanation) for the songs may be found at:

    http://www.OpenBSD.org/lyrics.html#59

Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 5.9 CD-ROMs are bootable on the following platforms:

  o i386
  o amd64
  o macppc
  o sparc64

(Other platforms must boot from network, floppy, or other method).

For more information on ordering CD-ROMs, see:

        http://www.OpenBSD.org/orders.html

All of our developers strongly urge you to buy a CD-ROM and support
our future efforts.  Additionally, donations to the project are
highly appreciated, as described in more detail at:

        http://www.OpenBSD.org/donations.html

------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.  There may also be exposure benefits
since the Foundation may be interested in participating in press releases.
In turn, the Foundation then uses these contributions to assist OpenBSD's
infrastructure needs.  Contact the foundation directors at
directors@openbsdfoundation.org for more information.

------------------------------------------------------------------------
- T-SHIRT SALES --------------------------------------------------------

The OpenBSD distribution company also sells T-shirts with new and old
designs and other merchandise, available from its web ordering system.

------------------------------------------------------------------------
- HTTP INSTALLS --------------------------------------------------------

If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via HTTP downloads.  Typically you need a single
small piece of boot media (e.g., a USB flash drive) and then the rest
of the files can be installed from a number of locations, including
directly off the Internet.  Follow this simple set of instructions
to ensure that you find all of the documentation you will need
while performing an install via HTTP.  With the CD-ROMs,
the necessary documentation is easier to find.

1) Read either of the following two files for a list of HTTP
   mirrors which provide OpenBSD, then choose one near you:

        http://www.OpenBSD.org/ftp.html
        http://ftp.openbsd.org/pub/OpenBSD/ftplist

   As of March 29, 2016, the following HTTP mirror sites have the 5.9 release:

        http://ftp.eu.openbsd.org/pub/OpenBSD/5.9/      Stockholm, Sweden
        http://ftp.bytemine.net/pub/OpenBSD/5.9/        Oldenburg, Germany
        http://ftp.ch.openbsd.org/pub/OpenBSD/5.9/      Zurich, Switzerland
        http://ftp.fr.openbsd.org/pub/OpenBSD/5.9/      Paris, France
        http://ftp5.eu.openbsd.org/pub/OpenBSD/5.9/     Vienna, Austria
        http://mirror.aarnet.edu.au/pub/OpenBSD/5.9/    Brisbane, Australia
        http://ftp.usa.openbsd.org/pub/OpenBSD/5.9/     CO, USA
        http://ftp5.usa.openbsd.org/pub/OpenBSD/5.9/    CA, USA
        http://mirror.esc7.net/pub/OpenBSD/5.9/         TX, USA

        The release is also available at the master site:

        http://ftp.openbsd.org/pub/OpenBSD/5.9/          Alberta, Canada

        However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that HTTP mirror site and go into the directory
   pub/OpenBSD/5.9/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     alpha/           luna88k/         sparc64/
        Changelogs/      amd64/           macppc/          src.tar.gz
        HARDWARE         armish/          octeon/          sys.tar.gz
        PACKAGES         armv7/           packages/        tools/
        PORTS            hppa/            ports.tar.gz     xenocara.tar.gz
        README           i386/            root.mail        zaurus/
        SHA256           landisk/         sgi/
        SHA256.sig       loongson/        socppc/

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        HARDWARE        - list of hardware we support
        PORTS           - description of our ports tree
        PACKAGES        - description of pre-compiled packages
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, amd64.  This is a list of what you will see:

        BOOTIA32.EFI*   bsd*            floppy59.fs     pxeboot*
        BOOTX62.EFI*    bsd.mp*         game59.tgz      xbase59.tgz
        BUILDINFO       bsd.rd*         index.txt       xfont59.tgz
        INSTALL.amd64   cd59.iso        install59.fs    xserv59.tgz
        SHA256          cdboot*         install59.iso   xshare59.tgz
        SHA256.sig      cdbr*           man59.tgz
        base59.tgz      comp59.tgz      miniroot59.fs

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
   and install59.iso.  The install59.iso file (roughly 290MB in size)
   is a one-step ISO-format install CD image which contains the various
   *.tgz files so you do not need to fetch them separately.

   If you prefer to use a USB flash drive, fetch install59.fs and
   follow the instructions in INSTALL.amd64.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.amd64.  INSTALL.amd64 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

        http://www.OpenBSD.org/errata.html

   This is the page where we talk about the mistakes we made while
   creating the 5.9 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.7.  Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc.  During installation, you can install X.Org
quite easily.  Be sure to try out xdm(1) and see how we have customized
it for OpenBSD.

------------------------------------------------------------------------
- PORTS TREE -----------------------------------------------------------

The OpenBSD ports tree contains automated instructions for building
third party software.  The software has been verified to build and
run on the various OpenBSD architectures.  The 5.9 ports collection
is included on the 3-CD set.  Please see the PORTS file for more
information.

Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD.  Also, many popular ports have
been pre-compiled for those who do not desire to build their own binaries
(see BINARY PACKAGES, below).

------------------------------------------------------------------------
- BINARY PACKAGES ------------------------------------------------------

A large number of binary packages are provided.  Please see the PACKAGES
file (http://ftp.OpenBSD.org/pub/OpenBSD/5.9/PACKAGES) for more details.

------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------

The CD-ROMs contain source code for all the subsystems explained
above, and the README (http://ftp.OpenBSD.org/pub/OpenBSD/5.9/README)
file explains how to deal with these source files.  For those who
are doing an HTTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/5.9/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------

Ports tree and package building by Pierre-Emmanuel Andre, Landry Breuil,
Visa Hankala, Stuart Henderson, Peter Hessler, Paul Irofti, and
Christian Weisgerber.  Base and X system builds by
Jasper Lievisse Adriaanse, Kenji Aoyama, Theo de Raadt, Jonathan Gray,
and Tobias Ulmer.  ISO-9660 filesystem layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who pre-ordered the 5.9 CD-ROM or bought our previous
CD-ROMs.  Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

    Aaron Bieber, Alexander Bluhm, Alexander Hall, Alexandr Nedvedicky,
    Alexandr Shadchin, Alexandre Ratchov, Andrew Fresh,
    Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot,
    Benoit Lecocq, Bob Beck, Brandon Mercer, Brent Cook, Bret Lambert,
    Bryan Steele, Can Erkin Acar, Charles Longeau, Chris Cappuccio,
    Christian Weisgerber, Christopher Zimmermann, Claudio Jeker,
    Damien Miller, Daniel Boulet, Daniel Dickman, Darren Tucker,
    David Coppa, David Gwynne, Dmitrij Czarkoff, Doug Hogan,
    Edd Barrett, Eric Faurot, Florian Obser, Gerhard Roth,
    Giannis Tsaraias, Gilles Chehade, Giovanni Bechis, Gleydson Soares,
    Gonzalo L. Rodriguez, Henning Brauer, Ian Darwin, Igor Sobrado,
    Ingo Feinerer, Ingo Schwarze, James Turner, Jason McIntyre,
    Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans,
    Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray,
    Jonathan Matthew, Joshua Stein, Juan Francisco Cantero Hurtado,
    Kazuya Goda, Kenji Aoyama, Kenneth R Westerback, Kent R. Spillner,
    Kirill Bychkov, Kurt Miller, Landry Breuil, Lawrence Teo,
    Luke Tymowski, Marc Espie, Mark Kettenis, Mark Lumsden,
    Markus Friedl, Martijn van Duren, Martin Pieuchot, Martynas Venckus,
    Masao Uebayashi, Mats O Jansson, Matthew Dempsky, Matthias Kilian,
    Matthieu Herrb, Michael McConville, Mike Belopuhov, Mike Larkin,
    Miod Vallat, Nayden Markatchev, Nicholas Marriott, Nigel Taylor,
    Okan Demirmen, Otto Moerbeek, Pascal Stumpf, Paul Irofti,
    Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre,
    Rafael Zalamena, Remi Pointel, Renato Westphal, Reyk Floeter,
    Ricardo Mestre, Robert Nagy, Robert Peichaer, Sasano Takayoshi,
    Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
    Stefan Fritsch, Stefan Kempf, Stefan Sperling, Steven Mestdagh,
    Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda, T.J. Townsend,
    Ted Unangst, Theo Buehler, Theo de Raadt, Tim van der Molen,
    Tobias Stoeckmann, Tobias Ulmer, Todd C. Miller, Ulf Brosziewski,
    Vadim Zhukov, Vincent Gross, Visa Hankala, Yasuoka Masahiko,
    Yojiro Uo