This selection is intended to include all important
and all user-visible changes.
For a complete record of all changes, please see the "source-changes"
mailing list, called "OpenBSD CVS"
in the archives,
or use CVS.
For changes in other releases, click below:
2.0,
2.1,
2.2,
2.3,
2.4,
2.5,
2.6,
2.7,
2.8,
2.9,
3.0,
3.1,
3.2,
3.3,
3.4,
3.5,
3.6,
3.7,
3.8,
3.9,
4.0,
4.1,
4.2,
4.3,
4.4,
4.5,
4.6,
4.7,
4.8,
4.9,
5.0,
5.1,
5.2,
5.3,
5.4,
5.5,
5.6,
5.7,
5.8,
5.9,
6.0,
6.1,
6.2,
6.3,
6.4,
6.5,
6.6,
6.7,
6.8,
6.9,
7.0,
7.1,
7.3,
7.4,
current.
Changes made between OpenBSD 7.1 and 7.2
- OpenSSH version 9.1.
- Added Wacom One S (CTL-472) support to uwacom(4).
- Changed mfii(4) to allow the firmware more time to transition out of the UNDEFINED state.
- rpki-client(8) version 8.1.
- OpenBGPD version 7.7.
- Updated unbound(8) to 1.16.3.
- Updated awk(1) to the September 12, 2022 version.
- Updated libexpat to version 2.4.9.
- Fixed line length trimming in ps(1) -f mode.
- Added iked(8) connection statistics for successful and failed connections, error types, and other events that can be printed with "ikectl show stats".
- Added sftp(1) client support for "[email protected]".
- Added a "[email protected]" extension request to sftp-server(8) that allows the client to obtain user/group names that correspond to a set of uids/gids.
- Added RequiredRSASize for sshd(8). RSA keys that fail to meet this minimum length will be ignored for user and host-based authentication.
- Changed ftp(1) to use non-blocking connect(2) with ppoll(2) and timeout instead of alarm(3). This allows failing over to another IP address for hosts that have more than one.
- Changed ssh-agent(1) to attempt FIDO key signing without a PIN and use the error to determine whether a PIN is required and prompt only if necessary.
- Implemented the F_SHORTER filter in bgpd(8).
- Bumped rpki-client(8) version to 8.0.
- Adjusted rpki-client(8) chunked encoding handling.
- Allowed reading of MSR_TSC on vmm(4) Intel hosts.
- Moved the relayd(8) daemon(3) call to just before forking the children so the parent disassociates from its controlling terminal and shell, but not from its children.
- Made rpki-client(8) handle multiple X.509 locations by picking the first location and issuing a warning.
- Added apldcms(4), a driver for the touchpad on Apple M2 laptops.
- Implemented RRDP_ABORT in rpki-client(8).
- Accelerated wc(1) word counting.
- Added the recvmmsg system call that allows receiving multiple msghdrs at once.
- Added UFS2 support to landisk boot blocks.
- Made resolvd(8) write /etc/resolv.conf in a more atomic manner.
- Added softraid(4) RAID 1C boot support to sparc64.
- Made newer mime type definitions take precedence over existing ones in httpd(8).
- Fixed ssh(1) key_lookup() on tokens with built-in UV.
- Changed vmm(4) to send all port io emulation to userland.
- Added forest (-f) mode to ps(1).
- Updated awk(1) to the August 30, 2022 version.
- Added privilege separation to snmpd(8).
- Imported snmpd_metrics(8). This allows those who need to use net-snmpd the ability to access base snmpd(8) metrics.
- Added the new "configtest" action to rc.d(8).
- Stopped vnconfig(8) from printing the device name on failure.
- Changed ts(1) to parse the user format string once.
- Added qcgpio(4) and qciic(4) drivers for the Qualcomm GPIO and I2C controllers found on the SC8280XP SoC. These drivers make the keyboard, trackpoint and touchpad work on the ThinkPad X13s.
- Added apldc(4), apldchidev(4), apldckdb(4), and aplrtkit(4) to arm64. These drivers implement support for the Dockchannel-base keyboard found on Apple M2 laptops.
- Made sure only one bgpd(8) roa softreconfig runner is run at any time.
- Fixed tmux(1) window size reporting.
- Avoided a potential NULL dereference in ssl(3) ssl_set_pkey().
- Added a missing input validation step to pipex(4) mppe keylenbits.
- Added support for ASPA objects (draft-ietf-sidrops-aspa-profile-10) to rpki-client(8).
- Added initial support for mmio assist to vmd(4).
- In cases where a file in the rpki-client(8) validated cache directory is no longer valid while the newer file in the .rrdp directory is not yet valid, stopped rpki-client(8) from copying the old file over the newer file.
- Fixed the growth check in compress(1) and gzip(1) in cases of small files or files with sufficiently random data.
- Made fdisk(8) print a warning when a GPT partition start or end is outside the usable LBA area of the device.
- Changed rc.subr(8) to copy the message to stdout when using logger(1) to avoid needing to check syslog when running in debug mode.
- Fixed installboot(8) messaging when verbose (-v) and dry-run (-n) modes are combined with softraid(4).
- Fixed integer overflows in the iwm(4) and iwx(4) firmware file parsers.
- Changed the /sbin daemons dhcpleased(8), mountd(8), nfsd(8), pflogd(8), resolvd(8), slaacd(8), and unwind(8) to be dynamically linked to allow them to benefit from all the additional mitigations that dynamically linked executables gain. NFS mounting of /usr must now use statically configured IP addresses.
- Added a printed message when ld.so(1) fails inside execve(2) to clarify the failure mode when a dynamic executable is run while /usr isn't mounted.
- Updated unbound(8) to 1.16.2.
- Worked around MSI and INTx issues on the Qualcomm SC8280XP in acpipci(4). This makes the onboard nvme(4) work on the ThinkPad x13s.
- Made fdisk(8) print a warning when an MBR partition starts or extends past the end of the device.
- Updated libfido2 to 1.11.0.
- Added SPI support for interrupts on ThinkPad x13s.
- Added power button support to aplsmc(4).
- Added support for the changed layout of the "state" register on Apple's M2 SoC "Avalanche" performance cores to aplcpu(4).
- Added delay(9) implementations acpitimer_delay() and acpihpet_delay() to acpitimer(4) and acpihpet(4), respectively.
- Changed rpki-client(8) verbose filemode to print details about encapsulated certificates and allow specifying verbose filemode a second time to print in PEM format.
- Added delay_init() to provide basic delay(9) implementation management on i386 and amd64.
- Fixed a potential kernel panic when an msdosfs partition is filled by fixing instances where msdosfs passed a NULL proc pointer to detrunc().
- Added NFS client support to the luna88k RAMDISK kernel.
- Added support for agentx(3) to snmpd(8).
- Stopped building Mesa against llvm on 32-bit powerpc.
- Changed mips64, octeon, and loongson to trigger deferred clock interrupts from splx(9).
- Dropped detection code for Cyrix CPUs older than the Cyrix M2.
- Improved bioctl(8) RAID level parsing to check numeric levels before checking single character levels. This allows recognition of RAID 10 as a valid but unsupported level.
- Changed ssh(1) to attempt fido(4) key signing without a PIN and use the error code returned to fall back only if necessary. This avoids PIN prompts for FIDO tokens that don't require them.
- Added local bind mode to ypldap(8). In this mode ypldap binds its RPC sockets to loopback, so YP services are only available to the host ypldap is running on. In local bind mode one does not need to run portmap(8).
- Fixed vldc(4) event filters.
- Removed the "-c" compatibility option from vnconfig(8).
- Removed the obsolete kern.nselcoll sysctl(2).
- Solved an issue when multiple nexthops change concurrently in bgpd(8).
- Added support for booting from RAID 1C softraid(4) volumes on arm64.
- Added a notification when a paste buffer is deleted to tmux(1).
- Added a Nobr terminfo capability to tell tmux(1) the terminal does not use bright colors for bold.
- Dropped detection code for 386sx/386dx CPUs. OpenBSD/i386 hasn't actually supported running on either for some time.
- Corrected the rx data rate for rtl8192eu urtwn(4) devices.
- Added support for booting from RAID 1C softraid(4) volumes on amd64.
- Fixed a race between pflow_output_process() and pflow_clone_destroy() in pflow(4).
- Fixed Xorg(1) when using the luna88k 1bpp framebuffer hardware.
- Added support to sftp-server(8) for the home-directory extension defined in draft-ietf-secsh-filexfer-extensions-00.
- Simplified TSC synchronization testing on amd64.
- Fixed overflow of the number of errors in renice(8) by setting error instead of incrementing it.
- Corrected handling of an abnormal fastcgi termination in httpd(8).
- Added vi(1) Home/End bindings to tmux(1).
- Made the UTC timezone acceptable for certificate validity intervals, sshsig verification times, and authorized_keys expiry-time options by suffixing dates/times with a 'Z' character for sshd(8) and ssh-keygen(1). Also added certificate validity intervals specified in raw seconds-since-epoch as a hex value (e.g. "-V 0x1234:0x4567890") to ssh-keygen(1).
- Allowed spdmem(4) to attach to gdiumiic(4).
- Disallowed the AS Resources extension on ROA EE certificates for rpki-client(8).
- Added iic(4) at glxpcib(4) to get spdmem(4) to attach on 2F-based loongson systems.
- Prevented mandoc(1) from turning breakable hyphens in segment identifiers into underscores.
- Made putenv(3) return an error if the string starts with the '=' character. This matches the behavior on FreeBSD and NetBSD.
- Added seconds to the uptime display of top(1).
- Set the default openrsync(1) connection timeout that rpki-client(8) uses to 15 seconds.
- Updated libxcvt to 0.1.2.
- Added display of an error with the failing path if the xterm(1) unveil(2) fails.
- Added a slowcgi(8) -t flag to change the request timeout.
- Added support for wildcards in fw_update(8) patterns.
- Corrected sparc64 ofwboot to default to the softraid volume on the boot device to make root on softraid work out of the box on sparc64 and be more consistent with softraid boot on other architectures.
- Added aplaudio(4), a driver that ties together aplmca(4) and various codecs to present an audio(4) interface to the system.
- Added aplmca(4), a driver that controls the hardware block that takes data from apldma(4), serializes it and sends it out on the i2s ports.
- Fixed a tmux(1) crash when searching for .* with extremely long lines.
- Fixed a bug in pf(4) where a pool defined like "172.16.0.0/16" would count as a pool size of one address. Also fixed random selection of source address to be uniform across the whole pool.
- Fixed patch(1) locate-hunk in empty files.
- Fixed patch(1) in the case of reversing a patch that creates a file.
- Added connection timeout functionality to openrsync(1) via the --contimeout option.
- Added an "all" state to tmux(1) allow-passthrough to work even in invisible panes.
- Raised the "staff" login class data-size-cur on arm64 to be the same as that for amd64 in login.conf(5).
- Randomized the rekey interval of arc4random(3).
- Killed virtual address randomization for the arm64 EFI runtime.
- Enforced allowance of only one image specified for vmctl(8) create.
- Added stack frames to crypto(3) AES-NI x86_64 assembly to silence a false positive from valgrind.
- Added a "show swap" command to ddb(4) to help debugging.
- Added a "processing" message for when pkg_add(1) is transferring data to inform the user that pkg_add is still working.
- Added "show all routes" and the ability to show individual routes (e.g. "show route 0xfffffd807e9b0000") to ddb(4).
- Changed rc(8) to only attempt to set the yp(8) domainname if it has not been set yet.
- Retired identification code for Rise CPUs.
- Fixed an fdisk(8) regression to allow editing an MBR of all zeroes.
- Changed fdisk(8) to restrict user actions if neither GPT nor MBR structures can be found on the disk.
- Updated libX11 to version 1.8.1.
- Updated freetype to version 2.12.1.
- Modified pms(4) to discard relative movement packets outside of the [-127, 127] range to prevent cursor jumps when using the trackpoint on some Lenovo laptops.
- Added an OpenIKED Vendor ID payload in the iked(8) initial handshake to make it easier to handle interoperability problems with older versions in the future.
- Added support for the new DART variant found on the Apple M2 SoC.
- Moved to 7.2-beta.
- Changed ssh-keygen(1) to prompt the user for confirmation when enrolling a resident key on a security token before overwriting a key with matching application and user ID strings.
- Restrict pledge("vminfo") callers to read-only swapctl(2) operations.
- Set default sleep value of ico(1) to 10ms.
- Updated xcb-protos to version 1.15.2.
- Added handling for framebuffers where the first pixel isn't page-aligned to wsfb(4).
- Added support for using the power button to wake up from suspend to axppmic(4).
- Implemented support for framebuffers that don't start on a page boundary (like those on the new 14" and 16" Macbook Pro).
- New ypconnect(2) system call creates a socket based upon the IP address encoded directly in a locked ypbinding file, thereby removing a horrible hack to support YP lookups in programs using strong pledge(2) rules.
- Changed ypbind(8) to immediately reach out to learn the TCP port number for a remote ypserv(8) once we've learned the UDP port number and append the answer to the binding file.
- Updated xrefresh(1) to version 1.0.7.
- Updated xmessage(1) to version 1.0.6.
- Updated xmag(1) to version 1.0.7.
- Updated xkbutils(1) to version 1.0.5.
- Updated xev(1) to version 1.2.5.
- Updated xwud(1) to version 1.0.6.
- Updated xpr(1) to version 1.1.0.
- Updated xmodmap(1) to version 1.0.11.
- Updated xfontsel(1) to version 1.1.0.
- Updated xconsole(1) to version 1.0.8.
- Updated xclipboard(1) to version 1.1.4.
- Fixed an interrupt storm upon suspend on Amlogic arm64 boards.
- Added sxirintc(4), a driver for the "wake up" interrupt controller found on various Allwinner SoCs.
- Added the openssl(1) ciphers -s option to show only the ciphers supported by the specified SSL method.
- Implemented the fundamentals for suspend/resume on arm64.
- Implemented the Baillie-PSW primality test in crypto(3).
- Added an implementation of the integer square root using a variant of Newton's method with adaptive precision to crypto(3).
- Stopped building lldb(1) support libraries on arches where lldb is not installed.
- Added a method (ESC D) to enter ddb(4) on serial drivers that do not have a true BREAK mechanism.
- Bumped rpki-client(8) version to 7.9.
- Made the EFI bootloader provide the extra parameters necessary to use non-standard UARTs as console.
- Switched bootloaders to the extended BOOTARG_CONSDEV struct.
- Added send side RFC 7911 (ADD-PATH) support to bgpd(8).
- Added llvm-profdata(1) to base so that ports can benefit from profiled builds.
- Added anti-feline input protection to fdisk(8) by refusing to process input of excessive length.
- Added iked(8) support for sending certificate chains with intermediate CAs in multiple CERT payloads.
- Fixed a bug in cron(8) where it could exit silently if ppoll(2) exited. Now it will log to syslog(3) instead of stderr.
- Retired NexGen CPU identification code.
- Added support for hyperlinks with capture-pane -e and a mouse_hyperlink format to tmux(1).
- Updated capitals and countries in quiz(6).
- Got rid of mandoc(1) archaic table markup for header and footer lines in favor of flexbox CSS. Rendering now adapts to browser windows of arbitrary narrowness.
- Added xhci(4) support for the dual role controllers integrated on the Qualcomm Snapdragon 8cx gen 3 SoC.
- Improved accessibility of man.cgi(8).
- Bumped to LibreSSL 3.6.0.
- Made iked(8) ignore any CERT payload after the first rather than failing the exchange when more than one CERT payload is received.
- Updated to xorgproto version 2022.1.
- Updated to Xft(3) version 2.3.4.
- Updated to Xcursor(3) version 1.2.1.
- Made netstart(8) create virtual interfaces up front if specified on the command line.
- Implemented dig(1) support for SVCB and HTTPS record types.
- Made timeout(1) -s accept HUP like kill(1) and GNU timeout(1) do.
- Changed dhclient(8) to defer to dhcpleased(8) by doing execve ifconfig and providing syslog warnings about deprecated options.
- Made unix(4) domain sockets locking per-socket rather than coarse locking of the entire domain sockets layer.
- Fixed a bwfm(4) crash during USB detach.
- Added reference counting of vms and vcpus to vmm(4).
- Introduced a blocklist backend and keyword to snmpd(8) which deprecates filter-pf-addresses.
- Added ssl(3) checks to ensure we do not initiate or negotiate handshakes with versions below the minimum required by the security level.
- Updated to nsd(8) 4.6.0.
- Added tmux(1) support for OSC 8 hyperlinks.
- Fixed an off by one error in a vmd(8) vm memory range check.
- Added -m option to ts(1).
- Unlocked the pledge(2) system call.
- Added ts(1), a timestamp utility.
- Added support for using non-standard UARTs (such as the Synopsys DesignWare UART) as an early console.
- Added support for the Synopsys DesignWare UART found on the Ryzen Embedded V1000 SoCs to com(4).
- Ensured that uvm_swap_get() will always sleep rather than returning an error. Previously an error could be returned to the fault handler which would result in processes dying when a system was under a lot of memory pressure.
- Made the page daemon consider pmemrange regions when trying to free pages from the inactive list. Previously the page daemon could use a lot of CPU without freeing a page because the global limits were satisfied.
- Ensured progress in the swapper by pre-allocating pages in a DMA-reachable region.
- Ensure uvm_swap_io() can succeed, even in out of memory situations, by reserving a second segment for the page daemon.
- Added bgplgd(8), a fastcgi daemon that provides a REST JSON API to bgpctl(8).
- Fixed pf(4) syncookies during fast tcp port reuse.
- Altered installer behavior so the vlan(4) question won't be asked unless another network interface exists.
- Started allowing arguments to the sftp(1) -D option. (e.g. sftp -D "/usr/libexec/sftp-server -el debug3")
- Reworked the rttimer code to fix icmp_pmtu_timeout crashes.
- Introduced Large Receive Offloading of TCP segment offloading for ix(4). Also added a tso option to ifconfig(8) to enable and disable this feature.
- Unlocked kbind(2).
- Fixed a lock order reversal in nfs_inactive().
- Added support for RFC 9234 (Route Leak Prevention and Detection Using Roles) to bgpd(8).
- Allowed the pluart(4) baud rate to be changed.
- Added rpki-client(8) skiplist option.
- Fixed a panic triggered by ifconfig bnxt0 down by changing bnxt(4) devices to not run rx and tx interrupt handlers when the interface is not running.
- Fixed bwfm(4) ifconfig media display on devices with sta_info command version 3.
- Fixed missing interrupts for trackpads on some machines after resume by making sure amdgpio(4) restores pin configuration on resume.
- Implemented privilege separation in xlock(1).
- Added the --null flag to grep(1) which makes grep print an ASCII NUL byte after the file name to make the output unambiguous.
- Updated xsm(1) to version 1.0.5.
- Updated xlsfonts(1) to version 1.0.7.
- Updated xload(1) to version 1.1.4.
- Updated xedit(1) to version 1.2.3.
- Moved the wait for autoconf interfaces from rc(8) to netstart(8) to fix tunnel interfaces that depend on working autoconf interfaces.
- Updated xdpyinfo(1) to version 1.3.3.
- Updated xclock(1) to version 1.1.1.
- Updated xcalc(1) to version 1.1.1.
- Increased the disklabel(8) auto partitioner's maximum size for /usr to 30G.
- Updated xauth(1) to version 1.1.2.
- Updated setxkbmap(1) to version 1.3.3.
- Updated mkfontscale(1) to version 1.2.2.
- Updated listres(1) to version 1.0.5.
- Updated iceauth(1) to version 1.0.9.
- Updated editres(1) to version 1.0.8.
- Updated bitmap(1) to version 1.1.0.
- Updated appres(1) to version 1.0.6.
- Improved accessibility of mandoc(1) -T html -O toc output by using the <nav> element in the DPUB-ARIA doc-toc role.
- Fixed crypto(3) prime recognition when doing trial divisions.
- Fixed gzip byte counts with 32-bit integers.
- Fixed an issue where a device could show up 32 times by only probing device 0 on PCI busses corresponding to a PCIe root port or a PCIe switch/bridge downstream port.
- Bumped MAXCPUS to 256 on arm64.
- Ensured cursor remains on selected item on menu in tmux(1).
- Bumped bgpd(8) version to 7.4.
- Fixed a logic bug in pf_find_state() that could cause pf(4) to incorrectly block a packet.
- Added stftemp(4), a driver for the temperature sensor integrated on the StarFive JH7100 SoC.
- Fixed a missing kqueue(2) wakeup to fix a Go test hang.
- Implemented CPU_BUSY_CYCLE with the riscv64 ZiHintPause extension.
- Fixed bugs in the handling of tap inputs in wscons(4).
- Restored ETHERTYPE_NHRPA case to tcpdump(1).
- Added gpiorestart(4), a driver that resets a SoC/board/machine using a GPIO pin.
- Stopped refusing valid IPv6 addresses in -X connect SOCKS support of nc(1).
- Added the -b option to sysupgrade(8) to set an alternative base directory to which the installation files will be downloaded to.
- Added stfpinctrl(4), a driver for the pinctrl/gpio block found on the StarFive JH7100 SoC.
- Fixed a pf(4) NULL dereference panic triggered by relayd(8).
- Updated unbound to 1.16.0.
- Removed the unused uvm_km_valloc_prefer_wait(9) and uvm_km_free_wakeup(9) functions.
- Fixed rpki-client(8) path validation of AS numbers.
- Bumped pbuild's datasize-cur from 2G to 3G on i386.
- Added stfclock(4), a driver for the clock controller found on the StarFive JH7100 SoC.
- Imported libdrm 2.4.111.
- Matched groff behavior to allow arbitrary argument delimiters for \C in mandoc(1).
- Iterated the tied algorithm in pkg_add(1) to prevent O(n^2) behavior when packages contain several hundred copies of the same file.
- Added handling of 9k devices which do not support antenna B to iwm(4).
- Fixed multiple memory leaks in awk(1).
- Made SetEnv directives first-match-wins in both ssh_config(5) and sshd_config(5).
- Dropped DSA keys from the SSH keys generated by default by ssh-keygen -A.
- Allowed btrace(8) to execute the END probe upon receiving a SIGTERM signal.
- Changed dump(8) to not treat the first argument as a 4.3BSD option string if it contains a '/'.
- Ensured that when running sysupgrade(8) on -stable that it will move to the next release, not -current.
- Implemented and enabled IPv4, TCP, and UDP checksum offloading for igc(4).
- Enabled aq(4) on arm64.
- Implemented a rudimentary version of the roff(7)
\A
escape sequence for mandoc(1).
- Rewrote rpki-client(8) rsc.c using ASN.1 templates to implement the constrained versions of the RFC 3779 structures.
- Implemented
verify-required
certificate option in ssh-keygen(1).
- Implemented a
max-communities
filter match for bgpd.conf(5).
- Added sfgpio(4), a driver for the GPIO controller found on the SiFive FU740 SoC.
- Made grep(1) provide full context when using match count (
-m
).
- Added an ACL list for multiple users attaching to the tmux(1) socket.
- Made a first pass at providing kstats for mvneta(4) from the hardware counters.
- Limited locked memory to 64k.
- Fixed a crash in libpcap when it would walk off the end of the array performing frees.
- Made ssh(1) unconditionally call freezero(3) to guarantee that the password is removed from RAM even when sshpkt functions fail.
- Introduced a new daemon_execdir variable to rc.d(8) for changing to a specified directory before running rc_exec.
- Migrated tcpdump(8) printing of ASnumbers from the old asdot format to asplain format.
- Fixed non-transitive extended community handling in bgpd(8).
- Added RFC 9234 "BGP Role" support to tcpdump(8)
- Made mg(1) automatically delete trailing whitespace on RET in c-mode and auto-indent-mode.
- Stopped telling fdisk(8) that macppc HAS_MBR.
- Added support for the ehci(4) controller on marvell 3720 boards.
- Fixed a kernel panic in pf(4) if IP options with an ICMP payload were truncated. Such packets will now be dropped instead.
- Made xterm(1) use a much safer FD-passing idiom for updating utmp(5).
- Added kernel locking in nfsrv_rcv() because NFS subsystem is not MP-safe yet.
- Converted KVA allocation to kmalloc(9) on hppa, mips64, and sparc64.
- Repaired a FILE leak in resolvd(8).
- Replaced rc.d(8) $rcexec variable with an rc_exec function. This will require a mechanical change from
${rcexec}
to rc_exec
in rc.d scripts. Kept compatibility to give people a chance to fix their custom scripts.
- Fixed system(3) to ignore SIGINT and SIGQUIT until the shell exits.
- Made vmm(4) load the vmcs before reading vcpu registers. This fixes vmctl(8) send on Intel hosts using vmd(8).
- Changed the semantics of "hid_none" for hid_start_parse(3) to allow matching of all possible kinds of report IDs.
- Made mandoc(1)'s roff_expand() parse left-to-right rather than right-to-left.
- Fixed luna88k MULTIPROCESSOR kernels booting with CPU modules installed in arbitrary slots.
- Released LibreSSL 3.5.3.
- Boosted mvclock(4)'s priority such that it wins against syscon(4).
- Unlocked umask(2).
- Corrected veb(4) to avoid calling if_enqueue from an smr critical section.
- Added an additional vmm(4) fault type, fixing vm receive.
- Updated nsd(8) to upstream version 4.5.0.
- Corrected reorder_kernel to also handle redirecting stderr to logged output when $KERNEL_DIR.tgz exists.
- Arranged scp(1) so it won't ftruncate(2) files early when in sftp(1) mode.
- Added login.conf.d to mtree(8).
- Fixed iwx(4) setting of HT/VHT bits in rate flags of the Tx command that could cause a firmware panic.
- Added /etc/login.conf.d/* to changelist(5).
- Elminated a race condition in kqueue(2)'s knote_remove().
- Prevented use of "-u" when fdisk(8) is operating on GPT formatted disks.
- Made the CPU frequency scaling duration relative to the load when in automatic mode on battery.
- Fixed rwlock(9) implementation to be fair to writers. Previously, readers could grab the lock even if writers were waiting first.
- Aligned fdisk(8) logic with that used in the kernel to allow the protective EFI GPT partition to be in MBR partitions 0-3, not just 0.
- Added support for AX210/AX211 devices to iwx(4).
- Added preliminary support for decoding RSC objects in filemode to rpki-client(8).
- Allowed ssh-keygen(1) existing -U (use agent) flag to work with "-Y sign" operations.
- Fixed rebooting a received vm in vmd(8).
- Backported an upstream zlib fix for CRC calculation.
- Updated zlib to version 1.2.12.
- Fixed the watchdog in the installer so that the watchdog is reset after each download and each set installation.
- Added check to acme-client(1) to ensure the challenge token is turned into a filename that is base64url encoded.
- Added error handling to kbd(8) for when setting the keyboard encoding fails.
- Changed IN_EXPERIMENTAL (aka 240/4) to no longer be considered not forwardable.
- Introduced a mutex for ratecheck(9) and ppsratecheck(9).
- Imported the HDKF code from OpenSSL 1.1.1o into crypto(3).
- Bypassed rpki-client(8) timeout in file mode.
- Merged the UVM swap-backed and object-backed inactive page lists.
- Standardized memory units to bytes in vmm(4), vmctl(8), and vmd(8).
- Rate limited uvn_flush errors during pageout messages, preventing slowdown of system boot when a filesystem is full.
- Made pf(4) more paranoid about IGMP/MKP messages.
- Activated parallel IP forwarding, starting 4 softnet tasks but limiting the usage to the number of CPUs.
- Disabled bcmgenet DMA as part of hardware reset, preventing the hardware from ending up in a partially initialized state during netboot.
- Installed useful btrace(8) scripts in /usr/share/btrace.
- Prevented out-of-bounds array access with binaries that use unsupported relocations on amd64.
- Enabled running of IP input and forwarding with a shared netlock.
- Enabled pkg_add(1) caching by default.
- Updated libdrm to version 2.4.110.
- Altered sndiod(8) to wait until the buffer is drained before closing the device.
- Changed pf(4) handling of IGMP and ICMP6 MLD packets to allow multicast control packets to work by default.
- Introduced sio_flush(3) to stop playback immediately.
- Fixed a potential leak of an SK device in ssh(1).
- Fixed a memory leak on the session-bind path of ssh-agent(1).
- Protected the global lists with a mutex and moved rttimer entries into a temporary list to make route timers MP safe.
- Decoupled IP input and forwarding from protocol input to allow parallel IP processing while the upper layers are still not MP safe.
- Removed the ASN.1 decoder tag/length cache (TLC) from crypto(3).
- Added dt(4) tracepoints for vmm(4) vm exit reporting.
- Added cpu frequency sensors for each core on CPUs that have MPERF/APERF support.
- Reimplemented the page allocation code using bus_dma(9) APIs to make sure DMA addresses are translated properly on architectures with an IOMMU. This fixed amdgpu(4) and radeondrm(4) on powerpc, sparc64, and arm64 machines.
- Updated libX11 to version 1.7.5.
- Updated xterm(1) to version 372.
- Extended ksmn(4) to show CCD temperatures if available.
- Increased rx buffer size on uaq(4) to 62kB.
- Added missing uuid_dec_le() to init_fp() so fdisk(8) -A works on big-endian architectures.
- Updated vi(1) to apply expandtab to the output of a ! command.
- Protected arp(4), ND6, and pppoe(4) with the kernel lock so that IP forwarding can be run in parallel.
- Updated various wireless drivers to use memset(3) to initialize ieee80211_rxinfo struct properly.
- Prevented a crash in vi(1) when cursor key support is disabled.
- Introduced dedicated link entries for snapshots to pfsync(4).
- Repaired rge(4) hardware vlan tagging.
- Changed crypto(3) to avoid expensive RFC 3779 checks during certificate verification.
- Updated Mesa to version 21.3.8.
- Added concatenated JSON output to rpki-client(8) filemode.
- Made ssh(1) try to continue running local I/O for channels in OPEN state during transport rekeying to allow escapes to work in the client if the connection stalls during a rekey event.
- Made rpki-client(8) hard error when parse_filepath() is passed an unknown repository id.
- Restored vte(4) original MDC speed control register value on vte_reset, needed for Vortex86DX3 machines.
- Enabled kstat(4) and kstat(1).
- Fixed kbd(8) so it doesn't fail silently when executed by a regular user.
- Made device matching in iwx(4) more similar to linux iwlwifi.
- Allowed more than one CRL URI in certificates for rpki-client(8)
- Made use of the fact that repositories are unique objects in pkg_add(1) and annotated the quirks repository as cached, allowing for a large speed increase.
- Relaxed address availability check for multicast(4) binds so processes listening for the same multicast address do not need to be the same UID.
- Fixed witness lock issue found where pfsync(4) holds the mutex and an interrupt grabs the kernel lock.
- Updated afterboot(8) to direct the user to use binary packages.
- Changed to a simpler formula to calculate a default kern.maxthread value: 2*NPROCESS.
- Simplified machine command handling in ddb(4).
- Fixed openrsync(1) on sparc64 by eliminating a redundant second conversion of the int value from little to host endian.
- Extended rpki-client(8) -f filemode to decode and print TAL details.
- Changed compress(1) to print a more accurate message when -v is used with -k.
- Added missing arches (aarch64, mipsel64, powerpc64) to categories in sendbug(1).
- Fixed calculation of the width of spanned columns in mandoc(1).
- Fixed memory leak in ipmi(4) get_sdr on failure.
- Added support for more power sensors to ipmi(4).
- Added support for switching from glass console to serial console on arm64 systems that default to glass console.
- Allowed bsd.rd and bsd/bsd.mp to boot on Oracle Cloud amd64 instances.