deadsimple BSD Security Advisories and Announcements

OpenBSD 6.0 released May 1

- OpenBSD 6.9 RELEASED -------------------------------------------------

May 1, 2021.

We are pleased to announce the official release of OpenBSD 6.9.
This is our 50th release.  We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.

As in our previous releases, 6.9 provides significant improvements,
including new features, in nearly all areas of the system:

 - New/extended platforms:
    o Support for the powerpc64 platform was improved:
       - Added astfb(4), a driver for the framebuffer of the Aspeed
         BMC found on many POWER8 and POWER9 systems.
       - Added to powerpc64's installXX.{img,iso}.
       - Added RETGUARD implementation for powerpc and powerpc64.
       - Added a workaround for PCIO devices that cannot address the
         full 64-bit PCI address space to powerpc64. Needed for
         radeondrm(4) and amdgpu(4) since Radeon GPUs only implement
         36, 40, or 44 bits of address space.
       - Added limited emulation of unaligned access in the powerpc64
       - Added support for netbooting to the powerpc64 RAMDISK kernel.
       - Fixed booting on powerpc64 machines with memory banks higher
         in physical address space, needing a larger TCE table.
       - Introduced power-saving mode on POWER9 CPUs.
       - Enabled floating-point exceptions on powerpc64.
       - Added support for ipmi(4) on PowerNV systems.
    o Preliminary support was added for devices using the Apple M1 SoC:
       - Recognized Apple Icestorm/Firestorm cores on arm64.
       - Added support for BCM4378 chips, as found on the Apple M1
         SoCs, to bwfm(4).
       - Added exuart(4) support for the UART found on the Apple M1
       - Added apldog(4), a driver for the watchdog on Apple M1 SoCs,
         allowing reboot of the machine.
       - Added aplintc(4), a driver for the interrupt controller found
         on Apple M1 SoCs.
       - Added aplpcie(4), a driver for the PCIe host bridge on Apple
         M1 SoCs.
       - Added apldart(4), a driver for the IOMMU on Apple M1 SoCs.
       - Added support for CPUs with 8-bit ASIDs such as those on
         Apple's M1 SoC.
    o The arm64 platform support was improved with the following
       - Optimized arm64 copyin(9), copyout(9) and kcopy(9) by doing
         16-byte copies if possible.
       - Added recognition of Cortex-A78AE, Cortex-X1 and Neoverse V1
         arm64 CPUs.
       - Added clock support for i.MX8MP SoCs.
       - Added support for the VF610 I2C controller to imxiic(4).
       - Added dwgpio(4), a driver for the Synopsys DesignWare GPIO
       - Added amlpinctrl(4) support for the "Always On" GPIOs.
       - Made large read and write transactions work in amliic(4).
       - Added support for the PCIe controller found on Amlogic
         G12A/G12B/SM1 SoCs to dwpcie(4).
       - Implemented legacy interrupt support to mvkpcie(4).
       - Added cryptox(4), a driver for armv8 cryptographic
       - Added support for PCIe on the NanoPi R4S to rkpcie(4).
       - Added smmu(4), a driver for the ARM System MMU.
       - Introduced an IOVA early-allocation scheme in smmu(4),
         mitigating the performance penalty of typical IOVA allocation
       - Introduced Guard Pages in smmu(4), to spot misuse and
         misconfiguration of I/O devices more easily.
       - Added support for RK809 to rkpmic(4), as seen on the Rock Pi
         N10 with the rk3399pro.
       - Added support for sdhc(4) on the Raspberry Pi in ACPI mode.
       - Enabled ixl(4) on arm64.
       - Updated device-tree bindings for cwfg(4) battery capacity
         driver to correct attaching and account for monitoring
         interval change, making cwfg(4) export values under
         hw.sensors as expected when using a Pinebook Pro.
       - Added ARMv8-5 instruction set related CPU features to arm64.

 - Various kernel improvements:
    o Added the RAID1C (encrypted raid1) softraid(4) discipline,
      encrypting data like the CRYPTO discipline and accepting multiple
      chunks during creation and assembly like the RAID1 discipline.
    o Corrected raidlevel verification specified by the -c option in
    o Introduced for video(4) devices, a privacy
      feature analog to the sysctl(8) parameter for
      audio(4) devices. By default, will be set to
      zero and blank all data delivered by drivers attaching to
    o Allowed a process to open a video(4) device multiple times. Fixes
      webcam usage with Firefox and BigBlueButton.
    o Enabled multiple opens of a video(4) device as described in the
      V4L2 specification.
    o Added basic support for kclock timeouts to timeout(9).
    o Changed the pool(9) timeouts to use the system uptime instead of
    o Ensured sleep(3) calls nanosleep(2) if seconds is zero, now
      delegating all decisions about whether or not to yield the CPU.
    o Added a top-level 'reboot' command to ddb(4).
    o Added witness(4) check for uninitialized (or zeroed) lock usage.
    o Added fd close notification for kqueue-based poll(2) and
    o Added a global "nowake" channel for threads avoiding wakeup(9) to
    o Added trace points for malloc(9) and free(9), making them
      traceable via dt(4) and btrace(8).
    o Added btrace(8) -n (no action) mode, which parses the program and
      then exits.
    o Fixed a boot-time crash on sparc64 due to mutex use during the
      message buffer initialization.
    o Prevented a panic in some ACPI firmware that provided invalid
      memory regions in their reserved memory region reporting table.
    o Added a barrier between reading the cqe flags and the command ID
      to prevent completion of the wrong SCSI I/O for nvme(4) drives.
    o Prevented attachment of nvme(4) devices of zero size.
    o Introduced new function if_unit(9), returning a pointer to the
      interface descriptor corresponding to the unique name.
    o Clear interrupts on luna88k processors more efficiently at boot
    o Added acpiiort(4), a driver for the ACPI I/O Remapping Table.
    o Updated clock interrupt count atomically on mips64.
    o Prevented an amd64 kernel crash with protection fault due to an
      invalid offset when reading /dev/kmem.
    o Permitted access to kern.somaxconn sysctl information when the
      unix pledge(2) is used, allowing Go programs to use "unix" without
      also including "inet".
    o Excluded the first page and added a guard page between I/O virtual
      address space allocations on arm64.
    o Prevented attachment of SCSI devices that fail to provide adequate
      INQUIRY data.

 - SMP Improvements
    o Introduced "if_cloners_lock" rwlock and used it to serialize
      if_clone_{create,destroy}(), avoiding multiple race conditions.
    o Introduced a system-wide mutex that serializes msgbuf operations.
    o Made uvm_pagealloc(9) of the physical memory allocator mp-safe.
    o Unlocked getppid(2).
    o Introduced locking for amaps and anons, improving build
    o Moved UNIX domain sockets out of the kernel lock, using the new
      "unp_lock" rwlock(9) as solock()'s backend to protect the whole
    o Unlocked sendsyslog(2).
    o Used per-CPU counter for fault and stats counters reached in

 - Direct Rendering Manager
    o Fixed wsconsctl(8) backlight commands when using drm(4) drivers on
    o Fixed a radeondrm(4) panic on macppc with Powerbook5,6 and RV350.
    o Fixed DRI3 support on amdgpu(4) and ati(4).
    o /dev/dri/ device nodes are created to be more compatible with

 - VMM/VMD improvements
    o Prevented memory corruption or improper page access in vmm(4) due
      to improper TLB flushing for now by wiring the pages used by
      virtual machines.
    o Removed the ability of vmd(8) to boot from kernels in raw/qcow2
    o Made vmctl(8) properly indicate VMs are stopping instead of
      "running" with "vmctl status".
    o Simplify argument parsing of vmctl(8) stop thereby avoiding a
      printf(3) "%s" NULL, a use of uninitialized and a dead else
    o Cleaned up events on vmd(8) pause or resume and fixed an issue
      leading to broken serial console by cleanly tearing down and
      restoring emulated device state on vm send/receive.
    o Propagated host-side tap(4) lladdr to guest vm process to allow
      unicast dhcp and bootp renewals with vmd(8)'s built-in dhcp
    o Added veb(4) to the list of supported bridges for vmd(8).
    o Improved MSR exit handling in vmm(4) on SVM and VMX hosts
      preventing invalid reads and fixing support for 9front.
    o Added ability to boot compressed ramdisks to vmd(8).

 - Various new userland features:
    o Added doas.conf(5) "nolog" option to avoid syslog(3).
    o Allowed specific sndio(7) devices to be used for play-only and
      rec-only modes.
    o Use an 8th order FIR low-pass filter for resampling in sndiod(8)
      and for aucat(1), removing most of the aliasing noise during
    o Disabled sndiod(8) autovolume by default and set the default
      volume to 127. Setting "-w on" will replicate the previous
      behavior of automatically decreasing playback volume when new
      programs start playing.
    o Allowed mixing of alternative devices (-F) with different
      capabilities in sndiod(8) by treating any device as full-duplex.
    o Fixed visibility of sndioctl(1) output when used through a pipe.
    o Enabled build and install of lldb(1).
    o Added logger(1) support to rcctl(8), rc.subr(8) and rc.d(8) for
      daemons logging to stdout/stderr.
    o Added a configurable button mapping for tap gestures on touchpads
      to wsconsctl(8).
    o Made wscons(4) touchpad tap detection less restrictive for
      multi-finger taps and improved tap detection.
    o Enable apm(4) on arm64 to display meaningful information about
      battery use and capacity.

 - Various bugfixes and tweaks in userland:
    o Fixed a pledge violation in csh(1) where redirecting input from a
      file containing ^T would cause csh(1) to perform a tty ioctl
      operation against a non-tty.
    o Made syspatch(8) work again when fewer than 3 patches are
    o Stopped exempting file systems from security(8) on the basis of
      nodev and nosuid options, which may not be used for file systems
      mounted beneath.
    o Modified daily(8) to stop reporting disk status and networking
    o Made sysupgrade(8) specify a version when it uses fw_update(1) to
      avoid the situation where upgrading a pre-6.8 snapshot to 6.8
      release with "-r" would install firmware packages from snapshots.
    o Increased speed of the dependency check pass for pkg_add(1).
    o Prevented process exit in multithreaded programs from reporting
      the wrong error code.
    o Allowed booting of amd64/i386 from GPT formatted disks larger than
    o When using the cat(1) -n flag, correctly enumerate files with more
      than INT_MAX lines.
    o Fixed a memory leak in's malloc.
    o Added a "xenodm" login class for xenodm(1) and increased openfiles
      to 512 to avoid running out of file descriptors with a busy
    o Stopped xenodm(1) from adding authorizations for TCP connections
      by default and added "listenTCP" to explicitly add authorizations
      for existing IP addresses on startup.
    o Skip adding the IPv6 link local addresses for TCP listener
      authorizations in xenodm(1), matching what is done by startx(1).
    o Fixed -s option for cmp(1).
    o Improve pledge in doas(1), specifically added pledge to the "-C"
      code path.
    o Improved performance of malloc(3)'s cache.
    o Made editing GPT in fdisk(8) safer by defaulting offset to the
      beginning of the largest free space and preventing the creation of
      overlapping partitions.
    o Fixed a crash that could occur in sndiod(8) when a USB device is
    o Append .html suffixes to temporary files in mandoc(1) to allow
      recognition by browsers.
    o Allow specification of a path to the mg(1) startup file on the
      command line.
    o Added a "batch" mode to mg(1) via the "-b" command line option,
      which will initialize a pty, run the specified file of mg commands
      and then exit.
    o Inverted the mg(1) "R" indicator to mean that a "*" next to a
      file's name indicates that it is read-only. Made the active buffer
      indicator more visible by changing it to ">".
    o Fixed ksh(1) redrawing of a multiline PS1 prompt in vi mode and
      added support for ^R (redraw) in insert mode.
    o Used unveil(2) to restrict filesystem access in apmd(8).
    o Removed the 30s minimum delay for xlock(1) timeouts.
    o Stopped deleting the control socket on exit in apmd(8), as
      deleting the socket after calling unveil(2) would cause an unveil

 - Improved hardware support and driver bugfixes, including:
    o Corrected accounting of zero length Transfer Descriptors in
      xhci(4), preventing running out of free Transfer Ring Blocks.
    o Moved mfokclock(4) from loongson to make it available for other
      platforms and renamed it to mfokrtc(4).
    o Fixed brightness setting on MacBooks.
    o Added AMD Vi and Intel VTD IOMMU support. This creates separate
      domains for each PCI device and can provide protection against
      invalid memory access.
    o Enabled brightness keys on powerbooks where the keyboard attaches
      as ukbd(4).
    o Set initial default display brightness on macppc via
      of_setbrightness() to ensure wscons(4) and ofw are in sync.
    o Added support for the PL2303HXN series chips to uplcom(4).
    o Added support for the PCA9547 I2C mux to pcamux(4).
    o Extended pcamux(4) with ACPI support.
    o Added acpige(4), a driver for ACPI generic event devices, used on
      various systems to implement power button handling.
    o Added pchgpio(4), a driver for the GPIO controllers found on
      modern Intel PCHs.
    o Added ACPI support to imxiic(4).
    o Fixed panics on the HoneyComb LX2K with amdgpu(4).
    o Fixed very old umass(4) devices where the INQUIRY command succeeds
      but with a residue equal to the requested bytes.
    o Added Gemini Lake I2C id to dwiic(4), making the touchpad work on
      the Teclast F7 Plus laptop.
    o Introduced ujoy(4), a restricted subset of uhid(4) for game
      controllers which uses /dev/ujoy/* device nodes.
    o Set up ims(4) devices in X11 to behave like touchpads.
    o Stopped relying on USB devices to correctly present their indices,
      instead searching for the correct interfaces. This fixes E+ Corp.
      DAC Audio devices.
    o Introduced uhidpp(4), a driver for Logitech HID++ devices.
    o Separated reading of general and touchpad-specific wsmouse(4)
      settings and corrected identification of device type when reading
      touchpad parameters fails.
    o Added support for 30-bit color modes to simplefb(4) and wsfb(4).
    o Made loongson kernels recognize Lynloong LM9002/9003 and LM9013
    o Use native display resolution 1368x768 for Lynloong all-in-one

 - New or improved network hardware support:
    o Fixed link state change behavior in 82598 ix(4) chips.
    o Fixed issues with network stopping after the first down/up cycle
      in mvpp(4) Marvel Armada Ethernet device.
    o Added SFP+ support to ofw, including support for direct attach
    o Added 10G media support to mvpp(4).
    o Added support for 1000base-x and 2500base-x connections to
    o Added mvsw(4), a driver for Marvel "SOHO" switches.
    o Enabled auto-negotiation on the SerDes links, allowing
      in-band-status to work between mvpp(4) and mvsw(4) on the ClearFog
      GT 8K.
    o Added support for the i.MX8MP PCIe clocks, USB clocks and second
    o Added Wake on LAN support to rge(4).
    o Enabled IPv4 and TCP/UDP checksum offload on transmission in
    o Raised the maximum number of queues/interrupts from 1 to 16 on
      mcx(4) devices.
    o Added support for the Netgear ProSecure UTM25 to octeon.
    o Added vid/pid table to umb(4) allowing matching to alternate

 - Added or improved wireless network drivers:
    o Fixed the athn(4) and urtwn(4) drivers in client mode against
      access points which use WPA1/TKIP as the group cipher.
    o Added multicast support to bwfm(4) to allow IPv6.
    o Fixed urtwn(4) repeated DEAUTH and loss/restoration of link.
    o Introduced a delay to work around an issue in bwfm(4) on the
      BCM43602 that was triggering "unexpected pairwise key update"
    o Enabled athn(4) for arm64.
    o Implemented a new 802.11n Tx rate adaptation algorithm ("RA") for
      iwm(4), iwn(4), and athn(4).
    o Fixed association problems with the ipw(4) and iwi(4) drivers.
    o Made iwx(4) attach to AX201 devices with PCI IDs 0x34f0 and
      0x06f0. Needs fw_update(1).
    o Fixed a problem where iwn(4) firmware would generate bogus block
      ack requests and stall traffic.
    o Fixed automatic channel selection in the athn(4) driver when
      running in hostap or monitor mode.

 - IEEE 802.11 wireless stack improvements and bugfixes:
    o Fixed length calculations in iwm(4) and iwx(4) when there are
      multiple MPDUs in one packet.
    o Fixed 802.11n interoperability with access points that offer
      management frame protection.
    o Flush the A-MPDU reorder buffer after gap timeout to prevent
      frames from remaining in the buffer until the next frame is
    o Avoid spurious "input packet decapsulations failed" errors in
      netstat(1) -W with A-MSDU enabled.
    o Fixed automatic selection of the 11a/b/g/n/ac operating mode when
      the interface is running as an access point.
    o Ensured crypto keys are installed before the link is brought up.

 - Generic network stack improvements and bugfixes:
    o Removed the maxburst feature from tcp_output(). Sending out TCP
      segments was limited to 4 packets per burst. This did not scale
      well on high bandwidth, high latency links. Especially when the
      receiving side delays ACK packets aggressively, the maxburst
      limitation could seriously reduce TCP throughput per connection.
    o Added a MONITOR feature to interfaces. Packets received on these
      interfaces do not enter the network stack for further processing.
      This can be used to watch traffic, for example with bpf(4) without
      risk of the packets interfering with the system.
    o Added etherbridge, the internals of a reusable learning bridge
      interface providing common code reusable for other drivers needing
      a mac learning bridge.
    o Introduced veb(4), a Virtual Ethernet Bridge driver.
    o Added the ability to force the selection of source IP address for
      programs that do not specify a source IP, overriding the default
      source IP selection algorithm. This is configurable via route(8)
      sourceaddr command.
    o Bring interfaces up when autoconfiguration for inet or inet6 is
      enabled (AUTOCONF4 or AUTOCONF6 flags).
    o Adjust terminology in ifconfig(8) to refer to "temporary address
      extensions" rather than the former "privacy extensions," including
      the addition of an AUTOCONF6TEMP flag (to replace the negative
      flag "INET6_NOPRIVACY"). The autoconfprivacy option in ifconfig(8)
      has been deprecated.
    o Made it possible to disable the "autoconf" flag but keep
      "temporary" enabled in ifconfig(8).
    o For IPv6 addresses, added tracking of address proposal creation
      times to be able to establish total lifetime. This information is
      used to renew pltime/vltime of privacy addresse per RFC 4941.
    o Prevented kernel reuse of mbuf memory when generating the ICMP6
      response to an IPv6 packet.
    o Use the toeplitz hash algorithm to set a flowid for tcp packets,
      which in turn is used to choose the tx ring on network cards with
      multiple rings.
    o Fixed wg(4) on macppc by keeping track of allowed ips pointer
    o Fixed wg(4) ioctl to handle multiple wgpeers.
    o Fixed a race between tx/rx handshakes in wg(4).
    o Prevented a potential hang when trying to remove a tun(4)
    o Used the correct rdomain when adding and deleting routes with
      mpip(4) and mpw(4).
    o Made ifconfig(8) "-mplslabel" work with mpw(4).

 - Installer and upgrade improvements:
    o Prevented a race in dhclient(8) privsep which could cause
      autoinstall to fail by calling ftp(1) without a local address.
    o Fixed hangs on amd64 bsd.rd due to misreported core clock
      frequency on newer Intel Comet Lake models.
    o Began distributing the gzip'd version of bsd.rd on all platforms
      with boot methods supporting it.
    o Fixed a problem which prevented use of sysupgrade(8) when an
      interface failed to come up and dhclient(8) didn't notice
      link-timeout expiration.
    o Prevented disklabel(8) from adjusting the swap 'b' partition size
      if physmem is zero to keep the auto-allocate code from putting a
      filesystem on that partition.
    o Emulate "[inet] autoconf" hostname.if(5) lines with "dhcp" so
      users testing dhcpleased(8) will still be able to upgrade manually
      while the installer uses only dhclient(8).
    o Restored dhclient.conf(5) to the group of network configuration
      files used during upgrades.

 - Security improvements:
    o Added notices to syslog whenever the "%n" format string component
      of printf(3) is used.
    o Removed workaround permitting Go executables to do syscalls
      directly, forcing them to use shared libc like all other dynamic

 - Routing daemons and other userland network improvements:
    o The bgpd(8) daemon saw the following changes:
       - Introduced bgpd(8) rde evaluate all to reduce path hiding in
         IXP route-server environments.
       - Added RTR support to OpenBGPD.
       - Added bgpctl(8) "show rtr" to display basic information about
         RTR sessions.
       - Added bgpctl(8) "show sets" to display information about the
         roa-set, as-sets and prefix-sets loaded into bgpd(8).
       - Properly implemented "rde med compare strict" in bgpd(8) and
         ensured that the order of prefixes is always correct.
       - Introduced a send hold timer in bgpd(8) to detect stalls on
         the sending side of a TCP connection, acting as a last resort
         to detect faulty peers.
       - Introduced the bgpd.conf(5) per neighbor and global config
         option "reject as-set yes/no" to allow rejection of received
         UPDATES with AS_SET segments. These rejected prefixes can be
         viewed with bgpctl(8) "show rib in error".
       - No longer allow configuration of the same neighbor multiple
         times in bgpd(8).
       - pf(4) tables now track prefixes correctly even when received
         by multiple sessions.
       - Fixed a memory leak when parsing bgpd(8) roa-set lists.
    o The ospfd(8) and ospf6d(8) routing daemons were refactored to keep
      the code similar to changes in other routing daemons and to
      improve maintainability.
      Additionally, support for point-to-point interfaces in ospf6d(8)
      was fixed and ospfd(8) now works with point-to-point interfaces
      which use a common IP address.
    o The pf(4) packet filter and its userland utility:
       - Relaxed checks in pfctl(8) and pf(4) to accept any valid
         routing domain, even if it does not yet exist.
       - Made pfctl(8) detect and reject bogus ranges before loading
         the ruleset to prevent a panic.
       - Changed route-to in pf.conf(5) to send packets to IPs instead
         of interfaces.
       - Changed pf_route so pf(4) only runs when packets enter and
         leave the stack. Running the same packet through pf multiple
         times creates confusion for the state table. By default, pf
         states are floating, meaning that packets are matched to
         states regardless of which interface they're going over. This
         diff avoids multiple pf(4) traversals of one packet causing
         confusion in the state table.
       - Prevented the kernel from being stuck in an endless recursion
         during TCP path MTU discovery when pf(4) changes the routing
         table when sending packets.
       - When cutting off the head of an overlapping fragment during
         pf(4) reassembly, reinserted the fragment into the lookup
         table with the correct index.
       - Improved tftpd(8) logging to report the reasons a transfer
    o IPSEC support in the kernel and the iked(8) userland daemon:
       - Added support to request IP addresses as IKEv2 initiator to
         iked(8). If 'request addr' is configured, any address
         will be accepted.
       - Make iked(8) accept ANY dynamic address with 'request addr'.
       - Added 'dynamic' keyword to iked.conf(5) to allow
         configuration of flows to dynamically assigned addresses.
       - Added the 'any' keyword to iked.conf(5) for requests to allow
         "request address any".
       - Enabled iked(8) support for ASN1_DN ipsec identifiers.
       - Implemented iked(8) "from dynamic," installing flows where
         "dynamic" is replaced by the received dynamic IP address.
       - Made sure not to replace with a dynamic address in
         iked(8) if it is a network address.
       - Added iked(8) -s socket option to specify a control socket.
       - Used a counter instead of random IV for AES-GCM in iked(8),
         eliminating the risk of random collisions.
       - Added iked(8) support for multiple address pools.
       - Added the iked(8) "set stickyaddress" option, which attempts
         to assign the same "config address" when an IKESA is
         negotiated with the DSTID of an existing IKESA.
       - Ensured rekeying of every child SA in iked(8).
       - Added iked(8) support for RSASSA-PSS signature verification
         (RFC 7427).
       - Corrected the first packet of an ipsec(4) SA to have sequence
         number 1.
       - Accepted reject and blackhole routes for IPsec PMTU
       - Prevented leaking of ipsec_hosts in iked(8) when building
       - Prevented initiation of new additional SAs for each policy
         upon every ikectl(8) config reload.
       - Fixed "any" and "dynamic" keywords for flows in iked(8) and
         added proper IPv6 support.
       - Created a path MTU host route for IPsec(4) over IPv6.
       - Added support for INVALID_KE_PAYLOAD in iked(8)
         CREATE_CHILD_SA exchange.
       - Added support for RSA-PSS PKCS1 signatures to iked(8).
       - Fixed path MTU discovery for ESP tunnels in IPv6.
       - Upgraded to OpenSSL 1.1 compatible crypto API in iked(8).
       - Added an optional "group none" transform for child SAs in
         iked(8) to ensure the ability to negotiate optional PFS.
       - Added iked(8) dynamic address configuration for roadwarrior
         clients, with a new "iface" config option which can be used
         to specify an interface for the virtual addresses received
         from the peer.
       - Fixed an iked(8) interop problem with strongswan if
         make-before-break is enabled.
    o The httpd(8) webserver saw numerous improvements:
       - Prevented a crash due to httpd(8) listening on port 443 with
         missing TLS certificates.
       - Created a new "location (found|notfound)" option for
         httpd.conf(5) to allow testing for resource path existence.
       - Fixed detection of duplicate locations in httpd(8).
       - Fixed leak of access and error log filenames on config reload
         in httpd(8).
       - Avoid leaking the log message in httpd(8)'s server_sendlog.
       - Incorrect order of close(2) and tls_close(3) together with a
         bug in libssl led to leaking memory in httpd(8) for each TLS
       - Fixed the httpd(8) example configuration not to generate
         errors when running without TLS keys already in place.
       - Optimized disk reads of httpd(8) by using st_blocksize as
         high water mark instead of the socket buffer size.
       - Do not compare TLS config params for non-TLS servers. This
         allows using listen on * port 80 and listen on * port 443 in
         the same server block in httpd.conf(5).
    o rpki-client(8) received the following new features and bugfixes:
       - Added RRDP (The RPKI Repository Delta Protocol, RFC 8182)
         support as a 'technology preview'. To use it, the "-r" flag
         needs to be used.
       - Support the use of more than one URI in the TAL file, sorting
         with a preference for https.
       - Validation of ghostbuster records (RFC 6493).
       - Fixed checks of the manifest validity interval.
       - The rsync connection is now killed when the rsync server
       - Limited the URL embedded in .cer files to alphanumeric
         characters and punctuation.
       - Added a "-V" option to show version.
       - Included the default cert.pem file path in tls_load_file
         error messages.
    o The dig(1) DNS utility received the following updates:
       - Implemented RFC 8914 Extended DNS Errors for dig(1).
       - Fixed dig(1) EDNS Client Subnet option (+subnet=).
       - Fixed IPv6 link-local address handling for nameservers to
         talk to and for address to bind to in dig(1).
       - Implemented ZONEMD (RFC 8976) in dig(1) to convey a message
         digest of the content of a DNS zone.
    o Changes to dhclient(8):
       - Fixed incorrect behavior when using dhclient.conf(5) to
         change the lease renew/rebind/expiry timing.
       - Allowed the provision of dhclient(8) options on "dhcp" lines
         in hostname.if(5) files.
       - Converted all timers from time(3) values to clock_gettime(2)
         CLOCK_MONOTONIC values.
       - Removed -L command line option.
       - Improved debug output.
       - Improved re-acquisition of a previous address by immediately
         accepting any OFFER for the address, rather than waiting for
         'select-timeout' to expire.
       - Exit immediately if the -c option specifies a non-existent
       - Exit immediately if the -i option contains invalid
    o Two new daemons, dhcpleased(8) and resolvd(8) were added. These
      work alongside with slaacd(8) and unwind(8) to provide a coherent
      and simple automatic configuration of network interfaces and DNS
      The two daemons are not enabled by default for now, but can be
      tested by enabling them with rcctl(8).
       - dhcpleased(8) implements the DHCP protocol to acquire IPv4
         address leases from servers.
       - resolvd(8) manages the content of resolv.conf(5) based on
         nameserver proposals from dhcpleased(8), slaacd(8), and
         drivers like umb(4).
    o Changes to snmp related tools:
       - libagentx(3) moved its API prefix from subagentx_ to agentx_.
       - agentx_varbind_integer(3) now accepts an int32_t as per
         SMI/RFC 2578.
       - agentx_varbind_unsigned32(3) has been added as an alias for
       - snmpd.conf(5) no longer accepts the old listen on address
         [tcp|udp] syntax. Only the new listen on [tcp|udp] address
         syntax is now supported.
       - snmpd(8) now fully implements RFC3584 Trapv1 to Trapv2
         conversion for the trap handle.
       - sysUpTime and snmpTrapOID now respect snmpd(8)'s -N flag,
         similar to the other values sent by the trap handle.
       - snmpd.conf(5) now accepts the read, write, and notify
         keywords. This allows for request type filtering per listen
         on statement and custom trap handle ports.
       - snmp(1) now has initial support for SMI enums. For now only
         TruthValue is implemented on ifPromiscuousMode and
       - snmp(1) now interprets the "u" data type as unsigned integer.
    o Other userland network changes:
       - Fixed ldapd(8) cert and key path inference for absolute
       - Fixed incorrect cast in a vsnprintf(3) error check in
       - Applied unveil(2) to ldapd(8).
       - Changed ping(8) to drain the raw socket of packets received
         before it is fully set up to avoid reporting ICMP responses
         intended for other instances of ping(8) running in parallel.
       - Added ping(8) -g option to provide a visual display of
         packets received and lost.
       - Changed slaacd(8) Duplicate Address Detection (DAD) to only
         generate a new address if we are using Semantically Opaque
         Interface Identifiers.
       - Handled an autoconf interface changing its rdomain in
       - Completed slaacd(8) implementation of RFC 8981 temporary
         address extensions.
       - Do not leak the domains listed in unwind(8)'s blocklist file
         on each config reload.
       - Do not leak duplicate domain nodes when loading the unwind(8)
       - Fixed rare crashes of unwind(8) when DNS answers are larger
         than the maximum imsg size.
       - Implemented unwind(8) listening on TCP.
       - Implemented DNS64 synthesis in unwind(8).
       - Disabled logging to syslog(3) for libunbound with unwind(8).
         Does not prevent logging to stderr with "unwind -d".
       - Added a simple --timeout implementation to openrsync(1).
       - Added the rsync(1) option --no-motd to suppress the
         information output by the client at the start of a daemon
       - Added support for the use of !command to mygate(5), so that
         netstart has a late opportunity to perform network
       - Make rad(8) to handle multiple rdomains in a single daemon
         (instead of running it in multiple rdomains).
       - Added a specific headline to netstat(1) for TCP state and IP
       - Handle permanent redirects (RFC 7538) in ftp(1) fetch.
       - Introduced ftp(1) support for sending the If-Modified-Since
         header while fetching over http or https. Switched to using
         the timestamps from the remote server's Last-Modified header
         if available when saving local files and introduced the ftp
         "-u" flag to disable this behavior.
       - Made ftp(1) set timestamps only on files.
       - Added requests for a new certificate without requiring -F
         when acme-client(1) detects an added or removed SAN in the
         config file not reflected in the existing certificate on
       - Print rewritten addresses in tcpdump(8) logged with pflog(4)
         for rdr-to, nat-to and af-to rules.
       - When calling getaddrinfo(3) with AI_ADDRCONFIG, consider the
         routing domain when checking for available address families.
         This ensures that name resolution is only performed for the
         address families available in the rdomain.
       - Implemented the nc(1) -D socket debug option in tcpbench(1),
         allowing analysis of TCP connections.
       - Avoid leaking the help text in systat(8).
       - Increased the maximum length for CHAP challenges to 96 octets
         to ensure npppd(8) can handle longer challenges, such as
         those sent by Juniper.

 - tmux(1) improvements and bug fixes:
    o Made tmux(1) synchronize-panes a pane option and added set-option
      -U flag to unset an option on all panes.
    o Allowed use of ## and # in tmux(1) styles and added a "w" format
      modifier for width.
    o Added a -C flag to tmux(1) run-shell to use a tmux command rather
      than a shell command.
    o Added a tmux(1) -N flag to never start the server even if the
      command would normally do so.
    o Added the new tmux(1) -S flag to new-window to select the existing
      window if one with the given name already exists, rather than
    o Added support for X11 color names and other variations for OSC
      10/11 and added OSC 110 and 111 to tmux(1).
    o Removed tmux(1) support for popups where the content is provided
      directly to tmux.
    o Added a tmux(1) "absolute-centre" alignment to use the center of
      the total space instead of the available space.
    o Added tmux(1) split-window -Z to start the pane zoomed.
    o Added client-detached notification in tmux(1) control mode.
    o Changed tmux(1) search-again with vi keys to work like vi(1).

 - OpenSMTPD 6.9.0
    o Introduced smtp(1) -a to perform authentication before sending a
    o Fixed a memory leak in smtpd(8) resolver.
    o Prevented a crash due to premature release of resources by the
      smtpd(8) filter state machine.
    o Switch to libtls internally.
    o Change the way SNI works in smtpd.conf(5). TLS listeners may be
      configured with multiple certificates. The matching is based on
      the names included in these certificates.
    o Allow to specify tls protocols and ciphers per listener and relay

 - LibreSSL 3.3.2
    o New Features
       - Support for DTLSv1.2.
       - Continued rewrite of the record layer for the legacy stack.
       - Numerous bugs and interoperability issues were fixed in the
         new verifier. A few bugs and incompatibilities remain, so
         this release uses the old verifier by default.
       - The OpenSSL 1.1 TLSv1.3 API is not yet available.
    o Portable Improvements
       - Added '--enable-libtls-only' build option, which builds and
         installs a statically-linked libtls, skipping libcrypto and
         libssl. This is useful for systems that ship with OpenSSL but
         wish to also package libtls.
       - Update getentropy on Windows to use Cryptography Next
         Generation (CNG). wincrypt is deprecated and no longer works
         with newer Windows environments, such as in Windows Store
    o API and Documentation Enhancements
       - Add a number of RPKI OIDs from RFC 6482, 6484, 6493, 8182,
         8360, draft-ietf-sidrops-rpki-rta, and
       - Add support for SSL_get_shared_ciphers(3) with TLSv1.3.
       - Add DTLSv1.2 methods.
       - Implement SSL_is_dtls(3) and use it internally in place of
         the SSL_IS_DTLS macro.
       - Provide EVP_PKEY_new_CMAC_KEY(3).
       - Add missing prototype for d2i_DSAPrivateKey_fp(3) to x509.h.
       - Add DTLSv1.2 to openssl(1) s_server and s_client protocol
         message logging.
       - Provide SSL_use_certificate_chain_file(3).
       - Provide SSL_set_hostflags(3) and SSL_get0_peername(3).
       - Provide various DTLSv1.2 specific functions and defines.
       - Document meaning of '*' in the genrsa output.
       - Updated documentation for SSL_get_shared_ciphers(3).
       - Add documentation for SSL_get_finished(3).
       - Document EVP_PKEY_new_CMAC_key(3).
       - Document SSL_use_certificate_chain_file(3).
       - Document SSL_set_hostflags(3) and SSL_get0_peername(3).
       - Update SSL_get_version(3) manual for DTLSv.1.2 support.
       - Make supported protocols and options for DHE params more
         prominent in tls_config_set_protocols(3).
       - Various documentation improvements around TLS methods.
    o Compatibility Changes
       - Make openssl(1) s_server ignore -4 and -6 for compatibility
         with OpenSSL.
       - Set SO_REUSEADDR on the server socket in the openssl(1) ocsp
       - Send a host header with OCSP queries to make openssl(1) ocsp
         work with some widely used OCSP responders.
       - Add ability to ocspcheck(8) to parse a port in the specified
         OCSP URL.
       - Implement auto chain for the TLSv1.3 server since some
         software relies on this.
       - Implement key exporter for TLSv1.3.
       - Align SSL_get_shared_ciphers(3) with OpenSSL. This takes into
         account that it never returned server ciphers, so now it will
         fail when called from the client side.
       - Sync cert.pem with Mozilla NSS root CAs except "GeoTrust
         Global CA".
       - Make SSL{_CTX,}_get_{min,max}_proto_version(3) return a
         version of zero if the minimum or maximum has been set to
         zero to match OpenSSL's behavior.
       - Add DTLSv1.2 support to openssl(1) s_client/s_server.
    o Testing and Proactive Security
       - Malformed ASN.1 in a certificate revocation list or a
         timestamp response token can lead to a NULL pointer
       - Pull in fix for EVP_CipherUpdate(3) overflow from OpenSSL.
       - Use EXFLAG_INVALID to handle out of memory and parse errors
         in x509v3_cache_extensions().
       - Refactor and clean up ocspcheck(8) and add regression tests.
    o Internal Improvements
       - Further cleanup of the DTLS record handling.
       - Continue the replacement of the TLSv1.2 record layer by
         reimplementing the read side of the TLSv1.2 record handling.
       - Replace DTLSv1_enc_data() with TLSv1_1_enc_data().
       - Merge d1_{clnt,srvr}.c into ssl_{clnt,srvr}.c.
       - Add const to ssl_ciphers and tls1[23]_sigalgs* to push them
         into and .rodata, respectively.
       - Add a const qualifier to srtp_known_profiles.
       - Simplify TLS method by removing the client and server
         specific methods internally.
       - Avoid casting away const in ssl_ctx_make_profiles().
       - Avoid explicitly conditioning an assert on DTLS1_VERSION to
         make the assert work for newer DTLS versions.
       - Add a flag to mark DTLS methods as DTLS to have an easy way
         to recognize DTLS methods that avoids inspecting the version
       - Mark a few more internal static tables const.
       - Switch finish{,_peer}_md_len from an int to a size_t.
       - Use EVP_MD_MAX_MD_SIZE instead of 2 * EVP_MD_MAX_MD_SIZE as
         size for cert_verify_md[], finish_md[] and peer_finish_md[].
         The factor 2 was a historical artefact.
       - Free struct members in tls13_record_layer_free() in their
         natural order for reviewability.
       - Use consistent names in
       - Add tls13_secret_{init,cleanup}() and use them throughout the
         TLSv1.3 code base.
       - Move the read MAC key into the TLSv1.2 record layer.
       - Make tls12_record_layer_free() NULL safe.
       - Split the record protection from the TLSv1.2 record layer.
       - Clean up sequence number handling in the new TLSv1.2 record
       - Clean up sequence number handling in DTLS.
       - Clean up dtls1_reset_seq_numbers().
       - Factor out code for explicit IV length, block size and MAC
         length from
       - Provide record layer overhead for DTLS.
       - Provide functions to determine if TLSv1.2 record protection
         is engaged.
       - Add code to handle change of cipher state in the new TLSv1.2
         record layer.
       - Mop up now unused dtls1_build_sequence_numbers() function.
       - Allow setting a keypair on a tls context without specifying
         the private key, and fake it internally in libtls. This
         removes the need for privsep engines like relayd to use bogus
       - Skip the private key check for fake private keys.
       - Move the private key setup from tls_configure_ssl_keypair()
         to a helper function with proper error checking.
       - Change the internal tls_configure_ssl_keypair() function to
         return -1 instead of 1 on failure.
       - Move sequence numbers into the new TLSv1.2 record layer.
       - Move AEAD handling into the new TLSv1.2 record layer.
       - Factor out legacy stack version checks.
       - Correct handshake MAC/PRF for various TLSv1.2 cipher suites
         which were originally added with the default handshake MAC
         and PRF rather than the SHA256 handshake MAC and PRF.
       - Absorb ssl3_get_algorithm2() into ssl_get_handshake_evp_md().
       - Use dtls1_record_retrieve_buffered_record() to load buffered
         application data.
       - Enforce read ahead with DTLS.
       - Remove bogus DTLS checks that disabled ECC and OCSP.
       - Clean up and simplify dtls1_get_cipher().
       - Group HelloVerifyRequest decoding and add missing check for
         trailing data.
       - Revise HelloVerifyRequest handling for DTLSv1.2.
       - Handle DTLS1_2_VERSION in various places.
       - Rename the "truncated" label into "decode_err" and the
         "f_err" label into "fatal_err".
       - Factor out and change some of the legacy client version code.
       - Simplify version checks in the TLSv1.3 client. Ensure that
         the server announced TLSv1.3 and nothing higher and check
         that the legacy_version is set to TLSv1.2 as required by RFC
       - Only use TLS versions internally rather than both TLS and
         DTLS versions since the latter are the one's complement of
         the human readable version numbers, which means that newer
         versions decrease in value.
       - Identify DTLS based on the version major value.
       - Move handling of cipher/hash based cipher suites into the new
         record layer.
       - Add tls12_record_protection_unused() and call it from CCS
       - Move key/IV length checks closer to usage sites. Also add
         explicit checks against EVP_CIPHER_{iv,key}_length().
       - Replace two handrolled tls12_record_protection_engaged().
       - Improve internal version handling: add handshake fields for
         our minimum version, our maximum version and the TLS version
         negotiated during the handshake. Convert most of the internal
         code to use these version fields.
       - Guard against future internal use of
         TLS1_get_{client,}_version() macros.
       - Remove the internal ssl_downgrade_max_version() function
         which is no longer needed.
       - Add support for DTLSv1.2 version handling.
       - Remove no longer needed read ahead workarounds in the
         s_client and s_server.
       - Split TLSv1.3 record protection from record layer.
       - Move the TLSv1.3 handshake struct inside the shared handshake
       - Fully initialize rrec in
         tls12_record_layer_open_record_protected() to avoid confusing
         some static analyzers.
       - Use tls_set_errorx() on OCSP_basic_verify() failure since the
         latter does not set errno.
       - Convert openssl(1) x509 to new option handling and do the
         usual clean up that goes along with it.
       - Add SSL_HANDSHAKE_TLS12 for TLSv1.2 specific handshake data.
       - Rename new_cipher to cipher to align naming with keyblock or
         other parts of the handshake data.
       - Move the TLSv1.2 record number increment into the new record
       - Move finished and peer finished into the handshake struct.
       - Remove pointless assignment in SSL_get0_alpn_selected().
       - Add some error checking to openssl(1) x509.
    o Bug Fixes
       - Move point-on-curve check to set_affine_coordinates to avoid
         verifying ECDSA signatures with unchecked public keys.
       - Fix SSL_is_server(3) to behave as documented by
         re-introducing the client-specific methods.
       - Avoid undefined behavior due to memcpy(NULL, NULL, 0).
       - Make SSL_get{,_peer}_finished() work when used with TLSv1.3.
       - Correct the return value type from ERR_peek_error() to a
       - Avoid use of uninitialized in ASN1_time_parse() which could
         happen on parsing UTCTime if the caller did not initialize
         the passed struct tm.
       - Destroy the mutex in a tls_config object on
       - Free alert_data and phh_data in tls13_record_layer_free().
         These could leak if SSL_shutdown(3) or tls_close(3) were
         called after closing the underlying socket().
       - Gracefully handle root certificates being both trusted and
       - Handle X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE in the new
       - Use the legacy verifier when building auto chains for TLS.
       - Search the intermediates only after searching the root certs
         in the new verifier to avoid problems with the legacy
       - Bail out early after finding a single chain in the new
         verifier, if we have been called via the legacy verifier API.
       - Set (invalid and likely incomplete) chain on the xsc on chain
         build failure prior to calling the callback. This is required
         by various callers, including auto chain.
       - Remove direct assignment of aead_ctx to avoid a leak.
       - Fail early in legacy exporter if the master secret is not
         available to avoid a segfault if it is called when the
         handshake is not completed.
       - Only print the certificate file once on verification failure.
       - Fix an off-by-one in x509_verify_set_xsc_chain() to make sure
         that the new validator checks for EXFLAG_CRITICAL in
         x509_vfy_check_chain_extension() for all untrusted certs in
         the chain. Take into account that the root is not necessarily
       - Avoid passing last and depth to x509_verify_cert_error() on
       - Fix two bugs in the legacy verifier that resulted from
         refactoring of X509_verify_cert(3) for the new verifier: a
         return value was incorrectly treated as boolean, making it
         insufficient to decide whether validation should carry on or
       - Fix checks for memory caps of constraints names. There are
         internal caps on the number of name constraints and other
         names, that the new name constraints code allocates per cert
         chain. These limits were checked too late, making them only
         partially effective.
       - Fix a copy-paste error - skid was confused with an akid when
         checking for EXFLAG_INVALID. This broke OCSP validation with
         certain mirrors.
       - Avoid a use-after-scope in tls13_cert_add().
       - Avoid mangled output in BIO_debug_callback().
       - Fix client initiated renegotiation by replacing use of
         s->internal-type with s->server.
       - Avoid transcript initialization when sending a TLS
         HelloRequest, fixing server initiated renegotiation.
       - Avoid leaking param->name in x509_verify_param_zero().
       - Avoid a leak in an error path in openssl(1) x509.
       - When sending an alert in TLSv1.3, only set its error code
         when no other error was set previously. Certain clients rely
         on specific SSL_R_ error codes to identify that they are
         dealing with a self signed cert.
       - When switching from the TLSv1.3 stack to the legacy stack
         include a TLS record header. This is necessary if there is
         more than one handshake message in the TLS plaintext record.
       - Fix resource handling on error in OCSP_request_add0_id().
       - Make sure there is enough room for stashing the handshake
         message when switching to the legacy TLS stack.
       - Fix a memory leak in the openssl(1) s_client.
       - Unbreak DTLS retransmissions for flights that include a CCS.
       - If x509_verify() fails, ensure that the error is set on both
         the x509_verify_ctx() and its store context to make some
         failures visible from SSL_get_verify_result().
       - Use the X509_STORE_CTX get_issuer() callback from the new
         X.509 verifier to fix hashed certificate directories.
       - Only check BIO_should_read(3) on read and BIO_should_write(3)
         on write. Previously, BIO_should_write(3) was also checked
         after read and BIO_should_read(3) after write which could
         cause stalls in software that uses the same BIO for read and
       - In openssl(1) verify, also check for error on the store
         context since the return value of X509_verify_cert(3) is
         unreliable in presence of a callback that returns 1 too
       - Handle additional certificate error cases in the new X.509
         verifier. Keep track of the errors encountered if a verify
         callback tells the verifier to continue and report them back
         via the error on the store context. This mimics the behavior
         of the old verifier that would persist the first error
         encountered while building the chain.
       - Report specific failures for "self signed certificates" in a
         way compatible with the old verifier since software relies on
         the error code.
       - Plug a large memory leak in the new verifier caused by
         calling X509_policy_check(3) repeatedly.
       - Avoid leaking memory in x509_verify_chain_dup().

 - OpenSSH 8.5
    o Security fixes
       - ssh-agent(1): fixed a double-free memory corruption that was
         introduced in OpenSSH 8.2 . We treat all such memory faults
         as potentially exploitable. This bug could be reached by an
         attacker with access to the agent socket.
         On modern operating systems where the OS can provide
         information about the user identity connected to a socket,
         OpenSSH ssh-agent and sshd limit agent socket access only to
         the originating user and root. Additional mitigation may be
         afforded by the system's malloc(3)/free(3) implementation, if
         it detects double-free conditions.
         The most likely scenario for exploitation is a user
         forwarding an agent either to an account shared with a
         malicious user or to a host with an attacker holding root
    o Potentially incompatible changes
       - ssh(1), sshd(8): this release changes the first-preference
         signature algorithm from ECDSA to ED25519.
       - ssh(1), sshd(8): set the TOS/DSCP specified in the
         configuration for interactive use prior to TCP connect. The
         connection phase of the SSH session is time-sensitive and
         often explicitly interactive. The ultimate interactive/bulk
         TOS/DSCP will be set after authentication completes.
       - ssh(1), sshd(8): remove the pre-standardization cipher It is an alias for aes256-cbc
         before it was standardized in RFC4253 (2006), has been
         deprecated and disabled by default since OpenSSH 7.2 (2016)
         and was only briefly documented in ssh.1 in 2001.
       - ssh(1), sshd(8): update/replace the experimental post-quantum
         hybrid key exchange method based on Streamlined NTRU Prime
         coupled with X25519.
         The previous method is
         replaced with Per its
         designers, the sntrup4591761 algorithm was superseded almost
         two years ago by sntrup761. (Note that both the updated
         method and the one that it replaced are disabled by default.)
       - ssh(1): disable CheckHostIP by default. It provides
         insignificant benefits while making key rotation
         significantly more difficult, especially for hosts behind
         IP-based load-balancers.
    o New Features
       - ssh(1): this release enables UpdateHostkeys by default
         subject to some conservative preconditions:
      # The key was matched in the UserKnownHostsFile (and not
        in the GlobalKnownHostsFile).
      # The same key does not exist under another name.
      # A certificate host key is not in use.
      # known_hosts contains no matching wildcard hostname
      # VerifyHostKeyDNS is not enabled.
      # The default UserKnownHostsFile is in use.
         We expect some of these conditions will be modified or
         relaxed in future.
       - ssh(1), sshd(8): add a new LogVerbose configuration directive
         for that allows forcing maximum debug logging by
         file/function/line pattern-lists.
       - ssh(1): when prompting the user to accept a new hostkey,
         display any other host names/addresses already associated
         with the key.
       - ssh(1): allow UserKnownHostsFile=none to indicate that no
         known_hosts file should be used to identify host keys.
       - ssh(1): add a ssh_config KnownHostsCommand option that allows
         the client to obtain known_hosts data from a command in
         addition to the usual files.
       - ssh(1): add a ssh_config PermitRemoteOpen option that allows
         the client to restrict the destination when RemoteForward is
         used with SOCKS.
       - ssh(1): for FIDO keys, if a signature operation fails with a
         "incorrect PIN" reason and no PIN was initially requested
         from the user, then request a PIN and retry the operation.
         This supports some biometric devices that fall back to
         requiring PIN when reading of the biometric failed, and
         devices that require PINs for all hosted credentials.
       - sshd(8): implement client address-based rate-limiting via new
         sshd_config(5) PerSourceMaxStartups and PerSourceNetBlockSize
         directives that provide more fine-grained control on a
         per-origin address basis than the global MaxStartups limit.
    o Bugfixes
       - ssh(1): Prefix keyboard interactive prompts with
         "(user@host)" to make it easier to determine which connection
         they are associated with in cases like scp -3, ProxyJump,
         etc. bz#3224
       - sshd(8): fix sshd_config SetEnv directives located inside
         Match blocks. GHPR#201
       - ssh(1): when requesting a FIDO token touch on stderr, inform
         the user once the touch has been recorded.
       - ssh(1): prevent integer overflow when ridiculously large
         ConnectTimeout values are specified, capping the effective
         value (for most platforms) at 24 days. bz#3229
       - ssh(1): consider the ECDSA key subtype when ordering host key
         algorithms in the client.
       - ssh(1), sshd(8): rename the PubkeyAcceptedKeyTypes keyword to
         PubkeyAcceptedAlgorithms. The previous name incorrectly
         suggested that it control allowed key algorithms, when this
         option actually specifies the signature algorithms that are
         accepted. The previous name remains available as an alias.
       - ssh(1), sshd(8): similarly, rename HostbasedKeyTypes (ssh)
         and HostbasedAcceptedKeyTypes (sshd) to
       - sftp-server(8): add missing
         documentation and advertisement in the server's
         SSH2_FXP_VERSION hello packet.
       - ssh(1), sshd(8): more strictly enforce KEX state-machine by
         banning packet types once they are received. Fixes memleak
         caused by duplicate SSH2_MSG_KEX_DH_GEX_REQUEST (oss-fuzz
       - sftp(1): allow the full range of UIDs/GIDs for chown/chgrp on
         32bit platforms instead of being limited by LONG_MAX. bz#3206
       - Minor man page fixes (capitalization, commas, etc.) bz#3223
       - sftp(1): when doing an sftp recursive upload or download of a
         read-only directory, ensure that the directory is created
         with write and execute permissions in the interim so that the
         transfer can actually complete, then set the directory
         permission as the final step. bz#3222
       - ssh-keygen(1): document the -Z, check the validity of its
         argument earlier and provide a better error message if it's
         not correct. bz#2879
       - ssh(1): ignore comments at the end of config lines in
         ssh_config, similar to what we already do for sshd_config.
       - sshd_config(5): mention that DisableForwarding is valid in a
         sshd_config Match block. bz3239
       - sftp(1): fix incorrect sorting of "ls -ltr" under some
         circumstances. bz3248.
       - ssh(1), sshd(8): fix potential integer truncation of
         (unlikely) timeout values. bz#3250
       - ssh(1): make hostbased authentication send the signature
         algorithm in its SSH2_MSG_USERAUTH_REQUEST packets instead of
         the key type. This makes HostbasedAcceptedAlgorithms do what
         it is supposed to - filter on signature algorithm and not key

 - Ports and packages:
    o Pre-built packages are available for the following architectures on
      the day of release:
       - aarch64 (arm64): 10943
       - amd64: 11310
       - i386: 10468
       - mips64: 8182
       - powerpc64: 9341
       - sparc64: 9642
    o Packages for the following architectures will be made available as
      their builds complete:
       - arm
       - mips64el
       - powerpc

 - Some highlights:

    o Asterisk 18.3.0                 o Mutt 2.0.6 and NeoMutt 20210205
    o Audacity 2.4.2                  o Node.js 12.16.1
    o CMake 3.19.4                    o OCaml 4.10.0
    o Chromium 90.0.4430.72           o OpenLDAP 2.4.58
    o Emacs 27.2                      o PHP 7.2.34, 7.3.27, 7.4.16 and 8.0.3
    o FFmpeg 4.3.2                    o Postfix 3.5.10
    o GCC 8.4.0                       o PostgreSQL 13.2
    o GHC 8.10.3                      o Python 2.7.18, 3.8.8 and 3.9.2
    o GNOME 3.38                      o Qt 5.15.2
    o Go 1.16.2                       o R 4.0.5
    o JDK 8u282 and 11.0.10           o Ruby 2.6.7, 2.7.3 and 3.0.1
    o KDE Applications 20.12.3        o Rust 1.51.0
    o KDE Frameworks 5.80.0           o SQLite 3.34.1
    o Krita 4.4.3                     o Shotcut 21.01.29
    o LLVM/Clang 10.0.1               o Sudo 1.9.6p1
    o LibreOffice             o Suricata 6.0.1
    o Lua 5.1.5, 5.2.4 and 5.3.6      o Tcl/Tk 8.5.19 and 8.6.8
    o MariaDB 10.5.9                  o TeX Live 2020
    o Mono                 o Vim 8.2.2580 and Neovim 0.4.4
    o Mozilla Firefox 88.0 and        o Xfce 4.16
      ESR 78.10.0
    o Mozilla Thunderbird 78.10.0

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.7 with xserver 1.20.10 + patches,
      freetype 2.10.4, fontconfig 2.12.4, Mesa 20.0.8, xterm 367,
      xkeyboard-config 2.20, fonttosfnt 1.2.1, and more)
    o LLVM/Clang 10.0.1 (+ patches)
    o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    o Perl 5.32.1 (+ patches)
    o NSD 4.3.6
    o Unbound 1.13.1
    o Ncurses 5.7
    o Binutils 2.17 (+ patches)
    o Gdb 6.3 (+ patches)
    o Awk December 18, 2020 version
    o Expat 2.2.10

- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each release.  Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible.  Therefore, we advise regular
visits to

- MAILING LISTS AND FAQ ------------------------------------------------

Mailing lists are an important means of communication among users and
developers of OpenBSD.  For information on OpenBSD mailing lists, please

You are also encouraged to read the Frequently Asked Questions (FAQ) at:

- DONATIONS ------------------------------------------------------------

The OpenBSD Project is a volunteer-driven software group funded by
donations.  Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others.  This ecosystem is all handled under the same funding umbrella.

We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon

All of our developers strongly urge you to donate and support our future
efforts.  Donations to the project are highly appreciated, and are
described in more detail at:

- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation ( is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.

There may also be exposure benefits since the Foundation may be
interested in participating in press releases.  In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at for
more information.

- RELEASE SONG ---------------------------------------------------------

OpenBSD 6.9 comes with the song "Vetera Novis".  Lyrics (and an
explanation) of the song may be found at:

- HTTPS INSTALLS -------------------------------------------------------

OpenBSD can be easily installed via HTTPS downloads.  Typically you need
a single small piece of boot media (e.g., a USB flash drive) and then
the rest of the files can be installed from a number of locations,
including directly off the Internet.  Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTPS.

1) Read either of the following two files for a list of HTTPS mirrors
   which provide OpenBSD, then choose one near you:

   As of May 1, 2021, the following HTTPS mirror sites have the
   6.9 release:            Global         Stockholm, Sweden          Frankfurt, Germany           Oldenburg, Germany         Paris, France       Brisbane, Australia        CO, USA       CA, USA            TX, USA     Toronto, Canada Global     Global

        The release is also available at the master site:            Alberta, Canada

        However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that HTTPS mirror site and go into the directory
   pub/OpenBSD/6.9/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     armv7/        octeon/             sgi/
        README           hppa/ sparc64/
        SHA256           i386/         packages/           src.tar.gz
        SHA256.sig       landisk/      packages-stable/    sys.tar.gz
        alpha/           loongson/     ports.tar.gz        xenocara.tar.gz
        amd64/           luna88k/      powerpc64/
        arm64/           macppc/       root.mail

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, amd64.  This is a list of what you will see:

        BOOTIA32.EFI*   bsd*            floppy69.img    pxeboot*
        BOOTX64.EFI**         game69.tgz      xbase69.tgz
        BUILDINFO       bsd.rd*         index.txt       xfont69.tgz
        INSTALL.amd64   cd69.iso        install69.img   xserv69.tgz
        SHA256          cdboot*         install69.iso   xshare69.tgz
        SHA256.sig      cdbr*           man69.tgz
        base69.tgz      comp69.tgz      miniroot69.img

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
   and install69.iso.  The install69.iso file (roughly 545MB in size)
   is a one-step ISO-format install CD image which contains the various
   *.tgz files so you do not need to fetch them separately.

   If you prefer to use a USB flash drive, fetch install69.img and
   follow the instructions in INSTALL.amd64.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.amd64.  INSTALL.amd64 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

   This is the page where we talk about the mistakes we made while
   creating the 6.9 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.7.  Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc.  During installation, you can install X.Org
quite easily using xenodm(1), our simplified X11 display manager forked
from xdm(1).

- PACKAGES AND PORTS ---------------------------------------------------

Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures.  Please see for
more information on working with packages and ports.

Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed

- SYSTEM SOURCE CODE ---------------------------------------------------

The source code for all four subsystems can be found in the
pub/OpenBSD/6.9/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

The README ( file
explains how to deal with these source files.

- THANKS ---------------------------------------------------------------

Ports tree and package building by Jasper Lievisse Adriaanse,
Pierre-Emmanuel Andre, Visa Hankala, Stuart Henderson, Peter Hessler,
Kurt Mosiejczuk, Christian Weisgerber, and Charlene Wendling.
Base and X system builds by Kenji Aoyama and Theo de Raadt.  Release art
contributed by Joy San.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who bought our previous CD sets.  Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.

Our developers are:

    Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall,
    Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov,
    Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley,
    Antoine Jacoutot, Anton Lindqvist, Asou Masato, Ayaka Koshibe,
    Benoit Lecocq, Bjorn Ketelaars, Bob Beck, Brandon Mercer,
    Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar,
    Carlos Cardenas, Charlene Wendling, Charles Longeau,
    Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann,
    Claudio Jeker, Dale Rahn, Damien Miller, Daniel Dickman,
    Daniel Jakots, Darren Tucker, Dave Voutila, David Coppa,
    David Gwynne, David Hill, Denis Fondras, Doug Hogan, Edd Barrett,
    Elias M. Mariani, Eric Faurot, Florian Obser, Florian Riehm,
    Frederic Cambus, George Koehler, Gerhard Roth, Giannis Tsaraias,
    Gilles Chehade, Giovanni Bechis, Gleydson Soares,
    Gonzalo L. Rodriguez, Greg Steuck, Helg Bredow, Henning Brauer,
    Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze,
    Inoguchi Kinichiro, James Turner, Jan Klemkow, Jason McIntyre,
    Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans,
    Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray,
    Jonathan Matthew, Jordan Hargrave, Joris Vink, Joshua Stein,
    Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama,
    Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov,
    Klemens Nanni, Kurt Miller, Kurt Mosiejczuk, Landry Breuil,
    Lawrence Teo, Marc Espie, Marcus Glocker, Mark Kettenis,
    Mark Lumsden, Markus Friedl, Martijn van Duren, Martin Natano,
    Martin Pieuchot, Martin Reindl, Martynas Venckus, Mats O Jansson,
    Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Mikonos,
    Mike Belopuhov, Mike Larkin, Nam Nguyen, Nayden Markatchev,
    Nicholas Marriott, Nigel Taylor, Okan Demirmen, Ori Bernstein,
    Otto Moerbeek, Paco Esteban, Pamela Mosiejczuk, Pascal Stumpf,
    Patrick Wildt, Paul Irofti, Pavel Korovin, Peter Hessler,
    Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas,
    Rafael Sadowski, Rafael Zalamena, Raphael Graf, Remi Locherer,
    Remi Pointel, Renato Westphal, Ricardo Mestre, Richard Procter,
    Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha,
    Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
    Solene Rapenne, Stefan Fritsch, Stefan Kempf, Stefan Sperling,
    Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda,
    T.J. Townsend, Ted Unangst, Theo Buehler, Theo de Raadt,
    Thomas Frohwein, Tim van der Molen, Tobias Heider,
    Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove,
    Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov,
    Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Yasuoka Masahiko,
    Yojiro Uo