BSDSec

deadsimple BSD Security Advisories and Announcements

OpenBSD 6.7 released - May 19, 2020

------------------------------------------------------------------------
- OpenBSD 6.7 RELEASED -------------------------------------------------

May 19, 2020.

We are pleased to announce the official release of OpenBSD 6.7.
This is our 48th release.  We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.

As in our previous releases, 6.7 provides significant improvements,
including new features, in nearly all areas of the system:

 - General improvements and bugfixes:
    o Reduced the minimum allowed number of chunks in a CONCAT volume
      from 2 to 1, increasing the number of volumes which can be created
      on a single disk with bioctl(8) from 7 to 15. This can be used to
      create more partitions than previously.
    o Rewrote the cron(8) flag-parsing code to be getopt-like, allowing
      tight formations like -ns and flag repetition. Renamed the
      "options" field in crontab(5) to "flags".
    o Added crontab(5) -s flag to the command field, indicating that
      only a single instance of the job should run concurrently.
    o Added cron(8) support for random time values using the ~ operator.
    o Allowed cwm(1) configuration of window size based on percentage of
      the master window during horizontal and vertical tiling actions.
    o Allowed use of window-htile and window-vtile with the "empty"
      group clients in cwm(1).
    o Switched powerpc to a machine-independent mplock implementation,
      allowing use of witness(4).
    o Added acpi(4) support for the _CCA method, indicating whether DMA
      is cache-coherent.
    o Switched the default compiler on powerpc to clang.
    o Bumped nvme(4) max physio() i/o size to 128K.
    o Improved apmd(8) support for automatic suspend/hibernate (-z/-Z).
      The daemon now reacts to power-change messages sent by the
      battery driver. Those messages are ignored for 60 seconds after a
      resume, so that the user can take control before the machine goes
      back to sleep.
    o Prevented a kernel hang when no unlocked ffs_softdep worklist
      items could be processed.
    o Stopped counting pages mapped as PROT_NONE against the RLIMIT_DATA
      limit, helping code which reserves large chunks of address space
      but populates it sparsely.
    o Added the $REQUEST_SCHEME variable to httpd.conf(5), allowing
      preservation of the original connection type (http or https) for
      redirect locations.
    o Implemented a "strip" option for fastcgi in httpd.conf(5), allowing
      multiple chroots under /var/www for FastCGI servers.
    o Changed httpd(8) to send a 408 response when a timeout happens
      while headers are being received, but close the connection if no
      request is received.
    o Updated en_US.UTF-8.src to Unicode 12.1.
    o Added a new __tmpfd system call which creates a new, unnamed file
      in /tmp, intended for shm/fd passing, but in programs that may
      otherwise lack filesystem access (due to restrictions imposed by
      unveil(2) or pledge(2)).
    o Imported dt(4), a driver and framework for Dynamic Profiling, and
      an accompanying bug tracer that speaks the bt(5) language.
    o Added a human-readable mode (-h) to systat(1).
    o Implemented scrolling in top(1) using the 9 and 0 keys.
    o Added timeout_set_flags(9) and TIMEOUT_INITIALIZER_FLAGS(9) to the
      timeout API, allowing the caller to initialize timeouts with
      arbitrary flags.
    o Introduced TIMEOUT_SCHEDULED flag and tos_scheduled statistic to
      timeout(9).
    o Switched to tickless backend in timeout(9), adding new interface
      timeout_at_ts(9) to avoid backwardly compatible behavior.
    o Added the system clock interface nanoboottime(9), returning the
      UTC time at which the system booted in seconds and nanoseconds.
    o Introduced efficient page freeing in reverse order from uvm,
      greatly improving cases of massive page freeing.
    o Added uvm_objfree to uvm to efficiently free all pages from a uvm
      object, used in the buffer cache for considerable speedup when
      freeing pages.
    o Modified buffer cache to use individual uvm_objs per buffer to
      speed page lookups.
    o Sped up sort(1) by not performing a top-level sort when -c is
      used with a -k field.
    o Modified -z mode verification in signify(1) to save the header and
      output it, so signify -zV >saved.tgz will keep the signature for
      later checks.
    o Enabled DNSSEC validation in unbound(8) by default.
    o ntpd(8) now does constraint validation against 9.9.9.9 and
      2620:fe::fe by default.
    o Fixed arp(4) issues created by dhclient(8) modifying existing
      routes.
    o Fixed route.conf(5) handling by dhclient(8) when an interface
      loses link.
    o Restored previous dhclient(8) behaviour of rejecting leases that
      lack a subnet mask.
    o Enabled dhclient(8) to configure carp(4) interfaces.
    o Fixed dhclient(8) releasing leases without a server identifier.
    o Improved dhclient(8) NAK handling in various corner cases.
    o Fixed dhclient(8) endlessly sending REQUEST messages when an ACK
      is never received.
    o Prevented dhcpd(8) from referencing freed memory when releasing a
      lease with an unusually long uid.
    o Corrected parsing of classless static default route "0/0" in
      dhcpd.conf(5).
    o Increased to 15 the number of softraid(4) CONCAT volumes that can
      be created on a single disk.
    o Fixed softraid(4) CRYPTO volumes on 4K-sector disks.

 - The FFS2 filesystem, which uses 64-bit timestamps and block numbers, is
   now the default for new installs on nearly all architectures:
    o Enabled ffs2 in sgi bootblocks and ramdisks.
    o Made ffs2 the default filesystem type on installs except for
      landisk, luna88k and sgi.
    o Changed the sparc64 bootblocks to be able to read from ffs1, ffs2
      and softraid, and enabled the ffs2 option for both floppies.
    o Enabled FFS2 on the landisk ramdisk.
    o Taught i386 boot(8), cdboot(8) and pxeboot(8) about ffs2.
    o Taught macppc boot(8) about ffs2.
    o Taught sparc64 boot(8) about ffs2.
    o Allowed hppa boot(8) to read from an ffs2 filesystem.
    o Allowed alpha boot(8) to read from an ffs2 filesystem and adapted
      its custom installboot to deal with ffs2. Also fixed the partition
      read code to deal with offsets greater than 2G.
    o Adapted biosboot(8) so that it can read boot(8) from an ffs2
      filesystem.
    o Allowed amd64 boot(8) to read from an ffs2 filesystem. Enabled
      ffs2 for floppy.
    o Allowed loongson boot(8) to read from an ffs2 filesystem.
    o Allowed arm64 and armv7 efiboot(8) to read from an ffs2
      filesystem.

 - SMP improvements:
    o __thrsleep(2), __thrwakeup(2), close(2), closefrom(2), dup(2),
      dup2(2), dup3(2), flock(2), fcntl(2), kqueue(2), pipe(2), pipe2(2)
      and nanosleep(2) are run without KERNEL_LOCK.
    o The generic part of ioctl(2) is run without KERNEL_LOCK.
    o Reworked AMD smt/core/package detection, helping prevent cores
      being misidentified as threads.
    o Avoided false positives in witness(4) when detecting lock order
      reversals by using separate rwlock initializations for userland
      and kernel maps.
    o Allowed sleeping inside kqueue event filters.
    o Made vmx(4) transmit MP-safe.

 - Improved hardware support, including:
    o Improvements in the em(4) driver.
    o Added dsxrtc(4), a driver for the Maxim DS3231/DS3232 I2C RTC.
    o Added ure(4) support for Lenovo OneLink Plus Dock Ethernet.
    o Improved ucom(4) to fix firmware upload on some microcontroller
      boards using DTR and RTS as signaling lines to reset the device
      and enter the bootloader.
    o Added a PCI attachment driver for com(4) to support memory-mapped
      PCI devices which are part of a Low Power Subsystem (LPSS).
    o Implemented microsecond resolution using microuptime(9) to avoid a
      hard hang when starting X on Intel Cherry Trail Atom processors.
    o Added support for X553 controllers to ix(4).
    o Added usb(4) device support for an AMD hub on the APU2 and a
      Synaptics vendor id and two fingerprint readers.
    o Prevented buffer overflows with uthum(4) by not assuming the
      report length given by the hardware is necessarily smaller than
      the length of the on-stack buffer.
    o Added rge(4), a driver for the Realtek 8125 PCI Express 2.5Gb
      Ethernet devices.
    o Fixed cursor issues and suspend/resume on amdgpu(4) and
      radeondrm(4).
    o Fixed support for additional I2C busses in piixpm(4) for older
      SB800 SMBus controllers. Prevented sensors from attaching four
      times on old AMD machines.
    o Invalidated the knote(9) list of uhid(4) after device detach,
      preventing a crash that can happen when kqueue still holds
      references to knotes pointing to the device.
    o Prevented a use-after-free causing crashes with uhidev(4) devices.
    o Prevented mcx(4) interface lockups due to completion queue
      overflow.
    o Fixed brightness keys on various laptops with AMD graphics.
    o Fixed brightness controls on machines where the initial brightness
      values are returned out of range.
    o Set the default brightness level on attachment for pwmbl(4).
    o Fixed acpivout(4) screen brightness adjustment through function
      keys, better supporting machines using exponential brightness
      scaling.
    o Changed acpivout(4) to increment and decrement screen brightness
      based only on brightness level changes of 5% or higher.
    o Fixed handling of USB 2.0 devices attached to Etron EJ168 USB 3.0
      host controllers.
    o Added support for the Sierra Wireless MC7700 UMTS/LTE modem to
      umsm(4).
    o Fixed RAID volume WWIDs for mpii(4) LSI controllers on sparc64,
      allowing autoconf(9) to identify the volume as the root device and
      boot off hardware RAID.
    o Populated logical disk port WWNs with their RAID volume's WWID in
      mpii(4).
    o Added fido(4), an HID driver for FIDO/U2F security keys.
    o Added parsing of DDR4 and LPDDR3/4 SPD memories to spdmem(4).
    o Added support to lm(4) for NCT6775F, NCT5104D, NCT6779D and
      NCT679[1235]D sensors.
    o Updated piixpm(4) to support newer AMD chips like Hudson-2 and
      KERNCZ and implemented multi-bus support for SB800, Hudson-2 and
      KERNCZ.
    o Extended the expected SPD types to include DDR4 and low-power
      DDR3/DDR4.
    o Enabled full use of jumbo frames on bnx(4) devices.
    o Fixed scsi(8) softraid crypto volumes on 4K-sector disks.
    o Faked disk info to match expected boot disk when EFI bootloader
      has been received via TFTP, fixing a hang during HP Elitebook UEFI
      boot.
    o Implemented a hexdump command in the bootloader, helping to
      inspect the memory layout created by the firmware and useful for
      UEFI debugging.
    o Improved ksmn(4) temperature conversion precision.
    o Added a quirk to handle Apollo Lake, Gemini Lake and 100 Series
      Intel SD/MMC sdhc(4) controllers which should not have voltages
      set to 0V.
    o Prevented a local user from causing the system to hang by reading
      specific registers when Intel Gen8/Gen9 graphics hardware is in a
      low power state.
    o Prevented writes to memory allowed by the Intel Gen9 graphics
      hardware.
    o Added support for buttons 2 and 3 to imt(4).
    o Added ogx(4), a driver for the OCTEON III network processor.
    o Fixed endian swapping in xhci(4), allowing it to work again on
      octeon and other big endian architectures.
    o Implemented the "parallel boot" feature on compatible sparc64
      firmware.
    o Introduced iwx(4), a driver for Intel AX200 WiFi devices.
    o Added iwm(4) support for Intel 9260 and 9560 wifi devices.
    o Updated firmware for all devices supported by the iwm(4) driver.
    o Fixed iwm(4) support for Intel 3168 wifi devices.
    o Added support for the tp-link tl-wn823n to the urtwn(4) driver.
    o The athn(4) driver now offloads CCMP (WPA2) encryption and
      decryption to hardware.
    o Prevented an overflow due to xen(4) failing to release the
      interrupt source when unmasking the interrupt.
    o Fixed usb(4) handling USB 2.0 devices on various USB 3.0
      controllers.
    o Fixed usb(4) handling of controllers that STALL to indicate a
      short read.
    o Fixed xhci(4) handling of i/o's that are exact multiples of the
      max packet size.
    o Bumped nvme(4) maximum physio i/o size to 128K.
    o Fixed probing of modern scsi(4) devices to ignore the SYNC and
      WIDE flags used by parallel SCSI.

 - Removed hardware support:
    o Removed the rtfps(4) driver, a multiplexing serial communications
      interface for IBM RT PC boards.
    o Removed the dpt(4) driver for DPT EATA SCSI RAID.
    o Removed gpr(4), a driver for GemPlus GPR400 PCMCIA smartcard
      readers.
    o Removed mesh(4), a driver for old world Apple Power Macintosh SCSI
      cards.

 - Improvements in audio drivers and the sndio(7) framework:
    o Introduced the sioctl_open(3) API to manipulate audio controls
      exposed by sndiod(8).
    o Modified sndiod(8) to use and expose hardware volume controls if
      available.
    o Modified all ports manipulating audio controls to use sndio(7)
      instead of the kernel mixer(4) interface.
    o Introduced the sndioctl(1) utility to manipulate audio controls
      exposed by sndiod(8).
    o Exposed the first 4 audio(4) devices and the first 8 midi(4)
      devices through sndiod(8) by default.
    o Disabled access for regular users to /dev/audio* and /dev/rmidi*,
      for improved security.
    o Modified mixerctl(1) to use /dev/audioctl* instead of /dev/mixer*.
    o Removed /dev/mixer*.
    o Fixed support for uaudio(4) devices with different recording and
      playback rate sets.
    o Fixed volume control of many uaudio(4) devices.
    o Fixed channel duplication (-j option) in sndiod(8).
    o Allowed rc.d(8) script to reload sndiod(8).
    o Added an azalia(4) quirk for the ALC285 on the X1C7 to avoid a
      clicking noise on the headphone output.
    o Disabled MSI for the AMD Hudson2 azalia(4) HDA to fix random lock
      ups.

 - A large number of drivers were written to improve arm64 and armv7
   hardware support, including:
    o Better hardware support for the i.MX8MM platform.
    o Support for the Raspberry Pi 4 on arm64.
    o Better support for the Raspberry Pi 3 on arm64.
    o Proper support for the Raspberry Pi 2 and 3 on armv7.
    o Better support for Rockchip based systems, especially the Pinebook
      Pro.
    o Switched USB to use non-coherent buffers for data transfers,
      dramatically improving performance on some ARM SoCs where the USB
      controller is not coherent with the caches.
    o Allowed switching to framebuffer "glass" console on armv7 in the
      bootloader, mirroring previous changes to arm64.
    o Corrected cache flush operations on arm64 which were being
      incorrectly treated as write operations. This fixes a bug where
      cache flushing caused Firefox to abort.
    o Added the capability for armv7 boot from another block device than
      the one from which efiboot was loaded.

      Specifically the following device drivers were added or fixed:
    o Added bcmbsc(4), a driver for the Broadcom Serial Control (BSC)
      controller.
    o Added bcmgpio(4), a driver for the Broadcom BCM283x GPIO
      controller.
    o Added bcmsdhost(4), a driver for the Broadcom "sdhost" SD
      controller found on the Raspberry Pi.
    o Added bcmdmac(4), a driver for the DMA controller found on BCM283x
      SoCs.
    o Added support for the additional sdhc(4) controller found on the
      Raspberry Pi.
    o Added quirks for the sdhc(4) controller on the Raspberry Pi,
      providing microSD card or WiFi support depending on the firmware
      configuration.
    o Added support for hardware with sdhc(4) controllers on busses only
      supporting 32-bit access.
    o Added bcmirng(4), a driver for the RNG200 random number generator
      found on the Raspberry Pi 4.
    o Added bcmclock(4), a driver for the BCM283X CPRMAN clock
      controller.
    o Added bcmmbox(4), a driver for the VideoCore messagebox interface
      on BCM283X.
    o Added bcmpcie(4), a driver for the PCIe controller found on the
      Raspberry Pi 4.
    o Added bse(4), a driver for the Broadcom GENET v5 network interface
      found on the Raspberry Pi 4.
    o Added brgphy(4) support for the Broadcom BCM54210E.
    o Added support for the Armada 3720 CPU clock to mvclock(4).
    o Fixed address filter in mvneta(4).
    o Added omcm(4), omclock(4) and omsysc(4) drivers that support the
      new bus structure used in current mainline Linux device trees.
    o Added omrng(4), a driver for the random number generator found on
      TI OMAP SoCs.
    o Fixed the MAC address on Pandaboard-ES by increasing smsc(4)
      buffer size used to fetch device tree properties.
    o Added support for additional Allwinner A80 clocks and resets in
      sxiccmu(4).
    o Fixed amlpciephy(4) USB3 support when USB has not been initialized
      by U-Boot.
    o Added clock support for i.MX8MM.
    o Fixed CPU frequency scaling support on the Librem5 Devkit.
    o Added imxpwm(4), a driver for the PWM controller found on various
      NXP i.MX SoCs.
    o Added support for reading the i.MX8MM temperature sensors to
      imxtmu(4).
    o Added bdpmic(4), a driver for the ROHM BD71837 and BD71847 Power
      Management IC.
    o Allowed ipmi(4) to attach using mmio.
    o Added rkrng(4), a driver for the random number generator found on
      various Rockchip SoCs.
    o Added glass console support to rkdrm(4) in Rockchip SoCs,
      including kernel modesetting support.
    o Added rkdrm(4), a driver providing kernel mode setting (KMS)
      functionality for the graphics hardware integrated on Rockchip
      SoCs.
    o Added rkdwhdmi(4), a driver for the HDMI transmitter found on the
      Rockchip RK3399 SoC.
    o Added rkanxdp(4), a driver for the Analogix Display Port
      controller on the RK3399.
    o Added rkvop(4), a driver for the RK3399's Video Output Processors.
    o Added rkpwm(4), a driver for the RK3399's PWM controller.
    o Added rkemmcphy(4), a driver for the RK3399's eMMC PHY.
    o Added support for gen2 negotiation to rkpcie(4) and enabled gen2
      link state training when the dtb is configured with max-link-speed
      = 2.
    o Enabled backlight control use on the Pinebook Pro via
      wsconsctl(8).
    o Fixed the Pinebook Pro's trackpad by ensuring only hid_input items
      are accepted when walking the HID descriptor.
    o Fixed pwmbl(4) attachment on the Pinebook Pro.
    o Added simplepanel(4), a driver for simple display panels such as
      the one found on the Pinebook Pro.
    o Recognized BCM4345 rev 9 as shipped with the Pinebook Pro as an
      AMPAK AP6256 module in bwfm(4).
    o Improved bwfm(4) on the Pinebook Pro by acking SDIO interrupts
      earlier on dwmmc(4).
    o Added amltemp(4), a driver for the temperature sensors on various
      Amlogic SoCs.
    o Added pwmfan(4), a driver for PWM-regulated fans.
    o Enabled umt(4) (USB HID multitouch touchpad devices) on arm64.

 - IEEE 802.11 wireless stack improvements and bugfixes:
    o Stopped connecting to any available unencrypted wifi network when an
      interface is marked up. This behavior must now be explicitly
      enabled with ifconfig(8) join "".
    o A background scan is now triggered when root runs the ifconfig(8)
      scan command. This updates the list of cached APs displayed by the
      scan command and forces a search for a better AP to roam to.
    o Added the nwflag "nomimo", settable with ifconfig(8), to work around
      packet loss in 11n mode if the wireless network device has unused
      antenna connectors.
    o Increased the net80211 node cache size to allow more APs to be
      viewed during scans.
    o Fixed the ifconfig(8) "media:" line displayed during and after a
      background scan in 11n mode.
    o Made background scans less frequent if they keep choosing the same
      AP.
    o Fixed kernel crashes in net80211 hostap mode due to mbuf corruption
      which occurred if a relatively long SSID was configured.
    o Added support for active scanning to bwfm(4).
    o Fixed bwfm(4) behavior which could trigger the ifq pressure drop
      mechanism under moderate load.
    o Improved error handling for bwfm(4) connection attempts.
    o Improved automatic switching between wifi networks by lowering the
      priority of networks in the ifconfig(8) join list which fail to
      connect.
    o Avoided repeated switching between APs in areas where APs are tuned
      for low transmit range.
    o Raised net80211's "beacon miss" threshold to avoid frequent
      reconnects under conditions which cause loss of beacons.
    o Reduced stalls on packet loss in 11n mode by improving net80211
      handling of the Rx block ack sequence number window and queue.
    o Fixed a bug where outstanding frames on the iwn(4) aggregation
      queue interfered with roaming to another AP.
    o Fixed a race condition in iwm(4) Rx interrupt handling.
    o Implemented a workaround for missing Tx completion interrupts in
      iwm(4) which could lead to failures when roaming to another AP.
    o Re-enabled firmware-based Tx retries at lower rates for iwm(4),
      reducing packet loss.
    o Fixed automatic Tx rate control issues in iwn(4), and iwm(4).
    o Fixed a use-after-free that caused a kernel crash during zyd(4)
      device detach.

 - Generic network stack improvements and bugfixes:
    o Fixed a panic when using pppac(4) without pipex(4).
    o Fixed a "route contains no arp information" bug where a kernel
      routing table entry was incorrectly deleted upon insertion of a
      new entry.
    o Stopped processing packets under non-exclusive netlock, preventing
      concurrency in the socket layer.
    o Prevented data corruption on UDP receive socket buffers by
      grabbing the exclusive NET_LOCK() in the softnet thread.
    o Fixed a kernel crash due to unlimited recursion caused by local
      outbound UDP broadcast/multicast packets sent by a spliced socket.
    o Added IPv6 support to umb(4).
    o Attached devices with very old firmware to umsm(4) rather than
      umb(4).
    o Added pppac(4) code for a dedicated PPP Access Concentrator
      interface and switched npppd.conf(5) to use pppac(4) instead of
      tun(4).
    o Added a check when IP forwarding is disabled to ensure packet
      destination address matches interface address.
    o Fixed kernel crash in pf_ioctl with WITH_PF_LOCK and NET_TASKQ >
      1.
    o Ensured proper kernel stack alignment on mips64, fixing a panic on
      octeon related to pppoe(4).
    o Added rge(4), a new driver for Realtek 8125 PCI Express 2.5Gb
      ethernet devices.
    o Repaired the "set delay" option for pf(4) to function as specified
      in pf.conf(5).
    o Prevented non-root users from using ioctl(2) to alter the address
      of a network interface.
    o Prevented non-root users from setting the parameters of pppoe(4)
      interfaces.
    o Removed mobileip(4).
    o Stopped checking whether the IPv6 source address of a neighbor
      advertisement matches a neighbor's address, a check that RFC 4861
      does not require.

 - Installer improvements:
    o Simplified the sysupgrade(8) directory check and creation
      (/home/_sysupgrade). The directory can now be a symlink.
    o Printed the URL when sysupgrade(8) fetches new sets.
    o Added an opportunistic run of fw_update(1) to sysupgrade(8) before
      rebooting to run the upgrade.

 - Security improvements:
    o unveil(2) is now used in 82 userland programs to restrict filesystem
      access.
    o Used unveil(2) to reduce filesystem access in vmstat(8), iostat(8)
      and systat(1).
    o Extracted dig(1), host(1) and nslookup(1) from the bind(8) source
      code and cleaned up the source by removing unneeded features and
      auditing it. The kernel API accessible to these programs is now
      restricted through pledge(2).
    o System calls may now only be performed from selected code regions:
      the main program, ld.so(1), libc.so and the signal trampoline. A
      new system call msyscall(2) indicates the libc range, and
      activates the locking. This change hardens against some attack
      methods.
    o Prevented stack trace saving from inspecting untrusted data on
      amd64, arm64 and i386.
    o Used lfence in place of stac/clac on pre-SMAP CPUs to protect
      against Load-Value-Injection attacks against the kernel.
    o Prevented a panic due to missing sysctl(2) input validation.
    o Treated a failure to fetch entropy through an rdrand() timeout as an
      entropy event, along with an additional rdtsc measurement of the
      vmexit latency.
    o Enforced that ksh(1) TMOUT is an integer literal to prevent
      command execution from the environment at shell initialization
      time.
    o Ensured the first 2MB page of the amd64 kernel is correctly mapped
      read-only in the direct map.
    o Addressed an armv7/arm64 speculative execution issue by changing
      the system call ABI to skip two instructions and inserting a
      barrier after each system call.
    o Fixed arm64 speculative execution of instructions after ERET,
      which had led to spectre-like effects on some processors.
    o Tightened permissions for USB device nodes.
    o Ensured that ld.so(1) removes the LD_LIBRARY_PATH environment
      variable for set-user-ID and set-group-ID executables even in low
      memory conditions.
    o Added support for RSA-PSS to crypto(3).
    o Added retguard for octeon/mips64.
    o The following security bugs were addressed:
       - Reset the login class each time through the loop when using
         -L (loop) mode with su(1). Fixes CVE-2019-19519.
       - Fixed insufficient username validation performed by libc's
         authentication privilege separation layer and added
         additional validation points, further validating in login(1)
         and su(1).
       - Prevented escalation to the auth group in xlock(1) through
         path-related environment variables and disabled mesa and
         opengl functionality.

 - Routing daemons and other userland network improvements:
    o Added initial support for JSON output in bgpctl(8).
    o Allowed setting both IPv4 and IPv6 local-addresses at the same time
      in bgpd.conf(5) group blocks. Introduced "no local-address" to reset
      a previously set local address.
    o Properly aggregate duplicate bgpd(8) roa table prefix/source-as
      combinations into a single entry with the longest maxlen length.
    o Implemented bgpd.conf(5) max-prefix NUM out to limit the number of
      announced prefixes, avoiding leaks of full tables to upstreams and
      peers.
    o Extended bgpctl(8) show neighbor to include the received and set
      prefix count, as well as the max-prefix out limit if set.
    o Improved reporting of notifications to include the suberror cause.
    o Also report the last received error cause in bgpctl(8) show
      neighbor output.
    o Fixed softreconfig out handling to also work for neighbors using
      export default-route.
    o Marked stale prefixes in the Adj-RIB-Out so that graceful reload
      operates properly.
    o Allowed configuration of the ospfd(8) interface setting "type p2p"
      to be configured globally or per area.
    o Added point-to-point ospf6d(8) support for broadcast interfaces.
    o Validated authentication lengths in ripd(8) before use to prevent
      crashes.
    o Fixed empty response packages sent out by ripd(8) when entries are
      skipped due to split-horizon simple.
    o Reduced temporary address valid lifetime to 2 days in slaacd(8).
    o Made slaacd(8) honor the rdomain in which it runs when configuring
      the default route.
    o Withdrew all proposals on slaacd(8) startup to prevent indefinite
      retention of nameservers on interfaces no longer flagged for
      autoconf.
    o Modified ldpd(8) to lookup the adjacency by LSR id as well as
      source IP address, as the remote peer may change its LSR id.
    o Added support for printing RFC 2332 NBMA Next Hop Resolution
      Protocol (NHRP) to tcpdump(8).
    o Added tcpdump(8) support for printing RFC 8300 Network Service
      Header (NSH).
    o Added tcpdump(8) support for VXLAN-GPE.
    o Fixed a tcpdump(8) crash when printing the contents of a malformed
      packet where the packet length was smaller than the size of the
      usbpcap header.
    o Rewrote dhcpv6 parsing in tcpdump(8) to match the RFC, correctly
      handling dhcpv6 messages.
    o Accepted a netmask for IPv6 in ifconfig(8) instead of ignoring it
      and using only the prefixlen argument.
    o Fixed snmp(1) agent address parsing to allow IPv6 addresses to be
      used based on format, allow those without brackets to skip the
      port if it results in a nonsensical address (allowing use of ::1),
      and try to connect to the address immediately.
    o Implemented a df subcommand for snmp(1) which outputs disk and
      memory information in a df(1) format.
    o Implemented a -Cs option in snmp(1) for snmp walk and bulkwalk,
      allowing subsections of a tree to be skipped.
    o Introduced option filter-pf-addresses to snmpd.conf(5), allowing
      the OPENBSD-PF-MIB::pfTblAddrTable tree to be filtered out when
      many prefixes are stored in pf tables, reducing CPU usage during
      bulk walks.
    o Added retries and timeouts for test packets to radiusctl(8).
    o Corrected http auth combined with proxy auth in ftp(1).
    o Corrected ftp(1) access to an https server with user/password
      through the "http_proxy" environment variable.
    o Prevented ftp(1) from following remote redirects to local files.
    o Implemented HTTP/1.1 in ftp(1).
    o Added new -N name option to ftp(1), allowing calling scripts to
      change the progname and produce better error messages.
    o Allowed pfctl(8) to recursively flush rules and tables.
    o In pf(4), ensured rdr-to with loopback destination will work even
      when IP forwarding is disabled.
    o Enabled rpki-client(8), a free, easy-to-use implementation of the
      Resource Public Key Infrastructure (RPKI) for Relying Parties (RP)
      to facilitate validation of the Route Origin of a BGP
      announcement. The program queries the RPKI repository system and
      outputs Validated ROA Payloads in the configuration format of
      OpenBGPD, BIRD, and also as CSV or JSON objects for consumption by
      other routing stacks.
    o Modified root's crontab(1) to run rpki-client(8) and reload
      bgpd(8) configuration, enabling RPKI ROA filtering.
    o Stopped hardcoding the cache directory in rpki-client(8). Cache
      and output directory will use defaults for root users and must be
      specified by non-root users.
    o Made rpki-client(8) use the existing cache and not exit if
      rsync(1) exits non-zero.
    o Fixed rpki-client(8) -j option, which had not been producing any
      output.
    o Rewrote the time validity check for manifests (MFTs) in
      rpki-client(8) to correctly account for the timezone.
    o Added rpki-client(8) output formats for the BIRD routing daemon
      and CSV.
    o For BIRD, rpki-client(8) can generate three different output
      formats with the option -B: v1 with IPv4 routes, v1 with IPv6
      routes, and v2.
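
   The cron(8) flag and random-time changes listed under general
   improvements, and the rpki-client(8) crontab entry and bgpd(8) reload
   just above, fit together as follows. This is an added illustration, not
   the root crontab or bgpd.conf shipped with the release: the AS numbers,
   router-id, neighbor address and filter policy are assumptions chosen
   from the documentation ranges.

```conf
# Fragment of root's crontab (crontab -e as root), added example.
# "~" in the minute field picks a random minute when cron loads the
# crontab, so a fleet of routers does not fetch from the RPKI repositories
# in lockstep; -n suppresses mail on a clean run and -s refuses to start a
# second rpki-client while the previous one is still running (e.g. a slow
# rsync), instead of stacking copies.
~	*	*	*	*	-ns	rpki-client && bgpctl reload

# Fragment of /etc/bgpd.conf, added example.
AS 64496                       # assumed local AS
router-id 192.0.2.1            # assumed

# rpki-client writes a "roa-set { ... }" block to this file on every run
# (default output directory for root); include it and reload bgpd to keep
# the roa table current.
include "/var/db/rpki-client/openbgpd"

neighbor 192.0.2.2 {           # assumed upstream
	remote-as 64497
}

# bgpd derives the origin validation state (ovs) of every prefix from the
# roa-set: reject routes whose origin AS or prefix length contradicts a
# covering ROA, accept validated and uncovered ones.
deny quick from ebgp ovs invalid
allow from ebgp ovs valid
allow from ebgp ovs not-found
```

   Note that bgpctl reload only re-reads the configuration; it is the
   include of the freshly written roa-set that changes policy. If the
   rpki-client run fails, the program keeps using its existing cache (see
   the rsync item above), so a transient repository outage does not wipe
   the roa table.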
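
   rpki-client's CSV and JSON output exists so that stacks other than
   OpenBGPD can perform the same origin validation from the Validated ROA
   Payloads. The following Python is an added example, not rpki-client or
   OpenBGPD code: it parses constructed VRP lines laid out the way
   rpki-client -c writes them (the column names are an assumption of this
   example), collapses duplicate prefix/source-AS entries to the longest
   maxlen as the bgpd roa table aggregation above does, and classifies
   announcements as valid, invalid or not-found per RFC 6811, including the
   AS 0 case where a ROA exists only to declare a prefix unannounceable.

```python
"""Route Origin Validation (RFC 6811) over rpki-client style VRP CSV lines.

Added example; not rpki-client or OpenBGPD code.  The sample lines below
are constructed, and the column names are an assumption about the layout
of rpki-client -c output.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample in rpki-client CSV layout (documentation prefixes and
# ASNs).  The second line duplicates the first prefix/AS pair with a longer
# maxlen; the loader must collapse the two into one entry.  The AS0 line
# covers a prefix that must never be announced.
SAMPLE_VRP_CSV = """\
ASN,IP Prefix,Max Length,Trust Anchor
AS64496,192.0.2.0/24,24,example-ta
AS64496,192.0.2.0/24,26,example-ta
AS64497,198.51.100.0/22,24,example-ta
AS64496,2001:db8::/32,48,example-ta
AS0,203.0.113.0/24,24,example-ta
"""


def _parse_asn(text):
    """Accept 'AS64496' or a bare '64496' and range-check it."""
    text = text.strip()
    if text.upper().startswith("AS"):
        text = text[2:]
    asn = int(text)
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"ASN out of range: {asn}")
    return asn


def load_vrps(text):
    """Parse VRP CSV into {network: [(source_as, maxlen), ...]}.

    Duplicate (prefix, source-AS) pairs keep only the longest maxlen, the
    same aggregation the bgpd roa table performs; a maxlen shorter than the
    prefix or longer than the address family allows is rejected.
    """
    best = {}  # (network, asn) -> longest maxlen seen
    for row in csv.DictReader(io.StringIO(text)):
        net = ipaddress.ip_network(row["IP Prefix"].strip(), strict=True)
        asn = _parse_asn(row["ASN"])
        maxlen = int(row["Max Length"])
        if not net.prefixlen <= maxlen <= net.max_prefixlen:
            raise ValueError(f"maxlen {maxlen} invalid for {net}")
        best[(net, asn)] = max(best.get((net, asn), -1), maxlen)
    vrps = defaultdict(list)
    for (net, asn), maxlen in best.items():
        vrps[net].append((asn, maxlen))
    return dict(vrps)


def vrp_entries(vrps, prefix):
    """Sorted (source_as, maxlen) entries recorded for an exact prefix."""
    return sorted(vrps.get(ipaddress.ip_network(prefix, strict=True), []))


def validate(prefix, origin_as, vrps):
    """Classify prefix/origin_as as 'valid', 'invalid' or 'not-found'.

    RFC 6811: a route is covered when some VRP prefix contains it; it is
    valid when a covering VRP matches the origin AS and the route is no
    longer than that VRP's maxlen; covered but unmatched is invalid; not
    covered is not-found.  An AS 0 VRP covers but never matches.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for net, entries in vrps.items():
        if net.version != route.version or not route.subnet_of(net):
            continue
        covered = True
        for asn, maxlen in entries:
            if asn == origin_as and route.prefixlen <= maxlen:
                return "valid"
    return "invalid" if covered else "not-found"


def apply_ovs_policy(announcements, vrps):
    """Emulate 'deny quick ... ovs invalid' followed by allow for the rest."""
    return [(p, a) for p, a in announcements
            if validate(p, a, vrps) != "invalid"]


if __name__ == "__main__":
    table = load_vrps(SAMPLE_VRP_CSV)
    for prefix, asn in [("192.0.2.0/26", 64496), ("192.0.2.0/27", 64496),
                        ("198.51.100.0/24", 64500), ("203.0.113.0/24", 64498),
                        ("2001:db8:1::/48", 64496), ("10.0.0.0/8", 64496)]:
        print(f"{prefix:18} AS{asn:<6} {validate(prefix, asn, table)}")
```

   The not-found case is deliberately accepted by apply_ovs_policy, as the
   bgpd policy fragment above does: most of the routing table is still
   uncovered by ROAs, and dropping it would be an outage, not a defence.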

 - unwind(8) improvements:
    o Implemented unwindctl(8) "status memory" to show cache memory usage.
    o Allowed forcing specific domains to be resolved by specific
      resolvers in unwind.conf(5), handling typical split-horizon
      setups.
    o Measured performance of resolving strategies in unwind(8), sorting
      them and choosing the next best strategy when one fails.
      Performance data decays over time.
    o Switched captive portal detection from HTTP probing to DNS probing
      in unwind(8).
    o Implemented DNS proposals in unwind(8) to learn nameservers from
      network autoconfiguration daemons.
    o Added opportunistic DoT support to unwind(8).
    o Added an ASR resolver type to unwind(8), using the libc
      asynchronous resolver directly with DHCP-provided nameservers to
      work around broken middle boxes.
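The strategy ranking described above is easy to get wrong in one direction: a strategy that failed once during an outage must not stay at the bottom of the list forever, which is what the decay is for. The following is an added illustrative model, not unwind's code, of ranking resolving strategies by an exponentially decaying cost and falling back to the next best one when a query fails. The metric, the half-life and penalty constants, and the strategy names (taken from the unwind.conf(5) preference keywords) are this example's assumptions, not what unwind actually implements.

```python
"""Illustrative model of unwind(8)-style strategy ranking with decay.

Added example, not unwind's code. Each strategy keeps an exponentially
decaying sum of observed costs (query latency in seconds, or a fixed
penalty for a failed query) and a decaying observation count; constants
and strategy names are assumptions chosen for illustration.
"""

# Strategy names as used in the unwind.conf(5) preference list (assumption).
STRATEGIES = ("DoT", "forwarder", "recursor", "dhcp")


class ResolveError(Exception):
    """Raised by a strategy that could not answer the query."""


class StrategyRanker:
    """Rank strategies by (decayed cost + prior) / (decayed count + 1).

    Lower is better. With many recent observations the score approaches the
    mean recent cost; with none it returns to the prior, so an old outage of
    one strategy does not keep it buried forever and a never-tried strategy
    is neither favoured nor punished.
    """

    def __init__(self, strategies=STRATEGIES, half_life=300.0,
                 failure_penalty=5.0, prior=1.0):
        self.half_life = half_life              # seconds for an observation to lose half its weight
        self.failure_penalty = failure_penalty  # cost charged for a failed query, in seconds
        self.prior = prior
        self._stats = {s: [0.0, 0.0, 0.0] for s in strategies}  # [count, cost, last_update]

    def _decay(self, st, now):
        count, cost, last = st
        if count > 0.0 and now > last:
            f = 0.5 ** ((now - last) / self.half_life)
            count, cost = count * f, cost * f
        st[:] = [count, cost, max(now, last)]

    def record(self, strategy, now, latency=None, failed=False):
        """Add one observation: a latency in seconds, or a failure."""
        st = self._stats[strategy]
        self._decay(st, now)
        st[0] += 1.0
        st[1] += self.failure_penalty if failed else float(latency)

    def score(self, strategy, now):
        st = self._stats[strategy]
        self._decay(st, now)
        count, cost, _ = st
        return (cost + self.prior) / (count + 1.0)

    def ranked(self, now):
        """Strategies best-first; ties keep configuration order."""
        return sorted(self._stats, key=lambda s: self.score(s, now))

    def resolve(self, query, now):
        """Try strategies best-first. query(strategy) returns
        (answer, latency_seconds) or raises ResolveError."""
        for s in self.ranked(now):
            try:
                answer, latency = query(s)
            except ResolveError:
                self.record(s, now, failed=True)
                continue
            self.record(s, now, latency=latency)
            return s, answer
        raise ResolveError("all resolving strategies failed")


if __name__ == "__main__":
    # Constructed scenario: DoT is blocked by a middlebox, the forwarder
    # is slow, the recursor and the DHCP-provided server are healthy.
    behaviour = {"DoT": None, "forwarder": 0.40, "recursor": 0.05, "dhcp": 0.08}

    def fake_query(strategy):
        if behaviour[strategy] is None:
            raise ResolveError(strategy)
        return "192.0.2.10", behaviour[strategy]

    ranker = StrategyRanker()
    for t in (0.0, 10.0, 20.0, 3600.0):
        used, _ = ranker.resolve(fake_query, t)
        print(f"t={t:6.0f}s used={used:9} order={ranker.ranked(t)}")
```

The prior term is what makes the decay safe: a strategy whose only observations are long past returns to the neutral score rather than to zero, and a strategy that has never been tried sits at that same neutral score. The flip side, visible in the scenario above, is that a strategy that is merely good enough keeps winning, so the faster recursor is never probed; a real implementation needs some exploration on top of this.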

 - ipsec(4) improvements and bugfixes:
    o Added support for automatically moving traffic between rdomains on
      ipsec(4) encryption or decryption, reducing the attack surface for
      network sidechannel attacks.
    o Added iked(8) support for switching rdomain on ipsec(4)
      encryption/decryption, configurable per policy with the new
      'rdomain' option in iked.conf(5).
    o Changed the default ipsec level set by iked(8) and isakmpd(8) to
      IPSEC_LEVEL_REQUIRE. Unencrypted packets matching incoming ipsec
      flows are no longer accepted by default.
    o Added curve25519, ecp256, ecp384, ecp521, modp3072 and modp4096 to
      the default Diffie-Hellman group configuration for IKE SAs in
      iked(8).
    o Removed support for the insecure EC2N Diffie-Hellman groups in
      iked(8).
    o Changed the default authentication method in iked(8) to generic
      signature authentication (RFC 7427).
    o Added ESN configuration options for ikesa in iked.conf(5).
    o Added transport mode for child SAs to iked(8).
    o Added active probing for lost connection in iked(8) resulting in a
      faster connection reset.
    o Added a -p command line option to iked(8) to allow configuration
      of a non-standard UDP encapsulation port.
    o Added support for multiple x509 extensions and multiple
      subjectAltName fields in certificates used with iked(8).
    o Added support for certificates with uppercase subjectAltNames in
      iked(8).
    o Removed automatically installed ipsec(4) flow blocking unencrypted
      IPv6 traffic in iked(8).
    o Reduced size of IKE_AUTH message by eliminating duplicate traffic
      selectors in iked(8).
    o Added an ikectl(8) "show sa" command to print information about
      the state of negotiated IKE SAs, their child SAs and the resulting
      IPsec flows.
    o Added an ikectl(8) "reset id" command to reset all SAs from
      policies with matching destination IDs.
    o Added support for UDP encapsulation in manual SAs set up with
      ipsec.conf(5).
    o Fixed an iked(8) bug that led to connection loss after
      simultaneous rekeying.
    o Fixed an iked(8) public key leak in the CA process for ASN-DN IDs.
    o Fixed a bug that led to a lost EAP ID after rekeying in iked(8).
    o Fixed EAP user database corruption resulting from use of the
      ikectl(8) reload command.
    o Corrected iked(8) calculation of IPv6 address leases from small
      address pools.
    o Fixed several bugs that could lead to iked(8) selecting the wrong
      policy for incoming requests, resulting in a failed handshake.
    o Fixed a bug that broke PSK authentication against strongSwan.
    o Enabled UDP-encapsulation in Child SAs if iked(8) was started with
      -t.
    o Fixed isakmpd(8) IKE pcap file creation.

 - tmux(1) improvements and bug fixes:
    o Indicated the marked pane in tmux(1) choose mode in reverse, and
      added keys to set (m) and clear it (M), and to jump to the
      starting pane (H).
    o Allowed tmux(1) main-pane-width and height to be specified as
      percentages.
    o Added a -f filter argument to the tmux(1) list commands like
      choose-tree.
    o Added an -s flag to tmux(1) copy-mode to specify a different pane
      for the source content.
    o Added a -T flag to tmux(1) resize-pane to trim lines below the
      cursor.
    o Added support for tmux(1) overlay popup boxes, created with the
      display-popup command.
    o Added a tmux(1) -d flag to run-shell to wait for delay before
      running the command (or delay with no command).
    o Added a tmux(1) copy-mode -H flag to hide the position marker in
      the top right.
    o Added tmux(1) C-g to cancel command prompt with vi(1) keys as well
      as emacs, and q in command mode.
    o Modified tmux(1) -S server socket to be created with umask 177
      rather than 117.
    o Introduced a tmux(1) selection_active format for when the
      selection is present but not moving with the cursor.
    o Added -a to the list-keys command in tmux(1) to also list keys
      without notes with -N.
    o Added tmux(1) support for adding a note to a key binding with
      bind-key -N and using this to add descriptions to the default key
      binding. Using list-keys -N shows key bindings with notes. Changed
      the default ? binding to show a readable summary of keys.
    o Added -Z to the default tmux(1) switch-client command in tree
      mode.
    o Prevented read-only tmux(1) clients from limiting the size of
      other clients.
    o Added support for regex searches in tmux(1) copy mode.
    o Modified tmux(1) source-file to allow reading from stdin.
    o Added a tmux(1) p format modifier for padding to width.
    o Added -f for full size to join-pane in tmux(1).
    o Changed tmux(1) new-session -A to attach to the best existing
      session when a session name is not specified, rather than creating
      a new session.
    o Added an option to tmux(1) to set the key sent by backspace for
      systems using ^H.
    o Added -F flag to tmux(1) send-keys to expand formats in
      search-backward and forward copy mode commands.
    o Added support for percentage sizes to tmux(1) resize-pane ("-x
      10%") and changed split-window and join-pane -l to accept similar
      percentages, deprecating the -p option.

 - VMM/VMD improvements
    o Added vmm(4) IOCTL handler to set the access protections of the
      ept.
    o Added a check in vmm(4) for pvclock(4) struct crossing of page
      boundaries, which could potentially corrupt host memory.
    o Tightened rdmsr on svm in vmm(4).
    o Fixed an issue where a vmm(4) guest could write to host memory by
      passing bogus addresses in pvclock(4).
    o Made vmctl(8) and ldomctl(8) run cu(1) in restricted mode (-r).
    o Started virtual machines defined in vm.conf(5) in a staggered
      fashion, helping prevent overload of the host and improper tsc
      calibration in guests.
    o Provided proper concurrency control when pausing a vm in vmd(8).
    o Fixed a panic when tearing down vms with vmm(4).

 - ldom/sparc64 virtualization improvements
    o Added support for devaliases for vnet in ldom.conf(5).
    o Implemented ldomctl(8) "panic -c" to panic a guest domain (and
      enter ddb(4)).
    o Implemented "start -c" in ldomctl(8) to automatically connect to
      the console.
    o Introduced a -n option to ldomctl(8) to validate the configuration
      file and exit.
    o Added a create-vdisk command to ldomctl(8) analogous to amd64's
      vmctl(8) create.
    o Added the "console" command to ldomctl(8) which executes cu(1) on
      the domain's console.
    o Printed guest domain vcctty(4) devices in status output in
      ldomctl(8).
    o Added list-io command to ldomctl(8), listing the available PCIe
      devices to be used with the iodevice parameter in ldom.conf(5).

 - OpenSMTPD 6.7.0
    o New Features
       - Allowed use of the smtpd(8) session username in built-in
         filters when available.
       - Introduced a bypass keyword to smtpd(8) so that built-in
         filters can bypass processing when a condition is met.
       - Allowed use of 'auth' as an origin in smtpd.conf(5).
       - Allowed use of mail-from and rcpt-to as for and from
         parameters in smtpd.conf(5).
    o Bug fixes
       - Ensured legacy ssl(8) session ID is persistent during a
         client TLS session, fixing an issue using TLSv1.3 with
         smtp.mail.yahoo.com.
       - Fixed security vulnerabilities in smtpd(8). Corrected an
         out-of-bounds read in smtpd allowing an attacker to inject
         arbitrary commands into the envelope file to be executed as
         root, and ensured privilege revocation in smtpctl(8) to
         prevent arbitrary commands from being run with the _smtpq
         group.
       - Allowed mail.local(8) to be run as non-root, opening a pipe
         to lockspool(1) for file locking.
       - Fixed a security vulnerability in smtpd(8) which could lead
         to a privilege escalation on mbox deliveries and unprivileged
         code execution on lmtp deliveries.
       - Added support for CIDR in a: spf atoms in smtpd(8).
       - Fixed a possible crash in smtpd(8) when combining "from rdns"
         with nested virtual aliases under a particular configuration.
    o Experimental Features
       - Introduced smtp-out event reporting.
       - Improved filtering protocol.

 - LibreSSL 3.1.1
    o New Features
       - Completed initial TLS 1.3 implementation with a completely
         new state machine and record layer. TLS 1.3 is now enabled by
         default for the client side, with the server side to be
         enabled in a future release. Note that the OpenSSL TLS 1.3
         API is not yet visible/available.
       - Improved cipher suite handling to automatically include
         TLSv1.3 cipher suites when they are not explicitly referred
         to in the cipher string.
       - Provided TLSv1.3 cipher suite aliases to match the names used
         in RFC 8446.
       - Added cms subcommand to openssl(1).
       - Added -addext option to openssl(1) req subcommand.
       - Added -groups option to openssl(1) s_server subcommand.
       - Added TLSv1.3 extension types to openssl(1) -tlsextdebug.
    o API and Documentation Enhancements
       - Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1.
       - Ported Cryptographic Message Syntax (CMS) implementation from
         OpenSSL 1.1.1 and enabled by default.
    o Compatibility Changes
       - Improved compatibility by backporting functionality and
         documentation from OpenSSL 1.1.1.
       - Adjusted EVP_chacha20()'s behavior to match OpenSSL's
         semantics.
    o Testing and Proactive Security
       - Added many new additional crypto test vectors.
       - Disallowed setting the AES-GCM IV length to zero.
    o Internal Improvements
       - Many more code cleanups, fixes, and improvements to memory
         handling and protocol parsing.
    o Portable Improvements
       - Default CA bundle location is now configurable in portable
         builds.
       - Improved portable builds to support use of static MSVC
         runtimes.
       - Fixed portable builds to avoid exporting a sleep() symbol.
    o Bug Fixes
       - Fixed X509_print_ex() to fall back to colon-separated hex
         bytes when printing a serialNumber that does not fit in an
         int.

 - OpenSSH 8.3
    o Potentially incompatible changes.
       - sftp(1): reject an argument of "-1" in the same way as ssh(1)
         and scp(1) do instead of accepting and silently ignoring it.
       - Removed ssh-rsa (SHA-1) from the default list of allowed CA
         signature algorithms; certificates whose CA signature uses
         ssh-rsa are rejected unless CASignatureAlgorithms re-enables
         it.
       - Removed diffie-hellman-group14-sha1 from the default ssh(1)
         key exchange.
       - ssh-keygen(1): the command-line options related to the
         generation and screening of safe prime numbers used by the
         diffie-hellman-group-exchange-* key exchange algorithms have
         changed. Most options have been folded under the -O flag.
       - sshd(8): the sshd listener process title visible to ps(1) has
         changed to include information about the number of
         connections that are currently attempting authentication and
         the limits configured by MaxStartups.
       - ssh-sk-helper(8): this is a new binary. It is used by the
         FIDO/U2F support to provide address-space isolation for token
         middleware libraries (including the internal one). It needs
         to be installed in the expected path under /usr/libexec.
    o New Features
       - Allowed use of the IgnoreRhosts directive anywhere in an
         sshd_config(5) file, not just before Match blocks, and made
         it a tri-state option.
       - Added TOKEN percent expansion (i.e. userid, hostnames etc.)
         to ssh(1) LocalForward and RemoteForward when used for Unix
         domain socket forwarding.
       - Allowed loading public keys from the unencrypted envelope of a
         private key file if no corresponding public key file is
         present.
       - Gave ssh-keygen(1) the ability to dump the contents of a
         binary key revocation list with ssh-keygen -lQf /path.
       - Added ssh(1) -Q key-sig option for all key and signature
         types, teaching ssh -Q to accept ssh_config(5) and
         sshd_config(5) algorithm keywords as an alias for the
         corresponding query.
       - Updated to libfido2 780ad3c25.
       - Added an sshd_config(5) "Include" directive to allow
         inclusion of files.
       - Renamed ssh-add(1) -O to -K to load resident keys from a FIDO
         authenticator.
       - Added the ability to download FIDO2 resident keys from a
         token via the ssh-keygen(1) -K option and save public/private
         keys into the current directory.
       - Implemented support for generating FIDO2 resident keys, with an
         ssh-add(1) option (originally -O, now -K as noted above) to
         load resident keys from a FIDO2 token into ssh-agent(1).
         Removed the ssh-keygen(1) -x option previously used for the
         FIDO/U2F-specific key flags, which are now set with -O.
       - Removed single letter flags for moduli generation in
         ssh-keygen(1) and moved all moduli generation options to
         under the -O flag. Breaks existing ssh-keygen commandline
         syntax for moduli-related operations.
       - Allowed forwarding of a different agent socket to a specified
         path in ssh(1).
       - Allowed ssh(1) security keys to act as host keys as well as
         user keys.
       - Used ssh-sk-helper for all security key signing operations
         and security key enrollment. Most ssh(1) tools no longer need
         to link against libfido2 or interact with /dev/uhid*
         directly.
       - Added "no-touch-required" options to ssh-keygen(1) and
         sshd(8) to disable touch requirement for authorized_keys and
         certificates.
       - Added an sshd_config(5) PubkeyAuthOptions directive allowing
         specification of whether sshd(8) should check whether user
         presence was tested before a security key was made.
       - Added direct support for U2F/FIDO2 security keys in ssh(1).
       - Added initial infrastructure for U2F/FIDO support in ssh(1).
       - Notified the user via TTY or $SSH_ASKPASS when ssh(1)
         security keys must be tapped/touched in order to perform a
         signature operation.
       - Enabled ed25519 support in ssh(1).
    o Bugfixes
       - Detected and prevented simple ssh(1) configuration loops when
         using ProxyJump.
       - Fixed PIN entry bugs on FIDO in ssh-keygen(1).
       - Fixed ssh-keygen(1) not displaying the authenticator touch
         prompt.
       - Prevented a timeout in ssh(1) when the server doesn't
         immediately send a banner, such as with multiplexers like
         sslh.
       - Adjusted on-wire signature encoding for ecdsa-sk ssh(1) keys
         to better match ed25519-sk keys.
       - Fixed a potential NULL dereference for revoked hostkeys in
         ssh(1).
       - ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded
         from a PKCS11Provider
       - ssh-keygen(1): avoid NULL dereference when trying to convert
         an invalid RFC4716 private key.
       - scp(1): when performing remote-to-remote copies using "scp
         -3", start the second ssh(1) channel with BatchMode=yes
         enabled to avoid confusing and non-deterministic ordering of
         prompts.
       - ssh(1): fix incorrect error message for "too many known hosts
         files."
       - ssh(1): make failures when establishing "Tunnel" forwarding
         terminate the connection when ExitOnForwardFailure is enabled
       - ssh-keygen(1): fix printing of fingerprints on private keys
         and add a regression test for same.
       - sshd(8): document order of checking AuthorizedKeysFile
         (first) and AuthorizedKeysCommand (subsequently, if the file
         doesn't match)
       - sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv
         are not considered for HostbasedAuthentication when the
         target user is root
       - ssh(1), ssh-keygen(1): fix NULL dereference in private
         certificate key parsing (oss-fuzz #20074).
       - ssh(1), sshd(8): more consistency between the sets of %TOKENS
         that are accepted in various configuration options.
       - ssh(1), ssh-keygen(1): improve error messages for some common
         PKCS#11 C_Login failure cases
       - ssh(1), sshd(8): make error messages for problems during SSH
         banner exchange consistent with other SSH transport-layer
         error messages and ensure they include the relevant IP
         addresses
       - various: fix a number of spelling errors in comments and
         debug/error messages
       - ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident
         keys from a token, don't prompt for a PIN until the token has
         told us that it needs one. Avoids double-prompting on devices
         that implement on-device authentication.
       - sshd(8), ssh-keygen(1): no-touch-required FIDO certificate
         option should be an extension, not a critical option.
       - ssh(1), ssh-keygen(1), ssh-add(1): offer a better error
         message when trying to use a FIDO key function and
         SecurityKeyProvider is empty.
       - ssh-add(1), ssh-agent(8): ensure that a key lifetime fits
         within the values allowed by the wire format (u32). Prevents
         integer wraparound of the timeout values
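Two of the changes above affect certificates already in circulation: a certificate whose CA signature was made with ssh-rsa (SHA-1) is no longer accepted under the default CASignatureAlgorithms, and a no-touch-required flag that an earlier ssh-keygen placed among the critical options rather than the extensions is not where the fixed sshd looks for it. The following is an added example, not OpenSSH code: it parses the public part of an OpenSSH certificate (the *-cert.pub line, wire format per OpenSSH's PROTOCOL.certkeys) and reports both conditions. The sample certificate is constructed from dummy bytes with an unverifiable signature, purely to exercise the parser; on real files, ssh-keygen -L prints the same fields.

```python
"""Audit OpenSSH certificates for two OpenSSH 8.3 changes (added example, not
OpenSSH code): CA signatures made with ssh-rsa (SHA-1), and no-touch-required
carried as a critical option instead of an extension."""
import base64
import struct

# Key-specific string fields between nonce and serial (OpenSSH PROTOCOL.certkeys).
_KEY_FIELDS = {
    "ssh-rsa-cert-v01@openssh.com": 2,                 # e, n
    "ssh-ed25519-cert-v01@openssh.com": 1,             # pk
    "sk-ssh-ed25519-cert-v01@openssh.com": 2,          # pk, application
    "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com": 3,  # curve, pk, application
    **{f"ecdsa-sha2-nistp{n}-cert-v01@openssh.com": 2 for n in (256, 384, 521)},
}


class _Reader:
    """Cursor over SSH wire-format data; every read is bounds-checked."""

    def __init__(self, data):
        self.data, self.off = data, 0

    def _take(self, n):
        if self.off + n > len(self.data):
            raise ValueError("truncated certificate")
        chunk, self.off = self.data[self.off:self.off + n], self.off + n
        return chunk

    def u32(self): return struct.unpack(">I", self._take(4))[0]
    def u64(self): return struct.unpack(">Q", self._take(8))[0]
    def string(self): return self._take(self.u32())
    def more(self): return self.off < len(self.data)


def _option_pairs(blob):
    # (name, data) string pairs; data is empty for a flag, else a wrapped string
    r, out = _Reader(blob), {}
    while r.more():
        name, data = r.string().decode(), r.string()
        out[name] = _Reader(data).string().decode() if data else ""
    return out


def parse_cert(line):
    """Parse one *-cert.pub line into the fields an audit needs."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    r = _Reader(base64.b64decode(fields[1]))
    ctype = r.string().decode()
    if ctype not in _KEY_FIELDS:
        raise ValueError(f"not an OpenSSH certificate type: {ctype}")
    r.string()                                   # nonce
    for _ in range(_KEY_FIELDS[ctype]):          # key material, not needed here
        r.string()
    cert = {"type": ctype, "serial": r.u64(), "cert_type": r.u32(),  # 1 user, 2 host
            "key_id": r.string().decode(), "principals": []}
    p = _Reader(r.string())
    while p.more():
        cert["principals"].append(p.string().decode())
    cert["valid_after"], cert["valid_before"] = r.u64(), r.u64()
    cert["critical_options"] = _option_pairs(r.string())
    cert["extensions"] = _option_pairs(r.string())
    r.string()                                   # reserved
    cert["ca_key_type"] = _Reader(r.string()).string().decode()
    cert["signature_algorithm"] = _Reader(r.string()).string().decode()
    return cert


def audit(cert):
    """Findings for the OpenSSH 8.3 changes named in the release notes."""
    findings = []
    if cert["signature_algorithm"] == "ssh-rsa":
        findings.append("CA signature uses ssh-rsa (SHA-1); rejected by the "
                        "OpenSSH 8.3 default CASignatureAlgorithms")
    if "no-touch-required" in cert["critical_options"]:
        findings.append("no-touch-required is a critical option; OpenSSH 8.3 "
                        "expects it as an extension")
    return findings


def build_sample_cert(sig_alg="ssh-rsa", no_touch_in="extensions"):
    """Constructed sk-ssh-ed25519 user certificate from dummy bytes: no real
    key and no valid signature, only good for exercising the parser."""
    s = lambda b: struct.pack(">I", len(b)) + b                  # SSH "string"
    pair = lambda name, v=b"": s(name.encode()) + s(s(v) if v else b"")
    crit, exts = pair("source-address", b"192.0.2.0/24"), pair("permit-pty")
    if no_touch_in == "critical":
        crit += pair("no-touch-required")
    else:
        exts += pair("no-touch-required")
    ca_key = s(b"ssh-rsa") + s(b"\x01\x00\x01") + s(b"\x22" * 256)
    body = (s(b"sk-ssh-ed25519-cert-v01@openssh.com")
            + s(b"\x00" * 32) + s(b"\x11" * 32) + s(b"ssh:")   # nonce, pk, application
            + struct.pack(">QI", 42, 1)                        # serial, user certificate
            + s(b"alice@example") + s(s(b"alice") + s(b"deploy"))
            + struct.pack(">QQ", 1589846400, 1589932800)       # valid 2020-05-19 .. 05-20 UTC
            + s(crit) + s(exts) + s(b"")                       # options, extensions, reserved
            + s(ca_key) + s(s(sig_alg.encode()) + s(b"\x33" * 256)))
    return "sk-ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(body).decode() + " alice"


if __name__ == "__main__":
    for alg, where in (("ssh-rsa", "extensions"), ("rsa-sha2-512", "critical")):
        cert = parse_cert(build_sample_cert(alg, where))
        print(cert["key_id"], cert["principals"], alg, audit(cert) or "ok")
```

Run parse_cert over every *-cert.pub line in a fleet before upgrading the hosts that accept them. Anything flagged for ssh-rsa needs re-signing with a current ssh-keygen -s, which signs with rsa-sha2-512 for RSA CAs by default; adding ssh-rsa back to CASignatureAlgorithms on the server is the other option, but it re-enables SHA-1 signatures and is the weaker choice. The parser is deliberately strict: every length is bounds-checked and unknown certificate types are refused rather than guessed at, so a truncated or malformed line raises ValueError instead of yielding a partial record.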

 - Mandoc 1.14.6
    o Introduced a new mdoc(7) macro .Tg ("tag") to explicitly mark a
      place as defining a term, and improved automatic tagging in
      various ways.
    o Print the manpath when the man(1) -w option is given without an
      argument, for compatibility with the man-1.6 and man-db
      implementations.
    o Deleted support for the _whatdb configuration directive from
      man.conf(5) five years after it was declared obsolete; use manpath
      instead.
    o Added a Content-Security-Policy HTTP header to man.cgi(8) that
      allows only CSS.
    o Provide a STYLE message when mandoc(1) knows the filename and the
      extension disagrees with the section number given in the .Dt or
      .TH macro.
    o When the mdoc(7) .Dd macro lacks an argument, use the empty
      string, and always concatenate all arguments, no matter their
      number. The same change was applied to groff.

 - Ports and packages:
    The package system provides an easy way to install 3rd party software.
    New features include:
    o Provide debug package information that can be installed alongside
      packages and used to provide better bug reports.
    o Added DEBUG_PKG_CACHE functionality to pkg_add(1), fetching debug
      packages into that cache when packages are installed.
    o Added a -d option to pkg_add(1) to add debug packages if present
      alongside intended updates or additions.
    o Added support for "alpha" suffixes in packages-specs(7), removing
      the need for workarounds in certain ports distfiles.
    o Pre-built packages are available for the following architectures on
      the day of release:
       - aarch64 (arm64): 10848
       - amd64: 11268
       - i386: 10715
       - mips64: 9281
       - sparc64: 9850
    o Packages for the following architectures will be made available as
      their builds complete:
       - arm
       - mips64el
       - powerpc

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.7 with xserver 1.20.8 + patches,
      freetype 2.10.1, fontconfig 2.12.4, Mesa 19.2.8, xterm 351,
      xkeyboard-config 2.20 and more)
    o LLVM/Clang 8.0.1 (+ patches)
    o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    o Perl 5.30.2 (+ patches)
    o NSD 4.2.4
    o Unbound 1.10.0
    o Ncurses 5.7
    o Binutils 2.17 (+ patches)
    o Gdb 6.3 (+ patches)
    o Awk Dec 20, 2012 version
    o Expat 2.2.8

------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each release.  Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible.  Therefore, we advise regular
visits to

        https://www.OpenBSD.org/security.html
and
        https://www.OpenBSD.org/errata.html

------------------------------------------------------------------------
- MAILING LISTS AND FAQ ------------------------------------------------

Mailing lists are an important means of communication among users and
developers of OpenBSD.  For information on OpenBSD mailing lists, please
see:

        https://www.OpenBSD.org/mail.html

You are also encouraged to read the Frequently Asked Questions (FAQ) at:

        https://www.OpenBSD.org/faq/

------------------------------------------------------------------------
- DONATIONS ------------------------------------------------------------

The OpenBSD Project is a volunteer-driven software group funded by
donations.  Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others.  This ecosystem is all handled under the same funding umbrella.

We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon
events.

All of our developers strongly urge you to donate and support our future
efforts.  Donations to the project are highly appreciated, and are
described in more detail at:

        https://www.OpenBSD.org/donations.html

------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.

There may also be exposure benefits since the Foundation may be
interested in participating in press releases.  In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at directors@openbsdfoundation.org for
more information.

------------------------------------------------------------------------
- HTTPS INSTALLS -------------------------------------------------------

OpenBSD can be easily installed via HTTPS downloads.  Typically you need
a single small piece of boot media (e.g., a USB flash drive) and then
the rest of the files can be installed from a number of locations,
including directly off the Internet.  Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTPS.

1) Read either of the following two files for a list of HTTPS mirrors
   which provide OpenBSD, then choose one near you:

        https://www.OpenBSD.org/ftp.html
        https://ftp.openbsd.org/pub/OpenBSD/ftplist

   As of May 19, 2020, the following HTTPS mirror sites have the
   6.7 release:

        https://cdn.openbsd.org/pub/OpenBSD/6.7/            Global
        https://ftp.eu.openbsd.org/pub/OpenBSD/6.7/         Stockholm, Sweden
        https://ftp.hostserver.de/pub/OpenBSD/6.7/          Frankfurt, Germany
        https://ftp.bytemine.net/pub/OpenBSD/6.7/           Oldenburg, Germany
        https://ftp.fr.openbsd.org/pub/OpenBSD/6.7/         Paris, France
        https://mirror.aarnet.edu.au/pub/OpenBSD/6.7/       Brisbane, Australia
        https://ftp.usa.openbsd.org/pub/OpenBSD/6.7/        CO, USA
        https://ftp5.usa.openbsd.org/pub/OpenBSD/6.7/       CA, USA
        https://mirror.esc7.net/pub/OpenBSD/6.7/            TX, USA
        https://openbsd.cs.toronto.edu/pub/OpenBSD/6.7/     Toronto, Canada
        https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.7/ Global
        https://fastly.cdn.openbsd.org/pub/OpenBSD/6.7/     Global

        The release is also available at the master site:

        https://ftp.openbsd.org/pub/OpenBSD/6.7/            Alberta, Canada

        However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that HTTPS mirror site and go into the directory
   pub/OpenBSD/6.7/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     armv7/        octeon/             sparc64/
        README           hppa/         openbsd-67-base.pub src.tar.gz
        SHA256           i386/         packages/           sys.tar.gz
        SHA256.sig       landisk/      packages-stable/    xenocara.tar.gz
        alpha/           loongson/     ports.tar.gz
        amd64/           luna88k/      root.mail
        arm64/           macppc/       sgi/

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, amd64.  This is a list of what you will see:

        BOOTIA32.EFI*   bsd*            floppy67.fs     pxeboot*
        BOOTX64.EFI*    bsd.mp*         game67.tgz      xbase67.tgz
        BUILDINFO       bsd.rd*         index.txt       xfont67.tgz
        INSTALL.amd64   cd67.iso        install67.fs    xserv67.tgz
        SHA256          cdboot*         install67.iso   xshare67.tgz
        SHA256.sig      cdbr*           man67.tgz
        base67.tgz      comp67.tgz      miniroot67.fs

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
   and install67.iso.  The install67.iso file (roughly 470MB in size)
   is a one-step ISO-format install CD image which contains the various
   *.tgz files so you do not need to fetch them separately.

   If you prefer to use a USB flash drive, fetch install67.fs and
   follow the instructions in INSTALL.amd64.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.amd64.  INSTALL.amd64 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

        https://www.OpenBSD.org/errata.html

   This is the page where we talk about the mistakes we made while
   creating the 6.7 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.7.  Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc.  During installation, you can install X.Org
quite easily using xenodm(1), our simplified X11 display manager forked
from xdm(1).

------------------------------------------------------------------------
- PACKAGES AND PORTS ---------------------------------------------------

Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures.  Please see https://www.openbsd.org/faq/faq15.html for
more information on working with packages and ports.

Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed
separately.

------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------

The source code for all four subsystems can be found in the
pub/OpenBSD/6.7/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

The README (https://ftp.OpenBSD.org/pub/OpenBSD/6.7/README) file
explains how to deal with these source files.

------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------

Ports tree and package building by Pierre-Emmanuel Andre, Visa Hankala,
Stuart Henderson, Peter Hessler, Kurt Mosiejczuk, Christian Weisgerber,
and Charlene Wendling.  Base and X system builds by Kenji Aoyama and
Theo de Raadt.  Release art contributed by Jonni Phillips.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who bought our previous CD sets.  Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.

Our developers are:

    Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall,
    Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov,
    Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley,
    Antoine Jacoutot, Anton Lindqvist, Asou Masato, Ayaka Koshibe,
    Benoit Lecocq, Bjorn Ketelaars, Bob Beck, Brandon Mercer,
    Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar,
    Carlos Cardenas, Charlene Wendling, Charles Longeau,
    Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann,
    Claudio Jeker, Dale Rahn, Damien Miller, Daniel Dickman,
    Daniel Jakots, Darren Tucker, David Coppa, David Gwynne, David Hill,
    Denis Fondras, Doug Hogan, Edd Barrett, Elias M. Mariani,
    Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus,
    George Koehler, Gerhard Roth, Giannis Tsaraias, Gilles Chehade,
    Giovanni Bechis, Gleydson Soares, Gonzalo L. Rodriguez, Helg Bredow,
    Henning Brauer, Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer,
    Ingo Schwarze, Inoguchi Kinichiro, James Turner, Jan Klemkow,
    Jason McIntyre, Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas,
    Jeremy Evans, Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani,
    Jonathan Gray, Jonathan Matthew, Jordan Hargrave, Joris Vink,
    Joshua Stein, Juan Francisco Cantero Hurtado, Kazuya Goda,
    Kenji Aoyama, Kenneth R Westerback, Kent R. Spillner, Kevin Lo,
    Kirill Bychkov, Klemens Nanni, Kurt Miller, Kurt Mosiejczuk,
    Landry Breuil, Lawrence Teo, Marc Espie, Marco Pfatschbacher,
    Marcus Glocker, Mark Kettenis, Mark Lumsden, Markus Friedl,
    Martijn van Duren, Martin Natano, Martin Pieuchot, Martin Reindl,
    Martynas Venckus, Mats O Jansson, Matthew Dempsky, Matthias Kilian,
    Matthieu Herrb, Michael Mikonos, Mike Belopuhov, Miod Vallat,
    Nayden Markatchev, Nicholas Marriott, Nigel Taylor, Okan Demirmen,
    Ori Bernstein, Otto Moerbeek, Paco Esteban, Pamela Mosiejczuk,
    Pascal Stumpf, Patrick Wildt, Paul Irofti, Pavel Korovin,
    Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas,
    Rafael Sadowski, Rafael Zalamena, Raphael Graf, Remi Locherer,
    Remi Pointel, Renato Westphal, Reyk Floeter, Ricardo Mestre,
    Richard Procter, Rob Pierce, Robert Nagy, Sasano Takayoshi,
    Scott Soule Cheloha, Sebastian Benoit, Sebastian Reitenbach,
    Sebastien Marie, Solene Rapenne, Stefan Fritsch, Stefan Kempf,
    Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson,
    Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler,
    Theo de Raadt, Thomas Frohwein, Tim van der Molen, Tobias Heider,
    Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove,
    Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov,
    Vincent Gross, Visa Hankala, Yasuoka Masahiko, Yojiro Uo