OpenBSD 7.6 (original) (raw)

Released Oct 8, 2024. (57th OpenBSD release)Copyright 1997-2024, Theo de Raadt.Artwork by Sue Doeksen. See the information on the FTP page for a list of mirror machines.Go to the pub/OpenBSD/7.6/ directory on one of the mirror sites.Have a look at the 7.6 errata page for a list of bugs and workarounds.See a detailed log of changes between the 7.5 and 7.6 releases.signify(1) pubkeys for this release: openbsd-76-base.pub: RWTkuwn4mbq8ouJbfO4VfNH8+FdiZUosz2qIR0V0C9bm6CnVEt7CGkV0openbsd-76-fw.pub:RWTjkGqNGXmQxWRiGhZYwI3lUuv1LNutoO7ERDCfFwLB/Lkp1aCsS4QPopenbsd-76-pkg.pub:RWQnLSfWlibGntNj6cqS87rZEmqv1VWMbGSskBTuNKxiSg5hgBpTvzJzopenbsd-76-syspatch.pub:RWRzQWJ4ipcCDeYWQNJJ2gBVTP8KZTxaD0aELC/SNplE3ynVDEHWaPQR All applicable copyrights and credits are in the src.tar.gz, sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the files fetched via ports.tar.gz.

What's New

This is a partial list of new features and systems included in OpenBSD 7.6. For a comprehensive list, see the changelog leading to 7.6.

With this release all files that existed in the first commit in the OpenBSD source repository have been updated, modified or replaced at some point in time, reaching OpenBSD of Theseus.

• Platforms specific improvements:
  • arm64:
    * Implemented Spectre-V4 mitigations for arm64.
    * Extended Spectre-BHB mitigation support to Cortex-A57.
    * Enable Enhanced Privileged Access Never (EPAN) when available on arm64.
    * Recognise Cortex-A520AE (Hayes AE) and Cortex-A720AE (Hunter AE) CPUs
    * Made the LEDs work on the SolidRun ClearFog CN9130 Base.
    * Added Qualcomm Snapdragon X Elite (X1E80100) support.
    * Implemented support for deeper idle states offered by PSCI, reducing idle power usage.
    * Populate arm64 HWCAP and HWCAP2 flags based on recognized feature bits and sanitized values of the ID register values.
    * Made the Samsung Galaxy Book4 Edge (x1e80100) boot in ACPI mode.
    * Used FEAT_RNG to feed entropy into the random subsystem on arm64 as on amd64.
  • amd64:
    * Mitigated the RFDS (Register File Data Sampling) vulnerability present in Intel Atom CPUs (requires updated firmware).
    * Implemented support for AVX-512.
    * Shortening of the dmesg(8) output by suppressing cache-info lines when they are identical to the previous CPU.
    * Streamlined the display of flag information of amd64 CPU flags in dmesg(8).
    * Added AMD Secure Encrypted Virtualization (SEV)-related information provided by cpuid to dmesg(8).
    * Implemented bounce buffering for AMD SEV in amd64 bus dma.
    * Implemented hardware masking for MSI and MSI-X on amd64.
    * Implemented wakeup interrupts on amd64.
    * Ensure that the deepest possible C-state is selected during suspend-to-idle on amd64 and i386.
    * Set the target ACPI to S5 when powering down amd64 (and i386) machines, rather than attempting to put devices into the D3 power state.
    * Prevented livelocks on amd64 by avoiding caching pages belonging to memory ranges with a 'use' count to keep low pages available and avoid their exhaustion.
  • riscv64:
    * Use SBI calls to reboot or power down when supported by firmware.
    * Communicate cache-coherent DMA status via DMA tag for mainbus(4).
    * Support for Milk-V Pioneer board.
    * Enabled UVM percpu cache on riscv64.
  • powerpc:
    * Exported basic HWCAP bits to let applications detect Altivec and VSX on powerpc64.
    * Exported basic HWCAP bits to let applications detect Altivec on powerpc.
  • mips64:
    * Enabled uvm per-cpu page cache on mips64 (as well as sparc64 and luna88k)
  • alpha:
    * Switched alpha to MI mplock code.
  • More platform specific changes can be found in the hardware support section below.
• Various kernel improvements:
  • Reduced dmesg(8) output by only printing about PCI resource conflicts for resources that are enabled.
  • Deleted the msyscall mechanism, now replaced by the stricter mimmutable(2) and pinsyscalls(2).
  • Changed pledge(2), mmap(2)'s MAP_STACK and pinsyscalls(2) failures to use uprintf(9) rather than writing into dmesg(8).
  • Made witness(4) display lock cycles longer than two locks.
  • Made "show witness" display witness(4) lock subtypes in ddb(4).
  • Made ddb(4) print mbuf chain and packet list by implementing /c and /p modifiers in ddb show mbuf.
  • Repair printing of backtraces on arm64 ddb(4).
  • Added pathconfat(2): pathconf(2) but with at-fd and flags arguments, the latter supporting the ability to get timestamp resolution of symlinks.
  • Ensure that pmap_create(9) waits in the case of kernel virtual space shortage.
  • Made arc4random() depend on fewer subsystems by decoupling extract_entropy() from the enqueue_randomness() logic.
  • Ensure that concurrent calls to dequeue_randomness() will use some different events.
  • Work to support S0 sleep states, improving the suspend/resume experience on modern hardware.
    * Added an implementation of "suspend-to-idle" on amd64, enabling suspend on machines that don't support S3.
    * Began printing "S0ix" instead of "S0" on the acpi: sleep states line when FADT indicates FADT_POWER_S0_IDLE_CAPABLE, assuming that for these machines the vendors agree S0 suspend is as good or better than S3.
    * Added a temporary method to force S0 over S3 via machdep.lidaction=-1. We are not ready to choose S0-over-S3 based on the S0ix bit in FADT, but this will allow testing.
    * Fixed suspend/resume related bugs in many drivers.
  • Made exit1() wait for sysctl(2) 'allprocess' loops to prevent possible kernel crash due to concurrent process exit1().
  • Prevented potential crash when fuse(4) uses the ufs inode.
  • Ensure that in all filesystems file names passed back by readdir name validation do not include a '/' character to avoid unexpected path traversal on untrusted file systems.
  • Fixed kernel crashing due to invalid pin tables in ELF binaries.
  • Increased the default buffer size for AF_UNIX from 8192 to 32768, avoiding a fatal error in sshd(8) that can be triggered when the network stack is pushed hard enough to consume most of the allowed memory.
• SMP Improvements
  • Network
    * Allowed running UDP input on multiple CPU in parallel.
    * Made raw IPv4 and IPv6 sockets handle input in parallel.
    * Various improvements in the locking of unix4 and udp sockets.
    * Pushed socket lock down to sosend() for SOCK_RAW sockets.
    * Pushed socket lock down to sosend() and removed it from soreceive() paths for unix(4) sockets.
    * Switched AF_ROUTE sockets to the new locking scheme.
    * Mark the IP protocol GRE as MP safe from socket layer.
    * Removed kernel lock from socket splice idle timeout.
    * Removed kernel lock from shutdown(2) system call.
    * Run network protocol timer without kernel lock. TCP timers also run without kernel lock now.
    * Stopped using KERNEL_LOCK to protect the per process kqueue(2) list.
  • Sysctl
    * Used atomic operations to access integers insysctl(2) making it mp-safe.
    * Removed net lock fromsysctl(8) net.inet.ip.forwarding, net.inet6.ip6.forwarding, net.inet6.ip6.redirect, net.inet.ip.directed-broadcast.
    * Pushed kernel lock down to net_sysctl() to unlock uipc, bpf, pflow and pipex sysctl.
    * Removed kernel lock from various sysctl kern variables.
  • Stopped grabbing the kernel lock in kbind(2).
  • Added per-CPU caches to the pmemrange allocator.
  • Unlocked sigsuspend(2) and __thrsigdivert syscalls.
  • Converted SCHED_LOCK from a recursive kernel lock to a mutex.
  • Reworked per proc and per process time usage accounting, removing a SCHED_LOCK() dependency.
• Direct Rendering Manager and graphics drivers
  • Updated drm(4) to Linux 6.6.52.
  • Support for Meteor Lake ininteldrm(4).
• VMM/VMD improvements
  • Improve exposure of CPU features to virtual machines.
  • Fixed incorrect scaling when converting disk images in vmctl(8).
  • Dropped the vmm(4) and vmd(8) "continue" flag to simplify running a vcpu.
  • Added vmctl(8) "status -r" to limit the output of "vmctl status" to only running VMs.
  • Made vmm(4) update the host cr3 in the vmcs to allow vmx(4) to restore the proper cr3 value on the next vm exit.
  • Enabled AMD SEV support in vmm(4).
  • Added psp(4) ioctls to the "vmm" pledge to support AMD SEV and add an additional ioctl to support shutdown.
  • Set highest cpuid feature leaf based on host CPU in vmm(4), fixing Linux guests on older Intel hardware.
  • Implemented AMD SEV support in vmd(8). To enable SEV for a guest, use the parameter "sev" in the guest's vm section in vm.conf.5.
  • Fixed VPID leak on Intel VMX hosts.
  • Add ret-clean operation to interrupt dispatch assembly code.
  • Fixed DHCP request intercept when using local interfaces with vmd(8).
• Various new userland features:
  • Added scandirat(3) from FreeBSD.
  • Added elf_aux_info(3), designed to let userland peek at AT_HWCAP and AT_HWCAP2, using an interface from FreeBSD.
  • Added missing function wcsnlen(3) to find length of a wide string (i.e. wcslen(3) with a max len argument).
  • Imported libva 2.22.0, an implementation for VA-API (video acceleration API). VA-API provides access to graphics hardware acceleration capabilities for video processing.
  • Added the option "-u name" to env(1) to remove a variable from the environment.
• Various bugfixes and tweaks in userland:
  • Throughout the source tree, add missing error checks to calls of gmtime(3) and localtime(3).
  • Added missing error checks to all calls under libexec and sbin in case of ctime(3) and ctime_r(3) failures when timestamps are far off.
  • Audited programs that parse IP-addresses and replaced inet_aton(3) with better functions such as gethostbyname(3), getnameinfo(3), getaddrinfo(3), and inet_pton(3).
  • Added generic channel mapping in place of aucat(1) -j and -c options.
  • Allowed any device sample encoding in aucat(1).
  • Fixed a crash in sndiod(8) when the device is disconnected and the clients are not migrated to another device.
  • Made sndiod(8) discover new devices on SIGHUP and switch if a new device is higher priority (greater -F option number) than the current device.
  • Fixed sndiod(8) server.device entries disappearing when usb devices are unplugged while in use.
  • Fixed possible sndiod(8) crashes caused by a global table overread triggered by the client.
  • Switched pax(1) to write archives using the 'pax' format by default. Ramdisk versions will keep using ustar for writing.
  • Corrected detection of 'pax' format archives in pax(1) append mode.
  • Fixed a problem in pax(1) where the file list output was fully-buffered when used as part of a pipeline.
  • Fixed reading large pax(1) extended records.
  • Switched tar(1) write default format to 'pax'.
  • Added tar(1) -F option to select write format.
  • Used pathconfat(2) to compare mtimes for thepax(1) -u and -Z options when the target is "too old."
  • Added patch(1) "-V none" to prevent making any backups.
  • Fixed chroot(2) call in the lpd(8) control process.
  • Fixed a crash in ls(1) -l for files with bogus timestamp values.
  • Repaired malloc operation on systems where the malloc(3) page size is larger than the mmu page size.
  • In btrace(8), cache ELF .symtab, .strtab entries in sorted array to improve lookup cost from O(n) to O(lg n).
  • In libc, allow writing buffers larger than BUFSIZ or st_blksize, vastly improving write performance.
  • Made security(8) silently ignore setuid changes in relinked binaries to reduce false positives.
  • Added the flags NOPERM, STALLED, SWAPPABLE and DOOMED to pstat(8) -v output.
  • Rewrote dd(1) bytes/sec calculation to make signal handler safe on OpenBSD.
  • Added check in pwd_mkdb(8) preventing creation of a passwd(5) entry too large for getpwent(3).
  • Fixed cron(8) CVE-2024-43688: buffer underflow for very large step values.
  • Escaped newlines in file names in less(1).
  • Removed support for the less(1) LESSOPEN and LESSCLOSE environment variables.
  • Allowed the newsyslog(8) -F flag (Force trim logs) to be used on its own.
  • Added display of the current line number as percentage of the total lines in vi(1) ruler.
  • Ignored universal ctags extended metadata in tagaddress, making mg(1) search patterns work again.
  • Fixed mg(1) auto-indent-mode with custom tab widths.
  • Added handling for C-u modifier in M-! and M-| to mg(1).
  • Added an error message for sed(1) -i when the file is unwritable.
  • Fixed a bug in sed(1) where the pattern space is empty but does not start with a NUL character, which might occur after using the D command.
  • Ensure that giving UTF-8 command line arguments to apropos(1) allows searching in UTF-8 and ISO-Latin-1 encoded manual pages if the mandoc.db(5) was built makewhatis -T utf8.
  • Fixed a bug in mandoc(1) .Ql handling which could corrupt output.
  • Made gprof(1) output more compact.
• Improved hardware support and driver bugfixes, including:
  • Added clocks for the RK3588 PWM controller to rkclock(4).
  • Added RK3588 TSADC clocks and resets to rkclock(4).
  • Added RK3588 eMMC clocks and resets to rkclock(4).
  • Added RK3588 support to rktemp(4).
  • Added support for using the power button function of the RK809 to rkpmic(4).
  • Added rkpmic(4) support for configuring sleep voltage settings based on device tree settings for the RK809.
  • Prevented rkpmic(4) power down after resume initiated by pressing the power button.
  • Added RK3588 support to rkusbphy(4).
  • Added dwmshc(4) support for the RK3588 eMMC controller.
  • Made the eMMC come up reliably on the RK3588 eMMC controller by resetting the status before executing a new command.
  • Added PCI support for ufshci(4).
  • Enabled UFS "Auto-Hibernation" in ufshci(4).
  • Added ufshci(4) support for suspend/resume.
  • Added hibernation support in ufshci(4).
  • Added ufshci(4) at fdt support, allowing boot of the Samsung Galaxy Book4 Edge in DT mode.
  • Fixed ufshci(4) alignment issue where a DMA transfer scheduled on an odd slot would fail.
  • Enabled ufshci(4) on amd64.
  • Added CH9102 support to uchcom(4).
  • Added support for the numpad on newer macppc Apple Powerbooks with ukbd(4), with Num Lock set as Fn+F6.
  • Added uchcom(4) support for the CH343 uart.
  • Prevented a hang when the nvme(4) controller has disconnected from the pcie bus.
  • Added support for NVMe passthrough commands to allow software to get information about nvme(4) disks.
  • Enabled hibernate/resume to nvme(4) disks with 4096 byte sectors.
  • Added bio(4) support to nvme(4).
  • Added nvme(4) sensors based on information in the SMART/health log page, showing overall device health and temperature.
  • Made acpibat(4) forward AC change notifications to acpiac(4), giving access to programs like apm(8).
  • Implemented sleep button and EC events as wakeup events in acpi(4).
  • Added qcgpio(4) support for the ACPI PCIO pins necessary to support the keyboard, touchpad and touchscreen on the Qualcomm Snapdragon X Elite (X1E80100) laptops Asus Vivobook S15 and Lenovo Yoga Slim 7x.
  • Made the touchpad on the Samsung Galaxy Book4 Edge work via qcgpio(4).
  • Added Meinberg PCI510 to mbg(4).
  • Introduced rpigpio(4), a driver for the RP1 GPIO controller on the Raspberry Pi 5.
  • Added support to have bcmpcie(4) as both PCIe bus and simplebus to enable use of the Raspberry Pi 5's RP1 I/O controller.
  • Fixed access to Alder Lake-N and Elkhart Lake eMMC.
  • Added psp(4) driver for the AMD Platform Security Processor.
  • Prevent a crash in the openfirmware driver if the temperature for a zone can't be read while polling it.
  • Implemented qcspmi(4) support for version 7 controllers.
  • Implemented MSI multiple-vector support in dwpcie(4).
  • Hooked up the Qualcomm UEFI Secure Application that handles EFI variables to efi(4) to allow access to EFI variables through ioctls on /dev/efi.
  • Fixed uaudio(4) failure to attach when interface number and interface index do not match and the wrong interface is claimed.
  • Fixed delayed level setting on audio(4) devices.
  • Introduced intelpmc(4), a driver for the power management controller found on various Intel SoCs.
  • Added battery sensors to qcpas(4).
  • Corrected audio drivers to inform children about suspend/resume related events.
  • Ensure that softraid(4) sensors are unregistered when the volumes are removed.
  • Fixed suspend/resume for ums(4) and umt(4).
  • Ensure that some Intel xhci(4) controllers fully power down by issuing a "save state" command on suspend.
  • Fixed xhci(4) issues after resume by giving some AMD Ryzen hHCI controllers the extra time they need to transition from D3 into D0.
  • Made acpi(4) use ACPI_WAK upon resume, potentially improving S3 resume on some rare machines.
  • Made xhci(4) restore the saved state upon resume, needed for newer Intel xHCI controllers.
  • Skipped Controller Save State (CSS) and Controller Restore State (CRS) on AMD 17h/1xh xHCI to avoid problem with resume after introduction of CRS to xhci(4).
  • Corrected dwiic(4) to inform children of suspend/resume events and prevent sub-drivers racing against dwiic hardware re-initialization.
  • Eliminated some resume-hangs on dwiic(4) chips.
  • Added missing child activate handling in iatp(4).
• New or improved network hardware support:
  • Implemented resetting the PHY via a GPIO pin in cad(4), helping to enable the PHY on the Raspberry Pi 5.
  • Fixed TCP Segmentation Offload bugs in ixl(4).
  • Added mcx(4) support for media types from the extended Ethernet capabilities fields, fixing a gigabit SFP in the ConnectX-6 Lx.
  • Enabled em(4) on powerpc64.
  • Added VLAN hardware tagging in igc(4).
  • Fixed jumbo frames in igc(4) for strict alignment architectures.
  • Exposed igc(4) hardware counters to kstat(1).
  • Added support for checksum offloading to dwqe(4).
  • Added VLAN hardware tagging in dwqe(4).
  • Improved stability of dwqe(4).
  • Mapped MSI-X in addition to MSI and INTx on rge(4).
  • Fixed TX descriptors DMA syncs in rge(4).
  • Added rge(4) support for the Realtek RTL8126 chip.
  • Improved bus_dmamap_syncs for rx ring descriptors on rge(4) hardware.
  • Supported building a single packet out of multiple rx descriptors in rge(4).
  • Attempted to leave a gap on the tx ring for rge(4)/re(4) to keep entries on the ring from being overwritten, preventing confusion of the chip and the tx completion code.
  • Prevented VPID leakage in vmx(4) by allocating at vcpu init.
  • Implemented TCP Segmentation Offload in vmx(4), igc(4) and vio(4).
  • Implemented TCP Large Receive Offload in vmx(4) and vio(4).
  • Enable checksum offloading and TCP Segmentation Offload for vlan(4) via vio(4).
  • Improved stability of vio(4).
• Added or improved wireless network drivers:
  • Fixed qwx(4) display in ifconfig(8) showing a mix of 802.11 modes after switching APs.
  • Added a reset attempt for qwx(4) devices when firmware crashes.
  • Made qwx(4) offload TKIP and CCMP crypto to hardware, fixing ARP and IPv6 multicast with WPA2.
  • Plugged a memory leak in qwx(4).
  • Fixed a qwx(4) interrupt storm during resume.
  • Fixed iwx(4) monitor mode after firmware update.
  • Prevented firmware panic when iwx(4) runs in monitor mode with addresses configured on the interface and leaving 11n/11ac mode directly for monitor mode.
  • Added support for Quectel EM060K to umb(4).
  • Fixed WEP on athn(4) USB hostap, preventing potential "key not installed for sw crypto" panic.
• IEEE 802.11 wireless stack improvements and bugfixes:
  • Prevented potential firmware errors in Intel wifi drivers when APs send an ADDBA request early.
• Installer, upgrade and bootloader improvements:
  • Implemented support for the RISC-V UEFI Boot Protocol.
  • Implemented the chmod a-x bsd.upgrade trick in the sparc64 ofwboot bootloader.
  • Added boot.conf(8) "machine idle [secs]" to halt at idle passphrase prompts for efi(4) systems.
  • Made installboot(8) run again after fw_update(8) on Apple silicon to pick up Apple boot firmware.
  • Stopped sysupgrade(8) from enforcing the next version key if installing a snapshot.
  • Included BUILDINFO file in the iso/img files and installed it in the miniroot if available, to be used in the future in sysupgrade(8).
  • Use BUILDINFO to make sure sysupgrade(8) doesn't install an older snapshot over a newer one.
  • Ensure that loading a device tree using the "mach dtb" command gives firmware a chance to make modifications by using the EFI devicetree fixup protocol.
  • Apple machines can now also use USB type-A ports for installation.
• Security improvements:
  • Added -fret-clean option to the compiler, defaulting to off. This new option causes the caller to clean the return address off the stack after a call completes. The -fret-clean option was then enabled on amd64 for libc, libcrypto, ld.so, kernel, and all the ssh tools.
  • Expose branch target identification (BTI) to userland and make LLVM generate code with BTI instructions.
  • Enabled PAC in addition to BTI on arm64 such that JIT code matches the default branch protection provided by our base compiler.
  • Limit NFS connections to originate from a reserved port, but permit null requests (aka server pings) from non-reserved ports in nfs.
  • Made local ports bound during connect(2) unique per laddr rather than globally unique.
  • Enforced the pinsyscalls(2) rules on non-static/ld.so/libc.so text segments.
  • Added pledge and unveil to rpcinfo(8).
  • Added AUDIO_GETDEV ioctl to "audio" pledge(2).
• New features in the network stack:
  • Made PPP interfaces to run in an rdomain(4) and install a default route in the same routing domain.
  • Introduced rport(4) for point-to-point layer 3 connectivity between routing domains. Similar to pair(4) but is more efficient as it does not add Ethernet headers.
  • Implement IPv6 forwarding IPsec only (sysctl net.inet6.ip6.forwarding = 2),the equivalent to net.inet.ip.forwarding = 2 for IPv4.
  • Added BIOCSETFNR to bpf(4), like BIOCSETF without resetting the buffer or stats.
  • Implemented SO_ACCEPTCONN in getsockopt(2) which can be used to check if listen(2) was called and the socket is accepting connections.
• Further changes and bugfixes in the network stack:
  • Expose aggr(4) per port information via kstat(1).
  • Restrict listen(2) to sockets of type SOCK_STREAM or SOCK_SEQPACKET.
  • Prohibit userland changes of the interface loopback flag, preventing a potential kernel crash.
  • Split single TCP inpcb hash table into separate hash tables for IPv4 and IPv6, to help the ongoing work to improve SMP performance.
  • Use route cache function in IP input.
  • Implemented rule 5.5 of RFC 6724 (Default Address Selection for IPv6) to prefer addresses in a prefix advertised by the next-hop.
  • Stop storing full IPv6 packet in common forwarding case. Instead of storing a copy of the full IPv6 packet for the possible need to generate an ICMP6 packet. Instead only store the header. In most cases this can be kept on the stack resulting in speedup and less memory use.
  • Fixed bridging IPv6 fragments with pf reassembly. When output byveb(4) and bridge(4), the packets were not refragmented.
  • Fixed source and drain confusion in socket splicing somove(), improving performance in a corner case.
  • Drop packets if forwarding of IPsec packets only (sysctl net.inet.ip.forwarding = 2) is configured, but no IPsec policy is defined.
  • If IP forwarding is IPsec only, do not send ICMP redirect and do not accept ICMP redirect packets.
• The following changes were made to the pf(4) firewall:
  • Added display of pf(4) fragment reassembly counters to pfctl(8) and systat(1).
  • Fixed pfsync(4) TCP-state not being updated for destination connection peer and reduced excessive pfsync traffic.
  • Allow users to define tables inside an anchor in the same way they can define global tables in pf.conf(5). Previously this required a separate pfctl -a foo -t bar invocation.
• Routing daemons and other userland network improvements:
  • IPsec support was improved:
    * Added RADIUS support to iked(8), including authentication, accounting and "Dynamic Authorization Extensions" (DAE).
    * Fixed a bug where sasyncd(8) couldn't restore SAs.
  • More RADIUS changes:
    * In npppd(8), modified IPCP to use nameservers from RADIUS.
    * Added Dynamic Authorization Extensions (DAE) for RADIUS server to npppd(8).
    * Added support for RADIUS accounting configurable in radiusd.conf(5).
    * Changed radiusd.conf(5) syntax for "module" to take a {} block and "authentication" to go without. Specifying a "module" path is now optional.
    * Introduced radiusd_ipcp(8), a module providing IP configuration which manages the IP address pool.
    * Added radiusd_file(8) module, providing authentication by a local file.
    * Kept radiusd(8) number of requests for a DAE server below 64 to avoid congestion.
    * Added radiusctl(8) ipcp delete command to delete the specified session without requesting disconnection.
  • In bgpd(8),
    * Repair a withdraw desynchronization problem in bgpd(8).
    * Double peer description length to 64 characters.
    * Improve handling of bgpd AFI IPv4 sessions over IPv6 only links.
    * Sessions over IPv6 link-local addresses are now always considered to be connected.
    * Allow operators to enforce the presence of certain capabilities.
    * Improve capability negotiation and remove 'announce capabilities'. The 'announce capabilities [yes|no]' neighbor config option needs to be removed from configuration files. Instead individual capabilities need to be disabled.
    * Improve negotiation of the multi-protocol capability and the fallback to IPv4 only mode.
    * Mark RTR and IPv6 BGP packets with DSCP CS6 (network control).
    * Increase RTR PDU limit to 48k and limit number of SPAS to 10'000.
    * Convert the remaining session engine parsers to the new ibuf API.
    * Filtered prefixes are now included in the Local-RIB if the config option 'rde rib Loc-RIB include filtered' is set.
    * Add 'bgpctl show rib filtered' to show filtered prefixes.
    * Add 'min-version' RTR config option and default to RTR version 1. Set min-version to 2 to enable draft-ietf-sidrops-8210bis-14 and ASPA support or better define the ASPA table in the config.
    * Adjust RTR ASPA pdu parser to follow draft-ietf-sidrops-8210bis-14
    * Check the max_prefix and max_out_prefix limits on config reload.
    * Fix race condition between TCP-MD5 key removal and session closure to ensure all messages are sent with the proper TCP-MD5 signature.
    * Fix 'nexthop qualify via bgp' by re-evaluating the nexthops when a BGP route is added to the FIB.
    * Handle the CLUSTER_LIST attribute according to RFC7606.
    * Fix some undefined or non-portable behaviour when handling NULL / 0-sized objects.
  • rpki-client(8) saw these and more changes:
    * Impose same-origin policy for RRDP.
    * Introduce tiebreaking for trust anchors. This prevents certain forms of replay attack.
    * Fix internal identification of CA resource certificates.
    * Verify self-signage for trust anchors.
    * Introduce a check for filenames as presented by publication points.
    * Improved compliance with RFCs 6487 and 8209 for certificates and CRLs.
    * Presence of CMS signing-time is now enforced and presence of CMS binary-signing-time is disallowed, per RFC 9589.
    * Lowered the maximum acceptable manifest number to 2^159 - 1.
    * Limit number of validated ASPAs per customer ASID.
    * Ensure synchronization jobs are stopped when the timeout is reached.
    * Fix a corner case in repository handling. If the last RRDP repository failed to load, rpki-client would fail to fall back to rsync due to an ordering bug in the event loop.
    * Improve detection of duplicate file paths. Only trigger a duplicate error if a valid path is revisited otherwise a bad CA could prevent legitimate files from being considered valid.
    * Normalize internal representation of the caRepository to have a trailing slash and ensure that the rpkiManifest is a file inside it.
    * Avoid a quadratic complexity issue in ibuf_realloc() due to misuse of recallocarray(). Transferring a manifest with a large FileAndHash list across a privsep boundary could cost significant resources.
    * RRDP sessions are periodically reinitialized to snapshot at random intervals.
    * Signed Prefix List statistics are now only emitted when rpki-client is run with -x.
    * The -r command line option formerly enabling RRDP has long been the default and is now removed.
    * The CRL number extension in CRLs is checked to be in the range [0..2^159-1]. The CRL number is otherwise ignored.
  • In smtpd(8),
    * Set ORIGINAL_RECIPIENT in the environment of MDA scripts for postfix compatibility.
    * Add documentation on the expected behaviour and environment of MDAs.
    * Fixed smtpd(8) IPv6 address parsing in file-backed table(5).
    * Added smtpd-tables(7), an API to implement table(5) for smtpd(8).
    * Introduced a new smtpd(8) K_AUTH service to allow offloading the credentials to a table for non-crypt(3) authentication.
    * Implemented smtpd(8) report response for proc-filters as with built-in filters.
  • Network auto configuration improvements:
    * Introduced dhcp6leased(8), a daemon to acquire IPv6 prefix delegations from DHCPv6 servers.
    * Made rad(8) honor prefixes delegated by DHCPv6.
    * Implemented RFC 4191 Default Router Preferences in rad(8).
    * Made rad(8) send source link-layer address option in router advertisements, preventing Apple devices from installing an unusable default route.
    * Removed dhclient(8) binary.
  • Many other changes in various network programs and libraries:
    * Audited programs that parse IP-addresses and replaced inet_aton(3) with better functions such as gethostbyname(3),getnameinfo(3), getaddrinfo(3), andinet_pton(3).
    * Trimmed output of whois(1) to suppress some uninformative output by default, still accessible verbatim by using whois -S.
    * Removed obsolete whois(1) contact handle support.
    * Made spamd(8) advertise SMTPUTF8 and 8BITMIME extensions in EHLO, fixing potential interoperability issues when the real MTA supports those extensions.
    * Prevented TOCTOU issues in httpd(8) static file serving and auto index generation.
    * Added a "log" option to relayd.conf(5) rules.
    * Made relayd(8) host handle disable/enable commands from relayctl(8) correctly in case multiple redirect instances use the same host in relayd(8) tables.
    * Improved config validation in relayd(8) to prevent incompatibility with the length of names of redirects and tags in pf(4).
    * Made ftp(1) send HTTP 'Accept */*' headers.
    * Made ftp(1) send Host: headers with CONNECT requests when tunneling TLS over an HTTP proxy.
    * Added the 2024 root zone trust anchor to unwind(8).
    * Made netstat(1) display statistics about expensive mbuf operations, counting operations used to allocate mbufs or copy memory when memory layout is not optimal to find possible optimizations.
• tmux(1) improvements and bug fixes:
  • Reduced tmux(1) escape-time default to 10 milliseconds (from 500).
  • Added display-menu -M to tmux(1) to always turn mouse on in a menu.
  • Added tmux(1) option allow-set-title to forbid applications from changing the pane title.
  • Prevented a crash if focusing a pane in tmux(1) that is exiting.
  • Added "N" to search backwards in tmux(1) tree modes.
  • Added tmux(1) "refresh-client -r" for control mode clients to provide OSC 10 and 11 responses to tmux so they can set the default foreground and background colors.
  • Changed tmux(1) extended-keys behavior to allow applications to enter mode 2 but not turn extended keys off entirely.
  • Added a tmux(1) prefix-timeout option to allow setting a period after which to ignore the prefix key if no others are pressed.
  • Ignored tmux(1) mouse move keys to prevent accidental prefix cancelation.
  • Displayed hyperlinks in tmux(1) copy mode and added copy_cursor_hyperlink format to get the hyperlink under the cursor.
  • Added search_count and search_count_partial formats in tmux(1) copy mode.
  • Revamped tmux(1) extended keys support to more closely match xterm1 and support mode 2 as well as mode 1.
  • Added mirrored versions of the main-horizontal and main-vertical layouts when the tmux(1) main pane is bottom or right instead of top or left.
  • Allowed REP to work with Unicode characters in tmux(1).
• LibreSSL version 4.0.0
  • Portable changes
    * Added initial Emscripten support in CMake builds.
    * Removed timegm() compatibility layer since all uses were replaced with OPENSSL_timegm(). Cleaned up the corresponding test harness.
    * The mips32 platform is no longer actively supported.
  • Internal improvements
    * Cleaned up parts of the conf directory. Simplified some logic, fixed memory leaks.
    * Simplified X509_check_trust() internals to be somewhat readable.
    * Removed last internal uses of gmtime() and timegm() and replaced them with BoringSSL's POSIX time conversion API.
    * Removed unnecessary stat calls in by_dir.
    * Split parsing and processing of TLS extensions to ensure that extension callbacks are called in a predefined order.
    * Cleaned up the MD4 and MD5 implementations.
    * Assembly functions are no longer exposed in the public API, they are all wrapped by C functions.
    * Removed assembly implementations of legacy ciphers on legacy architectures.
    * Merged most multi-file implementations of ciphers into one or two C files.
    * Removed the cache of certificate validity. This was added for performance reasons which no longer apply since BoringSSL's time conversion API isn't slow. Also, a recently added error check led to obscure, undesirable validation failures.
    * Stopped calling OPENSSL_cpuid_setup() from the .init section on amd64 and i386.
    * Rewrote various BN conversion functions.
    * Improved certification request internals.
    * Removed unused DSA methods.
    * Improved X.509v3 extension internals. Fixed various bugs and leaks in X509V3_add1_i2d() and X509V3_get_d2i(). Their implementations now vaguely resemble code.
    * Rewrote BN_bn2mpi() using CBB.
    * Made most error string tables const.
    * Removed handling for SSLv2 client hello messages.
    * Improvements in the openssl(1) speed app's signal handler.
    * Cleaned up various X509v3_* extension API.
    * Unified the X.509v3 extension methods.
    * Cleaned up cipher handling in SSL_SESSION.
    * Removed get_cipher from SSL_METHOD.
    * Rewrote CRYPTO_EX_DATA from scratch. The only intentional change of behavior is that there is now a hard limit on the number of indexes that can be allocated.
    * Removed bogus connect() call from netcat.
    * Uses of atoi() and strtol() in libcrypto were replaced with strtonum().
    * Introduced crypto_arch.h which will contain the architecture dependent code and defines rather than the public opensslconf.h.
    * OPENSSL_cpu_caps() is now architecture independent.
    * Reorganized the DES implementation to use fewer files and removed optimizations for ancient processors and compilers.
  • New features
    * Added CRLfile option to the cms command of openssl(1) to specify additional CRLs for use during verification.
  • Documentation improvements
    * Removed documentation of no longer existing API.
    * Unified the description of the obsolete ENGINE parameter that needs to remain in many functions and should always be NULL.
  • Compatibility changes
    * Protocol parsing in libtls was changed. The unsupported TLSv1.1 and TLSv1.0 protocols are ignored and no longer enable or disable TLSv1.2 in surprising ways.
    * The dangerous EVP_PKEY*_check(3) family of functions was removed. The openssl(1) pkey and pkeyparam commands no longer support the -check and -pubcheck flags.
    * The one-step hashing functions, MD4(), MD5(), RIPEMD160(), SHA1(), all SHA-2, and HMAC() no longer support returning a static buffer. Callers must pass in a correctly sized buffer.
    * Support for Whirlpool was removed. Applications still using this should honor OPENSSL_NO_WHIRLPOOL.
    * Removed workaround for F5 middle boxes.
    * Removed the useless pem2.h, a public header that was added since it was too hard to add a single prototype to one file.
    * Removed conf_api.h and the public API therein.
    * Removed ssl2.h, ssl23.h and ui_compat.h.
    * Numerous conf and attribute functions were removed. Some unused types were removed, others were made opaque.
    * Removed the deprecated HMAC_Init() function.
    * Removed OPENSSL_load_builtin_modules().
    * Removed X509_REQ_{get,set}_extension_nids().
    * X509_check_trust() and was removed, X509_VAL was made opaque.
    * Only specified versions can be set on certs, CRLs and CSRs.
    * Removed unused PEM_USER and PEM_CTX types from pem.h.
    * Removed typedefs for COMP_CTX, COMP_METHOD, X509_CRL_METHOD, STORE, STORE_METHOD, and SSL_AEAD_CTX.
    * i2d_ASN1_OBJECT() now returns -1 on error like most other i2d_*.
    * SPKAC support was removed from openssl(1).
    * Added TLS1-PRF support to the EVP interface.
    * Support for attributes in EVP_PKEYs was removed.
    * The X509at_* API is no longer public.
    * SSL_CTX_set1_cert_store() and SSL_CIPHER_get_handshake_digest() were added to libssl.
    * The completely broken UI_UTIL password API was removed.
    * The OpenSSL pkcs12 command and PKCS12_create() no longer support setting the Microsoft-specific Local Key Set and Cryptographic Service Provider attributes.
  • Bug fixes
    * Made ASN1_TIME_set_string() and ASN1_TIME_set_string_X509() match their documentation. They always set an RFC 5280 conformant time.
    * Improved standards compliance for supported groups and key shares extensions:
    * Duplicate key shares are disallowed.
    * Duplicate supported groups are disallowed.
    * Key shares must be sent in the order of supported groups.
    * Key shares will only be selected if they match the most preferred supported group by client preference order.
    * Fixed signed integer overflow in bnrand().
    * Prevent negative zero from being created via BN_clear_bit() and BN_mask_bits(). Avoids a one byte overread in BN_bn2mpi().
    * Add guard to avoid contracting the number linear hash buckets to zero, which could lead to a crash due to accessing a zero sized allocation.
    * Fixed i2d_ASN1_OBJECT() with an output buffer pointing to NULL.
    * Implemented RSA key exchange in constant time. This is done by decrypting with RSA_NO_PADDING and checking the padding in libssl in constant time. This is possible because the pre-master secret is of known length based on the size of the RSA key.
    * Rewrote SSL_select_next_proto() using CBS, also fixing a buffer overread that wasn't reachable when used as intended from an ALPN callback.
    * Avoid pushing a spurious error onto the error stack in ssl_sigalg_select().
    * Made fatal alerts fatal in QUIC.
• OpenSSH 9.8 and OpenSSH 9.9
  • Security fixes
    * Fix a critical race condition in sshd(8) that could be used to obtain remote code execution.
    * Fix a logic error in ssh(1) that rendered the ObscureKeystrokeTiming option ineffective.
  • New features
    * ssh(1) and sshd(8) now support a new hybrid post-Quantum key exchange algorithm "mlkem768x25519-sha256" based on the recently-standardised FIPS 203 Module-Lattice Key Encapsulation Mechanism (ML-KEM) with ECDH using the X25519 group.
    * Support for DSA keys is now disabled at compile time in all OpenSSH tools.
    * Support for pre-authentication compression has been removed from ssh(1) (it was removed from the server a long time ago).
    * The existing default post-quantum key exchange "sntrup761x25519-sha512@openssh.com" is now significantly faster in both ssh(1) and sshd(8), and is now available under the assigned name "sntrup761x25519-sha512".
    * Split sshd(8) into two separate processes: a listener binary and a new sshd-session binary that handles each connection.
    * sshd(8) will now penalise clients that connect without completing authentication, crash the server or perform other unwelcome activities. This behaviour is controlled via the PerSourcePenalties and PerSourcePenaltyExemptList sshd_config(5) options.
    * ssh(1) now allows the HostkeyAlgorithms option to disable the implicit fallback from certificate host keys to plain host keys.
    * The ssh_config(5) Include directive can now expand environment variables as well as the same set of %-tokens that are accepted for "Match Exec".
    * Add a new RefuseConnection directive to ssh_config(5) that will cause the connection to be immediately refused, and a corresponding "refuseconnection" penalty class that allows clients that have connections so refused to be penalised.
    * Add a new sshd_config(5) "invalid-user" Match predicate that allows matching on invalid usernames, e.g. to allow penalisation of account/password guessers.
    * Add additional protection to private keys from being included in core dumps.
  • Bugfixes
    * Many bugfixes. Please see the release notes for the full list.
• Ports and packages:
  Many pre-built packages for each architecture:
  • aarch64: 12148
  • amd64: 12312
  • arm: 8177
  • i386: 10534
  • mips64: 8629
  • powerpc: 9809
  • powerpc64: 8314
  • riscv64: 10377
  • sparc64: 8797
    Some highlights:
  • Asterisk 16.30.1, 18.24.3 and 20.9.3
  • Audacity 3.6.3
  • CMake 3.30.1
  • Chromium 128.0.6613.137
  • Emacs 29.4
  • FFmpeg 4.4.5
  • GCC 8.4.0 and 11.2.0
  • GHC 9.6.6
  • GNOME 46
  • Go 1.23.1
  • JDK 8u402, 11.0.24, 17.0.12 and 21.0.4
  • KDE Applications 24.05.2
  • KDE Frameworks 6.5.0
  • KDE Plasma 6.1.4
  • Krita 5.2.3
  • LLVM/Clang 13.0.0, 16.0.6 and 17.0.6
  • LibreOffice 24.8.1.2
  • Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.7
  • MariaDB 10.9.8
  • Mono 6.12.0.199
  • Mozilla Firefox 130.0.1 and ESR 128.2.0
  • Mozilla Thunderbird 128.2.3
  • Mutt 2.2.13 and NeoMutt 20240425
  • Node.js 20.17.0
  • OCaml 4.14.2
  • OpenLDAP 2.6.8
  • PHP 8.1.29, 8.2.23 and 8.3.11
  • Postfix 3.9.0
  • PostgreSQL 16.4
  • Python 2.7.18, 3.11.10
  • Qt 5.15.13 (+ kde patches) and 6.6.3
  • R 4.4.1
  • Ruby 3.1.6, 3.2.5 and 3.3.5
  • Rust 1.81.0
  • SQLite 3.44.2
  • Shotcut 24.04.28
  • Sudo 1.9.15.5
  • Suricata 7.0.6
  • Tcl/Tk 8.5.19 and 8.6.13
  • TeX Live 2023
  • Vim 9.1.707 and Neovim 0.10.1
  • Xfce 4.18.1
• As usual, steady improvements in manual pages and other documentation.
• The system includes the following major components from outside suppliers:
  • Xenocara (based on X.Org 7.7 with xserver 21.1.13 + patches, freetype 2.13.2, fontconfig 2.14.2, Mesa 23.3.6, xterm 393, xkeyboard-config 2.20, fonttosfnt 1.2.3 and more)
  • LLVM/Clang 16.0.6 (+ patches)
  • GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
  • Perl 5.38.2 (+ patches)
  • NSD 4.9.1
  • Unbound 1.21.0
  • Ncurses 6.4
  • Binutils 2.17 (+ patches)
  • Gdb 6.3 (+ patches)
  • Awk July 28, 2024
  • Expat 2.6.3
  • zlib 1.3.1 (+ patches)

How to install

Please refer to the following files on the mirror site for extensive details on how to install OpenBSD 7.6 on your machine:

• .../OpenBSD/7.6/alpha/INSTALL.alpha
• .../OpenBSD/7.6/amd64/INSTALL.amd64
• .../OpenBSD/7.6/arm64/INSTALL.arm64
• .../OpenBSD/7.6/armv7/INSTALL.armv7
• .../OpenBSD/7.6/hppa/INSTALL.hppa
• .../OpenBSD/7.6/i386/INSTALL.i386
• .../OpenBSD/7.6/landisk/INSTALL.landisk
• .../OpenBSD/7.6/loongson/INSTALL.loongson
• .../OpenBSD/7.6/luna88k/INSTALL.luna88k
• .../OpenBSD/7.6/macppc/INSTALL.macppc
• .../OpenBSD/7.6/octeon/INSTALL.octeon
• .../OpenBSD/7.6/powerpc64/INSTALL.powerpc64
• .../OpenBSD/7.6/riscv64/INSTALL.riscv64
• .../OpenBSD/7.6/sparc64/INSTALL.sparc64

Quick installer information for people familiar with OpenBSD, and the use of the "disklabel -E" command. If you are at all confused when installing OpenBSD, read the relevant INSTALL.* file as listed above!

OpenBSD/alpha:

If your machine can boot from CD, you can write install76.iso or_cd76.iso_ to a CD and boot from it. Refer to INSTALL.alpha for more details.

OpenBSD/amd64:

If your machine can boot from CD, you can write install76.iso or_cd76.iso_ to a CD and boot from it. You may need to adjust your BIOS options first.

If your machine can boot from USB, you can write install76.img or_miniroot76.img_ to a USB stick and boot from it.

If you can't boot from a CD, floppy disk, or USB, you can install across the network using PXE as described in the included INSTALL.amd64 document.

If you are planning to dual boot OpenBSD with another OS, you will need to read INSTALL.amd64.

OpenBSD/arm64:

If your machine can boot from CD, you can write install76.iso or_cd76.iso_ to a CD and boot from it.

To boot from disk, write install76.img or miniroot76.img to a disk and boot from it after connecting to the serial console. Refer to INSTALL.arm64 for more details.

OpenBSD/armv7:

Write a system specific miniroot to an SD card and boot from it after connecting to the serial console. Refer to INSTALL.armv7 for more details.

OpenBSD/hppa:

Boot over the network by following the instructions in INSTALL.hppa or thehppa platform page.

OpenBSD/i386:

If your machine can boot from CD, you can write install76.iso or_cd76.iso_ to a CD and boot from it. You may need to adjust your BIOS options first.

If your machine can boot from USB, you can write install76.img or_miniroot76.img_ to a USB stick and boot from it.

If you can't boot from a CD, floppy disk, or USB, you can install across the network using PXE as described in the included INSTALL.i386 document.

If you are planning on dual booting OpenBSD with another OS, you will need to read INSTALL.i386.

OpenBSD/landisk:

Write miniroot76.img to the start of the CF or disk, and boot normally.

OpenBSD/loongson:

Write miniroot76.img to a USB stick and boot bsd.rd from it or boot bsd.rd via tftp. Refer to the instructions in INSTALL.loongson for more details.

OpenBSD/luna88k:

Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader from the PROM, and then bsd.rd from the bootloader. Refer to the instructions in INSTALL.luna88k for more details.

OpenBSD/macppc:

Burn the image from a mirror site to a CDROM, and power on your machine while holding down the C key until the display turns on and shows OpenBSD/macppc boot.

Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot /7.6/macppc/bsd.rd

OpenBSD/octeon:

After connecting a serial port, boot bsd.rd over the network via DHCP/tftp. Refer to the instructions in INSTALL.octeon for more details.

OpenBSD/powerpc64:

To install, write install76.img or miniroot76.img to a USB stick, plug it into the machine and choose the OpenBSD install menu item in Petitboot. Refer to the instructions in INSTALL.powerpc64 for more details.

OpenBSD/riscv64:

To install, write install76.img or miniroot76.img to a USB stick, and boot with that drive plugged in. Make sure you also have the microSD card plugged in that shipped with the HiFive Unmatched board. Refer to the instructions in INSTALL.riscv64 for more details.

OpenBSD/sparc64:

Burn the image from a mirror site to a CDROM, boot from it, and type_boot cdrom_.

If this doesn't work, or if you don't have a CDROM drive, you can write_floppy76.img_ or floppyB76.img(depending on your machine) to a floppy and boot it with boot floppy. Refer to INSTALL.sparc64 for details.

Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.

You can also write miniroot76.img to the swap partition on the disk and boot with boot disk:b.

If nothing works, you can boot over the network as described in INSTALL.sparc64.

How to upgrade

If you already have an OpenBSD 7.5 system, and do not want to reinstall, upgrade instructions and advice can be found in theUpgrade Guide.

Notes about the source code

src.tar.gz contains a source archive starting at /usr/src. This file contains everything you need except for the kernel sources, which are in a separate archive. To extract:

mkdir -p /usr/src

cd /usr/src

tar xvfz /tmp/src.tar.gz

sys.tar.gz contains a source archive starting at /usr/src/sys. This file contains all the kernel sources you need to rebuild kernels. To extract:

mkdir -p /usr/src/sys

cd /usr/src

tar xvfz /tmp/sys.tar.gz

Both of these trees are a regular CVS checkout. Using these trees it is possible to get a head-start on using the anoncvs servers as described here. Using these files results in a much faster initial CVS update than you could expect from a fresh checkout of the full OpenBSD source tree.

Ports Tree

A ports tree archive is also provided. To extract:

cd /usr

tar xvfz /tmp/ports.tar.gz

Go read the ports page if you know nothing about ports at this point. This text is not a manual of how to use ports. Rather, it is a set of notes meant to kickstart the user on the OpenBSD ports system.

The ports/ directory represents a CVS checkout of our ports. As with our complete source tree, our ports tree is available viaAnonCVS. So, in order to keep up to date with the -stable branch, you must make the ports/ tree available on a read-write medium and update the tree with a command like:

cd /usr/ports

cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_7_6

[Of course, you must replace the server name here with a nearby anoncvs server.]

Note that most ports are available as packages on our mirrors. Updated ports for the 7.6 release will be made available if problems arise.

If you're interested in seeing a port added, would like to help out, or just would like to know more, the mailing listports@openbsd.org is a good place to know.