OpenBSD 7.0 released, Oct 14

------------------------------------------------------------------------
- OpenBSD 7.0 RELEASED -------------------------------------------------

October 14, 2021.

We are pleased to announce the official release of OpenBSD 7.0.
This is our 51st release.  We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.

As in our previous releases, 7.0 provides significant improvements,
including new features, in nearly all areas of the system:

 - New/extended platforms:
    o Added new riscv64 platform for 64-bit RISC-V systems.
    o The arm64 platform support was improved with the following
      changes:
       - Support for Apple Silicon Macs has improved but is not ready
         for general use yet:
          # Added support for installing on a disk with a GPT.
          # Added apldart(4) support for a DART with two sets of
            registers, needed to support the Synopsys DesignWare USB
            3 controller.
          # Added apldwusb(4), a glue driver for the Synopsys
            DesignWare USB 3 controllers found on the Apple M1 SoC.
          # Added aplns(4) to provide support for Apple NVME storage
            as found in Apple M1 devices.
          # Added aplpinctrl(4) driver for the Apple GPIO controller
            found on the M1 SoCs.
          # Added aplpmu(4), a driver for the Apple "sera" SPMI
            power management unit that contains the RTC on Apple M1
            systems.
          # Added aplspmi(4), a driver for the Apple SPMI
            controller.
       - Enabled LEDs for the mue(4) LAN7800 chip as found on the
         Raspberry Pi 3 Model B+.
       - Added rktcphy(4), a driver for the Type-C PHY controller
         found on the Rockchip RK3399.
       - Implemented multicast support in mvpp(4).
    o Changes on other architectures:
       - Switched macppc to use ld.lld(1).
       - Fixed an issue preventing applications from selecting the
         non-ALTIVEC code path on macppc.
       - Made amd64 hw.setperf percentages proportional to the
         enhanced speed step frequencies on Intel processors. The
         default hw.setperf=99 corresponds to the maximum ordinary
         speed, and setting it to 100 enables turbo mode.
       - Enabled cy(4) on amd64.
       - Disabled base-gcc on amd64.
       - Prevented crashes on amd64 when TLB entries which should have
         been invalidated were used.
       - Prevented a kernel panic in sparc64 due to page boundary
         misalignment.
       - Forced luna88k to use the serial console when no graphics
         board is found.
       - Made additional free inodes on luna88k bsd.rd by specifying
         density=4096.
       - Fixed strchr() and strrchr() on mips64.
       - Prevented watchdog resets on some i.MX 64-bit machines with a
         recent U-Boot and watchdog enabled on boot in imxdog(8).
       - Created audio devices on armv7.
       - Retired OpenBSD/sgi platform.
       - Enabled MSI-X support for powerpc64.
       - Fixed __ppc_lock for page faults that recursively grab the
         lock on powerpc.
       - Increased the maximum data size on powerpc64 to 32GB.
       - Disabled global page table mappings when using PCID to
         prevent crashes when not flushed from TLB on amd64.
       - Added cduart(4) driver for Cadence Universal Asynchronous
         Receiver/Transmitter on armv7.
       - Added zqclock(4) driver for Xilinx Zynq-7000 clock controller
         on armv7.
       - Added zqreset(4) driver for Xilinx Zynq-7000 reset controller
         on armv7.

 - Various kernel improvements:
    o Unlocked the top part of the VM fault handler on i386.
    o Enabled dt(4) for GENERIC kernels on amd64, arm64, i386, sparc64,
      and powerpc64.
    o Added kprobes provider for dt(4).
    o Implemented < and > operators in btrace(8) filters.
    o Added btrace(8) display of time spent in userland when analyzing
      the kernel stack in the flame graph tool and fixed a parsing bug.
    o Introduced /etc/bsd.re-config(5), which can be used to configure
      the kernel using config(8), allowing use of KARL while making
      changes to the GENERIC kernel.
    o Identify TPM 2.0 devices and perform the 2.0-specific suspend
      command, allowing the ThinkPad X1 Carbon Gen 9 and ThinkPad X1
      Nano with the latest BIOS (which added S3) to resume.
    o Changed the printing of the hibernate image size from bytes to
      megabytes.
    o Increased hibernate writeout speed.
    o Added "machine sysregs" command to ddb(4) on amd64.
    o Prevented interleaved stack traces in ddb(4) from multiple CPUs.
    o Delayed installation of sensors until a device with battery
      support is connected, allowing sensorsd(8) to pick up hotplugged
      uhidpp(4) devices.
    o Prevented a kernel panic after VFS shutdown.
    o Increased the setitimer(2) timer limit to UINT_MAX seconds.
    o Serialized the internals of kqueue(2) with a mutex.
    o Enabled pool cache on knote(9) pool.
    o Fixed futex(2) errno handling to match what Mesa expects and
      prevent failure to properly report timeouts.
    o Fixed a kernel crash in tty(4).
    o Increased the default buffer space on PF_UNIX sockets to 8k and
      made the values tuneable via sysctl(2).
    o Made kqueue(2) timer re-addition reset an existing timer to use
      the new timeout period.
    o In the build system, pass make flags to kernel and lib builds,
      making hacking on ramdisks/the installer much faster.

 - SMP Improvements
    o Made pmap_extract() mpsafe on hppa and amd64.
    o Introduced CPU_IS_RUNNING() and used it in scheduler-related code
      to prevent waiting on non-running CPUs.
    o Made anonymous object reference counting independent from the
      KERNEL_LOCK().
    o Unlocked connect(2).
    o Unlocked setrtable(2).
    o Introduced per-CPU panic(9) message buffers.
    o Used so_lock to protect key management (PF_KEY) sockets.
    o Used so_lock to protect routing (PF_ROUTE) sockets.
    o Unlocked lseek(2).
    o Unlocked the top part of the fault handler.

 - Direct Rendering Manager
    o Updated drm(4) to Linux 5.10.65
    o inteldrm(4): better support for Tiger Lake
    o amdgpu(4): support for Navi 12, Navi 21 "Sienna Cichlid", Arcturus
    o amdgpu(4): support for Cezanne "Green Sardine" Ryzen 5000 APU

 - VMM/VMD improvements
    o Added a theoretical limit of 512 to the number of allocated vcpus
      in vmm(4).
    o Fixed vmm(4) vcpu locking issues.
    o Added vmd(8) support for variable length vionet rx descriptor
      chains.
    o Prevented stack overflow in vmd(8) due to large DHCP packets on
      local interfaces.
    o Allowed locking of a randomly assigned lladdr in vmd(8).
    o Skipped inspecting non-udp packets on local interfaces for vmd(8).
    o Prevented guest virtio drivers from causing stack and buffer
      overflows in vmd(8).
    o Fixed a race condition in vmm(4) relating to incorrect physical
      cpu tracking.
    o Fixed vmctl(8) client "wait" state corruption in vmd(8) when a
      wait is canceled and restarted, allowing multiple waiting clients.
    o Added protections against guests with bad virtio drivers to vmd(8)
    o Unlocked the kernel in vmm(4) ioctl handlers and introduced vcpu
      locks

 - Various new userland features:
    o Imported timeout(1) utility from NetBSD. timeout(1) can be used to
      run commands with a time limit.
    o Added include and exclude options to openrsync(1).
    o Implemented reporting of supplemental groups in ps(1).
    o Added indication of whether an mg(1) function is unsuitable for a
      startup file.
    o Added "dired-jump" command to mg(1) to open a dired buffer
      containing the current buffer's directory location.

 - Various bugfixes and tweaks in userland:
    o Modified doas(1) to retry up to 3 times on password authentication
      failure.
    o Made all vi(1) signal handler functions async-signal-safe.
    o Changed diff(1) to consider two files sharing the same inode
      identical.
    o Allowed xenodm(1) login when ~/.Xauthority does not exist.
    o Disabled building all of the non-unicode fonts in Xenocara except
      for ISO8859-1.
    o Altered passwd(1) to use stderr for printing error and
      informational messages. This allows easier parsing of what
      passwd(1) is doing if spawned from a GUI.
    o Fixed iostat(8) per-device values when systat(1) is in boot time
      mode ('b'), not normalizing based on the sleep interval.
    o Made jot(1) -b, -c and -w mutually exclusive.
    o Made cdio(1) discard the current input line when Ctrl-C is used
      during line editing and provide a fresh prompt rather than exiting
      the program.
    o Let el_gets(3) honour the first Ctrl-C typed by the user rather
      than ignoring it.
    o Corrected awk(1) -F null string behavior to ensure -F '' behaves
      consistently with -v FS="".
    o Avoided a potential buffer overflow in backslash escaping in
      awk(1).
    o Disallowed the use of an empty list between "while" and "do" in
      ksh(1).
    o Changed cwm(1) maximization and full-screen mode toggling to keep
      the cursor within the window, preventing focus loss.
    o Made rc(8) quietly attempt an early mount of /var/log in case
      someone has created it as a separate filesystem to avoid /var
      overflow issues.
    o Improved fdisk(8) to retain essential partitions on various
      platforms.
    o Improved fdisk(8) for disks with 4K sectors.
    o Cleaned up the fdisk(8) MBR/GPT initialization code, making -g
      independent of -i, leaving four mutually exclusive initialization
      options (-i, -g, -u and -A) with the last option specified
      executed (allowing the existing -i -g to work as intended).
    o Relaxed criteria for recognizing GPT formatted media, allowing GPT
      disk images added with dd(1) onto larger physical media to be
      recognized by fdisk(8) and the kernel.
    o Added the ability for fdisk(8) to recognize "BIOS Boot", "APFS",
      "APFS ISC", "APFS Recovry" (sic), "HiFive FSBL" and "HiFive BBL"
      GPT partitions.
    o Ensured the values for fdisk(8) -b and -l are treated as 512-byte
      block counts.
    o Added an fdisk(8) -A option to initialize a GPT without removing
      special boot partitions.
    o Made fdisk(8) -b option available to architectures other than
      amd64 and i386 and extended the syntax to allow specification of
      the boot partition type and offset.
    o Adjusted density for partitions on a 4k disk in newfs(8) when
      fragsize and density are not passed on the command line to ensure
      sufficient inodes to hold a src tree on a 2G fs.
    o Fixed disklabel(8) generation on sparc64.
    o Fixed overlap check in disklabel(1) autoalloc code.
    o Corrected various min/max cluster numbers for FAT12/16/32 in
      newfs_msdos(8).
    o Added libexecinfo, a library providing backtrace functions.
    o Updated C library support for character classification to Unicode
      13.0.
    o Let wcwidth(3) treat all characters in Unicode private use areas
      as single-width, even those in planes 15 and 16.
    o Limited the printf(1) \x escape sequence to two characters.
    o Corrected the output of date(1) -f %s which was wrongly affected
      by the local timezone.
    o Turn printing additional information into toggles for systat(1).

 - Improved hardware support and driver bugfixes, including:
    o Added a workaround to amdgpu(4) for machines where the framebuffer
      size reported by the hardware is incorrect.
    o In pchgpio(4), worked around a BIOS bug on Lenovo ThinkPads based
      on Intel's Tiger Lake platform to properly restore the GPIO pin
      used for the touchpad interrupt upon resume.
    o Stopped setting the highspeed bit on bcm2835-sdhci sdhc(4)
      controllers, fixing bwfm(4) wifi on the Raspberry Pi 3 Model B+.
    o Added support for obtaining sense status and source slot of a
      media to chio(1) and ch(4).
    o Fixed dwiic(4) timeouts requesting data from at least one
      touchpad.
    o Added ucc(4), a driver for USB HID Consumer Control keyboards.
      Often used to expose volume, audio and application launch keys.
      Volume keys are handled by the kernel and all other keys are
      propagated to X11 and the console through wscons(4).
    o Set the uhidpp(4) battery level sensor status to unknown while
      charging to handle devices reporting zero during charge,
      preventing certain sensorsd.conf(5) actions from triggering
      inappropriately.
    o Added Tiger Lake LP (INT34C5) support to pchgpio(4).
    o Fixed a panic at shutdown relating to azalia(4) on the X1 Extreme
      Gen 1.
    o Fixed a panic reported in upd(4).
    o Fixed display of incorrect patterns on LUNA's wscons(4) with 1bpp
      framebuffer when backspace is typed.
    o Fixed an attachment problem for dwctwo(4) for certain devices
      issuing NAK interrupts during split transactions.
    o Added AMD 17h/6xh Root Complex to ksmn(4).
    o Ensured the TX FIFO isn't overrun for longer transfers in
      dwiic(4).
    o Added titmp(4), a driver for the TI TMP451 temperature sensor.
    o Ensured a USB mouse will attach if otherwise qualified even if the
      usage report does not include X and Y usages.
    o Attached unsupported video devices to uvideo(4) but not video(1),
      rather than leaving it unmatched.
    o Added a -R flag to usbhidctl(1) to dump the raw report descriptor
      bytes.
    o Added hid_get_report_desc_data() to usbhid(3) to access raw report
      descriptor data.
    o Fixed overflows when reading multiple bytes from AML over an i2c
      bus in acpi(4).
    o Fixed uaudio(4) on certain machines such as the RPI4 by adding a
      pre-DMA-write barrier after data is stored to memory.
    o Worked around x86 machines that advertise the "hardware reduced"
      ACPI feature, advertise S4 and S5 support, but fail to populate
      the SLEEP_CONTROL_REG and SLEEP_STATUS_REG descriptions in the
      FADT. This fixed the ASUS Zenbook 14.
    o Added quirk to enable ThinkPad X1 Extreme 1 speakers and Dolby
      Atmos in azalia(4).
    o Fixed pchgpio(4) issues with dead touchpads after resume.
    o Fixed an mbuf leak in xnf(4).

 - New or improved network hardware support:
    o Fixed ix(4) with older amd64 and current riscv64 hardware if MSI
      is not enabled for the device.
    o Added the uaq(4) driver for Aquantia AQC111U/AQC112U USB Ethernet
      devices.
    o Added the aq(4) driver to support Aquantia 1/2.5/5/10Gb/s PCIe
      Ethernet adapters.
    o Synced dwctwo(4) with the NetBSD-current code base, enabling the
      USB on-board Ethernet controller through mue(4), fixing uvideo(4),
      and enabling the two USB uhub3 ports on the Raspberry Pi 3 Model
      B+.
    o Added cad(4), a driver for Cadence GEM.
    o Added Broadcom BCM5725 to brgphy(4).
    o Added support for RTL8168FP/RTL8111FP/RTL8117 to re(4).
    o Fixed ure(4) after a media link change on RTL8153/B devices.
    o Fixed bnxt(4) with a single queue in MSI-X mode.

 - Added or improved wireless network drivers:
    o Zeroed out iwx(4) Tx descriptors of frames which are done to
      prevent the device from writing to the former DMA address of a
      buffer which has been taken off the Tx ring.
    o Fixed a bug in iwx(4) Tx done interrupt processing which could
      cause fatal firmware errors under load and memory corruption.
    o Changed iwm(4) and iwx(4) to sleep for 1 second while loading
      firmware to match what iwn(4) does. This fixes some issues with
      suspend/resume.
    o Ensured that iwm(4) and iwx(4) will reload firmware from disk on
      down/up and not during resume.
    o Fixed iwx(4) crystal latency values to match those used by Linux
      iwlwifi.
    o Fixed an off-by-one error in bwfm(4).
    o Changed iwn(4), iwm(4), and iwx(4) devices to hide detailed
      firmware error reports by default.
    o Prevented a loop when bwfm(4) receives an unsolicited association
      status event right after successful association.
    o Fixed a leak with wg(4) keepalive.
    o Switched iwx(4) to -63 firmware images as shipped in
      iwx-firmware-20210512, including fixes addressing FragAttacks
      vulnerabilities.
    o Supported the new iwx(4) firmware session protection command,
      required for successful associations with new firmware.
    o Stopped asking iwx(4) to send probe requests on passive channels,
      fixing firmware going unresponsive after association.
    o Fixed an iwx(4) edge case where devices failed to resume after
      system suspend.
    o Switched iwm(4) to newer firmware images available in
      iwm-firmware-20210512. This provides FragAttacks fixes for the
      updated devices.
    o Fixed iwx(4) against access points using TKIP as the group cipher.
    o Prevented athn(4) from calling ieee80211_find_rxnode() on bad
      frames in an attempt to prevent creation of bogus node cache
      entries.
    o Implemented various fixes addressing firmware errors in iwm(4) and
      iwx(4).
    o Fixed node leaks in iwm(4) and iwx(4) which caused the drivers to
      get stuck when roaming between access points.
    o Fixed iwx(4) firmware reloading after a failure to parse the
      firmware file.
    o Avoided "mac clock not ready" panics in iwm(4) and iwx(4).
    o Worked around a problem with certain athn(4) hardware that caused
      problems when running in HostAP mode with clients that use Tx
      aggregation.
    o Corrected multicast decryption for iwx(4).
    o Added 802.11n Tx aggregation support to iwm(4).
    o Made iwn(4), iwm(4) and iwx(4) keep track of beacon parameters at
      run-time.
    o Implemented support for Rx aggregation offload in iwm(4) and
      iwx(4) and re-enabled de-aggregation of A-MSDUs in net80211 for
      all drivers capable of 11n mode.
    o Changed error reporting for bwfm(4) to use the long version of the
      firmware path. This makes it easier to find the correct files to
      add to the bwfm-firmware port.

 - IEEE 802.11 wireless stack improvements and bugfixes:
    o Drop fragmented 802.11 frames.
    o Prevent frame injection via forged 802.11n A-MSDUs.
    o Tweaked net80211 RA heuristics to avoid picking Tx rate choices
      that may be too optimistic.

 - Generic network stack improvements and bugfixes:
    o Implemented reception of "VLAN 0 priority tagged" packets.
    o Fixed an alignment fault observed on an octeon machine while
      pppoe(4) negotiated a large MTU.
    o Display provider ID for a umb(4) SIM in ifconfig(8).

 - Installer and upgrade improvements:
    o Checked the installer's /tmp/i/hostname.* files for a configured
      IP address so that configurations without a broadcast address are
      detected as well.
    o Handled "inet autoconf" in the ramdisk.
    o Introduced a short wait in rc(8) after netstart(8) finishes until
      an IPv4 or IPv6 default route is present before continuing boot.
      Fixed setups depending on working network and DNS resolution
      during early boot when using autoconfiguration (dhcpleased(8) or
      slaacd(8)).
    o Made fdisk(8) always create an EFI SYS partition if the -b option
      is specified when initializing a GPT.
    o Allowed (w)hole disk allocation for GPT disks in arm64, using
      fdisk(8) -A when an Apple APFS ISC partition is detected and fdisk
      -ig otherwise. Created EFI SYS boot partitions only on ROOTDISK
      GPT disks.
    o Added installboot(8) "-p" to prepare by creating a new filesystem
      on the partition reserved for the bootloader on relevant
      architectures.
    o Added GPT support to armv7 installboot(8).
    o Added the Spleen 12x24 and 16x32 font on amd64's RAMDISK_CD and
      RAMDISK kernels.
    o Use installboot(8) on arm64 ramdisks.
    o Enable dhcpleased(8) on ramdisks, and activate resolvd(8),
      replacing dhclient(8).
    o Enable slaacd(8) to configure nameservers on ramdisks.

 - Security improvements:
    o Moved objcopy to base set to allow KARL to work on all installs.
    o Added unveil(2) calls to xterm in the case where there are no
      exec-formatted or exec-selected resources set.
    o Changed usage of %n from a syslog warning to syslog and abort for
      printf(3) (and associated variants).
    o Made kernel stop all threads when terminating via pledge_fail().

 - Routing daemons and other userland network improvements:
    o The bgpd(8) daemon saw the following changes:
       - Stop processing queued UPDATES when the max-prefix limit was
         reached.
       - Improved negotiation for route refresh, graceful restart and
         multi-protocol capabilities
       - Correctly track 'rde evaluate all' and 'export' settings
         during reload.
       - Properly withdraw prefixes when 'rde evaluate all' is used.
       - Fixed MRT handling on initial startup for message dump types.
       - Fixed and use non-blocking connect for RTR sessions.
       - Fully implemented RFC 6286 by checking for BGP ID collisions.
       - Adjusted the 4-byte AS number handling to RFC 6793 by
         changing error behaviour from prefix withdraw to attribute
         discard.
       - In bgpctl(8) print out both the sent "Neighbor capabilities"
         and the "Negotiated capabilities" for a session.
       - Print timestamps both as a formatted and a pure time in
         seconds field in various JSON objects.
       - Fixed a bug, where during bgpd(8) config reloads prefixes of
         the wrong address family could leak to peers resulting in
         session resets.
       - Added support for RFC 7313 - Enhanced Route Refresh. Disabled
         by default; to enable, use 'announce enhanced refresh yes'.
       - Improved output of Adj-RIB-Out by updating nexthop and ASPATH
         before adding the prefix to the RIB. This improves `bgpctl
         show rib out` output.
       - Added command line option to both bgpd(8) and bgpctl(8) to
         show the version.
       - Added support for RFC 9072 - Extended Optional Parameters
         Length for BGP OPEN Message
       - Added support for RFC 8050 - MRT Format with BGP Additional
         Path Extensions
       - Implemented receive side of RFC 7911 - Advertisement of
         Multiple Paths in BGP. OpenBGPD is currently not able to send
         multiple paths out.
       - Improved checks of VRPs loaded via RTR or from the roa-set
         table.
       - Allowed optionally specifying an expiry time for roa-set
         entries to mitigate BGP route decision making based on
         outdated RPKI data. OpenBGPD's companion rpki-client(8)
         produces roa-sets with the new 'expires' property
    o The pf(4) packet filter and its userland utility:
       - Corrected a potential memory leak associated with pfsync(4)
         update requests.
       - Introduced locks around the global pf(4) state list.
       - Fixed a panic due to pfsync(4) deferral timeout handling.
       - Added support for pf(4) divert-to on tpmr(4) and veb(4).
       - Fixed state key reference underflow when both state keys are
         identical in pf(4).
       - Only skipped pf(4) once for packets injected by a
         divert-packet socket, allowing pf to still act later on a
         diverted packet.
    o IPSEC support in the kernel and the iked(8) userland daemon:
       - Zeroed out potential passwords when freeing memory or
         handling parsing errors in iked(8).
       - Added client-side support for DNS configuration to iked(8).
       - Increased iked(8) default data bytes limit for Child SAs to 4
         GB, preventing excessive rekeying and lost data in high
         performance setups.
       - Fixed an iked(8) bug where no flows are added if a single
         address is configured in the config address instead of a
         pool.
       - Fixed a problem in iked(8) where no flows are loaded when a
         single config address without pool is configured.
       - Added an experimental post-quantum hybrid key exchange method
         based on Streamlined NTRU Prime (coupled with X25519) to
         iked(8) as sntrup761x25519.
       - Fixed races which were slowing ipsec(4) throughput.
       - Fixed ipsec(4) NAT-T to work with pipex(4).
    o rpki-client(8) received the following new features and bugfixes:
       - Added keep-alive support to the HTTP client code for RRDP.
       - Reference-count and delete unused files synced via RRDP, as
         far as possible.
       - In the JSON output, changed the AS Number from a string
         ("AS123") to an integer ("123") to make processing of the
         output easier.
       - Added an 'expires' column to CSV & JSON output, based on
         certificate and CRL validity times. The 'expires' value can
         be used to avoid route selection based on stale data when
         generating VRP sets, when faced with loss of communication
         between consumer and validator, or validator and CA
         repository.
       - Made the runtime timeout (-s option) also trigger in child
         processes.
       - Improved RRDP support and make RRDP the default protocol for
         synchronizing the RPKI repository data, with openrsync(1)
         used as secondary.
       - At startup, warn if the filesystem containing the cache
         directory is probably too small.
       - Handle running out of disk space more gracefully, including
         cleanup of temporary and old files before exiting.
       - Improved the HTTP/1.1 request headers being sent.
       - Improved validation checks for ROA and MFT objects.
       - Improved the HTTP client code (status code handling, http
         proxy support, keep-alive).
       - In RRDP, do not access URI with userinfo (@-sign)
       - Improved RRDP syncing by considering a notification file
         serial jumping backwards as synced repository.
       - Made -R (rsync only) also apply to the fetching of TA files.
       - Only sync *.{cer,crl,gbr,mft,roa} files via rsync and exclude
         all others.
       - When producing output for bgpd(8), make use of the 'roa-set
         expires' attribute to prevent machines from loading outdated
         roa-sets.
       - In RRDP, limited the number of deltas to 300 per repo. If
         more deltas exist, downloading a full snapshot is faster.
       - Limited the validation depth of X.509 certificate chains to
         12, double the current depth seen in RPKI.
    o traceroute(8) was improved:
       - Probe packets are now sent in quick succession and responses
         handled asynchronously.
       - DNS lookups are performed asynchronously. This speeds up the
         time required to display results considerably.
    o dhcpleased(8) was made the default program for configuring IPv4
      addresses via DHCP. resolvd(8) was activated to handle concurrent
      changes to resolv.conf(5) by both dhcpleased(8) and slaacd(8).
      Additionally these programs saw the following improvements and
      bugfixes:
       - Changed dhcpleased(8) client identifier transmission to match
         other DHCP client implementations.
       - Simplified dhcpleasectl(8) and added syntax to match
         dhclient(8) (interface), allowing one to be aliased to the
         other.
       - Retried broadcast with dhcpleased(8) when the DHCP server is
         unreachable via unicast UDP.
       - Made resolvd(8) accept DNS proposals for the loopback
         addresses.
       - Added to dhcpleased.conf(5) the ability to ignore routes or
         nameservers from a lease and to ignore servers entirely.
       - Made dhclient(8) defer to dhcpleased(8) when the inet
         autoconf flag is set. When run, dhclient will signal
         dhcpleased to request a new lease rather than requesting one
         itself.
       - Fixed potential races in slaacd(8) and dhcpleased(8) when two
         processes are configuring the same IP.
       - Added the possibility to send vendor class identifier and
         client identifier using dhcpleased.conf(5).
       - Made dhcpleased(8) always configure provided routes,
         regardless of whether the address received in the lease is
         already configured.
       - Used exclusive locks under /dev/ to ensure single instances
         of resolvd(8), slaacd(8) and dhcpleased(8).
       - Implemented classless static routes DHCP option in
         dhcpleased(8).
       - Added a new "nameserver" command to route(8), sending
         nameserver proposals to resolvd(8) using the DNS proposal
         protocol over the route socket. This command is intended to
         be used to integrate userland triggered nameserver changes,
         for example by VPN software.
    o Changes to snmp related tools:
       - Disable SNMPv1 and SNMPv2c by default in snmpd(8).
       - Remove default communities from snmpd(8).
       - Switched default seclevel to enc for snmpd(8).
       - Changed the default snmp(1) version to -v3 and removed the
         default community.
       - Switched default snmp(1) auth to hmac-sha1.
       - Switched default snmp(1) and snmpd(8) privacy protocol to
         AES.
       - Added the ability for snmpd(8) to send SNMPv3 traps.
       - Allowed "any" to be used as a listen on address in
         snmpd.conf(5).
       - Allowed setting of the engineid in snmpd(8).
    o Other userland network changes:
       - Fixed acme-client(1) SAN generation for CSRs.
       - Added pledge(2) for ftpd(8) user processes.
       - Allowed router solicitations from the unspecified address
         (::) in rad(8).
       - Altered slowcgi(8) so it no longer sends debug logging to
         syslog unless debug logging is requested via the new -v flag.
       - Prevented httpd(8) from trying to chunk encode an empty http
         body coming from an fcgi upstream.
       - Used relative reference URIs in Location header on directory
         redirects in httpd(8), adding support for front-ending httpd
         with a TLS-terminating gateway that forwards unencrypted http
         traffic.
       - Prevented a crash on strict alignment architectures of
         tcpdump(8) WireGuard printer.
       - Made tcpdump(8) split the 802.11 sequence number field into
         its sequence number and fragment number components rather
         than printing the whole field in decimal.
       - Added simple BGP enhanced route refresh message decoding to
         tcpdump(8).

 - tmux(1) improvements and bug fixes:
    o Added a -B flag to tmux(1) to remove borders from popups and added
      a menu to popups as well as options to convert a popup into a
      pane.
    o Added pipe variants of the tmux(1) line copy commands.
    o Added basic support for zero width joiners to tmux(1).
    o Added client focus hooks to tmux(1).
    o Made window-linked and window-unlinked window options in tmux(1).
    o Added -F for tmux(1) command-prompt and used it to fix "Rename" on
      the window menu.
    o Added different tmux(1) command histories for different types of
      prompts.
    o Fixed tmux(1) problems with xterm in VT340 mode.
    o Added an "always" value to the extended-keys option to always
      forward those keys to applications inside tmux(1).

 - OpenSMTPD 7.0.0
    o Fixed incorrect status code for expired mails resulting in a
      misleading bounce report in smtpd(8).
    o Added TLS options cafile=(path), nosni, noverify and
      servername=(name) to smtp(1).
    o Allowed specification of TLS ciphers and protocols in smtp(1).

 - LibreSSL 3.4.1
    o New Features
       - Added support for OpenSSL 1.1.1 TLSv1.3 APIs.
       - Enabled the new X.509 validator to allow verification of
         modern certificate chains.
    o Portable Improvements
       - Ported continuous integration and test infrastructure to
         GitHub Actions.
       - Added Universal Windows Platform (UWP) build support.
       - Fixed mingw-w64 builds on newer versions with missing SSP
         support.
       - Added non-executable stack annotations for CMake builds.
    o API and Documentation Enhancements
       - Added the following APIs from OpenSSL:
          BN_bn2binpad BN_bn2lebinpad BN_lebin2bn EC_GROUP_get_curve
          EC_GROUP_order_bits EC_GROUP_set_curve
          EC_POINT_get_affine_coordinates
          EC_POINT_set_affine_coordinates
          EC_POINT_set_compressed_coordinates EVP_DigestSign
          EVP_DigestVerify SSL_CIPHER_find SSL_CTX_get0_privatekey
          SSL_CTX_get_max_early_data SSL_CTX_get_ssl_method
          SSL_CTX_set_ciphersuites SSL_CTX_set_max_early_data
          SSL_CTX_set_post_handshake_auth SSL_SESSION_get0_cipher
          SSL_SESSION_get_max_early_data SSL_SESSION_is_resumable
          SSL_SESSION_set_max_early_data SSL_get_early_data_status
          SSL_get_max_early_data SSL_read_early_data SSL_set0_rbio
          SSL_set_ciphersuites SSL_set_max_early_data
          SSL_set_post_handshake_auth
          SSL_set_psk_use_session_callback
          SSL_verify_client_post_handshake SSL_write_early_data
       - Added AES-GCM constants from RFC 7714 for SRTP.
    o Compatibility Changes
       - Implement flushing behavior for TLSv1.3 handshakes, needed
         for Apache.
       - Call the info callback on connect/accept exit in TLSv1.3,
         needed for p5-Net-SSLeay.
       - Default to using named curve parameter encoding from
         pre-OpenSSL 1.1.0, adding OPENSSL_EC_EXPLICIT_CURVE.
       - Do not ignore SSL_TLSEXT_ERR_FATAL from the ALPN callback.
    o Testing and Proactive Security
       - Added additional state machine test coverage.
       - Improved integration test support with ruby/openssl tests.
       - Error codes and callback support in new X.509 validator made
         compatible with p5-Net-SSLeay tests.
    o Internal Improvements
       - Numerous fixes and improvements to the new X.509 validator to
         ensure error codes and callback support are compatible with
         the legacy OpenSSL validator.

 - OpenSSH 8.8
    o Security
       - sshd(8): OpenSSH 8.5 introduced the LogVerbose keyword. When
         this option was enabled with a set of patterns that activated
         logging in code that runs in the low-privilege sandboxed sshd
         process, the log messages were constructed in such a way that
         printf(3) format strings could effectively be specified by
         the low-privilege code.
       - sshd(8) from OpenSSH 6.2 through 8.7 failed to correctly
         initialise supplemental groups when executing an
         AuthorizedKeysCommand or AuthorizedPrincipalsCommand, where an
         AuthorizedKeysCommandUser or AuthorizedPrincipalsCommandUser
         directive has been set to run the command as a different
         user.
    o Potentially incompatible changes
       - A near-future release of OpenSSH will switch scp(1) from
         using the legacy scp/rcp protocol to using SFTP by default.
       - This release disables RSA signatures using the SHA-1 hash
         algorithm by default.
       - scp(1): this release changes the behaviour of remote to
         remote copies (e.g. "scp host-a:/path host-b:") to transfer
         through the local host by default. This was previously
         available via the -3 flag. This mode avoids the need to
         expose credentials on the origin hop, avoids triplicate
         interpretation of filenames by the shell (by the local
         system, the copy origin and the destination) and, in
         conjunction with the SFTP support for scp(1) mentioned below,
         allows use of all authentication methods to the remote hosts
         (previously, only non-interactive methods could be used). A
         -R flag has been added to select the old behaviour.
       - ssh(1)/sshd(8): both the client and server are now using a
         stricter configuration file parser. The new parser uses more
         shell-like rules for quotes, space and escape characters. It
         is also more strict in rejecting configurations that include
         options lacking arguments. Previously some options (e.g.
         DenyUsers) could appear on a line with no subsequent
         arguments. This release will reject such configurations. The
         new parser will also reject configurations with unterminated
         quotes and multiple '=' characters after the option name.
       - ssh(1): when using SSHFP DNS records for host key
         verification, ssh(1) will verify all matching records instead
         of just those with the specific signature type requested.
         This may cause host key verification problems if stale SSHFP
         records of a different or legacy signature type exist
         alongside other records for a particular host.
       - ssh-keygen(1): when generating a FIDO key and specifying an
         explicit attestation challenge (using -Ochallenge), the
         challenge will now be hashed by the builtin security key
         middleware. This removes the (undocumented) requirement that
         challenges be exactly 32 bytes in length and matches the
         expectations of libfido2.
       - sshd(8): environment="..." directives in authorized_keys
         files are now first-match-wins and limited to 1024 discrete
         environment variable names.
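
A pre-upgrade check for the three conditions the stricter ssh(1)/sshd(8) configuration parser is described above as rejecting, written as an added example that is not OpenSSH code. The tokenizer is a simplified approximation of the shell-like quoting rules, and the sample configuration is constructed.

```python
import re

# Option name, then the separator (whitespace and/or '='), then the arguments.
_LINE = re.compile(r"^([^\s=]+)([\s=]*)(.*)$")


def split_args(text):
    """Split arguments on unquoted whitespace.

    Approximation of shell-like rules: '...' and "..." group words, and a
    backslash escapes a quote, a backslash or a space.
    Returns (args, error); error is None or "unterminated quote".
    """
    args, cur, quote, started = [], [], None, False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "\\\"' ":
            cur.append(text[i + 1])
            started = True
            i += 2
            continue
        if quote:
            if ch == quote:
                quote = None
            else:
                cur.append(ch)
        elif ch in "\"'":
            quote, started = ch, True
        elif ch.isspace():
            if started:
                args.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
        i += 1
    if quote:
        return args, "unterminated quote"
    if started:
        args.append("".join(cur))
    return args, None


def lint_config(text):
    """Return (line number, option, problem) for each line that hits one of
    the three rejection cases named in the release notes."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if m is None:  # line begins with '='; out of scope for this sketch
            continue
        option, sep, rest = m.groups()
        if sep.count("=") > 1:
            findings.append((lineno, option, "multiple '=' after option name"))
        args, err = split_args(rest)
        if err:
            findings.append((lineno, option, err))
        elif not args:
            findings.append((lineno, option, "option has no argument"))
    return findings


# Constructed sample, not taken from a real host.
SAMPLE = """\
# sshd_config fragment
Port 22
PermitRootLogin=no
DenyUsers
Banner "/etc/issue.net
LogLevel==VERBOSE
AllowUsers "alice smith" bob
"""

if __name__ == "__main__":
    for lineno, option, problem in lint_config(SAMPLE):
        print(f"line {lineno}: {option}: {problem}")
```

Running sshd -t with the upgraded binary remains the authoritative check; this lint only covers the three cases listed in the release notes.
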
    o New features
       - scp(1): experimental support for transfers using the SFTP
         protocol as a replacement for the venerable SCP/RCP protocol
         that it has traditionally used. SFTP offers more predictable
         filename handling and does not require expansion of glob(3)
         patterns via the shell on the remote side.
       - sftp-server(8): add a protocol extension to support expansion
         of ~/ and ~user/ prefixed paths. This was added to support
         these paths when used by scp(1) while in SFTP mode.
       - ssh(1): add a ForkAfterAuthentication ssh_config(5)
         counterpart to the ssh(1) -f flag.
       - ssh(1): add a StdinNull directive to ssh_config(5) that
         allows the config file to do the same thing as -n does on the
         ssh(1) command-line.
       - ssh(1): add a SessionType directive to ssh_config, allowing
         the configuration file to offer equivalent control to the -N
         (no session) and -s (subsystem) command-line flags.
       - ssh-keygen(1): allowed signers files used by ssh-keygen(1)
         signatures now support listing key validity intervals
         alongside the key, and ssh-keygen(1) can optionally check
         during signature verification whether a specified time falls
         inside this interval. This feature is intended for use by git
         to support signing and verifying objects using ssh keys.
       - ssh-keygen(1): support printing of the full public key in a
         sshsig signature via a -Oprint-pubkey flag.
       - ssh(1): allow the ssh_config(5) CanonicalizePermittedCNAMEs
         directive to accept a "none" argument to specify the default
         behaviour.
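
How the validity intervals in an allowed signers file select a key at a given verification time, shown for a key rotation; this is an added example, not ssh-keygen(1) code. It assumes the valid-after and valid-before option names and the YYYYMMDD / YYYYMMDDHHMM[SS] timestamp formats from ssh-keygen(1), matches principals exactly (no patterns), ignores time zones, and uses constructed entries with placeholder key text.

```python
from datetime import datetime

_TIME_FORMATS = {8: "%Y%m%d", 12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}
_KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_time(stamp):
    """Parse YYYYMMDD or YYYYMMDDHHMM[SS] into a naive datetime."""
    fmt = _TIME_FORMATS.get(len(stamp))
    if fmt is None or not stamp.isdigit():
        raise ValueError("bad timestamp: %r" % stamp)
    return datetime.strptime(stamp, fmt)


def split_options(text):
    """Split comma-separated options; commas inside "..." stay in the value."""
    opts, cur, quoted = {}, [], False
    for ch in text + ",":
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            name, _, value = "".join(cur).partition("=")
            if name:
                opts[name] = value
            cur = []
        else:
            cur.append(ch)
    if quoted:
        raise ValueError("unterminated quote in options")
    return opts


def parse_allowed_signers(text):
    """Parse 'principals [options] keytype key' lines into dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Options are present when the second field is not a key type.
        has_opts = not fields[1].startswith(_KEY_PREFIXES)
        opts = split_options(fields[1]) if has_opts else {}
        k = 2 if has_opts else 1
        entries.append({
            "principals": fields[0].split(","),
            "after": parse_time(opts["valid-after"])
                     if "valid-after" in opts else None,
            "before": parse_time(opts["valid-before"])
                      if "valid-before" in opts else None,
            "key": fields[k] + " " + fields[k + 1],
        })
    return entries


def keys_valid_at(text, principal, when):
    """Keys listed for `principal` whose interval contains `when`.

    Both ends are inclusive: valid at or after valid-after, and at or
    before valid-before.
    """
    valid = []
    for entry in parse_allowed_signers(text):
        if principal not in entry["principals"]:
            continue
        if entry["after"] is not None and when < entry["after"]:
            continue
        if entry["before"] is not None and when > entry["before"]:
            continue
        valid.append(entry["key"])
    return valid


# Constructed entries; the key fields are placeholder text, not real keys.
SAMPLE = """\
# allowed signers file with a key rotation on 2021-09-01
dev@example.org valid-before="20210901" ssh-ed25519 AAAA_OLD_KEY_PLACEHOLDER
dev@example.org valid-after="20210901" ssh-ed25519 AAAA_NEW_KEY_PLACEHOLDER
ci@example.org namespaces="git",valid-after="202101010000" ssh-ed25519 AAAA_CI_KEY_PLACEHOLDER
"""

if __name__ == "__main__":
    for stamp in ("20210601", "20211014"):
        print(stamp, keys_valid_at(SAMPLE, "dev@example.org", parse_time(stamp)))
```

With ssh-keygen(1) itself, the time to check against is supplied to -Y verify through -Overify-time; a signature made with the old key still verifies when the verification time is the time it was made.
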
    o Bugfixes
       - ssh(1)/sshd(8): start time-based re-keying exactly on
         schedule in the client and server mainloops. Previously the
         re-key timeout could expire but re-keying would not start
         until a packet was sent or received, causing a spin in
         select() if the connection was quiescent.
       - ssh-keygen(1): avoid Y2038 problem in printing certificate
         validity lifetimes. Dates past 2^31-1 seconds since epoch
         were displayed incorrectly on some platforms.
       - scp(1): allow spaces to appear in usernames for local to
         remote and scp -3 remote to remote copies.
       - ssh(1)/sshd(8): remove references to
         ChallengeResponseAuthentication in favour of
         KbdInteractiveAuthentication. The former is what was in
         SSHv1, the latter is what is in SSHv2 (RFC4256) and they were
         treated as somewhat but not entirely equivalent. We retain
         the old name as a deprecated alias so configuration files
         continue to work as well as a reference in the man page for
         people looking for it.
       - ssh(1)/ssh-add(1)/ssh-keygen(1): fix decoding of X.509
         subject name when extracting a key from a PKCS#11
         certificate.
       - ssh(1): restore blocking status on stdio fds before close.
         ssh(1) needs file descriptors in non-blocking mode to operate
         but it was not restoring the original state on exit. This
         could cause problems with fds shared with other programs via
         the shell.
       - ssh(1)/sshd(8): switch both client and server mainloops from
         select(3) to pselect(3). Avoids race conditions where a
         signal may arrive immediately before select(3) and not be
         processed until an event fires.
       - ssh(1): sessions started with ControlPersist were incorrectly
         executing a shell when the -N (no shell) option was
         specified.
       - ssh(1): check if IPQoS or TunnelDevice are already set before
         overriding. Prevents values in config files from overriding
         values supplied on the command line.
       - ssh(1): fix debug message when finding a private key to match
         a certificate being attempted for user authentication.
         Previously it would print the certificate's path, whereas it
         was supposed to be showing the private key's path.
       - sshd(8): match host certificates against host public keys,
         not private keys. Allows use of certificates with private
         keys held in a ssh-agent.
       - ssh(1): add a workaround for a bug in OpenSSH 7.4 sshd(8),
         which allows RSA/SHA2 signatures for public key
         authentication but fails to advertise this correctly via
         SSH2_MSG_EXT_INFO. This causes clients of these servers to
         incorrectly match PubkeyAcceptedAlgorithms and potentially
         refuse to offer valid keys.
       - sftp(1)/scp(1): degrade gracefully if a sftp-server offers
         the limits@openssh.com extension but fails when the client
         tries to invoke it.
       - ssh(1): allow ssh_config SetEnv to override $TERM, which is
         otherwise handled specially by the protocol. Useful in
         ~/.ssh/config to set TERM to something generic (e.g. "xterm"
         instead of "xterm-256color") for destinations that lack
         terminfo entries.
       - sftp-server(8): the limits@openssh.com extension was
         incorrectly marked as an operation that writes to the
         filesystem, which made it unavailable in sftp-server
         read-only mode.
       - ssh(1): fix SEGV in UpdateHostkeys debug() message, triggered
         when the update removed more host keys than remain present.
       - scp(1): when using the SFTP protocol, continue transferring
         files after a transfer error occurs, better matching original
         scp/rcp behaviour.
       - ssh(1): fixed a number of memory leaks in multiplexing.
       - ssh-keygen(1): avoid crash when using the -Y find-principals
         command.
       - A number of documentation and manual improvements.
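
An audit for the SSHFP change listed under "Potentially incompatible changes" above: because ssh(1) now verifies all matching records, the script compares a host's current public keys with its published SSHFP records and reports the stale ones. This is an added example, not OpenSSH code; the host name, key blobs and records are constructed.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479); ECDSA is 3.
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ssh-ed25519": 4}


def sshfp_for_key(pubkey_line):
    """Every (algorithm, fp_type, hex digest) record that matches this key.

    fp_type 1 is SHA-1 and 2 is SHA-256, both taken over the decoded key blob.
    """
    keytype, b64 = pubkey_line.split()[:2]
    alg = 3 if keytype.startswith("ecdsa-sha2-") else KEY_ALGS[keytype]
    blob = base64.b64decode(b64)
    return {
        (alg, 1, hashlib.sha1(blob).hexdigest()),
        (alg, 2, hashlib.sha256(blob).hexdigest()),
    }


def parse_sshfp(rr):
    """Parse 'name [ttl] [IN] SSHFP alg fptype hex...' into a tuple."""
    fields = rr.split()
    i = fields.index("SSHFP")
    return (int(fields[i + 1]), int(fields[i + 2]),
            "".join(fields[i + 3:]).lower())


def audit_sshfp(host_pubkeys, zone_records):
    """Compare a host's current public keys with its published SSHFP RRset.

    stale: records matching no current key.
    unpublished: current keys with no matching record at all.
    """
    expected = set()
    for key in host_pubkeys:
        expected |= sshfp_for_key(key)
    published = {parse_sshfp(rr) for rr in zone_records}
    stale = [rr for rr in zone_records if parse_sshfp(rr) not in expected]
    unpublished = [k for k in host_pubkeys
                   if not (sshfp_for_key(k) & published)]
    return {"stale": stale, "unpublished": unpublished}


# --- constructed sample data: synthetic key blobs, not real host keys ---
def _pubkey(keytype, *fields):
    blob = b"".join(struct.pack(">I", len(f)) + f
                    for f in (keytype.encode(),) + fields)
    return keytype + " " + base64.b64encode(blob).decode()


def _rr(host, record):
    return "%s IN SSHFP %d %d %s" % ((host,) + record)


CURRENT_ED25519 = _pubkey("ssh-ed25519", bytes(range(32)))
RETIRED_RSA = _pubkey("ssh-rsa", b"\x01\x00\x01",
                      b"\x00" + bytes(range(1, 65)))

# Zone still carries both records of a retired RSA key next to the
# SHA-256 record of the current Ed25519 key.
SAMPLE_ZONE = (
    [_rr("host.example.org.", r)
     for r in sorted(sshfp_for_key(CURRENT_ED25519)) if r[1] == 2]
    + [_rr("host.example.org.", r)
       for r in sorted(sshfp_for_key(RETIRED_RSA))]
)

if __name__ == "__main__":
    report = audit_sshfp([CURRENT_ED25519], SAMPLE_ZONE)
    for rr in report["stale"]:
        print("stale:", rr)
    for key in report["unpublished"]:
        print("no SSHFP record for:", key.split()[0])
```

ssh-keygen -r hostname prints the SSHFP records for a host's current keys, which is the usual source for the replacement record set.
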

 - mandoc 1.14.6
    o Added a style message about overlong text input lines.
    o Made "-W style" check .Xr links along the full manpath to help
      validation of non-base manual pages.
    o Supported auto-tagging for ".It Va" in mdoc(7) documents.
    o Stopped printing two extra blank lines at the top and bottom of
      man(7) documents.
    o Supported the CB and CI fonts in roff(7) \f font escapes and .ft
      font requests.
    o Added support for two-character font names (BI, CW, CR, CB, CI) to
      the tbl(7) layout font modifier.
    o Implemented the tbl(7) layout modifiers "b" (bold) and "i"
      (italic) in HTML output mode.
    o Completed support for the "nospaces" option in the tbl(7) parser.
    o Fixed an infinite loop in the tbl(7) parser for some cases of
      horizontally overlapping horizontal spans.
    o Added a meta viewport element to "-T html" output.
    o Fixed a crash with "-T man" when an input file contains tbl(7) or
      eqn(7) input.
    o Fixed a crash in makewhatis(8) when a manpath directory contains a
      symbolic link that points to a directory.

 - Ports and packages:
    o Pre-built packages are available for the following architectures on
      the day of release:
       - aarch64 (arm64): 11034
       - amd64: 11325
       - i386: 10248
       - mips64: 9311
       - powerpc64: 9273
       - sparc64: 9636
    o Packages for the following architectures will be made available as
      their builds complete:
       - arm
       - mips64el
       - powerpc

 - Some highlights:

    o Asterisk 18.6.0                 o Mutt 2.1.3 and NeoMutt 20210205
    o Audacity 2.4.2                  o Node.js 12.22.6
    o CMake 3.20.3                    o OCaml 4.10.0
    o Chromium 93.0.4577.82           o OpenLDAP 2.4.59
    o Emacs 27.2                      o PHP 7.3.30, 7.4.23 and 8.0.10
    o FFmpeg 4.4                      o Postfix 3.5.12
    o GCC 8.4.0 and 11.2.0            o PostgreSQL 13.4
    o GHC 8.10.6                      o Python 2.7.18, 3.8.12 and 3.9.7
    o GNOME 40.4                      o Qt 5.15.2 and 6.0.4
    o Go 1.17                         o R 4.1.1
    o JDK 8u302, 11.0.12 and 16.0.2   o Ruby 2.6.8, 2.7.4 and 3.0.2
    o KDE Applications 21.08.1        o Rust 1.55.0
    o KDE Frameworks 5.85.0           o SQLite 3.35.5
    o Krita 4.4.8                     o Shotcut 21.01.29
    o LLVM/Clang 11.1.0               o Sudo 1.9.7p2
    o LibreOffice 7.2.1.2             o Suricata 6.0.2
    o Lua 5.1.5, 5.2.4 and 5.3.6      o Tcl/Tk 8.5.19 and 8.6.8
    o MariaDB 10.6.4                  o TeX Live 2020
    o Mono 6.12.0.122                 o Vim 8.2.3394 and Neovim 0.5.0
    o Mozilla Firefox 92.0 and        o Xfce 4.16
      ESR 91.1.0
    o Mozilla Thunderbird 91.1.1

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.7 with xserver 1.20.13 + patches,
      freetype 2.10.4, fontconfig 2.12.4, Mesa 21.1.8, xterm 367,
      xkeyboard-config 2.20, fonttosfnt 1.2.2, and more)
    o LLVM/Clang 11.1.0 (+ patches)
    o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    o Perl 5.32.1 (+ patches)
    o NSD 4.3.7
    o Unbound 1.13.2
    o Ncurses 5.7
    o Binutils 2.17 (+ patches)
    o Gdb 6.3 (+ patches)
    o Awk December 18, 2020 version
    o Expat 2.4.1

------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each release.  Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible.  Therefore, we advise regular
visits to

        https://www.OpenBSD.org/security.html
and
        https://www.OpenBSD.org/errata.html

------------------------------------------------------------------------
- MAILING LISTS AND FAQ ------------------------------------------------

Mailing lists are an important means of communication among users and
developers of OpenBSD.  For information on OpenBSD mailing lists, please
see:

        https://www.OpenBSD.org/mail.html

You are also encouraged to read the Frequently Asked Questions (FAQ) at:

        https://www.OpenBSD.org/faq/

------------------------------------------------------------------------
- DONATIONS ------------------------------------------------------------

The OpenBSD Project is a volunteer-driven software group funded by
donations.  Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others.  This ecosystem is all handled under the same funding umbrella.

We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon
events.

All of our developers strongly urge you to donate and support our future
efforts.  Donations to the project are highly appreciated, and are
described in more detail at:

        https://www.OpenBSD.org/donations.html

------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.

There may also be exposure benefits since the Foundation may be
interested in participating in press releases.  In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at directors@openbsdfoundation.org for
more information.

------------------------------------------------------------------------
- RELEASE SONG ---------------------------------------------------------

OpenBSD 7.0 comes with the song "The Style Hymn".  Lyrics (and an
explanation) of the song may be found at:

        https://www.OpenBSD.org/lyrics.html#70

------------------------------------------------------------------------
- HTTPS INSTALLS -------------------------------------------------------

OpenBSD can be easily installed via HTTPS downloads.  Typically you need
a single small piece of boot media (e.g., a USB flash drive) and then
the rest of the files can be installed from a number of locations,
including directly off the Internet.  Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTPS.

1) Read either of the following two files for a list of HTTPS mirrors
   which provide OpenBSD, then choose one near you:

        https://www.OpenBSD.org/ftp.html
        https://ftp.openbsd.org/pub/OpenBSD/ftplist

   As of October 14, 2021, the following HTTPS mirror sites have the
   7.0 release:

        https://cdn.openbsd.org/pub/OpenBSD/7.0/            Global
        https://ftp.eu.openbsd.org/pub/OpenBSD/7.0/         Stockholm, Sweden
        https://ftp.hostserver.de/pub/OpenBSD/7.0/          Frankfurt, Germany
        https://ftp.bytemine.net/pub/OpenBSD/7.0/           Oldenburg, Germany
        https://ftp.fr.openbsd.org/pub/OpenBSD/7.0/         Paris, France
        https://mirror.aarnet.edu.au/pub/OpenBSD/7.0/       Brisbane, Australia
        https://ftp.usa.openbsd.org/pub/OpenBSD/7.0/        CO, USA
        https://ftp5.usa.openbsd.org/pub/OpenBSD/7.0/       CA, USA
        https://mirror.esc7.net/pub/OpenBSD/7.0/            TX, USA
        https://openbsd.cs.toronto.edu/pub/OpenBSD/7.0/     Toronto, Canada
        https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.0/ Global
        https://fastly.cdn.openbsd.org/pub/OpenBSD/7.0/     Global

        The release is also available at the master site:

        https://ftp.openbsd.org/pub/OpenBSD/7.0/            Alberta, Canada

        However, it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that HTTPS mirror site and go into the directory
   pub/OpenBSD/7.0/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     armv7/        octeon/             root.mail
        README           hppa/         openbsd-70-base.pub sparc64/
        SHA256           i386/         packages/           src.tar.gz
        SHA256.sig       landisk/      packages-stable/    sys.tar.gz
        alpha/           loongson/     ports.tar.gz        xenocara.tar.gz
        amd64/           luna88k/      powerpc64/
        arm64/           macppc/       riscv64/

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, amd64.  This is a list of what you will see:

        BOOTIA32.EFI*   bsd*            floppy70.img    pxeboot*
        BOOTX64.EFI*    bsd.mp*         game70.tgz      xbase70.tgz
        BUILDINFO       bsd.rd*         index.txt       xfont70.tgz
        INSTALL.amd64   cd70.iso        install70.img   xserv70.tgz
        SHA256          cdboot*         install70.iso   xshare70.tgz
        SHA256.sig      cdbr*           man70.tgz
        base70.tgz      comp70.tgz      miniroot70.img

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
   and install70.iso.  The install70.iso file (roughly 697MB in size)
   is a one-step ISO-format install CD image which contains the various
   *.tgz files so you do not need to fetch them separately.

   If you prefer to use a USB flash drive, fetch install70.img and
   follow the instructions in INSTALL.amd64.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.amd64.  INSTALL.amd64 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

        https://www.OpenBSD.org/errata.html

   This is the page where we talk about the mistakes we made while
   creating the 7.0 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.7.  Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc.  During installation, you can install X.Org
quite easily using xenodm(1), our simplified X11 display manager forked
from xdm(1).

------------------------------------------------------------------------
- PACKAGES AND PORTS ---------------------------------------------------

Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures.  Please see https://www.openbsd.org/faq/faq15.html for
more information on working with packages and ports.

Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed
separately.

------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------

The source code for all four subsystems can be found in the
pub/OpenBSD/7.0/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

The README (https://ftp.OpenBSD.org/pub/OpenBSD/7.0/README) file
explains how to deal with these source files.

------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------

Ports tree and package building by Jasper Lievisse Adriaanse,
Pierre-Emmanuel Andre, Jeremie Courreges-Anglas, Visa Hankala,
Stuart Henderson, Peter Hessler, Kurt Mosiejczuk, Christian Weisgerber,
and Charlene Wendling.  Base and X system builds by Kenji Aoyama and
Theo de Raadt.  Release art contributed by Natasha Allegri.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who bought our previous CD sets.  Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.

Our developers are:

    Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall,
    Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov,
    Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley,
    Antoine Jacoutot, Anton Lindqvist, Asou Masato, Ayaka Koshibe,
    Benoit Lecocq, Bjorn Ketelaars, Bob Beck, Brandon Mercer,
    Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar,
    Carlos Cardenas, Charlene Wendling, Charles Longeau,
    Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann,
    Claudio Jeker, Dale Rahn, Damien Miller, Daniel Dickman,
    Daniel Jakots, Darren Tucker, Dave Voutila, David Coppa,
    David Gwynne, David Hill, Denis Fondras, Doug Hogan, Edd Barrett,
    Elias M. Mariani, Eric Faurot, Florian Obser, Florian Riehm,
    Frederic Cambus, George Koehler, Gerhard Roth, Giannis Tsaraias,
    Gilles Chehade, Giovanni Bechis, Gleydson Soares,
    Gonzalo L. Rodriguez, Greg Steuck, Helg Bredow, Henning Brauer,
    Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze,
    Inoguchi Kinichiro, James Turner, Jan Klemkow, Jason McIntyre,
    Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans,
    Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray,
    Jonathan Matthew, Jordan Hargrave, Joris Vink, Joshua Stein,
    Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama,
    Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov,
    Klemens Nanni, Kurt Miller, Kurt Mosiejczuk, Landry Breuil,
    Lawrence Teo, Marc Espie, Marcus Glocker, Mark Kettenis,
    Mark Lumsden, Markus Friedl, Martijn van Duren, Martin Natano,
    Martin Pieuchot, Martin Reindl, Martynas Venckus, Mats O Jansson,
    Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Mikonos,
    Mike Belopuhov, Mike Larkin, Moritz Buhl, Nam Nguyen,
    Nayden Markatchev, Nicholas Marriott, Nigel Taylor, Okan Demirmen,
    Ori Bernstein, Otto Moerbeek, Paco Esteban, Pamela Mosiejczuk,
    Pascal Stumpf, Patrick Wildt, Paul Irofti, Pavel Korovin,
    Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas,
    Rafael Sadowski, Rafael Zalamena, Raphael Graf, Remi Locherer,
    Remi Pointel, Renato Westphal, Ricardo Mestre, Richard Procter,
    Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha,
    Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
    Solene Rapenne, Stefan Fritsch, Stefan Kempf, Stefan Sperling,
    Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda,
    T.J. Townsend, Ted Unangst, Theo Buehler, Theo de Raadt,
    Thomas Frohwein, Tim van der Molen, Tobias Heider,
    Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove,
    Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov,
    Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Yasuoka Masahiko,
    Yojiro Uo