OpenBSD 7.6 released, Oct 8, 2024
7 October, 2024 by deraadt@openbsd.org | openbsd
------------------------------------------------------------------------
- OpenBSD 7.6 RELEASED -------------------------------------------------
October 8, 2024.
We are pleased to announce the official release of OpenBSD 7.6.
This is our 57th release. We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.
As in our previous releases, 7.6 provides significant improvements,
including new features, in nearly all areas of the system.
With this release all files that existed in the first commit in the
OpenBSD source repository have been updated, modified or replaced at some
point in time, reaching OpenBSD of Theseus.
- Platforms specific improvements:
o arm64:
- Implemented Spectre-V4 mitigations for arm64.
- Extended Spectre-BHB mitigation support to Cortex-A57.
- Enable Enhanced Privileged Access Never (EPAN) when available
on arm64.
- Recognise Cortex-A520AE (Hayes AE) and Cortex-A720AE (Hunter
AE) CPUs
- Made the LEDs work on the SolidRun ClearFog CN9130 Base.
- Added Qualcomm Snapdragon X Elite (X1E80100) support.
- Implemented support for deeper idle states offered by PSCI,
reducing idle power usage.
- Populate arm64 HWCAP and HWCAP2 flags based on recognized
feature bits and sanitized values of the ID register values.
- Made the Samsung Galaxy Book4 Edge (x1e80100) boot in ACPI
mode.
- Used FEAT_RNG to feed entropy into the random subsystem on
arm64 as on amd64.
o amd64:
- Mitigated the RFDS (Register File Data Sampling)
vulnerability present in Intel Atom CPUs (requires updated
firmware).
- Implemented support for AVX-512.
- Shortening of the dmesg(8) output by suppressing cache-info
lines when they are identical to the previous CPU.
- Streamlined the display of flag information of amd64 CPU
flags in dmesg(8).
- Added AMD Secure Encrypted Virtualization (SEV)-related
information provided by cpuid to dmesg(8).
- Implemented bounce buffering for AMD SEV in amd64 bus dma.
- Implemented hardware masking for MSI and MSI-X on amd64.
- Implemented wakeup interrupts on amd64.
- Ensure that the deepest possible C-state is selected during
suspend-to-idle on amd64 and i386.
- Set the target ACPI to S5 when powering down amd64 (and i386)
machines, rather than attempting to put devices into the D3
power state.
- Prevented livelocks on amd64 by avoiding caching pages
belonging to memory ranges with a 'use' count to keep low
pages available and avoid their exhaustion.
o riscv64:
- Use SBI calls to reboot or power down when supported by
firmware.
- Communicate cache-coherent DMA status via DMA tag for
mainbus(4).
- Support for Milk-V Pioneer board.
- Enabled UVM percpu cache on riscv64.
o powerpc:
- Exported basic HWCAP bits to let applications detect Altivec
and VSX on powerpc64.
- Exported basic HWCAP bits to let applications detect Altivec
on powerpc.
o mips64:
- Enabled uvm per-cpu page cache on mips64 (as well as sparc64
and luna88k)
o alpha:
- Switched alpha to MI mplock code.
o More platform specific changes can be found in the hardware
support section below.
- Various kernel improvements:
o Reduced dmesg(8) output by only printing about PCI resource
conflicts for resources that are enabled.
o Deleted the msyscall mechanism, now replaced by the stricter
mimmutable(2) and pinsyscalls(2).
o Changed pledge(2), mmap(2)'s MAP_STACK and pinsyscalls(2) failures
to use uprintf(9) rather than writing into dmesg(8).
o Made witness(4) display lock cycles longer than two locks.
o Made "show witness" display witness(4) lock subtypes in ddb(4).
o Made ddb(4) print mbuf chain and packet list by implementing /c
and /p modifiers in ddb show mbuf.
o Repair printing of backtraces on arm64 ddb(4).
o Added pathconfat(2): pathconf(2) but with at-fd and flags
arguments, the latter supporting the ability to get timestamp
resolution of symlinks.
o Ensure that pmap_create(9) waits in the case of kernel virtual
space shortage.
o Made arc4random() depend on fewer subsystems by decoupling
extract_entropy() from the enqueue_randomness() logic.
o Ensure that concurrent calls to dequeue_randomness() will use some
different events.
o Work to support S0 sleep states, improving the suspend/resume
experience on modern hardware.
- Added an implementation of "suspend-to-idle" on amd64,
enabling suspend on machines that don't support S3.
- Began printing "S0ix" instead of "S0" on the acpi: sleep
states line when FADT indicates FADT_POWER_S0_IDLE_CAPABLE,
assuming that for these machines the vendors agree S0 suspend
is as good or better than S3.
- Added a temporary method to force S0 over S3 via
machdep.lidaction=-1. We are not ready to choose S0-over-S3
based on the S0ix bit in FADT, but this will allow testing.
- Fixed suspend/resume related bugs in many drivers.
o Made exit1() wait for sysctl(2) 'allprocess' loops to prevent
possible kernel crash due to concurrent process exit1().
o Prevented potential crash when fuse(4) uses the ufs inode.
o Ensure that in all filesystems file names passed back by readdir
name validation do not include a '/' character to avoid unexpected
path traversal on untrusted file systems.
o Fixed kernel crashing due to invalid printables in ELF binaries.
o Increased the default buffer size for AF_UNIX from 8192 to 32768,
avoiding a fatal error in sshd(8) that can be triggered when the
network stack is pushed hard enough to consume most of the allowed
memory.
- SMP Improvements
o Network
- Allowed running UDP input on multiple CPU in parallel.
- Made raw IPv4 and IPv6 sockets handle input in parallel.
- Various improvements in the locking of unix4 and udp sockets.
- Pushed socket lock down to sosend() for SOCK_RAW sockets.
- Pushed socket lock down to sosend() and removed it from
soreceive() paths for unix(4) sockets.
- Switched AF_ROUTE sockets to the new locking scheme.
- Mark the IP protocol GRE as MP safe from socket layer.
- Removed kernel lock from socket splice idle timeout.
- Removed kernel lock from shutdown(2) system call.
- Run network protocol timer without kernel lock. TCP timers
also run without kernel lock now.
- Stopped using KERNEL_LOCK to protect the per process
kqueue(2) list.
o Sysctl
- Used atomic operations to access integers in sysctl(2) making
it mp-safe.
- Removed net lock from sysctl(8) net.inet.ip.forwarding,
net.inet6.ip6.forwarding, net.inet6.ip6.redirect,
net.inet.ip.directed-broadcast.
- Pushed kernel lock down to net_sysctl() to unlock uipc, bpf,
pflow and pipex sysctl.
- Removed kernel lock from various sysctl kern variables.
o Stopped grabbing the kernel lock in kbind(2).
o Added per-CPU caches to the pmemrange allocator.
o Unlocked sigsuspend(2) and __thrsigdivert syscalls.
o Converted SCHED_LOCK from a recursive kernel lock to a mutex.
o Reworked per proc and per process time usage accounting, removing
a SCHED_LOCK() dependency.
- Direct Rendering Manager and graphics drivers
o Updated drm(4) to Linux 6.6.52.
o Support for Meteor Lake in inteldrm(4).
- VMM/VMD improvements
o Improve exposure of CPU features to virtual machines.
o Fixed incorrect scaling when converting disk images in vmctl(8).
o Dropped the vmm(4) and vmd(8) "continue" flag to simplify running
a vcpu.
o Added vmctl(8) "status -r" to limit the output of "vmctl status"
to only running VMs.
o Made vmm(4) update the host cr3 in the vmcs to allow vmx(4) to
restore the proper cr3 value on the next vm exit.
o Enabled AMD SEV support in vmm(4).
o Added psp(4) ioctls to the "vmm" pledge to support AMD SEV and add
an additional ioctl to support shutdown.
o Set highest cpuid feature leaf based on host CPU in vmm(4), fixing
Linux guests on older Intel hardware.
o Implemented AMD SEV support in vmd(8). To enable SEV for a guest,
use the parameter "sev" in the guest's vm section in vm.conf.5.
o Fixed VPID leak on Intel VMX hosts.
o Add ret-clean operation to interrupt dispatch assembly code.
o Fixed DHCP request intercept when using local interfaces with
vmd(8).
- Various new userland features:
o Added scandirat(3) from FreeBSD.
o Added elf_aux_info(3), designed to let userland peek at AT_HWCAP
and AT_HWCAP2, using an interface from FreeBSD.
o Added missing function wcsnlen(3) to find length of a wide string
(i.e. wcslen(3) with a max len argument).
o Imported libva 2.22.0, an implementation for VA-API (video
acceleration API). VA-API provides access to graphics hardware
acceleration capabilities for video processing.
o Added the option "-u name" to env(1) to remove a variable from the
environment.
- Various bugfixes and tweaks in userland:
o Throughout the source tree, add missing error checks to calls of
gmtime(3) and localtime(3).
o Added missing error checks to all calls under libexec and sbin in
case of ctime(3) and ctime_r(3) failures when timestamps are far
off.
o Audited programs that parse IP-adresses and replaced inet_aton(3)
with better functions such as gethostbyname(3), getnameinfo(3),
getaddrinfo(3), and inet_pton(3).
o Added generic channel mapping in place of aucat(1) -j and -c
options.
o Allowed any device sample encoding in aucat(1).
o Fixed a crash in sndiod(8) when the device is disconnected and the
clients are not migrated to another device.
o Made sndiod(8) discover new devices on SIGHUP and switch if a new
device is higher priority (greater -F option number) than the
current device.
o Fixed sndiod(8) server.device entries disappearing when usb
devices are unplugged while in use.
o Fixed possible sndiod(8) crashes caused by a global table overread
triggered by the client.
o Switched pax(1) to write archives using the 'pax' format by
default. Ramdisk versions will keep using ustar for writing.
o Corrected detection of 'pax' format archives in pax(1) append
mode.
o Fixed a problem in pax(1) where the file list output was
fully-buffered when used as part of a pipeline.
o Fixed reading large pax(1) extended records.
o Switched tar(1) write default format to 'pax'.
o Added tar(1) -F option to select write format.
o Used pathconfat(2) to compare mtimes for the pax(1) -u and -Z
options when the target is "too old."
o Added patch(1) "-V none" to prevent making any backups.
o Fixed chroot(2) call in the lpd(8) control process.
o Fixed a crash in ls(1) -l for files with bogus timestamp values.
o Repaired malloc operation on systems where the malloc(3) page size
is larger than the mmu page size.
o In btrace(8), cache ELF .symtab, .strtab entries in sorted array
to improve lookup cost from O(n) to O(lg n).
o In libc, allow writing buffers larger than BUFSIZ or st_blksize,
vastly improving write performance.
o Made security(8) silently ignore setuid changes in relinked
binaries to reduce false positives.
o Added the flags NOPERM, STALLED, SWAPPABLE and DOOMED to pstat(8)
-v output.
o Rewrote dd(1) bytes/sec calculation to make signal handler safe on
OpenBSD.
o Added check in pwd_mkdb(8) preventing creation of a passwd(5)
entry too large for getpwent(3).
o Fixed cron(8) CVE-2024-43688: buffer underflow for very large step
values.
o Escaped newlines in file names in less(1).
o Removed support for the less(1) LESSOPEN and LESSCLOSE environment
variables.
o Allowed the newsyslog(8) -F flag (Force trim logs) to be used on
its own.
o Added display of the current line number as percentage of the
total lines in vi(1) ruler.
o Ignored universal ctags extended metadata in tagaddress, making
mg(1) search patterns work again.
o Fixed mg(1) auto-indent-mode with custom tab widths.
o Added handling for C-u modifier in M-! and M-| to mg(1).
o Added an error message for sed(1) -i when the file is unwritable.
o Fixed a bug in sed(1) where the pattern space is empty but does
not start with a NUL character, which might occur after using the
D command.
o Ensure that giving UTF-8 command line arguments to apropos(1)
allows searching in UTF-8 and ISO-Latin-1 encoded manual pages if
the mandoc.db(5) was built makewhatis -T utf8.
o Fixed a bug in mandoc(1) .Ql handling which could corrupt output.
o Made gprof(1) output more compact.
- Improved hardware support and driver bugfixes, including:
o Added clocks for the RK3588 PWM controller to rkclock(4).
o Added RK3588 TSADC clocks and resets to rkclock(4).
o Added RK3588 eMMC clocks and resets to rkclock(4).
o Added RK3588 support to rktemp(4).
o Added support for using the power button function of the RK809 to
rkpmic(4).
o Added rkpmic(4) support for configuring sleep voltage settings
based on device tree settings for the RK809.
o Prevented rkpmic(4) power down after resume initiated by pressing
the power button.
o Added RK3588 support to rkusbphy(4).
o Added dwmshc(4) support for the RK3588 eMMC controller.
o Made the eMMC come up reliably on the RK3588 eMMC controller by
resetting the status before executing a new command.
o Added PCI support for ufshci(4).
o Enabled UFS "Auto-Hibernation" in ufshci(4).
o Added ufshci(4) support for suspend/resume.
o Added hibernation support in ufshci(4).
o Added ufshci(4) at fdt support, allowing boot of the Samsung
Galaxy Book4 Edge in DT mode.
o Fixed ufshci(4) alignment issue where a DMA transfer scheduled on
an odd slot would fail.
o Enabled ufshci(4) on amd64.
o Added CH9102 support to uchcom(4).
o Added support for the numpad on newer macppc Apple Powerbooks with
ukbd(4), with Num Lock set as Fn+F6.
o Added uchcom(4) support for the CH343 uart.
o Prevented a hang when the nvme(4) controller has disconnected from
the pcie bus.
o Added support for NVMe passthrough commands to allow software to
get information about nvme(4) disks.
o Enabled hibernate/resume to nvme(4) disks with 4096 byte sectors.
o Added bio(4) support to nvme(4).
o Added nvme(4) sensors based on information in the SMART/health log
page, showing overall device health and temperature.
o Made acpibat(4) forward AC change notifications to acpiac(4),
giving access to programs like apm(8).
o Implemented sleep button and EC events as wakeup events in
acpi(4).
o Added qcgpio(4) support for the ACPI PCIO pins necessary to
support the keyboard, touchpad and touchscreen on the Qualcomm
Snapdragon X Elite (X1E80100) laptops Asus Vivobook S15 and Lenovo
Yoga Slim 7x.
o Made the touchpad on the Samsung Galaxy Book4 Edge work via
qcgpio(4).
o Added Meinberg PCI510 to mbg(4).
o Introduced rpigpio(4), a driver for the RP1 GPIO controller on the
Raspberry Pi 5.
o Added support to have bcmpcie(4) as both PCIe bus and simplebus to
enable use of the Raspberry Pi 5's RP1 I/O controller.
o Fixed access to Alder Lake-N and Elkhart Lake eMMC.
o Added psp(4) driver for the AMD Platform Security Processor.
o Prevent a crash in the openfirmware driver if the temperature for
a zone can't be read while polling it.
o Implemented qcspmi(4) support for version 7 controllers.
o Implemented MSI multiple-vector support in dwpcie(4).
o Hooked up the Qualcomm UEFI Secure Application that handles EFI
variables to efi(4) to allow access to EFI variables through
ioctls on /dev/efi.
o Fixed uaudio(4) failure to attach when interface number and
interface index do not match and the wrong interface is claimed.
o Fixed delayed level setting on audio(4) devices.
o Introduced intelpmc(4), a driver for the power management
controller found on various Intel SoCs.
o Added battery sensors to qcpas(4).
o Corrected audio drivers to inform children about suspend/resume
related events.
o Ensure that softraid(4) sensors are unregistered when the volumes
are removed.
o Fixed suspend/resume for ums(4) and umt(4).
o Ensure that some Intel xhci(4) controllers fully power down by
issuing a "save state" command on suspend.
o Fixed xhci(4) issues after resume by giving some AMD Ryzen hHCI
controllers the extra time they need to transition from D3 into
D0.
o Made acpi(4) use ACPI_WAK upon resume, potentially improving S3
resume on some rare machines.
o Made xhci(4) restore the saved state upon resume, needed for newer
Intel xHCI controllers.
o Skipped Controller Save State (CSS) and Controller Restore State
(CRS) on AMD 17h/1xh xHCI to avoid problem with resume after
introduction of CRS to xhci(4).
o Corrected dwiic(4) to inform children of suspend/resume events and
prevent sub-drivers racing against dwiic hardware
re-initialization.
o Eliminated some resume-hangs on dwiic(4) chips.
o Added missing child activate handling in iatp(4).
- New or improved network hardware support:
o Implemented resetting the PHY via a GPIO pin in cad(4), helping to
enable the PHY on the Raspberry Pi 5.
o Fixed TCP Segmentation Offload bugs in ixl(4).
o Added mcx(4) support for media types from the extended Ethernet
capabilities fields, fixing a gigabit SFP in the ConnectX-6 Lx.
o Enabled em(4) on powerpc64.
o Added VLAN hardware tagging in igc(4).
o Fixed jumbo frames in igc(4) for strict alignment architectures.
o Exposed igc(4) hardware counters to kstat(1).
o Added support for checksum offloading to dwqe(4).
o Added VLAN hardware tagging in dwqe(4).
o Improved stability of dwqe(4).
o Mapped MSI-X in addition to MSI and INTx on rge(4).
o Fixed TX descriptors DMA syncs in rge(4).
o Added rge(4) support for the Realtek RTL8126 chip.
o Improved bus_dmamap_syncs for rx ring descriptors on rge(4)
hardware.
o Supported building a single packet out of multiple rx descriptors
in rge(4).
o Attempted to leave a gap on the tx ring for rge(4)/re(4) to keep
entries on the ring from being overwritten, preventing confusion
of the chip and the tx completion code.
o Prevented VPID leakage in vmx(4) by allocating at vcpu init.
o Implemented TCP Segmentation Offload in vmx(4), igc(4) and vio(4).
o Implemented TCP Large Receive Offload in vmx(4) and vio(4).
o Enable checksum offloading and TCP Segmentation Offload for
vlan(4) via vio(4).
o Improved stability of vio(4).
- Added or improved wireless network drivers:
o Fixed qwx(4) display in ifconfig(8) showing a mix of 802.11 modes
after switching APs.
o Added a reset attempt for qwx(4) devices when firmware crashes.
o Made qwx(4) offload TKIP and CCMP crypto to hardware, fixing ARP
and IPv6 multicast with WPA2.
o Plugged a memory leak in qwx(4).
o Fixed a qwx(4) interrupt storm during resume.
o Fixed iwx(4) monitor mode after firmware update.
o Prevented firmware panic when iwx(4) runs in monitor mode with
addresses configured on the interface and leaving 11n/11ac mode
directly for monitor mode.
o Added support for Quectel EM060K to umb(4).
o Fixed WEP on athn(4) USB hostap, preventing potential "key not
installed for sw crypto" panic.
- IEEE 802.11 wireless stack improvements and bugfixes:
o Prevented potential firmware errors in Intel wifi drivers when APs
send an ADDBA request early.
- Installer, upgrade and bootloader improvements:
o Implemented support for the RISC-V UEFI Boot Protocol.
o Implemented the chmod a-x bsd.upgrade trick in the sparc64 ofwboot
bootloader.
o Added boot.conf(8) "machine idle [secs]" to halt at idle
passphrase prompts for efi(4) systems.
o Made installboot(8) run again after fw_update(8) on Apple silicon
to pick up Apple boot firmware.
o Stopped sysupgrade(8) from enforcing the next version key if
installing a snapshot.
o Included BUILDINFO file in the iso/img files and installed it in
the miniroot if available, to be used in the future in
sysupgrade(8).
o Use BUILDINFO to make sure sysupgrade(8) doesn't install an older
snapshot over a newer one.
o Ensure that loading a device tree using the "mach dtb" command
gives firmware a chance to make modifications by using the EFI
devicetree fixup protocol.
o Apple machines can now also use USB type-A ports for installation.
- Security improvements:
o Added -fret-clean option to the compiler, defaulting to off. This
new option causes the caller to clean the return address off the
stack after a call completes. The -fret-clean option was then
enabled on amd64 for libc, libcrypto, ld.so, kernel, and all the
ssh tools.
o Expose branch target identification (BTI) to userland and make
LLVM generate code with BTI instructions.
o Enabled PAC in addition to BTI on arm64 such that JIT code matches
the default branch protection provided by our base compiler.
o Limit NFS connections to originate from a reserved port, but
permit null requests (aka server pings) from non-reserved ports in
nfs.
o Made local ports bound during connect(2) unique per laddr rather
than globally unique.
o Enforced the pinsyscalls(2) rules on non-static/ld.so/libc.so text
segments.
o Added pledge and unveil to rpcinfo(8).
o Added AUDIO_GETDEV ioctl to "audio" pledge(2).
- New features in the network stack:
o Made PPP interfaces to run in an rdomain(4) and install a default
route in the same routing domain.
o Introduced rport(4) for point-to-point layer 3 connectivity
between routing domains. Similar to pair(4) but is more efficient
as it does not add Ethernet headers.
o Implement IPv6 forwarding IPsec only (sysctl
net.inet6.ip6.forwarding = 2),the equivalent to
net.inet.ip.forwarding = 2 for IPv4.
o Added BIOCSETFNR to bpf(4), like BIOCSETF without resetting the
buffer or stats.
o Implemented SO_ACCEPTCONN in getsockopt(2) which can be used to
check if listen(2) was called and the socket is accepting
connections.
- Further changes and bugfixes in the network stack:
o Expose aggr(4) per port information via kstat(1).
o Restrict listen(2) to sockets of type SOCK_STREAM or
SOCK_SEQPACKET.
o Prohibit userland changes of the interface loopback flag,
preventing a potential kernel crash.
o Split single TCP inpcb hash table into separate hash tables for
IPv4 and IPv6, to help the ongoing work to improve SMP
performance.
o Use route cache function in IP input.
o Implemented rule 5.5 of RFC 6724 (Default Address Selection for
IPv6) to prefer addresses in a prefix advertised by the next-hop.
o Stop storing full IPv6 packet in common forwarding case. Instead
of storing a copy of the full IPv6 packet for the possible need to
generate an ICMP6 packet. Instead only store the header. In most
cases this can be kept on the stack resulting in speedup and less
memory use.
o Fixed bridging IPv6 fragments with pf reassembly. When output by
veb(4) and bridge(4), the packets were not refragmented.
o Fixed source and drain confusion in socket splicing somove(),
improving performance in a corner case.
o Drop packets if forwarding of IPsec packets only (sysctl
net.inet.ip.forwarding = 2) is configured, but no IPsec policy is
defined.
o If IP forwarding is IPsec only, do not send ICMP redirect and do
not accept ICMP redirect packets.
- The following changes were made to the pf(4) firewall:
o Added display of pf(4) fragment reassembly counters to pfctl(8)
and systat(1).
o Fixed pfsync(4) TCP-state not being updated for destination
connection peer and reduced excessive pfsync traffic.
o Allow users to define tables inside an anchor in the same way they
can define global tables in pf.conf(5). Previously this required a
separate pfctl -a foo -t bar invocation.
- Routing daemons and other userland network improvements:
o IPsec support was improved:
- Added RADIUS support to iked(8), including authentication,
accounting and "Dynamic Authorization Extensions" (DAE).
- Fixed a bug where sasyncd(8) couldn't restore SAs.
o More RADIUS changes:
- In npppd(8), modified IPCP to use nameservers from RADIUS.
- Added Dynamic Authorization Extensions (DAE) for RADIUS
server to npppd(8).
- Added support for RADIUS accounting configurable in
radiusd.conf(5).
- Changed radiusd.conf(5) syntax for "module" to take a {}
block and "authentication" to go without. Specifying a
"module" path is now optional.
- Introduced radiusd_ipcp(8), a module providing IP
configuration which manages the IP address pool.
- Added radiusd_file(8) module, providing authentication by a
local file.
- Kept radiusd(8) number of requests for a DAE server below 64
to avoid congestion.
- Added radiusctl(8) ipcp delete command to delete the
specified session without requesting disconnection.
o In bgpd(8),
- Repair a withdraw desynchronization problem in bgpd(8).
- Double peer description length to 64 characters.
- Improve handling of bgpd AFI IPv4 sessions over IPv6 only
links.
- Sessions over IPv6 link-local addresses are now always
considered to be connected.
- Allow operators to enforce the presence of certain
capabilities.
- Improve capability negotiation and remove 'announce
capabilities'. The 'announce capabilities [yes|no]' neighbor
config option needs to be removed from configuration files.
Instead individual capabilities need to be disabled.
- Improve negotiation of the multi-protocol capability and the
fallback to IPv4 only mode.
- Mark RTR and IPv6 BGP packets with DSCP CS6 (network
control).
- Increase RTR PDU limit to 48k and limit number of SPAS to
10'000.
- Convert the remaining session engine parsers to the new ibuf
API.
- Filtered prefixes are now included in the Local-RIB if the
config option 'rde rib Loc-RIB include filtered' is set.
- Add 'bgpctl show rib filtered' to show filtered prefixes.
- Add 'min-version' RTR config option and default to RTR
version 1. Set min-version to 2 to enable
draft-ietf-sidrops-8210bis-14 and ASPA support or better
define the ASPA table in the config.
- Adjust RTR ASPA pdu parser to follow
draft-ietf-sidrops-8210bis-14
- Check the max_prefix and max_out_prefix limits on config
reload.
- Fix race condition between TCP-MD5 key removal and session
closure to ensure all messages are sent with the proper
TCP-MD5 signature.
- Fix 'nexthop qualify via bgp' by re-evaluating the nexthops
when a BGP route is added to the FIB.
- Handle the CLUSTER_LIST attribute according to RFC7606.
- Fix some undefined or non-portable behaviour when handling
NULL / 0-sized objects.
o rpki-client(8) saw these and more changes:
- Impose same-origin policy for RRDP.
- Introduce tiebreaking for trust anchors. This prevents
certain forms of replay attack.
- Fix internal identification of CA resource certificates.
- Verify self-signage for trust anchors.
- Introduce a check for filenames as presented by publication
points.
- Improved compliance with RFCs 6487 and 8209 for certificates
and CRLs.
- Presence of CMS signing-time is now enforced and presence of
CMS binary-signing-time is disallowed, per RFC 9589.
- Lowered the maximum acceptable manifest number to 2^159 - 1.
- Limit number of validated ASPAs per customer ASID.
- Ensure synchronization jobs are stopped when the timeout is
reached.
- Fix a corner case in repository handling. If the last RRDP
repository failed to load, rpki-client would fail to fall
back to rsync due to an ordering bug in the event loop.
- Improve detection of duplicate file paths. Only trigger a
duplicate error if a valid path is revisited otherwise a bad
CA could prevent legitimate files from being considered
valid.
- Normalize internal representation of the caRepository to have
a trailing slash and ensure that the rpkiManifest is a file
inside it.
- Avoid a quadratic complexity issue in ibuf_realloc() due to
misuse of recallocarray(). Transferring a manifest with a
large FileAndHash list across a privsep boundary could cost
significant resources.
- RRDP sessions are periodically reinitialized to snapshot at
random intervals.
- Signed Prefix List statistics are now only emitted when
rpki-client is run with -x.
- The -r command line option formerly enabling RRDP has long
been the default and is now removed.
- The CRL number extension in CRLs is checked to be in the
range [0..2^159-1]. The CRL number is otherwise ignored.
o In smtpd(8),
- Set ORIGINAL_RECIPIENT in the environment of MDA scripts for
postfix compatibility.
- Add documentation on the expected behaviour and environment
of MDAs.
- Fixed smtpd(8) IPv6 address parsing in file-backed table(5).
- Added smtpd-tables(7), an API to implement table(5) for
smtpd(8).
- Introduced a new smtpd(8) K_AUTH service to allow offloading
the credentials to a table for non-crypt(3) authentication.
- Implemented smtpd(8) report response for proc-filters as with
built-in filters.
o Network auto configuration improvements:
- Introduced dhcp6leased(8), a daemon to acquire IPv6 prefix
delegations from DHCPv6 servers.
- Made rad(8) honor prefixes delegated by DHCPv6.
- Implemented RFC 4191 Default Router Preferences in rad(8).
- Made rad(8) send source link-layer address option in router
advertisements, preventing Apple devices from installing an
unusable default route.
- Removed dhclient(8) binary.
o Many other changes in various network programs and libraries:
- Audited programs that parse IP-addresses and replaced
inet_aton(3) with better functions such as gethostbyname(3),
getnameinfo(3), getaddrinfo(3), and inet_pton(3).
- Trimmed output of whois(1) to suppress some uninformative
output by default, still accessible verbatim by using whois
-S.
- Removed obsolete whois(1) contact handle support.
- Made spamd(8) advertise SMTPUTF8 and 8BITMIME extensions in
EHLO, fixing potential interoperability issues when the real
MTA supports those extensions.
- Prevented TOCTOU issues in httpd(8) static file serving and
auto index generation.
- Added a "log" option to relayd.conf(5) rules.
- Made relayd(8) host handle disable/enable commands from
relayctl(8) correctly in case multiple redirect instances use
the same host in relayd(8) tables.
- Improved config validation in relayd(8) to prevent
incompatibility with the length of names of redirects and
tags in pf(4).
- Made ftp(1) send HTTP 'Accept */*' headers.
- Made ftp(1) send Host: headers with CONNECT requests when
tunneling TLS over an HTTP proxy.
- Added the 2024 root zone trust anchor to unwind(8).
- Made netstat(1) display statistics about expensive mbuf
operations, counting operations used to allocate mbufs or
copy memory when memory layout is not optimal to find
possible optimizations.
- tmux(1) improvements and bug fixes:
o Reduced tmux(1) escape-time default to 10 milliseconds (from 500).
o Added display-menu -M to tmux(1) to always turn mouse on in a
menu.
o Added tmux(1) option allow-set-title to forbid applications from
changing the pane title.
o Prevented a crash if focusing a pane in tmux(1) that is exiting.
o Added "N" to search backwards in tmux(1) tree modes.
o Added tmux(1) "refresh-client -r" for control mode clients to
provide OSC 10 and 11 responses to tmux so they can set the
default foreground and background colors.
o Changed tmux(1) extended-keys behavior to allow applications to
enter mode 2 but not turn extended keys off entirely.
o Added a tmux(1) prefix-timeout option to allow setting a period
after which to ignore the prefix key if no others are pressed.
o Ignored tmux(1) mouse move keys to prevent accidental prefix
cancelation.
o Displayed hyperlinks in tmux(1) copy mode and added
copy_cursor_hyperlink format to get the hyperlink under the
cursor.
o Added search_count and search_count_partial formats in tmux(1)
copy mode.
o Revamped tmux(1) extended keys support to more closely match
xterm1 and support mode 2 as well as mode 1.
o Added mirrored versions of the main-horizontal and main-vertical
layouts when the tmux(1) main pane is bottom or right instead of
top or left.
o Allowed REP to work with Unicode characters in tmux(1).
- LibreSSL version 4.0.0
o Portable changes
- Added initial Emscripten support in CMake builds.
- Removed timegm() compatibility layer since all uses were
replaced with OPENSSL_timegm(). Cleaned up the corresponding
test harness.
- The mips32 platform is no longer actively supported.
o Internal improvements
- Cleaned up parts of the conf directory. Simplified some
logic, fixed memory leaks.
- Simplified X509_check_trust() internals to be somewhat
readable.
- Removed last internal uses of gmtime() and timegm() and
replaced them with BoringSSL's POSIX time conversion API.
- Removed unnecessary stat calls in by_dir.
- Split parsing and processing of TLS extensions to ensure that
extension callbacks are called in a predefined order.
- Cleaned up the MD4 and MD5 implementations.
- Assembly functions are no longer exposed in the public API,
they are all wrapped by C functions.
- Removed assembly implementations of legacy ciphers on legacy
architectures.
- Merged most multi-file implementations of ciphers into one or
two C files.
- Removed the cache of certificate validity. This was added for
performance reasons which no longer apply since BoringSSL's
time conversion API isn't slow. Also, a recently added error
check led to obscure, undesirable validation failures.
- Stopped calling OPENSSL_cpuid_setup() from the .init section
on amd64 and i386.
- Rewrote various BN conversion functions.
- Improved certification request internals.
- Removed unused DSA methods.
- Improved X.509v3 extension internals. Fixed various bugs and
leaks in X509V3_add1_i2d() and X509V3_get_d2i(). Their
implementations now vaguely resemble code.
- Rewrote BN_bn2mpi() using CBB.
- Made most error string tables const.
- Removed handling for SSLv2 client hello messages.
- Improvements in the openssl(1) speed app's signal handler.
- Cleaned up various X509v3_* extension API.
- Unified the X.509v3 extension methods.
- Cleaned up cipher handling in SSL_SESSION.
- Removed get_cipher from SSL_METHOD.
- Rewrote CRYPTO_EX_DATA from scratch. The only intentional
change of behavior is that there is now a hard limit on the
number of indexes that can be allocated.
- Removed bogus connect() call from netcat.
- Uses of atoi() and strtol() in libcrypto were replaced with
strtonum().
- Introduced crypto_arch.h which will contain the architecture
dependent code and defines rather than the public
opensslconf.h.
- OPENSSL_cpu_caps() is now architecture independent.
- Reorganized the DES implementation to use fewer files and
removed optimizations for ancient processors and compilers.
o New features
- Added CRLfile option to the cms command of openssl(1) to
specify additional CRLs for use during verification.
o Documentation improvements
- Removed documentation of no longer existing API.
- Unified the description of the obsolete ENGINE parameter that
needs to remain in many functions and should always be NULL.
o Compatibility changes
- Protocol parsing in libtls was changed. The unsupported
TLSv1.1 and TLSv1.0 protocols are ignored and no longer
enable or disable TLSv1.2 in surprising ways.
- The dangerous EVP_PKEY*_check(3) family of functions was
removed. The openssl(1) pkey and pkeyparam commands no longer
support the -check and -pubcheck flags.
- The one-step hashing functions, MD4(), MD5(), RIPEMD160(),
SHA1(), all SHA-2, and HMAC() no longer support returning a
static buffer. Callers must pass in a correctly sized buffer.
- Support for Whirlpool was removed. Applications still using
this should honor OPENSSL_NO_WHIRLPOOL.
- Removed workaround for F5 middle boxes.
- Removed the useless pem2.h, a public header that was added
since it was too hard to add a single prototype to one file.
- Removed conf_api.h and the public API therein.
- Removed ssl2.h, ssl23.h and ui_compat.h.
- Numerous conf and attribute functions were removed. Some
unused types were removed, others were made opaque.
- Removed the deprecated HMAC_Init() function.
- Removed OPENSSL_load_builtin_modules().
- Removed X509_REQ_{get,set}_extension_nids().
- X509_check_trust() and was removed, X509_VAL was made opaque.
- Only specified versions can be set on certs, CRLs and CSRs.
- Removed unused PEM_USER and PEM_CTX types from pem.h.
- Removed typedefs for COMP_CTX, COMP_METHOD, X509_CRL_METHOD,
STORE, STORE_METHOD, and SSL_AEAD_CTX.
- i2d_ASN1_OBJECT() now returns -1 on error like most other
i2d_*.
- SPKAC support was removed from openssl(1).
- Added TLS1-PRF support to the EVP interface.
- Support for attributes in EVP_PKEYs was removed.
- The X509at_* API is no longer public.
- SSL_CTX_set1_cert_store() and
SSL_CIPHER_get_handshake_digest() were added to libssl.
- The completely broken UI_UTIL password API was removed.
- The OpenSSL pkcs12 command and PKCS12_create() no longer
support setting the Microsoft-specific Local Key Set and
Cryptographic Service Provider attributes.
o Bug fixes
- Made ASN1_TIME_set_string() and ASN1_TIME_set_string_X509()
match their documentation. They always set an RFC 5280
conformant time.
- Improved standards compliance for supported groups and key
shares extensions:
- Duplicate key shares are disallowed.
- Duplicate supported groups are disallowed.
- Key shares must be sent in the order of supported groups.
- Key shares will only be selected if they match the most
preferred supported group by client preference order.
- Fixed signed integer overflow in bnrand().
- Prevent negative zero from being created via BN_clear_bit()
and BN_mask_bits(). Avoids a one byte overread in
BN_bn2mpi().
- Add guard to avoid contracting the number linear hash buckets
to zero, which could lead to a crash due to accessing a zero
sized allocation.
- Fixed i2d_ASN1_OBJECT() with an output buffer pointing to
NULL.
- Implemented RSA key exchange in constant time. This is done
by decrypting with RSA_NO_PADDING and checking the padding in
libssl in constant time. This is possible because the
pre-master secret is of known length based on the size of the
RSA key.
- Rewrote SSL_select_next_proto() using CBS, also fixing a
buffer overread that wasn't reachable when used as intended
from an ALPN callback.
- Avoid pushing a spurious error onto the error stack in
ssl_sigalg_select().
- Made fatal alerts fatal in QUIC.
- OpenSSH 9.8 and OpenSSH 9.9
o Security fixes
- Fix a critical race condition in sshd(8) that could be used
to obtain remote code execution.
- Fix a logic error in ssh(1) that rendered the
ObscureKeystrokeTiming option ineffective.
o New features
- ssh(1) and sshd(8) now support a new hybrid post-Quantum key
exchange algorithm "mlkem768x25519-sha256" based on the
recently-standardised FIPS 203 Module-Lattice Key
Encapsulation Mechanism (ML-KEM) with ECDH using the X25519
group.
- Support for DSA keys is now disabled at compile time in all
OpenSSH tools.
- Support for pre-authentication compression has been removed
from ssh(1) (it was removed from the server a long time ago).
- The existing default post-quantum key exchange
"sntrup761x25519-sha512@openssh.com" is now significantly
faster in both ssh(1) and sshd(8), and is now available under
the assigned name "sntrup761x25519-sha512".
- Split sshd(8) into two separate processes: a listener binary
and a new sshd-session binary that handles each connection.
- sshd(8) will now penalise clients that connect without
completing authentication, crash the server or perform other
unwelcome activities. This behaviour is controlled via the
PerSourcePenalties and PerSourcePenaltyExemptList
sshd_config(5) options.
- ssh(1) now allows the HostkeyAlgorithms option to disable the
implicit fallback from certificate host keys to plain host
keys.
- The ssh_config(5) Include directive can now expand
environment variables as well as the same set of %-tokens
that are accepted for "Match Exec".
- Add a new RefuseConnection directive to ssh_config(5) that
will cause the connection to be immediately refused, and a
corresponding "refuseconnection" penalty class that allows
clients that have connections so refused to be penalised.
- Add a new sshd_config(5) "invalid-user" Match predicate that
allows matching on invalid usernames, e.g. to allow
penalisation of account/password guessers.
- Add additional protection to private keys from being included
in core dumps.
o Bugfixes
- Many bugfixes. Please see the release notes at
https://www.openssh.com/releasenotes.html#9.9 for the full
list.
- Ports and packages:
o Pre-built packages are available for the following architectures on
the day of release:
- aarch64 (arm64): 12148
- amd64: 12312
- i386: 10534
- mips64: 8629
- powerpc64: 8314
- sparc64: 8797
o Packages for the following architectures will be made available as
their builds complete:
- arm
- powerpc
- riscv64
- Some highlights:
o Asterisk 16.30.1, 18.24.3 and o Mozilla Firefox 130.0.1 and
20.9.3 ESR 128.2.0
o Audacity 3.6.3 o Mozilla Thunderbird 128.2.3
o CMake 3.30.1 o Mutt 2.2.13 and NeoMutt 20240425
o Chromium 128.0.6613.137 o Node.js 20.17.0
o Emacs 29.4 o OCaml 4.14.2
o FFmpeg 4.4.5 o OpenLDAP 2.6.8
o GCC 8.4.0 and 11.2.0 o PHP 8.1.29, 8.2.23 and 8.3.11
o GHC 9.6.6 o Postfix 3.9.0
o GNOME 46 o PostgreSQL 16.4
o Go 1.23.1 o Python 2.7.18 and 3.11.10
o JDK 8u402, 11.0.24, 17.0.12 o Qt 5.15.13 (+ kde patches) and
and 21.0.4 6.6.3
o KDE Applications 24.05.2 o R 4.4.1
o KDE Frameworks 6.5.0 o Ruby 3.1.6, 3.2.5 and 3.3.5
o KDE Plasma 6.1.4 o Rust 1.81.0
o Krita 5.2.3 o SQLite 3.44.2
o LLVM/Clang 13.0.0, 16.0.6 and o Shotcut 24.04.28
17.0.6 o Sudo 1.9.15.5
o LibreOffice 24.8.1.2 o Suricata 7.0.6
o Lua 5.1.5, 5.2.4, 5.3.6 and o Tcl/Tk 8.5.19 and 8.6.13
5.4.7 o TeX Live 2023
o MariaDB 10.9.8 o Vim 9.1.707 and Neovim 0.10.1
o Mono 6.12.0.199 o Xfce 4.18.1
- As usual, steady improvements in manual pages and other documentation.
- The system includes the following major components from outside suppliers:
o Xenocara (based on X.Org 7.7 with xserver 21.1.13 + patches,
freetype 2.13.2, fontconfig 2.14.2, Mesa 23.3.6, xterm 393,
xkeyboard-config 2.20, fonttosfnt 1.2.3, and more)
o LLVM/Clang 16.0.6 (+ patches)
o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
o Perl 5.38.2 (+ patches)
o NSD 4.9.1
o Unbound 1.21.0
o Ncurses 6.4
o Binutils 2.17 (+ patches)
o Gdb 6.3 (+ patches)
o Awk July 28, 2024 version
o Expat 2.6.3
o zlib 1.3.1 (+ patches)
------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------
We provide patches for known security threats and other important
issues discovered after each release. Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible. Therefore, we advise regular
visits to
https://www.OpenBSD.org/security.html
and
https://www.OpenBSD.org/errata.html
------------------------------------------------------------------------
- MAILING LISTS AND FAQ ------------------------------------------------
Mailing lists are an important means of communication among users and
developers of OpenBSD. For information on OpenBSD mailing lists, please
see:
https://www.OpenBSD.org/mail.html
You are also encouraged to read the Frequently Asked Questions (FAQ) at:
https://www.OpenBSD.org/faq/
------------------------------------------------------------------------
- DONATIONS ------------------------------------------------------------
The OpenBSD Project is a volunteer-driven software group funded by
donations. Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others. This ecosystem is all handled under the same funding umbrella.
We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon
events.
All of our developers strongly urge you to donate and support our future
efforts. Donations to the project are highly appreciated, and are
described in more detail at:
https://www.OpenBSD.org/donations.html
------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------
For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts. In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.
There may also be exposure benefits since the Foundation may be
interested in participating in press releases. In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at directors@openbsdfoundation.org for
more information.
------------------------------------------------------------------------
- HTTPS INSTALLS -------------------------------------------------------
OpenBSD can be easily installed via HTTPS downloads. Typically you need
a single small piece of boot media (e.g., a USB flash drive) and then
the rest of the files can be installed from a number of locations,
including directly off the Internet. Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTPS.
1) Read either of the following two files for a list of HTTPS mirrors
which provide OpenBSD, then choose one near you:
https://www.OpenBSD.org/ftp.html
https://ftp.openbsd.org/pub/OpenBSD/ftplist
As of October 8, 2024, the following HTTPS mirror sites have the
7.6 release:
https://cdn.openbsd.org/pub/OpenBSD/7.6/ Global
https://ftp.eu.openbsd.org/pub/OpenBSD/7.6/ Stockholm, Sweden
https://ftp.hostserver.de/pub/OpenBSD/7.6/ Frankfurt, Germany
https://ftp.bytemine.net/pub/OpenBSD/7.6/ Oldenburg, Germany
https://ftp.fr.openbsd.org/pub/OpenBSD/7.6/ Paris, France
https://mirror.aarnet.edu.au/pub/OpenBSD/7.6/ Brisbane, Australia
https://ftp.usa.openbsd.org/pub/OpenBSD/7.6/ CO, USA
https://ftp5.usa.openbsd.org/pub/OpenBSD/7.6/ CA, USA
https://mirror.esc7.net/pub/OpenBSD/7.6/ TX, USA
https://openbsd.cs.toronto.edu/pub/OpenBSD/7.6/ Toronto, Canada
https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.6/ Global
https://fastly.cdn.openbsd.org/pub/OpenBSD/7.6/ Global
The release is also available at the master site:
https://ftp.openbsd.org/pub/OpenBSD/7.6/ Alberta, Canada
However it is strongly suggested you use a mirror.
Other mirror sites may take a day or two to update.
2) Connect to that HTTPS mirror site and go into the directory
pub/OpenBSD/7.6/ which contains these files and directories.
This is a list of what you will see:
ANNOUNCEMENT armv7/ octeon/ root.mail
README hppa/ openbsd-76-base.pub sparc64/
SHA256 i386/ packages/ src.tar.gz
SHA256.sig landisk/ packages-stable/ sys.tar.gz
alpha/ loongson/ ports.tar.gz xenocara.tar.gz
amd64/ luna88k/ powerpc64/
arm64/ macppc/ riscv64/
It is quite likely that you will want at LEAST the following
files which apply to all the architectures OpenBSD supports.
README - generic README
root.mail - a copy of root's mail at initial login.
(This is really worthwhile reading).
3) Read the README file. It is short, and a quick read will make
sure you understand what else you need to fetch.
4) Next, go into the directory that applies to your architecture,
for example, amd64. This is a list of what you will see:
BOOTIA32.EFI* bsd* floppy76.img pxeboot*
BOOTX64.EFI* bsd.mp* game76.tgz xbase76.tgz
BUILDINFO bsd.rd* index.txt xfont76.tgz
INSTALL.amd64 cd76.iso install76.img xserv76.tgz
SHA256 cdboot* install76.iso xshare76.tgz
SHA256.sig cdbr* man76.tgz
base76.tgz comp76.tgz miniroot76.img
If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
and install76.iso. The install76.iso file (roughly 702MB in size)
is a one-step ISO-format install CD image which contains the various
*.tgz files so you do not need to fetch them separately.
If you prefer to use a USB flash drive, fetch install76.img and
follow the instructions in INSTALL.amd64.
5) If you are an expert, follow the instructions in the file called
README; otherwise, use the more complete instructions in the
file called INSTALL.amd64. INSTALL.amd64 may tell you that you
need to fetch other files.
6) Just in case, take a peek at:
https://www.OpenBSD.org/errata.html
This is the page where we talk about the mistakes we made while
creating the 7.6 release, or the significant bugs we fixed
post-release which we think our users should have fixes for.
Patches and workarounds are clearly described there.
------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------
X.Org has been integrated more closely into the system. This release
contains X.Org 7.7. Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc. During installation, you can install X.Org
quite easily using xenodm(1), our simplified X11 display manager forked
from xdm(1).
------------------------------------------------------------------------
- PACKAGES AND PORTS ---------------------------------------------------
Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures. Please see https://www.openbsd.org/faq/faq15.html for
more information on working with packages and ports.
Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed
separately.
------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------
The source code for all four subsystems can be found in the
pub/OpenBSD/7.6/ directory:
xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz
The README (https://ftp.OpenBSD.org/pub/OpenBSD/7.6/README) file
explains how to deal with these source files.
------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------
Ports tree and package building by Jeremie Courreges-Anglas,
Visa Hankala, Stuart Henderson, Peter Hessler, George Koehler,
Kurt Mosiejczuk, and Christian Weisgerber. Base and X system builds by
Kenji Aoyama, Theo de Raadt, and Miod Vallat. Release art by
Sue Doeksen.
We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use. We would also like
to thank those who bought our previous CD sets. Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.
Our developers are:
Aaron Bieber, Adam Wolk, Aisha Tammy, Alexander Bluhm,
Alexander Hall, Alexandr Nedvedicky, Alexandr Shadchin,
Alexandre Ratchov, Andrew Fresh, Anil Madhavapeddy,
Anthony J. Bentley, Antoine Jacoutot, Anton Lindqvist, Asou Masato,
Ayaka Koshibe, Benoit Lecocq, Bjorn Ketelaars, Bob Beck,
Brandon Mercer, Brent Cook, Brian Callahan, Bryan Steele,
Can Erkin Acar, Caspar Schutijser, Charlene Wendling,
Charles Longeau, Chris Cappuccio, Christian Weisgerber,
Christopher Zimmermann, Claudio Jeker, Dale Rahn, Damien Miller,
Daniel Dickman, Daniel Jakots, Darren Tucker, Dave Voutila,
David Coppa, David Gwynne, David Hill, Denis Fondras, Edd Barrett,
Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus,
George Koehler, Gerhard Roth, Giannis Tsaraias, Gilles Chehade,
Giovanni Bechis, Gleydson Soares, Gonzalo L. Rodriguez, Greg Steuck,
Helg Bredow, Henning Brauer, Ian Darwin, Ian Sutton, Igor Sobrado,
Ingo Feinerer, Ingo Schwarze, Inoguchi Kinichiro, James Hastings,
James Turner, Jan Klemkow, Jason McIntyre,
Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans,
Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray,
Jonathan Matthew, Jordan Hargrave, Josh Rickmar, Joshua Sing,
Joshua Stein, Juan Francisco Cantero Hurtado, Kazuya Goda,
Kenji Aoyama, Kenneth R Westerback, Kent R. Spillner, Kevin Lo,
Kirill Bychkov, Klemens Nanni, Kurt Miller, Kurt Mosiejczuk,
Landry Breuil, Lawrence Teo, Lucas Gabriel Vuotto, Lucas Raab,
Marcus Glocker, Mark Kettenis, Mark Lumsden, Markus Friedl,
Martijn van Duren, Martin Natano, Martin Pieuchot, Martin Reindl,
Martynas Venckus, Matthew Dempsky, Matthias Kilian, Matthieu Herrb,
Michael Mikonos, Mike Belopuhov, Mike Larkin, Miod Vallat,
Moritz Buhl, Nam Nguyen, Nayden Markatchev, Nicholas Marriott,
Nigel Taylor, Okan Demirmen, Omar Polo, Ori Bernstein,
Otto Moerbeek, Paco Esteban, Pamela Mosiejczuk, Pascal Stumpf,
Patrick Wildt, Paul Irofti, Pavel Korovin, Peter Hessler,
Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas,
Rafael Sadowski, Rafael Zalamena, Raphael Graf, Remi Locherer,
Remi Pointel, Renato Westphal, Ricardo Mestre, Richard Procter,
Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha,
Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
Solene Rapenne, Stefan Fritsch, Stefan Hagen, Stefan Kempf,
Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson,
Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler,
Theo de Raadt, Thomas Frohwein, Tim van der Molen, Tobias Heider,
Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove,
Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov,
Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Volker Schlecht,
Yasuoka Masahiko, Yojiro Uo