This selection is intended to include all important
and all user-visible changes.
For a complete record of all changes, please see the "source-changes"
mailing list, called "OpenBSD CVS"
in the archives,
or use CVS.
For changes in other releases, click below:
2.0,
2.1,
2.2,
2.3,
2.4,
2.5,
2.6,
2.7,
2.8,
2.9,
3.0,
3.1,
3.2,
3.3,
3.4,
3.5,
3.6,
3.7,
3.8,
3.9,
4.0,
4.1,
4.2,
4.3,
4.4,
4.5,
4.6,
4.7,
4.8,
4.9,
5.0,
5.1,
5.2,
5.3,
5.4,
5.5,
5.6,
5.7,
5.8,
5.9,
6.0,
6.1,
6.2,
6.3,
6.4,
6.5,
6.6,
6.7,
6.8,
6.9,
7.0,
7.2,
7.3,
7.4,
current.
Changes made between OpenBSD 7.0 and 7.1
- Moved to OpenSSH 9.0.
- Stopped suspending the tpm(4) device upon hibernation, preventing some systems from hanging when hibernating a second time.
- Fixed pfctl(8) rdr-to rules failing on certain port ranges when explicitly specified.
- Added mvpinctrl(4) support for the CP115 block found on Marvell CN9K SoCs.
- Added mvclock(4) support for the AP807 block found on Marvell CN9K SoCs.
- Fixed ure(4) vlan transmission with hw tagging.
- Added preliminary ure(4) support for RTL8156B and bug fixes for RTL8153/RTL8156.
- Fixed aq(4) occasional errors seen on rockpro64.
- Ensured azalia(4) matches on Intel 300 Series audio, fixing attaching on the Dell G3 3590.
- Stopped printing "You may wish to update your font path" with use of pkg_add(1) for paths which are under /usr/local/share/fonts.
- Implemented aplintc(4) support for multiple dies, making OpenBSD work on the M1 Ultra.
- Ensured that an interrupted arm64 install from the ramdisk kernel can be restarted.
- Added support for the sftp-server(8) "copy-data" protocol extension to allow server-side copies to be performed without going via the client.
- Added sftp(1) "cp" command which supports server-side copying of files.
- Ensured i386/amd64 machines boot from partition 'a' when selected, rather than the partition marked active.
- Reinstated a drm(4) workaround to get framebuffer size from efifb, preventing fatal errors for the BESSTAR TECH HM90 with Ryzen 9 4900H.
- Fixed glass console and getty(8) interference with Xorg on arm64.
- Added quiesce/wakeup hooks to sync vcpu state in vmm(4).
- Ensured pcap_lookupdev(3) matches only on complete interface names.
- Enabled mtw(4) on i386, macppc and arm64.
- Implemented reboot/powerdown support in aplsmc(4).
- Implemented most of CMS related checks in rpki-client(8) required by RFC 6488 section 3.
- Added fix in zlib for CLEAR_HASH macro.
- Added OSC 7 capability to tmux(1) for setting titles.
- Fixed a small ntpd(8) leak.
- Rate limit rad(8) router advertisements according to RFC 4861.
- Fixed iwm(4) 802.11ac throughput at a distance.
- Made sure nothing can map address zero on RISC-V.
- Fixed crash in slaacd(8) when receiving a negative length field for DNS labels.
- Added code to update hw.power whenever AC state changes on resume.
- Added support for XBox One game controller on usb.
- Fix IP output routines on raw sockets so route sourceaddr can take effect using sendto(2) or similar.
- Avoid calling setrtable(2) unless "rtable" is set explicitly in login.conf.
- Prevent panic in softraid(4) while rebooting if softraid has been disabled.
- Prevent announcing VHT capabilities on iwm(4) and iwx(4) for 2GHz bands during scans.
- Fixed argument list leak in scp(1).
- Enabled interrupt moderation on aq(4), aiming at around 20k per second.
- When choosing networks during SSID selection, give a higher score to 11ac and 11n access points, prioritizing 11ac.
- Fixed attach of multiple iwm(4) or iwx(4) interfaces in the same machine.
- Add initial 802.11ac support to iwm(4).
- Added 802.11ac/VHT TX rate adaptation support to the wifi stack.
- Made sure sshd(8) does not try to resolve ListenAddress when re-execing.
- Fixed ssh-keygen(1) SEGV when using -Y check-novalidate.
- New logic for pkg_add(1) to avoid excessive moving of files during updates when possible.
- Avoid legacy CSS2 syntax and use CSS3 two-value syntax in mandoc(1).
- Updated time zone database to tzdata2022a.
- Made tcpdump(8) show 802.11ac VHT capability and operation IEs in -v mode.
- Add tmux(1) option to control if it scrolls into history on clear.
- Make sure iked(8) vroute messages are correctly aligned, fixes autoconfiguration of addresses on octeon.
- Added an option in tmux(1) to set the character for unused areas of the terminal.
- Updated nsd(8) to version 4.4.0.
- Bumped LibreSSL to 3.5.2.
- Fixed reading motherboard time on Apple machines with old SMC firmware.
- Make su(1) honor the login class routing table when doing a full login with su -l.
- Fixed infinite loop in libcrypto for certain elliptic curve public key operations.
- Enabled IP header checksum offloading in ix(4).
- Changed the way $macros are expanded in bgpd.conf(5).
- Fix TX rate used by rtwn(4) and urtwn(4) for RTS frames.
- Fixed sndiod(8) crash.
- Enabled checksum offloads on aq(4).
- Added -k flag to gzip(1) and gunzip(1) to retain (de)compressed file.
- Made sure armv7,arm64 and risc-v FDT bootloader code does not write beyond the FDT data structure.
- Added 802.11ac support on iwx(4).
- Added initial 802.11ac (VHT) support to the wifi stack.
- Improved TX performance on urtwn(4) RTL8192EU devices.
- Improved message fragment retransmissions for iked(8).
- Fix crash in IPSec while doing parallel IP forwarding.
- Add missing error check for x509 constraints code in libcrypto.
- Enable vlan promisc, header stripping and vlan RX/TX offload on aq(4).
- Let unwind(8) probe for DNS64 presence with an absolute name, so asr doesn't add search domains and retry.
- Made fdisk(8) preserve the EFI System partition when auto-allocating space on GPT disks with magic Apple partitions.
- Fixed receive filter handling in aq(4).
- Fixed masked signal traps while in a debugger.
- Fixed overflow protection code in rpki-client(8).
- Enabled PL011 UART FIFO support in pluart(4).
- Fixed RISC-V lld link code when dealing with object files created with "ld -b".
- Added kernel interfaces for atomic load and store functions for int and long to be used in reference counted struct members.
- Prevented an assert in uvm_page.c when freeing an anon after swapping out its memory.
- Added mtw(4) to fw_update(8).
- Prevented aq(4) nics from writing to mbufs taken off the ring when the interface was taken down.
- Updated libexpat to 2.4.7.
- Improved roaming stability on iwn(4), particularly with wpa_supplicant.
- Switched aucat(1) internal sample representation and default file encoding to 24-bit.
- Switched sndiod(8) internal sample representation to 24-bit fixed point.
- Renamed net80211 ioctl(2) struct ieee80211_channel to struct ieee80211_chaninfo.
- Updated to xf86-video-amdgpu 22.0.0.
- Prevented a possible deadlock in cad(4).
- Made the arm64 ramdisk installer fetch bwfm(4) firmware from the EFI System Partition on Apple Silicon devices for use during installation and addition to the newly installed system.
- Added support for the BCM4387 to bwfm(4).
- Improved handling of static compressed gzip files in httpd(8).
- Added openvpn ports (udp/1194 & tcp/1194) to /etc/services.
- Added an ofw interface to write to an nvmem cell.
- Added RTC support to aplsmc(4).
- Added nvmem support to aplpmu(4) and made it available on Apple SPMI PMUs.
- Added pax(1) support for mtime/atime/ctime extended headers in !SMALL builds.
- Ensured apldart(4) keeps the DART enabled in front of the display controller to preserve its access to the framebuffer and continued display.
- Added handling for vmd(8) hitting resource limits when starting a vm and added memory error messages for the user.
- Modified aplintc(4) to support a newer interrupt controller, making OpenBSD run on M1 Pro/Max machines.
- Added rtable capability to login.conf(5).
- Provided a login class for vmd(8).
- Added mbuf tags to prevent output loops in etherip(4).
- Fixed backtraces on i386 and armv7.
- Added a gzip-static option to httpd.conf(5), allowing delivery of precompressed files with content-encoding gzip.
- Added a malloc(3) cache of regions between 128k and 2M to accommodate programs allocating and deallocating regions of these sizes quickly.
- Fixed setusercontext(3) error when /etc/login.conf is not present.
- Protected pfsync(4) tdb flags and lists with a mutex to prevent crashes involving pfsync, IPsec and parallel forwarding.
- Enabled cduart(4) on arm64.
- Released LibreSSL 3.5.0.
- Fixed kernel stack alignment on riscv64.
- Unlocked getsockname(2).
- Updated Mesa to 21.3.7.
- Updated to unbound(8) 1.15.0.
- Made it possible to bind and connect to non-default ports in bgpd.conf(5).
- Randomized the password used in fakepw in ssh(1).
- Released OpenSSH 8.9.
- Extended and reordered the process accounting information structure acct(5). Flag Day for the acct(2) file format.
- Added seq(1), a command to print sequences of numbers.
- Added new _MAXCOMLEN (a proper string expanded to 24 bytes including the NUL) to syslimits, allowing replacement of the MAXCOMLEN symbol from sys/param.h in userland.
- Updated libexpat to 2.4.6.
- Stopped hiding the mtu on "bridge" interfaces which do handle l3 traffic in ifconfig(8).
- Improved stack unwinding on riscv64 in ddb(4).
- Made audio(4) event filters MP-safe.
- In rpc.rusersd(8) unveil(2) "/dev" read-only instead of using chroot(2).
- Updated to libX11 1.7.3.1.
- Capped the daemon login class datasize at either 1G or 4G depending on the architecture and set the bgpd class datasize to either 16G or 1G.
- Made ping(8) print out the source address and sequence number when the signature on an icmp echo reply doesn't match.
- Made fw_update(8) use the /snapshots directory only on -current.
- Fixed vi(1) recovery mode.
- Added aplcpu(4), a driver to control the CPU performance levels on Apple SoCs.
- Prevented a potential crash when slaacd(8) receives more than 7 nameservers.
- Updated xorg-server to 21.1.3, leaving in place an earlier change to compute the screen resolution from dimensions returned by the screen, reverted by upstream.
- Moved to OpenBSD 7.1-beta.
- Enabled subpixel rendering in FreeType.
- Used installboot(8) in install.md for armv7.
- Made apmd(8) replace /etc/random.seed for hibernate-resumes.
- Enabled TLS verify by default for outbound "smtps://" and "smtp+tls://", restoring documented smtpd(8) behavior.
- Introduced mpfgpio(4), a driver for the PolarFire SoC MSS GPIO controller.
- If S4 is not available, use S5 for the ACPI-transitions in hibernate support.
- Corrected architecture checking to prevent partial building of binutils-2.17 on unsupported systems.
- Introduced mpfiic(4), a driver for the PolarFire SoC MSS I2C controller.
- Included minimal UBSan libraries, for runtime detection of undefined behavior.
- Correlated uaudio(4) and ucc(4) devices attached over USB in order to adjust the volume of the correct attached audio device rather than the first one attached. (Reverted 2022/03/29)
- Fixed suspend/resume issues with com(4) at acpi(4).
- Ensured the pf(4) "set prio" values are checked consistently.
- Prevented reopening of tun(4)/tap(4) interfaces which are being destroyed.
- Rewrote vxlan(4) to operate independently of bridge(4), create and bind udp sockets and prevent loops.
- Prevented tweaks to tun(4) if_flags when the NET_LOCK isn't held.
- Used fdisk(8) -b to create the desired 1MB MSDOS boot partition for macppc rather than relying on /usr/mdec/mbr.
- Added support to explicitly power on some PCIe devices on the M1 and M1 Pro/Max through a GPIO controlled by the SMC.
- Added basic GPIO support to aplsmc(4).
- Improved tracking of mbuf memory usage in the whole system.
- Made rcctl(8) look for the login class in both login.conf and login.conf.d/${class}.
- Enabled receive checksum offloading on ixl(4).
- Stopped smtpd(8) from verifying the cert or CA for a relay using opportunistic TLS.
- Updated Devel::PPPort to 3.6.4.
- Unveil(2) _PATH_LOGIN_CONF_D.
- Introduced support for storing capability databases in /etc/login.conf.d, allowing easy addition of custom login classes from packages.
- Switched to using fdisk(8) -b to create boot partitions on multiple architectures.
- Stopped unregistering firmware with fw_update(8) when the SHA256.sig cannot be fetched.
- Enabled acpibat(4) use with the Surface Go 3.
- Fixed getcap(1) -f option when passed multiple files.
- Enabled more flexible device matching for I2C devices.
- Increased armv7 ramdisk size.
- Added a CRL check for manifests to rpki-client(8).
- Re-enabled ixl(4) IPv4, TCP4/6 and UDP4/6 checksum offloading.
- Switched ssh(1) hpdelim interface to accept only ":" as a delimiter.
- Enabled hardware vlan tagging for ixl(4).
- Implemented the poll(2) system call on top of the kqueue(2) subsystem, obsoleting the old, non-MP-safe poll backend.
- Plugged a leak in libtls CRL handling.
- Reworked ix(4) checksum/vlan offloading and enabled it for IPv6.
- Added ps(1) status flag "c" to indicate a process is chrooted.
- Allowed ddb(4) trace through interrupt on macppc.
- Released rpki-client(8) 7.6.
- Allowed riscv64 installation on a disk with a GPT.
- Enabled support for displaying an estimated battery recharge time in apm(8) and apmd(8).
- Grew the dmesg(8) buffer on i386 from 4 to 8 pages.
- Enforced RFC 6384 certificate policy for RPKI in rpki-client(8).
- Moved to rpki-client(8) 7.6.
- Made fdisk(8) -A preserve BIOS boot partition.
- Used installboot(8) in riscv64 install.md.
- Added a key in tmux(1) copy mode to toggle the position indicator.
- Introduced apldma(4), a driver for the DMA controller found on Apple SoCs.
- Allowed ssh-keygen(1) -Y find-principals to match wildcard principals in allowed_signers files.
- Added a tmux(1) option to show arrows for the active pane indicator.
- Attempted to guarantee that on copy-on-write faulting, the new copy can't be written to while any thread can see the original version of the page via a not-yet-flushed stale TLB entry.
- Changed isakmpd(8) to log a warning when proto is NULL rather than dereferencing it.
- Updated libexpat to 2.4.4, fixing CVE-2022-23852 and CVE-2022-23990.
- Introduced aplnco(4), a driver for the Numerically-controlled oscillator (NCO) clock which drives the audio clocks on Apple silicon.
- Introduced tascodec(4), a driver for the TI TAS2770/TAS5770 digital audio amplifier codec found on Apple M1 Macs.
- Prevented a file descriptor leak in touch(1) after futimens(2) failure.
- Increased ddb(1) access to registers on macppc and powerpc64.
- Properly handled .mft files in rpki-client(8), preventing replay attacks using old but still valid files.
- Added a cwm(1) "group-last" command that shows only the previously active group.
- Update awk(1) to Dec 8, 2021 version.
- Allowed rsync:// URIs as files in rpki-client(8) -f mode.
- Fixed an issue where com(4) would attach for a disabled serial port leading to misdirection of the hardware variant and a subsequent hang when /etc/rc runs ttyflags(8) -a.
- Made vmm(4) dt(4) tracepoints amd64-only.
- Made fw_update(8) re-download existing files with failed checksums.
- Allowed rpki-client(8) to display more than one file in -f mode.
- Made ed(1) flush all stdio streams before running a shell command.
- Fixed and reenabled active scans on iwm(4) and iwx(4).
- Enabled dt(4) on macppc.
- Added optimization for tiny x in cos(3) and sin(3).
- Disabled assembly implementations of trig functions on x86 platforms.
- Copied the cos(3) software implementation from FreeBSD-13.
- Improved how quirks are handled on sdhc(4)-compatible drivers.
- Introduced cdsdhc(4), a driver for the Cadence SD/SDIO/eMMC host controller.
- Made transferring multiple files in scp(1) mode create the destination if it doesn't already exist.
- Updated libexpat to 2.4.3.
- Allowed more memory ranges in hibernate.
- Introduced a validated cache which holds all the files successfully verified by rpki-client(8).
- Enabled openssl(1) pkey -{,pub}check and pkeyparam -check.
- Implemented new-style OpenSSL BIO callbacks in crypto(3).
- Updated drm(4) to linux 5.15.14.
- Allowed pin-required FIDO keys to be added to ssh-agent(1).
- Made bpf(4) MP-safe.
- Implemented powerdown in arm64.
- Improved performance of rev(1).
- Set cpuspeed to 0 in apm(8) when hw.cpuspeed cannot be retrieved.
- Fixed sdhc(4) for Jasper Lake eMMC.
- Added Synopsys Designware UART support to com(4).
- Unlocked getpeername(2).
- Modified the installer to use fw_update(8) to install non-free firmware files if present on the install media.
- Added Intel Jasper Lake to azalia(4).
- Introduced aplsmc(4), a driver for the SMC found on Apple M1 SoCs.
- Fixed GOST skip certificate verify handling.
- Fixed a problem where unveil("/", "r") and unveil("usr/bin/id", "rx") cause an error when read accessing /usr/bin.
- Stopped fw_update(8) from downloading SHA256.sig when not needed, to allow installing local files without network access.
- Removed apldwusb(4).
- Fixed possible use after free with long lines in less(1).
- Applied MP-safe changes from dwge(4) to dwxe(4).
- Made ssh-keysign(8) use the requested signature algorithm and not the default for the keytype.
- Made ssh(1) UpdateHostkey signature verification logic more strict.
- Fixed sshd(8) signature algorithm selection logic for UpdateHostkeys.
- Fixed wrong pointer assignment causing the driver to read block ack request information sent by firmware from the wrong offset in iwx(4).
- Returned to a shell-script based fw_update(8), written to be usable by the install script, allowing earlier retrieval of downloaded firmwares.
- Added a basic printer for EAPOL packets to tcpdump(8).
- Changed ssh-keygen(1) to allow selection of hash algorithm at sshsig signing time.
- Fixed an ssh-keygen(1) NULL dereference when using find-principals and matching an allowed_signers line that contains a namespace restriction but no restriction specified on command line.
- Introduced mpfclock(4), a driver for the PolarFire SoC MSS clock controller.
- Fixed hibernate setups where a removed umass(4) device results in a renumbered softraid(4) device.
- Restricted the pci(4) ioctl interface to devices detected by hthe kernel, preventing Xorg PCI probes from breaking the WiFi chip on M1 macs.
- Made the dhcpleased(8) host name DHCP option configurable.
- Corrected checksums written by fdisk(8) on big-endian architectures to be little-endian as per spec.
- Rewrote arm64 kernel FPU handling code to fix the random crashes seen with SMP kernels on Apple M1.
- Added attempts to turn on less-capable mouse modes when tmux(1) turns on more-capable ones, in case the terminal doesn't support the desired mode.
- Added missing locking to pmap_extract(9) and pmap_unwire(9) on arm64 and riscv64.
- Reintroduced support for vmctl(8)
start -B net -b bsd.rd
, which emulates a PXE boot and performs an autoinstall.
- Prevented a potential race when assigning new wskbd(4) keymap.
- Fixed veb(4) vport handling to prevent improper drop of packets leaving a vport interface.
- Unlocked the bottom part of the uvm fault handler.
- Added the chip ids used on Apple M1 Pro/Max and Apple T2 Macs to bwfm(4).
- Reworked garbage collector for unix(4) sockets to prevent potential kernel panics.
- Added address locators for the ACPI "bus" and used these to fix the order of the com(4) devices to match the traditional order on the ISA bus.
- Made "set skip on ..." in pf.conf(5) dynamic.
- Allowed bare numbers for key and mouse bindings in cwm(1).
- Made uniq(1) skip() each input line only once, improving performance.
- Introduced apliic(4), a driver for the I2C controller found on various Apple SoCs.
- Protected ipsec(4) input and output with the kernel lock to allow forwarding of non-ipsec traffic in parallel.
- Disabled minimum power consumption in bwfm(4) hostap mode, improving connection reliability when used as an access point.
- Updated to nsd(8) 4.3.9.
- Made dhcpd(8) start listening on DOWN interfaces.
- Made iwm(4) attach to PCI devices with product ID 0x31dc, part of the 9560 chip family.
- Introduced mtw(4), a driver for MediaTek MT7601U wifi devices.
- Added unbound and host-bound options for ssh(1) PubkeyAuthentication for hardware devices unable to sign longer pubkey authentication challenges.
- Required host-bound userauth requests for forwarded SSH connections.
- Gave ssh-agent(1) the ability to parse [email protected] constraints and to apply them to keys.
- Made ssh-add(1) accept a list of "destination constraints" that allow restricting where keys may be used in conjunction with an ssh-agent/ssh that supports session ID/hostkey binding.
- Fixed radeondrm(4) console colors on sparc64.
- Introduced aplmbox(4), a driver for the mailbox that provides a communication channel with additional cores integrated on Apple SoCs.
- Updated to LLVM 13.0.0.
- Attached com(4) over acpi(4) on amd64.
- Added create permissions to unveil(2) on ldapd(8).
- Restricted usbhidctl(1) and usbhidaction(1) file system access with unveil(2).
- Implemented em(4) support for selecting SMGII or SerDes mode depending on the plugged-in SFP transceiver and for reading out transceiver information via ifconfig(8).
- Used "rng-seed" and "kaslr-seed" properties from the device tree to mix extra entropy into the pool for arm64.
- Added pclk clock used by dwdog(4) on RK3399 to rkclock(4).
- Increased tee(1) I/O buffer size from 8KB to 64KB.
- Added handling of multi-port controllers to uslcom(4).
- Added a pane-border-format pane option to tmux(1).
- Reduced unnecessary usage of sys/cdefs.h includes.
- Cleaned up unnecessary sys/param.h includes across the kernel and userland, replacing some macros with local copies.
- Added a "vnode" parameter to VOP_STRATEGY(9).
- Added acpipci(4) support for interrupts represented by ACPI PCI Interrupt Link Devices, making PCI interrupts work on QEMU's SBSA target.
- Fixed a potential DOS associated with BIO_indent(3) when a caller asks for a negative number of bytes of output.
- Fixed a bug where iked(8) sent zero-prefixed NAT-T messages on port 500, causing parsing errors.
- Introduced aplpmgr(4), a driver for the power management controller found on various Apple SoCs.
- Taught the net80211 stack to remove corresponding frames from ic_pwrsaveq when a power-saving client decides to leave our hostap interface, preventing a panic.
- Allowed fdisk(8) to extend the default OpenBSD partition to the end of the disk, rather than truncating at the end of the last full cylinder.
- Fixed spurious abort of a VM by vmd(8) when the scheduler moves a VM to a different core while it is sleeping on a lock.
- Fixed broken vmd(8) "boot device cdrom" feature after a fix in seabios.
- Switched iwx(4) to new -67 firmware images.
- Disabled probe requests during scans in iwx(4) again, preventing device timeouts for some devices.
- Implemented bgscan_done() handlers for iwx(4) and iwm(4).
- Introduced an optional driver-specific bgscan_done() handler which allows the driver to take control of the roaming teardown sequence, ensuring that race conditions between firmware state and net80211 state are avoided.
- Fixed an xserver 1.21.1 crash when attempting to run fvwm(1) on an x61/965gm with the modesetting driver on amd64.
- Prevented a potential race which could make umount(8) fail spuriously in the installer.
- Improved the testing of credentials against inserted FIDO keys, reducing spurious "Confirm user presence" notifications for key handles relating to FIDO keys which are not currently inserted.
- Ensured ^C may be used to kill ssh(1) sessions where SessionType=none.
- Fixed removal of SAs that could not be flushed with ipsecctl(8) -F.
- Fixed booting from an IDE block device on the Sun Blade 100.
- Prevented select(2) from blocking if registering found pending events.
- Enabled uhid(4)/fido(4) on riscv64.
- Unlocked accept(2) and accept4(2) syscalls.
- Added iked(8) -V to display the version.
- Prevented a crash in slaacd(8) due to updating an interface which no longer exists.
- Let iwx(4) and iwm(4) use per-Tx-queue interface timers to ensure timeout if a particular Tx queue gets stuck.
- Added ssh-keygen(1) -Y match-principals operation to perform matching of principals names against an allowed signers file.
- Dropped support for netscape certificates and server gated keys in openssl(1).
- Released LibreSSL 3.4.2.
- Prevented the possible creation of MBRs with overlapping partitions 0 and 3 in fdisk(8).
- Fixed a panic when running utvfu(4) on xhci(4).
- Fixed timestamp printing in Signed Certificate Timestamps.
- Switched to calculating pppoe(4) session duration using system uptime rather than UTC.
- Updated to openchrome(4) 0.6.409.
- Switched LLD_ARCHs to llvm-ar(1).
- Introduced pcyrtc(4), a driver for the NXP PCF85063A/TP RTC chips.
- Implemented RFC6840 (AD flag processing) if using trusted name servers.
- Aligned memory allocation for USB device drivers and USB HC drivers, enlarging the USB memory pool.
- Added ikectl(8) "show certinfo" to show trusted CAs and certificates.
- Introduced iicmux(4), a driver that switches between I2C busses connected to a single I2C controller by using the pin muxing facilities of an SoC.
- Made config(8) -c cmdfile use lines from the command file for all input, not just commands. This allows complex actions like changing device parameters.
- Allowed interface names as scope-id in IPv6 link-local addresses in unbound(8).
- Made futexes work in shared anonymous memory.
- Fixed monitor mode on iwm(4) and iwx(4).
- Made uniq(1) ignore trailing newlines when comparing lines.
- Fixed a crash when xrandr(1) is invoked with X server 21.1.1.
- Added display of DNS information from sppp(4) to ifconfig(8).
- Disabled active scanning on iwm(4) 9260 and 9560 to prevent a device lockup.
- Installed missing scope identifiers for IPv6 link-local addresses for unwind(8) and resolvd(8).
- Fixed hilkbd(4) Swedish keyboard layout on non-PS/2 style keyboards.
- Improved and simplified timer handling in rc.d(8) "stop" and "reload".
- Switched to using long filenames by default with mount_msdos(8) on FAT filesystems.
- Added support for controlling keyboard LEDs to aplhidev(4).
- Implemented the probe variable in bt(5).
- Updated awk(1) to the Nov 3, 2021 version.
- Added support for 40MHz channels to iwn(4).
- Reduced the time overhead of kqueue(2)-based poll(2) and select(2) systems calls by keeping knotes between the system calls.
- Made config(8) -e work with ramdisk kernels.
- Fixed crashes in httpd(8).
- Fixed iwn(4) with 4965 devices.
- Retired switch(4), switchd(8) and switchctl(8).
- Updated to Xserver(1) 21.1.1.
- Updated to libXi 1.8.
- Updated to libXfixes 6.0.0.
- Updated to xorgprotos 2021.5.
- Updated to fontconfig 2.13.94.
- Updated to Freetype 2.11.0.
- Added support for PPP IPCP extensions for DNS to sppp(4).
- Fixed broken key exchange negotiation with matching proposals in iked(8).
- Added the [email protected] hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list fo ssh_config(5) and sshd_config(5).
- Fixed ssh-keysign(8) for KEX algorithms that use SHA384/512 exchange hashes.
- Added gpiokeys(4) for arm64, a driver which handles events triggered by GPIO keys such as lid status and power button.
- Published rpki-client 7.5.
- Limited the number of publication points under a given TAL in rpki-client(8).
- Documented install.site(5), OpenBSD installation and upgrade customization.
- Fixed handling of interrupts shared between multiple swiic(4) devices.
- Allowed passing a different signal than SIGTERM in the default rc_stop() function in rc.subr(8).
- Made the kqread event filter MP-safe.
- Corrected httpd(8) version string checking, responding with 505 Version Not Supported rather than 400 Bad Request when the version format is incorrect.
- Limited the number of openrsync(1) processes being spawned by rpki-client(8) to 16.
- Fixed ASN1_TIME_diff(3) with NULL times.
- Added a cursor-style option to tmux(1).
- Fixed "(null node)" panics on run(4).
- Improved handling of FIDO keys on tokens which provide user verification on the device itself, including biometric keys.
- Corrected "!" escape handling in the installer when accepting WEP/WPA passphrase.
- Updated awk(1) to the October 12, 2021 version.
- Added uniq(1) support for arbitrarily long input lines.
- Prevented awk(1) access to uninitialized data.
- Improved SNI hostname validation.
- Stopped binding audio devices exposed by sndiod(8) to physical devices.
- Fixed "null node" panics in run(4).
- Added a cursor-colour option to tmux(1).
- Added aplhidev(4) support for the keyboard/touchpad on Apple M1 laptops.
- Enabled RFC 3779 (X.509 Extensions for IP Addresses and AS Identifiers) code in OpenSSl.
- Fixed octal escape parsing in tr(1) backslash().
- Disabled xterm(1) mouse tracking by default.
- Added aplspi(4), a driver for the SPI controller found on the Apple M1 SoC.
- Added igc(4), a driver for the Intel 2.5Gb Ethernet controllers.
- Made athn(4) attach to the Sony UWA-BR100.
- Changed sysctl(8) default to hw.perfpolicy=auto at startup, defaulting to 100% performance with AC power connected and using the auto algorithm when on battery.
- Fixed UNIX domain sockets leak in soclose().
- Updated to libepoxy 1.5.9.
- Limited rpki-client(8) HTTP requests to 2GB of data.
- Implemented openrsync(1) --max-size and --min-size.
- When downloading resident keys from a FIDO token, made ssh(1) pass back the user ID that was used when the key was created and append it to the filename the key was written to (if not the default).
- Unlocked the kevent(2) system call.
- Updated to libfido2 1.8.0.
- Made iked.conf(5) proto config option accept a list to allow specifying multiple protocols for a single policy.
- Improved unhibernate performance by skipping attach of irrelevant devices.
- Enabled vmx(4) on arm64.
- Cleaned up irrelevant uses of 3rd mode_t parameter for open(2)/openat(2), unused when not creating files.
- Ensured armv7 and arm64 efiboot allocate fresh memory for the device tree with at least one page of free space to extend into. This fixes booting on VMWare Fusion.
- Added rejection of malformed Subject Alternative Names at certificate creation time to LibreSSL.
- Added a way to force a color to RGB in tmux(1) and a format to display it.
- Fixed pfctl(8) $nr incorrect macro expansion.
- Fixed vi(1) use after free with unsaved buffer.
- Added -s and -S to tmux(1) display-popup to set popup and border style.
- Fixed application-set fg and bg in tmux(1) panes.
- Added httpd(8) custom error page facility.
- Added mount -ur/uw support to tmpfs.
- Unlocked top part of UVM fault hander on mips64.
- Used unveil(2) for the possible btrace(8) script file, dt(4) and ksyms(4) nodes.
- Used ifconfig(8) "join" command by default in hostname.if(5) files, replacing the old "nwid".
- Switched nsd(8) to enable default DNS cookies on, matching behavior as released in OpenBSD 7.0.
- Updated to nsd(8) 4.3.8.
- Implemented poll(2), select(2), ppoll(2) and pselect(2) on top of kqueue.
- Stopped prompting whether to fall back to HTTP in the installer, making the fallback automatic.
- Fixed a panic by prohibiting renames of tmpfs mount-points.
- Set klist lock for sockets to make socket event filters MP-safe.
- Made pipe event filters MP-safe.
- In httpd(8), stopped sending content alongside responses to HEAD requests.
- Stopped duplicating "Connection: close" headers in relayd(8), only adding it if it's not a websocket response.
- Provided common btrace(8) scripts kprofile.bt (to save kernel stackframes and produce flamegraphs) and runqlat.bt (to measure the latency of the scheduler runqueues).
- Added call to unveil(2) to restrict stty(1) -f filesystem access.
- Added support for tpm2 CRB interface to tpm(4), fixing recent S4 regressions on the Surface Go 2 caused by a firmware change.
- Retired asynchronous crypto API.
- Added new OpenSSL api SSL_write_ex, SSL_read_ex and SSL_peek_ex.
- Annotated an httpd(8) 413 error with "request body too large" in the error log.
- Fixed double free after allocation failure in bpf(4).
- Provided a way to determine our maximum legacy version for TLS in libssl, unbreaking RSA KEX for the TLS client when the non-version specific method is used with TLSv1.0 or TLSv1.1.
- Called pledge(2) later to prevent it from killing various games using ncurses when both stdout and stderr are redirected to a non-tty.
- Removed unusable route(8) -T and exec support from ramdisk.
- Reinstated the fips mode test functions to libcrypto.
- Added rcctl(8) "ls rogue" to show daemons which are running but not set as "enabled" in rc.conf.local(8).
- Fixed a potential buffer overflow in openssl(1) certhash.
- Renamed Pacific/Enderbury timezone to Pacific/Kanton.
- Fixed an interrupt storm on dwge(4) variants which support Energy Efficient Ethernet when connected to a switch which does so as well.
- Ensured enabled resolvers are honored by unwind(8) to keep unused forwarders disabled properly.
- Implemented rsync(1) --compare-dest, allowing specification of additional directories to check for files to be available.
- Prevented ssh(1) memory leak if getaddrinfo returns no addresses.
- Added protocol version checking to httpd(8).
- Ensured use of the correct encoding in xenocara when /etc/kbdtype is present with an attached ucc(4) keyboard.
- Removed hifn(4), safe(4) and ubsec(4) crypto drivers.
- Removed fdisk(8) "disk" editing command.
- Fixed httpd(8) to respond with 400 Bad Request when a client sends header lines without a colon.
- Bumped to LibreSSL 3.5.0.
- Added -T to set a popup title in tmux(1).
- Stopped ignoring carp(4) interfaces in dhcpleased(8).
- Removed an unused decoding of c/h/s from the MBR read from disk by fdisk(8).
- Updated to xterm(1) 369.
- Corrected installer to use "inet autoconf" properly for hostname.if(5) files.
- Returned to use of the SFTP protocol for scp(1).
- Added initial 40MHz support to the iwx(4) driver.
- Fixed a problem with repeat in tmux(1) copy mode.
- Released LibreSSL 3.4.1.
- Replaced lrint(3), lrintf(3), llrint(3) and llrintf(3) implementations from NetBSD with the existing FreeBSD implementations we were already using for lrintl(3) and llrintl(3).
- Fixed a tmux(1) redraw problem on automargin terminals.
- Modified syslog.conf(5) examples to use TLS rather than the plaintext protocols.
- Fixed file descriptor leak of /dev/tty on doas(1) auth failure.
- Added realpath(1), a wrapper for realpath(3) for use in ports.
- Enabled enforcing of RLIMIT_MEMLOCK on powerpc64.
- Reverted to use iwm(4) firmware v17 on Intel AC 7265, fixing instability issues on X1 Carbon gen3.
- Cached the old BSSID when roaming with iwx(4).
- Explicitly stopped iwx(4) Rx block ack when roaming between access points.
- Added support for 802.11n 40MHz channels to the iwm(4) driver.
- Added monitoring of 20/40MHz channel width changes in beacons sent by our access point, notifying drivers when the channel width has changed.
- Added support for 40MHz channels to net80211 RA.
- Fixed establishing legacy INTx interrupts on machines without a (usable) MSI interrupt controller.
- Merged bugfixes from upstream into less(1) including fixes for the prompt hiding feature (CTRL-P) and an integer overflow.
- Cached the old BSSID when roaming with iwm(4) so firmware commands can continue using it while roaming to a new AP.
- Stopped pkg_add(1) from communicating warnings starting with "XXX" which appeared to indicate errors.
- Ensured iwm(4) uses only the HT (high throughput) frame format for data frames.
- Allowed AUTH->AUTH state transitions in the iwm(4) and iwx(4) drivers again, needed if the access point uses band-steering.
- Removed the ifconfig(8) autoconfprivacy deprecation warning.
- Retired the Loongson platform.
- Fixed iwm(4) performance drop after roaming between APs in 11n mode.
- Applied a workaround in mvkpcie(4) to fix an external abort under load with athn(4).
- Added relicensed wireless firmwares from Realtek for rsu(4), rtwn(4) and urtwn(4) devices, allowing these devices to work without requiring a separate firmware download.
- Added a workaround for buggy athn(4) devices to prevent filling up the node cache when used in hostap mode.
- Made redistributable firmwares available across all architectures.
- Fixed memory leak in fuse(4) when calling namei(9).
- Fixed a panic when iwx(4) cannot find firmware at boot time.
- Released LibreSSL 3.3.5 and 3.2.7.
- Enabled X509_V_FLAG_TRUSTED_FIRST by default in the legacy verifier.
- Deleted expired DST Root CA X3.
- Prevented iwm(4) and iwx(4) attempts to transition toward the same state where this would result in a redundant or illegal state transition and a potential hang.
- Removed the constraint that fdisk(8) -b specified block count or block size must be greater than 63.
- Added support to pchgpio(4) for Cannon Lake H and Tiger Lake H platforms.
- Fixed a crash in tmux(1) when a session with multiple clients is destroyed but tmux does not close completely due to other sessions.
- Introduced gpiocharger(4), a driver providing support for battery chargers connected to GPIO pins, such as those found on the Pinebook Pro.
- Introduced gpioleds(4) for arm64, a driver providing support for LEDs connected to GPIO pins, such as those found on the Pinebook Pro.
- Reset the Tx timer upon validation of a BA notification sent by iwx(4) and iwm(4) firmware.
- Added support to umb(4) for SIMCom SIM7600.
- Released rpki-client 7.3.
- Removed wpath from less(1) secure mode pledge.
- Added iwx(4) Tx aggregation support.
- Added an ADDBA_OFFLOAD capability for wifi devices to manage Tx block ack sessions entirely in firmware.
- Released OpenBGPD 7.2.
- Cleared length of keys in vnconfig(8) alongside keys themselves.