deadsimple BSD Security Advisories and Announcements

OpenBSD 6.6 release, Oct 17, 2019

- OpenBSD 6.6 RELEASED -------------------------------------------------

October 17, 2019.

We are pleased to announce the official release of OpenBSD 6.6.
This is our 47th release.  We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.

As in our previous releases, 6.6 provides significant improvements,
including new features, in nearly all areas of the system:

 - General improvements and bugfixes:
    o Fixed support for amd64 machines with greater than 1023GB physical
    o drm(4) updates.
    o The octeon platform is now using clang(1) as the base system
    o The powerpc architecture is now provided with clang(1), in
      addition to aarch64, amd64, armv7, i386, mips64el, sparc64.
    o Disabled gcc in base on armv7 and i386.
    o Prevented dhclient(8) from repeatedly obtaining a new lease when
      the mtu is given in a lease.
    o Prevented more than one thread from opening a wscons(4) device in
      read/write mode.
    o Allowed non-root users to become owner of the drm(4) device when
      they are the first to open it.
    o Added regular expression support for the format search, match and
      substitute modifiers in tmux(1).
    o Added a -v flag to source-file in tmux(1) to show the commands and
      line numbers.
    o Added simple menus usable with mouse or keyboard in tmux(1).
      Introduced the command "display-menu" to show a menu bound to the
      mouse on status line by default, and added menus in tree, client
      and buffer modes.
    o Changed the behavior of swap-window -d in tmux(1) to match
    o Allow panes to be empty in tmux(1), and enabling output to be
      piped to them with split-window or display-message -I.
    o Adjusted tmux(1) to automatically scroll when dragging to create a
      selection with the mouse when the cursor reaches the top or bottom
    o Fixed a tmux(1) crash when killing the current window, and other

 - SMP-Improvements, System call unlocking:
    o Unlocked getrlimit(2) and setrlimit(2) syscalls.
    o Unlocked read(2) and write(2) syscalls.
    o Removed the KERNEL_LOCK from the bridge(4) output fast-path.
    o Made resource limit access MP-safe.
    o Made file(9) offset access MP-safe.

 - Improved hardware support, including:
    o Implemented Linux compatible acpi(4) interfaces and enabled the
      ACPI support code in radeon(4) and amdgpu(4).
    o Implemented backlight control for amdgpu(4), allowing setting of
      the backlight using wsconsctl(8).
    o Both sets of speakers work by default on the ThinkPad X1C7.
    o Added amdgpu(4), an AMD Radeon GPU video driver.
    o Added TSC synchronization for multiprocessor machines and
      re-enabled TSC as the default amd64 time source.
    o Added support for Realtek ALC285 in azalia(4).
    o Added uvideo(4) support for the KSMedia 8-bit IR format and for
      dual functions on integrated USB cameras.
    o Added the aplgpio(4) driver for the GPIO controllers on Intel's
      Apollo Lake SoC.
    o Implemented MSI-X support on sparc64.
    o Skipped PCI host bridges and devices not present with acpi(1) when
      establishing the mapping between ACPI device nodes and PCI
    o Added the ukspan(4) driver for the Keyspan USA19HS USB serial
    o Improved support for SAS3 controllers, made device enumeration
      during boot more reliable, and enabled 64bit DMA for io in
    o Fixed MSI/MSI-X on arm64 machines with agintc(4).
    o Added MSI-X support in acpipci(4), pciecam, dwpcie(4) and
    o Improved support for type4 devices in the ubcmtp(4) multi-touch
      trackpad driver.
    o Support for virtio(4) 1.0 specification for PCI devices.
    o Improved support for the AR9271 chipset in athn(4) .
    o Repaired support for athn(4) 9280 1T2R devices (broken since
      OpenBSD 6.5).
    o Added support for the trackpad and trackpoint of the Dell
      Precision 7520 laptop.
    o Added the Colemak keyboard layout.
    o New fusbtc(4) driver for the Fairchild FUSB302 USB Type-C
    o Added a fallback to ehci(4) which enables the USB ports on the
    o Added support for more Intel 300 Series PCH devices to ichiic(4).
    o Added mcx(4) driver for Mellanox ConnectX-4 (and later) Ethernet
    o Added support for the cryptographic coprocessor found on newer AMD
      Ryzen CPUs/APUs.
    o Improved the envy(4) codec API and used it on ESI Juli@ cards.
    o Enabled EnvyHT-specific sample rates (above 96kHz) on the host
      controller for envy(4) devices.
    o Added support for the USB serial adapter found in Juniper SRX 300
      to uslcom(4).
    o Updated shared drm code, inteldrm(4) and radeondrm(4) to linux
      4.19.78. This adds support for Intel Broxton/Apollo Lake, Amber
      Lake, Gemini Lake, Coffee Lake, Whiskey Lake, and Comet Lake
    o Made startx(1) and xinit(1) work again on modern systems using
      inteldrm(4), radeondrm(4) and amdgpu(4).
    o Added mcprtc(4), a driver for the Microchip MCP79400 RTC and
    o Added I2C clock gates to mvclock(4).
    o Added support for MSI-X to bnxt(4).
    o Added octpip(4), a driver for the Octeon packet input processing
    o Added the octiic(4) driver for OCTEON two-wire serial interfaces.
    o Enabled nvme(4) on octeon.
    o Added octpcie(4), a driver for the PCIe controller found on OCTEON
      II and OCTEON III.
    o Fixed random kernel hangs on some sparc64 machines by blocking
      interrupts while sending an IPI on sunv4 (as on sun4u).
    o ure(4) now supports RTL8153B devices, adding support for Ethernet
      on Lenovo USB-C docks.
    o Added new ksmn(4) driver for temperature sensor on AMD Family 17h
    o Explicitly disable BCM4331 wifi chips present in 2011-2012 Apple
      Mac systems. Fixes an interrupt storm that consumes about 50% of
      CPU0 on affected machines.

 - Improved arm64 hardware support, including:
    o Added support for Ampere eMAG CPU based systems.
    o Added support to amlclock(4) for obtaining CPU clock frequency.
    o Enabled amlmmc(4), a driver for the SD/MMC controller found on
      various Amlogic SoCs.
    o Implemented setting the CPU clock for Allwinner A64 SoCs in
    o Added amldwusb(4), amlusbphy(4) and amlpciephy(4), drivers for the
      USB controller and PHYs on the Amlogic G12A/B SoCs.
    o Added imxtmu(4), a driver to support the temperature sensors on
      i.MX8M SoCs.
    o Added amlrng(4), a simple random number generator driver for
      Amlogic SoCs.
    o Added amclock(4), a driver for the Amlogic SoC clocks.
    o Added amluart(4), a driver for the UARTs found on various Amlogic
    o Added support for the SMBus System Interfaces (SSIF) to ipmi(4).
    o PXE booting using U-Boot works now.
    o Added clock support to sxisyscon(4), a driver for the system
      controller found on various Allwinner SoCs.
    o Implemented smbios(4) support on arm64.
    o Added ucrcom(4), a driver for the serial console of chromebooks.
    o Enabled mvmdio(4) and mvneta(4) on arm64.
    o Added pinctrl(4) support for 'pinconf-single' devices and support
      for bias and drive-strength properties, needed for HiSilicon SoCs.
    o Added mvdog(4), a driver to support the watchdog on the Armada
      3700 SoC.
    o Added support for the Allwinner H6 to sxipio(4) and sxiccmu(4).
    o Added mviic(4), a driver to support the I2C controller on the
      Armada 3700 SoC.
    o Added mvuart(4) to support the Armada 3720's serial console.
    o Added support for the Armada 3720 clocks to mvclock(4).
    o Added support for the Armada 3720 pinctrl controller to
      mvpinctrl(4). This controller also includes GPIO controller
    o Added the RK3328 and RK3399 GMAC clocks to rkclock(4).
    o Increased MAXCPUs to 32 in arm64, allowing use of all cores on the
      Ampere eMAG.
    o Added support for the Cortex-A65 CPU.
    o Implemented interrupt controller functionality in rkgpio(4),
      allowing use of the fusbtc(4) interrupt on the RockPro64.

 - IEEE 802.11 wireless stack improvements:
    o Repaired the ifconfig(8) 'nwflag' command (broken since OpenBSD
    o Added a new 'stayauth' nwflag which can be set to ignore deauth
      frames. This is useful when deauth frames are being spoofed by an
    o Repaired the ifconfig(8) 'mode' command to properly force a
      wireless interface into 11a/b/g/n mode.
    o Made 11n Tx rate selection more sensitive to transmission
    o Fixed automatic use of HT protection in 11n hostap mode.
    o Fixed WPA APs occasionally appearing as non-WPA APs during AP
    o Fixed some eligible APs being ignored during AP selection after a
      roaming failure.
    o Added support for 802.11n Tx aggregation to net80211 and the
      iwn(4) driver.
    o Made net80211 expose reasons for association failures to have
      ifconfig(8) display them in "scan" output and on the ieee80211(9)
      status line.
    o Made all wireless drivers submit a batch of received packets to
      the network stack during one interrupt if possible, rather than
      submitting each packet individually. Prevents packet loss under
      high load due to backpressure from the network stack.

 - Generic network stack improvements:
    o Enabled TCP and UDP checksum offloading by default for ix(4).
    o Added tpmr(4), a 802.1Q two-port MAC relay implementation.
    o Added iavf(4), a driver for Intel SR-IOV Virtual Functions of
      Intel 700 series Ethernet controllers.
    o Added aggr(4), a dedicated driver to implement 802.1AX link
    o Added port protection support to switch(4). Domain membership is
      checked for unicast, flooded (broadcast) and local
      (host-network-bound, e.g. trunk) traffic.
    o Disabled mobileip(4).
    o Added support to ifconfig(8) for getting and setting rxprio,
      finishing support for RFC 2983. Implemented configuring rxprio in
      vlan(4), gre(4), mpw(4), mpe(4), mpip(4), etherip(4) and bpe(4).
    o Implemented Tx mitigation by calling the hardware transmit routine
      per several packets rather than for individual packets. Defers
      calls to the transmit routine to a network taskq, or until a
      backlog of packets has built up.
    o Stopped using splnet(9) when running the network stack now that it
      is using the NET_LOCK for protection, reducing latency spikes.
    o Added support for reading SFPs to some ethernet cards.

 - Installer improvements:
    o Allowed quoted SSIDs in the installer, rather than ignoring those
      containing whitespace.
    o Introduced sysupgrade(8) that can be used to upgrade OpenBSD
    o A syspatch was provided which adds sysupgrade(8) to 6.5, so
      unattended upgrades to 6.6 can be performed on amd64/arm64/i386
      with '# syspatch && sysupgrade'.
    o Created an octeon bootloader which is a modified kernel. To use
      this bootloader, the firmware must be configured to load file
      "boot" instead of "bsd".
    o Included mount_nfs(8) on the amd64 CD ramdisk.
    o Added tee(1) to the ramdisk, and display a moving progress bar
      during auto upgrade/install.
    o Repaired and improved v6 default route selection, fixing
    o Added sysupgrade(8) support to the sparc64 bootloader.
    o The DHCP configuration is now preserved when restarting an
    o The installer now remembers 'autoconf' when restarting an install.
    o Stopped prompting for disks that do not contain a root partition
      during upgrades. This defaults to the correct disk when full disk
      encryption is in use, and will be useful for future unattended

 - Security improvements:
    o unveil(2) is now used in 77 userland programs to redact filesystem
    o Various changes in unveil(2) to improve application behavior when
      encountering hidden filesystem paths.
    o ps(1) can show which processes have called unveil(2) with the u
      and U flags in STATE field.
    o ps(1) can show the list of pledge(2) options processes use with
      the -o pledge option.
    o Further and improved mitigations against Spectre side-channel
      vulnerability in Intel CPUs built since 2012.
    o Mitigations for Intel's Microarchitectural Data Sampling
      vulnerability, using the new CPU VERW behavior if available or by
      using the proper sequence from Intel's "Deep Dive" doc in the
      return-to-userspace and enter-VMM-guest paths. Updated vmm(4) to
      pass through the MSR bits so that guests can apply the optimal
    o Rewrote doas(1) environment inheritance not to inherit, and
      instead reset to the target user's values by default.
    o Prepare the amd64 BIOS bootloader for loading the kernel at a
      random virtual address (future work).
    o Introduced malloc_conceal(3) and calloc_conceal(3), which return
      memory in pages marked MAP_CONCEAL and call freezero(3) on
    o Make 'systat pf' not require root permissions (systat(8)).
    o Added support for the EFI Random Number Generator Protocol, using
      it to XOR random data into the buffer we feed the kernel for
    o Added information about system call memory write protection and
      stack mapping violations to system accounting. Now daily(8) will
      print a list of affected processes and lastcomm(1) will flag
      violations with 'M'.

 - Routing daemons and other userland network improvements:
    o The ntpd(8) daemon now gets and sets the clock in a secure way
      when booting even when a battery-backed clock is absent.
    o slaacd(8) now removes IPv6 addresses when it detects a link-state
      change but no new router advertisement is received.
    o ifconfig(8) now reports SFP, SFP+ and QSFP module information when
      using the sff option.
    o Imported snmp(1), a new SNMP client which aims to be
      netsnmp-compatible for supported features, and removed snmpctl(8).
    o Improvements in ntpd(8) DNS resolving and constraints checking,
      especially during startup. Unreliable NTP peers are removed from
      the pool and DNS resolving is repeated to add replacements.
    o Changed the bgpd(8) Adj-RIB-Out to a per-peer set of RB trees,
      improving speed.
    o Rewrote bgpd(8) community matching and handling code and improved
      performance for setups using many communities.
    o Checked the type of a network statement when looking for
      duplicates in bgpd(8). This fixes added network after
      'network inet static'.
    o Made improvements to bgpd(8) speed when configuring many peers.
    o Implemented bgpctl(8) 'show mrt neighbors', to print the neighbor
      table of MRT TABLE_DUMP_V2 dumps.
    o Moved bgpd(8) pfkey socket to the parent process. The refreshing
      of the keys for MD5 and IPSEC is done whenever the session state
      changes to IDLE or ACTIVE, which should behave better when
      reloading configs with auth changes.
    o In bgpd(8), fixed reloading of network statements that have no
      fixed prefix specification.
    o Extended the maximum size of the bgpd(8) shutdown communication
      message to 255 bytes.
    o Improvements in pfctl(8), to always check for namespace collisions
      on table commands. Introduced 'pfctl -FR' to reset pfctl(8)
      settings to defaults.
    o Imported Kristaps Dzonsons' RPKI validator, rpki-client(8).
    o relayd(8) now supports binary protocol health checking. See
    o Added support for OCSP stapling to relayd(8).
    o Added relayd(8) support for SNI with new 'tls keypair' option to
      load additional certificates.
    o Added support for 'from/to address[/prefix]' in relayd(8) filter
    o Implemented RFC 8555 "Automatic Certificate Management Environment
      (ACME)" to enable acme-client(1) to communicate with the v02 Let's
      Encrypt API. Read the upgrade guide for more information.
    o tcpdump(8) support for '-T erspan' and arbitrary gre(4) protocols.
    o Allowed specifying area by number as well as id in ospf6d(8).
    o ospfctl(8) now accepts both address and number format for 'ospfctl
      show database area XXX'.
    o ospfd(8) reload improvements.
    o Added a check to ospfd(8) and ospf6d(8) that any "depend on"
      interfaces are in the same rdomain.
    o Make 'passive' (announce a network configured on an interface as a
      stub network) work with P2P interfaces in ospfd(8).
    o Shutdown the service port when behind a captive portal with
      unwind(8), allowing bypass of captive portals that correctly
      answer SOA queries for the root zone and return NXDOMAIN for the
      captive portal redirect domain if edns0 is present.
    o Implemented DNS block lists in unwind(8).
    o Added support for IKEv2 Message Fragmentation (RFC 7383) to
    o Enabled switching between wireless and wired interfaces in
      dhclient(8), setting the default route with the interface address
      and allowing two default routes in the routing table. A wired
      interface will be preferred when connected.
    o Added consistent use of 'ifconfig $_if [-inet| -inet6]' to clear
      existing configurations completely after restarting an install.
    o Added 'forwarded' log format extending the 'combined' log format
      in httpd(8).

 - Assorted improvements:
    o The filesystem buffer cache now more aggressively uses memory
      outside the DMA region, to improve cache performance on amd64
    o The BER API previously internal to ldap(1), ldapd(8), ypldap(8),
      and snmpd(8) has been moved into libutil. See
    o Removed the old userland realpath(3) and replaced it with
      __realpath(2), a kernel implementation. This will prevent calling
      readlink(2) on every component of a path and improve performance
      for unveil(2).
    o speedups, improving dynamic linker performance for large
    o Modified systat(1) to allow the use of 'b' to switch to stats
      since boot.
    o From perldoc(1), always produce man(7) output in UTF-8, which
      gives better results with our mandoc(1) renderer no matter which
      LC_CTYPE the user selected.

 - VMM/VMD improvements
    o Added support for 'boot device' to vm.conf(5) grammar, the '-B
      device' counterpart from vmctl(8).
    o Emulated kvm pvclock in vmm(4), compatible with pvclock(4) in
    o Enabled reporting of the vm state through use of the vmctl(8)
      'status' command.
    o Synced vm state in vmd(8) when (un)pausing a vm to ensure both
      vmm(4) and vmd(8) processes know the vm is paused.
    o Handled some unhandled instructions for SVM which led to vmm(4)
      guest termination, as well as RDTSCP and INVLPGA instructions.
    o Modified vmm(4) to flush guest TLB entries if the guest disables

 - OpenSMTPD 6.6.0
    o New Features
       - Introduced support for ECDSA certificates with an ECDSA
         privsep engine.
       - Introduced builtin filters to allow basic filtering of
         incoming sessions in smtpd(8).
       - Introduced option to deliver junk to a Junk folder in
    o Bug fixes
       - Fixed the smtp(1) client so it uses correct default port for
       - Fixed an smtpd(8) crash on excessively large input.
       - Ensured mail rejected by an LMTP server will stay queued
         rather than bouncing.
    o Experimental Features
       - Introduced a filters API to allow writing standalone filters
         for smtpd(8), with multiple filters made available in ports.
       - Introduced support for proxy-v2 protocol allowing smtpd(8) to
         operate behind proxy.

 - LibreSSL 3.0.2
    o API and Documentation Enhancements
       - Completed the port of RSA_METHOD accessors from the OpenSSL
         1.1 API.
       - Documented undescribed options and removed unfunctional
         options description in openssl(1) manual.
    o Compatibility Changes
    o Testing and Proactive Security
       - A plethora of small fixes due to regular oss-fuzz testing.
       - Various side channels in DSA and ECDSA were addressed. These
         are some of the many issues found in an extensive systematic
         analysis of bignum usage by Samuel Weiser, David Schrammel et
       - Try to compute the cofactor if a nonsensical value was
         provided for ECC parameters. Fix from Billy Brumley.
    o Internal Improvements
    o Portable Improvements
       - Enabled performance optimizations when building with Visual
         Studio on Windows.
       - Enabled openssl(1) speed subcommand on Windows platform.
    o Bug Fixes
       - Fixed issue where SRTP extension would not be sent by server.
       - Fixed incorrect carry operation in 512 addition for Streebog.
       - Fixed -modulus option with openssl(1) dsa subcommand.
       - Fixed PVK format output issue with openssl(1) dsa and rsa
       - Fixed a padding oracle attack in PKCS7_dataDecode() and
         CMS_decrypt_set1_pkey() (CMS is currently disabled). From
         Bernd Edlinger.

 - OpenSSH 8.1
    o New Features
       - ssh(1): Allow %n to be expanded in ProxyCommand strings
       - ssh(1), sshd(8): Allow prepending a list of algorithms to the
         default set by starting the list with the '^' character, E.g.
         "HostKeyAlgorithms ^ssh-ed25519"
       - ssh-keygen(1): add an experimental lightweight signature and
         verification ability. Signatures may be made using regular
         ssh keys held on disk or stored in a ssh-agent and verified
         against an authorized_keys-like list of allowed keys.
         Signatures embed a namespace that prevents confusion and
         attacks between different usage domains (e.g. files vs
       - ssh-keygen(1): print key comment when extracting public key
         from a private key. bz#3052
       - ssh-keygen(1): accept the verbose flag when searching for
         host keys in known hosts (i.e. "ssh-keygen -vF host") to
         print the matching host's random-art signature too. bz#3003
       - All: support PKCS8 as an optional format for storage of
         private keys to disk. The OpenSSH native key format remains
         the default, but PKCS8 is a superior format to PEM if
         interoperability with non-OpenSSH software is required, as it
         may use a less insecure key derivation function than PEM's.
    o Bugfixes
       - ssh(1): if a PKCS#11 token returns no keys then try to login
         and refetch them. Based on patch from Jakub Jelen; bz#2430
       - ssh(1): produce a useful error message if the user's shell is
         set incorrectly during "match exec" processing. bz#2791
       - sftp(1): allow the maximum uint32 value for the argument
         passed to -b which allows better error messages from later
         validation. bz#3050
       - ssh(1): avoid pledge sandbox violations in some combinations
         of remote forwarding, connection multiplexing and
       - ssh-keyscan(1): include SHA2-variant RSA key algorithms in
         KEX proposal; allows ssh-keyscan to harvest keys from servers
         that disable old SHA1 ssh-rsa. bz#3029
       - sftp(1): print explicit "not modified" message if a file was
         requested for resumed download but was considered already
         complete. bz#2978
       - sftp(1): fix a typo and make <esc><right> move right to the
         closest end of a word just like <esc><left> moves left to the
         closest beginning of a word.
       - sshd(8): cap the number of permitopen/permitlisten directives
         allowed to appear on a single authorized_keys line.
       - All: fix a number of memory leaks (one-off or on exit paths).
       - Regression tests: a number of fixes and improvements,
         including fixes to the interop tests, adding the ability to
         run most tests on builds that disable OpenSSL support, better
         support for running tests under Valgrind and a number of
       - ssh(1), sshd(8): check for convtime() refusing to accept
         times that resolve to LONG_MAX Reported by Kirk Wolf bz2977
       - ssh(1): slightly more instructive error message when the user
         specifies multiple -J options on the command-line. bz3015
       - ssh-agent(1): process agent requests for RSA certificate
         private keys using correct signature algorithm when
         requested. bz3016
       - sftp(1): check for user@host when parsing sftp target. This
         allows user@[] to work without a path. bz#2999
       - sshd(8): enlarge format buffer size for certificate serial
         number so the log message can record any 64-bit integer
         without truncation. bz#3012
       - sshd(8): for PermitOpen violations add the remote host and
         port to be able to more easily ascertain the source of the
         request. Add the same logging for PermitListen violations
         which where not previously logged at all.
       - scp(1), sftp(1): use the correct POSIX format style for left
         justification for the transfer progress meter. bz#3002
       - sshd(8) when examining a configuration using sshd -T, assume
         any attribute not provided by -C does not match, which allows
         it to work when sshd_config contains a Match directive with
         or without -C. bz#2858
       - ssh(1), ssh-keygen(1): downgrade PKCS#11 "provider returned
         no slots" warning from log level error to debug. This is
         common when attempting to enumerate keys on smartcard readers
         with no cards plugged in. bz#3058
       - ssh(1), ssh-keygen(1): do not unconditionally log in to
         PKCS#11 tokens. Avoids spurious PIN prompts for keys not
         selected for authentication in ssh(1) and when listing public
         keys available in a token using ssh-keygen(1). bz#3006

 - Mandoc
    o Slowly start implementing tagging support for man(7) pages: tag
      alphabetic arguments of .IP, .TP, and .TQ macros.
    o In HTML output, wrap text and phrasing elements in paragraphs
      unless already contained in flow containers; never put them
      directly into sections. This helps to format paragraphs with the
      CSS class selector .Pp.
    o Implement the roff(7) .break request to break out of a .while
    o If messages are shown and output is printed without a pager,
      display a heads-up on standard error output at the end because
      otherwise, users may easily miss the messages.
    o Let mandoc.css support prefers-color-scheme: dark.
    o For pages lacking a SYNOPSIS, let man(1) show the NAME section.

 - Ports and packages:
    o Pre-built packages are available for the following architectures on
      the day of release:
       - aarch64 (arm64): 10075
       - amd64: 10736
       - i386: 10682
       - sparc64: 9685
       - mips64: 7921
    o Packages for the following architectures will be made available as
      their builds complete:
       - arm
       - mips64el
       - powerpc

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.7 with xserver 1.20.5 + patches,
      freetype 2.10.1, fontconfig 2.12.4, Mesa 19.0.8, xterm 344,
      xkeyboard-config 2.20 and more)
    o LLVM/Clang 8.0.1 (+ patches)
    o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    o Perl 5.28.2 (+ patches)
    o NSD 4.2.2
    o Unbound 1.9.4
    o Ncurses 5.7
    o Binutils 2.17 (+ patches)
    o Gdb 6.3 (+ patches)
    o Awk Aug 10, 2011 version
    o Expat 2.2.8

- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each release.  Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible.  Therefore, we advise regular
visits to

- MAILING LISTS AND FAQ ------------------------------------------------

Mailing lists are an important means of communication among users and
developers of OpenBSD.  For information on OpenBSD mailing lists, please

You are also encouraged to read the Frequently Asked Questions (FAQ) at:

- DONATIONS ------------------------------------------------------------

The OpenBSD Project is a volunteer-driven software group funded by
donations.  Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others.  This ecosystem is all handled under the same funding umbrella.

We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon

All of our developers strongly urge you to donate and support our future
efforts.  Donations to the project are highly appreciated, and are
described in more detail at:

- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation ( is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.

There may also be exposure benefits since the Foundation may be
interested in participating in press releases.  In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at for
more information.

- HTTPS INSTALLS -------------------------------------------------------

OpenBSD can be easily installed via HTTPS downloads.  Typically you need
a single small piece of boot media (e.g., a USB flash drive) and then
the rest of the files can be installed from a number of locations,
including directly off the Internet.  Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTPS.

1) Read either of the following two files for a list of HTTPS mirrors
   which provide OpenBSD, then choose one near you:

   As of October 17, 2019, the following HTTPS mirror sites have the
   6.6 release:            Global         Stockholm, Sweden          Frankfurt, Germany           Oldenburg, Germany         Paris, France       Brisbane, Australia        CO, USA       CA, USA            TX, USA     Toronto, Canada Global     Global

        The release is also available at the master site:            Alberta, Canada

        However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that HTTPS mirror site and go into the directory
   pub/OpenBSD/6.6/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     arm64/        luna88k/            ports.tar.gz
        README           armv7/        macppc/             root.mail
        SHA256           hppa/         octeon/             sparc64/
        SHA256.sig       i386/ src.tar.gz
        alpha/           landisk/      packages/           sys.tar.gz
        amd64/           loongson/     packages-stable/    xenocara.tar.gz

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, amd64.  This is a list of what you will see:

        BOOTIA32.EFI*   bsd*            floppy66.fs     pxeboot*
        BOOTX64.EFI**         game66.tgz      xbase66.tgz
        BUILDINFO       bsd.rd*         index.txt       xfont66.tgz
        INSTALL.amd64   cd66.iso        install66.fs    xserv66.tgz
        SHA256          cdboot*         install66.iso   xshare66.tgz
        SHA256.sig      cdbr*           man66.tgz
        base66.tgz      comp66.tgz      miniroot66.fs

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
   and install66.iso.  The install66.iso file (roughly 463MB in size)
   is a one-step ISO-format install CD image which contains the various
   *.tgz files so you do not need to fetch them separately.

   If you prefer to use a USB flash drive, fetch install66.fs and
   follow the instructions in INSTALL.amd64.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.amd64.  INSTALL.amd64 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

   This is the page where we talk about the mistakes we made while
   creating the 6.6 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.7.  Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc.  During installation, you can install X.Org
quite easily using xenodm(1), our simplified X11 display manager forked
from xdm(1).

- PACKAGES AND PORTS ---------------------------------------------------

Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures.  Please see for
more information on working with packages and ports.

Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed

- SYSTEM SOURCE CODE ---------------------------------------------------

The source code for all four subsystems can be found in the
pub/OpenBSD/6.6/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

The README ( file
explains how to deal with these source files.

- THANKS ---------------------------------------------------------------

Ports tree and package building by Pierre-Emmanuel Andre, Landry Breuil,
Visa Hankala, Stuart Henderson, Peter Hessler, and Christian Weisgerber.
Base and X system builds by Kenji Aoyama and Theo de Raadt. Release art
contributed by Natasha Allegri.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who bought our previous CD sets.  Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.

Our developers are:

    Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall,
    Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov,
    Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley,
    Antoine Jacoutot, Anton Lindqvist, Asou Masato, Ayaka Koshibe,
    Benoit Lecocq, Bjorn Ketelaars, Bob Beck, Brandon Mercer,
    Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar,
    Carlos Cardenas, Charlene Wendling, Charles Longeau,
    Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann,
    Claudio Jeker, Dale Rahn, Damien Miller, Daniel Dickman,
    Daniel Jakots, Darren Tucker, David Coppa, David Gwynne, David Hill,
    Denis Fondras, Doug Hogan, Edd Barrett, Elias M. Mariani,
    Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus,
    Gerhard Roth, Giannis Tsaraias, Gilles Chehade, Giovanni Bechis,
    Gleydson Soares, Gonzalo L. Rodriguez, Helg Bredow, Henning Brauer,
    Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze,
    Inoguchi Kinichiro, James Turner, Jan Klemkow, Jason McIntyre,
    Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans,
    Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray,
    Jonathan Matthew, Joris Vink, Joshua Stein,
    Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama,
    Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov,
    Klemens Nanni, Kurt Miller, Kurt Mosiejczuk, Landry Breuil,
    Lawrence Teo, Marc Espie, Marco Pfatschbacher, Marcus Glocker,
    Mark Kettenis, Mark Lumsden, Markus Friedl, Martijn van Duren,
    Martin Natano, Martin Pieuchot, Martynas Venckus, Mats O Jansson,
    Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Mikonos,
    Mike Belopuhov, Mike Larkin, Miod Vallat, Nayden Markatchev,
    Nicholas Marriott, Nigel Taylor, Okan Demirmen, Ori Bernstein,
    Otto Moerbeek, Pamela Mosiejczuk, Pascal Stumpf, Patrick Wildt,
    Paul Irofti, Pavel Korovin, Peter Hessler, Philip Guenther,
    Pierre-Emmanuel Andre, Pratik Vyas, Rafael Sadowski,
    Rafael Zalamena, Raphael Graf, Remi Locherer, Remi Pointel,
    Renato Westphal, Reyk Floeter, Ricardo Mestre, Richard Procter,
    Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha,
    Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
    Solene Rapenne, Stefan Fritsch, Stefan Kempf, Stefan Sperling,
    Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda,
    T.J. Townsend, Ted Unangst, Theo Buehler, Theo de Raadt,
    Thomas Frohwein, Tim van der Molen, Tobias Heider,
    Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove,
    Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov, Vincent Gross,
    Visa Hankala, Yasuoka Masahiko, Yojiro Uo