OpenBSD Changelog

New in version 5.6 (November 1st, 2014)

  • LibreSSL:
  • This release forks OpenSSL into LibreSSL, a version of the TLS/crypto stack with goals of modernizing the codebase, improving security, and applying best practice development processes.
  • No support for legacy MacOS, Netware, OS/2, VMS and Windows platforms, as well as antique compilers.
  • Removal of the IBM 4758, Broadcom ubsec, Sureware, Nuron, GOST, GMP, CSwift, CHIL, CAPI, Atalla and AEP engines, either because the hardware is irrelevant, or because they require external non-free libraries to work.
  • No support for FIPS-140 compliance.
  • No EBCDIC support.
  • No support for big-endian i386 and amd64 platforms.
  • Use standard routines from the C library (malloc, strdup, snprintf...) instead of rolling our own, sometimes badly.
  • Remove the old OpenSSL PRNG, and rely upon arc4random_buf from libc for all the entropy needs.
  • Remove the MD2 and SEED algorithms.
  • Remove J-PAKE, PSK and SRP (mis)features.
  • Aggressive cleaning of BN memory when no longer used.
  • No support for Kerberos.
  • No support for SSLv2.
  • No support for the questionable DTLS heartbeat extension.
  • No support for TLS compression.
  • No support for US-Export SSL ciphers.
  • Do not use the current time as a random seed in libssl.
  • Support for the ChaCha and Poly1305 algorithms.
  • Support for Brainpool and ANSSI elliptic curves.
  • Support for AES-GCM and ChaCha20-Poly1305 AEAD modes.
  • Improved hardware support, including:
  • SCSI Multipathing support via mpath(4) and associated path drivers on several architectures.
  • New qlw(4) driver for QLogic ISP SCSI HBAs.
  • New qla(4) driver for QLogic ISP2100/2200/2300 Fibre Channel HBAs.
  • New upd(4) sensor driver for USB Power Devices (UPS).
  • New brswphy(4) driver for Broadcom BCM53xx 10/100/1000TX Ethernet PHYs.
  • New uscom(4) driver for simple USB serial adapters.
  • New axen(4) driver for ASIX Electronics AX88179 10/100/Gigabit USB Ethernet devices.
  • The inteldrm(4) and radeondrm(4) drivers have improved suspend/resume support.
  • The userland interface for the agp(4) driver has been removed.
  • The rtsx(4) driver now supports card readers based on the RTS5227 and RTL8402 chipsets.
  • The firmware for the run(4) driver has been updated to version 0.33.
  • The run(4) driver now supports devices based on the RT3900E chipset.
  • The zyd(4) driver, which was broken for some time, has been fixed.
  • The bwi(4) driver now works in systems with more than 1GB of RAM.
  • The re(4) driver now supports devices based on the RTL8168EP/8111EP, RTL8168G/8111G, and RTL8168GU/8111GU chipsets.
  • Generic network stack improvements:
  • divert(4) now supports checksum offload.
  • IPv6 is now turned off on new interfaces by default. Assigning an IPv6 address will enable IPv6 on an interface.
  • Support for RFC4620 IPv6 Node Information Queries has been removed.
  • The kernel no longer supports the SO_DONTROUTE socket option.
  • The getaddrinfo(3) function now supports the AI_ADDRCONFIG flag defined in RFC 3493.
  • Include router alert option (RAO) in IGMP packets, as required by RFC2236.
  • ALTQ has been removed.
  • The hash tables for the Protocol Control Blocks (PCB) of TCP and UDP now resize automatically on load.
  • Installer improvements:
  • Remove ftp and tape as install methods.
  • Preserve the disklabel (and next 6 blocks) when installing boot block on 4k-sector disk drives.
  • Change the "Server?" question to "HTTP Server?" to allow unambiguous autoinstall(8) handling.
  • Allow autoinstall(8) to fetch and install sets from multiple locations.
  • Many sample configuration files have moved from /etc to /etc/examples.
  • Routing daemons and other userland network improvements:
  • When used with the -v flag, tcpdump(8) now shows the actual bad checksum within the IP/protocol header itself and what the good checksum should be.
  • ftp(1) now allows its User-Agent to be changed via the -U command-line option.
  • The -r option of ping(8) and traceroute(8) has been removed.
  • ifconfig(8) can now explicitly assign an IPv6 link-local address and turn IPv6 autoconf on or off.
  • ifconfig(8) has been made smarter about parsing WEP keys on the command line.
  • ifconfig(8) scan now shows the encryption type of wireless networks (WEP, WPA, WPA2, 802.1x).
  • MS-CHAPv1 (RFC2433) support has been removed from pppd(8).
  • traceroute6(8) has been merged into traceroute(8).
  • The asr API for asynchronous address resolution and nameserver querying is now public.
  • pflow(4)'s pflowproto 9 has been removed.
  • The userland ppp(8) daemon and its associated PPPoE helper, pppoe(8), have been removed.
  • snmpd(8), snmpctl(8), and relayd(8) now communicate via the AgentX protocol.
  • relayd(8) has a new filtering subsystem, where the new configuration language uses last-matching pf-like rules.
  • The new relayd(8) filter rules now support URL-based relaying.
  • relayd(8) now uses privilege separation for private keys. This acts as an additional mitigation to prevent leakage of the private keys from the processes doing SSL/TLS.
  • New httpd(8) HTTP server with FastCGI and SSL support.
  • OpenSMTPD 5.4.3 (includes changes to 5.4.2):
  • New/changed features:
  • OpenSMTPD replaces Sendmail as the default MTA.
  • Queue process now runs under a different user for better isolation.
  • Merged MDA, MTA and SMTP processes into a single unprivileged process.
  • Killed the MFA process, it is no longer needed.
  • Added support for email address lookups in the table_db backend.
  • Added RSA privilege separation support to prevent possible private key leakage.
  • The following significant bugs have been fixed in this release:
  • Minor bug fixes in some corner cases of the routing logic.
  • The enqueuer no longer adds its own User-Agent.
  • Disabled profiling code, allowing all processes to rest rather than waking up every second.
  • Reworked the purge task to avoid disk-hits unless necessary... only once at startup.
  • Fix various header parsing bugs in the local enqueuer.
  • Assorted minor fixes and code cleanups.
  • Security improvements:
  • Changed the heuristics of the stack protector to also protect functions with local array definitions and references to local frame addresses. This matches the -fstack-protector-strong option of upstream GCC.
  • Position-independent executables (PIE) are now used by default on powerpc.
  • Removed Kerberos.
  • Default bcrypt hash type is now $2b$.
  • Remove md5crypt support.
  • An improved, easier-to-use bcrypt API is now available.
  • Increase randomness of random mmap mappings.
  • Added getentropy(2).
  • Added timingsafe_memcmp(3).
  • Removed the MD4 hash algorithm and functions from cksum(1), S/Key, and libc.
  • gets(3) has been removed.
  • Added reallocarray(3), which allows multiple sized objects to be allocated without the cost of clearing memory while avoiding possible integer overflows.
  • Extended fread(3) and fwrite(3) to check for integer overflows.
  • Assorted improvements:
  • locate databases for both base and xenocara, as /usr/lib/locate/src.db and /usr/X11R6/lib/locate/xorg.db.
  • Much faster package updates, due to package contents reordering that precludes re-downloading unchanged files.
  • Fix many programs that failed when accessing disks having sector sizes other than 512 bytes, including badsect(8), df(1), dump(8), dumpfs(8), fsck_ext2fs(8), fsck_ffs(8), fsdb(8), growfs(8), ncheck_ffs(8), quotacheck(8), tunefs(8).
  • Constrain MSDOS timestamps to 1/1/1980 through 12/31/2107. 64-bit time_t values outside that range are stored as 1/1/1980.
  • bs(6) now prints a battleship splash screen.
  • rcp, rsh, rshd, rwho, rwhod, ruptime, asa, bdes, fpr, mkstr, page, spray, xstr, oldrdist, fsplit, uyap, and bluetooth have been removed.
  • rmail(8) and uucpd(8) have been removed from the base system and added to the ports tree.
  • Lynx has been removed from the base system and added to the ports tree.
  • TCP Wrappers have been removed.
  • Fix atexit(3) recursive handlers.
  • Enhance disklabel(8) to recover filesystem mountpoint information when reading saved ascii labels.
  • Properly handle msgbuf_write(3) EOF conditions, including uses in tmux(1), dvmrpd(8), ldapd(8), ldpd(8), ospf6d(8), ospfd(8), relayd(8), ripd(8), smtpd(8), ypldap(8).
  • Constrain fdisk(8) '-l' to disk sizes of 64 blocks or more.
  • Sync fdisk(8) built-in MBR with current /usr/mdec/mbr.
  • Quiet dhclient(8) '-q' even more.
  • Log less redundant dhclient(8) info.
  • New leases, lease renewals, and cable state changes are now more obvious to applications monitoring dhclient(8) files.
  • Preserve chronological order of leases in the dhclient.leases(5) leases files.
  • Use 'lease {}' statements in dhclient.conf(5), allowing interfaces to get an address when no dynamic lease is available.
  • Improve dhclient(8) parsing and printing of classless static routes.
  • Eliminate unnecessary rewrites of resolv.conf(5) by dhclient(8).
  • Added sendsyslog(2): syslog(3) now works even when out of file descriptors or in a chroot.
  • Added errc(3), verrc(3), warnc(3) and vwarnc(3).
  • Faster hibernate/unhibernate performance on amd64 and i386 platforms.
  • Support hibernating to softraid(4) crypto volumes.
  • Improved performance of seekdir(3) to start of current buffer.
  • Added per the revision of the POSIX spec in progress.
  • Apache has been removed.
  • Read support for ext4 filesystems.
  • Reworked mplocks as ticket locks instead of spinlocks on amd64, i386, and sparc64. This provides fairer access to the kernel lock between logical CPUs, especially in multi socket systems.
  • OpenSSH 6.7:
  • Potentially-incompatible changes:
  • sshd(8): The default set of ciphers and MACs has been altered to remove unsafe algorithms. In particular, CBC ciphers and arcfour* are disabled by default.
  • sshd(8): Support for tcpwrappers/libwrap has been removed.
  • OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections using the "curve25519-sha256@libssh.org" KEX exchange method to fail when connecting with something that implements the specification correctly. OpenSSH 6.7 disables this KEX method when speaking to one of the affected versions.
  • New/changed features:
  • Major internal refactoring to begin to make part of OpenSSH usable as a library. So far the wire parsing, key handling and KRL code has been refactored. Please note that we do not consider the API stable yet, nor do we offer the library in separable form.
  • ssh(1), sshd(8): Add support for Unix domain socket forwarding. A remote TCP port may be forwarded to a local Unix domain socket and vice versa or both ends may be a Unix domain socket.
  • ssh(1), ssh-keygen(1): Add support for SSHFP DNS records for Ed25519 key types.
  • sftp(1): Allow resumption of interrupted uploads.
  • ssh(1): When rekeying, skip file/DNS lookups of the hostkey if it is the same as the one sent during initial key exchange. (bz#2154)
  • sshd(8): Allow explicit ::1 and 127.0.0.1 forwarding bind addresses when GatewayPorts=no; allows client to choose address family. (bz#2222)
  • sshd(8): Add a sshd_config(5) PermitUserRC option to control whether ~/.ssh/rc is executed, mirroring the no-user-rc authorized_keys option. (bz#2160)
  • ssh(1): Add a %C escape sequence for LocalCommand and ControlPath that expands to a unique identifier based on a hash of the tuple of (local host, remote user, hostname, port). Helps avoid exceeding miserly pathname limits for Unix domain sockets in multiplexing control paths. (bz#2220)
  • sshd(8): Make the "Too many authentication failures" message include the user, source address, port and protocol in a format similar to the authentication success/failure messages. (bz#2199)
  • Added unit and fuzz tests for refactored code.
  • The following significant bugs have been fixed in this release:
  • sshd(8): Fix remote forwarding with same listen port but different listen address.
  • ssh(1): Fix inverted test that caused PKCS#11 keys that were explicitly listed in ssh_config(5) or on the commandline not to be preferred.
  • ssh-keygen(1): Fix bug in KRL generation: multiple consecutive revoked certificate serial number ranges could be serialised to an invalid format. Readers of a broken KRL caused by this bug will fail closed, so no should-have-been-revoked key will be accepted.
  • ssh(1): Reflect stdio-forward ("ssh -W host:port ...") failures in exit status. Previously we were always returning 0. (bz#2255)
  • ssh(1), ssh-keygen(1): Make Ed25519 keys' title fit properly in the randomart border. (bz#2247)
  • ssh-agent(1): Only cleanup agent socket in the main agent process and not in any subprocesses it may have started (e.g. forked askpass). Fixes agent sockets being zapped when askpass processes fatal(). (bz#2236)
  • ssh-add(1): Make stdout line-buffered; saves partial output getting lost when ssh-add(1) fatal()s part-way through (e.g. when listing keys from an agent that supports key types that ssh-add(1) doesn't). (bz#2234)
  • ssh-keygen(1): When hashing or removing hosts, don't choke on "@revoked" markers and don't remove "@cert-authority" markers. (bz#2241)
  • ssh(1): Don't fatal when hostname canonicalisation fails and a ProxyCommand is in use; continue and allow the ProxyCommand to connect anyway (e.g. to a host with a name outside the DNS behind a bastion).
  • scp(1): When copying local->remote fails during read, don't send uninitialised heap to the remote end.
  • sftp(1): Fix fatal "el_insertstr failed" errors when tab-completing filenames with a single quote char somewhere in the string. (bz#2238)
  • ssh-keyscan(1): Scan for Ed25519 keys by default.
  • ssh(1): When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any certificate keys to plain keys and attempt SSHFP resolution. Prevents a server from skipping SSHFP lookup and forcing a new-hostkey dialog by offering only certificate keys.
  • sshd(8): Avoid crash at exit via NULL pointer reference. (bz#2225)
  • Fix some strict-alignment errors.
  • mandoc 1.13.0:
  • New implementation of apropos(1), whatis(1), and makewhatis(8) based on SQLite3 databases.
  • Substantial improvements of mandoc(1) error and warning messages.
  • Almost complete implementation of roff(7) numerical expressions.
  • About a dozen minor new features and numerous bug fixes.
  • Ports and packages:
  • Over 8,800 ports.
  • Many pre-built packages for each architecture:
  • i386: 8588
  • sparc64: 7965
  • alpha: 6278
  • sh: 2626
  • amd64: 8588
  • powerpc: 8049
  • m88k: 2475
  • sparc: 3394
  • arm: 5633
  • hppa: 6143
  • vax: 1995
  • mips64: 4686
  • mips64el: 6697
  • Some highlights:
  • GNOME 3.12.2
  • KDE 3.5.10
  • KDE 4.13.3
  • Xfce 4.10
  • MySQL 5.1.73
  • PostgreSQL 9.3.4
  • Postfix 2.11.1
  • OpenLDAP 2.3.43 and 2.4.39
  • Mozilla Firefox 31.0
  • Mozilla Thunderbird 31.0
  • GHC 7.6.3
  • LibreOffice 4.1.6.2
  • Emacs 21.4 and 24.3
  • Vim 7.4.135
  • PHP 5.3.28, 5.4.30 and 5.5.14
  • Python 2.7.8, 3.3.5 and 3.4.1
  • Ruby 1.8.7.374, 1.9.3.545, 2.0.0.481 and 2.1.2
  • Tcl/Tk 8.5.15 and 8.6.1
  • JDK 1.6.0.32 and 1.7.0.55
  • Mono 3.4.0
  • Chromium 36.0.1985.125
  • Groff 1.22.2
  • Go 1.3
  • GCC 4.6.4, 4.8.3 and 4.9.0
  • LLVM/Clang 3.5 (20140228)
  • Node.js 0.10.28
  • As usual, steady improvements in manual pages and other documentation.
  • The system includes the following major components from outside suppliers:
  • Xenocara (based on X.Org 7.7 with xserver 1.15.2 + patches, freetype 2.5.3, fontconfig 2.11.1, Mesa 10.2.3, xterm 309, xkeyboard-config 2.11 and more)
  • Gcc 4.2.1 (+ patches) and 3.3.6 (+ patches)
  • Perl 5.18.2 (+ patches)
  • Nginx 1.6.0 (+ patches)
  • SQLite 3.8.4.3 (+ patches)
  • Sendmail 8.14.8, with libmilter
  • Bind 9.4.2-P2 (+ patches)
  • NSD 4.0.3
  • Unbound 1.4.22
  • Sudo 1.7.2p8
  • Ncurses 5.7
  • Binutils 2.15 (+ patches)
  • Gdb 6.3 (+ patches)
  • Less 458 (+ patches)
  • Awk Aug 10, 2011 version

New in version 5.5 (May 1st, 2014)

  • time_t is now 64 bits on all platforms.
  • From OpenBSD 5.5 onwards, OpenBSD is year 2038 ready and will run well beyond Tue Jan 19 03:14:07 2038 UTC.
  • The entire source tree (kernel, libraries, and userland programs) has been carefully and comprehensively audited to support 64-bit time_t.
  • Userland programs that were changed include arp(8), bgpd(8), calendar(8), cron(8), find(1), fsck_ffs(8), ifconfig(8), ksh(1), ld(1), ld.so(1), netstat(1), pfctl(8), ping(8), rtadvd(8), ssh(1), tar(1), tmux(1), top(1), and many others, including games!
  • Removed time_t from network, on-disk, and database formats.
  • Removed as many (time_t) casts as possible.
  • Format strings were converted to use %lld and (long long) casts.
  • Uses of timeval were converted to timespec where possible.
  • Parts of the system that could not use 64-bit time_t were converted to use unsigned 32-bit instead, so they are good till the year 2106.
  • Numerous ports throughout the ports tree received time_t fixes.
  • Releases and packages are now cryptographically signed with the signify(1) utility.
  • The installer will verify all sets before installing.
  • Installing without verification works, but is discouraged.
  • Users are advised to verify the installer (bsd.rd, install55.iso, etc.) ahead of time using the signify(1) tool if available.
  • pkg_add(1) now only trusts signed packages by default.
  • Installer improvements:
  • The installer now supports a scriptable auto-installation method that enables unattended installation and upgrades using a response file.
  • Disk images which can be written to a USB flash drive (miniroot55.fs [bsd.rd only] and install55.fs [bsd.rd + unsigned sets]) are now provided for amd64 and i386.
  • Rewritten installboot(8) utility aiming for a unified implementation across platforms (currently used by amd64 and i386 only).
  • The installer now parses nwids with embedded blanks correctly.
  • New/extended platforms:
  • OpenBSD/alpha:
  • Multiprocessor support.
  • OpenBSD/aviion:
  • First self-hosting release for 88100-based AViiON systems.
  • OpenBSD/armv7 replaces OpenBSD/beagle.
  • Improved hardware support, including:
  • New vmx(4) driver for VMware VMXNET3 Virtual Interface Controller devices.
  • New vmwpvs(4) driver for VMware Paravirtual SCSI.
  • New vioscsi(4) driver for VirtIO SCSI adapters.
  • New viornd(4) driver for VirtIO random number devices.
  • New ubcmtp(4) driver for Broadcom multi-touch trackpads found on newer Apple MacBook, MacBook Pro, and MacBook Air laptops.
  • New ugold(4) driver for TEMPer gold HID thermometers.
  • New ugl(4) driver for Genesys Logic based USB host-to-host adapters.
  • New qla(4) driver for QLogic fibre channel HBAs.
  • radeondrm(4) has been overhauled, including:
  • New port of the Radeon code in Linux 3.8.13.19.
  • Support for Kernel Mode Setting (KMS) including support for additional output types such as DisplayPort.
  • wsdisplay(4) now attaches to radeondrm(4) and provides a framebuffer console.
  • inteldrm(4) has been updated to Linux 3.8.13.19, notably bringing Haswell stability fixes.
  • Support for Intel 8 Series Ethernet with i217/i218 PHYs, and i210/i211/i354 has been added to em(4).
  • Support for Intel Centrino Wireless-N 2200, 2230 and 105/135 has been added to iwn(4).
  • Support for Areca ARC-1880, ARC-1882, ARC-1883, ARC-1223, ARC-1214, ARC-1264, and ARC-1284 has been added to arc(4).
  • Support for Elantech v2 touchpads in pms(4) has been fixed.
  • Support for 802.11a (5GHz) has been added to wpi(4).
  • Workarounds for firmware stability issues have been added to wpi(4), iwi(4), and iwn(4).
  • Support for RT3572 chips has been added to the ral(4) driver.
  • Support for RTL8106E chips has been added to the re(4) driver.
  • Support for RTS5229 card readers has been added to rtsx(4).
  • Support for Microsoft Xbox 360 controllers has been added to the uhid(4) driver.
  • Support for CoreChip RD9700 USB Ethernet devices has been added to the udav(4) driver.
  • Further reliability improvements regarding suspend/resume and hibernation.
  • Enabled IPv6 transmit TCP/UDP checksum offload in jme(4).
  • Generic network stack improvements:
  • Added vxlan(4), a virtual extensible local area network tunnel interface.
  • pflow(4) now sends 64 bit time values for pflowproto 10. The changed templates / flows for pflowproto 10 are now parsable by existing receivers.
  • Continued improvement of the checksum offload framework to streamline the calculation of TCP, UDP, ICMP, and ICMPv6 checksums.
  • Enabled IPv6 routing domain support.
  • Routing daemons and other userland network improvements:
  • The popa3d POP3 server has been removed.
  • Added ntpctl(8), a program to control the Network Time Protocol daemon.
  • slowcgi(8) now works with a high number of concurrent connections.
  • The inetd-based identd has been replaced by a new libevent-based identd(8).
  • tcpdump(8) can now detect bad ICMP and ICMPv6 checksums when used with the -v flag.
  • Added rdomain support to IPv6 configuration tools ndp(8), rtsold(8), ping6(8), and traceroute6(8).
  • Added SNMPv2 client support to snmpctl(8) ("get", "walk", and "bulkwalk").
  • relayd(8) now supports TLS Perfect Forward Secrecy (PFS) with ECDHE (Elliptic curve Diffie-Hellman) that is enabled by default.
  • pf(4) improvements:
  • New queueing system with new syntax.
  • The "received-on" parameter can now be used with the "any" keyword to match any existing interface except loopback ones.
  • The block policy in the default pf.conf(5) is now "block return".
  • dhcpd(8) and dhclient(8) improvements:
  • No longer create a route to the bound address via 127.0.0.1.
  • The options 'dhcp-lease-time', 'dhcp-rebinding-time', and 'dhcp-renewal-time' can now be configured in dhclient.conf(5).
  • 'next-server' (a.k.a. siaddr) info now saved in lease files.
  • Fall back to broadcasting when unicast renewal fails, as specified in RFC 2131 and friends.
  • Fix various problems in communications between privileged and non-privileged processes.
  • Fix many abuses of memcpy.
  • Stop pretending we still support FDDI or token ring hardware types.
  • Fix classless static routes option handling and add syntax to parse human-readable forms.
  • Fix 'effective' lease created by '-L' to have correct address, 'next_server', 'timestamp', and 'resolv_conf' fields.
  • Fix handling of non-printable characters in lease file strings.
  • Fix many edge cases in config file and lease parsing and ensure that error messages refer to the correct position in erroneous line.
  • dhclient.conf(5) can now override anything in an offer or saved lease when creating the effective lease. In particular, 'fixed-address', 'next-server', 'filename' and 'server-name'.
  • Fix parsing of dhclient.conf(5) statements 'fixed-address' and 'next-server'.
  • Log failures to fchmod() or fchown() files being written.
  • Create lease files with permissions 0640.
  • Fix possible failure to write resolv.conf(5) when -L is used.
  • 'send dhcp-client-identifier "";' in dhclient.conf(5) will result in no 'dhcp-client-identifier' (option 61) being sent.
  • iked(8) improvements:
  • Support for OCSP ("Online Certificate Status Protocol"); enable with "set ocsp URL".
  • Support for RSA public key authentication as an alternative to X.509 certificates or pre-shared keys.
  • Support for DPD ("Dead Peer Detection") similar to the implementation in isakmpd(8).
  • Support for dynamic IP address assignment from a pool in configuration mode; enabled with "config address net/pool-prefix".
  • Initial support for IPComp.
  • Various improvements and a thorough audit of the network input path.
  • OpenSMTPD 5.4.2 (includes changes to 5.4.1):
  • Introduce initial support for DSN extension:
  • NOTIFY=SUCCESS, NOTIFY=FAILURE, NOTIFY=DELAY, NOTIFY=NEVER
  • RET=HDRS, RET=FULL
  • Introduce initial support for ENHANCEDSTATUSCODES extension:
  • smtp process returns Enhanced Status Codes for most commands.
  • other processes now have an API to return more precise codes ...
  • ... which will be improved further with each version.
  • Improved smtpctl(8):
  • sendmail mode now supports DSN parameters
  • Can now pause/resume a source address -> destination domain route.
  • Can now display status of processes with smtpctl show status.
  • show relays: displays list of currently active relays.
  • show routes: displays status of routes currently known by smtpd.
  • show hosts: displays list of known remote MX.
  • show hoststats: display status of last delivery for active domains.
  • resume route: resumes a route temporarily disabled by the MTA.
  • pause/resume envelope: allows pausing individual envelopes.
  • pause/resume message: allows pausing individual messages.
  • encrypt: allows generating credentials suitable for authentication.
  • show message/envelope is now compression/encryption aware.
  • Introduced SNI support.
  • Improved configuration file:
  • Removed last known ambiguity in grammar.
  • Much simpler configuration for TLS-enabled hosts.
  • Most parameters are now swappable in listen and accept rules.
  • Conditions may be negated (ie: accept from ! ...)
  • Forward-only rules can be declared to impose ~/.forward files.
  • New "recipient" keyword allows accept rule to provide a whitelist.
  • Sender and recipient tables accept wildcard in their domains.
  • TLS generic improvements:
  • Support for TLS Perfect Forward Secrecy.
  • Support for providing custom CA certificates.
  • MTA improvements:
  • mta may now require remote hosts to present valid certificates.
  • Always attempt TLS before falling back to plaintext.
  • Always present certificate if one is available.
  • AUTH LOGIN now supported.
  • MTA can now specify an EHLO-hostname when relaying.
  • SMTP server improvements:
  • IPv4-only and IPv6-only listeners are now possible.
  • Listeners may now hide the From part in a Received-line.
  • Listeners may require clients to provide a valid certificate.
  • Banner hostname can now be dynamically fetched from a table.
  • Queue improvements:
  • Introduce an envelope cache in the queue to improve disk-IO pattern.
  • Documentation:
  • table(5) describes format for static, file and db backends.
  • sendmail(8) describes our "sendmail" interface.
  • Reduced memory usage in both general and stressed cases.
  • OpenSMTPD now automagically upgrades queue if the format changes!
  • Support Qmail-like "sticky home".
  • Support for authenticating users from a credentials table.
  • Introduce passwd(5) table backend for user and credentials lookup.
  • Expansion variables in ~/.forward now support modifiers.
  • Much more efficient scheduler!
  • Many documentation fixes and improvements.
  • And a lot of minor bug fixes and internal cleanup!
  • Security improvements:
  • Position-independent executables (PIE) are now used by default on i386.
  • The arc4random(3) functions now use the ChaCha20 cipher.
  • The kernel random number system is initially seeded by the bootloader, providing better randomness very early.
  • Kernel stack protector is also seeded via the same mechanism, providing protection earlier.
  • -Wbounded is now enabled in GCC by default.
  • Added explicit_bzero(3).
  • Performance improvements:
  • Relations between the buffer cache and swap daemon have been improved.
  • Threading improvements:
  • Interprocess semaphores via sem_open(3).
  • Running threaded processes under a debugger no longer causes panics.
  • SIGPROF and SIGVTALRM are now reliably delivered to the thread that was running when they were triggered.
  • Thread stacks now have a random bias.
  • fork(2) no longer changes the pthread_t of the forking thread in the child.
  • Signaling races eliminated from pthread_kill(3) and pthread_cancel(3).
  • Assorted improvements:
  • New in-memory file system, tmpfs.
  • Many fuse(4) improvements and stability fixes.
  • Added POSIX-required nl(1) utility.
  • OpenBSD/vax has switched to GCC 3.
  • Replaced getdirentries(2) with getdents(2), vastly improving the performance and memory usage of telldir(3).
  • amd64 and i386 now use the MWAIT instruction for their idle loop where available to reduce latency.
  • Added support for CLOCK_UPTIME.
  • Added tcgetsid(3).
  • clock_t is now a 64 bit type, so it no longer wraps around in only 248 days.
  • ino_t is now a 64 bit type, mostly to support large NFS filesystems.
  • Corrected handling of UTIME_OMIT.
  • pax(1) now sets the mode and timestamps correctly on symlinks, and makes hardlinks to symlinks when requested.
  • Corrected handling of shared library destructors when libc is statically linked.
  • Corrected various disk drivers to handle non-512-byte sectors and disk sizes greater than 32-bits.
  • Corrected growfs(8) to handle non-512-byte sectors and disk sizes greater than 32-bits.
  • All CIRCLEQ uses replaced with TAILQ.
  • Preserve and honour changes to the OpenBSD bounds in a disklabel.
  • fdisk(8) now always writes a good signature when the MBR is written to disk.
  • disklabel(8) now writes the disklabel to the correct location on non-512-byte sector devices.
  • Fix athn(4) tick calculations to eliminate excessive timeouts.
  • Allow disklabel(8) to set any partition, including 'C', to type UNUSED.
  • New sha512(1) tool to calculate and verify the SHA-512 checksums of files.
  • sha256(1) and related tools (cksum(1), md5(1), sha1(1), and sha512(1)) now support a new -h flag to place the checksum into a specified hash file instead of stdout.
  • sha256(1) and related tools now support a new -C flag that allows the verification of selected files in a checklist.
  • sha256(1) and related tools will now print MISSING if they encounter non-existent files in a checklist.
  • i386 and amd64 platforms can now boot from keydisk-based softraid(4) crypto volumes.
  • Allow softraid(4) to work with partitions larger than 2TB.
  • Removed experimental RAID 4 support from softraid(4).
  • Added experimental support for rebuilding RAID 5 softraid(4) volumes. Lots of testing is still required and there is missing functionality, such as the ability to resume a partially completed rebuild. bioctl(8) refuses to create RAID 5 volumes unless recompiled with -DRAID5.
  • The uhts(4) driver has been merged into ums(4).
  • Many new checks were added to the portcheck(1) utility; it now catches almost every common mistake observed in ports in recent years.
  • OpenSSH 6.6 (including changes to 6.5, a feature-focused release):
  • Security:
  • sshd(8): When using environment passing with a sshd_config(5) AcceptEnv pattern with a wildcard, OpenSSH prior to 6.6 could be tricked into accepting any environment variable that contains the characters before the wildcard character.
  • New/changed features:
  • ssh(1), sshd(8): Add support for key exchange using elliptic-curve Diffie Hellman in Daniel Bernstein's Curve25519. This key exchange method is the default when both the client and server support it.
  • ssh(1), sshd(8): Add support for ED25519 as a public key type. ED25519 is an elliptic curve signature scheme that offers better security than ECDSA and DSA and good performance. It may be used for both user and host keys.
  • Add a new private key format that uses a bcrypt KDF to better protect keys at rest. This format is used unconditionally for ED25519 keys, but may be requested when generating or saving existing keys of other types via the -o ssh-keygen(1) option. We intend to make the new format the default in the near future. Details of the new format are in the PROTOCOL.key file.
  • ssh(1), sshd(8): Add a new transport cipher "chacha20-poly1305@openssh.com" that combines Daniel Bernstein's ChaCha20 stream cipher and Poly1305 MAC to build an authenticated encryption mode. Details are in the PROTOCOL.chacha20poly1305 file.
  • ssh(1), sshd(8): Refuse RSA keys from old proprietary clients and servers that use the obsolete RSA+MD5 signature scheme. It will still be possible to connect with these clients/servers but only DSA keys will be accepted, and OpenSSH will refuse connection entirely in a future release.
  • ssh(1), sshd(8): Refuse old proprietary clients and servers that use a weaker key exchange hash calculation.
  • ssh(1): Increase the size of the Diffie-Hellman groups requested for each symmetric key size. New values from NIST Special Publication 800-57 with the upper limit specified by RFC 4419.
  • ssh(1), ssh-agent(1): Support PKCS#11 tokens that only provide X.509 certs instead of raw public keys. (requested as bz#1908)
  • ssh(1): Add a ssh_config(5) Match keyword that allows conditional configuration to be applied by matching on hostname, user and result of arbitrary commands.
  • ssh(1): Add support for client-side hostname canonicalisation using a set of DNS suffixes and rules in ssh_config(5). This allows unqualified names to be canonicalised to fully-qualified domain names to eliminate ambiguity when looking up keys in known_hosts or checking host certificate names.
  • sftp-server(8): Add the ability to whitelist and/or blacklist sftp protocol requests by name.
  • sftp-server(8): Add an sftp "fsync@openssh.com" extension to support calling fsync(2) on an open file handle.
  • sshd(8): Add a ssh_config(5) PermitTTY to disallow TTY allocation, mirroring the longstanding no-pty authorized_keys option.
  • ssh(1): Add a ssh_config(5) ProxyUseFDPass option that supports the use of ProxyCommands that establish a connection and then pass a connected file descriptor back to ssh(1). This allows the ProxyCommand to exit rather than staying around to transfer data.
  • ssh(1), sshd(8): this release removes the J-PAKE authentication code. This code was experimental, never enabled and had been unmaintained for some time.
  • ssh(1): when processing Match blocks, skip 'exec' clauses if other clauses' predicates failed to match.
  • ssh(1): if hostname canonicalisation is enabled and results in the destination hostname being changed, then re-parse ssh_config(5) files using the new destination hostname. This gives 'Host' and 'Match' directives that use the expanded hostname a chance to be applied.
  • The following significant bugs have been fixed in this release:
  • ssh(1), sshd(8): Fix potential stack exhaustion caused by nested certificates.
  • ssh(1): make BindAddress work with UsePrivilegedPort. (bz#1211)
  • sftp(1): fix the progress meter for resumed transfer. (bz#2137)
  • ssh-add(1): do not request smartcard PIN when removing keys from ssh-agent(1). (bz#2187)
  • sshd(8): fix re-exec fallback when original sshd(8) binary cannot be executed. (bz#2139)
  • ssh-keygen(1): Make relative-specified certificate expiry times relative to current time and not the validity start time.
  • sshd(8): fix AuthorizedKeysCommand inside a Match block. (bz#2161)
  • sftp(1): symlinking a file would incorrectly canonicalise the target path. (bz#2129)
  • ssh-agent(1): fix a use-after-free in the PKCS#11 agent helper executable. (bz#2175)
  • sshd(8): Improve logging of sessions to include the user name, remote host and port, the session type (shell, command, etc.) and allocated TTY (if any).
  • sshd(8): tell the client (via a debug message) when their preferred listen address has been overridden by the server's GatewayPorts setting. (bz#1297)
  • sshd(8): include remote port in bad protocol banner message. (bz#2162)
  • sftp(1): fix memory leak in error path in do_readdir(). (bz#2163)
  • sftp(1): don't leak file descriptor on error. (bz#2171)
  • sshd(8): include the local address and port in "Connection from ..." message. (only shown at loglevel>=verbose)
  • ssh(1): avoid spurious "getsockname failed: Bad file descriptor" in ssh -W. (bz#2200, debian#738692)
  • sshd(8): allow the shutdown(2) syscall in seccomp-bpf and systrace sandbox modes, as it is reachable if the connection is terminated during the pre-auth phase.
  • ssh(1), sshd(8): fix unsigned overflow in SSH protocol 1 bignum parsing. Minimum key length checks render this bug unexploitable to compromise SSH 1 sessions.
  • sshd_config(5): clarify behaviour of a keyword that appears in multiple matching Match blocks. (bz#2184)
  • ssh(1): avoid unnecessary hostname lookups when canonicalisation is disabled. (bz#2205)
  • sshd(8): avoid sandbox violation crashes in GSSAPI code by caching the supported list of GSSAPI mechanism OIDs before entering the sandbox. (bz#2107)
  • ssh(1): fix possible crashes in SOCKS4 parsing caused by assumption that the SOCKS username is nul-terminated.
  • ssh(1): fix regression for UsePrivilegedPort=yes when BindAddress is not specified.
  • ssh(1), sshd(8): fix memory leak in ECDSA signature verification.
  • ssh(1): fix matching of 'Host' directives in ssh_config(5) files to be case-insensitive again. (regression in 6.5)
  • Ports and packages:
  • Over 8,700 ports.
  • Major overhaul of the package tools, resulting in much better memory usage.
  • pkg_add(1) now only trusts signed packages by default.
  • The build process now allows some limited capability for building conflicting packages, yielding KDE 4 packages as a result, along with KDE 3 ones.
  • Some highlights:
  • GNOME 3.10.2
  • KDE 3.5.10
  • KDE 4.11.5
  • Xfce 4.10
  • MySQL 5.1.73
  • PostgreSQL 9.3.2
  • Postfix 2.11.0
  • OpenLDAP 2.3.43 and 2.4.38
  • Mozilla Firefox 24.3 and 26.0
  • Mozilla Thunderbird 24.3.0
  • GHC 7.6.3
  • LibreOffice 4.1.4.2
  • Emacs 21.4 and 24.3
  • Vim 7.4.135
  • PHP 5.3.28 and 5.4.24
  • Python 2.7.6 and 3.3.2
  • Ruby 1.8.7.374, 1.9.3.484, 2.0.0.353 and 2.1.0
  • Tcl/Tk 8.5.15 and 8.6.1
  • JDK 1.6.0.32 and 1.7.0.21
  • Mono 2.10.9
  • Chromium 32.0.1700.102
  • Groff 1.22.2
  • Go 1.2
  • GCC 4.6.4 and 4.8.2
  • LLVM/Clang 3.3
  • Node.js 0.10.24
  • As usual, steady improvements in manual pages and other documentation.
  • The system includes the following major components from outside suppliers:
  • Xenocara (based on X.Org 7.7 with xserver 1.14.5 + patches, freetype 2.5.2, fontconfig 2.10.91, Mesa 9.2.5, xterm 301, xkeyboard-config 2.10.1 and more)
  • Gcc 4.2.1 (+ patches) and 3.3.6 (+ patches)
  • Perl 5.16.3 (+ patches)
  • Our improved and secured version of Apache 1.3, with SSL/TLS and DSO support
  • Nginx 1.4.4 (+ patches)
  • OpenSSL 1.0.1c (+ patches)
  • SQLite 3.8.0.2 (+ patches)
  • Sendmail 8.14.8, with libmilter
  • Bind 9.4.2-P2 (+ patches)
  • NSD 4.0.1
  • Lynx 2.8.7rel.2 with HTTPS and IPv6 support (+ patches)
  • Sudo 1.7.2p8
  • Ncurses 5.7
  • Heimdal 1.5.2 (+ patches)
  • Binutils 2.15 (+ patches)
  • Gdb 6.3 (+ patches)
  • Less 444 (+ patches)
  • Awk Aug 10, 2011 version

New in version 5.4 (November 1st, 2013)

  • New/extended platforms:
  • OpenBSD/octeon
  • New platform for systems based on the Cavium Octeon MIPS-compatible processors. Supported machines include:
  • Portwell CAM-0100
  • Ubiquiti Networks EdgeRouter LITE (no local storage)
  • OpenBSD/beagle
  • New platform for OMAP3/4 and AM335x systems using an ARM Cortex-A8 or Cortex-A9 CPU. Supported boards include:
  • BeagleBoard C4 / xM
  • BeagleBone and BeagleBone Black
  • PandaBoard and PandaBoard ES
  • Improved hardware support, including:
  • inteldrm(4) has been overhauled, including:
  • Now mostly in sync with Linux 3.8.13.
  • Support for Kernel Mode Setting (KMS) including support for additional output types such as DisplayPort.
  • Sandy Bridge and newer parts which previously had only ShadowFB acceleration now have full hardware acceleration including use of the 3D rings.
  • wsdisplay(4) now attaches to inteldrm(4) and provides a framebuffer console.
  • vgafb(4/macppc) now supports multiple virtual consoles.
  • Support for Elantech touchpads version 4 (clickpad) added to pms(4).
  • Fixed st(4) EOM handling, enabling much better Bacula support.
  • Support for vdsk(4) disks larger than 2TB.
  • Generic network stack improvements:
  • Reworked checksum handling for network protocols.
  • divert(4) now recalculates the IP and protocol checksums of reinjected packets.
  • No longer attempt to delete the undeletable RNF_ROOT route.
  • Routing daemons and other userland network improvements:
  • Support SSL inspection in relayd(8).
  • Added slowcgi(8), a libevent-based FastCGI implementation.
  • Enabled ECDHE support in httpd(8).
  • Do not start inetd(8) by default any more.
  • Many ldpd(8) improvements, including a speed-up of the session establishment process, support for adjacencies and targeted hellos, support for multiple addresses per interface, and more.
  • dhcpd(8) improvements:
  • Improved compliance with RFC 2131 strictures on client-identifiers.
  • Fixed synchronization of leases.
  • Replaced manual date parsing and printing with strftime and strptime.
  • Explicitly label dates in leases files as being UTC dates.
  • dhclient(8) improvements:
  • Delete routes added by defunct dhclient processes.
  • Improved handling of client-identifier option.
  • Increased ip_ttl on packets to 128, allowing more distant servers to provide leases.
  • Replaced manual date parsing and printing with strftime and strptime.
  • Explicitly label dates in leases files as being UTC dates.
  • Improved interactions between dhclient processes to make the most recent dhclient started the most likely to persist.
  • Support for static routes and classless static routes options.
  • Fixed log messages to print correct addresses.
  • Reduced log verbosity by emitting debug messages only when debugging.
  • Eliminated unnecessary address and route churn during lease renewal by not binding leases identical to the current one.
  • OpenSMTPD 5.3.3:
  • New features:
  • Add support for LMTP local deliveries
  • Add SECURE and AUTH transmission types
  • Add support for transparent queue compression
  • helo names can now be looked up in a db(3) table
  • New "error:" alias kind allows aliasing a user-part to an error
  • Traces can be (de)activated at runtime
  • Improvements:
  • More robust queue can cope with runtime errors
  • Improved routing strategies
  • Assorted minor bug fixes and cleanups
  • Performance improvements:
  • Don't require the kernel lock when processing audio interrupts.
  • Improved kernel bcopy/memmove/memcpy implementations and made more careful choices between them.
  • Implemented symbol caching and RELCOUNT/RELACOUNT optimizations in ld.so(1).
  • Threading improvements:
  • Closed various race conditions between exit/fork/execve/__tfork/__threxit/ptrace in both the kernel and libpthread.
  • Assorted improvements:
  • Added a locale(1) utility.
  • Added ltrace(1), a tool to trace PLT calls.
  • Added a new implementation of cu(1).
  • Added shm_open(3)/shm_unlink(3).
  • Added getprogname(3)/setprogname(3).
  • Added clock_getcpuclockid(3) and pthread_getcpuclockid(3).
  • Added fmemopen(3).
  • Added open_memstream(3)/open_wmemstream(3).
  • Added memmem(3).
  • Added fdatasync(2).
  • Added ppoll(2).
  • Added pselect(2).
  • Added utrace(2).
  • Switched the VAX platform to ELF.
  • Fixed kernel profiling on multiprocessor systems.
  • Experimental support for fuse(4).
  • Added support for write_opt=nodir and the 'path' and 'linkpath' extended headers to pax(1) (aka tar(1)).
  • Brought getconf(1) up to date with recent POSIX updates.
  • Added -L and -P options to ln(1).
  • More structures and symbolic values displayed by kdump(1).
  • pkill(1) now accepts an -I option to ask for confirmation on killing processes.
  • New vmx(4) driver provides support for the VMXNET3 virtual NIC available in VMware.
  • OpenSSH 6.3:
  • New features:
  • sshd(8): add ssh-agent(1) support to sshd(8); allows encrypted hostkeys, or hostkeys on smartcards.
  • ssh(1) and sshd(8): allow optional time-based rekeying via a second argument to the existing RekeyLimit option. RekeyLimit is now supported in sshd_config(5) as well as on the client.
  • sshd(8): standardise logging of information during user authentication.
  • ssh(1): add the ability to query supported ciphers, MAC algorithms, key types and key exchange methods.
  • ssh(1): support ProxyCommand=- to support cases where stdin and stdout already point to the proxy.
  • ssh(1): allow IdentityFile=none.
  • ssh(1) and sshd(8): add -E option to ssh(1) and sshd(8) to append debugging logs to a specified file instead of stderr or syslog.
  • sftp(1): add support for resuming partial downloads using the reget command, and on the sftp(1) command line or the get command line using the -a (append) option.
  • ssh(1): add an IgnoreUnknown configuration option to selectively suppress errors arising from unknown configuration directives.
  • sshd(8): add support for submethods to be appended to required authentication methods listed via AuthenticationMethods.
  • The following significant bugs have been fixed in this release:
  • sshd(8): fix refusal to accept certificate if a key of a different type to the CA key appeared in authorized_keys before the CA key.
  • ssh(1), ssh-agent(1) and sshd(8): Use a monotonic time source for timers so that things like keepalives and rekeying will work properly over clock steps.
  • sftp(1): update progressmeter when data is acknowledged, not when it's sent. (bz#2108)
  • ssh(1) and ssh-keygen(1): improve error messages when the current user does not exist in /etc/passwd. (bz#2125)
  • ssh(1): reset the order in which public keys are tried after partial authentication success.
  • ssh-agent(1): clean up socket files after SIGINT when in debug mode. (bz#2120)
  • ssh(1) and others: avoid confusing error messages in the case of broken system resolver configurations. (bz#2122)
  • ssh(1): set TCP nodelay for connections started with -N. (bz#2124)
  • ssh(1): correct manual for permission requirements on ~/.ssh/config. (bz#2078)
  • ssh(1): fix ControlPersist timeout not triggering in cases where TCP connections have hung. (bz#1917)
  • ssh(1): properly detach a ControlPersist master from its controlling terminal.
  • sftp(1): avoid crashes in libedit when it has been compiled with multi-byte character support. (bz#1990)
  • sshd(8): when running sshd -D, close stderr unless we have explicitly requested logging to stderr. (bz#1976)
  • ssh(1): fix incomplete bzero. (bz#2100)
  • sshd(8): log an error and exit if ChrootDirectory is specified and running without root privileges.
  • Many improvements to the regression test suite. In particular log files are now saved from ssh(1) and sshd(8) after failures.
  • Fix a number of memory leaks. (bz#1967, bz#2096 and others)
  • sshd(8): fix public key authentication when a :style is appended to the requested username.
  • ssh(1): do not fatally exit when attempting to cleanup multiplexing-created channels that are incompletely opened. (bz#2079)
  • Over 7,800 ports, major stability improvements in the package build process
  • The parallel ports builder is better at catching errors on older, slower platforms, thus allowing release engineers to better concentrate on real errors.
  • Many pre-built packages for each architecture:
  • i386: 7976
  • sparc64: 6959
  • alpha: 6062
  • m68k: 3862
  • sh: 989
  • amd64: 7941
  • powerpc: 7483
  • m88k: 3951
  • sparc: 4823
  • arm: 5582
  • hppa: 6607
  • vax: 2226
  • mips64: 6739
  • mips64el: 6306
  • Some highlights:
  • GNOME 3.8.3
  • KDE 3.5.10
  • Xfce 4.10
  • MySQL 5.1.70
  • PostgreSQL 9.2.4
  • Postfix 2.10.1
  • OpenLDAP 2.3.43 and 2.4.35
  • Mozilla Firefox 3.6.28 and 22.0
  • Mozilla Thunderbird 17.0.7
  • GHC 7.6.3
  • LibreOffice 4.0.4.2
  • Emacs 21.4 and 24.3
  • Vim 7.3.850
  • PHP 5.2.17 and 5.3.27
  • Python 2.7.5 and 3.3.2
  • Ruby 1.8.7.374, 1.9.3.448 and 2.0.0.247
  • Tcl/Tk 8.4.20, 8.5.14 and 8.6.0
  • JDK 1.6.0.32 and 1.7.0.21
  • Mono 2.10.9
  • Chromium 28.0.1500.45
  • Groff 1.22.2
  • Go 1.1.1
  • GCC 4.6.4 and 4.8.1
  • LLVM/Clang 3.3
  • Node.js 0.10.12
  • As usual, steady improvements in manual pages and other documentation.
  • The system includes the following major components from outside suppliers:
  • Xenocara (based on X.Org 7.7 with xserver 1.14.1 + patches, freetype 2.4.12, fontconfig 2.10.91, Mesa 7.11.2, xterm 293, xkeyboard-config 2.7 and more)
  • Gcc 4.2.1 (+ patches), 3.3.6 (+ patches) and 2.95.3 (+ patches)
  • Perl 5.16.3 (+ patches)
  • Our improved and secured version of Apache 1.3, with SSL/TLS and DSO support
  • Nginx 1.4.1 (+ patches)
  • OpenSSL 1.0.1c (+ patches)
  • SQLite 3.7.17 (+ patches)
  • Sendmail 8.14.7, with libmilter
  • Bind 9.4.2-P2 (+ patches)
  • NSD 3.2.15
  • Lynx 2.8.7rel.2 with HTTPS and IPv6 support (+ patches)
  • Sudo 1.7.2p8
  • Ncurses 5.7
  • Heimdal 1.5.2 (+ patches)
  • Binutils 2.15 (+ patches)
  • Gdb 6.3 (+ patches)
  • Less 444 (+ patches)
  • Awk Aug 10, 2011 version

New in version 5.3 (May 1st, 2013)

  • Improved hardware support, including:
  • New driver oce(4) for Emulex OneConnect 10Gb Ethernet adapters.
  • New driver rtsx(4) for the Realtek RTS5209 card reader.
  • New driver mfii(4) for the LSI Logic MegaRAID SAS Fusion controllers.
  • New driver smsc(4) for SMSC LAN95xx 10/100 USB Ethernet adapters.
  • New drivers for Toradex OAK USB sensors: uoaklux(4) (illuminance), uoakrh(4) (temperature and relative humidity) and uoakv(4) (+/- 10V 8-channel ADC).
  • New drivers for virtio(4) devices: vio(4) (network), vioblk(4) (block devices, attaching as SCSI disks) and viomb(4) (memory ballooning).
  • Support for Adaptec 39320LPE added to ahd(4).
  • Broadcom 5718/5719/5720 Gigabit Ethernet devices supported in bge(4).
  • Intel X540-based 10Gb Ethernet devices supported in ix(4).
  • Support for SFP+ hot-plug (82599) and various other improvements in ix(4).
  • TX interrupt mitigation, hardware VLAN tagging and checksum offload reduce CPU use in vr(4).
  • Baby jumbo frames supported in vr(4) and sis(4), useful for e.g. MPLS, vlan(4) tag stacking (QinQ) and RFC4638 pppoe(4).
  • TCP RX Checksum offload in gem(4).
  • Improvements for NICs using 82579/pch2 in em(4).
  • Flow control is now supported on bnx(4) 5708S/5709S adapters, gem(4) and jme(4).
  • Power-saving clients supported in hostap mode with acx(4) and athn(4).
  • A cause of RT2661 ral(4) wedging in hostap mode was fixed.
  • iwn(4) supports additional devices (Centrino Advanced-N 6235 and initial support for Centrino Wireless-N 1030).
  • Improvements to ahci(4).
  • Support for the fixed-function performance counter on newer x86 chips with constant time stamp counters.
  • Elantech touchpads supported in pms(4) and synaptics(4).
  • Support for "physical devices" on skinny mfi(4) controllers.
  • VMware emulated SAS adapters supported by mpi(4).
  • Support for Intel's Supervisor Mode Execution Protection (SMEP) and Supervisor Mode Access Prevention (SMAP) features on i386 and amd64.
  • Support for the RDRAND instruction to read the hardware random number generator on recent Intel processors.
  • amd64 PCI memory extent changed to cover the whole 64-bit memory space; fixes erroneous extent allocation panic on IBM x3100.
  • ulpt(4) can now upload firmware to certain HP LaserJet printers.
  • Added stat clock to Loongson machines, improving accuracy of CPU usage statistics.
  • CPU throttling supported on Loongson 2F.
  • Support for Apple UniNorth and U3 AGP added to agp(4).
  • DRM support for macppc.
  • Generic network stack improvements:
  • Restriction on writing to trunk(4) member interfaces relaxed; BPF can now write to interfaces directly (useful for LLDP).
  • UDP support added to sosplice(9) (zero-copy socket splicing).
  • IPv6 autoconfprivacy is enabled by default (can be disabled per-interface with an ifconfig(8) flag).
  • ifconfig(8) hwfeatures displays the maximum MTU supported by the driver (indicating support for jumbo/baby-jumbo frames).
  • Vastly improved IPsec v3 compatibility, including support for Extended Sequence Numbers in the AES-NI driver for AES-GCM and other modes.
  • Routing daemons and other userland network improvements:
  • OpenBSD now includes npppd(8), a server-side daemon for L2TP, L2TP/IPsec, PPTP and PPPoE.
  • New standalone tftp-proxy(8) to replace the old inetd(8)-based implementation.
  • SNMPv3 supported in snmpd(8).
  • bgpd(8) is more tolerant of unknown capabilities when bringing up a session (logs a warning rather than fails).
  • bgpd(8) now handles client side of "graceful restart".
  • bgpd(8) can now filter based on the NEXTHOP attribute.
  • A stratum can now be assigned to hardware sensors in ntpd(8).
  • authpf(8) now supports the use of per-group rules files.
  • ftp(1) client now supports basic HTTP authentication as per RFC 2617 and 3986 like "ftp http[s]://user:pass@host/file".
  • ftp(1) client's mput command allows uploading a directory tree recursively using the -r switch.
  • relayd(8) has various improvements including additional scheduling algorithms (least-states, for redirections, and random/source-hash, for relays).
  • The iked(8) IKEv2 daemon supports NAT-T. (The isakmpd daemon for IKEv1 has supported this for a long time).
  • iked(8) blocks IPv6 traffic unless there are v6 VPN flows; this is to prevent leakages as described in draft-gont-opsec-vpn-leakages.
  • dhclient(8) improvements:
  • dhclient-script eliminated, all configuration is done with ioctls and routing sockets.
  • interface configuration is much faster.
  • HUP signals cause dhclient to restart; making it re-read the dhclient.conf(5) and resolv.conf.tail(5) files, and obtain a new lease.
  • INIT, USR1, USR2 signals cause dhclient to exit after attempting to remove routes and addresses it configured.
  • resolv.conf(5) is written only when the in-use default route was inserted by dhclient. Possible changes to the default route are detected and cause dhclient to write out resolv.conf when appropriate.
  • interface hardware address changes are detected and cause dhclient to restart.
  • dhclient.conf directive 'ignore' and command line option '-i' added, allowing the suppression of specific options offered by server.
  • '-L' command line option added, allowing the creation of a complete record of the most recent offer and what we modified it to when binding the lease.
  • rejected offers no longer prevent dhclient from trying recorded leases and going daemon.
  • cleanup of routing tables when starting and exiting is more complete.
  • log messages cleaned up and reduced.
  • dhclient is automatically placed in the routing domain of the interface.
  • incoming and outgoing packet buffers are separate, eliminating possible transmission of inappropriate packets when re-trying DISCOVER and REQUEST.
  • resolv.conf.tail read only once, at startup.
  • both OFFER and ACK packets that lack required options are rejected.
  • file names passed to '-L' and '-l' are constrained to be regular files.
  • bind success reported after binding complete, not when it is started.
  • privileged process daemonizes, eliminating its controlling terminal.
  • STDIN/STDOUT/STDERR no longer redirected to /dev/null when '-d' specified.
  • all existing addresses on the interface are deleted when binding a new lease.
  • leases which would cause routing problems because another interface is already configured with the same subnet are rejected.
  • premature and repeated DISCOVER and/or REQUEST messages at startup are avoided.
  • permanent ARP cache entries are no longer deleted during binding.
  • allow empty lists of option names for 'ignore', 'request', and 'require' dhclient.conf directives, so lists can be reset in interface declarations.
  • dhcpd(8) and dhclient recognize the same list of dhcp options.
  • hand-rolled IMSG implementation replaced with imsg_init(3) and related functions.
  • hand-rolled date string construction replaced with strftime(3) invocations.
  • hand-rolled '%m' option replaced with strerror(3) invocations.
  • many other internal code improvements.
  • pf(4) improvements:
  • The divert(4) socket now supports the new IP_DIVERTFL socket option to control whether both inbound and outbound packets are diverted (the default) or only packets travelling in one direction.
  • Sloppy state tracking (a special mode occasionally needed with asymmetric routing) now works correctly with ICMP.
  • PF now restricts the fragment limit to protect against a misconfiguration running the kernel out of mbuf clusters.

New in version 4.9 (May 1st, 2011)

  • New/extended platforms:
  • OpenBSD/amd64 and OpenBSD/i386:
  • Enabled NTFS by default (read-only) on GENERIC kernels.
  • Enabled the vmt(4) driver by default for VMware tools support as a guest.
  • SMP kernels can now boot on machines with up to 64 cores.
  • Maximum allocation size for i386 bumped to 2G.
  • Handle >16 disks when searching for kernel boot device.
  • Added support for AES-NI instructions found in recent Intel processors.
  • Further improvements in suspend and resume.
  • Processes are now switched to TSS per cpu on the amd64 platform, resulting in removal of the old limit of ~4000 processes.
  • OpenBSD/hppa:
  • Multiprocessor support.
  • OpenBSD/loongson and OpenBSD/sgi:
  • All MIPS64 based platforms now use MI softfloat code, which implements all MIPS IV specified floating point operations.
  • OpenBSD/sparc64:
  • The vdsp(4) driver now supports the vDisk 1.1 protocol, allowing Solaris to run on top of an OpenBSD control domain.
  • Improved hardware support, including:
  • New vte(4) driver for RDC R6040 10/100 Ethernet devices.
  • New rdcphy(4) driver for RDC Semiconductor R6040 10/100 Ethernet PHY.
  • New rsu(4) driver for Realtek RTL8188SU/RTL8191SU/RTL8192SU USB IEEE 802.11b/g/n wireless devices.
  • New urtwn(4) driver for Realtek RTL8188CU/RTL8192CU USB IEEE 802.11b/g/n wireless devices.
  • New utwitch(4) driver for YUREX USB twitch/jiggle of knee sensor.
  • Support for AR9271, AR9280+AR7010 and AR9287+AR7010 USB IEEE 802.11a/g/n wireless adapters has been added to athn(4).
  • Support for 82583V has been added to em(4).
  • Support for Yukon 88E8059 has been added to msk(4).
  • Support for SiS191 has been added to se(4).
  • Support for SAS2004 has been added to mpii(4).
  • Support for NVIDIA MCP89 SATA has been added to pciide(4).
  • Support for Mobility Radeon HD 4200 has been added to radeondrm(4).
  • pms(4) support has been significantly reworked and expanded.
  • MCLGETI support has been added to xl(4).
  • Support for low latency interrupt modulation has been added to ix(4).
  • Port multiplier support has been added to ahci(4) and sili(4).
  • Support for Sun XVR-300 graphics has been added to radeonfb(4).
  • Added workaround for BCM5906 A0/1/2 controller silicon bug in bge(4).
  • ugen(4) can now be attached along with other drivers to multifunction devices.
  • umodem(4) now supports more devices.
  • umsm(4) now supports more mobile broadband devices.
  • Support for more image processing controls was added to uvideo(4).
  • Generic network stack improvements:
  • Reworking of the MCLGETI livelock algorithm to improve forwarding and host performance under high network load.
  • Added support for socket splicing; sockets can be temporarily connected so that the kernel moves data without userland intervention. This will be used by relayd(8) in the next release.
  • Added AES-GCM support for IPsec.
  • Added automatic send and receive buffer scaling for TCP.
  • Added wpakey option to ifconfig(8) replacing wpa-psk(8).
  • TCP acknowledgments are no longer delayed on the loopback interface.
  • Network livelock counters are now exported via sysctl(3).
  • A radix tree sorting bug was fixed, which results in significant improvements to IPsec performance under certain conditions.
  • tcpdump(8) now decodes Multicast DNS (mDNS) traffic.
  • Wake on Lan support has been added to arp(8).
  • Enabled MPLS and mpe(4) by default on GENERIC kernels.
  • Added a mpls option to ifconfig(8) to enable MPLS on a per interface basis replacing the global sysctl knob.
  • OpenBGPD, OpenOSPFD and other routing daemon improvements:
  • bgpd(8) handles various message encoding errors more gracefully now.
  • Notification messages are now logged in bgpd(8).
  • ospfd(8) will now correctly redistribute overlapping routes.
  • ospfctl(8) now prints the LSDB checksum in the show summary output for quick verification that two LSDBs are in sync.
  • Fixed ldpd(8)'s message parser to work on all architectures and more LDP messages are now implemented.
  • Various improvements in ospf6d(8).
  • pf(4) improvements:
  • The logging subsystem has been largely rewritten, now logging the translated addresses again instead of the original ones.
  • match log rules cause a log on the fly, showing the packet exactly as pf(4) sees it at the moment of evaluating that rule. A packet can also be logged more than once now.
  • match log(matches) rules allow the further rule matching to be traced.
  • pflog(4) now includes the original addresses and ports for packets that have been rewritten. This is also displayed by tcpdump(8).
  • IPsec stack audit was performed, resulting in:
  • Several potential security problems have been identified and fixed.
  • ARC4 based PRNG code was audited and revamped.
  • New explicit_bzero kernel function was introduced to prevent a compiler from optimizing bzero calls away.
  • SCSI improvements:
  • Improved safety when detaching SCSI devices by waiting for the completion of pending commands.
  • Improved hotplug support on mpi(4) and mpii(4).
  • Continued iopoolification of SCSI drivers, notably on umass(4) which improves the reliability and performance of multi-LUN devices.
  • Added vscsi(4), a driver for userland handling of SCSI device commands.
  • Added iscsid(8), an iSCSI initiator.
  • Forcibly restrict devices incapable of tagged I/O to executing one command at a time.
  • Discover and honour read-only status of sd(4) devices.
  • Improve st(4) handling of I/O residual information.
  • sd(4) devices that can only execute one command at a time (e.g. USB) will now be allowed to spin up if necessary.
  • cd(4) will now attach CDROM devices identified as non-removable.
  • Assorted improvements:
  • Enabled wide character support in ncurses(3).
  • Added nsd(8), an authoritative name server implementation.
  • Disklabel UID support improved and added to more utilities.
  • rarpd(8) now accepts a list of interfaces to listen on.
  • dhclient(8) now accepts 'egress' as an interface name, meaning whichever interface is marked as being in the 'egress' group.
  • dhcpd(8) no longer listens on interfaces without a broadcast address (e.g. pflog(4)).
  • who(1) now displays as much of the hostname as fits on the line.
  • tcpdump(8) now correctly handles 'net' primitives when processing pflog(4) traffic.
  • fdisk(8) now respects failure to read the MBR.
  • fdisk(8) will no longer infinitely loop when encountering an improperly constructed EBR.
  • disklabel(8) no longer reuses information from a failed partition addition on the next addition of the same partition.
  • Many unused and obsolete disktab(5) entries removed.
  • Enabled X11 autoconfiguration on sparc and sparc64.
  • Implement attribute syntax from RFC4517 and support bsdauth in ldapd(8).
  • New video(1) utility which can record or display images from video(4).
  • httpd(8) mod_headers now handles apache2 style RequestHeader directives.
  • UNIX-domain datagram socket support has been added to nc(1) (-uU option).
  • Added support for terabyte units in disklabel(8).
  • loongson and sgi platforms have been switched over to gcc4.
  • ddb cpu support was added to the sgi platform.
  • Fast path TLB miss handling was added to the landisk platform, resulting in a 44-50% gain in performance.
  • PCIe extended configuration space can now be viewed using pcidump(8) (-xxx option).
  • The number of spurious IPIs has been decreased on the amd64 platform, resulting in improved performance.
  • Numerous improvements and bug fixes to tmux(1).
  • Considerable robustness and interoperability improvements in the IKEv2 daemon iked(8).
  • Skipjack and libdes were retired from the system. The CAST-128 implementation was also removed from libc.
  • Removed some races in the USB subsystem, substantially increasing reliability.
  • Added a few more compat_linux(8) system calls to make it possible for newer versions of applications, such as Skype, to execute.
  • OpenBSD-specific package documentation is now centralised in /usr/local/share/doc/pkg-readmes.
  • Install/Upgrade process changes:
  • Fixed the hppa CD installation process.
  • Added some more free firmwares to the CD media that could fit them.
  • Make the macppc upgrade script update the boot blocks (oddly, this had been broken a very long time and no one noticed).
  • Teach the install script about the configuration of 802.11 interfaces. Visible networks can be listed, and even configured for WPA.
  • The install script now passes collected entropy better to the system which is booted next.
  • Upgrade now defaults to checking only the root filesystem.
  • Upgrade no longer checks filesystems with a fs_passno of 0.
  • Upgrade now asks if it should proceed even if one or more filesystem mounts fail.
  • Installer now configures ntpd(8) to use all provided time source IPs.
  • New rc.d(8) for starting, stopping and reconfiguring package daemons:
  • The rc.subr(8) framework allows for easy creation of rc scripts. This framework is still evolving.
  • Only a handful of packages have migrated for now.
  • rc.local can still be used instead of or in addition to rc.d(8).
  • OpenSSH 5.8:
  • New features:
  • Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer better performance than plain DH and DSA at the same equivalent symmetric key length, as well as much shorter keys.
  • sftp(1) and sftp-server(8): add a protocol extension to support a hard link operation. It is available through the "ln" command in the client. The old "ln" behaviour of creating a symlink is available using its "-s" option or through the preexisting "symlink" command.
  • scp(1): Add a new -3 option to scp: Copies between two remote hosts are transferred through the local host. Without this option the data is copied directly between the two remote hosts.
  • ssh(1): automatically order the hostkeys requested by the client based on which hostkeys are already recorded in known_hosts. This avoids hostkey warnings when connecting to servers with new ECDSA keys, since these are now preferred when learning hostkeys for the first time.
  • ssh(1) and sshd(8): add a new IPQoS option to specify arbitrary TOS/DSCP/QoS values instead of hardcoding lowdelay/throughput. (bz#1733)
  • sftp(1): the sftp client is now significantly faster at performing directory listings, using OpenBSD glob(3) extensions to preserve the results of stat(3) operations performed in the course of its execution rather than performing expensive round trips to fetch them again afterwards.
  • ssh(1): "atomically" create the listening mux socket by binding it on a temporary name and then linking it into position after listen() has succeeded. This allows the mux clients to determine that the server socket is either ready or stale without races. Stale server sockets are now automatically removed. (also fixes bz#1711)
  • ssh(1) and sshd(8): add a KexAlgorithms knob to the client and server configuration to allow selection of which key exchange methods are used by ssh(1) and sshd(8) and their order of preference.
  • sftp(1) and scp(1): factor out bandwidth limiting code from scp(1) into a generic bandwidth limiter that can be attached using the atomicio callback mechanism and use it to add a bandwidth limit option to sftp(1). (bz#1147)
  • The following significant bugs have been fixed in this release:
  • ssh(1) and ssh-agent(1): honour $TMPDIR for client xauth and ssh-agent temporary directories. (bz#1809)
  • ssh(1): avoid NULL deref on receiving a channel request on an unknown or invalid channel. (bz#1842)
  • sshd(8): remove a debug() that pollutes stderr on client connecting to a server in debug mode. (bz#1719)
  • scp(1): pass through ssh command-line flags and options when doing remote-remote transfers, e.g. to enable agent forwarding which is particularly useful in this case. (bz#1837)
  • sftp-server(8): umask should be parsed as octal.
  • sftp(1): escape '[' in filename tab-completion.
  • ssh(1): Typo in confirmation message. (bz#1827)
  • sshd(8): prevent free() of string in .rodata when overriding AuthorizedKeys in a Match block.
  • sshd(8): Use default shell /bin/sh if $SHELL is "".
  • ssh(1): kill proxy command on fatal() (we already killed it on clean exit).
  • ssh(1): install a SIGCHLD handler to reap expired child process. (bz#1812)
  • Support building against openssl-1.0.0a
  • Fix vulnerability in legacy certificate signing introduced in OpenSSH-5.6 and found by Mateusz Kocielski.
  • Mandoc 1.10.9:
  • New integrated tbl(7) parser and renderer.
  • Support the roff(7) .de, .rm, and .so requests.
  • Support all roff code used in the standard pod2man(1) preamble.
  • Fully support roff quoting in man(7) documents.
  • Mandoc now copes with most formatting errors that used to be fatal.
  • Much simplified and improved reporting of errors and warnings.
  • Significantly improved -Thtml output quality.
  • The ports tree now allows ports to use either mandoc or groff to render manuals.
  • Over 6,800 ports, major robustness and speed improvements in package tools.
  • Many pre-built packages for each architecture:
  • i386: 6620
  • sparc64: 6225
  • alpha: 6000
  • sh: 3656
  • amd64: 6570
  • powerpc: 6272
  • sparc: 4184
  • arm: 5679
  • hppa: 5838
  • vax: 1068
  • mips64: 5492
  • mips64el: 5499
  • Some highlights:
  • Gnome 2.32.1.
  • KDE 3.5.10.
  • Xfce 4.8.0.
  • MySQL 5.1.54.
  • PostgreSQL 9.0.3.
  • Postfix 2.7.2.
  • OpenLDAP 2.3.43 and 2.4.23.
  • Mozilla Firefox 3.5.16 and 3.6.13.
  • Mozilla Thunderbird 3.1.7.
  • OpenOffice.org 3.3.0rc9.
  • LibreOffice 3.3.0.4.
  • Emacs 21.4 and 22.3.
  • Vim 7.3.3.
  • PHP 5.2.16.
  • Python 2.4.6, 2.5.4 and 2.6.6.
  • Ruby 1.8.7.330 and 1.9.2.136.
  • Mono 2.8.2.
  • Chromium 9.0.597.94.
  • As usual, steady improvements in manual pages and other documentation.
  • The system includes the following major components from outside suppliers:
  • Xenocara (based on X.Org 7.6 with xserver 1.9 + patches, freetype 2.4.4, fontconfig 2.8.0, Mesa 7.8.2, xterm 267 and more)
  • Gcc 2.95.3 (+ patches), 3.3.5 (+ patches) and 4.2.1 (+ patches)
  • Perl 5.12.2 (+ patches)
  • Our improved and secured version of Apache 1.3, with SSL/TLS and DSO support
  • OpenSSL 1.0.0a (+ patches)
  • Sendmail 8.14.3, with libmilter
  • Bind 9.4.2-P2 (+ patches)
  • Lynx 2.8.6rel.5 with HTTPS and IPv6 support (+ patches)
  • Sudo 1.7.2p8
  • Ncurses 5.7
  • Heimdal 0.7.2 (+ patches)
  • Arla 0.35.7
  • Binutils 2.15 (+ patches)
  • Gdb 6.3 (+ patches)
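
The OpenSSH 5.8 entry above on "atomically" creating the listening mux socket (bind on a temporary name, link it into position after listen() succeeds, remove stale sockets) can be sketched as follows. This is an added example, not OpenSSH's code; the function names mux_probe and mux_listen and the path-plus-PID temporary name are assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Fill a sockaddr_un for path; returns -1 if the path does not fit. */
static int mkaddr(struct sockaddr_un *sa, const char *path) {
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    if (strlen(path) >= sizeof(sa->sun_path)) return -1;
    strcpy(sa->sun_path, path);
    return 0;
}

/* Returns 1 if a server accepts connections on path. A socket file that refuses
 * connections is stale and is removed (best-effort: concurrent starters can race). */
int mux_probe(const char *path) {
    struct sockaddr_un sa;
    int fd, r, e;
    if (mkaddr(&sa, path) == -1 || (fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
        return 0;
    r = connect(fd, (struct sockaddr *)&sa, sizeof(sa));
    e = errno;
    close(fd);
    if (r == -1 && e == ECONNREFUSED)
        unlink(path);
    return r == 0;
}

/* Returns a listening fd reachable at path, or -1 (a live server keeps the name). */
int mux_listen(const char *path) {
    struct sockaddr_un sa;
    char tmp[sizeof(sa.sun_path)];
    /* Temporary name (hypothetical scheme: path plus PID) in the same directory. */
    int fd, n = snprintf(tmp, sizeof(tmp), "%s.%ld", path, (long)getpid());
    if (n < 0 || (size_t)n >= sizeof(tmp) || mkaddr(&sa, tmp) == -1) return -1;
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) return -1;
    unlink(tmp);
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) == -1 || listen(fd, 8) == -1)
        goto fail;
    /* link(2) never replaces an existing name: clients see no socket or a ready one. */
    if (link(tmp, path) == -1) {
        if (errno != EEXIST || mux_probe(path)) goto fail;
        if (link(tmp, path) == -1) goto fail;   /* stale entry removed: retry once */
    }
    unlink(tmp);
    return fd;
fail:
    unlink(tmp);
    close(fd);
    return -1;
}
```

A client that finds the socket name present can therefore connect immediately: the name only ever appears after listen() has succeeded, and a refused connection identifies a leftover from a dead server.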

New in version 4.5 (May 2nd, 2009)

  • New/extended platforms:
  • Initial ports to the xscale based gumstix platform and the ARM based OpenMoko
  • OpenBSD/sparc64
    • New vdsk(4) and vnet(4) drivers provide support for virtual I/O between logical domains on Sun's CoolThreads servers, including UltraSPARC T2+ machines.
    • Workstations and laptops with UltraSPARC IIe CPUs can now scale down the CPU frequency to save power.
  • Improved hardware support, including:
  • Several new/improved drivers for sensors, including:
    • The cac(4) driver now has bio and sensor support.
    • The mpi(4) driver now has bio and sensor support.
    • New gpiodcf(4) driver for DCF77/HBG timedelta sensors through GPIO pins.
    • New schsio(4) driver for SMSC SCH311x LPC Super I/O devices.
    • The it(4) driver now supports IT8720F chips.
    • The it(4) driver now supports FAN4 and FAN5 sensors for IT8716F/IT8718F/IT8720F/IT8726F chips.
    • The owtemp(4) driver now supports Maxim/Dallas DS18B20 and DS1822 temperature sensors.
    • The km(4) driver now supports AMD Family 11h processors (Turion X2 Ultra et al).
    • The lm(4) driver now supports W83627DHG attachment on the I²C bus.
    • The lmenv(4) driver now has better support for the fan sensors on lm81, adm9240 and ds1780 chips.
    • The sdtemp(4) driver now supports ST STTS424 chips.
  • The em(4) driver now supports ICH9 IGP M and IGP M AMT chips, and link status detection has improved.
  • The sdmmc(4) driver now supports SDHC cards.
  • The msk(4) driver now supports Yukon-2 FE+ (88E8040, 88E8042) based devices.
  • The iwn(4) driver now supports Intel WiFi Link 5100/5300 devices.
  • The wpi(4) and iwn(4) drivers now support hardware CCMP cryptography.
  • The ath(4) driver now has WPA-PSK support.
  • age(4), a driver for Attansic L1 gigabit Ethernet devices was added.
  • ale(4), a driver for Atheros AR81xx (aka Attansic L1E) Ethernet devices was added.
  • mos(4), a driver for Moschip MCS7730/7830 10/100 USB Ethernet devices was added.
  • jme(4), a driver for JMicron JMC250/JMC260 10/100 and Gigabit Ethernet devices was added.
  • run(4), a driver for Ralink USB IEEE 802.11a/b/g/Draft-N devices was added.
  • auacer(4), a driver for Acer Labs M5455 audio devices was added.
  • ifb(4), a driver for Sun Expert3D, Expert3D-Lite, XVR-500, XVR-600 and XVR-1200 framebuffers (accelerated).
  • wildcatfb(4), an X driver for Sun Expert3D, Expert3D-Lite, XVR-500, XVR-600 and XVR-1200 framebuffers (unaccelerated).
  • sunffb(4), an accelerated X driver for Sun Creator, Creator 3D and Elite 3D framebuffers.
  • vdsk(4), a driver for virtual disks of sun4v logical domains.
  • vnet(4), a driver for virtual network adapters of sun4v logical domains.
  • vrng(4), a driver for the random number generator on Sun UltraSPARC T2/T2+ CPUs.
  • The vcons(4) driver is now interrupt driven.
  • ips(4), a driver for IBM SATA/SCSI ServeRAID controllers was added.
  • udfu(4), a driver for device firmware upgrade (DFU) was added.
  • Many improvements were made to the acpi(4) subsystem.
  • The umsm(4) driver supports several new EVDO/UMTS devices.
  • The mfi(4) driver now supports the next generation of MegaRAID SAS controllers.
  • New vsbic(4) driver for the MVME327A SCSI and floppy controller on mvme68k and mvme88k machines.
  • The re(4) driver now supports 8168D/8111D-based devices, and multicast reception on 8110SB/SC-based devices.
  • The ehci(4) driver now supports isochronous transfers.
  • S/PDIF output support has been added to the ac97(4), auich(4), auvia(4) and azalia(4) drivers.
  • azalia(4) mixer has been clarified and simplified, support for 20-bit and 24-bit encodings has been added.
  • The gbe(4) frame buffer driver now supports acceleration.
  • New tools:
  • ypldap(8), a YP server using LDAP as a backend.
  • xcompmgr(1) was added to xenocara.
  • New functionality:
  • The libc resolver(3) may now be forced to perform lookups by TCP only using a new resolv.conf(5) option. The nameserver declaration in resolv.conf(5) has also been extended to allow specification of non-default nameserver ports.
  • apropos(1) has two new options (-S and -s) to allow searching by machine architecture and manual section.
  • aucat(1) now has audio server capability. Audio devices can be shared between multiple applications. Applications can run natively on fixed sample rate devices or on devices with unusual encodings. Multi-channel audio devices can be split into smaller independent subdevices.
  • aucat(1) now has a deviceless mode, in which it can be used as a general purpose audio file format conversion utility (to mix, demultiplex, resample or reencode files).
  • ifconfig(8) can now list channels supported by an IEEE 802.11 device.
  • New views were added to systat(8): malloc, bucket and pool. Improvements were made to existing views.
  • vnconfig(8) can now create devices with arbitrary geometry with the new -t option.
  • FFS filesystems are now supported on most devices, e.g. CDs, that have sector sizes other than 512 bytes.
  • Disklabels are now correctly placed and found on most devices, e.g. CDs, that have sector sizes other than 512 bytes.
  • Assorted improvements and code cleanup:
  • malloc(3) has gained new attack mitigation measures; critical bookkeeping structures are protected at runtime using mprotect(2) and allocated at random addresses where possible.
  • A new version of the gdtoa code has been integrated, bringing better C99 support to printf(3) and friends.
  • Vastly improved C99 support in libm, including complex math support.
  • The sppp(4) layer and thus kernel pppoe(4) now support usernames and passwords of up to 255 characters.
  • Recognize and spoof disklabel entries for more FAT and FAT32 variants.
  • Automatically recognize tapes with 64K records.
  • Improve option handling in dhcpd(8).
  • When booting from a cd the root file system is now assumed to be on the cd, rather than always asking for the location.
  • Disklabels constructed from native disklabels are now subject to the same consistency checks as all other disklabels.
  • No longer display geometry information for sd(4) disk drives, since it is mostly fictitious these days.
  • Fix handling of tftp ERROR frames so OpenBSD pxeboot can be loaded from picky tftp servers.
  • Many scsi(4) drivers now retry operations that can't be immediately started rather than giving up.
  • MBR and DPME disklabels are no longer written out with invalid checksum information in some circumstances.
  • Install/Upgrade process changes:
  • crunchgen(1) and crunchide(1) have been merged into crunchgen(8), which is now built and installed by default.
  • mksuncd(1) now lives in base and is installed by default.
  • CD-ROM installs are now supported on SGI.
  • Accept initial root passwords containing backslash characters.
  • Install now allows multiple interfaces to be configured with dhcp(8).
  • Upgrades now use the minimal protocols(5) and services(5) files provided on the install media.
  • The install media no longer contain a disktab(5) file.
  • Serial console speed is correctly determined on macppc.
  • OpenSSH 5.2:
  • New features:
    • Added an option to ssh(1) to force logging to syslog rather than stderr.
    • The sshd_config(5) ForceCommand directive now accepts commandline arguments for the internal-sftp server.
    • The ssh(1) ~C escape commandline now supports runtime creation of dynamic port forwards.
    • Support the SOCKS4A protocol in ssh(1) dynamic forwards.
    • Support remote port forwarding with a listen port of '0'.
    • sshd(8) now supports setting PermitEmptyPasswords and AllowAgentForwarding in Match blocks.
  • The following significant bugs have been fixed in this release:
    • Repair a ssh(1) crash introduced in openssh-5.1 when the client is sent a zero-length banner.
    • The eow@openssh.com and no-more-sessions@openssh.com protocol extensions are now only sent to peers that identify themselves as OpenSSH.
    • Avoid printing "Non-public channel" warnings in sshd(8), since ssh(1) has sent incorrect channel numbers since ~2004; make ssh(1) send the correct channel number for SSH2_MSG_CHANNEL_SUCCESS and SSH2_MSG_CHANNEL_FAILURE.
    • Avoid double-free in ssh(1) ~C escape -L handler.
    • Correct fail-on-error behaviour in sftp(1) batchmode for remote stat operations.
    • Avoid hang in ssh(1) when attempting to connect to a server that has MaxSessions set to zero.
  • Over 5500 ports, minor robustness improvements in package tools.
  • Many pre-built packages for each architecture:
  • i386: 5379
  • sparc64: 5174
  • alpha: 5132
  • sh: 1543
  • amd64: 5312
  • powerpc: 5162
  • sparc: 2651
  • arm: 4120
  • hppa: 4689
  • vax: 1718
  • mips64: 3278
  • Some highlights:
  • Gnome 2.24.3.
  • GNUstep 1.18.0.
  • KDE 3.5.10.
  • Mozilla Firefox 3.0.6.
  • Mozilla Thunderbird 2.0.0.19.
  • MySQL 5.0.77.
  • OpenOffice.org 2.4.2 and 3.0.1.
  • PostgreSQL 8.3.6.
  • Xfce 4.4.3.
  • OpenArena 0.8.1 (only for amd64, i386 and macppc)
  • As usual, steady improvements in manual pages and other documentation.
  • The system includes the following major components from outside suppliers:
  • Xenocara (based on X.Org 7.4 + patches, freetype 2.3.7, fontconfig 2.4.2, Mesa 7.2, xterm 239 and more)
  • Gcc 2.95.3 (+ patches) and 3.3.5 (+ patches)
  • Perl 5.10.0 (+ patches)
  • Our improved and secured version of Apache 1.3, with SSL/TLS and DSO support
  • OpenSSL 0.9.8j (+ patches)
  • Groff 1.15
  • Sendmail 8.14.3, with libmilter
  • Bind 9.4.2-P2 (+ patches)
  • Lynx 2.8.5rel.4 with HTTPS and IPv6 support (+ patches)
  • Sudo 1.7
  • Ncurses 5.2
  • Latest KAME IPv6
  • Heimdal 0.7.2 (+ patches)
  • Arla 0.35.7
  • Binutils 2.15 (+ patches)
  • Gdb 6.3 (+ patches)