BSDSec

deadsimple BSD Security Advisories and Announcements

OpenBSD 6.5 released -- Apr 24 2019

OpenBSD 6.5 builds finished a week early, so the May 1 dated code can
go out the door 1 week early.

------------------------------------------------------------------------
- OpenBSD 6.5 RELEASED -------------------------------------------------

May 1, 2019.

We are pleased to announce the official release of OpenBSD 6.5.
This is our 46th release.  We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.

As in our previous releases, 6.5 provides significant improvements,
including new features, in nearly all areas of the system:

 - Improved hardware support, including:
    o clang(1) is now provided on mips64.
    o The default linker has been switched from the binutils bfd-based
      linker to lld on amd64 and i386.
    o octeon: Now the system automatically detects the number of
      available cores. However, manual setting of the numcores, or
      coremask, boot parameter is still needed to enable secondary
      cores.
    o octeon: It is now possible to use the root disk's DUID as the
      value of the rootdev boot parameter.
    o New octgpio(4) driver for the OCTEON GPIO controller.
    o New pvclock(4) driver for KVM paravirtual clock.
    o New ixl(4) driver for Intel Ethernet 700 series controller
      devices.
    o New abcrtc(4) driver for Abracon AB1805 real-time clock.
    o New imxsrc(4) driver for i.MX system reset controller.
    o New uxrcom(4) driver for Exar XR21V1410 USB serial adapters.
    o New mvgicp(4) driver for Marvell ARMADA 7K/8K GICP controller.
    o Support for QCA AR816x/AR817x in alc(4).
    o Support for isochronous transfers in xhci(4).
    o uaudio(4) has been replaced by a new driver which supports USB
      audio class v2.0.
    o Improved support for nmea(4) devices, providing altitude and
      ground speed values as sensors.

 - IEEE 802.11 wireless stack improvements:
    o Reduced usage of RTS frames improves overall throughput and
      latency.
    o Improved transmit rate selection in the iwm(4) driver.
    o Improved radio hardware calibration in the athn(4) driver.
    o The bwfm(4) driver now provides more accurate device configuration
      information to userland.
    o Added new routing socket message RTM_80211INFO to provide details
      of 802.11 interface state changes to dhclient(8) and route(8).
    o If an auto-join list is configured, wireless interfaces will no
      longer connect to unknown open networks by default. This behaviour
      must now be explicitly enabled by adding the empty network name to
      the auto-join list, e.g. ifconfig iwm0 join "", or join "" in
      hostname.if files.
    o The iwn(4) and iwm(4) drivers will now automatically try to
      connect to a network if the radio kill switch is toggled to allow
      radio transmissions while the interface is marked UP.

 - Generic network stack improvements:
    o New bpe(4) Backbone Provider Edge pseudo-device.
    o New mpip(4) MPLS IP layer 2 pseudowire driver.
    o MPLS encapsulation interfaces support configuration of alternative
      MPLS route domains.
    o The vlan(4) driver bypasses queue processing and outputs directly
      to the parent interface.
    o New per SAD counters visible via ipsecctl(8).
    o The bpf(4) filter drop mechanism has been extended to allow
      dropping without capturing packets, and use of the mechanism with
      tcpdump(8) as a filtering mechanism early in the device receive
      path.
    o ifconfig(8) gains txprio for controlling the encoding of priority
      in tunnel headers, and support in drivers including vlan(4),
      gre(4), gif(4), and etherip(4).

 - Installer improvements:
    o rdsetroot(8) (a build-time tool) is now available for general use.
    o During upgrades, some components of old releases are deleted.

 - Security improvements:
    o unveil(2) has been improved to understand and find covering unveil
      matches above the working directory of the running process for
      relative path accesses. As a result many programs now can use
      unveil in broad ways such as unveil("/", "r").
    o unveil(2) no longer silently allows stat(2) and access(2) to work
      on any unveiled path component.
    o Now using unveil(2) in ospfd(8), ospf6d(8), rebound(8),
      getconf(1), kvm_mkdb(8), bdftopcf(1), Xserver(1), passwd(1),
      spamlogd(8), spamd(8), sensorsd(8), snmpd(8), htpasswd(1),
      ifstated(8). Some pledge(2) changes were required to accommodate
      unveil.
    o ROP mitigations in clang(1) have been improved, resulting in a
      significant decrease in the number of polymorphic ROP gadgets in
      binaries on i386/amd64.
    o RETGUARD performance and security have been improved in clang(1) by
      keeping data on registers instead of on the stack when possible,
      and lengthening the epilogue trapsled on amd64 to consume the rest
      of the cache line before the return.
    o RETGUARD replaces the stack protector on amd64 and arm64, since
      RETGUARD instruments every function that returns and provides
      better security properties than the traditional stack protector.

 - Routing daemons and other userland network improvements:
    o pcap-filter(3) can now filter on MPLS packets.
    o The routing priority for ospfd(8), ospf6d(8) and ripd(8) is now
      configurable.
    o ripd(8) is now pledged.
    o First release of unwind(8), a validating, recursive nameserver for
      127.0.0.1. It is particularly suitable for laptops moving between
      networks.
    o ifconfig(8) gains sff and sffdump modes, displaying diagnostic
      information from fibre transceivers and similar modules. Currently
      ix(4) and ixl(4) are supported.
    o ldpd(8) now supports configuration of TCP MD5 for networks, not
      just specific neighbors.

 - bgpd(8) improvements:
    o bgpd(8) now has a real Adj-RIB-Out, which improved overall memory
      usage.
    o Implemented a simple ruleset optimizer that merges filter rules
      that differ only by filter sets.
    o First release of OpenBGPD-portable. There is currently no FIB
      support in the portable version and some other features are also
      disabled.
    o The configuration of BGP MPLS VPN changed and the config needs to
      be adjusted if VPNs are used.
    o Added support for IPv6 BGP MPLS VPNs.
    o Implemented as-override in bgpd(8), a feature where the neighbor
      AS is replaced by the local AS in AS paths.
    o It is now possible to match multiple communities, ext-communities
      or large-communities per filter rule.
    o Added support for *, local-as and neighbor-as for ext-community
      matching and addition or removal.
    o Prevent bgpd(8) from being started more than once with the same
      config.
    o announce inet none no longer clears announce settings of other
      address families.
    o Removed potential for a spurious End-of-RIB marker being sent.
    o Fixed mrt table dumps and the route collector mode.
    o Improved throttling of initial routing table dump.
    o bgpd(8) terminates RIB table walks if bgpctl(8) terminates early.
    o Improved handling of communities, large-communities and
      ext-communities in bgpctl(8).
    o It is now possible to use neighbor group <name> to run bgpctl(8)
      commands against the specified group of neighbors:
      bgpctl neighbor group [clear|destroy|down|refresh|up]
      bgpctl show neighbor group [messages|terse|timers]
      bgpctl show rib neighbor group ...
    o bgpctl(8) can now add networks into BGP VPN tables by specifying
      the route distinguisher rd on the network command.
    o bgplg(8) and bgplgsh(8) can now filter on Origin Validation State
      and Extended Communities.
    o bgplgsh(8) can now [clear|destroy|down|refresh|up] and show groups
      of neighbors.

 - Assorted improvements:
    o kcov(4) gained support for KCOV_MODE_TRACE_CMP.
    o A 'video' promise was added to pledge(2).
    o The kern.witnesswatch sysctl(8) has been renamed to
      kern.witness.watch.
    o New pthread rwlock implementation improving latency of threaded
      applications.
    o kubsan(4) capable of detecting undefined behavior in the kernel.
    o signify -n option to zero date header in -z mode.
    o Remove OXTABS from default pty flags.
    o install(1) now always copies files safely (as with -S), avoiding
      race conditions.
    o syslog.conf(5) now supports program names containing dots and
      underscores.
    o tcpdump(8) already used privsep, pledge(2) and unveil(2)
      containment. It now also drops root privileges completely
      (switching to a reserved uid).
    o The multi-threaded performance of malloc(3) has been improved.
    o malloc(3) now uses sysctl(2) to get its settings, making it
      respect the system-wide settings in chroots as well.
    o Various improvements to the join command.
    o Work has started on an ISC-licensed rsync-compatible program called
      OpenRSYNC. In this release it has basic functionality such as -a,
      --delete, but lacks --exclude. Work will continue.
    o New Spleen font 8x16, 12x24, 16x32 and 32x64 variants added and
      enabled in wsfont, along with font selection logic to allow
      selecting larger fonts when available at runtime in rasops(9).

 - OpenSMTPD 6.5.0
    o New Features
       - Added the new matching criteria "from rdns" to smtpd.conf(5)
         to allow matching of sessions based on the reverse DNS of the
         client.
       - Added regex(3) support to table lookups in smtpd.conf(5).

 - LibreSSL 2.9.1
    o API and Documentation Enhancements
       - CRYPTO_LOCK is now automatically initialized, with the legacy
         callbacks stubbed for compatibility.
       - Added the SM3 hash function from the Chinese standard GB/T
         32905-2016.
       - Added the SM4 block cipher from the Chinese standard GB/T
         32907-2016.
       - Added more OPENSSL_NO_* macros for compatibility with
         OpenSSL.
       - Partial port of the OpenSSL EC_KEY_METHOD API for use by
         OpenSSH.
       - Implemented further missing OpenSSL 1.1 API.
       - Added support for XChaCha20 and XChaCha20-Poly1305.
       - Added support for AES key wrap constructions via the EVP
         interface.
    o Compatibility Changes
       - Added pbkdf2 key derivation support to openssl(1) enc.
       - Changed the default digest type of openssl(1) enc to sha256.
       - Changed the default digest type of openssl(1) dgst to sha256.
       - Changed the default digest type of openssl(1) x509
         -fingerprint to sha256.
       - Changed the default digest type of openssl(1) crl
         -fingerprint to sha256.
    o Testing and Proactive Security
       - Added extensive interoperability tests between LibreSSL and
         OpenSSL 1.0 and 1.1.
       - Added additional Wycheproof tests and related bug fixes.
    o Internal Improvements
       - Simplified sigalgs option processing and handshake signing
         algorithm selection.
       - Added the ability to use the RSA PSS algorithm for handshake
         signatures.
       - Added bn_rand_interval() and use it in code needing ranges of
         random bn values.
       - Added functionality to derive early, handshake, and
         application secrets as per RFC8446.
       - Added handshake state machine from RFC8446.
       - Removed some ASN.1 related code from libcrypto that had not
         been used since around 2000.
       - Unexported internal symbols and internalized more record
         layer structs.
       - Removed SHA224 based handshake signatures from consideration
         for use in a TLS 1.2 handshake.
    o Portable Improvements
       - Added support for assembly optimizations on 32-bit ARM ELF
         targets.
       - Added support for assembly optimizations on Mingw-w64
         targets.
       - Improved Android compatibility.
    o Bug Fixes
       - Improved protection against timing side channels in ECDSA
         signature generation.
       - Coordinate blinding was added to some elliptic curves. This
         is the last bit of the work by Brumley et al. to protect
         against the Portsmash vulnerability.
       - Ensure transcript handshake is always freed with TLS 1.2.

 - OpenSSH 8.0
    o New Features
       - ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys
         in PKCS#11 tokens.
       - ssh(1), sshd(8): Add experimental quantum-computing resistant
         key exchange method, based on a combination of Streamlined
         NTRU Prime 4591^761 and X25519.
       - ssh-keygen(1): Increase the default RSA key size to 3072
         bits, following NIST Special Publication 800-57's guidance
         for a 128-bit equivalent symmetric security level.
       - ssh(1): Allow "PKCS11Provider=none" to override later
         instances of the PKCS11Provider directive in ssh_config;
         bz#2974
       - sshd(8): Add a log message for situations where a connection
         is dropped for attempting to run a command but a sshd_config
         ForceCommand=internal-sftp restriction is in effect; bz#2960
       - ssh(1): When prompting whether to record a new host key,
         accept the key fingerprint as a synonym for "yes". This
         allows the user to paste a fingerprint obtained out of band
         at the prompt and have the client do the comparison for you.
       - ssh-keygen(1): When signing multiple certificates on a single
         command-line invocation, allow automatically incrementing the
         certificate serial number.
       - scp(1), sftp(1): Accept -J option as an alias to ProxyJump on
         the scp and sftp command-lines.
       - ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
         command-line flags to increase the verbosity of output; pass
         verbose flags through to subprocesses, such as
         ssh-pkcs11-helper started from ssh-agent.
       - ssh-add(1): Add a "-T" option to allow testing whether
         keys in an agent are usable by performing a signature and a
         verification.
       - sftp-server(8): Add a "lsetstat@openssh.com" protocol
         extension that replicates the functionality of the existing
         SSH2_FXP_SETSTAT operation but does not follow symlinks.
         bz#2067
       - sftp(1): Add "-h" flag to chown/chgrp/chmod commands to
         request they do not follow symlinks.
       - sshd(8): Expose $SSH_CONNECTION in the PAM environment. This
         makes the connection 4-tuple available to PAM modules that
         wish to use it in decision-making. bz#2741
       - sshd(8): Add a ssh_config "Match final" predicate. Matches in
         same pass as "Match canonical" but doesn't require hostname
         canonicalisation be enabled. bz#2906
       - sftp(1): Support a prefix of '@' to suppress echo of sftp
         batch commands; bz#2926
       - ssh-keygen(1): When printing certificate contents using
         "ssh-keygen -Lf /path/certificate", include the algorithm
         that the CA used to sign the cert.
    o Bugfixes
       - sshd(8): Fix authentication failures when sshd_config
         contains "AuthenticationMethods any" inside a Match block
         that overrides a more restrictive default.
       - sshd(8): Avoid sending duplicate keepalives when
         ClientAliveCount is enabled.
       - sshd(8): Fix two race conditions related to SIGHUP daemon
         restart. Remnant file descriptors in recently-forked child
         processes could block the parent sshd's attempt to listen(2)
         to the configured addresses. Also, the restarting parent sshd
         could exit before any child processes that were awaiting
         their re-execution state had completed reading it, leaving
         them in a fallback path.
       - ssh(1): Fix stdout potentially being redirected to /dev/null
         when ProxyCommand=- was in use.
       - sshd(8): Avoid sending SIGPIPE to child processes if they
         attempt to write to stderr after their parent processes have
         exited; bz#2071
       - ssh(1): Fix bad interaction between the ssh_config
         ConnectTimeout and ConnectionAttempts directives - connection
         attempts after the first were ignoring the requested timeout;
         bz#2918
       - ssh-keyscan(1): Return a non-zero exit status if no keys were
         found; bz#2903
       - scp(1): Sanitize scp filenames to allow UTF-8 characters
         without terminal control sequences; bz#2434
       - sshd(8): Fix confusion between ClientAliveInterval and
         time-based RekeyLimit that could cause connections to be
         incorrectly closed. bz#2757
       - ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN
         handling at initial token login. The attempt to read the PIN
         could be skipped in some cases, particularly on devices with
         integrated PIN readers. This would lead to an inability to
         retrieve keys from these tokens. bz#2652
       - ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set
         the CKA_ALWAYS_AUTHENTICATE flag by requiring a fresh login
         after the C_SignInit operation. bz#2638
       - ssh(1): Improve documentation for ProxyJump/-J, clarifying
         that local configuration does not apply to jump hosts.
       - ssh-keygen(1): Clarify manual - ssh-keygen -e only writes
         public keys, not private.
       - ssh(1), sshd(8): be more strict in processing protocol
         banners, allowing \r characters only immediately before \n.
       - Various: fix a number of memory leaks, including bz#2942 and
         bz#2938
       - scp(1), sftp(1): fix calculation of initial bandwidth limits.
         Account for bytes written before the timer starts and adjust
         the schedule on which recalculations are performed. Avoids an
         initial burst of traffic and yields more accurate bandwidth
         limits; bz#2927
       - sshd(8): Only consider the ext-info-c extension during the
         initial key exchange. It shouldn't be sent in subsequent
         ones, but if it is present we should ignore it. This prevents
         sshd from sending a SSH_MSG_EXT_INFO for REKEX for these
         buggy clients. bz#2929
       - ssh-keygen(1): Clarify manual that ssh-keygen -F (find host
         in authorized_keys) and -R (remove host from authorized_keys)
         options may accept either a bare hostname or a
         [hostname]:port combo. bz#2935
       - ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK;
         bz#2936
       - sshd(8): Silence error messages when sshd fails to load some
         of the default host keys. Failure to load an
         explicitly-configured hostkey is still an error, and failure
         to load any host key is still fatal. pr/103
       - ssh(1): Redirect stderr of ProxyCommands to /dev/null when
         ssh is started with ControlPersist; prevents random
         ProxyCommand output from interfering with session output.
       - ssh(1): The ssh client was keeping a redundant ssh-agent
         socket (leftover from authentication) around for the life of
         the connection; bz#2912
       - sshd(8): Fix bug in HostbasedAcceptedKeyTypes and
         PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature
         types were specified, then authentication would always fail
         for RSA keys as the monitor checks only the base key (not the
         signature algorithm) type against *AcceptedKeyTypes. bz#2746
       - ssh(1): Request correct signature types from ssh-agent when
         certificate keys and RSA-SHA2 signatures are in use.

 - Mandoc 1.14.5
    o Improved POSIX compliance in apropos(1) by accepting
      case-insensitive extended regular expressions by default.
    o New -O tag output option to open a page at the definition of a
      term.
    o Many tbl(7) improvements: line drawing, spanning, horizontal and
      vertical alignment in HTML output, improved column width
      calculations in terminal output, use of box drawing characters in
      UTF-8 output.
    o Much better HTML output, in particular with respect to paragraphs,
      line breaks, and vertical spacing in tagged lists. Tooltips are
      now implemented in pure CSS, the title attribute is no longer
      abused.

 - Xenocara
    o Xorg(1), the X window server, is no longer installed setuid.
      xenodm(1) should be used to start X.
    o The radeonsi Mesa driver is now included for hardware acceleration
      on Southern Islands and Sea Islands radeondrm(4) devices.

 - Ports and packages:
    o C++ ports for non-clang architectures are now compiled with ports
      gcc, so that more packages can be provided.
    o Pre-built packages are available for the following architectures on
      the day of release:
       - aarch64 (arm64): 9654
       - amd64: 10602
       - i386: 10535
    o Packages for the following architectures will be made available as
      their builds complete:
       - arm
       - mips64
       - mips64el
       - powerpc
       - sparc64

 - Some highlights:

    o AFL 2.52b                       o Mozilla Thunderbird 60.6.1
    o Asterisk 16.2.1                 o Mutt 1.11.4 and NeoMutt 20180716
    o Audacity 2.3.1                  o Node.js 10.15.0
    o CMake 3.10.2                    o OCaml 4.07.1
    o Chromium 73.0.3683.86           o OpenLDAP 2.3.43 and 2.4.47
    o Emacs 26.1                      o PHP 7.1.28, 7.2.17 and 7.3.4
    o FFmpeg 4.1.3                    o Postfix 3.3.3 and 3.4.20190106
    o GCC 4.9.4 and 8.3.0             o PostgreSQL 11.2
    o GHC 8.2.2                       o Python 2.7.16 and 3.6.8
    o GNOME 3.30.2.1                  o R 3.5.3
    o Go 1.12.1                       o Ruby 2.4.6, 2.5.5 and 2.6.2
    o Groff 1.22.4                    o Rust 1.33.0
    o JDK 8u202 and 11.0.2+9-3        o Sendmail 8.16.0.41
    o LLVM/Clang 7.0.1                o SQLite3 3.27.2
    o LibreOffice 6.2.2.2             o Sudo 1.8.27
    o Lua 5.1.5, 5.2.4 and 5.3.5      o Suricata 4.1.3
    o MariaDB 10.0.38                 o Tcl/Tk 8.5.19 and 8.6.8
    o Mono 5.18.1.0                   o TeX Live 2018
    o Mozilla Firefox 66.0.2 and      o Vim 8.1.1048 and Neovim 0.3.4
      ESR 60.6.1                      o Xfce 4.12

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.7 with xserver 1.19.7 + patches,
      freetype 2.9.1, fontconfig 2.12.4, Mesa 18.3.5, xterm 344,
      xkeyboard-config 2.20 and more)
    o LLVM/Clang 7.0.1 (+ patches)
    o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    o Perl 5.28.1 (+ patches)
    o NSD 4.1.27
    o Unbound 1.9.1
    o Ncurses 5.7
    o Binutils 2.17 (+ patches)
    o Gdb 6.3 (+ patches)
    o Awk Aug 10, 2011 version
    o Expat 2.2.6

------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each release.  Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible.  Therefore, we advise regular
visits to

        https://www.OpenBSD.org/security.html
and
        https://www.OpenBSD.org/errata.html

------------------------------------------------------------------------
- MAILING LISTS AND FAQ ------------------------------------------------

Mailing lists are an important means of communication among users and
developers of OpenBSD.  For information on OpenBSD mailing lists, please
see:

        https://www.OpenBSD.org/mail.html

You are also encouraged to read the Frequently Asked Questions (FAQ) at:

        https://www.OpenBSD.org/faq/

------------------------------------------------------------------------
- DONATIONS ------------------------------------------------------------

The OpenBSD Project is a volunteer-driven software group funded by
donations.  Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others.  This ecosystem is all handled under the same funding umbrella.

We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon
events.

All of our developers strongly urge you to donate and support our future
efforts.  Donations to the project are highly appreciated, and are
described in more detail at:

        https://www.OpenBSD.org/donations.html

------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.

There may also be exposure benefits since the Foundation may be
interested in participating in press releases.  In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at directors@openbsdfoundation.org for
more information.

------------------------------------------------------------------------
- HTTP/HTTPS INSTALLS --------------------------------------------------

OpenBSD can be easily installed via HTTP/HTTPS downloads.  Typically you
need a single small piece of boot media (e.g., a USB flash drive) and
then the rest of the files can be installed from a number of locations,
including directly off the Internet.  Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTP/HTTPS.

1) Read either of the following two files for a list of HTTP/HTTPS
   mirrors which provide OpenBSD, then choose one near you:

        https://www.OpenBSD.org/ftp.html
        https://ftp.openbsd.org/pub/OpenBSD/ftplist

   As of May 1, 2019, the following HTTP/HTTPS mirror sites have
   the 6.5 release:

        https://cdn.openbsd.org/pub/OpenBSD/6.5/            Global
        https://ftp.eu.openbsd.org/pub/OpenBSD/6.5/         Stockholm, Sweden
        https://ftp.hostserver.de/pub/OpenBSD/6.5/          Frankfurt, Germany
        http://ftp.bytemine.net/pub/OpenBSD/6.5/            Oldenburg, Germany
        https://ftp.fr.openbsd.org/pub/OpenBSD/6.5/         Paris, France
        https://mirror.aarnet.edu.au/pub/OpenBSD/6.5/       Brisbane, Australia
        https://ftp.usa.openbsd.org/pub/OpenBSD/6.5/        CO, USA
        https://ftp5.usa.openbsd.org/pub/OpenBSD/6.5/       CA, USA
        https://mirror.esc7.net/pub/OpenBSD/6.5/            TX, USA
        https://openbsd.cs.toronto.edu/pub/OpenBSD/6.5/     Toronto, Canada
        https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.5/ Global
        https://fastly.cdn.openbsd.org/pub/OpenBSD/6.5/     Global

        The release is also available at the master site:

        https://ftp.openbsd.org/pub/OpenBSD/6.5/            Alberta, Canada

        However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that HTTP/HTTPS mirror site and go into the directory
   pub/OpenBSD/6.5/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     arm64/           luna88k/         sgi/
        README           armv7/           macppc/          sparc64/
        SHA256           hppa/            octeon/          src.tar.gz
        SHA256.sig       i386/            packages/        sys.tar.gz
        alpha/           landisk/         ports.tar.gz     xenocara.tar.gz
        amd64/           loongson/        root.mail

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, amd64.  This is a list of what you will see:

        BOOTIA32.EFI*   bsd*            floppy65.fs     pxeboot*
        BOOTX64.EFI*    bsd.mp*         game65.tgz      xbase65.tgz
        BUILDINFO       bsd.rd*         index.txt       xfont65.tgz
        INSTALL.amd64   cd65.iso        install65.fs    xserv65.tgz
        SHA256          cdboot*         install65.iso   xshare65.tgz
        SHA256.sig      cdbr*           man65.tgz
        base65.tgz      comp65.tgz      miniroot65.fs

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
   and install65.iso.  The install65.iso file (roughly 407MB in size)
   is a one-step ISO-format install CD image which contains the various
   *.tgz files so you do not need to fetch them separately.

   If you prefer to use a USB flash drive, fetch install65.fs and
   follow the instructions in INSTALL.amd64.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.amd64.  INSTALL.amd64 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

        https://www.OpenBSD.org/errata.html

   This is the page where we talk about the mistakes we made while
   creating the 6.5 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.
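
The directory listings in steps 2 and 4 include SHA256 and SHA256.sig
next to the install files.  The script below is an added example, not
part of the original announcement or of OpenBSD's own tooling: it checks
fetched files against that manifest, whose lines have the form
"SHA256 (name) = hex".  The function names and the signify(1) key path
in the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the announcement): check fetched release files
# against the SHA256 manifest that sits beside them on the mirror.
#
# The manifest only proves integrity if it is authentic itself.  On an
# existing OpenBSD system, signify(1) checks SHA256.sig and the files in
# one step; the key path is an assumption about where your trusted copy
# of the 6.5 base key lives:
#   signify -C -p /etc/signify/openbsd-65-base.pub -x SHA256.sig install65.iso
# The functions below cover only the checksum comparison, for hosts
# without signify(1).

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    if command -v sha256 >/dev/null 2>&1; then        # OpenBSD
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then   # GNU coreutils
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# expected_hash MANIFEST NAME: print the hash listed for NAME.
# The name is compared as a literal string, never as a pattern.
expected_hash() {
    awk -v want="SHA256 ($2) = " '
        index($0, want) == 1 { print substr($0, length(want) + 1); found = 1; exit }
        END { exit found ? 0 : 1 }' "$1"
}

# verify_file MANIFEST DIR NAME
# Returns 0 on match, 1 on mismatch, 2 when the check cannot be made.
verify_file() {
    manifest=$1 dir=$2 name=$3
    case $name in
        ''|*/*|-*) echo "refusing file name: $name" >&2; return 2 ;;
    esac
    want=$(expected_hash "$manifest" "$name") || {
        echo "$name: not listed in $manifest" >&2; return 2; }
    case $want in
        *[!0-9a-f]*) echo "$name: malformed manifest entry" >&2; return 2 ;;
    esac
    [ ${#want} -eq 64 ] || { echo "$name: malformed manifest entry" >&2; return 2; }
    [ -f "$dir/$name" ] || { echo "$name: file not found" >&2; return 2; }
    got=$(sha256_of "$dir/$name") || return 2
    if [ "$got" = "$want" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: FAILED (got $got)" >&2
    return 1
}

# selftest: run the check on constructed stand-in files, first intact,
# then modified after the manifest was written.
selftest() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed stand-in for an install image\n' > "$tmp/install65.iso"
    printf 'SHA256 (install65.iso) = %s\n' \
        "$(sha256_of "$tmp/install65.iso")" > "$tmp/SHA256"
    verify_file "$tmp/SHA256" "$tmp" install65.iso >/dev/null || {
        rm -rf "$tmp"; return 1; }
    printf 'tampered\n' >> "$tmp/install65.iso"
    if verify_file "$tmp/SHA256" "$tmp" install65.iso 2>/dev/null; then
        st=1    # a modified file must not pass
    else
        st=0
    fi
    rm -rf "$tmp"
    return $st
}

# Usage: sh verify.sh SHA256 . install65.iso INSTALL.amd64
if [ $# -ge 3 ]; then
    m=$1 d=$2; shift 2
    rc=0
    for f in "$@"; do
        verify_file "$m" "$d" "$f" || rc=1
    done
    exit $rc
fi
```

A matching checksum shows only that a file agrees with the manifest; the
signify(1) check of SHA256.sig is what ties the manifest to the project's
release key.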

------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.7.  Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc.  During installation, you can install X.Org
quite easily.  Be sure to try out xenodm(1), our new, simplified X11
display manager forked from xdm(1).

------------------------------------------------------------------------
- PACKAGES AND PORTS ---------------------------------------------------

Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures.  Please see https://www.openbsd.org/faq/faq15.html for
more information on working with packages and ports.

Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed
separately.

------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------

The source code for all four subsystems can be found in the
pub/OpenBSD/6.5/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

The README (https://ftp.OpenBSD.org/pub/OpenBSD/6.5/README) file
explains how to deal with these source files.

------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------

Ports tree and package building by Pierre-Emmanuel Andre, Landry Breuil,
Visa Hankala, Stuart Henderson, Peter Hessler, and Christian Weisgerber.
Base and X system builds by Kenji Aoyama, Theo de Raadt, and
Visa Hankala.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who bought our previous CD sets.  Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.

Our developers are:

    Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall,
    Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov,
    Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley,
    Antoine Jacoutot, Anton Lindqvist, Asou Masato, Ayaka Koshibe,
    Benoit Lecocq, Bjorn Ketelaars, Bob Beck, Brandon Mercer,
    Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar,
    Carlos Cardenas, Charlene Wendling, Charles Longeau,
    Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann,
    Claudio Jeker, Dale Rahn, Damien Miller, Daniel Dickman,
    Daniel Jakots, Darren Tucker, David Coppa, David Gwynne, David Hill,
    Denis Fondras, Doug Hogan, Edd Barrett, Elias M. Mariani,
    Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus,
    Gerhard Roth, Giannis Tsaraias, Gilles Chehade, Giovanni Bechis,
    Gleydson Soares, Gonzalo L. Rodriguez, Helg Bredow, Henning Brauer,
    Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze,
    Inoguchi Kinichiro, James Turner, Jason McIntyre,
    Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans,
    Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray,
    Jonathan Matthew, Joris Vink, Joshua Stein,
    Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama,
    Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov,
    Klemens Nanni, Kurt Miller, Kurt Mosiejczuk, Landry Breuil,
    Lawrence Teo, Marc Espie, Marco Pfatschbacher, Marcus Glocker,
    Mark Kettenis, Mark Lumsden, Markus Friedl, Martijn van Duren,
    Martin Natano, Martin Pieuchot, Martynas Venckus, Mats O Jansson,
    Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Mikonos,
    Mike Belopuhov, Mike Larkin, Miod Vallat, Nayden Markatchev,
    Nicholas Marriott, Nigel Taylor, Okan Demirmen, Ori Bernstein,
    Otto Moerbeek, Pamela Mosiejczuk, Pascal Stumpf, Patrick Wildt,
    Paul Irofti, Pavel Korovin, Peter Hessler, Philip Guenther,
    Pierre-Emmanuel Andre, Pratik Vyas, Rafael Sadowski,
    Rafael Zalamena, Raphael Graf, Remi Locherer, Remi Pointel,
    Renato Westphal, Reyk Floeter, Ricardo Mestre, Richard Procter,
    Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha,
    Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
    Solene Rapenne, Stefan Fritsch, Stefan Kempf, Stefan Sperling,
    Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda,
    T.J. Townsend, Ted Unangst, Theo Buehler, Theo de Raadt,
    Thomas Frohwein, Tim van der Molen, Tobias Stoeckmann,
    Todd C. Miller, Todd Mortimer, Tom Cosgrove, Ulf Brosziewski,
    Uwe Stuehler, Vadim Zhukov, Vincent Gross, Visa Hankala,
    Yasuoka Masahiko, Yojiro Uo