OpenBSD 7.6 released, Oct 8, 2024
7 October, 2024 by deraadt@openbsd.org | openbsd
------------------------------------------------------------------------ - OpenBSD 7.6 RELEASED ------------------------------------------------- October 8, 2024. We are pleased to announce the official release of OpenBSD 7.6. This is our 57th release. We remain proud of OpenBSD's record of more than twenty years with only two remote holes in the default install. As in our previous releases, 7.6 provides significant improvements, including new features, in nearly all areas of the system. With this release all files that existed in the first commit in the OpenBSD source repository have been updated, modified or replaced at some point in time, reaching OpenBSD of Theseus. - Platforms specific improvements: o arm64: - Implemented Spectre-V4 mitigations for arm64. - Extended Spectre-BHB mitigation support to Cortex-A57. - Enable Enhanced Privileged Access Never (EPAN) when available on arm64. - Recognise Cortex-A520AE (Hayes AE) and Cortex-A720AE (Hunter AE) CPUs - Made the LEDs work on the SolidRun ClearFog CN9130 Base. - Added Qualcomm Snapdragon X Elite (X1E80100) support. - Implemented support for deeper idle states offered by PSCI, reducing idle power usage. - Populate arm64 HWCAP and HWCAP2 flags based on recognized feature bits and sanitized values of the ID register values. - Made the Samsung Galaxy Book4 Edge (x1e80100) boot in ACPI mode. - Used FEAT_RNG to feed entropy into the random subsystem on arm64 as on amd64. o amd64: - Mitigated the RFDS (Register File Data Sampling) vulnerability present in Intel Atom CPUs (requires updated firmware). - Implemented support for AVX-512. - Shortening of the dmesg(8) output by suppressing cache-info lines when they are identical to the previous CPU. - Streamlined the display of flag information of amd64 CPU flags in dmesg(8). - Added AMD Secure Encrypted Virtualization (SEV)-related information provided by cpuid to dmesg(8). - Implemented bounce buffering for AMD SEV in amd64 bus dma. - Implemented hardware masking for MSI and MSI-X on amd64. - Implemented wakeup interrupts on amd64. - Ensure that the deepest possible C-state is selected during suspend-to-idle on amd64 and i386. - Set the target ACPI to S5 when powering down amd64 (and i386) machines, rather than attempting to put devices into the D3 power state. - Prevented livelocks on amd64 by avoiding caching pages belonging to memory ranges with a 'use' count to keep low pages available and avoid their exhaustion. o riscv64: - Use SBI calls to reboot or power down when supported by firmware. - Communicate cache-coherent DMA status via DMA tag for mainbus(4). - Support for Milk-V Pioneer board. - Enabled UVM percpu cache on riscv64. o powerpc: - Exported basic HWCAP bits to let applications detect Altivec and VSX on powerpc64. - Exported basic HWCAP bits to let applications detect Altivec on powerpc. o mips64: - Enabled uvm per-cpu page cache on mips64 (as well as sparc64 and luna88k) o alpha: - Switched alpha to MI mplock code. o More platform specific changes can be found in the hardware support section below. - Various kernel improvements: o Reduced dmesg(8) output by only printing about PCI resource conflicts for resources that are enabled. o Deleted the msyscall mechanism, now replaced by the stricter mimmutable(2) and pinsyscalls(2). o Changed pledge(2), mmap(2)'s MAP_STACK and pinsyscalls(2) failures to use uprintf(9) rather than writing into dmesg(8). o Made witness(4) display lock cycles longer than two locks. o Made "show witness" display witness(4) lock subtypes in ddb(4). o Made ddb(4) print mbuf chain and packet list by implementing /c and /p modifiers in ddb show mbuf. o Repair printing of backtraces on arm64 ddb(4). o Added pathconfat(2): pathconf(2) but with at-fd and flags arguments, the latter supporting the ability to get timestamp resolution of symlinks. o Ensure that pmap_create(9) waits in the case of kernel virtual space shortage. o Made arc4random() depend on fewer subsystems by decoupling extract_entropy() from the enqueue_randomness() logic. o Ensure that concurrent calls to dequeue_randomness() will use some different events. o Work to support S0 sleep states, improving the suspend/resume experience on modern hardware. - Added an implementation of "suspend-to-idle" on amd64, enabling suspend on machines that don't support S3. - Began printing "S0ix" instead of "S0" on the acpi: sleep states line when FADT indicates FADT_POWER_S0_IDLE_CAPABLE, assuming that for these machines the vendors agree S0 suspend is as good or better than S3. - Added a temporary method to force S0 over S3 via machdep.lidaction=-1. We are not ready to choose S0-over-S3 based on the S0ix bit in FADT, but this will allow testing. - Fixed suspend/resume related bugs in many drivers. o Made exit1() wait for sysctl(2) 'allprocess' loops to prevent possible kernel crash due to concurrent process exit1(). o Prevented potential crash when fuse(4) uses the ufs inode. o Ensure that in all filesystems file names passed back by readdir name validation do not include a '/' character to avoid unexpected path traversal on untrusted file systems. o Fixed kernel crashing due to invalid printables in ELF binaries. o Increased the default buffer size for AF_UNIX from 8192 to 32768, avoiding a fatal error in sshd(8) that can be triggered when the network stack is pushed hard enough to consume most of the allowed memory. - SMP Improvements o Network - Allowed running UDP input on multiple CPU in parallel. - Made raw IPv4 and IPv6 sockets handle input in parallel. - Various improvements in the locking of unix4 and udp sockets. - Pushed socket lock down to sosend() for SOCK_RAW sockets. - Pushed socket lock down to sosend() and removed it from soreceive() paths for unix(4) sockets. - Switched AF_ROUTE sockets to the new locking scheme. - Mark the IP protocol GRE as MP safe from socket layer. - Removed kernel lock from socket splice idle timeout. - Removed kernel lock from shutdown(2) system call. - Run network protocol timer without kernel lock. TCP timers also run without kernel lock now. - Stopped using KERNEL_LOCK to protect the per process kqueue(2) list. o Sysctl - Used atomic operations to access integers in sysctl(2) making it mp-safe. - Removed net lock from sysctl(8) net.inet.ip.forwarding, net.inet6.ip6.forwarding, net.inet6.ip6.redirect, net.inet.ip.directed-broadcast. - Pushed kernel lock down to net_sysctl() to unlock uipc, bpf, pflow and pipex sysctl. - Removed kernel lock from various sysctl kern variables. o Stopped grabbing the kernel lock in kbind(2). o Added per-CPU caches to the pmemrange allocator. o Unlocked sigsuspend(2) and __thrsigdivert syscalls. o Converted SCHED_LOCK from a recursive kernel lock to a mutex. o Reworked per proc and per process time usage accounting, removing a SCHED_LOCK() dependency. - Direct Rendering Manager and graphics drivers o Updated drm(4) to Linux 6.6.52. o Support for Meteor Lake in inteldrm(4). - VMM/VMD improvements o Improve exposure of CPU features to virtual machines. o Fixed incorrect scaling when converting disk images in vmctl(8). o Dropped the vmm(4) and vmd(8) "continue" flag to simplify running a vcpu. o Added vmctl(8) "status -r" to limit the output of "vmctl status" to only running VMs. o Made vmm(4) update the host cr3 in the vmcs to allow vmx(4) to restore the proper cr3 value on the next vm exit. o Enabled AMD SEV support in vmm(4). o Added psp(4) ioctls to the "vmm" pledge to support AMD SEV and add an additional ioctl to support shutdown. o Set highest cpuid feature leaf based on host CPU in vmm(4), fixing Linux guests on older Intel hardware. o Implemented AMD SEV support in vmd(8). To enable SEV for a guest, use the parameter "sev" in the guest's vm section in vm.conf.5. o Fixed VPID leak on Intel VMX hosts. o Add ret-clean operation to interrupt dispatch assembly code. o Fixed DHCP request intercept when using local interfaces with vmd(8). - Various new userland features: o Added scandirat(3) from FreeBSD. o Added elf_aux_info(3), designed to let userland peek at AT_HWCAP and AT_HWCAP2, using an interface from FreeBSD. o Added missing function wcsnlen(3) to find length of a wide string (i.e. wcslen(3) with a max len argument). o Imported libva 2.22.0, an implementation for VA-API (video acceleration API). VA-API provides access to graphics hardware acceleration capabilities for video processing. o Added the option "-u name" to env(1) to remove a variable from the environment. - Various bugfixes and tweaks in userland: o Throughout the source tree, add missing error checks to calls of gmtime(3) and localtime(3). o Added missing error checks to all calls under libexec and sbin in case of ctime(3) and ctime_r(3) failures when timestamps are far off. o Audited programs that parse IP-adresses and replaced inet_aton(3) with better functions such as gethostbyname(3), getnameinfo(3), getaddrinfo(3), and inet_pton(3). o Added generic channel mapping in place of aucat(1) -j and -c options. o Allowed any device sample encoding in aucat(1). o Fixed a crash in sndiod(8) when the device is disconnected and the clients are not migrated to another device. o Made sndiod(8) discover new devices on SIGHUP and switch if a new device is higher priority (greater -F option number) than the current device. o Fixed sndiod(8) server.device entries disappearing when usb devices are unplugged while in use. o Fixed possible sndiod(8) crashes caused by a global table overread triggered by the client. o Switched pax(1) to write archives using the 'pax' format by default. Ramdisk versions will keep using ustar for writing. o Corrected detection of 'pax' format archives in pax(1) append mode. o Fixed a problem in pax(1) where the file list output was fully-buffered when used as part of a pipeline. o Fixed reading large pax(1) extended records. o Switched tar(1) write default format to 'pax'. o Added tar(1) -F option to select write format. o Used pathconfat(2) to compare mtimes for the pax(1) -u and -Z options when the target is "too old." o Added patch(1) "-V none" to prevent making any backups. o Fixed chroot(2) call in the lpd(8) control process. o Fixed a crash in ls(1) -l for files with bogus timestamp values. o Repaired malloc operation on systems where the malloc(3) page size is larger than the mmu page size. o In btrace(8), cache ELF .symtab, .strtab entries in sorted array to improve lookup cost from O(n) to O(lg n). o In libc, allow writing buffers larger than BUFSIZ or st_blksize, vastly improving write performance. o Made security(8) silently ignore setuid changes in relinked binaries to reduce false positives. o Added the flags NOPERM, STALLED, SWAPPABLE and DOOMED to pstat(8) -v output. o Rewrote dd(1) bytes/sec calculation to make signal handler safe on OpenBSD. o Added check in pwd_mkdb(8) preventing creation of a passwd(5) entry too large for getpwent(3). o Fixed cron(8) CVE-2024-43688: buffer underflow for very large step values. o Escaped newlines in file names in less(1). o Removed support for the less(1) LESSOPEN and LESSCLOSE environment variables. o Allowed the newsyslog(8) -F flag (Force trim logs) to be used on its own. o Added display of the current line number as percentage of the total lines in vi(1) ruler. o Ignored universal ctags extended metadata in tagaddress, making mg(1) search patterns work again. o Fixed mg(1) auto-indent-mode with custom tab widths. o Added handling for C-u modifier in M-! and M-| to mg(1). o Added an error message for sed(1) -i when the file is unwritable. o Fixed a bug in sed(1) where the pattern space is empty but does not start with a NUL character, which might occur after using the D command. o Ensure that giving UTF-8 command line arguments to apropos(1) allows searching in UTF-8 and ISO-Latin-1 encoded manual pages if the mandoc.db(5) was built makewhatis -T utf8. o Fixed a bug in mandoc(1) .Ql handling which could corrupt output. o Made gprof(1) output more compact. - Improved hardware support and driver bugfixes, including: o Added clocks for the RK3588 PWM controller to rkclock(4). o Added RK3588 TSADC clocks and resets to rkclock(4). o Added RK3588 eMMC clocks and resets to rkclock(4). o Added RK3588 support to rktemp(4). o Added support for using the power button function of the RK809 to rkpmic(4). o Added rkpmic(4) support for configuring sleep voltage settings based on device tree settings for the RK809. o Prevented rkpmic(4) power down after resume initiated by pressing the power button. o Added RK3588 support to rkusbphy(4). o Added dwmshc(4) support for the RK3588 eMMC controller. o Made the eMMC come up reliably on the RK3588 eMMC controller by resetting the status before executing a new command. o Added PCI support for ufshci(4). o Enabled UFS "Auto-Hibernation" in ufshci(4). o Added ufshci(4) support for suspend/resume. o Added hibernation support in ufshci(4). o Added ufshci(4) at fdt support, allowing boot of the Samsung Galaxy Book4 Edge in DT mode. o Fixed ufshci(4) alignment issue where a DMA transfer scheduled on an odd slot would fail. o Enabled ufshci(4) on amd64. o Added CH9102 support to uchcom(4). o Added support for the numpad on newer macppc Apple Powerbooks with ukbd(4), with Num Lock set as Fn+F6. o Added uchcom(4) support for the CH343 uart. o Prevented a hang when the nvme(4) controller has disconnected from the pcie bus. o Added support for NVMe passthrough commands to allow software to get information about nvme(4) disks. o Enabled hibernate/resume to nvme(4) disks with 4096 byte sectors. o Added bio(4) support to nvme(4). o Added nvme(4) sensors based on information in the SMART/health log page, showing overall device health and temperature. o Made acpibat(4) forward AC change notifications to acpiac(4), giving access to programs like apm(8). o Implemented sleep button and EC events as wakeup events in acpi(4). o Added qcgpio(4) support for the ACPI PCIO pins necessary to support the keyboard, touchpad and touchscreen on the Qualcomm Snapdragon X Elite (X1E80100) laptops Asus Vivobook S15 and Lenovo Yoga Slim 7x. o Made the touchpad on the Samsung Galaxy Book4 Edge work via qcgpio(4). o Added Meinberg PCI510 to mbg(4). o Introduced rpigpio(4), a driver for the RP1 GPIO controller on the Raspberry Pi 5. o Added support to have bcmpcie(4) as both PCIe bus and simplebus to enable use of the Raspberry Pi 5's RP1 I/O controller. o Fixed access to Alder Lake-N and Elkhart Lake eMMC. o Added psp(4) driver for the AMD Platform Security Processor. o Prevent a crash in the openfirmware driver if the temperature for a zone can't be read while polling it. o Implemented qcspmi(4) support for version 7 controllers. o Implemented MSI multiple-vector support in dwpcie(4). o Hooked up the Qualcomm UEFI Secure Application that handles EFI variables to efi(4) to allow access to EFI variables through ioctls on /dev/efi. o Fixed uaudio(4) failure to attach when interface number and interface index do not match and the wrong interface is claimed. o Fixed delayed level setting on audio(4) devices. o Introduced intelpmc(4), a driver for the power management controller found on various Intel SoCs. o Added battery sensors to qcpas(4). o Corrected audio drivers to inform children about suspend/resume related events. o Ensure that softraid(4) sensors are unregistered when the volumes are removed. o Fixed suspend/resume for ums(4) and umt(4). o Ensure that some Intel xhci(4) controllers fully power down by issuing a "save state" command on suspend. o Fixed xhci(4) issues after resume by giving some AMD Ryzen hHCI controllers the extra time they need to transition from D3 into D0. o Made acpi(4) use ACPI_WAK upon resume, potentially improving S3 resume on some rare machines. o Made xhci(4) restore the saved state upon resume, needed for newer Intel xHCI controllers. o Skipped Controller Save State (CSS) and Controller Restore State (CRS) on AMD 17h/1xh xHCI to avoid problem with resume after introduction of CRS to xhci(4). o Corrected dwiic(4) to inform children of suspend/resume events and prevent sub-drivers racing against dwiic hardware re-initialization. o Eliminated some resume-hangs on dwiic(4) chips. o Added missing child activate handling in iatp(4). - New or improved network hardware support: o Implemented resetting the PHY via a GPIO pin in cad(4), helping to enable the PHY on the Raspberry Pi 5. o Fixed TCP Segmentation Offload bugs in ixl(4). o Added mcx(4) support for media types from the extended Ethernet capabilities fields, fixing a gigabit SFP in the ConnectX-6 Lx. o Enabled em(4) on powerpc64. o Added VLAN hardware tagging in igc(4). o Fixed jumbo frames in igc(4) for strict alignment architectures. o Exposed igc(4) hardware counters to kstat(1). o Added support for checksum offloading to dwqe(4). o Added VLAN hardware tagging in dwqe(4). o Improved stability of dwqe(4). o Mapped MSI-X in addition to MSI and INTx on rge(4). o Fixed TX descriptors DMA syncs in rge(4). o Added rge(4) support for the Realtek RTL8126 chip. o Improved bus_dmamap_syncs for rx ring descriptors on rge(4) hardware. o Supported building a single packet out of multiple rx descriptors in rge(4). o Attempted to leave a gap on the tx ring for rge(4)/re(4) to keep entries on the ring from being overwritten, preventing confusion of the chip and the tx completion code. o Prevented VPID leakage in vmx(4) by allocating at vcpu init. o Implemented TCP Segmentation Offload in vmx(4), igc(4) and vio(4). o Implemented TCP Large Receive Offload in vmx(4) and vio(4). o Enable checksum offloading and TCP Segmentation Offload for vlan(4) via vio(4). o Improved stability of vio(4). - Added or improved wireless network drivers: o Fixed qwx(4) display in ifconfig(8) showing a mix of 802.11 modes after switching APs. o Added a reset attempt for qwx(4) devices when firmware crashes. o Made qwx(4) offload TKIP and CCMP crypto to hardware, fixing ARP and IPv6 multicast with WPA2. o Plugged a memory leak in qwx(4). o Fixed a qwx(4) interrupt storm during resume. o Fixed iwx(4) monitor mode after firmware update. o Prevented firmware panic when iwx(4) runs in monitor mode with addresses configured on the interface and leaving 11n/11ac mode directly for monitor mode. o Added support for Quectel EM060K to umb(4). o Fixed WEP on athn(4) USB hostap, preventing potential "key not installed for sw crypto" panic. - IEEE 802.11 wireless stack improvements and bugfixes: o Prevented potential firmware errors in Intel wifi drivers when APs send an ADDBA request early. - Installer, upgrade and bootloader improvements: o Implemented support for the RISC-V UEFI Boot Protocol. o Implemented the chmod a-x bsd.upgrade trick in the sparc64 ofwboot bootloader. o Added boot.conf(8) "machine idle [secs]" to halt at idle passphrase prompts for efi(4) systems. o Made installboot(8) run again after fw_update(8) on Apple silicon to pick up Apple boot firmware. o Stopped sysupgrade(8) from enforcing the next version key if installing a snapshot. o Included BUILDINFO file in the iso/img files and installed it in the miniroot if available, to be used in the future in sysupgrade(8). o Use BUILDINFO to make sure sysupgrade(8) doesn't install an older snapshot over a newer one. o Ensure that loading a device tree using the "mach dtb" command gives firmware a chance to make modifications by using the EFI devicetree fixup protocol. o Apple machines can now also use USB type-A ports for installation. - Security improvements: o Added -fret-clean option to the compiler, defaulting to off. This new option causes the caller to clean the return address off the stack after a call completes. The -fret-clean option was then enabled on amd64 for libc, libcrypto, ld.so, kernel, and all the ssh tools. o Expose branch target identification (BTI) to userland and make LLVM generate code with BTI instructions. o Enabled PAC in addition to BTI on arm64 such that JIT code matches the default branch protection provided by our base compiler. o Limit NFS connections to originate from a reserved port, but permit null requests (aka server pings) from non-reserved ports in nfs. o Made local ports bound during connect(2) unique per laddr rather than globally unique. o Enforced the pinsyscalls(2) rules on non-static/ld.so/libc.so text segments. o Added pledge and unveil to rpcinfo(8). o Added AUDIO_GETDEV ioctl to "audio" pledge(2). - New features in the network stack: o Made PPP interfaces to run in an rdomain(4) and install a default route in the same routing domain. o Introduced rport(4) for point-to-point layer 3 connectivity between routing domains. Similar to pair(4) but is more efficient as it does not add Ethernet headers. o Implement IPv6 forwarding IPsec only (sysctl net.inet6.ip6.forwarding = 2),the equivalent to net.inet.ip.forwarding = 2 for IPv4. o Added BIOCSETFNR to bpf(4), like BIOCSETF without resetting the buffer or stats. o Implemented SO_ACCEPTCONN in getsockopt(2) which can be used to check if listen(2) was called and the socket is accepting connections. - Further changes and bugfixes in the network stack: o Expose aggr(4) per port information via kstat(1). o Restrict listen(2) to sockets of type SOCK_STREAM or SOCK_SEQPACKET. o Prohibit userland changes of the interface loopback flag, preventing a potential kernel crash. o Split single TCP inpcb hash table into separate hash tables for IPv4 and IPv6, to help the ongoing work to improve SMP performance. o Use route cache function in IP input. o Implemented rule 5.5 of RFC 6724 (Default Address Selection for IPv6) to prefer addresses in a prefix advertised by the next-hop. o Stop storing full IPv6 packet in common forwarding case. Instead of storing a copy of the full IPv6 packet for the possible need to generate an ICMP6 packet. Instead only store the header. In most cases this can be kept on the stack resulting in speedup and less memory use. o Fixed bridging IPv6 fragments with pf reassembly. When output by veb(4) and bridge(4), the packets were not refragmented. o Fixed source and drain confusion in socket splicing somove(), improving performance in a corner case. o Drop packets if forwarding of IPsec packets only (sysctl net.inet.ip.forwarding = 2) is configured, but no IPsec policy is defined. o If IP forwarding is IPsec only, do not send ICMP redirect and do not accept ICMP redirect packets. - The following changes were made to the pf(4) firewall: o Added display of pf(4) fragment reassembly counters to pfctl(8) and systat(1). o Fixed pfsync(4) TCP-state not being updated for destination connection peer and reduced excessive pfsync traffic. o Allow users to define tables inside an anchor in the same way they can define global tables in pf.conf(5). Previously this required a separate pfctl -a foo -t bar invocation. - Routing daemons and other userland network improvements: o IPsec support was improved: - Added RADIUS support to iked(8), including authentication, accounting and "Dynamic Authorization Extensions" (DAE). - Fixed a bug where sasyncd(8) couldn't restore SAs. o More RADIUS changes: - In npppd(8), modified IPCP to use nameservers from RADIUS. - Added Dynamic Authorization Extensions (DAE) for RADIUS server to npppd(8). - Added support for RADIUS accounting configurable in radiusd.conf(5). - Changed radiusd.conf(5) syntax for "module" to take a {} block and "authentication" to go without. Specifying a "module" path is now optional. - Introduced radiusd_ipcp(8), a module providing IP configuration which manages the IP address pool. - Added radiusd_file(8) module, providing authentication by a local file. - Kept radiusd(8) number of requests for a DAE server below 64 to avoid congestion. - Added radiusctl(8) ipcp delete command to delete the specified session without requesting disconnection. o In bgpd(8), - Repair a withdraw desynchronization problem in bgpd(8). - Double peer description length to 64 characters. - Improve handling of bgpd AFI IPv4 sessions over IPv6 only links. - Sessions over IPv6 link-local addresses are now always considered to be connected. - Allow operators to enforce the presence of certain capabilities. - Improve capability negotiation and remove 'announce capabilities'. The 'announce capabilities [yes|no]' neighbor config option needs to be removed from configuration files. Instead individual capabilities need to be disabled. - Improve negotiation of the multi-protocol capability and the fallback to IPv4 only mode. - Mark RTR and IPv6 BGP packets with DSCP CS6 (network control). - Increase RTR PDU limit to 48k and limit number of SPAS to 10'000. - Convert the remaining session engine parsers to the new ibuf API. - Filtered prefixes are now included in the Local-RIB if the config option 'rde rib Loc-RIB include filtered' is set. - Add 'bgpctl show rib filtered' to show filtered prefixes. - Add 'min-version' RTR config option and default to RTR version 1. Set min-version to 2 to enable draft-ietf-sidrops-8210bis-14 and ASPA support or better define the ASPA table in the config. - Adjust RTR ASPA pdu parser to follow draft-ietf-sidrops-8210bis-14 - Check the max_prefix and max_out_prefix limits on config reload. - Fix race condition between TCP-MD5 key removal and session closure to ensure all messages are sent with the proper TCP-MD5 signature. - Fix 'nexthop qualify via bgp' by re-evaluating the nexthops when a BGP route is added to the FIB. - Handle the CLUSTER_LIST attribute according to RFC7606. - Fix some undefined or non-portable behaviour when handling NULL / 0-sized objects. o rpki-client(8) saw these and more changes: - Impose same-origin policy for RRDP. - Introduce tiebreaking for trust anchors. This prevents certain forms of replay attack. - Fix internal identification of CA resource certificates. - Verify self-signage for trust anchors. - Introduce a check for filenames as presented by publication points. - Improved compliance with RFCs 6487 and 8209 for certificates and CRLs. - Presence of CMS signing-time is now enforced and presence of CMS binary-signing-time is disallowed, per RFC 9589. - Lowered the maximum acceptable manifest number to 2^159 - 1. - Limit number of validated ASPAs per customer ASID. - Ensure synchronization jobs are stopped when the timeout is reached. - Fix a corner case in repository handling. If the last RRDP repository failed to load, rpki-client would fail to fall back to rsync due to an ordering bug in the event loop. - Improve detection of duplicate file paths. Only trigger a duplicate error if a valid path is revisited otherwise a bad CA could prevent legitimate files from being considered valid. - Normalize internal representation of the caRepository to have a trailing slash and ensure that the rpkiManifest is a file inside it. - Avoid a quadratic complexity issue in ibuf_realloc() due to misuse of recallocarray(). Transferring a manifest with a large FileAndHash list across a privsep boundary could cost significant resources. - RRDP sessions are periodically reinitialized to snapshot at random intervals. - Signed Prefix List statistics are now only emitted when rpki-client is run with -x. - The -r command line option formerly enabling RRDP has long been the default and is now removed. - The CRL number extension in CRLs is checked to be in the range [0..2^159-1]. The CRL number is otherwise ignored. o In smtpd(8), - Set ORIGINAL_RECIPIENT in the environment of MDA scripts for postfix compatibility. - Add documentation on the expected behaviour and environment of MDAs. - Fixed smtpd(8) IPv6 address parsing in file-backed table(5). - Added smtpd-tables(7), an API to implement table(5) for smtpd(8). - Introduced a new smtpd(8) K_AUTH service to allow offloading the credentials to a table for non-crypt(3) authentication. - Implemented smtpd(8) report response for proc-filters as with built-in filters. o Network auto configuration improvements: - Introduced dhcp6leased(8), a daemon to acquire IPv6 prefix delegations from DHCPv6 servers. - Made rad(8) honor prefixes delegated by DHCPv6. - Implemented RFC 4191 Default Router Preferences in rad(8). - Made rad(8) send source link-layer address option in router advertisements, preventing Apple devices from installing an unusable default route. - Removed dhclient(8) binary. o Many other changes in various network programs and libraries: - Audited programs that parse IP-addresses and replaced inet_aton(3) with better functions such as gethostbyname(3), getnameinfo(3), getaddrinfo(3), and inet_pton(3). - Trimmed output of whois(1) to suppress some uninformative output by default, still accessible verbatim by using whois -S. - Removed obsolete whois(1) contact handle support. - Made spamd(8) advertise SMTPUTF8 and 8BITMIME extensions in EHLO, fixing potential interoperability issues when the real MTA supports those extensions. - Prevented TOCTOU issues in httpd(8) static file serving and auto index generation. - Added a "log" option to relayd.conf(5) rules. - Made relayd(8) host handle disable/enable commands from relayctl(8) correctly in case multiple redirect instances use the same host in relayd(8) tables. - Improved config validation in relayd(8) to prevent incompatibility with the length of names of redirects and tags in pf(4). - Made ftp(1) send HTTP 'Accept */*' headers. - Made ftp(1) send Host: headers with CONNECT requests when tunneling TLS over an HTTP proxy. - Added the 2024 root zone trust anchor to unwind(8). - Made netstat(1) display statistics about expensive mbuf operations, counting operations used to allocate mbufs or copy memory when memory layout is not optimal to find possible optimizations. - tmux(1) improvements and bug fixes: o Reduced tmux(1) escape-time default to 10 milliseconds (from 500). o Added display-menu -M to tmux(1) to always turn mouse on in a menu. o Added tmux(1) option allow-set-title to forbid applications from changing the pane title. o Prevented a crash if focusing a pane in tmux(1) that is exiting. o Added "N" to search backwards in tmux(1) tree modes. o Added tmux(1) "refresh-client -r" for control mode clients to provide OSC 10 and 11 responses to tmux so they can set the default foreground and background colors. o Changed tmux(1) extended-keys behavior to allow applications to enter mode 2 but not turn extended keys off entirely. o Added a tmux(1) prefix-timeout option to allow setting a period after which to ignore the prefix key if no others are pressed. o Ignored tmux(1) mouse move keys to prevent accidental prefix cancelation. o Displayed hyperlinks in tmux(1) copy mode and added copy_cursor_hyperlink format to get the hyperlink under the cursor. o Added search_count and search_count_partial formats in tmux(1) copy mode. o Revamped tmux(1) extended keys support to more closely match xterm1 and support mode 2 as well as mode 1. o Added mirrored versions of the main-horizontal and main-vertical layouts when the tmux(1) main pane is bottom or right instead of top or left. o Allowed REP to work with Unicode characters in tmux(1). - LibreSSL version 4.0.0 o Portable changes - Added initial Emscripten support in CMake builds. - Removed timegm() compatibility layer since all uses were replaced with OPENSSL_timegm(). Cleaned up the corresponding test harness. - The mips32 platform is no longer actively supported. o Internal improvements - Cleaned up parts of the conf directory. Simplified some logic, fixed memory leaks. - Simplified X509_check_trust() internals to be somewhat readable. - Removed last internal uses of gmtime() and timegm() and replaced them with BoringSSL's POSIX time conversion API. - Removed unnecessary stat calls in by_dir. - Split parsing and processing of TLS extensions to ensure that extension callbacks are called in a predefined order. - Cleaned up the MD4 and MD5 implementations. - Assembly functions are no longer exposed in the public API, they are all wrapped by C functions. - Removed assembly implementations of legacy ciphers on legacy architectures. - Merged most multi-file implementations of ciphers into one or two C files. - Removed the cache of certificate validity. This was added for performance reasons which no longer apply since BoringSSL's time conversion API isn't slow. Also, a recently added error check led to obscure, undesirable validation failures. - Stopped calling OPENSSL_cpuid_setup() from the .init section on amd64 and i386. - Rewrote various BN conversion functions. - Improved certification request internals. - Removed unused DSA methods. - Improved X.509v3 extension internals. Fixed various bugs and leaks in X509V3_add1_i2d() and X509V3_get_d2i(). Their implementations now vaguely resemble code. - Rewrote BN_bn2mpi() using CBB. - Made most error string tables const. - Removed handling for SSLv2 client hello messages. - Improvements in the openssl(1) speed app's signal handler. - Cleaned up various X509v3_* extension API. - Unified the X.509v3 extension methods. - Cleaned up cipher handling in SSL_SESSION. - Removed get_cipher from SSL_METHOD. - Rewrote CRYPTO_EX_DATA from scratch. The only intentional change of behavior is that there is now a hard limit on the number of indexes that can be allocated. - Removed bogus connect() call from netcat. - Uses of atoi() and strtol() in libcrypto were replaced with strtonum(). - Introduced crypto_arch.h which will contain the architecture dependent code and defines rather than the public opensslconf.h. - OPENSSL_cpu_caps() is now architecture independent. - Reorganized the DES implementation to use fewer files and removed optimizations for ancient processors and compilers. o New features - Added CRLfile option to the cms command of openssl(1) to specify additional CRLs for use during verification. o Documentation improvements - Removed documentation of no longer existing API. - Unified the description of the obsolete ENGINE parameter that needs to remain in many functions and should always be NULL. o Compatibility changes - Protocol parsing in libtls was changed. The unsupported TLSv1.1 and TLSv1.0 protocols are ignored and no longer enable or disable TLSv1.2 in surprising ways. - The dangerous EVP_PKEY*_check(3) family of functions was removed. The openssl(1) pkey and pkeyparam commands no longer support the -check and -pubcheck flags. - The one-step hashing functions, MD4(), MD5(), RIPEMD160(), SHA1(), all SHA-2, and HMAC() no longer support returning a static buffer. Callers must pass in a correctly sized buffer. - Support for Whirlpool was removed. Applications still using this should honor OPENSSL_NO_WHIRLPOOL. - Removed workaround for F5 middle boxes. - Removed the useless pem2.h, a public header that was added since it was too hard to add a single prototype to one file. - Removed conf_api.h and the public API therein. - Removed ssl2.h, ssl23.h and ui_compat.h. - Numerous conf and attribute functions were removed. Some unused types were removed, others were made opaque. - Removed the deprecated HMAC_Init() function. - Removed OPENSSL_load_builtin_modules(). - Removed X509_REQ_{get,set}_extension_nids(). - X509_check_trust() and was removed, X509_VAL was made opaque. - Only specified versions can be set on certs, CRLs and CSRs. - Removed unused PEM_USER and PEM_CTX types from pem.h. - Removed typedefs for COMP_CTX, COMP_METHOD, X509_CRL_METHOD, STORE, STORE_METHOD, and SSL_AEAD_CTX. - i2d_ASN1_OBJECT() now returns -1 on error like most other i2d_*. - SPKAC support was removed from openssl(1). - Added TLS1-PRF support to the EVP interface. - Support for attributes in EVP_PKEYs was removed. - The X509at_* API is no longer public. - SSL_CTX_set1_cert_store() and SSL_CIPHER_get_handshake_digest() were added to libssl. - The completely broken UI_UTIL password API was removed. - The OpenSSL pkcs12 command and PKCS12_create() no longer support setting the Microsoft-specific Local Key Set and Cryptographic Service Provider attributes. o Bug fixes - Made ASN1_TIME_set_string() and ASN1_TIME_set_string_X509() match their documentation. They always set an RFC 5280 conformant time. - Improved standards compliance for supported groups and key shares extensions: - Duplicate key shares are disallowed. - Duplicate supported groups are disallowed. - Key shares must be sent in the order of supported groups. - Key shares will only be selected if they match the most preferred supported group by client preference order. - Fixed signed integer overflow in bnrand(). - Prevent negative zero from being created via BN_clear_bit() and BN_mask_bits(). Avoids a one byte overread in BN_bn2mpi(). - Add guard to avoid contracting the number linear hash buckets to zero, which could lead to a crash due to accessing a zero sized allocation. - Fixed i2d_ASN1_OBJECT() with an output buffer pointing to NULL. - Implemented RSA key exchange in constant time. This is done by decrypting with RSA_NO_PADDING and checking the padding in libssl in constant time. This is possible because the pre-master secret is of known length based on the size of the RSA key. - Rewrote SSL_select_next_proto() using CBS, also fixing a buffer overread that wasn't reachable when used as intended from an ALPN callback. - Avoid pushing a spurious error onto the error stack in ssl_sigalg_select(). - Made fatal alerts fatal in QUIC. - OpenSSH 9.8 and OpenSSH 9.9 o Security fixes - Fix a critical race condition in sshd(8) that could be used to obtain remote code execution. - Fix a logic error in ssh(1) that rendered the ObscureKeystrokeTiming option ineffective. o New features - ssh(1) and sshd(8) now support a new hybrid post-Quantum key exchange algorithm "mlkem768x25519-sha256" based on the recently-standardised FIPS 203 Module-Lattice Key Encapsulation Mechanism (ML-KEM) with ECDH using the X25519 group. - Support for DSA keys is now disabled at compile time in all OpenSSH tools. - Support for pre-authentication compression has been removed from ssh(1) (it was removed from the server a long time ago). - The existing default post-quantum key exchange "sntrup761x25519-sha512@openssh.com" is now significantly faster in both ssh(1) and sshd(8), and is now available under the assigned name "sntrup761x25519-sha512". - Split sshd(8) into two separate processes: a listener binary and a new sshd-session binary that handles each connection. - sshd(8) will now penalise clients that connect without completing authentication, crash the server or perform other unwelcome activities. This behaviour is controlled via the PerSourcePenalties and PerSourcePenaltyExemptList sshd_config(5) options. - ssh(1) now allows the HostkeyAlgorithms option to disable the implicit fallback from certificate host keys to plain host keys. - The ssh_config(5) Include directive can now expand environment variables as well as the same set of %-tokens that are accepted for "Match Exec". - Add a new RefuseConnection directive to ssh_config(5) that will cause the connection to be immediately refused, and a corresponding "refuseconnection" penalty class that allows clients that have connections so refused to be penalised. - Add a new sshd_config(5) "invalid-user" Match predicate that allows matching on invalid usernames, e.g. to allow penalisation of account/password guessers. - Add additional protection to private keys from being included in core dumps. o Bugfixes - Many bugfixes. Please see the release notes at https://www.openssh.com/releasenotes.html#9.9 for the full list. - Ports and packages: o Pre-built packages are available for the following architectures on the day of release: - aarch64 (arm64): 12148 - amd64: 12312 - i386: 10534 - mips64: 8629 - powerpc64: 8314 - sparc64: 8797 o Packages for the following architectures will be made available as their builds complete: - arm - powerpc - riscv64 - Some highlights: o Asterisk 16.30.1, 18.24.3 and o Mozilla Firefox 130.0.1 and 20.9.3 ESR 128.2.0 o Audacity 3.6.3 o Mozilla Thunderbird 128.2.3 o CMake 3.30.1 o Mutt 2.2.13 and NeoMutt 20240425 o Chromium 128.0.6613.137 o Node.js 20.17.0 o Emacs 29.4 o OCaml 4.14.2 o FFmpeg 4.4.5 o OpenLDAP 2.6.8 o GCC 8.4.0 and 11.2.0 o PHP 8.1.29, 8.2.23 and 8.3.11 o GHC 9.6.6 o Postfix 3.9.0 o GNOME 46 o PostgreSQL 16.4 o Go 1.23.1 o Python 2.7.18 and 3.11.10 o JDK 8u402, 11.0.24, 17.0.12 o Qt 5.15.13 (+ kde patches) and and 21.0.4 6.6.3 o KDE Applications 24.05.2 o R 4.4.1 o KDE Frameworks 6.5.0 o Ruby 3.1.6, 3.2.5 and 3.3.5 o KDE Plasma 6.1.4 o Rust 1.81.0 o Krita 5.2.3 o SQLite 3.44.2 o LLVM/Clang 13.0.0, 16.0.6 and o Shotcut 24.04.28 17.0.6 o Sudo 1.9.15.5 o LibreOffice 24.8.1.2 o Suricata 7.0.6 o Lua 5.1.5, 5.2.4, 5.3.6 and o Tcl/Tk 8.5.19 and 8.6.13 5.4.7 o TeX Live 2023 o MariaDB 10.9.8 o Vim 9.1.707 and Neovim 0.10.1 o Mono 6.12.0.199 o Xfce 4.18.1 - As usual, steady improvements in manual pages and other documentation. - The system includes the following major components from outside suppliers: o Xenocara (based on X.Org 7.7 with xserver 21.1.13 + patches, freetype 2.13.2, fontconfig 2.14.2, Mesa 23.3.6, xterm 393, xkeyboard-config 2.20, fonttosfnt 1.2.3, and more) o LLVM/Clang 16.0.6 (+ patches) o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches) o Perl 5.38.2 (+ patches) o NSD 4.9.1 o Unbound 1.21.0 o Ncurses 6.4 o Binutils 2.17 (+ patches) o Gdb 6.3 (+ patches) o Awk July 28, 2024 version o Expat 2.6.3 o zlib 1.3.1 (+ patches) ------------------------------------------------------------------------ - SECURITY AND ERRATA -------------------------------------------------- We provide patches for known security threats and other important issues discovered after each release. Our continued research into security means we will find new security problems -- and we always provide patches as soon as possible. Therefore, we advise regular visits to https://www.OpenBSD.org/security.html and https://www.OpenBSD.org/errata.html ------------------------------------------------------------------------ - MAILING LISTS AND FAQ ------------------------------------------------ Mailing lists are an important means of communication among users and developers of OpenBSD. For information on OpenBSD mailing lists, please see: https://www.OpenBSD.org/mail.html You are also encouraged to read the Frequently Asked Questions (FAQ) at: https://www.OpenBSD.org/faq/ ------------------------------------------------------------------------ - DONATIONS ------------------------------------------------------------ The OpenBSD Project is a volunteer-driven software group funded by donations. Besides OpenBSD itself, we also develop important software like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet filter, the quality work of our ports development process, and many others. This ecosystem is all handled under the same funding umbrella. We hope our quality software will result in contributions that maintain our build/development infrastructure, pay our electrical/internet costs, and allow us to continue operating very productive developer hackathon events. All of our developers strongly urge you to donate and support our future efforts. Donations to the project are highly appreciated, and are described in more detail at: https://www.OpenBSD.org/donations.html ------------------------------------------------------------------------ - OPENBSD FOUNDATION --------------------------------------------------- For those unable to make their contributions as straightforward gifts, the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian not-for-profit corporation that can accept larger contributions and issue receipts. In some situations, their receipt may qualify as a business expense write-off, so this is certainly a consideration for some organizations or businesses. There may also be exposure benefits since the Foundation may be interested in participating in press releases. In turn, the Foundation then uses these contributions to assist OpenBSD's infrastructure needs. Contact the foundation directors at directors@openbsdfoundation.org for more information. ------------------------------------------------------------------------ - HTTPS INSTALLS ------------------------------------------------------- OpenBSD can be easily installed via HTTPS downloads. Typically you need a single small piece of boot media (e.g., a USB flash drive) and then the rest of the files can be installed from a number of locations, including directly off the Internet. Follow this simple set of instructions to ensure that you find all of the documentation you will need while performing an install via HTTPS. 1) Read either of the following two files for a list of HTTPS mirrors which provide OpenBSD, then choose one near you: https://www.OpenBSD.org/ftp.html https://ftp.openbsd.org/pub/OpenBSD/ftplist As of October 8, 2024, the following HTTPS mirror sites have the 7.6 release: https://cdn.openbsd.org/pub/OpenBSD/7.6/ Global https://ftp.eu.openbsd.org/pub/OpenBSD/7.6/ Stockholm, Sweden https://ftp.hostserver.de/pub/OpenBSD/7.6/ Frankfurt, Germany https://ftp.bytemine.net/pub/OpenBSD/7.6/ Oldenburg, Germany https://ftp.fr.openbsd.org/pub/OpenBSD/7.6/ Paris, France https://mirror.aarnet.edu.au/pub/OpenBSD/7.6/ Brisbane, Australia https://ftp.usa.openbsd.org/pub/OpenBSD/7.6/ CO, USA https://ftp5.usa.openbsd.org/pub/OpenBSD/7.6/ CA, USA https://mirror.esc7.net/pub/OpenBSD/7.6/ TX, USA https://openbsd.cs.toronto.edu/pub/OpenBSD/7.6/ Toronto, Canada https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.6/ Global https://fastly.cdn.openbsd.org/pub/OpenBSD/7.6/ Global The release is also available at the master site: https://ftp.openbsd.org/pub/OpenBSD/7.6/ Alberta, Canada However it is strongly suggested you use a mirror. Other mirror sites may take a day or two to update. 2) Connect to that HTTPS mirror site and go into the directory pub/OpenBSD/7.6/ which contains these files and directories. This is a list of what you will see: ANNOUNCEMENT armv7/ octeon/ root.mail README hppa/ openbsd-76-base.pub sparc64/ SHA256 i386/ packages/ src.tar.gz SHA256.sig landisk/ packages-stable/ sys.tar.gz alpha/ loongson/ ports.tar.gz xenocara.tar.gz amd64/ luna88k/ powerpc64/ arm64/ macppc/ riscv64/ It is quite likely that you will want at LEAST the following files which apply to all the architectures OpenBSD supports. README - generic README root.mail - a copy of root's mail at initial login. (This is really worthwhile reading). 3) Read the README file. It is short, and a quick read will make sure you understand what else you need to fetch. 4) Next, go into the directory that applies to your architecture, for example, amd64. This is a list of what you will see: BOOTIA32.EFI* bsd* floppy76.img pxeboot* BOOTX64.EFI* bsd.mp* game76.tgz xbase76.tgz BUILDINFO bsd.rd* index.txt xfont76.tgz INSTALL.amd64 cd76.iso install76.img xserv76.tgz SHA256 cdboot* install76.iso xshare76.tgz SHA256.sig cdbr* man76.tgz base76.tgz comp76.tgz miniroot76.img If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64 and install76.iso. The install76.iso file (roughly 702MB in size) is a one-step ISO-format install CD image which contains the various *.tgz files so you do not need to fetch them separately. If you prefer to use a USB flash drive, fetch install76.img and follow the instructions in INSTALL.amd64. 5) If you are an expert, follow the instructions in the file called README; otherwise, use the more complete instructions in the file called INSTALL.amd64. INSTALL.amd64 may tell you that you need to fetch other files. 6) Just in case, take a peek at: https://www.OpenBSD.org/errata.html This is the page where we talk about the mistakes we made while creating the 7.6 release, or the significant bugs we fixed post-release which we think our users should have fixes for. Patches and workarounds are clearly described there. ------------------------------------------------------------------------ - X.ORG FOR MOST ARCHITECTURES ----------------------------------------- X.Org has been integrated more closely into the system. This release contains X.Org 7.7. Most of our architectures ship with X.Org, including amd64, sparc64 and macppc. During installation, you can install X.Org quite easily using xenodm(1), our simplified X11 display manager forked from xdm(1). ------------------------------------------------------------------------ - PACKAGES AND PORTS --------------------------------------------------- Many third party software applications have been ported to OpenBSD and can be installed as pre-compiled binary packages on the various OpenBSD architectures. Please see https://www.openbsd.org/faq/faq15.html for more information on working with packages and ports. Note: a few popular ports, e.g., NSD, Unbound, and several X applications, come standard with OpenBSD and do not need to be installed separately. ------------------------------------------------------------------------ - SYSTEM SOURCE CODE --------------------------------------------------- The source code for all four subsystems can be found in the pub/OpenBSD/7.6/ directory: xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz The README (https://ftp.OpenBSD.org/pub/OpenBSD/7.6/README) file explains how to deal with these source files. ------------------------------------------------------------------------ - THANKS --------------------------------------------------------------- Ports tree and package building by Jeremie Courreges-Anglas, Visa Hankala, Stuart Henderson, Peter Hessler, George Koehler, Kurt Mosiejczuk, and Christian Weisgerber. Base and X system builds by Kenji Aoyama, Theo de Raadt, and Miod Vallat. Release art by Sue Doeksen. We would like to thank all of the people who sent in bug reports, bug fixes, donation cheques, and hardware that we use. We would also like to thank those who bought our previous CD sets. Those who did not support us financially have still helped us with our goal of improving the quality of the software. Our developers are: Aaron Bieber, Adam Wolk, Aisha Tammy, Alexander Bluhm, Alexander Hall, Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov, Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot, Anton Lindqvist, Asou Masato, Ayaka Koshibe, Benoit Lecocq, Bjorn Ketelaars, Bob Beck, Brandon Mercer, Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar, Caspar Schutijser, Charlene Wendling, Charles Longeau, Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann, Claudio Jeker, Dale Rahn, Damien Miller, Daniel Dickman, Daniel Jakots, Darren Tucker, Dave Voutila, David Coppa, David Gwynne, David Hill, Denis Fondras, Edd Barrett, Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus, George Koehler, Gerhard Roth, Giannis Tsaraias, Gilles Chehade, Giovanni Bechis, Gleydson Soares, Gonzalo L. Rodriguez, Greg Steuck, Helg Bredow, Henning Brauer, Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze, Inoguchi Kinichiro, James Hastings, James Turner, Jan Klemkow, Jason McIntyre, Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans, Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray, Jonathan Matthew, Jordan Hargrave, Josh Rickmar, Joshua Sing, Joshua Stein, Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama, Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov, Klemens Nanni, Kurt Miller, Kurt Mosiejczuk, Landry Breuil, Lawrence Teo, Lucas Gabriel Vuotto, Lucas Raab, Marcus Glocker, Mark Kettenis, Mark Lumsden, Markus Friedl, Martijn van Duren, Martin Natano, Martin Pieuchot, Martin Reindl, Martynas Venckus, Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Mikonos, Mike Belopuhov, Mike Larkin, Miod Vallat, Moritz Buhl, Nam Nguyen, Nayden Markatchev, Nicholas Marriott, Nigel Taylor, Okan Demirmen, Omar Polo, Ori Bernstein, Otto Moerbeek, Paco Esteban, Pamela Mosiejczuk, Pascal Stumpf, Patrick Wildt, Paul Irofti, Pavel Korovin, Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas, Rafael Sadowski, Rafael Zalamena, Raphael Graf, Remi Locherer, Remi Pointel, Renato Westphal, Ricardo Mestre, Richard Procter, Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha, Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie, Solene Rapenne, Stefan Fritsch, Stefan Hagen, Stefan Kempf, Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler, Theo de Raadt, Thomas Frohwein, Tim van der Molen, Tobias Heider, Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove, Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov, Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Volker Schlecht, Yasuoka Masahiko, Yojiro Uo