deadsimple BSD Security Advisories and Announcements

OpenBSD 6.8 released, - Oct 18, 2020

- OpenBSD 6.8 RELEASED -------------------------------------------------

October 18, 2020.

We are pleased to announce the official release of OpenBSD 6.8.
This day marks the OpenBSD project's 25th anniversary.  As we celebrate
our 49th release, we remain proud of OpenBSD's record of more than
twenty years with only two remote holes in the default install.

As in our previous releases, 6.8 provides significant improvements,
including new features, in nearly all areas of the system:

 - New/extended platforms:
    o New powerpc64 platform, supporting PowerNV (non-virtualized)
      systems with POWER8 and POWER9 CPUs, such as Raptor Computing
      Systems Talos II and Blackbird systems. POWER8 support has not
      been tested on real hardware yet.

 - Improvements to time measurements, mostly in the kernel:
    o Added support in the kernel and libc for timecounting in userland,
      eliminating the need for a context switch everytime a process
      requests the current time, thereby improving speed and
      responsiveness in programs which make many gettimeofday(2) calls,
      especially browsers and office software.
      The userland timecounters are enabled on the amd64, arm64, macppc,
      octeon and sparc64 architectures.
    o Added a ktrace(1) -T option to make time-related system calls more
    o Added tsc_delay(), a delay(9) implementation based on the TSC, to
    o Used an LFENCE instruction everywhere RDTSC is used for a time
      measurement, reducing the jitter in TSC skew measurements.
    o Introduced gettime(9) and getuptime(9) and substituted these for
      time_second(9) and time_uptime(9) throughout the kernel to prevent
      split-read problems on 32-bit platforms.
    o Synchronized each core's CP0 cycle counter using the IO clock
      counter on mips64 and octeon, making the cycle counter usable as
    o Improved CPU frequency scaling in automatic performance mode by
      removing accounting for offline CPUs.

 - Various kernel improvements:
    o Added intrmap, an interrupt to CPU mapping API that is used by
      hardware drivers to use multiple CPUs for interrupt handling.
    o Added an ioctl PCIOCGETVPD allowing userland to access read-only
      support information about pci devices via the vpd register.
    o Set ddb(4) "/t" to show a trace via TID on all architectures.
    o Introduced kstat(1), a subsystem to allow the kernel to expose
      statistics to userland.
    o Added kstat to cnmac(4).
    o Added support for remote coverage to kcov(4).
    o Moved sysctl(2) CTL_DEBUG from DEBUG to the new DEBUG_SYSCTL.
    o Prevented creation of bogus sd(4) devices for nvme(4) namespaces
      which are configured but have size 0.
    o Added READ(12)/WRITE(12) support to cd(4).
    o Used READ(16)/WRITE(16) commands for disks large enough to require
      them to access the last sectors, fixing large 512E devices plugged
      into USB to ATA/ATAPI bridges which mistakenly use 4K sector
    o Restored VGA fonts on VT switch, preventing an unusable screen
      when switching to a VT with a custom VGA font from X.
    o Ensured only pseudo-terminal devices use reprint delays.
    o Prevented improper disabling of the backlight in umstc(4) when
      brightness is adjusted to 0.
    o Provided an optimized implementation of ffs(3) in the kernel on
    o Rewrote m88k mutex code as a slight variation of the MI mutex
      code, potentially improving stability and rendering mutex spinning
      time visible in top(1).
    o Reworked kernel loading with octboot, the OpenBSD/octeon
      bootloader, which now does not rely on a mounted filesystem.
    o Ensured scsi(4) devices do not attempt to process bogus MODE SENSE

 - Various new userland features:
    o Imported login_ldap(8), using ldap(1) rather than openldap.
    o Added support for set -o pipefail to ksh(1), potentially helping
      error checking.
    o Cleared the screen in ksh(1)'s vi mode before redrawing the line
      with ^L.
    o Implemented the gensub(), systime() and strftime() functions for
    o Allowed specification of supported TLS protocols in ftp(1) "-S
    o Switched the default man(1) pager from "more(1) -s" to less(1).
    o Supported -T html -O tag in man(1) by passing a file:// URI to the
    o Added fstat(1) support for looking up unix domain sockets by file
    o Added / as an alias for g (grep) in top(1).
    o Provided a naptime variable for userspace via kvm_read(3), usable
      by vmstat(8).
    o Allowed switching between alternate devices (-F) with sndioctl(1).
    o Added the ability to set and display video(1) control values
      directly on the CLI.
    o Allowed the combination of video(1) "-dc" options, reset and
      display control values.
    o Added video(1) white balance temperature control through w/W keys.
    o Added control for backlight compensation to video(4).
    o Initialized v4l2_requestbuffers for libv4l compatibility, allowing
      view of video encodings not directly supported by video(1).
    o Added a new column to wsfontload(8) -l output to report the number
      of characters contained in a loaded font.
    o Relaxed filename checks in syspatch(8) to allow use of hyphens.
    o Enabled btrace(8) (dt(4) not yet enabled in GENERIC, though).
    o Added btrace(8) -p flag to filter all actions by PID.
    o Implemented linear and power-of-two histograms in bt(5).
    o Added support for "&" and "|" operators in btrace scripts.

 - Various bugfixes and tweaks in userland:
    o Fixed the ksh(1) exit code when evaluating a || compound list to
      prevent termination of the shell when running under -e.
    o Fixed "$@" splitting with empty IFS in ksh(1).
    o Stopped incrementing openclass for a literal "[" in awk(1),
      allowing parsing of expressions such as "/[[/[]/".
    o Fixed make(1) :S with anchors and replacement.
    o Prevented mg(1) from running out of memory or segfaulting with
      query-replace-regex ^.
    o Fixed ls(1) -R mode to not display subdirectories of a directory
      beginning with '.' and ensure directory names are always
    o Prevented a core dump in ftp(1) during fetch abort.
    o Taught su(1) -l -f to start a regular shell for non-csh shells
      rather than a login shell.
    o Used su(1) -fl to avoid sourcing the target user's .profile in
    o Fixed merging of files that lack newlines for diff3(1), OpenRCS
      and OpenCVS.
    o Prevented rcs(1) removal of locked revisions with rcs -orange,
      avoiding leaving behind a lock for a revision which no longer
    o Fixed sndiod(8) crashes when USB devices are disconnected.
    o Fixed the initial sndiod(8) alternate device number, preventing
      device number 1 from being skipped on first use.
    o Switched the default CDDB database for cdio(1) to
    o Stopped syslogd(8) from closing UDP sockets for sending messages
      when DNS lookup of a UDP loghost fails, allowing them to be used
      to send if DNS is working during the next SIGHUP.
    o Prevented established TCP and TLS sockets of syslogd(8) from
      staying open forever if a client aborted the connection silently.
    o Avoided reading one byte before the path buffer in mountd(8).
    o Made apmd(8) always ask the kernel about current hw.perfpolicy
      rather than maintaining state.
    o Prevented an unveil(2) failure with chdir / on sensorsd(8).
    o Fixed a segmentation fault in pstat(8)'s printing of active
    o Corrected getopt_long(3) parsing of a trailing dash in an option
      group, which was being incorrectly returned as an argument.
    o Prevented callers inspecting unrelated fields in the libc resolver
      function asr_run().
    o Introduced a darker xenodm(1) login widget and a lower contrast
      default background.
    o Fixed an xconsole(1) crash by starting it after setting the

 - Improved hardware support and driver bugfixes, including:
    o Enabled scrollback in simplefb(4).
    o Fixed display glitches on smaller screens or with larger fonts in
      efifb(4) associated with remapping and attaching.
    o Improved reporting of remaining power with batteries of different
      capacities in acpi(4).
    o Fixed bogus frame sizes being returned by xhci(4).
    o Added wsmoused(8) support to efifb(4).
    o Added umstc(4), a driver for Microsoft Surface Type Cover
    o Introduced acpihid(4) for ACPI HID event and 5-button array
    o Moved Powerbook5,4 audio from aoa(4) to snapper(4), adding the
      missing TAS3004 volume control.
    o Fixed broken HID descriptors of Elecom trackballs with 6 or 8
    o Added RK3328 PWM, also found in the RK3308, to rkpwm(4).
    o Added RK3308 temperature sensors to rktemp(4).
    o Added pcamux(4), a driver for the PCA9548 I2C switch.
    o Introduced a framework for digital audio interfaces, and added
      simpleaudio(4), a driver for "simple audio cards." This is a
      wrapper connecting the I2S controller, the codec and some aux
      devices, and simpleamp(4), a driver for "simple audio amplifier,"
      one of the aux devices for simpleaudio(4).
    o Enabled nvme(4) on i386.
    o Added support for the Ericsson F5521gw Mobile Broadband Modem.
    o Ensured the STOP command sent by sd(4) on powerdown will not
      result in hanging the machine if commands to the USB mass storage
    o Fixed intermittent failing pms(4) device initialization seen on
      some Synaptics devices.
    o Corrected trackstick/button attachment of Windows Precision
      Touchpad imt(4) devices, fixing behavior on certain Dell Latitude
    o Improved speed of scrolling by optimizing rasops(9) write-only
      framebuffer console.
    o Modified uvideo(4) to fix webcam detection in Firefox 78.
    o Added a SENSOR_ENERGY sensor type to the sensors framework API
      which uses microjoules.
    o Added support for the AMDI0010 touchpad on the Inspiron 5505.
    o Avoided nvram lock timeout on sparc64 systems with onboard BCM5704
      bge(4) instances that come without a fitted EEPROM/NVRAM.
    o Added pms(4) support for the Elantech v1 touchpad with firmware
      version 0x20022.
    o Added sdmmc(4) support for eMMC HS200 mode.
    o Added Exar XR17V35x serial port support.
    o Properly implemented amlmmc(4) setting of signal voltage.
    o Implemented UHS-I support in the sdmmc(4) midlayer and enabled it
      in amlmmc(4).
    o Introduced abl(4), a new driver to control the backlight
      brightness on Intel-based Apple machines, and allowed it to be
      controlled through wsconsctl(8).
    o Disabled acpivout(4) brightness control on machines aware of
      Windows 8, enabling inteldrm to handle brightness ioctls.
    o Fixed eeprom(8) error when setting variables on macppc.
    o Updated drm(4) to Linux 5.7.19.

 - New or improved network hardware support:
    o Enabled multiple tx/rx queues with Toeplitz RSS hashing in vmx(4),
      ix(4) and ixl(4).
    o Added support for hardware VLAN tagging and checksumming to mcx(4)
      and bnxt(4).
    o Fixed a crash in re(4).
    o Added bge(4) support for the BCM5719 A1 Ethernet controller.
    o Handled AGL interfaces on octeon, making management network ports
      usable on some machines.
    o Added support for the mcx(4) ConnectX-6 Dx.
    o Fixed a potential crash when bringing down an mcx(4) interface.
    o Increased the mcx(4) event queue size, preventing a potential
      interrupt storm on the ConnectX-4.
    o Fixed outbound bpf(4) tap on ogx(4) interfaces.
    o Improved ure(4) performance by combining multiple sent packets
      into one transfer.
    o Added support for RK3308 Ethernet to dwge(4).
    o Added rge(4) support for newer RTL8125 chipset (RTL8125B).

 - Added or improved wireless network drivers:
    o Added support to urtwn(4) for TP-Link TL-WN822N-EU v5 (and v4).
    o Added WPA2 (CCMP) crypto offload support to iwm(4) and iwx(4),
      reducing CPU load during traffic bursts.
    o Fixed causes of several fatal firmware errors on iwx(4) devices.
    o Added bwfm(4) support for BCM4359 SDIO variants such as the
      AP6359SA module found on the RockPro64 WiFi module.
    o Enabled critical temperature detection in iwx(4) firmware.
    o Fixed mbuf leak in urtwn(4) with frames CCMP-encrypted by
    o Added support for the D-Link DWA-121 rev B1 urtwn(4) device.
    o Repaired athn(4) in client mode against WPA2 access points.
    o Prevented a panic where athn(4) attempted to transmit old,
      unencryptable frames after switching to a new group key in hostap
    o Switched iwx(4) from -46 to -48 firmware.
    o Enabled background scanning on iwx(4) devices.
    o Fixed gain calibration for some iwn(4) devices (5000 and up).
    o Added support for AX201 devices to iwx(4).

 - New arm64 and armv7 hardware support and bugfixes, including:
    o Added amlpwrc(4), a driver for the power domain controller found
      on Amlogic SoCs.
    o Made OpenBSD boot on the ODROID-C4 with power domain in
    o Added support for the SD card detect pins on the Turris Mox.
    o Added support for the Marvell Xenon SDHC, used as storage on the
      Armada 3700 and 8040 SoCs.
    o Opened up a 4GB memory bus window for mvneta(4) on the Marvell
      Armada 3700, making the second Ethernet controller/port work on
      the Turris Mox.
    o Added mkvpcie(4), a driver for the Aardvark PCIe controller found
      on the Armada 3700 SoC.
    o Adjusted dwpcie(4) timing to improve likelihood of a successful
      PCIe link on the i.MX8MM. Avoids a failure to detect em(4) on the
      HummingBoard Pulse.
    o Added cwfg(4), a driver for the Cellwise CW201x fuel gauge on the
      Pinebook Pro.
    o Populated a list of 256 brightness levels as a fallback when the
      device tree does not specify a list, making the Pinebook Pro
      display work with the dtb from Linux 5.7.
    o Added escodec(4), a driver for the Everest ES8316 audio codec used
      on the Pinebook Pro.
    o Added rkiis(4), a driver for the I2S controller found on the
      Rockchip RK3399.
    o Added bcmtmon(4), a driver for the temperature sensor on the
      Raspberry Pi 4.
    o Introduced mvpp(4), a driver for the Marvell Packet Processor v2
      as used on the Armada 7K and 8K SoCs.
    o Improved PLL1(CPU_PLL) stability for the Allwinner H3/H2+.
    o Ported NetBSD's arm64 disassembler for ddb(4).
    o Enabled spleen16x32 and spleen32x64 fonts on armv7 for GENERIC
    o Enabled building wsmoused(8) and wsfontload(8) on arm64 and armv7.

 - IEEE 802.11 wireless stack improvements and bugfixes:
    o Fixed CCMP replay checks with 11n Rx aggregation and CCMP hardware
    o In hostap mode, complete WPA group key renewals immediately if no
      station is associated.
    o Improved processing of lost frames during 802.11 Rx aggregation.
    o Allowed passage of unencrypted 802.11 frames during hardware
      decryption post-processing, fixing failure of some ral(4) devices
      to receive packets on encrypted networks.
    o Prevented a use-after-free when a wireless device is detached.

 - Generic network stack improvements and bugfixes:
    o Implemented a carp(4) transmit bypassing the ifq on output,
      enqueuing the packet directly on the parent interface.
    o Fixed pf.conf(5) "route-to TABLE least-states" in an anchor.
    o Allowed pf(4) to divert packets from bridge(4) to local socket.
    o Rehashed main pf(4) rulesets after rule expiration.
    o Added a check for pfctl(8) that an rtable exists when parsing the
    o Corrected ruleset checksum calculation to allow pfsync(4) to
      verify rulesets are identical on all nodes.
    o Added wg(4), an in-kernel driver for WireGuard VPN communication.
    o Protected the whole pipex(4) layer by NET_LOCK().
    o Stopped creation of non-existent bridge(4) interfaces.
    o Added a symmetric toeplitz implementation with integration for
      nics, usable through the stoeplitz_to_key(9) hash algorithm API.
    o Changed tpmr(4) from ifconfig [-]trunkport to add|del synopsis.
    o Filtered vlan and svlan packets by default for tpmr(4).
    o Implemented IPv6 source address selection as outlined in RFC 6724
      section 5.
    o Set IPv6 source address selection to prefer the address with the
      highest preferred lifetime in case of a tie.
    o Stopped preventing TCP connections to IPv6 anycast addresses.
    o Added the pcap-filter(5) "sample NUM" primitive to allow capture
      of 1/NUM packets.
    o Added a ROUTE_FLAGFILTER socket option for routing sockets,
      allowing routing daemons to opt out of receiving messages for L2
      and broadcast route entries.
    o Allowed SIOCSWGDPID and SIOCSWGMAXFLOW ioctls for non-root,
      preventing switch(4) interfaces from appearing partially as
      bridge(4) devices for unprivileged users running ifconfig(8).
    o Modified trunk(4) to keep port interfaces UP on removal, matching
      aggr(4) behavior.
    o Fixed rdomain(4) handling for IPv6.
    o Fixed rtable(4) separation of raw sockets for IPv6.
    o Documented rtable(4) removal semantics.

 - Installer improvements:
    o On systems with multiple root disks, the installer will upgrade
      the disk with auto_upgrade.conf present when the upgrade was
      initiated by sysupgrade(8).
    o Changed install images called *.fs to *.img to accommodate some
      UEFI bootloaders.
    o Forced long-names on msdos filenames for installboot on most
      32-bit architectures.
    o Converted macppc, octeon and loongson to use machine-independent

 - Improvements in the FFS2 filesystem:
    o Made FFS2 the default for newfs(8), except for mfs.
    o Improved reliability of very large FFS2 filesystems.
    o Improved speed of checking FFS2 filesystems.
    o Enabled the FFS2 option on the luna88k ramdisk.
    o Made FFS2 the default non-root filesystems on landisk, sgi and

 - Security improvements:
    o Added RB_GOODRANDOM passed from bootloader to kernel in boothowto,
      indicating confidence a "great seed" was loaded.
    o Passed boothowto from the sparc64 bootloader to the kernel using
    o Introduced detection of /etc/random.seed reuse.
    o Rewrote the entropy enqueue ring to collect damage asynchronously
      and adapted the dequeue to mix a selection of "best" ring entries,
      exponentially backing off the dequeue timeout, to compensate
      rapidly for weak seeding in unidentifiable conditions and ensure
      quality to arc4random() calls early in boot.
    o Enabled PAN (Privileged Access Never) on arm64 CPUs supporting it.
    o Skipped scanning file systems which are both nodev and nosuid for
      SUID, SGID and device files with security(8).
    o Fixed two out-of-bounds array accesses in ioctl code pathways in
    o Fixed information leak in semctl SEM_GET.
    o Prevented root from freezing the UTC clock with settimeofday(2) at
      securelevel 2.
    o Fixed performance problems relating to tty subsystem abuse.
    o Fixed heap corruption in the X input method client in libX11.
    o Fixed potential information leak via X server pixel data
      uninitialized memory.
    o Fixed a race condition for isoc devices during device close.
    o Fixed an integer overflow in libX11 which could lead to a double
    o Corrected multiple input validation deficits in X server

 - Routing daemons and other userland network improvements:
    o In bgpctl(8), the "reload" command now takes a 'reason' argument
      to use as Administrative Shutdown Communication to its neighbors.
    o Added bgpctl(8) support for VPNv6 in the family option of the
      "show rib" command.
    o Added bgpctl(8) support for JSON formatted output in various
      "show" commands.
    o Improve performance of ospfd(8), ospf6d(8) by using the
      ROUTE_FLAGFILTER setsockopt to filter out routing socket messages
      for L2 and broadcast routes.
    o Modified ldapd(8) use of "ldaps" and "tls" keywords to enable only
      the libtls defaults for protocols and ciphers. The new "legacy"
      keyword can be used before these keywords in ldapd.conf(5) to
      enable them all.
    o Added a bsd.schema to ldapd(8) including a shadowPassword and an
      sshPublicKey attribute which can be used to extend existing LDAP
      users with the additional bsdAccount objectclass.
    o Removed support for the socket keyword in snmpd.conf(5).
    o Allowed snmpd(8) to define the port we listen on.
    o Allowed snmp(1) mibtree to take one or more arguments to be
      converted to a chosen output format.
    o Replaced relayd(8)'s agentx backend and reworked the object
      structure to be in line with what is defined in the MIB.
    o Introduced a "dark mode" for directory listings and error pages in
    o Allowed specifying -d multiple times in slowcgi(8).
    o Added unveil(2) to the main process of relayd(8).
    o Added support for non-localhost fastcgi sockets to httpd.conf(5).
    o Fixed a hang in rpki-client(8) by properly waiting for exiting
      openrsync(1) processes.
    o Removed the -f (force) option in rpki-client(8).
    o rpki-client(8) no longer uses openrsync(1)'s "--delete" to clean
      up stale files, but instead relies on cryptographically signed
      RPKI manifest listings.
    o Fixed rpki-client(8) return value check for OpenSSL API used
      during pubkey validation.
    o Released rpki-client(8) 6.7p1 including OpenBSD 6.7 Errata 015.
    o Changed rpki-client(8) -n behavior to automatically validate the
    o Added a "-s timeout" feature to rpki-client(8) with a one hour
      default, allowing fresh attempts with cron(8) if rpki-client gets
    o Added an optional "domain name" acme-client.conf(5) option
      allowing use of multiple domain sections with the same name and
      creation of an rsa and an ecdsa key for the same domain name.
    o Added an optional "contact" acme-client.conf(5) option to the
      account section allowing issuance of certificates from authorities
      that require a contact email address.
    o Added netstat(1) -R to show a summary of rdomains with associated
      interfaces and tables.
    o Defaulted to showing full IPv6 address entries in the routing
      tables displayed by route(8) show and netstat(1) -r.
    o Fixed pcap-filters(5) on DLT_LOOP links, e.g. lo(4), gre(4),
      wg(4), etc.
    o Fixed dhclient(8) domain-search option processing.
    o Corrected dhclient(8) DECLINE message generation to always include
      the OFFER'd address.
    o Enabled append/prepend for the domain-search option in
    o Removed 128-byte limit on dhclient(8) search domains and static
    o Corrected route(8) handling of ::/0 and "route add -inet
      -prefixlen 0 (gateway)".
    o Fixed integer underflow in tcpdump(8) due to tiny snaplen causing
      bogus hexdumps.
    o Added initial tcpdump(8) support for handling geneve packets.
    o Added top(1) "t" to toggle the display of routing tables.
    o Added filtering by routing table to top(1).
    o Moved ntpd(8) to unsynced mode if no replies are received for
      awhile due to connectivity issues.
    o Made slaacd(8) handle IPv6 address configuration in all rdomains
      in a single daemon, instead of running one daemon per rdomain.

 - ipsec(4) (and related userland programs) improvements and bugfixes:
    o Added AES-GCM mode ciphers for IKEv2, configurable in iked.conf(5)
      with the new "ikesa enc" options aes-128-gcm, aes-256-gcm,
      aes-128-gcm-12 and aes-256-gcm-12.
    o Enabled AES-GCM ciphers by default for IKE and Child SAs resulting
      in considerable performance improvements with hardware
      acceleration support.
    o Enabled SHA2_384 and SHA2_512 by default for improved
    o Added the new iked(8) configuration option "set
      enforcesingleikesa" to limit the number of connections for each
    o Added optional iked(8) time-stamp validation for OCSP.
    o Added a 30 second timeout for OCSP requests in iked(8).
    o Added a new "set cert_partial_chain" config option to iked.conf(5)
      to allow verification of partial certificate chains if a trusted
      intermediate CA is found in /etc/iked/ca.
    o Added a dpd_check_interval configuration option to iked.conf(5).
    o Allowed disabling of iked(8) DPD liveness checks by setting
      dpd_check_interval to 0 in iked.conf(5).
    o Made iked(8) use the CA certificate for the OCSP issuer and
      respect the OCSP url from the issuer certificate.
    o Fixed iked(8) public key authentication interoperability with
      *swan and other IKEv2 implementations by making CERT and CERTREQ
      payloads optional.
    o Fixed an iked(8) policy lookup edge case for simultaneous
      transport and tunnel mode SAs.
    o Fixed a dst/src iked(8) port configuration bug with multiple
    o Prioritized incoming certificate requests by the order of CERTEQ
      payloads in the received message in iked(8).
    o Prevented concurrent CREATE_CHILD_SA and INFORMATION exchanges in
    o Handled iked(8) TEMPORARY_FAILURE notification on IKESA rekeying.
    o Fixed multiple bugs with pfkey acquire messages.

 - tmux(1) improvements and bug fixes:
    o How data is sent to control mode clients has been completely
      revamped to both be more fair with multiple panes and to prevent
      huge amounts of data being backed up.
    o Configuration file parsing has changed slightly: the contents of
      the {} syntax must now be valid tmux(1) command syntax; and to
      allow formats to be annotated, strings given with quotes may now
      contain newlines (leading spaces and comments are stripped).
    o A new customize mode available with C-b C (C-b S-c) which allows
      options and key bindings to be browsed and changed interactively.
    o Support for extended keys offered by some terminals (xterm,
      mintty, iTerm2).
    o A pane-border-lines option to change the characters used to draw
      the pane border separators.
    o How UTF-8 data is stored has been rewritten to reduce memory use
      for characters in the BMP.
    o The message log (C-b ~) has been changed to be per server instead
      of per client and to have some useful content.
    o A new active-pane client flag that if given allows a client to
      have its own active pane for each window rather than being tied to
      the server's active pane.
    o Improved command-prompt completion including showing a menu of
    o All style options can now be formats, for example the default
      pane-active-border-style now changes colour depending on
      pane_in_mode and synchronize-panes.
    o Performance improvements in copy mode and additional styles for
      marking of search terms.
    o Window and pane hooks such as window-layout-changed and
      pane-exited are now window or pane options instead of session
    o Added the 'e' key in buffer mode to open the buffer in an editor.
    o Added M-+ and M-- to expand and collapse all items in tree mode.
    o Added a -D flag to run in non-daemonized mode.
    o Added tmux(1) -b flags to insert a window before (like the
      existing -a for after) to break-pane, move-window and new-window.
    o Changed tmux(1) searching to behave more like emacs and prevented
      regex searching from overlapping when searching forward.
    o Allowed a-z keys for tmux(1) display-panes to jump to
      higher-numbered panes.
    o Allowed use of -N without a command to change or add a note to an
      existing key in tmux(1).

 - VMM/VMD and ldom/sparc64 virtualization improvements
    o Fixed ldomctl(8) "init-system" with multiple PCIe root complexes
      (Oracle SPARC T4-2 machines).
    o Made ldomctl(8) reject vdisk, vnet and iodevice parameters for
      primary domain.
    o Made ldomctl(8) "init-system -n" check vcpu and memory
    o Increased the default number of ldom and ttyV devices for sparc64
      from eight to sixteen.
    o Fixed vmd(8) ns8250 lockup due to a race condition, helping to
      prevent linux vm crashes when the return key is held on boot.
    o Prevented possible libevent state corruption in vmd(8).

 - OpenSMTPD 6.8.0
    o Fixed an uninitialized variable and potential stack overflow with
      IPv6 connections in smtpd(8).
    o Fixed smtpd(8) handling of user names containing "@" symbols.
    o Allowed handling of long lines in an smtpd(8) aliases table.
    o Removed mail.local(8) support for world-writable mail spools.

 - LibreSSL 3.2.2
    o New Features
       - This is the first stable release with the new TLSv1.3
         implementation enabled by default for both client and server.
         The OpenSSL 1.1 TLSv1.3 API is not yet available and will be
         provided in an upcoming release.
       - New X509 certificate chain validator that correctly handles
         multiple paths through intermediate certificates. Loosely
         based on Go's X509 validator.
       - New name constraints verification implementation which passes
         the certificate validation check suite.
    o API and Documentation Enhancements
       - New CMAC_Init(3) and ChaCha(3) manual pages.
       - Document SSL_set1_host(3), SSL_set_SSL_CTX(3).
       - Document PKCS7 attribute functions.
       - Document PKCS7_final(3), PKCS7_add_attribute(3).
       - Document PKCS7_get_signer_info(3).
       - Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3).
       - Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3).
       - Document PEM_def_callback(3).
       - Document EVP_read_pw_string_min(3).
       - Merge documentation of X509_get0_serialNumber(3) from OpenSSL
       - Document error handling of X509_PUBKEY_get0(3) and
       - Document X509_get0_pubkey_bitstr(3)
       - Document openssl(1) certhash.
    o Compatibility Changes
       - Modify I/O behavior so that SSL_MODE_AUTO_RETRY is the
         default similar to new OpenSSL releases.
       - Add the P-521 curve to the list of curves supported by
         default in the client.
       - Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h.
       - Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.
       - Improve TLSv1.3 client certificate selection to allow EC
         certificates instead of only RSA certificates.
       - Add minimal info callback support for TLSv1.3.
       - Support TLSv1.3 options in the openssl(1) command.
       - Add support for additional GOST curves from RFC 7836 and
       - Add OIDs for HMAC using the Streebog hash function.
       - Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5.
       - Enable GOST_SIG_FORMAT_RS_LE when verifying certificate
       - Handle GOST in ssl_cert_dup().
       - Stop sending GOST R 34.10-94 as a CertificateType.
       - Use IANA allocated GOST ClientCertificateTypes.
    o Testing and Proactive Security
       - Greatly expanded test coverage via the tlsfuzzer test
       - Expanded test coverage via the bettertls certificate test
       - Test interoperability with the Botan TLS client.
    o Internal Improvements
       - Collapse x509v3 directory into x509.
       - Add initial support for openbsd/powerpc64.
       - Improve length checks in the TLSv1.3 record layer and provide
         appropriate alerts for violations of record layer limits.
       - Enforce that SNI hostnames received by the TLS server are
         correctly formed as per RFC 5890 and RFC 6066, responding
         with illegal parameter for a nonconformant host name.
       - Support SSL_MODE_AUTO_RETRY in TLSv1.3 to allow the automatic
         retry of handshake messages.
       - Improve the handling of BIO_read(3)/BIO_write(3) failures in
         the TLSv1.3 stack.
       - Start replacing the existing TLSv1.2 record layer.
       - Simplify SSL method lookups.
       - Clean up and simplify SSL_get_ciphers(3), SSL_set_session(3),
         SSL_set_ssl_method(3) and several internal functions.
       - Refactor dtls1_new(), dtls1_hm_fragment_new(),
         dtls1_drain_fragments(), dtls1_clear_queues().
       - Make the message type available in the internal TLS
         extensions API functions.
       - Numerous openssl(1) subcommands were converted to the new
         option handling.
       - Copy the session ID directly in ssl_get_prev_session()
         instead of handing it through several functions for copying.
       - Clean up and refactor ssl_get_prev_session(); simplify
         tls_decrypt_ticket() and tls1_process_ticket() exit paths.
    o Portable Improvements
       - Make pthread_mutex static initialisation work on Windows.
       - Get __STRICT_ALIGNMENT from machine/endian.h with portable
    o Bug Fixes
       - Fix an off-by-one in the CBC padding removal.
       - Enforce in the TLSv1.3 server that that ClientHello messages
         after a HelloRetryRequest match the original ClientHello as
         per RFC 8446 section 4.1.2
       - Avoid calling freezero with a negative size if a server sends
         a malformed plaintext of all zeroes.
       - Correct use of sockaddr_storage instead of sockaddr in
         openssl(1) s_client, which could lead to using 14 bytes of
         stack garbage instead of an IPv6 address in DTLS mode.
       - Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that
         could cause use-after-free and double-free issues in calling
       - Zero out variable on the stack to avoid leaving garbage in
         the tail of short session IDs.
       - Ensure that appropriate alerts are sent on various error
       - Move state initialization from SSL_clear(3) to ssl3_clear()
         to ensure that it gets correctly reinitialized across a
         SSL_set_ssl_method(3) call.
       - Add a custom copy handler for AES keywrap to fix a
       - Avoid an out-of-bounds write in BN_rand(3).
       - Fix numerous leaks in the UI_dup_*(3) functions. Simplify and
         tidy up the code in ui_lib.c.
       - Correctly track selected ALPN length to avoid a potential
         segmentation fault with SSL_get0_alpn_selected(3) when
         alpn_selected is NULL.
       - Include machine/endian.h gost2814789.c in order to pick up
         the __STRICT_ALIGNMENT define.
       - Correctly handle ssl_cert_dup() failure in
       - Fail on receiving an invalid NID in X509_ATTRIBUTE_create(3)
         instead of constructing a broken objects that may cause NULL
         pointer accesses.
       - Fix SSL_shutdown(3) behavior in TLSv1.3 to match the legacy
         stack. The previous behavior could cause a hang.
       - Modify "openssl x509" to display invalid certificate times as
         invalid, and correctly deal with the failing return case from
         X509_cmp_time(3) so that a certificate with an invalid
         NotAfter does not appear valid.

 - OpenSSH 8.4
    o Potentially incompatible changes.
       - For FIDO/U2F support, OpenSSH recommends the use of libfido2
         1.5.0 or greater. Older libraries have limited support at the
         expense of disabling particular features. These include
         resident keys, PIN- required keys and multiple attached
       - ssh-keygen(1): the format of the attestation information
         optionally recorded when a FIDO key is generated has changed.
         It now includes the authenticator data needed to validate
         attestation signatures.
       - The API between OpenSSH and the FIDO token middleware has
         changed and the SSH_SK_VERSION_MAJOR version has been
         incremented as a result. Third-party middleware libraries
         must support the current API version (7) to work with OpenSSH
       - The portable OpenSSH distribution now requires automake to
         rebuild the configure script and supporting files. This is
         not required when simply building portable OpenSSH from a
         release tar file.
    o New Features
       - ssh(1), ssh-keygen(1): support for FIDO keys that require a
         PIN for each use. These keys may be generated using
         ssh-keygen using a new "verify-required" option. When a
         PIN-required key is used, the user will be prompted for a PIN
         to complete the signature operation.
       - sshd(8): authorized_keys now supports a new "verify-required"
         option to require FIDO signatures assert that the token
         verified that the user was present before making the
         signature. The FIDO protocol supports multiple methods for
         user-verification, but currently OpenSSH only supports PIN
       - sshd(8), ssh-keygen(1): add support for verifying FIDO
         webauthn signatures. Webauthn is a standard for using FIDO
         keys in web browsers. These signatures are a slightly
         different format to plain FIDO signatures and thus require
         explicit support.
       - ssh(1): allow some keywords to expand shell-style ${ENV}
         environment variables. The supported keywords are
         CertificateFile, ControlPath, IdentityAgent and IdentityFile,
         plus LocalForward and RemoteForward when used for Unix domain
         socket paths.
       - ssh(1), ssh-agent(1): allow some additional control over the
         use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment
         variable, including forcibly enabling and disabling its use.
       - ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a
         time limit for keys in addition to its current flag options.
         Time- limited keys will automatically be removed from
         ssh-agent after their expiry time has passed.
       - scp(1), sftp(1): allow the -A flag to explicitly enable agent
         forwarding in scp and sftp. The default remains to not
         forward an agent, even when ssh_config enables it.
       - ssh(1): add a '%k' TOKEN that expands to the effective
         HostKey of the destination. This allows, e.g., keeping host
         keys in individual files using "UserKnownHostsFile
       - ssh(1): add %-TOKEN, environment variable and tilde expansion
         to the UserKnownHostsFile directive, allowing the path to be
         completed by the configuration.
       - ssh-keygen(1): allow "ssh-add -d -" to read keys to be
         deleted from stdin.
       - sshd(8): improve logging for MaxStartups connection
         throttling. sshd will now log when it starts and stops
         throttling and periodically while in this state.
    o Bugfixes
       - ssh(1), ssh-keygen(1): better support for multiple attached
         FIDO tokens. In cases where OpenSSH cannot unambiguously
         determine which token to direct a request to, the user is now
         required to select a token by touching it. In cases of
         operations that require a PIN to be verified, this avoids
         sending the wrong PIN to the wrong token and incrementing the
         token's PIN failure counter (tokens effectively erase their
         keys after too many PIN failures).
       - sshd(8): fix Include before Match in sshd_config(5).
       - ssh(1): close stdin/out/error when forking after
         authentication completes ("ssh -f ...").
       - ssh(1), sshd(8): limit the amount of channel input data
         buffered, avoiding peers that advertise large windows but are
         slow to read from causing high memory consumption.
       - ssh-agent(1): handle multiple requests sent in a single
         write() to the agent.
       - sshd(8): allow sshd_config(5) longer than 256k
       - sshd(8): avoid spurious "Unable to load host key" message
         when sshd load a private key but no public counterpart
       - ssh(1): prefer the default hostkey algorithm list whenever we
         have a hostkey that matches its best-preference algorithm.
       - sshd(1): when ordering the hostkey algorithms to request from
         a server, prefer certificate types if the known_hosts files
         contain a key marked as a @cert-authority;
       - ssh(1): perform host key fingerprint comparisons for the "Are
         you sure you want to continue connecting
         (yes/no/[fingerprint])?" prompt with case sensitivity.
       - sshd(8): ensure that address/masklen mismatches in
         sshd_config yield fatal errors at daemon start time rather
         than later when they are evaluated.
       - ssh-keygen(1): ensure that certificate extensions are
         lexically sorted. Previously if the user specified a custom
         extension then the everything would be in order except the
         custom ones.
       - ssh(1): also compare username when checking for JumpHost
       - ssh-keygen(1): preserve group/world read permission on
         known_hosts files across runs of "ssh-keygen -Rf /path". The
         old behaviour was to remove all rights for group/other.
       - ssh-keygen(1): Mention the [-a rounds] flag in the ssh-keygen
         manual page and usage().
       - sshd(8): explicitly construct path to ~/.ssh/rc rather than
         relying on it being relative to the current directory, so
         that it can still be found if the shell startup changes its
       - sshd(8): when redirecting sshd's log output to a file, undo
         this redirection after the session child process is forked().
         Fixes missing log messages when using this feature under some
       - sshd(8): start ClientAliveInterval bookkeeping before first
         pass through select() loop; fixed theoretical case where busy
         sshd may ignore timeouts from client.
       - ssh(1): only reset the ServerAliveInterval check when we
         receive traffic from the server and ignore traffic from a
         port forwarding client, preventing a client from keeping a
         connection alive when it should be terminated.
       - ssh-keygen(1): avoid spurious error message when ssh-keygen
         creates files outside ~/.ssh
       - sftp-client(1): fix off-by-one error that caused sftp
         downloads to make one more concurrent request that desired.
         This prevented using sftp(1) in unpipelined request/response
         mode, which is useful when debugging.
       - ssh(1), sshd(8): handle EINTR in waitfd() and
         timeout_connect() helpers.
       - ssh(1), ssh-keygen(1): defer creation of ~/.ssh until we
         attempt to write to it so we don't leave an empty .ssh
         directory when it's not needed.
       - ssh(1), sshd(8): fix multiplier when parsing time
         specifications when handling seconds after other units.

 - Ports and packages:
    o Pre-built packages are available for the following architectures on
      the day of release:
       - aarch64 (arm64): 10768
       - amd64: 11234
       - i386: 10548
       - mips64: 8540
       - powerpc64: 6221
       - sparc64: 9688
    o Packages for the following architectures will be made available as
      their builds complete:
       - arm
       - mips64el
       - powerpc

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.7 with xserver 1.20.8 + patches,
      freetype 2.10.2, fontconfig 2.12.4, Mesa 20.0.8, xterm 351,
      xkeyboard-config 2.20 and more)
    o LLVM/Clang 10.0.1 (+ patches)
    o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    o Perl 5.30.3 (+ patches)
    o NSD 4.3.2
    o Unbound 1.11.0
    o Ncurses 5.7
    o Binutils 2.17 (+ patches)
    o Gdb 6.3 (+ patches)
    o Awk August 7, 2020 version
    o Expat 2.2.8

- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each release.  Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible.  Therefore, we advise regular
visits to

- MAILING LISTS AND FAQ ------------------------------------------------

Mailing lists are an important means of communication among users and
developers of OpenBSD.  For information on OpenBSD mailing lists, please

You are also encouraged to read the Frequently Asked Questions (FAQ) at:

- DONATIONS ------------------------------------------------------------

The OpenBSD Project is a volunteer-driven software group funded by
donations.  Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others.  This ecosystem is all handled under the same funding umbrella.

We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon

All of our developers strongly urge you to donate and support our future
efforts.  Donations to the project are highly appreciated, and are
described in more detail at:

- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation ( is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.

There may also be exposure benefits since the Foundation may be
interested in participating in press releases.  In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at for
more information.

- RELEASE SONG ---------------------------------------------------------

OpenBSD 6.8 comes with the song "Hacker People".  Lyrics (and an
explanation) of the song may be found at:

- HTTPS INSTALLS -------------------------------------------------------

OpenBSD can be easily installed via HTTPS downloads.  Typically you need
a single small piece of boot media (e.g., a USB flash drive) and then
the rest of the files can be installed from a number of locations,
including directly off the Internet.  Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTPS.

1) Read either of the following two files for a list of HTTPS mirrors
   which provide OpenBSD, then choose one near you:

   As of October 18, 2020, the following HTTPS mirror sites have the
   6.8 release:            Global         Stockholm, Sweden          Frankfurt, Germany           Oldenburg, Germany         Paris, France       Brisbane, Australia        CO, USA       CA, USA            TX, USA     Toronto, Canada Global     Global

        The release is also available at the master site:            Alberta, Canada

        However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that HTTPS mirror site and go into the directory
   pub/OpenBSD/6.8/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     armv7/        octeon/             sgi/
        README           hppa/ sparc64/
        SHA256           i386/         packages/           src.tar.gz
        SHA256.sig       landisk/      packages-stable/    sys.tar.gz
        alpha/           loongson/     ports.tar.gz        xenocara.tar.gz
        amd64/           luna88k/      powerpc64/
        arm64/           macppc/       root.mail

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, amd64.  This is a list of what you will see:

        BOOTIA32.EFI*   bsd*            floppy68.img    pxeboot*
        BOOTX64.EFI**         game68.tgz      xbase68.tgz
        BUILDINFO       bsd.rd*         index.txt       xfont68.tgz
        INSTALL.amd64   cd68.iso        install68.img   xserv68.tgz
        SHA256          cdboot*         install68.iso   xshare68.tgz
        SHA256.sig      cdbr*           man68.tgz
        base68.tgz      comp68.tgz      miniroot68.img

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
   and install68.iso.  The install68.iso file (roughly 536MB in size)
   is a one-step ISO-format install CD image which contains the various
   *.tgz files so you do not need to fetch them separately.

   If you prefer to use a USB flash drive, fetch install68.img and
   follow the instructions in INSTALL.amd64.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.amd64.  INSTALL.amd64 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

   This is the page where we talk about the mistakes we made while
   creating the 6.8 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.7.  Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc.  During installation, you can install X.Org
quite easily using xenodm(1), our simplified X11 display manager forked
from xdm(1).

- PACKAGES AND PORTS ---------------------------------------------------

Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures.  Please see for
more information on working with packages and ports.

Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed

- SYSTEM SOURCE CODE ---------------------------------------------------

The source code for all four subsystems can be found in the
pub/OpenBSD/6.8/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

The README ( file
explains how to deal with these source files.

- THANKS ---------------------------------------------------------------

Ports tree and package building by Jasper Lievisse Adriaanse,
Pierre-Emmanuel Andre, Visa Hankala, Stuart Henderson, Peter Hessler,
Kurt Mosiejczuk, Christian Weisgerber, and Charlene Wendling.
Base and X system builds by Kenji Aoyama, Theo de Raadt, and
Visa Hankala.  Release art contributed by Siah Files.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who bought our previous CD sets.  Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.

Our developers are:

    Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall,
    Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov,
    Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley,
    Antoine Jacoutot, Anton Lindqvist, Asou Masato, Ayaka Koshibe,
    Benoit Lecocq, Bjorn Ketelaars, Bob Beck, Brandon Mercer,
    Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar,
    Carlos Cardenas, Charlene Wendling, Charles Longeau,
    Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann,
    Claudio Jeker, Dale Rahn, Damien Miller, Daniel Dickman,
    Daniel Jakots, Darren Tucker, David Coppa, David Gwynne, David Hill,
    Denis Fondras, Doug Hogan, Edd Barrett, Elias M. Mariani,
    Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus,
    George Koehler, Gerhard Roth, Giannis Tsaraias, Gilles Chehade,
    Giovanni Bechis, Gleydson Soares, Gonzalo L. Rodriguez, Greg Steuck,
    Helg Bredow, Henning Brauer, Ian Darwin, Ian Sutton, Igor Sobrado,
    Ingo Feinerer, Ingo Schwarze, Inoguchi Kinichiro, James Turner,
    Jan Klemkow, Jason McIntyre, Jasper Lievisse Adriaanse,
    Jeremie Courreges-Anglas, Jeremy Evans, Job Snijders, Joel Sing,
    Joerg Jung, Jonathan Armani, Jonathan Gray, Jonathan Matthew,
    Jordan Hargrave, Joris Vink, Joshua Stein,
    Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama,
    Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov,
    Klemens Nanni, Kurt Miller, Kurt Mosiejczuk, Landry Breuil,
    Lawrence Teo, Marc Espie, Marcus Glocker, Mark Kettenis,
    Mark Lumsden, Markus Friedl, Martijn van Duren, Martin Natano,
    Martin Pieuchot, Martin Reindl, Martynas Venckus, Mats O Jansson,
    Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Mikonos,
    Mike Belopuhov, Nayden Markatchev, Nicholas Marriott, Nigel Taylor,
    Okan Demirmen, Ori Bernstein, Otto Moerbeek, Paco Esteban,
    Pamela Mosiejczuk, Pascal Stumpf, Patrick Wildt, Paul Irofti,
    Pavel Korovin, Peter Hessler, Philip Guenther,
    Pierre-Emmanuel Andre, Pratik Vyas, Rafael Sadowski,
    Rafael Zalamena, Raphael Graf, Remi Locherer, Remi Pointel,
    Renato Westphal, Ricardo Mestre, Richard Procter, Rob Pierce,
    Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha,
    Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
    Solene Rapenne, Stefan Fritsch, Stefan Kempf, Stefan Sperling,
    Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda,
    T.J. Townsend, Ted Unangst, Theo Buehler, Theo de Raadt,
    Thomas Frohwein, Tim van der Molen, Tobias Heider,
    Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove,
    Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov,
    Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Yasuoka Masahiko,
    Yojiro Uo