OpenBSD 6.8 released, - Oct 18, 2020
18 October, 2020 by deraadt@openbsd.org | openbsd
------------------------------------------------------------------------
- OpenBSD 6.8 RELEASED -------------------------------------------------
October 18, 2020.
We are pleased to announce the official release of OpenBSD 6.8.
This day marks the OpenBSD project's 25th anniversary. As we celebrate
our 49th release, we remain proud of OpenBSD's record of more than
twenty years with only two remote holes in the default install.
As in our previous releases, 6.8 provides significant improvements,
including new features, in nearly all areas of the system:
- New/extended platforms:
o New powerpc64 platform, supporting PowerNV (non-virtualized)
systems with POWER8 and POWER9 CPUs, such as Raptor Computing
Systems Talos II and Blackbird systems. POWER8 support has not
been tested on real hardware yet.
- Improvements to time measurements, mostly in the kernel:
o Added support in the kernel and libc for timecounting in userland,
eliminating the need for a context switch everytime a process
requests the current time, thereby improving speed and
responsiveness in programs which make many gettimeofday(2) calls,
especially browsers and office software.
The userland timecounters are enabled on the amd64, arm64, macppc,
octeon and sparc64 architectures.
o Added a ktrace(1) -T option to make time-related system calls more
prominent.
o Added tsc_delay(), a delay(9) implementation based on the TSC, to
amd64.
o Used an LFENCE instruction everywhere RDTSC is used for a time
measurement, reducing the jitter in TSC skew measurements.
o Introduced gettime(9) and getuptime(9) and substituted these for
time_second(9) and time_uptime(9) throughout the kernel to prevent
split-read problems on 32-bit platforms.
o Synchronized each core's CP0 cycle counter using the IO clock
counter on mips64 and octeon, making the cycle counter usable as
timecounter.
o Improved CPU frequency scaling in automatic performance mode by
removing accounting for offline CPUs.
- Various kernel improvements:
o Added intrmap, an interrupt to CPU mapping API that is used by
hardware drivers to use multiple CPUs for interrupt handling.
o Added an ioctl PCIOCGETVPD allowing userland to access read-only
support information about pci devices via the vpd register.
o Set ddb(4) "/t" to show a trace via TID on all architectures.
o Introduced kstat(1), a subsystem to allow the kernel to expose
statistics to userland.
o Added kstat to cnmac(4).
o Added support for remote coverage to kcov(4).
o Moved sysctl(2) CTL_DEBUG from DEBUG to the new DEBUG_SYSCTL.
o Prevented creation of bogus sd(4) devices for nvme(4) namespaces
which are configured but have size 0.
o Added READ(12)/WRITE(12) support to cd(4).
o Used READ(16)/WRITE(16) commands for disks large enough to require
them to access the last sectors, fixing large 512E devices plugged
into USB to ATA/ATAPI bridges which mistakenly use 4K sector
addresses/sizes.
o Restored VGA fonts on VT switch, preventing an unusable screen
when switching to a VT with a custom VGA font from X.
o Ensured only pseudo-terminal devices use reprint delays.
o Prevented improper disabling of the backlight in umstc(4) when
brightness is adjusted to 0.
o Provided an optimized implementation of ffs(3) in the kernel on
arm64/powerpc/powerpc64.
o Rewrote m88k mutex code as a slight variation of the MI mutex
code, potentially improving stability and rendering mutex spinning
time visible in top(1).
o Reworked kernel loading with octboot, the OpenBSD/octeon
bootloader, which now does not rely on a mounted filesystem.
o Ensured scsi(4) devices do not attempt to process bogus MODE SENSE
data.
- Various new userland features:
o Imported login_ldap(8), using ldap(1) rather than openldap.
o Added support for set -o pipefail to ksh(1), potentially helping
error checking.
o Cleared the screen in ksh(1)'s vi mode before redrawing the line
with ^L.
o Implemented the gensub(), systime() and strftime() functions for
awk(1).
o Allowed specification of supported TLS protocols in ftp(1) "-S
protocols".
o Switched the default man(1) pager from "more(1) -s" to less(1).
o Supported -T html -O tag in man(1) by passing a file:// URI to the
pager.
o Added fstat(1) support for looking up unix domain sockets by file
name.
o Added / as an alias for g (grep) in top(1).
o Provided a naptime variable for userspace via kvm_read(3), usable
by vmstat(8).
o Allowed switching between alternate devices (-F) with sndioctl(1).
o Added the ability to set and display video(1) control values
directly on the CLI.
o Allowed the combination of video(1) "-dc" options, reset and
display control values.
o Added video(1) white balance temperature control through w/W keys.
o Added control for backlight compensation to video(4).
o Initialized v4l2_requestbuffers for libv4l compatibility, allowing
view of video encodings not directly supported by video(1).
o Added a new column to wsfontload(8) -l output to report the number
of characters contained in a loaded font.
o Relaxed filename checks in syspatch(8) to allow use of hyphens.
o Enabled btrace(8) (dt(4) not yet enabled in GENERIC, though).
o Added btrace(8) -p flag to filter all actions by PID.
o Implemented linear and power-of-two histograms in bt(5).
o Added support for "&" and "|" operators in btrace scripts.
- Various bugfixes and tweaks in userland:
o Fixed the ksh(1) exit code when evaluating a || compound list to
prevent termination of the shell when running under -e.
o Fixed "$@" splitting with empty IFS in ksh(1).
o Stopped incrementing openclass for a literal "[" in awk(1),
allowing parsing of expressions such as "/[[/[]/".
o Fixed make(1) :S with anchors and replacement.
o Prevented mg(1) from running out of memory or segfaulting with
query-replace-regex ^.
o Fixed ls(1) -R mode to not display subdirectories of a directory
beginning with '.' and ensure directory names are always
displayed.
o Prevented a core dump in ftp(1) during fetch abort.
o Taught su(1) -l -f to start a regular shell for non-csh shells
rather than a login shell.
o Used su(1) -fl to avoid sourcing the target user's .profile in
rc.d(8)/rcctl(8).
o Fixed merging of files that lack newlines for diff3(1), OpenRCS
and OpenCVS.
o Prevented rcs(1) removal of locked revisions with rcs -orange,
avoiding leaving behind a lock for a revision which no longer
exists.
o Fixed sndiod(8) crashes when USB devices are disconnected.
o Fixed the initial sndiod(8) alternate device number, preventing
device number 1 from being skipped on first use.
o Switched the default CDDB database for cdio(1) to
gnudb.gnudb.org:8880.
o Stopped syslogd(8) from closing UDP sockets for sending messages
when DNS lookup of a UDP loghost fails, allowing them to be used
to send if DNS is working during the next SIGHUP.
o Prevented established TCP and TLS sockets of syslogd(8) from
staying open forever if a client aborted the connection silently.
o Avoided reading one byte before the path buffer in mountd(8).
o Made apmd(8) always ask the kernel about current hw.perfpolicy
rather than maintaining state.
o Prevented an unveil(2) failure with chdir / on sensorsd(8).
o Fixed a segmentation fault in pstat(8)'s printing of active
vnodes.
o Corrected getopt_long(3) parsing of a trailing dash in an option
group, which was being incorrectly returned as an argument.
o Prevented callers inspecting unrelated fields in the libc resolver
function asr_run().
o Introduced a darker xenodm(1) login widget and a lower contrast
default background.
o Fixed an xconsole(1) crash by starting it after setting the
background.
- Improved hardware support and driver bugfixes, including:
o Enabled scrollback in simplefb(4).
o Fixed display glitches on smaller screens or with larger fonts in
efifb(4) associated with remapping and attaching.
o Improved reporting of remaining power with batteries of different
capacities in acpi(4).
o Fixed bogus frame sizes being returned by xhci(4).
o Added wsmoused(8) support to efifb(4).
o Added umstc(4), a driver for Microsoft Surface Type Cover
keyboards.
o Introduced acpihid(4) for ACPI HID event and 5-button array
devices.
o Moved Powerbook5,4 audio from aoa(4) to snapper(4), adding the
missing TAS3004 volume control.
o Fixed broken HID descriptors of Elecom trackballs with 6 or 8
buttons.
o Added RK3328 PWM, also found in the RK3308, to rkpwm(4).
o Added RK3308 temperature sensors to rktemp(4).
o Added pcamux(4), a driver for the PCA9548 I2C switch.
o Introduced a framework for digital audio interfaces, and added
simpleaudio(4), a driver for "simple audio cards." This is a
wrapper connecting the I2S controller, the codec and some aux
devices, and simpleamp(4), a driver for "simple audio amplifier,"
one of the aux devices for simpleaudio(4).
o Enabled nvme(4) on i386.
o Added support for the Ericsson F5521gw Mobile Broadband Modem.
o Ensured the STOP command sent by sd(4) on powerdown will not
result in hanging the machine if commands to the USB mass storage
fail.
o Fixed intermittent failing pms(4) device initialization seen on
some Synaptics devices.
o Corrected trackstick/button attachment of Windows Precision
Touchpad imt(4) devices, fixing behavior on certain Dell Latitude
laptops.
o Improved speed of scrolling by optimizing rasops(9) write-only
framebuffer console.
o Modified uvideo(4) to fix webcam detection in Firefox 78.
o Added a SENSOR_ENERGY sensor type to the sensors framework API
which uses microjoules.
o Added support for the AMDI0010 touchpad on the Inspiron 5505.
o Avoided nvram lock timeout on sparc64 systems with onboard BCM5704
bge(4) instances that come without a fitted EEPROM/NVRAM.
o Added pms(4) support for the Elantech v1 touchpad with firmware
version 0x20022.
o Added sdmmc(4) support for eMMC HS200 mode.
o Added Exar XR17V35x serial port support.
o Properly implemented amlmmc(4) setting of signal voltage.
o Implemented UHS-I support in the sdmmc(4) midlayer and enabled it
in amlmmc(4).
o Introduced abl(4), a new driver to control the backlight
brightness on Intel-based Apple machines, and allowed it to be
controlled through wsconsctl(8).
o Disabled acpivout(4) brightness control on machines aware of
Windows 8, enabling inteldrm to handle brightness ioctls.
o Fixed eeprom(8) error when setting variables on macppc.
o Updated drm(4) to Linux 5.7.19.
- New or improved network hardware support:
o Enabled multiple tx/rx queues with Toeplitz RSS hashing in vmx(4),
ix(4) and ixl(4).
o Added support for hardware VLAN tagging and checksumming to mcx(4)
and bnxt(4).
o Fixed a crash in re(4).
o Added bge(4) support for the BCM5719 A1 Ethernet controller.
o Handled AGL interfaces on octeon, making management network ports
usable on some machines.
o Added support for the mcx(4) ConnectX-6 Dx.
o Fixed a potential crash when bringing down an mcx(4) interface.
o Increased the mcx(4) event queue size, preventing a potential
interrupt storm on the ConnectX-4.
o Fixed outbound bpf(4) tap on ogx(4) interfaces.
o Improved ure(4) performance by combining multiple sent packets
into one transfer.
o Added support for RK3308 Ethernet to dwge(4).
o Added rge(4) support for newer RTL8125 chipset (RTL8125B).
- Added or improved wireless network drivers:
o Added support to urtwn(4) for TP-Link TL-WN822N-EU v5 (and v4).
o Added WPA2 (CCMP) crypto offload support to iwm(4) and iwx(4),
reducing CPU load during traffic bursts.
o Fixed causes of several fatal firmware errors on iwx(4) devices.
o Added bwfm(4) support for BCM4359 SDIO variants such as the
AP6359SA module found on the RockPro64 WiFi module.
o Enabled critical temperature detection in iwx(4) firmware.
o Fixed mbuf leak in urtwn(4) with frames CCMP-encrypted by
hardware.
o Added support for the D-Link DWA-121 rev B1 urtwn(4) device.
o Repaired athn(4) in client mode against WPA2 access points.
o Prevented a panic where athn(4) attempted to transmit old,
unencryptable frames after switching to a new group key in hostap
mode.
o Switched iwx(4) from -46 to -48 firmware.
o Enabled background scanning on iwx(4) devices.
o Fixed gain calibration for some iwn(4) devices (5000 and up).
o Added support for AX201 devices to iwx(4).
- New arm64 and armv7 hardware support and bugfixes, including:
o Added amlpwrc(4), a driver for the power domain controller found
on Amlogic SoCs.
o Made OpenBSD boot on the ODROID-C4 with power domain in
amldwusb(4).
o Added support for the SD card detect pins on the Turris Mox.
o Added support for the Marvell Xenon SDHC, used as storage on the
Armada 3700 and 8040 SoCs.
o Opened up a 4GB memory bus window for mvneta(4) on the Marvell
Armada 3700, making the second Ethernet controller/port work on
the Turris Mox.
o Added mkvpcie(4), a driver for the Aardvark PCIe controller found
on the Armada 3700 SoC.
o Adjusted dwpcie(4) timing to improve likelihood of a successful
PCIe link on the i.MX8MM. Avoids a failure to detect em(4) on the
HummingBoard Pulse.
o Added cwfg(4), a driver for the Cellwise CW201x fuel gauge on the
Pinebook Pro.
o Populated a list of 256 brightness levels as a fallback when the
device tree does not specify a list, making the Pinebook Pro
display work with the dtb from Linux 5.7.
o Added escodec(4), a driver for the Everest ES8316 audio codec used
on the Pinebook Pro.
o Added rkiis(4), a driver for the I2S controller found on the
Rockchip RK3399.
o Added bcmtmon(4), a driver for the temperature sensor on the
Raspberry Pi 4.
o Introduced mvpp(4), a driver for the Marvell Packet Processor v2
as used on the Armada 7K and 8K SoCs.
o Improved PLL1(CPU_PLL) stability for the Allwinner H3/H2+.
o Ported NetBSD's arm64 disassembler for ddb(4).
o Enabled spleen16x32 and spleen32x64 fonts on armv7 for GENERIC
kernels.
o Enabled building wsmoused(8) and wsfontload(8) on arm64 and armv7.
- IEEE 802.11 wireless stack improvements and bugfixes:
o Fixed CCMP replay checks with 11n Rx aggregation and CCMP hardware
offloading.
o In hostap mode, complete WPA group key renewals immediately if no
station is associated.
o Improved processing of lost frames during 802.11 Rx aggregation.
o Allowed passage of unencrypted 802.11 frames during hardware
decryption post-processing, fixing failure of some ral(4) devices
to receive packets on encrypted networks.
o Prevented a use-after-free when a wireless device is detached.
- Generic network stack improvements and bugfixes:
o Implemented a carp(4) transmit bypassing the ifq on output,
enqueuing the packet directly on the parent interface.
o Fixed pf.conf(5) "route-to TABLE least-states" in an anchor.
o Allowed pf(4) to divert packets from bridge(4) to local socket.
o Rehashed main pf(4) rulesets after rule expiration.
o Added a check for pfctl(8) that an rtable exists when parsing the
config.
o Corrected ruleset checksum calculation to allow pfsync(4) to
verify rulesets are identical on all nodes.
o Added wg(4), an in-kernel driver for WireGuard VPN communication.
o Protected the whole pipex(4) layer by NET_LOCK().
o Stopped creation of non-existent bridge(4) interfaces.
o Added a symmetric toeplitz implementation with integration for
nics, usable through the stoeplitz_to_key(9) hash algorithm API.
o Changed tpmr(4) from ifconfig [-]trunkport to add|del synopsis.
o Filtered vlan and svlan packets by default for tpmr(4).
o Implemented IPv6 source address selection as outlined in RFC 6724
section 5.
o Set IPv6 source address selection to prefer the address with the
highest preferred lifetime in case of a tie.
o Stopped preventing TCP connections to IPv6 anycast addresses.
o Added the pcap-filter(5) "sample NUM" primitive to allow capture
of 1/NUM packets.
o Added a ROUTE_FLAGFILTER socket option for routing sockets,
allowing routing daemons to opt out of receiving messages for L2
and broadcast route entries.
o Allowed SIOCSWGDPID and SIOCSWGMAXFLOW ioctls for non-root,
preventing switch(4) interfaces from appearing partially as
bridge(4) devices for unprivileged users running ifconfig(8).
o Modified trunk(4) to keep port interfaces UP on removal, matching
aggr(4) behavior.
o Fixed rdomain(4) handling for IPv6.
o Fixed rtable(4) separation of raw sockets for IPv6.
o Documented rtable(4) removal semantics.
- Installer improvements:
o On systems with multiple root disks, the installer will upgrade
the disk with auto_upgrade.conf present when the upgrade was
initiated by sysupgrade(8).
o Changed install images called *.fs to *.img to accommodate some
UEFI bootloaders.
o Forced long-names on msdos filenames for installboot on most
32-bit architectures.
o Converted macppc, octeon and loongson to use machine-independent
installboot.
- Improvements in the FFS2 filesystem:
o Made FFS2 the default for newfs(8), except for mfs.
o Improved reliability of very large FFS2 filesystems.
o Improved speed of checking FFS2 filesystems.
o Enabled the FFS2 option on the luna88k ramdisk.
o Made FFS2 the default non-root filesystems on landisk, sgi and
luna88k.
- Security improvements:
o Added RB_GOODRANDOM passed from bootloader to kernel in boothowto,
indicating confidence a "great seed" was loaded.
o Passed boothowto from the sparc64 bootloader to the kernel using
.openbsd.bootdata.
o Introduced detection of /etc/random.seed reuse.
o Rewrote the entropy enqueue ring to collect damage asynchronously
and adapted the dequeue to mix a selection of "best" ring entries,
exponentially backing off the dequeue timeout, to compensate
rapidly for weak seeding in unidentifiable conditions and ensure
quality to arc4random() calls early in boot.
o Enabled PAN (Privileged Access Never) on arm64 CPUs supporting it.
o Skipped scanning file systems which are both nodev and nosuid for
SUID, SGID and device files with security(8).
o Fixed two out-of-bounds array accesses in ioctl code pathways in
wscons(4).
o Fixed information leak in semctl SEM_GET.
o Prevented root from freezing the UTC clock with settimeofday(2) at
securelevel 2.
o Fixed performance problems relating to tty subsystem abuse.
o Fixed heap corruption in the X input method client in libX11.
o Fixed potential information leak via X server pixel data
uninitialized memory.
o Fixed a race condition for isoc devices during device close.
o Fixed an integer overflow in libX11 which could lead to a double
free.
o Corrected multiple input validation deficits in X server
extensions.
- Routing daemons and other userland network improvements:
o In bgpctl(8), the "reload" command now takes a 'reason' argument
to use as Administrative Shutdown Communication to its neighbors.
o Added bgpctl(8) support for VPNv6 in the family option of the
"show rib" command.
o Added bgpctl(8) support for JSON formatted output in various
"show" commands.
o Improve performance of ospfd(8), ospf6d(8) by using the
ROUTE_FLAGFILTER setsockopt to filter out routing socket messages
for L2 and broadcast routes.
o Modified ldapd(8) use of "ldaps" and "tls" keywords to enable only
the libtls defaults for protocols and ciphers. The new "legacy"
keyword can be used before these keywords in ldapd.conf(5) to
enable them all.
o Added a bsd.schema to ldapd(8) including a shadowPassword and an
sshPublicKey attribute which can be used to extend existing LDAP
users with the additional bsdAccount objectclass.
o Removed support for the socket keyword in snmpd.conf(5).
o Allowed snmpd(8) to define the port we listen on.
o Allowed snmp(1) mibtree to take one or more arguments to be
converted to a chosen output format.
o Replaced relayd(8)'s agentx backend and reworked the object
structure to be in line with what is defined in the MIB.
o Introduced a "dark mode" for directory listings and error pages in
httpd(8).
o Allowed specifying -d multiple times in slowcgi(8).
o Added unveil(2) to the main process of relayd(8).
o Added support for non-localhost fastcgi sockets to httpd.conf(5).
o Fixed a hang in rpki-client(8) by properly waiting for exiting
openrsync(1) processes.
o Removed the -f (force) option in rpki-client(8).
o rpki-client(8) no longer uses openrsync(1)'s "--delete" to clean
up stale files, but instead relies on cryptographically signed
RPKI manifest listings.
o Fixed rpki-client(8) return value check for OpenSSL API used
during pubkey validation.
o Released rpki-client(8) 6.7p1 including OpenBSD 6.7 Errata 015.
o Changed rpki-client(8) -n behavior to automatically validate the
repo.
o Added a "-s timeout" feature to rpki-client(8) with a one hour
default, allowing fresh attempts with cron(8) if rpki-client gets
stuck.
o Added an optional "domain name" acme-client.conf(5) option
allowing use of multiple domain sections with the same name and
creation of an rsa and an ecdsa key for the same domain name.
o Added an optional "contact" acme-client.conf(5) option to the
account section allowing issuance of certificates from authorities
that require a contact email address.
o Added netstat(1) -R to show a summary of rdomains with associated
interfaces and tables.
o Defaulted to showing full IPv6 address entries in the routing
tables displayed by route(8) show and netstat(1) -r.
o Fixed pcap-filters(5) on DLT_LOOP links, e.g. lo(4), gre(4),
wg(4), etc.
o Fixed dhclient(8) domain-search option processing.
o Corrected dhclient(8) DECLINE message generation to always include
the OFFER'd address.
o Enabled append/prepend for the domain-search option in
dhclient.conf(5).
o Removed 128-byte limit on dhclient(8) search domains and static
routes.
o Corrected route(8) handling of ::/0 and "route add -inet 0.0.0.0
-prefixlen 0 (gateway)".
o Fixed integer underflow in tcpdump(8) due to tiny snaplen causing
bogus hexdumps.
o Added initial tcpdump(8) support for handling geneve packets.
o Added top(1) "t" to toggle the display of routing tables.
o Added filtering by routing table to top(1).
o Moved ntpd(8) to unsynced mode if no replies are received for
awhile due to connectivity issues.
o Made slaacd(8) handle IPv6 address configuration in all rdomains
in a single daemon, instead of running one daemon per rdomain.
- ipsec(4) (and related userland programs) improvements and bugfixes:
o Added AES-GCM mode ciphers for IKEv2, configurable in iked.conf(5)
with the new "ikesa enc" options aes-128-gcm, aes-256-gcm,
aes-128-gcm-12 and aes-256-gcm-12.
o Enabled AES-GCM ciphers by default for IKE and Child SAs resulting
in considerable performance improvements with hardware
acceleration support.
o Enabled SHA2_384 and SHA2_512 by default for improved
compatibilty.
o Added the new iked(8) configuration option "set
enforcesingleikesa" to limit the number of connections for each
peer.
o Added optional iked(8) time-stamp validation for OCSP.
o Added a 30 second timeout for OCSP requests in iked(8).
o Added a new "set cert_partial_chain" config option to iked.conf(5)
to allow verification of partial certificate chains if a trusted
intermediate CA is found in /etc/iked/ca.
o Added a dpd_check_interval configuration option to iked.conf(5).
o Allowed disabling of iked(8) DPD liveness checks by setting
dpd_check_interval to 0 in iked.conf(5).
o Made iked(8) use the CA certificate for the OCSP issuer and
respect the OCSP url from the issuer certificate.
o Fixed iked(8) public key authentication interoperability with
*swan and other IKEv2 implementations by making CERT and CERTREQ
payloads optional.
o Fixed an iked(8) policy lookup edge case for simultaneous
transport and tunnel mode SAs.
o Fixed a dst/src iked(8) port configuration bug with multiple
flows.
o Prioritized incoming certificate requests by the order of CERTEQ
payloads in the received message in iked(8).
o Prevented concurrent CREATE_CHILD_SA and INFORMATION exchanges in
iked(8).
o Handled iked(8) TEMPORARY_FAILURE notification on IKESA rekeying.
o Fixed multiple bugs with pfkey acquire messages.
- tmux(1) improvements and bug fixes:
o How data is sent to control mode clients has been completely
revamped to both be more fair with multiple panes and to prevent
huge amounts of data being backed up.
o Configuration file parsing has changed slightly: the contents of
the {} syntax must now be valid tmux(1) command syntax; and to
allow formats to be annotated, strings given with quotes may now
contain newlines (leading spaces and comments are stripped).
o A new customize mode available with C-b C (C-b S-c) which allows
options and key bindings to be browsed and changed interactively.
o Support for extended keys offered by some terminals (xterm,
mintty, iTerm2).
o A pane-border-lines option to change the characters used to draw
the pane border separators.
o How UTF-8 data is stored has been rewritten to reduce memory use
for characters in the BMP.
o The message log (C-b ~) has been changed to be per server instead
of per client and to have some useful content.
o A new active-pane client flag that if given allows a client to
have its own active pane for each window rather than being tied to
the server's active pane.
o Improved command-prompt completion including showing a menu of
completions.
o All style options can now be formats, for example the default
pane-active-border-style now changes colour depending on
pane_in_mode and synchronize-panes.
o Performance improvements in copy mode and additional styles for
marking of search terms.
o Window and pane hooks such as window-layout-changed and
pane-exited are now window or pane options instead of session
options.
o Added the 'e' key in buffer mode to open the buffer in an editor.
o Added M-+ and M-- to expand and collapse all items in tree mode.
o Added a -D flag to run in non-daemonized mode.
o Added tmux(1) -b flags to insert a window before (like the
existing -a for after) to break-pane, move-window and new-window.
o Changed tmux(1) searching to behave more like emacs and prevented
regex searching from overlapping when searching forward.
o Allowed a-z keys for tmux(1) display-panes to jump to
higher-numbered panes.
o Allowed use of -N without a command to change or add a note to an
existing key in tmux(1).
- VMM/VMD and ldom/sparc64 virtualization improvements
o Fixed ldomctl(8) "init-system" with multiple PCIe root complexes
(Oracle SPARC T4-2 machines).
o Made ldomctl(8) reject vdisk, vnet and iodevice parameters for
primary domain.
o Made ldomctl(8) "init-system -n" check vcpu and memory
constraints.
o Increased the default number of ldom and ttyV devices for sparc64
from eight to sixteen.
o Fixed vmd(8) ns8250 lockup due to a race condition, helping to
prevent linux vm crashes when the return key is held on boot.
o Prevented possible libevent state corruption in vmd(8).
- OpenSMTPD 6.8.0
o Fixed an uninitialized variable and potential stack overflow with
IPv6 connections in smtpd(8).
o Fixed smtpd(8) handling of user names containing "@" symbols.
o Allowed handling of long lines in an smtpd(8) aliases table.
o Removed mail.local(8) support for world-writable mail spools.
- LibreSSL 3.2.2
o New Features
- This is the first stable release with the new TLSv1.3
implementation enabled by default for both client and server.
The OpenSSL 1.1 TLSv1.3 API is not yet available and will be
provided in an upcoming release.
- New X509 certificate chain validator that correctly handles
multiple paths through intermediate certificates. Loosely
based on Go's X509 validator.
- New name constraints verification implementation which passes
the bettertls.com certificate validation check suite.
o API and Documentation Enhancements
- New CMAC_Init(3) and ChaCha(3) manual pages.
- Document SSL_set1_host(3), SSL_set_SSL_CTX(3).
- Document PKCS7 attribute functions.
- Document PKCS7_final(3), PKCS7_add_attribute(3).
- Document PKCS7_get_signer_info(3).
- Document PEM_ASN1_read(3) and PEM_ASN1_read_bio(3).
- Document PEM_X509_INFO_read(3) and PEM_X509_INFO_read_bio(3).
- Document PEM_def_callback(3).
- Document EVP_read_pw_string_min(3).
- Merge documentation of X509_get0_serialNumber(3) from OpenSSL
1.1.1.
- Document error handling of X509_PUBKEY_get0(3) and
X509_PUBKEY_get(3).
- Document X509_get0_pubkey_bitstr(3)
- Document openssl(1) certhash.
o Compatibility Changes
- Modify I/O behavior so that SSL_MODE_AUTO_RETRY is the
default similar to new OpenSSL releases.
- Add the P-521 curve to the list of curves supported by
default in the client.
- Define OPENSSL_NO_SSL_TRACE in opensslfeatures.h.
- Make SSL_CTX_get_ciphers(NULL) return NULL rather than crash.
- Improve TLSv1.3 client certificate selection to allow EC
certificates instead of only RSA certificates.
- Add minimal info callback support for TLSv1.3.
- Support TLSv1.3 options in the openssl(1) command.
- Add support for additional GOST curves from RFC 7836 and
draft-deremin-rfc4491-bis.
- Add OIDs for HMAC using the Streebog hash function.
- Allow GOST R 34.11-2012 in PBE/PBKDF2/PKCS#5.
- Enable GOST_SIG_FORMAT_RS_LE when verifying certificate
signatures.
- Handle GOST in ssl_cert_dup().
- Stop sending GOST R 34.10-94 as a CertificateType.
- Use IANA allocated GOST ClientCertificateTypes.
o Testing and Proactive Security
- Greatly expanded test coverage via the tlsfuzzer test
scripts.
- Expanded test coverage via the bettertls certificate test
suite.
- Test interoperability with the Botan TLS client.
o Internal Improvements
- Collapse x509v3 directory into x509.
- Add initial support for openbsd/powerpc64.
- Improve length checks in the TLSv1.3 record layer and provide
appropriate alerts for violations of record layer limits.
- Enforce that SNI hostnames received by the TLS server are
correctly formed as per RFC 5890 and RFC 6066, responding
with illegal parameter for a nonconformant host name.
- Support SSL_MODE_AUTO_RETRY in TLSv1.3 to allow the automatic
retry of handshake messages.
- Improve the handling of BIO_read(3)/BIO_write(3) failures in
the TLSv1.3 stack.
- Start replacing the existing TLSv1.2 record layer.
- Simplify SSL method lookups.
- Clean up and simplify SSL_get_ciphers(3), SSL_set_session(3),
SSL_set_ssl_method(3) and several internal functions.
- Refactor dtls1_new(), dtls1_hm_fragment_new(),
dtls1_drain_fragments(), dtls1_clear_queues().
- Make the message type available in the internal TLS
extensions API functions.
- Numerous openssl(1) subcommands were converted to the new
option handling.
- Copy the session ID directly in ssl_get_prev_session()
instead of handing it through several functions for copying.
- Clean up and refactor ssl_get_prev_session(); simplify
tls_decrypt_ticket() and tls1_process_ticket() exit paths.
o Portable Improvements
- Make pthread_mutex static initialisation work on Windows.
- Get __STRICT_ALIGNMENT from machine/endian.h with portable
build.
o Bug Fixes
- Fix an off-by-one in the CBC padding removal.
- Enforce in the TLSv1.3 server that that ClientHello messages
after a HelloRetryRequest match the original ClientHello as
per RFC 8446 section 4.1.2
- Avoid calling freezero with a negative size if a server sends
a malformed plaintext of all zeroes.
- Correct use of sockaddr_storage instead of sockaddr in
openssl(1) s_client, which could lead to using 14 bytes of
stack garbage instead of an IPv6 address in DTLS mode.
- Fix a longstanding bug in PEM_X509_INFO_read_bio(3) that
could cause use-after-free and double-free issues in calling
programs.
- Zero out variable on the stack to avoid leaving garbage in
the tail of short session IDs.
- Ensure that appropriate alerts are sent on various error
conditions.
- Move state initialization from SSL_clear(3) to ssl3_clear()
to ensure that it gets correctly reinitialized across a
SSL_set_ssl_method(3) call.
- Add a custom copy handler for AES keywrap to fix a
use-after-free.
- Avoid an out-of-bounds write in BN_rand(3).
- Fix numerous leaks in the UI_dup_*(3) functions. Simplify and
tidy up the code in ui_lib.c.
- Correctly track selected ALPN length to avoid a potential
segmentation fault with SSL_get0_alpn_selected(3) when
alpn_selected is NULL.
- Include machine/endian.h gost2814789.c in order to pick up
the __STRICT_ALIGNMENT define.
- Correctly handle ssl_cert_dup() failure in
SSL_set_SSL_CTX(3).
- Fail on receiving an invalid NID in X509_ATTRIBUTE_create(3)
instead of constructing a broken objects that may cause NULL
pointer accesses.
- Fix SSL_shutdown(3) behavior in TLSv1.3 to match the legacy
stack. The previous behavior could cause a hang.
- Modify "openssl x509" to display invalid certificate times as
invalid, and correctly deal with the failing return case from
X509_cmp_time(3) so that a certificate with an invalid
NotAfter does not appear valid.
- OpenSSH 8.4
o Potentially incompatible changes.
- For FIDO/U2F support, OpenSSH recommends the use of libfido2
1.5.0 or greater. Older libraries have limited support at the
expense of disabling particular features. These include
resident keys, PIN- required keys and multiple attached
tokens.
- ssh-keygen(1): the format of the attestation information
optionally recorded when a FIDO key is generated has changed.
It now includes the authenticator data needed to validate
attestation signatures.
- The API between OpenSSH and the FIDO token middleware has
changed and the SSH_SK_VERSION_MAJOR version has been
incremented as a result. Third-party middleware libraries
must support the current API version (7) to work with OpenSSH
8.4.
- The portable OpenSSH distribution now requires automake to
rebuild the configure script and supporting files. This is
not required when simply building portable OpenSSH from a
release tar file.
o New Features
- ssh(1), ssh-keygen(1): support for FIDO keys that require a
PIN for each use. These keys may be generated using
ssh-keygen using a new "verify-required" option. When a
PIN-required key is used, the user will be prompted for a PIN
to complete the signature operation.
- sshd(8): authorized_keys now supports a new "verify-required"
option to require FIDO signatures assert that the token
verified that the user was present before making the
signature. The FIDO protocol supports multiple methods for
user-verification, but currently OpenSSH only supports PIN
verification.
- sshd(8), ssh-keygen(1): add support for verifying FIDO
webauthn signatures. Webauthn is a standard for using FIDO
keys in web browsers. These signatures are a slightly
different format to plain FIDO signatures and thus require
explicit support.
- ssh(1): allow some keywords to expand shell-style ${ENV}
environment variables. The supported keywords are
CertificateFile, ControlPath, IdentityAgent and IdentityFile,
plus LocalForward and RemoteForward when used for Unix domain
socket paths.
- ssh(1), ssh-agent(1): allow some additional control over the
use of ssh-askpass via a new $SSH_ASKPASS_REQUIRE environment
variable, including forcibly enabling and disabling its use.
- ssh(1): allow ssh_config(5)'s AddKeysToAgent keyword accept a
time limit for keys in addition to its current flag options.
Time- limited keys will automatically be removed from
ssh-agent after their expiry time has passed.
- scp(1), sftp(1): allow the -A flag to explicitly enable agent
forwarding in scp and sftp. The default remains to not
forward an agent, even when ssh_config enables it.
- ssh(1): add a '%k' TOKEN that expands to the effective
HostKey of the destination. This allows, e.g., keeping host
keys in individual files using "UserKnownHostsFile
~/.ssh/known_hosts.d/%k".
- ssh(1): add %-TOKEN, environment variable and tilde expansion
to the UserKnownHostsFile directive, allowing the path to be
completed by the configuration.
- ssh-keygen(1): allow "ssh-add -d -" to read keys to be
deleted from stdin.
- sshd(8): improve logging for MaxStartups connection
throttling. sshd will now log when it starts and stops
throttling and periodically while in this state.
o Bugfixes
- ssh(1), ssh-keygen(1): better support for multiple attached
FIDO tokens. In cases where OpenSSH cannot unambiguously
determine which token to direct a request to, the user is now
required to select a token by touching it. In cases of
operations that require a PIN to be verified, this avoids
sending the wrong PIN to the wrong token and incrementing the
token's PIN failure counter (tokens effectively erase their
keys after too many PIN failures).
- sshd(8): fix Include before Match in sshd_config(5).
- ssh(1): close stdin/out/error when forking after
authentication completes ("ssh -f ...").
- ssh(1), sshd(8): limit the amount of channel input data
buffered, avoiding peers that advertise large windows but are
slow to read from causing high memory consumption.
- ssh-agent(1): handle multiple requests sent in a single
write() to the agent.
- sshd(8): allow sshd_config(5) longer than 256k
- sshd(8): avoid spurious "Unable to load host key" message
when sshd load a private key but no public counterpart
- ssh(1): prefer the default hostkey algorithm list whenever we
have a hostkey that matches its best-preference algorithm.
- sshd(1): when ordering the hostkey algorithms to request from
a server, prefer certificate types if the known_hosts files
contain a key marked as a @cert-authority;
- ssh(1): perform host key fingerprint comparisons for the "Are
you sure you want to continue connecting
(yes/no/[fingerprint])?" prompt with case sensitivity.
- sshd(8): ensure that address/masklen mismatches in
sshd_config yield fatal errors at daemon start time rather
than later when they are evaluated.
- ssh-keygen(1): ensure that certificate extensions are
lexically sorted. Previously if the user specified a custom
extension then the everything would be in order except the
custom ones.
- ssh(1): also compare username when checking for JumpHost
loops.
- ssh-keygen(1): preserve group/world read permission on
known_hosts files across runs of "ssh-keygen -Rf /path". The
old behaviour was to remove all rights for group/other.
- ssh-keygen(1): Mention the [-a rounds] flag in the ssh-keygen
manual page and usage().
- sshd(8): explicitly construct path to ~/.ssh/rc rather than
relying on it being relative to the current directory, so
that it can still be found if the shell startup changes its
directory.
- sshd(8): when redirecting sshd's log output to a file, undo
this redirection after the session child process is forked().
Fixes missing log messages when using this feature under some
circumstances.
- sshd(8): start ClientAliveInterval bookkeeping before first
pass through select() loop; fixed theoretical case where busy
sshd may ignore timeouts from client.
- ssh(1): only reset the ServerAliveInterval check when we
receive traffic from the server and ignore traffic from a
port forwarding client, preventing a client from keeping a
connection alive when it should be terminated.
- ssh-keygen(1): avoid spurious error message when ssh-keygen
creates files outside ~/.ssh
- sftp-client(1): fix off-by-one error that caused sftp
downloads to make one more concurrent request that desired.
This prevented using sftp(1) in unpipelined request/response
mode, which is useful when debugging.
- ssh(1), sshd(8): handle EINTR in waitfd() and
timeout_connect() helpers.
- ssh(1), ssh-keygen(1): defer creation of ~/.ssh until we
attempt to write to it so we don't leave an empty .ssh
directory when it's not needed.
- ssh(1), sshd(8): fix multiplier when parsing time
specifications when handling seconds after other units.
- Ports and packages:
o Pre-built packages are available for the following architectures on
the day of release:
- aarch64 (arm64): 10768
- amd64: 11234
- i386: 10548
- mips64: 8540
- powerpc64: 6221
- sparc64: 9688
o Packages for the following architectures will be made available as
their builds complete:
- arm
- mips64el
- powerpc
- As usual, steady improvements in manual pages and other documentation.
- The system includes the following major components from outside suppliers:
o Xenocara (based on X.Org 7.7 with xserver 1.20.8 + patches,
freetype 2.10.2, fontconfig 2.12.4, Mesa 20.0.8, xterm 351,
xkeyboard-config 2.20 and more)
o LLVM/Clang 10.0.1 (+ patches)
o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
o Perl 5.30.3 (+ patches)
o NSD 4.3.2
o Unbound 1.11.0
o Ncurses 5.7
o Binutils 2.17 (+ patches)
o Gdb 6.3 (+ patches)
o Awk August 7, 2020 version
o Expat 2.2.8
------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------
We provide patches for known security threats and other important
issues discovered after each release. Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible. Therefore, we advise regular
visits to
https://www.OpenBSD.org/security.html
and
https://www.OpenBSD.org/errata.html
------------------------------------------------------------------------
- MAILING LISTS AND FAQ ------------------------------------------------
Mailing lists are an important means of communication among users and
developers of OpenBSD. For information on OpenBSD mailing lists, please
see:
https://www.OpenBSD.org/mail.html
You are also encouraged to read the Frequently Asked Questions (FAQ) at:
https://www.OpenBSD.org/faq/
------------------------------------------------------------------------
- DONATIONS ------------------------------------------------------------
The OpenBSD Project is a volunteer-driven software group funded by
donations. Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others. This ecosystem is all handled under the same funding umbrella.
We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon
events.
All of our developers strongly urge you to donate and support our future
efforts. Donations to the project are highly appreciated, and are
described in more detail at:
https://www.OpenBSD.org/donations.html
------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------
For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts. In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.
There may also be exposure benefits since the Foundation may be
interested in participating in press releases. In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at directors@openbsdfoundation.org for
more information.
------------------------------------------------------------------------
- RELEASE SONG ---------------------------------------------------------
OpenBSD 6.8 comes with the song "Hacker People". Lyrics (and an
explanation) of the song may be found at:
https://www.OpenBSD.org/lyrics.html#68
------------------------------------------------------------------------
- HTTPS INSTALLS -------------------------------------------------------
OpenBSD can be easily installed via HTTPS downloads. Typically you need
a single small piece of boot media (e.g., a USB flash drive) and then
the rest of the files can be installed from a number of locations,
including directly off the Internet. Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTPS.
1) Read either of the following two files for a list of HTTPS mirrors
which provide OpenBSD, then choose one near you:
https://www.OpenBSD.org/ftp.html
https://ftp.openbsd.org/pub/OpenBSD/ftplist
As of October 18, 2020, the following HTTPS mirror sites have the
6.8 release:
https://cdn.openbsd.org/pub/OpenBSD/6.8/ Global
https://ftp.eu.openbsd.org/pub/OpenBSD/6.8/ Stockholm, Sweden
https://ftp.hostserver.de/pub/OpenBSD/6.8/ Frankfurt, Germany
https://ftp.bytemine.net/pub/OpenBSD/6.8/ Oldenburg, Germany
https://ftp.fr.openbsd.org/pub/OpenBSD/6.8/ Paris, France
https://mirror.aarnet.edu.au/pub/OpenBSD/6.8/ Brisbane, Australia
https://ftp.usa.openbsd.org/pub/OpenBSD/6.8/ CO, USA
https://ftp5.usa.openbsd.org/pub/OpenBSD/6.8/ CA, USA
https://mirror.esc7.net/pub/OpenBSD/6.8/ TX, USA
https://openbsd.cs.toronto.edu/pub/OpenBSD/6.8/ Toronto, Canada
https://cloudflare.cdn.openbsd.org/pub/OpenBSD/6.8/ Global
https://fastly.cdn.openbsd.org/pub/OpenBSD/6.8/ Global
The release is also available at the master site:
https://ftp.openbsd.org/pub/OpenBSD/6.8/ Alberta, Canada
However it is strongly suggested you use a mirror.
Other mirror sites may take a day or two to update.
2) Connect to that HTTPS mirror site and go into the directory
pub/OpenBSD/6.8/ which contains these files and directories.
This is a list of what you will see:
ANNOUNCEMENT armv7/ octeon/ sgi/
README hppa/ openbsd-68-base.pub sparc64/
SHA256 i386/ packages/ src.tar.gz
SHA256.sig landisk/ packages-stable/ sys.tar.gz
alpha/ loongson/ ports.tar.gz xenocara.tar.gz
amd64/ luna88k/ powerpc64/
arm64/ macppc/ root.mail
It is quite likely that you will want at LEAST the following
files which apply to all the architectures OpenBSD supports.
README - generic README
root.mail - a copy of root's mail at initial login.
(This is really worthwhile reading).
3) Read the README file. It is short, and a quick read will make
sure you understand what else you need to fetch.
4) Next, go into the directory that applies to your architecture,
for example, amd64. This is a list of what you will see:
BOOTIA32.EFI* bsd* floppy68.img pxeboot*
BOOTX64.EFI* bsd.mp* game68.tgz xbase68.tgz
BUILDINFO bsd.rd* index.txt xfont68.tgz
INSTALL.amd64 cd68.iso install68.img xserv68.tgz
SHA256 cdboot* install68.iso xshare68.tgz
SHA256.sig cdbr* man68.tgz
base68.tgz comp68.tgz miniroot68.img
If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
and install68.iso. The install68.iso file (roughly 536MB in size)
is a one-step ISO-format install CD image which contains the various
*.tgz files so you do not need to fetch them separately.
If you prefer to use a USB flash drive, fetch install68.img and
follow the instructions in INSTALL.amd64.
5) If you are an expert, follow the instructions in the file called
README; otherwise, use the more complete instructions in the
file called INSTALL.amd64. INSTALL.amd64 may tell you that you
need to fetch other files.
6) Just in case, take a peek at:
https://www.OpenBSD.org/errata.html
This is the page where we talk about the mistakes we made while
creating the 6.8 release, or the significant bugs we fixed
post-release which we think our users should have fixes for.
Patches and workarounds are clearly described there.
------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------
X.Org has been integrated more closely into the system. This release
contains X.Org 7.7. Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc. During installation, you can install X.Org
quite easily using xenodm(1), our simplified X11 display manager forked
from xdm(1).
------------------------------------------------------------------------
- PACKAGES AND PORTS ---------------------------------------------------
Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures. Please see https://www.openbsd.org/faq/faq15.html for
more information on working with packages and ports.
Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed
separately.
------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------
The source code for all four subsystems can be found in the
pub/OpenBSD/6.8/ directory:
xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz
The README (https://ftp.OpenBSD.org/pub/OpenBSD/6.8/README) file
explains how to deal with these source files.
------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------
Ports tree and package building by Jasper Lievisse Adriaanse,
Pierre-Emmanuel Andre, Visa Hankala, Stuart Henderson, Peter Hessler,
Kurt Mosiejczuk, Christian Weisgerber, and Charlene Wendling.
Base and X system builds by Kenji Aoyama, Theo de Raadt, and
Visa Hankala. Release art contributed by Siah Files.
We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use. We would also like
to thank those who bought our previous CD sets. Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.
Our developers are:
Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall,
Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov,
Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley,
Antoine Jacoutot, Anton Lindqvist, Asou Masato, Ayaka Koshibe,
Benoit Lecocq, Bjorn Ketelaars, Bob Beck, Brandon Mercer,
Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar,
Carlos Cardenas, Charlene Wendling, Charles Longeau,
Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann,
Claudio Jeker, Dale Rahn, Damien Miller, Daniel Dickman,
Daniel Jakots, Darren Tucker, David Coppa, David Gwynne, David Hill,
Denis Fondras, Doug Hogan, Edd Barrett, Elias M. Mariani,
Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus,
George Koehler, Gerhard Roth, Giannis Tsaraias, Gilles Chehade,
Giovanni Bechis, Gleydson Soares, Gonzalo L. Rodriguez, Greg Steuck,
Helg Bredow, Henning Brauer, Ian Darwin, Ian Sutton, Igor Sobrado,
Ingo Feinerer, Ingo Schwarze, Inoguchi Kinichiro, James Turner,
Jan Klemkow, Jason McIntyre, Jasper Lievisse Adriaanse,
Jeremie Courreges-Anglas, Jeremy Evans, Job Snijders, Joel Sing,
Joerg Jung, Jonathan Armani, Jonathan Gray, Jonathan Matthew,
Jordan Hargrave, Joris Vink, Joshua Stein,
Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama,
Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov,
Klemens Nanni, Kurt Miller, Kurt Mosiejczuk, Landry Breuil,
Lawrence Teo, Marc Espie, Marcus Glocker, Mark Kettenis,
Mark Lumsden, Markus Friedl, Martijn van Duren, Martin Natano,
Martin Pieuchot, Martin Reindl, Martynas Venckus, Mats O Jansson,
Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Mikonos,
Mike Belopuhov, Nayden Markatchev, Nicholas Marriott, Nigel Taylor,
Okan Demirmen, Ori Bernstein, Otto Moerbeek, Paco Esteban,
Pamela Mosiejczuk, Pascal Stumpf, Patrick Wildt, Paul Irofti,
Pavel Korovin, Peter Hessler, Philip Guenther,
Pierre-Emmanuel Andre, Pratik Vyas, Rafael Sadowski,
Rafael Zalamena, Raphael Graf, Remi Locherer, Remi Pointel,
Renato Westphal, Ricardo Mestre, Richard Procter, Rob Pierce,
Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha,
Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
Solene Rapenne, Stefan Fritsch, Stefan Kempf, Stefan Sperling,
Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda,
T.J. Townsend, Ted Unangst, Theo Buehler, Theo de Raadt,
Thomas Frohwein, Tim van der Molen, Tobias Heider,
Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove,
Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov,
Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Yasuoka Masahiko,
Yojiro Uo