OpenBSD 6.6 release, Oct 17, 2019
17 October, 2019 by deraadt@openbsd.org | openbsd
------------------------------------------------------------------------
- OpenBSD 6.6 RELEASED -------------------------------------------------
October 17, 2019.
We are pleased to announce the official release of OpenBSD 6.6.
This is our 47th release. We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.
As in our previous releases, 6.6 provides significant improvements,
including new features, in nearly all areas of the system:
- General improvements and bugfixes:
o Fixed support for amd64 machines with greater than 1023GB physical
memory.
o drm(4) updates.
o The octeon platform is now using clang(1) as the base system
compiler.
o The powerpc architecture is now provided with clang(1), in
addition to aarch64, amd64, armv7, i386, mips64el, sparc64.
o Disabled gcc in base on armv7 and i386.
o Prevented dhclient(8) from repeatedly obtaining a new lease when
the mtu is given in a lease.
o Prevented more than one thread from opening a wscons(4) device in
read/write mode.
o Allowed non-root users to become owner of the drm(4) device when
they are the first to open it.
o Added regular expression support for the format search, match and
substitute modifiers in tmux(1).
o Added a -v flag to source-file in tmux(1) to show the commands and
line numbers.
o Added simple menus usable with mouse or keyboard in tmux(1).
Introduced the command "display-menu" to show a menu bound to the
mouse on status line by default, and added menus in tree, client
and buffer modes.
o Changed the behavior of swap-window -d in tmux(1) to match
swap-pane.
o Allow panes to be empty in tmux(1), and enabling output to be
piped to them with split-window or display-message -I.
o Adjusted tmux(1) to automatically scroll when dragging to create a
selection with the mouse when the cursor reaches the top or bottom
line.
o Fixed a tmux(1) crash when killing the current window, and other
bugfixes.
- SMP-Improvements, System call unlocking:
o Unlocked getrlimit(2) and setrlimit(2) syscalls.
o Unlocked read(2) and write(2) syscalls.
o Removed the KERNEL_LOCK from the bridge(4) output fast-path.
o Made resource limit access MP-safe.
o Made file(9) offset access MP-safe.
- Improved hardware support, including:
o Implemented Linux compatible acpi(4) interfaces and enabled the
ACPI support code in radeon(4) and amdgpu(4).
o Implemented backlight control for amdgpu(4), allowing setting of
the backlight using wsconsctl(8).
o Both sets of speakers work by default on the ThinkPad X1C7.
o Added amdgpu(4), an AMD Radeon GPU video driver.
o Added TSC synchronization for multiprocessor machines and
re-enabled TSC as the default amd64 time source.
o Added support for Realtek ALC285 in azalia(4).
o Added uvideo(4) support for the KSMedia 8-bit IR format and for
dual functions on integrated USB cameras.
o Added the aplgpio(4) driver for the GPIO controllers on Intel's
Apollo Lake SoC.
o Implemented MSI-X support on sparc64.
o Skipped PCI host bridges and devices not present with acpi(1) when
establishing the mapping between ACPI device nodes and PCI
devices.
o Added the ukspan(4) driver for the Keyspan USA19HS USB serial
adapter.
o Improved support for SAS3 controllers, made device enumeration
during boot more reliable, and enabled 64bit DMA for io in
mpii(4).
o Fixed MSI/MSI-X on arm64 machines with agintc(4).
o Added MSI-X support in acpipci(4), pciecam, dwpcie(4) and
rkpcie(4).
o Improved support for type4 devices in the ubcmtp(4) multi-touch
trackpad driver.
o Support for virtio(4) 1.0 specification for PCI devices.
o Improved support for the AR9271 chipset in athn(4) .
o Repaired support for athn(4) 9280 1T2R devices (broken since
OpenBSD 6.5).
o Added support for the trackpad and trackpoint of the Dell
Precision 7520 laptop.
o Added the Colemak keyboard layout.
o New fusbtc(4) driver for the Fairchild FUSB302 USB Type-C
controller.
o Added a fallback to ehci(4) which enables the USB ports on the
RockPro64.
o Added support for more Intel 300 Series PCH devices to ichiic(4).
o Added mcx(4) driver for Mellanox ConnectX-4 (and later) Ethernet
controllers.
o Added support for the cryptographic coprocessor found on newer AMD
Ryzen CPUs/APUs.
o Improved the envy(4) codec API and used it on ESI Juli@ cards.
o Enabled EnvyHT-specific sample rates (above 96kHz) on the host
controller for envy(4) devices.
o Added support for the USB serial adapter found in Juniper SRX 300
to uslcom(4).
o Updated shared drm code, inteldrm(4) and radeondrm(4) to linux
4.19.78. This adds support for Intel Broxton/Apollo Lake, Amber
Lake, Gemini Lake, Coffee Lake, Whiskey Lake, and Comet Lake
hardware.
o Made startx(1) and xinit(1) work again on modern systems using
inteldrm(4), radeondrm(4) and amdgpu(4).
o Added mcprtc(4), a driver for the Microchip MCP79400 RTC and
similar.
o Added I2C clock gates to mvclock(4).
o Added support for MSI-X to bnxt(4).
o Added octpip(4), a driver for the Octeon packet input processing
unit.
o Added the octiic(4) driver for OCTEON two-wire serial interfaces.
o Enabled nvme(4) on octeon.
o Added octpcie(4), a driver for the PCIe controller found on OCTEON
II and OCTEON III.
o Fixed random kernel hangs on some sparc64 machines by blocking
interrupts while sending an IPI on sunv4 (as on sun4u).
o ure(4) now supports RTL8153B devices, adding support for Ethernet
on Lenovo USB-C docks.
o Added new ksmn(4) driver for temperature sensor on AMD Family 17h
CPUs.
o Explicitly disable BCM4331 wifi chips present in 2011-2012 Apple
Mac systems. Fixes an interrupt storm that consumes about 50% of
CPU0 on affected machines.
- Improved arm64 hardware support, including:
o Added support for Ampere eMAG CPU based systems.
o Added support to amlclock(4) for obtaining CPU clock frequency.
o Enabled amlmmc(4), a driver for the SD/MMC controller found on
various Amlogic SoCs.
o Implemented setting the CPU clock for Allwinner A64 SoCs in
sxiccmu(4).
o Added amldwusb(4), amlusbphy(4) and amlpciephy(4), drivers for the
USB controller and PHYs on the Amlogic G12A/B SoCs.
o Added imxtmu(4), a driver to support the temperature sensors on
i.MX8M SoCs.
o Added amlrng(4), a simple random number generator driver for
Amlogic SoCs.
o Added amclock(4), a driver for the Amlogic SoC clocks.
o Added amluart(4), a driver for the UARTs found on various Amlogic
SoCs.
o Added support for the SMBus System Interfaces (SSIF) to ipmi(4).
o PXE booting using U-Boot works now.
o Added clock support to sxisyscon(4), a driver for the system
controller found on various Allwinner SoCs.
o Implemented smbios(4) support on arm64.
o Added ucrcom(4), a driver for the serial console of chromebooks.
o Enabled mvmdio(4) and mvneta(4) on arm64.
o Added pinctrl(4) support for 'pinconf-single' devices and support
for bias and drive-strength properties, needed for HiSilicon SoCs.
o Added mvdog(4), a driver to support the watchdog on the Armada
3700 SoC.
o Added support for the Allwinner H6 to sxipio(4) and sxiccmu(4).
o Added mviic(4), a driver to support the I2C controller on the
Armada 3700 SoC.
o Added mvuart(4) to support the Armada 3720's serial console.
o Added support for the Armada 3720 clocks to mvclock(4).
o Added support for the Armada 3720 pinctrl controller to
mvpinctrl(4). This controller also includes GPIO controller
functionality.
o Added the RK3328 and RK3399 GMAC clocks to rkclock(4).
o Increased MAXCPUs to 32 in arm64, allowing use of all cores on the
Ampere eMAG.
o Added support for the Cortex-A65 CPU.
o Implemented interrupt controller functionality in rkgpio(4),
allowing use of the fusbtc(4) interrupt on the RockPro64.
- IEEE 802.11 wireless stack improvements:
o Repaired the ifconfig(8) 'nwflag' command (broken since OpenBSD
6.4).
o Added a new 'stayauth' nwflag which can be set to ignore deauth
frames. This is useful when deauth frames are being spoofed by an
attacker.
o Repaired the ifconfig(8) 'mode' command to properly force a
wireless interface into 11a/b/g/n mode.
o Made 11n Tx rate selection more sensitive to transmission
failures.
o Fixed automatic use of HT protection in 11n hostap mode.
o Fixed WPA APs occasionally appearing as non-WPA APs during AP
selection.
o Fixed some eligible APs being ignored during AP selection after a
roaming failure.
o Added support for 802.11n Tx aggregation to net80211 and the
iwn(4) driver.
o Made net80211 expose reasons for association failures to have
ifconfig(8) display them in "scan" output and on the ieee80211(9)
status line.
o Made all wireless drivers submit a batch of received packets to
the network stack during one interrupt if possible, rather than
submitting each packet individually. Prevents packet loss under
high load due to backpressure from the network stack.
- Generic network stack improvements:
o Enabled TCP and UDP checksum offloading by default for ix(4).
o Added tpmr(4), a 802.1Q two-port MAC relay implementation.
o Added iavf(4), a driver for Intel SR-IOV Virtual Functions of
Intel 700 series Ethernet controllers.
o Added aggr(4), a dedicated driver to implement 802.1AX link
aggregration.
o Added port protection support to switch(4). Domain membership is
checked for unicast, flooded (broadcast) and local
(host-network-bound, e.g. trunk) traffic.
o Disabled mobileip(4).
o Added support to ifconfig(8) for getting and setting rxprio,
finishing support for RFC 2983. Implemented configuring rxprio in
vlan(4), gre(4), mpw(4), mpe(4), mpip(4), etherip(4) and bpe(4).
o Implemented Tx mitigation by calling the hardware transmit routine
per several packets rather than for individual packets. Defers
calls to the transmit routine to a network taskq, or until a
backlog of packets has built up.
o Stopped using splnet(9) when running the network stack now that it
is using the NET_LOCK for protection, reducing latency spikes.
o Added support for reading SFPs to some ethernet cards.
- Installer improvements:
o Allowed quoted SSIDs in the installer, rather than ignoring those
containing whitespace.
o Introduced sysupgrade(8) that can be used to upgrade OpenBSD
unattended.
o A syspatch was provided which adds sysupgrade(8) to 6.5, so
unattended upgrades to 6.6 can be performed on amd64/arm64/i386
with '# syspatch && sysupgrade'.
o Created an octeon bootloader which is a modified kernel. To use
this bootloader, the firmware must be configured to load file
"boot" instead of "bsd".
o Included mount_nfs(8) on the amd64 CD ramdisk.
o Added tee(1) to the ramdisk, and display a moving progress bar
during auto upgrade/install.
o Repaired and improved v6 default route selection, fixing
autoinstalls.
o Added sysupgrade(8) support to the sparc64 bootloader.
o The DHCP configuration is now preserved when restarting an
install.
o The installer now remembers 'autoconf' when restarting an install.
o Stopped prompting for disks that do not contain a root partition
during upgrades. This defaults to the correct disk when full disk
encryption is in use, and will be useful for future unattended
upgrades.
- Security improvements:
o unveil(2) is now used in 77 userland programs to redact filesystem
access.
o Various changes in unveil(2) to improve application behavior when
encountering hidden filesystem paths.
o ps(1) can show which processes have called unveil(2) with the u
and U flags in STATE field.
o ps(1) can show the list of pledge(2) options processes use with
the -o pledge option.
o Further and improved mitigations against Spectre side-channel
vulnerability in Intel CPUs built since 2012.
o Mitigations for Intel's Microarchitectural Data Sampling
vulnerability, using the new CPU VERW behavior if available or by
using the proper sequence from Intel's "Deep Dive" doc in the
return-to-userspace and enter-VMM-guest paths. Updated vmm(4) to
pass through the MSR bits so that guests can apply the optimal
mitigation.
o Rewrote doas(1) environment inheritance not to inherit, and
instead reset to the target user's values by default.
o Prepare the amd64 BIOS bootloader for loading the kernel at a
random virtual address (future work).
o Introduced malloc_conceal(3) and calloc_conceal(3), which return
memory in pages marked MAP_CONCEAL and call freezero(3) on
free(3).
o Make 'systat pf' not require root permissions (systat(8)).
o Added support for the EFI Random Number Generator Protocol, using
it to XOR random data into the buffer we feed the kernel for
amd64.
o Added information about system call memory write protection and
stack mapping violations to system accounting. Now daily(8) will
print a list of affected processes and lastcomm(1) will flag
violations with 'M'.
- Routing daemons and other userland network improvements:
o The ntpd(8) daemon now gets and sets the clock in a secure way
when booting even when a battery-backed clock is absent.
o slaacd(8) now removes IPv6 addresses when it detects a link-state
change but no new router advertisement is received.
o ifconfig(8) now reports SFP, SFP+ and QSFP module information when
using the sff option.
o Imported snmp(1), a new SNMP client which aims to be
netsnmp-compatible for supported features, and removed snmpctl(8).
o Improvements in ntpd(8) DNS resolving and constraints checking,
especially during startup. Unreliable NTP peers are removed from
the pool and DNS resolving is repeated to add replacements.
o Changed the bgpd(8) Adj-RIB-Out to a per-peer set of RB trees,
improving speed.
o Rewrote bgpd(8) community matching and handling code and improved
performance for setups using many communities.
o Checked the type of a network statement when looking for
duplicates in bgpd(8). This fixes added network 0.0.0.0/0 after
'network inet static'.
o Made improvements to bgpd(8) speed when configuring many peers.
o Implemented bgpctl(8) 'show mrt neighbors', to print the neighbor
table of MRT TABLE_DUMP_V2 dumps.
o Moved bgpd(8) pfkey socket to the parent process. The refreshing
of the keys for MD5 and IPSEC is done whenever the session state
changes to IDLE or ACTIVE, which should behave better when
reloading configs with auth changes.
o In bgpd(8), fixed reloading of network statements that have no
fixed prefix specification.
o Extended the maximum size of the bgpd(8) shutdown communication
message to 255 bytes.
o Improvements in pfctl(8), to always check for namespace collisions
on table commands. Introduced 'pfctl -FR' to reset pfctl(8)
settings to defaults.
o Imported Kristaps Dzonsons' RPKI validator, rpki-client(8).
o relayd(8) now supports binary protocol health checking. See
relayd.conf(5).
o Added support for OCSP stapling to relayd(8).
o Added relayd(8) support for SNI with new 'tls keypair' option to
load additional certificates.
o Added support for 'from/to address[/prefix]' in relayd(8) filter
rules.
o Implemented RFC 8555 "Automatic Certificate Management Environment
(ACME)" to enable acme-client(1) to communicate with the v02 Let's
Encrypt API. Read the upgrade guide for more information.
o tcpdump(8) support for '-T erspan' and arbitrary gre(4) protocols.
o Allowed specifying area by number as well as id in ospf6d(8).
o ospfctl(8) now accepts both address and number format for 'ospfctl
show database area XXX'.
o ospfd(8) reload improvements.
o Added a check to ospfd(8) and ospf6d(8) that any "depend on"
interfaces are in the same rdomain.
o Make 'passive' (announce a network configured on an interface as a
stub network) work with P2P interfaces in ospfd(8).
o Shutdown the service port when behind a captive portal with
unwind(8), allowing bypass of captive portals that correctly
answer SOA queries for the root zone and return NXDOMAIN for the
captive portal redirect domain if edns0 is present.
o Implemented DNS block lists in unwind(8).
o Added support for IKEv2 Message Fragmentation (RFC 7383) to
iked(8).
o Enabled switching between wireless and wired interfaces in
dhclient(8), setting the default route with the interface address
and allowing two default routes in the routing table. A wired
interface will be preferred when connected.
o Added consistent use of 'ifconfig $_if [-inet| -inet6]' to clear
existing configurations completely after restarting an install.
o Added 'forwarded' log format extending the 'combined' log format
in httpd(8).
- Assorted improvements:
o The filesystem buffer cache now more aggressively uses memory
outside the DMA region, to improve cache performance on amd64
machines.
o The BER API previously internal to ldap(1), ldapd(8), ypldap(8),
and snmpd(8) has been moved into libutil. See
ber_read_elements(3).
o Removed the old userland realpath(3) and replaced it with
__realpath(2), a kernel implementation. This will prevent calling
readlink(2) on every component of a path and improve performance
for unveil(2).
o ld.so(1) speedups, improving dynamic linker performance for large
objects.
o Modified systat(1) to allow the use of 'b' to switch to stats
since boot.
o From perldoc(1), always produce man(7) output in UTF-8, which
gives better results with our mandoc(1) renderer no matter which
LC_CTYPE the user selected.
- VMM/VMD improvements
o Added support for 'boot device' to vm.conf(5) grammar, the '-B
device' counterpart from vmctl(8).
o Emulated kvm pvclock in vmm(4), compatible with pvclock(4) in
OpenBSD.
o Enabled reporting of the vm state through use of the vmctl(8)
'status' command.
o Synced vm state in vmd(8) when (un)pausing a vm to ensure both
vmm(4) and vmd(8) processes know the vm is paused.
o Handled some unhandled instructions for SVM which led to vmm(4)
guest termination, as well as RDTSCP and INVLPGA instructions.
o Modified vmm(4) to flush guest TLB entries if the guest disables
paging.
- OpenSMTPD 6.6.0
o New Features
- Introduced support for ECDSA certificates with an ECDSA
privsep engine.
- Introduced builtin filters to allow basic filtering of
incoming sessions in smtpd(8).
- Introduced option to deliver junk to a Junk folder in
mail.maildir(8).
o Bug fixes
- Fixed the smtp(1) client so it uses correct default port for
SMTPS.
- Fixed an smtpd(8) crash on excessively large input.
- Ensured mail rejected by an LMTP server will stay queued
rather than bouncing.
o Experimental Features
- Introduced a filters API to allow writing standalone filters
for smtpd(8), with multiple filters made available in ports.
- Introduced support for proxy-v2 protocol allowing smtpd(8) to
operate behind proxy.
- LibreSSL 3.0.2
o API and Documentation Enhancements
- Completed the port of RSA_METHOD accessors from the OpenSSL
1.1 API.
- Documented undescribed options and removed unfunctional
options description in openssl(1) manual.
o Compatibility Changes
o Testing and Proactive Security
- A plethora of small fixes due to regular oss-fuzz testing.
- Various side channels in DSA and ECDSA were addressed. These
are some of the many issues found in an extensive systematic
analysis of bignum usage by Samuel Weiser, David Schrammel et
al.
- Try to compute the cofactor if a nonsensical value was
provided for ECC parameters. Fix from Billy Brumley.
o Internal Improvements
o Portable Improvements
- Enabled performance optimizations when building with Visual
Studio on Windows.
- Enabled openssl(1) speed subcommand on Windows platform.
o Bug Fixes
- Fixed issue where SRTP extension would not be sent by server.
- Fixed incorrect carry operation in 512 addition for Streebog.
- Fixed -modulus option with openssl(1) dsa subcommand.
- Fixed PVK format output issue with openssl(1) dsa and rsa
subcommand.
- Fixed a padding oracle attack in PKCS7_dataDecode() and
CMS_decrypt_set1_pkey() (CMS is currently disabled). From
Bernd Edlinger.
- OpenSSH 8.1
o New Features
- ssh(1): Allow %n to be expanded in ProxyCommand strings
- ssh(1), sshd(8): Allow prepending a list of algorithms to the
default set by starting the list with the '^' character, E.g.
"HostKeyAlgorithms ^ssh-ed25519"
- ssh-keygen(1): add an experimental lightweight signature and
verification ability. Signatures may be made using regular
ssh keys held on disk or stored in a ssh-agent and verified
against an authorized_keys-like list of allowed keys.
Signatures embed a namespace that prevents confusion and
attacks between different usage domains (e.g. files vs
email).
- ssh-keygen(1): print key comment when extracting public key
from a private key. bz#3052
- ssh-keygen(1): accept the verbose flag when searching for
host keys in known hosts (i.e. "ssh-keygen -vF host") to
print the matching host's random-art signature too. bz#3003
- All: support PKCS8 as an optional format for storage of
private keys to disk. The OpenSSH native key format remains
the default, but PKCS8 is a superior format to PEM if
interoperability with non-OpenSSH software is required, as it
may use a less insecure key derivation function than PEM's.
o Bugfixes
- ssh(1): if a PKCS#11 token returns no keys then try to login
and refetch them. Based on patch from Jakub Jelen; bz#2430
- ssh(1): produce a useful error message if the user's shell is
set incorrectly during "match exec" processing. bz#2791
- sftp(1): allow the maximum uint32 value for the argument
passed to -b which allows better error messages from later
validation. bz#3050
- ssh(1): avoid pledge sandbox violations in some combinations
of remote forwarding, connection multiplexing and
ControlMaster.
- ssh-keyscan(1): include SHA2-variant RSA key algorithms in
KEX proposal; allows ssh-keyscan to harvest keys from servers
that disable old SHA1 ssh-rsa. bz#3029
- sftp(1): print explicit "not modified" message if a file was
requested for resumed download but was considered already
complete. bz#2978
- sftp(1): fix a typo and make <esc><right> move right to the
closest end of a word just like <esc><left> moves left to the
closest beginning of a word.
- sshd(8): cap the number of permitopen/permitlisten directives
allowed to appear on a single authorized_keys line.
- All: fix a number of memory leaks (one-off or on exit paths).
- Regression tests: a number of fixes and improvements,
including fixes to the interop tests, adding the ability to
run most tests on builds that disable OpenSSL support, better
support for running tests under Valgrind and a number of
bug-fixes.
- ssh(1), sshd(8): check for convtime() refusing to accept
times that resolve to LONG_MAX Reported by Kirk Wolf bz2977
- ssh(1): slightly more instructive error message when the user
specifies multiple -J options on the command-line. bz3015
- ssh-agent(1): process agent requests for RSA certificate
private keys using correct signature algorithm when
requested. bz3016
- sftp(1): check for user@host when parsing sftp target. This
allows user@[1.2.3.4] to work without a path. bz#2999
- sshd(8): enlarge format buffer size for certificate serial
number so the log message can record any 64-bit integer
without truncation. bz#3012
- sshd(8): for PermitOpen violations add the remote host and
port to be able to more easily ascertain the source of the
request. Add the same logging for PermitListen violations
which where not previously logged at all.
- scp(1), sftp(1): use the correct POSIX format style for left
justification for the transfer progress meter. bz#3002
- sshd(8) when examining a configuration using sshd -T, assume
any attribute not provided by -C does not match, which allows
it to work when sshd_config contains a Match directive with
or without -C. bz#2858
- ssh(1), ssh-keygen(1): downgrade PKCS#11 "provider returned
no slots" warning from log level error to debug. This is
common when attempting to enumerate keys on smartcard readers
with no cards plugged in. bz#3058
- ssh(1), ssh-keygen(1): do not unconditionally log in to
PKCS#11 tokens. Avoids spurious PIN prompts for keys not
selected for authentication in ssh(1) and when listing public
keys available in a token using ssh-keygen(1). bz#3006
- Mandoc
o Slowly start implementing tagging support for man(7) pages: tag
alphabetic arguments of .IP, .TP, and .TQ macros.
o In HTML output, wrap text and phrasing elements in paragraphs
unless already contained in flow containers; never put them
directly into sections. This helps to format paragraphs with the
CSS class selector .Pp.
o Implement the roff(7) .break request to break out of a .while
loop.
o If messages are shown and output is printed without a pager,
display a heads-up on standard error output at the end because
otherwise, users may easily miss the messages.
o Let mandoc.css support prefers-color-scheme: dark.
o For pages lacking a SYNOPSIS, let man(1) show the NAME section.
- Ports and packages:
o Pre-built packages are available for the following architectures on
the day of release:
- aarch64 (arm64): 10075
- amd64: 10736
- i386: 10682
- sparc64: 9685
- mips64: 7921
o Packages for the following architectures will be made available as
their builds complete:
- arm
- mips64el
- powerpc
- As usual, steady improvements in manual pages and other documentation.
- The system includes the following major components from outside suppliers:
o Xenocara (based on X.Org 7.7 with xserver 1.20.5 + patches,
freetype 2.10.1, fontconfig 2.12.4, Mesa 19.0.8, xterm 344,
xkeyboard-config 2.20 and more)
o LLVM/Clang 8.0.1 (+ patches)
o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
o Perl 5.28.2 (+ patches)
o NSD 4.2.2
o Unbound 1.9.4
o Ncurses 5.7
o Binutils 2.17 (+ patches)
o Gdb 6.3 (+ patches)
o Awk Aug 10, 2011 version
o Expat 2.2.8
------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------
We provide patches for known security threats and other important
issues discovered after each release. Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible. Therefore, we advise regular
visits to
https://www.OpenBSD.org/security.html
and
https://www.OpenBSD.org/errata.html
------------------------------------------------------------------------
- MAILING LISTS AND FAQ ------------------------------------------------
Mailing lists are an important means of communication among users and
developers of OpenBSD. For information on OpenBSD mailing lists, please
see:
https://www.OpenBSD.org/mail.html
You are also encouraged to read the Frequently Asked Questions (FAQ) at:
https://www.OpenBSD.org/faq/
------------------------------------------------------------------------
- DONATIONS ------------------------------------------------------------
The OpenBSD Project is a volunteer-driven software group funded by
donations. Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others. This ecosystem is all handled under the same funding umbrella.
We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon
events.
All of our developers strongly urge you to donate and support our future
efforts. Donations to the project are highly appreciated, and are
described in more detail at:
https://www.OpenBSD.org/donations.html
------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------
For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts. In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.
There may also be exposure benefits since the Foundation may be
interested in participating in press releases. In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at directors@openbsdfoundation.org for
more information.
------------------------------------------------------------------------
- HTTPS INSTALLS -------------------------------------------------------
OpenBSD can be easily installed via HTTPS downloads. Typically you need
a single small piece of boot media (e.g., a USB flash drive) and then
the rest of the files can be installed from a number of locations,
including directly off the Internet. Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTPS.
1) Read either of the following two files for a list of HTTPS mirrors
which provide OpenBSD, then choose one near you:
https://www.OpenBSD.org/ftp.html
https://ftp.openbsd.org/pub/OpenBSD/ftplist
As of October 17, 2019, the following HTTPS mirror sites have the
6.6 release:
https://cdn.openbsd.org/pub/OpenBSD/6.6/ Global
https://ftp.eu.openbsd.org/pub/OpenBSD/6.6/ Stockholm, Sweden
https://ftp.hostserver.de/pub/OpenBSD/6.6/ Frankfurt, Germany
https://ftp.bytemine.net/pub/OpenBSD/6.6/ Oldenburg, Germany
https://ftp.fr.openbsd.org/pub/OpenBSD/6.6/ Paris, France
https://mirror.aarnet.edu.au/pub/OpenBSD/6.6/ Brisbane, Australia
https://ftp.usa.openbsd.org/pub/OpenBSD/6.6/ CO, USA
https://ftp5.usa.openbsd.org/pub/OpenBSD/6.6/ CA, USA
https://mirror.esc7.net/pub/OpenBSD/6.6/ TX, USA
https://openbsd.cs.toronto.edu/pub/OpenBSD/6.6/ Toronto, Canada
https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.6/ Global
https://fastly.cdn.openbsd.org/pub/OpenBSD/6.6/ Global
The release is also available at the master site:
https://ftp.openbsd.org/pub/OpenBSD/6.6/ Alberta, Canada
However it is strongly suggested you use a mirror.
Other mirror sites may take a day or two to update.
2) Connect to that HTTPS mirror site and go into the directory
pub/OpenBSD/6.6/ which contains these files and directories.
This is a list of what you will see:
ANNOUNCEMENT arm64/ luna88k/ ports.tar.gz
README armv7/ macppc/ root.mail
SHA256 hppa/ octeon/ sparc64/
SHA256.sig i386/ openbsd-66-base.pub src.tar.gz
alpha/ landisk/ packages/ sys.tar.gz
amd64/ loongson/ packages-stable/ xenocara.tar.gz
It is quite likely that you will want at LEAST the following
files which apply to all the architectures OpenBSD supports.
README - generic README
root.mail - a copy of root's mail at initial login.
(This is really worthwhile reading).
3) Read the README file. It is short, and a quick read will make
sure you understand what else you need to fetch.
4) Next, go into the directory that applies to your architecture,
for example, amd64. This is a list of what you will see:
BOOTIA32.EFI* bsd* floppy66.fs pxeboot*
BOOTX64.EFI* bsd.mp* game66.tgz xbase66.tgz
BUILDINFO bsd.rd* index.txt xfont66.tgz
INSTALL.amd64 cd66.iso install66.fs xserv66.tgz
SHA256 cdboot* install66.iso xshare66.tgz
SHA256.sig cdbr* man66.tgz
base66.tgz comp66.tgz miniroot66.fs
If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
and install66.iso. The install66.iso file (roughly 463MB in size)
is a one-step ISO-format install CD image which contains the various
*.tgz files so you do not need to fetch them separately.
If you prefer to use a USB flash drive, fetch install66.fs and
follow the instructions in INSTALL.amd64.
5) If you are an expert, follow the instructions in the file called
README; otherwise, use the more complete instructions in the
file called INSTALL.amd64. INSTALL.amd64 may tell you that you
need to fetch other files.
6) Just in case, take a peek at:
https://www.OpenBSD.org/errata.html
This is the page where we talk about the mistakes we made while
creating the 6.6 release, or the significant bugs we fixed
post-release which we think our users should have fixes for.
Patches and workarounds are clearly described there.
------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------
X.Org has been integrated more closely into the system. This release
contains X.Org 7.7. Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc. During installation, you can install X.Org
quite easily using xenodm(1), our simplified X11 display manager forked
from xdm(1).
------------------------------------------------------------------------
- PACKAGES AND PORTS ---------------------------------------------------
Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures. Please see https://www.openbsd.org/faq/faq15.html for
more information on working with packages and ports.
Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed
separately.
------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------
The source code for all four subsystems can be found in the
pub/OpenBSD/6.6/ directory:
xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz
The README (https://ftp.OpenBSD.org/pub/OpenBSD/6.6/README) file
explains how to deal with these source files.
------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------
Ports tree and package building by Pierre-Emmanuel Andre, Landry Breuil,
Visa Hankala, Stuart Henderson, Peter Hessler, and Christian Weisgerber.
Base and X system builds by Kenji Aoyama and Theo de Raadt. Release art
contributed by Natasha Allegri.
We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use. We would also like
to thank those who bought our previous CD sets. Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.
Our developers are:
Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall,
Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov,
Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley,
Antoine Jacoutot, Anton Lindqvist, Asou Masato, Ayaka Koshibe,
Benoit Lecocq, Bjorn Ketelaars, Bob Beck, Brandon Mercer,
Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar,
Carlos Cardenas, Charlene Wendling, Charles Longeau,
Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann,
Claudio Jeker, Dale Rahn, Damien Miller, Daniel Dickman,
Daniel Jakots, Darren Tucker, David Coppa, David Gwynne, David Hill,
Denis Fondras, Doug Hogan, Edd Barrett, Elias M. Mariani,
Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus,
Gerhard Roth, Giannis Tsaraias, Gilles Chehade, Giovanni Bechis,
Gleydson Soares, Gonzalo L. Rodriguez, Helg Bredow, Henning Brauer,
Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze,
Inoguchi Kinichiro, James Turner, Jan Klemkow, Jason McIntyre,
Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans,
Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray,
Jonathan Matthew, Joris Vink, Joshua Stein,
Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama,
Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov,
Klemens Nanni, Kurt Miller, Kurt Mosiejczuk, Landry Breuil,
Lawrence Teo, Marc Espie, Marco Pfatschbacher, Marcus Glocker,
Mark Kettenis, Mark Lumsden, Markus Friedl, Martijn van Duren,
Martin Natano, Martin Pieuchot, Martynas Venckus, Mats O Jansson,
Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Mikonos,
Mike Belopuhov, Mike Larkin, Miod Vallat, Nayden Markatchev,
Nicholas Marriott, Nigel Taylor, Okan Demirmen, Ori Bernstein,
Otto Moerbeek, Pamela Mosiejczuk, Pascal Stumpf, Patrick Wildt,
Paul Irofti, Pavel Korovin, Peter Hessler, Philip Guenther,
Pierre-Emmanuel Andre, Pratik Vyas, Rafael Sadowski,
Rafael Zalamena, Raphael Graf, Remi Locherer, Remi Pointel,
Renato Westphal, Reyk Floeter, Ricardo Mestre, Richard Procter,
Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha,
Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
Solene Rapenne, Stefan Fritsch, Stefan Kempf, Stefan Sperling,
Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda,
T.J. Townsend, Ted Unangst, Theo Buehler, Theo de Raadt,
Thomas Frohwein, Tim van der Molen, Tobias Heider,
Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove,
Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov, Vincent Gross,
Visa Hankala, Yasuoka Masahiko, Yojiro Uo