OpenBSD 6.2 released: Oct 9, 2017
9 October, 2017 by deraadt@openbsd.org | openbsd
------------------------------------------------------------------------
- OpenBSD 6.2 RELEASED -------------------------------------------------
October 9, 2017.
We are pleased to announce the official release of OpenBSD 6.2.
This is our 43rd release. We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.
As in our previous releases, 6.2 provides significant improvements,
including new features, in nearly all areas of the system:
- Improved hardware support, including:
o arm: New rkgrf(4) driver for the Rockchip RK3399/RK3288 register
file.
o arm: New rkclock(4) driver for Rockchip RK3399/RK3288 clocks.
o arm: New rkpinctrl(4) driver for controlling Rockchip
RK3399/RK3288 pins.
o arm: New rkgpio(4) driver for GPIO on Rockchip SoCs.
o arm: New rktemp(4) driver for Rockchip RK3399 temperature sensors.
o arm: New rkiic(4) driver for Rockchip RK3399 I2C controllers.
o arm: New rkpmic(4) driver for the RK808 Power Management IC.
o arm: New dwmmc(4) driver for Synopsis DesignWare SD/MMC
controllers.
o arm: New dwdog(4) driver for the Synopsys DesignWare watchdog
timer.
o arm: New dwxe(4) driver for the Synopsys DesignWare Ethernet
controller.
o arm: New sxitwi(4) driver for the two-wire bus on Allwinner SoCs.
o arm: New axppmic(4) driver for the AXP209 I2C PMIC.
o arm: New bcmaux(4) driver for clocks and interrupts on the
auxilliary UART on BCM2835 devices.
o arm: New mvmpic(4) driver for an interrupt controller on Marvell
ARMADA 38x.
o arm: New mvpxa(4) driver for the SD Host Controller on Marvell
ARMADA 38x.
o arm: New mvpinctrl(4) driver to configure pins on Marvell ARMADA
38x.
o arm: New mvneta(4) driver the Ethernet controller on Marvell
ARMADA 38x.
o arm: New amdisplay(4) & nxphdmi(4) drivers for the Texas
Instruments AM335x LCD controller.
o octeon: New octcib(4) driver for the interrupt bus widget on
CN70xx/CN71xx.
o octeon: New octcit(4) driver for the central interrupt unit
version 3 on CN72xx/CN73xx/CN77xx/CN78xx.
o octeon: New octsctl(4) driver for the OCTEON SATA controller
bridge.
o octeon: New octxctl(4) driver for the OCTEON USB3 controller
bridge.
o octeon: Rhino Labs Inc. SDNA Shasta, and Ubiquiti Networks
EdgeRouter 4 and 6 are now supported.
o New hvs(4) driver for Hyper-V storage.
o New pcxrtc(4) driver for the NXP PCF8563 Real Time Clock.
o New urng(4) driver for USB random number generator devices.
o Intel 8265 and 3168 support was added to the iwm(4) driver.
o RTL8192CE support was added to the rtwn(4) driver.
o RT5360 support was added to the ral(4) driver.
o RTS525A support was added to the rtsx(4) driver.
o The acpibat(4) driver now supports _BIX entries from ACPI 4.0.
o ACPI hibernate support was added to the nvme(4) driver.
o Substantially improved ACPI hibernate performance in the ahci(4)
driver.
o The inteldrm(4) driver was updated to code based on Linux 4.4.70 -
it now supports Skylake, Kaby Lake, and Cherryview devices and has
better support for Broadwell and Valleyview devices.
o The puc(4) driver now supports ASIX AX99100 devices.
o Xen platform support and the xbf(4) driver in particular have been
substantially improved.
o The nvme(4) driver now reports correct last sector address to
SCSI, allowing a valid GPT to be created.
o Repair ioapic(4) misconfigurations.
- vmm(4)/ vmd(8) improvements:
o vmctl(8) supports paused VM migration and memory snapshotting
using send and receive commands.
o VPID/ASID reuse/rollover in vmm(4).
o SGABIOS imported as an option ROM payload in SeaBIOS (for VGA to
serial console redirection).
o vmd(8) resets the guest VM RTC (real time clock) on host resume
from suspend/hibernate (OpenBSD guests only).
o Allow guest VMs access to AVX/AVX2 host CPU features.
o Support for AMD SVM/RVI hosts.
o Allow larger guest VM memory sizes (up to MAXDSIZ sized guests -
e.g. 32GB on amd64 hosts).
o Better handling of guest VM MONITOR/MWAIT and HLT instructions.
o Various device emulation improvements in vmd(8).
o Increase the virtio(4) queue size provided by vmd(8) from 64 to
128 entries, to increase performance.
o Many fixes to vmctl(8) and vmd(8) error handling.
- IEEE 802.11 wireless stack improvements:
o MiRA 802.11n TX rate scaling now supports devices with unequal
numbers of Tx and Rx streams. Fixes 11n mode for some athn(8)
devices.
o The iwn(8) and iwm(8) drivers will now start scanning for a new
access point if they no longer receive beacons from the current
AP.
o Prefer the 5GHz band over the 2GHz band during access point
selection.
o Improved debug output in dmesg(8) when a wireless interface is put
into debug mode with ifconfig(8).
- Generic network stack improvements:
o Incoming and forwarded IP packets are now processed without
KERNEL_LOCK, resulting in better performances and reduced latency.
o The kernel no longer handles IPv6 Stateless Address
Autoconfiguration (RFC 4862), allowing cleanup and simplification
of the IPv6 network stack.
o The kernel sends IPv6 router solicitations for link local
addresses with a link local source address.
o FQ-CoDel algorithm has been implemented for use with pf(4)
queueing.
o Improved IPv6 checks for IPsec policies and made them consistent
with IPv4.
o Refactored local IP delivery to process IPsec packets in a flow
and avoid enqueueing a second time.
o pf(4) now inspects AH packets and matches on the inner protocol.
This makes IPv4 authentication headers work like IPv6.
o The length of extension header chains in pf(4) is limited. This
prevents spending excessive CPU time on crafted packets.
o Block IPv6 packets in pf(4) that have a hop-by-hop options header
or a destination options header. Such packets can be passed by
adding "allow-opts" to the rule. This makes IPv6 option handling
consistent with IPv4.
o If the IPv4 ID gets reused too fast, pf(4) fragment reassembly
uses a smarter strategy to drop packets.
o Enabled the use of per-CPU caches in the network packet
allocators.
- Installer improvements:
o The installer now uses the Allotment Routing Table (ART).
o A unique kernel is now created by the installer to boot from after
install/upgrade.
o On release installs of architectures supported by syspatch,
"syspatch -c" is now added to rc.firsttime.
o Backwards compatibility code to support the 'rtsol' keyword in
hostname.if(5) has been removed.
o The install.site and upgrade.site scripts are now executed at the
end of the install/upgrade process.
o More detailed information is shown to identify disks.
o The IPv6 default router selection has been fixed.
o On the amd64 platform, AES-NI is used if present.
- Routing daemons and other userland network improvements:
o A new daemon, slaacd(8) handles IPv6 Stateless Address
Autoconfiguration (RFC 4862).
o rtadvd(8) now supports "Reducing Energy Consumption of Router
Advertisements" (RFC 7772).
o rtadvd(8) has been fixed to quickly handle IPv6 prefix changes on
the system.
o ipsecctl(8) can now show SA bundles and the "bundle" keyword
allows them to be explicitly created. This avoids confusion as
they were previously used implicitly.
o nc(1) now has a -W recvlimit option to terminate netcat after
receiving the specified number of packets. This allows for a UDP
request to be sent, a reply to be received and the result checked
on the command line.
o nc(1) now has a -Z option, allowing the peer certificate and chain
to be saved to a file in PEM format.
o A new -T tlscompat option was added to nc(1), which enables the
use of all TLS protocols and libtls "compat" ciphers.
o Various races have been fixed in relayd(8), expecially in HTTP
chunked mode.
o ndp(8) now shows the relevant NDP information when run in a
non-default routing domain.
o ifstated(8) now copes with interface departures/arrivals.
o bgpd(8) can now be started multiple times in different routing
domains, this provides virtual router functionality.
- Security improvements:
o A new function freezero(3) to easily clear and free memory holding
sensitive data has been added.
o Double free detection has been improved when the F malloc(3)
option is used. The existing S option now includes F.
o The TIOCSTI tty ioctl has been removed. The I/O-loops in the last
two consumers csh(1) and mail(1) were rewritten to cope with the
removal.
o Trapsleds, a new mitigation that significantly reduces the amount
of nops in the instruction stream, replacing them with trap
instructions or jump-over-trap sequences, thereby requiring
greater accuracy for targetting potential gadgets.
o Kernel Address Randomized Link (KARL), a new "link-kit" allows the
.o files of the kernel to be relinked in a random order, creating
a unique kernel for each boot. /bsd is now non-readable to users,
to try to keep the secret.
o Like with libc previously, rc(8) re-links libcrypto on startup,
placing the objects in a random order.
o In addition to libcrypto, to deter code reuse exploits, rc(8)
re-links ld.so on startup, placing the objects in a random order.
o If process accounting is activated with accton(8), the daily mail
shows pledge violations and program crashes. lastcomm(1) uses the
flags P and T for such processes.
o pflogd(8) uses the fork+exec model.
o tcpdump(8) uses the fork+exec model.
o ifstated(8) uses pledge(2).
o snmpd(8) and snmpctl(8) now use pledge(2).
o Tighter pledge for at(1).
o Fixed and simplified pledge logic for nc(1).
o More application of recallocarray(3) in userland, and tracked
sizes to free(9) in the kernel.
o Achieve higher levels of paranoia regarding structure packing, and
clear many kernel objects before passing to userland.
o Disable some optimizations in clang(1) due to incompatibility with
security.
o For instance, cope with clang(1)'s assumption that static or const
objects placed in unknown sections (such as .openbsd.randomdata)
are surely always 0, and therefore such memory accesses can be
optimized away.
o In kernel, randomly bias down the top-of-stack per kthread.
- dhcpd(8)/ dhcrelay(8) improvements:
o Add support for echo-client-id statement to dhclient.conf(5).
o Take greater care to process all data read, and only data read,
from the bpf(4) socket.
o Use /dev/bpf instead of /dev/bpf0.
o Handle DHCPINFORM messages from clients behind a DHCP relay.
o Fix handling of carp(4) interfaces in dhcrelay(8).
o Don't stop dhcrelay(8) logging to stderr when it is started with
the -d option.
- dhclient(8) improvements:
o Log messages reworked and clarified, in particular by prefixing
the name of the relevant network interface.
o Treat SSID as 0 to 32 bytes of binary data, not a string.
o Use RTM_PROPOSAL to take control of an interface rather than
flipping interface down and up in the hope that other dhclient(8)
instances notice.
o Reduce file operations needed by -L option by opening file at
startup and using it throughout process lifetime.
o Improve resolv.conf(5) handling by reducing writes and more
reliably determining which interface has the current default
route.
o Take greater care to process all data read, and only data read,
from the bpf(4) socket.
o Improve the determination of the link state of an interface.
o Decline inappropriate lease offers as soon as they are deemed
inappropriate.
o Drop support for the timestamp formats used in lease files created
more than four years ago.
o Accept an offer from the server that sent the first copy of the
offer, not the server that sent the last copy.
o Don't delete addresses and routes when exiting.
o Ensure IPv6 packets are not read from sockets.
o Don't silently ignore obsolete keywords in dhclient.conf(5).
o Reduce memory footprint by shrinking oversized static buffers.
o Eliminate repeated socket opens by opening the required sockets
during startup.
o Fix construction of unicast UDP packets, broken in 5.6.
o Improve determination of when a renewed lease requires interface
configuration changes.
o Don't exit when addresses are manually added or deleted from an
interface.
o Don't support option 33, classfull IP addresses.
o Fix configuration of default routes supplied by classless route
options.
o Consider dhclient.conf(5) contents when determining what MTU value
to configure.
o Consider dhclient.conf(5) contents when creating the content of
resolv.conf(5).
o Delete direct routes when routes are flushed.
o Don't label routes with "DHCLIENT nnnn".
o Don't delete addresses or routes that will be immediately added
back.
o Delete addresses and routes only when a renewal request is NAK'ed.
o Don't wait forever for requested information on the default route.
o Don't exit when an attempt to send a packet fails.
o Don't log a packet send when the send fails.
o Remove the -u option, broken since 2013 without complaints.
o Use /dev/bpf instead of /dev/bpf0.
- Assorted improvements:
o The i386 and amd64 platforms have switched to using clang(1) as
the base system compiler.
o Improved UTF-8 line editing support for ksh(1) Emacs and Vi input
mode.
o The HISTFILE of ksh(1) now uses a plain text format. Support for
the HISTCONTROL environment variable was added.
o The performance of the memory deallocator used by ksh(1) has been
fixed.
o The emacs-usemeta ksh(1) flag is no longer needed and is now
deprecated.
o New futex(2) syscall.
o New pthread mutex and condition variable implementations improving
latency of threaded applications.
o New POSIX xlocale implementation written from scratch, complete in
the sense that all POSIX *locale(3) and *_l(3) functions are
included, but in OpenBSD, we of course only really care about
LC_CTYPE and we only support ASCII and UTF-8.
o Automatic hibernation and suspend by apmd when battery is low.
o New ctfdump(1) and ctfconv(1) tools to manipulate CTF (Compact C
Type Format).
o The error handling in syslogd(8) has been improved. Even if
internal errors occur, the daemon tries to keep unaffected
subsystems active. So as many messages as possible are logged.
They can be filtered by severity and facility "syslog".
o syslogd(8) can now suppress "last message repeated" which is
useful for remote logging.
o syslogd(8) can listen on multiple TLS sockets.
o syslogd(8) closes the *.514 UDP sockets when they are not needed.
o Truncate log messages at 8192 bytes everywhere.
o newsyslog(8) now skips and logs invalid config lines.
o Nested mount points are umounted in correct order.
o Fix creation of softraid(4) CONCAT volumes.
o Include softraid(4) volume and backing disk information in i/o
error messages.
o Make vioscsi(4) a normal scsi(4) device by eliminating its use of
the obsolete XS_NO_CCB mechanism.
o Remove last vestiges of now unused XS_NO_CCB mechanism.
o Userspace can now get the address of the thread control block
without a system call on OCTEON II and later.
o FPU is enabled on OCTEON III.
o GENERIC kernels now include a .SUNW_ctf section containing CTF
data.
o New ddb(4) kill command, send an uncatchable SIGABRT to a process.
o New ddb(4) pprint command, using CTF information to "pretty print"
global symbols.
o New ddb(4) show struct command, using CTF information to display
the content of in memory C structures.
o x86: ddb(4) uses CTF data to display the correct number of
function arguments in backtraces.
o Power off all codecs in azalia(4) to avoid static noise in
speakers and headphones on reboot.
o Fix i386 boot regression seen on very old 486DX CPUs.
o New witness(4) tool for debugging lock order issues in the kernel.
The tool is not built in by default, and only amd64, hppa and i386
are supported.
o Modernize some bizzare tty behaviours of getty(8).
o Some subtle changes to pledge(2) to satisfy requirements observed
in real life.
o Prefer use of waitpid(2) rather than wait(3) where possible, to
avoid problems with pre-existing children.
o Rewrite swaths of machine-dependent system call stub code in
ld.so(1) in a more portable fashion.
o Per-CPU caches implemented in pools.
o Mutex, condition-variable, thread-specific data, pthread_once(3),
and pthread_exit(3) routines moved to libc from libpthread for
ease of library use and compatibility with other OSes.
o Added getptmfd(3), fdopenpty(3), and fdforkpty(3) to simplify
privilege separation and use of pledge(2).
o Improved computational complexity in various cases of strstr(3),
qsort(3), and glob(3).
o Added support for EV_RECEIPT and EV_DISPATCH to kqueue(2).
o Added fktrace(2).
- OpenSMTPD 6.0.0
o Fix an off-by-one in the config parser that made 65535 an invalid
port.
o Fix a fd leak in the session congestion mechanism.
o Fix a possible crash when relaying with smtps.
o Remove support for the "listen secure" syntax (expicitely define
two listeners for tls and smtps instead).
o Remove experimental support for filters.
o Assorted code and documentation cleanups and improvements.
- OpenSSH 7.6
o Security:
- sftp-server(8): in read-only mode, sftp-server was
incorrectly permitting creation of zero-length files.
o New/changed features:
- Add RemoteCommand option to specify a command in the ssh(1)
config file instead of giving it on the client's command
line. The feature allows to automate tasks using ssh config.
- sshd(8): add ExposeAuthInfo option that enables writing
details of the authentication methods used (including public
keys where applicable) to a file that is exposed via a
$SSH_USER_AUTH environment variable in the subsequent
session.
- ssh(1): add support for reverse dynamic forwarding. In this
mode, ssh will act as a SOCKS4/5 proxy and forward
connections to destinations requested by the remote SOCKS
client. This mode is requested using extended syntax for the
-R and RemoteForward options and, because it is implemented
solely at the client, does not require the server be updated
to be supported.
- sshd(8): allow LogLevel directive in sshd_config Match
blocks.
- ssh-keygen(1): allow inclusion of arbitrary string or flag
certificate extensions and critical options.
- ssh-keygen(1): allow ssh-keygen to use a key held in
ssh-agent as a CA when signing certificates.
- ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an
explicit ToS/DSCP value and just use the operating system
default.
- ssh-add(1): added -q option to make ssh-add quiet on success.
- ssh(1): expand the StrictHostKeyChecking option with two new
settings. The first "accept-new" will automatically accept
hitherto-unseen keys but will refuse connections for changed
or invalid hostkeys. This is a safer subset of the current
behaviour of StrictHostKeyChecking=no. The second setting
"off", is a synonym for the current behaviour of
StrictHostKeyChecking=no: accept new host keys, and continue
connection for hosts with incorrect hostkeys. A future
release will change the meaning of StrictHostKeyChecking=no
to the behaviour of "accept-new".
- ssh(1): add SyslogFacility option to ssh(1) matching the
equivalent option in sshd(8).
o The following significant bugs have been fixed in this release:
- ssh(1): use HostKeyAlias if specified instead of hostname for
matching host certificate principal names.
- sftp(1): implement sorting for globbed ls.
- ssh(1): add a user@host prefix to client's "Permission
denied" messages, useful in particular when using "stacked"
connections (e.g. ssh -J) where it's not clear which host is
denying.
- ssh(1): accept unknown EXT_INFO extension values that contain
\0 characters. These are legal, but would previously cause
fatal connection errors if received.
- ssh(1)/sshd(8): repair compression statistics printed at
connection exit.
- sftp(1): print '?' instead of incorrect link count (that the
protocol doesn't provide) for remote listings.
- ssh(1): return failure rather than fatal() for more cases
during session multiplexing negotiations. Causes the session
to fall back to a non-mux connection if they occur.
- ssh(1): mention that the server may send debug messages to
explain public key authentication problems under some
circumstances.
- Translate OpenSSL error codes to better report incorrect
passphrase errors when loading private keys.
- sshd(8): adjust compatibility patterns for WinSCP to
correctly identify versions that implement only the legacy DH
group exchange scheme.
- ssh(1): print the "Killed by signal 1" message only at
LogLevel verbose so that it is not shown at the default
level; prevents it from appearing during ssh -J and
equivalent ProxyCommand configs.
- ssh-keygen(1): when generating all hostkeys (ssh-keygen -A),
clobber existing keys if they exist but are zero length.
zero-length keys could previously be made if ssh-keygen
failed or was interrupted part way through generating them.
- ssh(1): fix pledge(2) violation in the escape sequence "~&"
used to place the current session in the background.
- ssh-keyscan(1): avoid double-close() on file descriptors.
- sshd(8): avoid reliance on shared use of pointers shared
between monitor and child sshd processes.
- sshd_config(8): document available AuthenticationMethods.
- ssh(1): avoid truncation in some login prompts.
- ssh(1): make "--" before the hostname terminate argument
processing after the hostname too.
- ssh-keygen(1): switch from aes256-cbc to aes256-ctr for
encrypting new-style private keys. Fixes problems related to
private key handling for no-OpenSSL builds.
- ssh(1): warn and do not attempt to use keys when the public
and private halves do not match.
- sftp(1): don't print verbose error message when ssh
disconnects from under sftp.
- sshd(8): fix keepalive scheduling problem: activity on a
forwarded port from preventing the keepalive from being sent.
- sshd(8): when started without root privileges, don't require
the privilege separation user or path to exist. Makes running
the regression tests easier without touching the filesystem.
- Make integrity.sh regression tests more robust against
timeouts.
- ssh(1)/sshd(8): correctness fix for channels implementation:
accept channel IDs greater than 0x7FFFFFFF.
- LibreSSL 2.6.3
o Added support for providing CRLs to libtls - once a CRL is
provided via tls_config_set_crl_file(3) or
tls_config_set_crl_mem(3), CRL checking is enabled and required
for the full certificate chain.
o Reworked TLS certificate name verification code to more strictly
follow RFC 6125.
o Cleaned up and simplified server key exchange EC point handling.
o Removed inconsistent IPv6 handling from BIO_get_accept_socket(),
simplified BIO_get_host_ip() and BIO_accept().
o Added definitions for three OIDs used in EV certificates.
o Relaxed SNI validation to allow non-RFC-compliant clients using
literal IP addresses with SNI to connect to a libtls-based TLS
server.
o Added tls_peer_cert_chain_pem() to libtls, useful in private
certificate validation callbacks such as those in relayd.
o Converted explicit clear/free sequences to use freezero(3).
o Fixed the openssl(1) ca command so that it generates certificates
with RFC 5280-conformant time.
o Added ASN1_TIME_set_tm(3) to set an ASN.1 time from a struct tm *.
o Added SSL{,_CTX}_set_{min,max}_proto_version(3) functions.
o Imported HKDF (HMAC Key Derivation Function) from BoringSSL.
o Provided a tls_unload_file(3) function that frees the memory
returned from a tls_load_file(3) call, ensuring that the contents
become inaccessible.
o Implemented reference counting for libtls tls_config, allowing
tls_config_free(3) to be called as soon as it has been passed to
the final tls_configure(3) call, simplifying lifetime tracking for
the application.
o Dropped cipher suites using DSS authentication.
o Removed support for DSS/DSA from libssl.
o Distinguish between self-issued certificates and self-signed
certificates. The certificate verification code has special cases
for self-signed certificates and without this change, self-issued
certificates (which it seems are common place with
openvpn/easyrsa) were also being included in this category.
o Added a new TLS extension handling framework and converted all TLS
extensions to use it.
o Improved and added many new manpages. Updated
SSL_{CTX_,}check_private_key(3) manpages with additional cautions
regarding their use.
o Cleaned up and simplified EC key/curve configuration handling.
o Added tls_config_set_ecdhecurves(3) to libtls, which allows the
names of the elliptical curves that may be used during client and
server key exchange to be specified.
o Converted more code paths to use CBB/CBS.
o Removed NPN support - NPN was never standardised and the last
draft expired in October 2012.
o Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken
CryptoPro clients.
o Removed support for the TLS padding extension, which was added as
a workaround for an old bug in F5's TLS termination.
o Added ability to clamp notafter values in certificates for systems
with 32-bit time_t. This is necessary to conform to RFC 5280
4.1.2.5.
o Removed the original (pre-IETF) chacha20-poly1305 cipher suites.
o Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.
o Provide a useful error with libtls if there are no OCSP URLs in a
peer certificate.
o Keep track of which keypair is in use by a TLS context, fixing a
bug where a TLS server with SNI would only return the OCSP staple
for the default keypair.
o If tls_config_parse_protocols(3) is called with a NULL pointer it
now returns the default protocols.
- mandoc 1.14.3
o Full mandoc.db(5) databases are now enabled by default, allowing
semantic searching with apropos(1) without any local configuration
changes.
o Full integration of the former mdoclint(1) utility into mandoc(1)
-Wall, new -Wstyle and -Wopenbsd message levels, and many new
messages, for example about typos in .Sh lines, unknown .Xr
targets, and links to self.
o Additional steps unifying the mdoc(7), man(7), and roff(7)
parsers: use one common data type and ohash_init(3) for all
requests and macros and support creation of syntax tree nodes in
the roff(7) parser, allowing support for many new low-level
roff(7) features. Only about 25 ports still need USE_GROFF now.
o Many improvements to tbl(7) parsing and formatting, including
automatic line wrapping inside table columns.
o Many improvements to eqn(7) parsing and formatting, including
better font selection, recognition of well-known mathematical
function names, and writing of <mn> and <mo> HTML tags.
o Intelligible rendering of mathematical symbols in -Tascii output.
o Several parsing and rendering improvements for the mdoc(7) .Lk
macro.
o Some CSS improvements in HTML output, in particular for the
mdoc(7) .Bl macro.
- Ports and packages:
o A massive amount of clang-related fixes happened between 6.1 and 6.2.
o Pre-built packages are available for the following architectures on
the day of release:
- amd64: 9728
- i386: 9285
o Packages for the following architectures will be made available as
their builds complete:
- alpha
- arm
- hppa
- mips64
- mips64el
- powerpc
- sparc64
- Some highlights:
o AFL 2.51b o Mutt 1.9.1 and NeoMutt 20170912
o Cmake 3.9.3 o Node.js 6.11.2
o Chromium 61.0.3163.100 o Ocaml 4.03.0
o Emacs 21.4 and 25.3 o OpenLDAP 2.3.43 and 2.4.45
o GCC 4.9.4 o PHP 5.6.31 and 7.0.23
o GHC 7.10.3 o Postfix 3.2.2 and 3.3-20170910
o Gimp 2.8.22 o PostgreSQL 9.6.5
o GNOME 3.24.2 o Python 2.7.14 and 3.6.2
o Go 1.9 o R 3.4.1
o Groff 1.22.3 o Ruby 1.8.7.374, 2.1.9, 2.2.8,
o JDK 8u144 2.3.5 and 2.4.2
o KDE 3.5.10 and 4.14.3 (plus o Rust 1.20.0
KDE4 core updates) o Sendmail 8.16.0.21
o LLVM/Clang 5.0.0 o SQLite 3.20.1
o LibreOffice 5.2.7.2 o Sudo 1.8.21.2
o Lua 5.1.5, 5.2.4, and 5.3.4 o Tcl/Tk 8.5.19 and 8.6.6
o MariaDB 10.0.32 o TeX Live 2016
o Mozilla Firefox 52.4.0esr and o Vim 8.0.0987
56.0.0 o Xfce 4.12
o Mozilla Thunderbird 52.2.1
- As usual, steady improvements in manual pages and other documentation.
- The system includes the following major components from outside suppliers:
o Xenocara (based on X.Org 7.7 with xserver 1.18.4 + patches,
freetype 2.8.0, fontconfig 2.12.4, Mesa 13.0.6, xterm 330,
xkeyboard-config 2.20 and more)
o LLVM/Clang 4.0.0 (+ patches)
o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
o Perl 5.24.2 (+ patches)
o NSD 4.1.17
o Unbound 1.6.6
o Ncurses 5.7
o Binutils 2.17 (+ patches)
o Gdb 6.3 (+ patches)
o Awk Aug 10, 2011 version
o Expat 2.2.4
------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------
We provide patches for known security threats and other important
issues discovered after each release. Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible. Therefore, we advise regular
visits to
https://www.OpenBSD.org/security.html
and
https://www.OpenBSD.org/errata.html
------------------------------------------------------------------------
- MAILING LISTS AND FAQ ------------------------------------------------
Mailing lists are an important means of communication among users and
developers of OpenBSD. For information on OpenBSD mailing lists, please
see:
https://www.OpenBSD.org/mail.html
You are also encouraged to read the Frequently Asked Questions (FAQ) at:
https://www.OpenBSD.org/faq/
------------------------------------------------------------------------
- DONATIONS ------------------------------------------------------------
The OpenBSD Project is volunteer-driven software group funded by
donations. Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others. This ecosystem is all handled under the same funding umbrella.
We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon
events.
All of our developers strongly urge you to donate and support our future
efforts. Donations to the project are highly appreciated, and are
described in more detail at:
https://www.OpenBSD.org/donations.html
------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------
For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts. In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.
There may also be exposure benefits since the Foundation may be
interested in participating in press releases. In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at directors@openbsdfoundation.org for
more information.
------------------------------------------------------------------------
- RELEASE SONGS --------------------------------------------------------
Every OpenBSD release is accompanied by artwork and a song. The song
for OpenBSD 6.2 will be coming in December 2017.
Lyrics (and an explanation) of the song may be found at:
https://www.OpenBSD.org/lyrics.html#62
------------------------------------------------------------------------
- HTTP/HTTPS INSTALLS --------------------------------------------------
OpenBSD can be easily installed via HTTP/HTTPS downloads. Typically you
need a single small piece of boot media (e.g., a USB flash drive) and
then the rest of the files can be installed from a number of locations,
including directly off the Internet. Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTP/HTTPS.
1) Read either of the following two files for a list of HTTP/HTTPS
mirrors which provide OpenBSD, then choose one near you:
https://www.OpenBSD.org/ftp.html
https://ftp.openbsd.org/pub/OpenBSD/ftplist
As of October 15, 2017, the following HTTP/HTTPS mirror sites have
the 6.2 release:
https://ftp.eu.openbsd.org/pub/OpenBSD/6.2/ Stockholm, Sweden
http://ftp.bytemine.net/pub/OpenBSD/6.2/ Oldenburg, Germany
https://ftp.fr.openbsd.org/pub/OpenBSD/6.2/ Paris, France
https://mirror.aarnet.edu.au/pub/OpenBSD/6.2/ Brisbane, Australia
https://ftp.usa.openbsd.org/pub/OpenBSD/6.2/ CO, USA
https://ftp5.usa.openbsd.org/pub/OpenBSD/6.2/ CA, USA
https://mirror.esc7.net/pub/OpenBSD/6.2/ TX, USA
https://openbsd.cs.toronto.edu/pub/OpenBSD/6.2/ Toronto, Canada
https://fastly.cdn.openbsd.org/pub/OpenBSD/6.2/ Global
The release is also available at the master site:
https://ftp.openbsd.org/pub/OpenBSD/6.2/ Alberta, Canada
However it is strongly suggested you use a mirror.
Other mirror sites may take a day or two to update.
2) Connect to that HTTP/HTTPS mirror site and go into the directory
pub/OpenBSD/6.2/ which contains these files and directories.
This is a list of what you will see:
ANNOUNCEMENT arm64/ macppc/ src.tar.gz
Changelogs/ armv7/ octeon/ sys.tar.gz
README hppa/ packages/ tools/
SHA256 i386/ ports.tar.gz xenocara.tar.gz
SHA256.sig landisk/ root.mail
alpha/ loongson/ sgi/
amd64/ luna88k/ sparc64/
It is quite likely that you will want at LEAST the following
files which apply to all the architectures OpenBSD supports.
README - generic README
root.mail - a copy of root's mail at initial login.
(This is really worthwhile reading).
3) Read the README file. It is short, and a quick read will make
sure you understand what else you need to fetch.
4) Next, go into the directory that applies to your architecture,
for example, amd64. This is a list of what you will see:
BOOTIA32.EFI* bsd* floppy62.fs pxeboot*
BOOTX64.EFI* bsd.mp* game62.tgz xbase62.tgz
BUILDINFO bsd.rd* index.txt xfont62.tgz
INSTALL.amd64 cd62.iso install62.fs xserv62.tgz
SHA256 cdboot* install62.iso xshare62.tgz
SHA256.sig cdbr* man62.tgz
base62.tgz comp62.tgz miniroot62.fs
If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
and install62.iso. The install62.iso file (roughly 346MB in size)
is a one-step ISO-format install CD image which contains the various
*.tgz files so you do not need to fetch them separately.
If you prefer to use a USB flash drive, fetch install62.fs and
follow the instructions in INSTALL.amd64.
5) If you are an expert, follow the instructions in the file called
README; otherwise, use the more complete instructions in the
file called INSTALL.amd64. INSTALL.amd64 may tell you that you
need to fetch other files.
6) Just in case, take a peek at:
https://www.OpenBSD.org/errata.html
This is the page where we talk about the mistakes we made while
creating the 6.2 release, or the significant bugs we fixed
post-release which we think our users should have fixes for.
Patches and workarounds are clearly described there.
------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------
X.Org has been integrated more closely into the system. This release
contains X.Org 7.7. Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc. During installation, you can install X.Org
quite easily. Be sure to try out xenodm(1), our new, simplified X11
display manager forked from xdm(1).
------------------------------------------------------------------------
- PACKAGES AND PORTS ---------------------------------------------------
Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures. Please see https://www.openbsd.org/faq/faq15.html for
more information on working with packages and ports.
Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed
separately.
------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------
The source code for all four subsystems can be found in the
pub/OpenBSD/6.2/ directory:
xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz
The README (https://ftp.OpenBSD.org/pub/OpenBSD/6.2/README) file
explains how to deal with these source files.
------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------
Ports tree and package building by Pierre-Emmanuel Andre, Landry Breuil,
Visa Hankala, Stuart Henderson, Peter Hessler, Paul Irofti, and
Christian Weisgerber. Base and X system builds by Kenji Aoyama,
Theo de Raadt, and Visa Hankala.
We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use. We would also like
to thank those who bought our previous CD sets. Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.
Our developers are:
Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall,
Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov,
Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley,
Antoine Jacoutot, Anton Lindqvist, Ayaka Koshibe , Benoit Lecocq,
Bob Beck, Brandon Mercer, Brent Cook, Brian Callahan, Bryan Steele,
Can Erkin Acar, Charles Longeau, Chris Cappuccio,
Christian Weisgerber, Christopher Zimmermann, Claudio Jeker,
Dale Rahn, Damien Miller, Daniel Boulet, Daniel Dickman,
Daniel Jakots, Darren Tucker, David Coppa, David Gwynne, David Hill,
Denis Fondras, Dmitrij Czarkoff, Doug Hogan, Edd Barrett,
Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus,
Gerhard Roth, Giannis Tsaraias, Gilles Chehade, Giovanni Bechis,
Gleydson Soares, Gonzalo L. Rodriguez, Henning Brauer, Ian Darwin,
Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze,
Inoguchi Kinichiro, James Turner, Jason McIntyre,
Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans,
Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray,
Jonathan Matthew, Joris Vink, Joshua Stein,
Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama,
Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov,
Kurt Miller, Landry Breuil, Lawrence Teo, Luke Tymowski, Marc Espie,
Marco Pfatschbacher, Marcus Glocker, Mark Kettenis, Mark Lumsden,
Markus Friedl, Martijn van Duren, Martin Natano, Martin Pieuchot,
Martynas Venckus, Mats O Jansson, Matthew Dempsky, Matthias Kilian,
Matthieu Herrb, Mike Belopuhov, Mike Larkin, Miod Vallat,
Nayden Markatchev, Nicholas Marriott, Nigel Taylor, Okan Demirmen,
Otto Moerbeek, Pascal Stumpf, Patrick Wildt, Paul Irofti,
Pavel Korovin, Peter Hessler, Philip Guenther,
Pierre-Emmanuel Andre, Pratik Vyas, Rafael Sadowski,
Rafael Zalamena, Remi Pointel, Renato Westphal, Reyk Floeter,
Ricardo Mestre, Richard Procter, Rob Pierce, Robert Nagy,
Robert Peichaer, Sasano Takayoshi, Sebastian Benoit,
Sebastian Reitenbach, Sebastien Marie, Stefan Fritsch, Stefan Kempf,
Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson,
Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler,
Theo de Raadt, Tim van der Molen, Tobias Stoeckmann, Todd C. Miller,
Todd Mortimer, Tom Cosgrove, Ulf Brosziewski, Uwe Stuehler,
Vadim Zhukov, Vincent Gross, Visa Hankala, Yasuoka Masahiko,
Yojiro Uo