------------------------------------------------------------------------ - OpenBSD 7.1 RELEASED ------------------------------------------------- April 21, 2022. We are pleased to announce the official release of OpenBSD 7.1. This is our 52nd release. We remain proud of OpenBSD's record of more than twenty years with only two remote holes in the default install. As in our previous releases, 7.1 provides significant improvements, including new features, in nearly all areas of the system: - New/extended platforms: o Support for Apple Silicon Macs has improved and is ready for general use: - Added aplspi(4), a driver for the SPI controller found on the Apple M1 SoC. - Added aplhidev(4) support for the keyboard/touchpad on Apple M1 laptops. - Introduced aplpmgr(4), a driver for the power management controller found on Apple SoCs. - Introduced aplmbox(4), a driver for the mailbox that provides a communication channel with additional cores integrated on Apple SoCs. - Introduced apliic(4), a driver for the I2C controller found on Apple SoCs. - Added the chip ids used on Apple M1 Pro/Max and Apple T2 Macs to bwfm(4). - Rewrote arm64 kernel FPU handling code to fix the random crashes seen with SMP kernels on Apple M1. - Restricted the pci(4) ioctl interface to devices detected by the kernel, preventing Xorg PCI probes from breaking the WiFi chip on M1 macs. - Introduced aplsmc(4), a driver for the SMC found on Apple M1 SoCs. - Introduced aplnco(4), a driver for the Numerically-controlled oscillator (NCO) clock which drives the audio clocks on Apple silicon. - Introduced tascodec(4), a driver for the TI TAS2770/TAS5770 digital audio amplifier codec found on Apple M1 Macs. - Introduced apldma(4), a driver for the DMA controller found on Apple SoCs. - Added support to explicitly power on some PCIe devices on the M1 and M1 Pro/Max through a GPIO controlled by the SMC. - Added aplcpu(4), a driver to control the CPU performance levels on Apple SoCs. - Modified aplintc(4) to support a newer interrupt controller, making OpenBSD run on M1 Pro/Max machines. - Added nvmem support to aplpmu(4) and made it available on Apple SPMI PMUs. - Added RTC support to aplsmc(4). - Made the arm64 ramdisk installer fetch bwfm(4) firmware from the EFI System Partition on Apple Silicon devices for use during installation and addition to the newly installed system. - Added support for controlling keyboard LEDs to aplhidev(4). - Added basic GPIO support to aplsmc(4). - Ensured apldart(4) keeps the DART enabled in front of the display controller to preserve its access to the framebuffer and continued display. - Fixed reading motherboard time on Apple machines with old SMC firmware. - Implemented reboot/powerdown support in aplsmc(4). - Implemented aplintc(4) support for multiple dies, making OpenBSD work on the M1 Ultra. o Support for other arm64 architecture hardware was also improved with the following changes: - Introduced gpiocharger(4), a driver providing support for battery chargers connected to GPIO pins, such as those found on the Pinebook Pro. - Introduced gpioleds(4) for arm64, a driver providing support for LEDs connected to GPIO pins, such as those found on the Pinebook Pro. - Added gpiokeys(4) for arm64, a driver which handles events triggered by GPIO keys such as lid status and power button. - Added pclk clock used by dwdog(4) on RK3399 to rkclock(4). - Introduced mpfclock(4), a driver for the PolarFire SoC MSS clock controller. - Introduced cdsdhc(4), a driver for the Cadence SD/SDIO/eMMC host controller. - Introduced mpfiic(4), a driver for the PolarFire SoC MSS I2C controller. - Introduced mpfgpio(4), a driver for the PolarFire SoC MSS GPIO controller. - Enabled cduart(4) on arm64. - Added mvpinctrl(4) support for the CP115 block found on Marvell CN9K SoCs. - Added mvclock(4) support for the AP807 block found on Marvell CN9K SoCs. o Changes on other architectures: - Enabled uhid(4)/fido(4) on riscv64. - Allowed riscv64 installation on a disk with a GPT. - Added missing locking to pmap_extract(9) and pmap_unwire(9) on arm64 and riscv64. - Improved stack unwinding on riscv64 in ddb(4). - Fixed kernel stack alignment on riscv64. - Fixed RISC-V lld link code when dealing with object files created with "ld -b". - Made sure nothing can map address zero on RISC-V. - Made sure armv7,arm64 and risc-v FDT bootloader code does not write beyond the FDT data structure. - Fixed booting from an IDE block device on the Sun Blade 100. - Fixed radeondrm(4) console colors on sparc64. - Enabled dt(4) on macppc. - Increased ddb(1) access to registers on macppc and powerpc64. - Enabled enforcing of RLIMIT_MEMLOCK on powerpc64. - Allowed ddb(4) trace through interrupt on macppc. - Various kernel improvements: o Made futexes work in shared anonymous memory. o Improved tracking of mbuf memory usage in the whole system. o Switched to using long filenames by default with mount_msdos(8). o Fixed memory leak in fuse(4) when calling namei(9). o Fixed establishing legacy INTx interrupts on machines without a (usable) MSI interrupt controller. o Cleaned up irrelevant uses of 3rd mode_t parameter for open(2)/openat(2), unused when not creating files. o Reworked garbage collector for unix(4) sockets to prevent potential kernel panics. o Changed the power management sysctl(8) hw.perfpolicy to "auto" at startup, defaulting to 100% performance with AC power connected and using the auto algorithm when on battery. o Aligned memory allocation for USB device drivers and USB HC drivers, enlarging the USB memory pool. o Prevent panic in softraid(4) while rebooting if softraid has been disabled. o Fixed hibernate setups where removal of a umass(4) device results in a renumbered softraid(4) boot device. o Fix hibernate on newer hardware by allowing more memory ranges. o If CPU sleep state S4 is not available, use S5 for the ACPI-transitions in hibernate support. o Added code to update hw.power whenever AC state changes on resume. o Fixed a panic by prohibiting renames of tmpfs mount-points. o Fixed double free after allocation failure in bpf(4). - SMP Improvements o Made pipe event filters MP-safe. o Set klist lock for sockets to make socket event filters MP-safe. o Implemented poll(2), select(2), ppoll(2) and pselect(2) on top of kqueue. o Unlocked top part of UVM fault handler on mips64. o Unlocked the kevent(2) system call. o Made the kqread event filter MP-safe. o Reduced the time overhead of kqueue(2)-based poll(2) and select(2) systems calls by keeping knotes between the system calls. o Unlocked accept(2) and accept4(2) syscalls. o Prevented select(2) from blocking if registering found pending events. o Protected ipsec(4) input and output with the kernel lock to allow forwarding of non-ipsec traffic in parallel. o Unlocked the bottom part of the uvm fault handler. o Unlocked getpeername(2). o Made bpf(4) MP-safe. o Implemented the poll(2) system call on top of the kqueue(2) subsystem, obsoleting the old, non-MP-safe poll backend. o Made audio(4) event filters MP-safe. o Unlocked getsockname(2). o Added kernel interfaces for atomic load and store functions for int and long to be used in reference counted struct members. - Direct Rendering Manager o Updated drm(4) to Linux 5.15.26 o inteldrm(4): support for Elkhart Lake, Jasper Lake, Rocket Lake o amdgpu(4): support for Van Gogh APU, Rembrandt "Yellow Carp" Ryzen 6000 APU, Navi 22 "Navy Flounder", Navi 23 "Dimgrey Cavefish", Navi 24 "Beige Goby" o Reinstated a drm(4) workaround to get framebuffer size from efifb, preventing fatal errors for the BESSTAR TECH HM90 with Ryzen 9 4900H. - VMM/VMD improvements o Retired switch(4) support in vmd(8). o Fixed a bug where vmd(8) would exit when requesting a new VM and hitting memory resource limits. o Fixed vmm(4) state corruption on Intel hosts. o Fixed vmm(4) cpuid leaf clamping when the host has an invariant TSC. o Added quiesce/wakeup hooks to vmm(4) allowing Intel hosts to suspend and hibernate safely with running guests. o Added a new login class for vmd(8) on amd64. o Fixed broken vmd(8) "boot device cdrom" feature after a fix in seabios. o Reintroduced support for vmctl(8) start -B net -b bsd.rd, which emulates a PXE boot and performs an autoinstall. o Made vmm(4) dt(4) tracepoints amd64-only. - Various new userland features: o Added realpath(1), a wrapper for realpath(3) for use in ports. o Added rcctl(8) "ls rogue" to show daemons which are running but not set as "enabled" in rc.conf.local(8). o Implemented probe variables in BPFtrace (bt(5)). o Provided common btrace(8) scripts kprofile.bt (to save kernel stackframes and produce flamegraphs) and runqlat.bt (to measure the latency of the scheduler runqueues). o DNSSEC support: Implemented RFC6840 (AD flag processing) in the libc resolver, if using trusted name servers specified with 'trust-ad' in resolv.conf(5) o Enabled support for displaying an estimated battery recharge time in apm(8) and apmd(8). o Introduced support for storing capability databases in /etc/login.conf.d, allowing easy addition of custom login classes from packages and made rcctl(8) look for the login class in both login.conf and login.conf.d/${class}. o Added a malloc(3) cache of regions between 128k and 2M to accommodate programs allocating and deallocating regions of these sizes quickly. ` o Added pax(1) support for mtime/atime/ctime extended headers (in not-SMALL builds). o Added -k flag to gzip(1) and gunzip(1) to retain (de)compressed file. o Implemented openrsync(1) --compare-dest, allowing specification of additional directories to check for files to be available. o Implemented openrsync(1) --max-size and --min-size. - Various bugfixes and tweaks in userland: o Stopped pkg_add(1) from communicating warnings starting with "XXX" which appeared to indicate errors. o Enabled subpixel rendering in FreeType. o Updated xorg-server to 21.1.3, leaving in place an earlier change to compute the screen resolution from dimensions returned by the screen, reverted by upstream. o Allowed bare numbers for key and mouse bindings in cwm(1). o Added a cwm(1) "group-last" command that shows only the previously active group. o Fixed glass console and getty(8) interference with Xorg on arm64. o Fixed octal escape parsing in tr(1) backslash(). o Added uniq(1) support for arbitrarily long input lines. o Made uniq(1) ignore trailing newlines when comparing lines. o Made uniq(1) skip() each input line only once, improving performance. o Increased tee(1) I/O buffer size from 8KB to 64KB. o Improved performance of rev(1). o Made ed(1) flush all stdio streams before running a shell command. o Prevented a file descriptor leak in touch(1) after futimens(2) failure. o Added seq(1), a command to print sequences of numbers. o Set cpuspeed to 0 in apm(8) when hw.cpuspeed cannot be retrieved. o Copied the cos(3) cosine software implementation from FreeBSD-13, and disabled assembly implementations of trig functions on x86 platforms. o Added optimization for tiny x in cos(3) and sin(3) trigonometry functions. o Switched aucat(1) internal sample representation and default file encoding to 24-bit. o Switched sndiod(8) internal sample representation to 24-bit fixed point. o Allowed passing a different signal than SIGTERM in the default rc_stop() function in rc.subr(8). o Improved and simplified timer handling in rc.d(8) "stop" and "reload". o Made fdisk(8) -b available on all architectures. o Removed the constraint that fdisk(8) -b block count and block offset must be greater than 63. o Made fdisk(8) -b partitions other than EFI System partitions DOSACTIVE. o Switched to using fdisk(8) -b to create boot partitions on multiple architectures. o Removed fdisk(8) "disk" editing command. o Prevented fdisk(8) from initializing an MBR to have overlapping partitions 0 and 3. o Allowed fdisk(8) to extend the default OpenBSD partition to the end of the disk, rather than truncating at the end of the last full cylinder. o Corrected GPT checksums written by fdisk(8) on big-endian architectures to be little-endian as per spec. o Made fdisk(8) -A preserve BIOS boot partition. o Made fdisk(8) -A preserve the EFI System partition on GPT disks with Apple APFS partitions. o Removed the builtin MBR from fdisk(8). o Removed the "rpath" and "wpath" pledges from fdisk(8). o Ensured fdisk(8) creates the default OpenBSD MBR partition only when there is space for it. o Ensured fdisk(8) does not set MBR DOSACTIVE flag on unused partitions when initializing MBR. o Reduced the alignment space fdisk(8) inserts before the start of the default OpenBSD partition. o Merged bugfixes from upstream into less(1) including fixes for the prompt hiding feature (CTRL-P) and an integer overflow. o Fixed possible use after free with long lines in less(1). o Fixed file descriptor leak of /dev/tty on doas(1) auth failure. o Replaced lrint(3), lrintf(3), llrint(3) and llrintf(3) implementations from NetBSD with the existing FreeBSD implementations we were already using for lrintl(3) and llrintl(3). o In various games, call pledge(2) later to prevent it from killing various games using ncurses when both stdout and stderr are redirected to a non-tty. o Switched LLD_ARCHs (architectures using the LLVM ld.lld(1) linker) to also user the LLVM archiver llvm-ar(1). o Added openvpn ports (udp/1194 & tcp/1194) to /etc/services. o Prevented an access to uninitialized memory in awk(1). o Fixed vi(1) recovery mode. o Extended and reordered the process accounting information structure acct(5). Flag Day for the acct(2) file format. o Fixed setusercontext(3) error when /etc/login.conf is not present. - Improved hardware support and driver bugfixes, including: o Added support to pchgpio(4) for Cannon Lake H and Tiger Lake H platforms. o Ensured use of the correct encoding in xenocara when /etc/kbdtype is present with an attached ucc(4) keyboard. o Added support for tpm2 CRB interface to tpm(4), fixing recent S4 regressions on the Surface Go 2 caused by a firmware change. ` o Ensured armv7 and arm64 efiboot allocate fresh memory for the device tree with at least one page of free space to extend into. This fixes booting on VMWare Fusion. o Stopped binding audio devices exposed by sndiod(8) to physical devices. o Fixed handling of interrupts shared between multiple swiic(4) devices. o Introduced iicmux(4), a driver that switches between I2C busses connected to a single I2C controller by using the pin muxing facilities of an SoC. o Introduced pcyrtc(4), a driver for the NXP PCF85063A/TP RTC chips. o Fixed a panic when running utvfu(4) on xhci(4). o Added acpipci(4) support for interrupts represented by ACPI PCI Interrupt Link Devices, making PCI interrupts work on QEMU's SBSA target. o Added handling of multi-port controllers to uslcom(4). o Make com(4) attach over acpi(4) on amd64. o Added address locators for the ACPI "bus" and used these to fix the order of the com(4) devices to match the traditional order on the ISA bus. o Added Intel Jasper Lake to the azalia(4) audio driver. o Ensured azalia(4) matches on Intel 300 Series audio, fixing attaching on the Dell G3 3590. o Added Synopsys Designware UART support to com(4). o Fixed an issue where com(4) would attach for a disabled serial port leading to misdirection of the hardware variant and a subsequent hang when /etc/rc runs ttyflags(8) -a. o Fixed sdhc(4) for Jasper Lake eMMC. o Improved how quirks are handled on sdhc(4)-compatible drivers. o Enabled acpibat(4) use with the Surface Go 3. o Fixed suspend/resume issues with com(4) at acpi(4). o Correlated uaudio(4) and ucc(4) devices to adjust the volume of the correct audio device rather than the first one attached. o Enabled FIFO support in pluart(4). o Added support for XBox One game controller. o Stopped suspending the tpm(4) device upon hibernation, preventing some systems from hanging when hibernating a second time. o Fixed hilkbd(4) Swedish keyboard layout on non-PS/2 style keyboards. - New or improved network hardware support: o Added support to umb(4) for SIMCom SIM7600. o Fixed an interrupt storm on dwge(4) variants which support Energy Efficient Ethernet when connected to a switch which does so as well. o Made dwge(4) and dwxe(4) MP-safe. o Added igc(4), a driver for the Intel 2.5Gb Ethernet controllers. o Implemented em(4) support for selecting SMGII or SerDes mode depending on the plugged-in SFP transceiver and for reading out transceiver information via ifconfig(8). o Enabled hardware vlan tagging for ixl(4). o Re-enabled ixl(4) IPv4, TCP4/6 and UDP4/6 checksum offloading. \ o Enabled receive checksum offloading on ixl(4). o Prevented a possible deadlock in cad(4). o Prevented aq(4) nics from writing to mbufs taken off the ring when the interface was taken down. o Fixed receive filter handling and vlan packet reception in aq(4). o Enabled vlan and checksum offloads in aq(4). o Enabled interrupt moderation in aq(4), aiming at around 20k per second. o Fixed ure(4) vlan transmission with hw tagging. o Added preliminary ure(4) support for RTL8156B and bug fixes for RTL8153/RTL8156. o Reworked ix(4) checksum/vlan offloading and enabled it for IPv6. o Enabled IP header checksum offloading in ix(4). o Fixed msk(4) operation after interface state changes. o Enabled vmx(4) on arm64. - Added or improved wireless network drivers: o Introduced mtw(4), a driver for MediaTek MT7601U USB wifi devices, enabled on amd64, i386, macppc, and arm64. o Added 802.11n Tx aggregation support to the iwx(4) driver. o Added support for 802.11n 40MHz channels, and 802.11ac 80MHz channels, to the iwm(4) and iwx(4) drivers. o Reset the Tx watchdog timer when a block ack notification is received by iwx(4) and iwm(4) firmware to prevent spurios device timeouts. o Prevent invalid net80211 state transitions in the iwm(4) and iwx(4) drivers to avoid a potential hang. o Fixed a panic when iwx(4) cannot find firmware at boot time. o Fixed iwm(4) performance drop after roaming between APs in 11n mode. o When roaming with iwm(4) or iwx(4), keep the old BSSID available for use by firmware commands which tear down device state before switching to the new AP. o Fix race conditions in the iwm(4) and iwx(4) drivers while roaming between APs with outstanding frames on transmit queues. o Reverted to use iwm(4) firmware v17 on Intel AC 7265, fixing instability issues on X1 Carbon gen3. o Explicitly stop iwx(4) Rx block ack sessions when roaming between access points. o Fixed monitor mode on iwm(4) and iwx(4). o Let iwx(4) and iwm(4) use per-Tx-queue interface timers to ensure the Tx watchdog triggers if a particular Tx queue gets stuck. o Switched iwx(4) to new -67 firmware images, and updated iwm(4) 9260 and 9560 firmware, to address INTEL-SA-00509. o Made iwm(4) attach to PCI devices with product ID 0x31dc, part of the 9560 chip family. o Fixed wrong pointer assignment causing the iwx(4) driver to read Rx block ack request information from the wrong offset. o Fixed and reenabled use of probe requests during scans on iwm(4) and iwx(4). o Fixed attach of multiple iwm(4) or iwx(4) interfaces in the same machine. o Fixed iwn(4) with 4965 devices. o Improved roaming stability on iwn(4), particularly with wpa_supplicant. o Added relicensed wireless firmwares from Realtek for rsu(4), rtwn(4) and urtwn(4) devices, allowing these devices to work without requiring a separate firmware download. o Added a workaround for buggy athn(4) devices to prevent filling up the node cache when used in hostap mode. o Applied a workaround in mvkpcie(4) to fix an external abort under load with athn(4). o Made athn(4) attach to the Sony UWA-BR100. o Fixed "(null node)" panics on run(4). o Disabled minimum power consumption in bwfm(4) hostap mode, improving connection reliability when used as an access point. o Added support for the BCM4387 to bwfm(4). o Improved TX performance on urtwn(4) RTL8192EU devices. o Fix TX rate used by rtwn(4) and urtwn(4) for RTS frames. - IEEE 802.11 wireless stack improvements and bugfixes: o Added an ADDBA_OFFLOAD capability for wifi devices to manage Tx block ack sessions entirely in firmware. o Added support for 40MHz channels to net80211 Tx rate adaptation in 11n mode. o Added monitoring of 20/40MHz channel width changes in beacons sent by our access point, notifying drivers when the channel width has changed. o Introduced an optional background-scan handler for wireless drivers, which drivers can use to take control of the device teardown sequence, ensuring that race conditions between firmware state and net80211 state are avoided. o Taught the net80211 stack to remove corresponding frames from ic_pwrsaveq when a power-saving client decides to leave our hostap interface, preventing a panic in the athn(4) driver. o Added initial 802.11ac (VHT) support to the wifi stack. o Made tcpdump(8) show 802.11ac VHT capability and operation IEs with the IEEE802_11_RADIO data link type (-y) in verbose (-v) mode. o Added 802.11ac/VHT TX rate adaptation support to net80211. o When choosing networks during SSID selection, give a higher score to 11ac and 11n access points, prioritizing 11ac. o When choosing from a set of access points for a given SSID, prefer APs on 5GHz channels over APs on 2GHz channels. This was already supposed to happen in earlier OpenBSD releases but did not always work as intended. - Generic network stack improvements and bugfixes: o Fixed pfctl(8) $nr incorrect macro expansion. o Fixed pfctl(8) rdr-to rules failing on certain port ranges when explicitly specified. o Ensured the pf(4) "set prio" values are checked consistently. o Made "set skip on ..." in pf.conf(5) dynamic, with this, "set skip" can be used on interfaces that are not configured yet. o Protected pfsync(4) tdb flags and lists with a mutex to prevent crashes involving pfsync, IPsec and parallel forwarding. o Added support for PPP IPCP extensions for DNS to sppp(4). o Added display of DNS information from sppp(4) to ifconfig(8). o Switched to calculating pppoe(4) session duration using system uptime rather than UTC. o Fixed veb(4) vport handling to prevent improper drop of packets leaving a vport interface. o Prevented tweaks to tun(4) if_flags when the NET_LOCK isn't held. o Prevented reopening of tun(4)/tap(4) interfaces which are being destroyed. o Rewrote vxlan(4) to operate independently of bridge(4), create and bind udp sockets and prevent loops. o Stopped hiding the mtu on "bridge" interfaces which do handle l3 traffic in ifconfig(8). o Added mbuf tags to prevent output loops in etherip(4). o Added rtable capability to login.conf(5), allowing to specify the rtable a process uses. o Made su(1) honor the login class routing table when doing a full login with su -l. o Fix IP output routines on raw sockets so route sourceaddr can take effect using sendto(2) or similar. o Ensured pcap_lookupdev(3) matches only on complete interface names. - Installer and upgrade improvements: o Corrected installer to understand "inet autoconf" properly in hostname.if(5) files. o Stopped prompting whether to fall back to HTTP in the installer, making the fallback automatic. o Used ifconfig(8) "join" command by default in hostname.if(5) files, replacing the old "nwid". o Replace custom bootloader installation code with installboot(8) on riscv64 and armv7 architecture installations. o New logic for pkg_add(1) to avoid excessive moving of files during updates when possible. o Documented OpenBSD installation and upgrade customization using the install.site(5) file. o Corrected "!" escape handling in the installer when accepting WEP/WPA passphrase. o Prevented a potential race which could make umount(8) fail spuriously in the installer. o Made config(8) -e work with ramdisk kernels. o Made config(8) -c cmdfile use lines from the command file for all input, not just commands. This allows complex actions like changing device parameters. o Ensured that an interrupted arm64 install from the ramdisk kernel can be restarted. o Made redistributable firmwares available across all architectures. o Returned to a shell-script based fw_update(8), written to be usable by the install script, allowing earlier retrieval of downloaded firmwares. o Stopped fw_update(8) from downloading SHA256.sig when not needed, to allow installing local files without network access. o Modified the installer to use fw_update(8) to install non-free firmware files if present on the install media. o Made fw_update(8) re-download existing files with failed checksums. o Made fw_update(8) use the /snapshots directory only on -current snapshot installations. - Security improvements: o Clear the length of keys in vnconfig(8) alongside keys themselves. o Removed hifn(4), safe(4) and ubsec(4) crypto drivers. o Added call to unveil(2) to restrict stty(1) -f filesystem access. o Disabled xterm(1) mouse tracking by default. o On arm64 architectures, use "rng-seed" and "kaslr-seed" properties from the device tree to mix extra entropy into the random pool. o Made apmd(8) replace /etc/random.seed for hibernate-resumes. o Restricted usbhidctl(1) and usbhidaction(1) file system access with unveil(2). o Added ps(1) status flag "c" to indicate a process is chrooted. o In rpc.rusersd(8) unveil(2) "/dev" read-only instead of using chroot(2). - Routing daemons and other userland network improvements: o switchd(8), the software-defined networking (SDN) sflow controller was removed. While interesting the OpenFlow implementation never managed to really get into a usable state. o Switched nsd(8) to enable default DNS cookies on, matching behavior as released in OpenBSD 7.0. o Ensured enabled resolvers are honored by unwind(8) to keep unused forwarders disabled properly. o Installed missing scope identifiers for IPv6 link-local addresses for unwind(8) and resolvd(8). o Allowed interface names as scope-id in IPv6 link-local addresses in unbound(8). o Let unwind(8) probe for DNS64 presence with an absolute name, so asr doesn't add search domains and retry. o Stopped duplicating "Connection: close" headers in relayd(8), only adding it if it's not a websocket response. o Modified syslog.conf(5) examples to use TLS rather than the plaintext protocols. o Stopped ignoring carp(4) interfaces in dhcpleased(8). o Made the dhcpleased(8) host name DHCP option configurable. o Prevented a crash in slaacd(8) due to updating an interface which no longer exists. o Prevented a potential crash when slaacd(8) receives more than 7 nameservers. o Fixed crash in slaacd(8) when receiving a negative length field for DNS labels. o Fix unveil(2) in ldapd(8), create permissions are required for databases. o Made dhcpd(8) start listening on interface in 'down' state. Interfaces can come up later, at which point dhcpd(8) will start receiving packets. o Added a basic printer for EAPOL packets to tcpdump(8). o Made ping(8) print out the source address and sequence number when the signature on an icmp echo reply doesn't match. o Rate limit rad(8) router advertisements according to RFC 4861. o In smtpd(8), - Stop verifying the cert or CA for a relay using opportunistic TLS. - Enabled TLS verify by default for outbound "smtps://" and "smtp+tls://", restoring documented smtpd(8) behavior. o httpd(8) received new features and bugfixes: - Respond with 400 Bad Request when a client sends header lines without a colon. - Added protocol version checking. - Annotated an httpd(8) 413 error with "request body too large" in the error log. - Corrected httpd(8) version string checking, responding with 505 Version Not Supported rather than 400 Bad Request when the version format is incorrect. - Stop sending content alongside responses to HEAD requests. - Added support for custom error pages. - Added a gzip-static option to httpd.conf(5), allowing delivery of precompressed files with content-encoding gzip. - Improved handling of static compressed gzip files. o IPsec support was improved: - Made iked.conf(5) proto config option accept a list to allow specifying multiple protocols for a single policy. - Fixed removal of SAs that could not be flushed with ipsecctl(8) -F. - Changed isakmpd(8) to log a warning when proto is NULL rather than dereferencing it. - Fixed broken key exchange negotiation with matching proposals in iked(8). - Added ikectl(8) "show certinfo" to show trusted CAs and certificates. - Added iked(8) -V to display the version. - Fixed a bug where iked(8) sent zero-prefixed NAT-T messages on port 500, causing parsing errors. - Improved message fragment retransmissions for iked(8). - Make sure iked(8) vroute messages are correctly aligned, fixes autoconfiguration of addresses on octeon. o rpki-client(8) was made more resilient regarding untrusted input. The following bugfixes and improvements were made: - Added support for validating BGPsec Router Public Keys. - Fix issues with chunked transfer encoding in the RRDP HTTP client. - Cleanup and improvement of how IO is handled. - Improvements in the way X509 certificates are verified. - Limit the number of concurrent rsync processes. - Fix CRLF in tal files. - Enforce the correct namespace of rrdp files. - Fail certificate verification if a certificate contains unknown critical extensions. - Improve cleanup of rrdp directory contents. - Introduce a validated cache which holds all the files that have successfully been verified by rpki-client. - Add a new option '-f ' to validate a signed object in a file against the RPKI cache. - Add various RFC 6488 compliance checks to improve the CMS parser. - Improve RRDP replication through less aggressive cache cleanup. - Add a check whether a given Manifest EE certificate is listed on the applicable CRL. - For forward compatibility permit ASPA object to appear on Manifests. - Various improvements to the '-f ' diagnostic option to now also validate files containing Trust Anchor certs and CRLs. - Do not apply timezone offsets when converting X509 times. X509 times are in UTC and comparing them to times in different timezones would cause validity problems. o In bgpd(8), - The bgpd login class datasize attribute (in login.conf(5)) was set to either 16G or 1G, depending on architecture. - Macro expansion in the config file was improved. It is now possible to expand 'set large-community $myAS:$location:$transit'. - Added a "port" option to "listen on" and the "neighbor" section in bgpd.conf(5) to make it possible to bind and connect to non-default ports. - The RIB codebase was refactored in order to add multipath support in an upcoming release. - tmux(1) improvements and bug fixes: o Fixed a crash in tmux(1) when a session with multiple clients is destroyed but tmux does not close completely due to other sessions. o Fixed a tmux(1) redraw problem on automargin terminals. o Fixed a problem with repeat in tmux(1) copy mode. o Added -T to set a popup title in tmux(1). o Added -s and -S to tmux(1) display-popup to set popup and border style. o Fixed application-set fg and bg in tmux(1) panes. o Added a way to force a color to RGB in tmux(1) and a format to display it. o Added a cursor-colour option to tmux(1). o Added a cursor-style option to tmux(1). o Added a pane-border-format pane option to tmux(1). o Added attempts to turn on less-capable mouse modes when tmux(1) turns on more-capable ones, in case the terminal doesn't support the desired mode. o Added a tmux(1) option to show arrows for the active pane indicator. o Added a key in tmux(1) copy mode to toggle the position indicator. o Added an option in tmux(1) to set the character for unused areas of the terminal. o Add tmux(1) option to control if it scrolls into history on clear. o Added OSC 7 capability to tmux(1) for setting titles. - LibreSSL version 3.5.2 o New Features - The RFC 3779 API was ported from OpenSSL. Many bugs were fixed, regression tests were added and the code was cleaned up. - Certificate Transparency was ported from OpenSSL. Many internal improvements were made, resulting in cleaner and safer code. Regress coverage was added. libssl does not yet make use of it. o Portable Improvements - Enabled ASAN CI on Linux platform. - Fixed various POSIX compliance and other portability issues found by the port to the Sortix operating system. - Add libmd as platform specific libraries for Solaris. - Set IA-64 compiler flag only if it is HP-UX with IA-64. - Enabled and scheduled Coverity scans. o Compatibility Changes - Most structs that were previously defined in the following headers are now opaque as they are in OpenSSL 1.1: bio.h, bn.h, comp.h, dh.h, dsa.h, evp.h, hmac.h, ocsp.h, rsa.h, x509.h, x509v3.h, x509_vfy.h - Switch TLSv1.3 cipher names from AEAD- to OpenSSL's TLS_ OpenSSL added the TLSv1.3 ciphersuites with "RFC names" instead of using something consistent with the previous naming. Various test suites expect these names (instead of checking for the much more sensible cipher numbers). The old names are still accepted as aliases. - Subject alternative names and name constraints are now validated when they are added to certificates. Various interoperability problems with stacks that validate certificates more strictly than OpenSSL can be avoided this way. - Attempt to opportunistically use the host name for SNI in s_client - Allow non-standard name constraints of the form @domain.com. o Bug fixes - Avoid infinite loop for custom curves of order 1. - Avoid infinite loop on parsing DSA private keys. - Prevent a malicious certificate from causing an infinite loop. - In some situations, the verifier would discard the error on an unvalidated certificate chain. This would happen when the verification callback was in use, instructing the verifier to continue unconditionally. This could lead to incorrect decisions being made in software. - Avoid an infinite loop in SSL_shutdown() - Handle zero byte reads/writes that trigger handshakes in the TLSv1.3 stack. - A long standing memleak in libtls CRL handling was fixed - Allow name constraints with a leading dot. - Fix NULL dereferences in openssl(1) cms option parsing. - Do not zero the computed cofactor on ec_guess_cofactor() success. - Bound cofactor in EC_GROUP_set_generator() to reduce the number of bogus groups that can be described with nonsensical parameters. - Avoid various potential segfaults in EVP_PKEY_CTX_free() in low memory conditions. o Internal Improvements - Cache the SHA-512 hash instead of the SHA-1 hash and cache notBefore and notAfter times when X.509 certificates are parsed. - The X.509 lookup code has been simplified and cleaned up. - Fixed numerous issues flagged by coverity and the cryptofuzz project. - Increased the number of Miller-Rabin checks in DH and DSA key/parameter generation. - Started using the bytestring API in libcrypto for cleaner and safer code. - Convert asn1_d2i_ex_primitive()/asn1_collect() from BUF_MEM to CBB - Clean up d2i_ASN1_BOOLEAN() and i2d_ASN1_BOOLEAN() - Consolidate ASN.1 universal tag type data - Rewrite ASN.1 identifier/length parsing in CBS - Make OBJ_obj2nid() work correctly with NID_undef - Untangle ssl3_get_message() return values - Provide a way to determine our maximum legacy version - Add explicit CBS_contains_zero_byte() check in CBS_strdup() - Improve SNI hostname validation - Ensure SSL_set_tlsext_host_name() is given a valid hostname - Factor out/rewrite DHE key exchange - Convert server serialisation of DHE parameters/public key to new functions - Provide CBS_get_last_u8(), CBS_get_u64(), CBS_add_u64() and various CBS_peek_* functions. - Use CBS_get_last_u8() to find the content type in TLSv1.3 records - Correct SSL_get_peer_cert_chain() when used with the TLSv1.3 stack - Only allow zero length key shares when we know we're doing HRR - Pull key share group/length CBB code up from tls13_key_share_public() - Refactor ssl3_get_server_kex_ecdhe() to separate parsing and validation. - Allocate and free the EVP_AEAD_CTX struct in tls13_record_protection. - Convert legacy TLS client and server to tls_key_share - Clean up pkey handling in ssl3_get_server_key_exchange() - Fix GOST skip certificate verify handling - Simplify SSL_get_peer_certificate() - Cleanup/simplify ssl_cert_type() - The openssl(1) cms, smime and ts subcommands option handling was converted and the C source was cleaned up. - Limit OID text conversion to 64 bits per arc. - Clean up and simplify memory BIO code. - Reduce number of memmove() calls in memory BIOs. - Factor out alert handling code in the legacy stack. - Add sanity checks on p and q in old_dsa_priv_decode() - Cache the SHA-512 hash instead of the SHA-1 for CRLs. - Suppress various compiler warnings for old gcc versions. - Rework ASN1_STRING_set(). - Clean up and simplify ssl3_renegotiate{,_check}(). - Rewrite legacy TLS and DTLS unexpected handshake message handling. - Simplify SSL_do_handshake(). - Rewrite ASCII/text to ASN.1 object conversion. - Convert {c2i,d2i}_ASN1_OBJECT() to CBS. - Clean up {dtls1,ssl3}_read_bytes(). - Be more careful with embedded and terminating NULs in the new name constraints code. - Various minor code cleanup in openssl(1) pkcs12. - Simplify priv_key handling in d2i_ECPrivateKey(). o Documentation improvements - 45 new manual pages, most of which were written from scratch. Documentation coverage of ASN.1 and X.509 code has been significantly improved. - Update d2i_ASN1_OBJECT(3) documentation to reflect reality after refactoring and bug fixes. - Fixed numerous minor grammar, spelling, wording, and punctuation issues. - OpenSSH 9.0 o Security - Near miss in sshd(8): fix an integer overflow in the user authentication path that, in conjunction with other logic errors, could have yielded unauthenticated access under difficult to exploit conditions. This situation is not exploitable because of independent checks in the privilege separation monitor. Privilege separation has been enabled by default in since OpenBSD 3.2 (released in 2002) and has been mandatory since OpenBSD 6.1 (released in 2017). o Potentially incompatible changes - In OpenSSH 8.9 the FIDO security key middleware interface changed and increments SSH_SK_VERSION_MAJOR. - This release switches scp(1) from using the legacy scp/rcp protocol to using the SFTP protocol by default. Legacy scp/rcp performs wildcard expansion of remote filenames (e.g. "scp host:* .") through the remote shell. This has the side effect of requiring double quoting of shell meta-characters in file names included on scp(1) command-lines, otherwise they could be interpreted as shell commands on the remote side. This creates one area of potential incompatibility: scp(1) when using the SFTP protocol no longer requires this finicky and brittle quoting, and attempts to use it may cause transfers to fail. We consider the removal of the need for double-quoting shell characters in file names to be a benefit and do not intend to introduce bug-compatibility for legacy scp/rcp in scp(1) when using the SFTP protocol. Another area of potential incompatibility relates to the use of remote paths relative to other user's home directories, for example - "scp host:~user/file /tmp". The SFTP protocol has no native way to expand a ~user path. However, sftp-server(8) in OpenSSH 8.7 and later support a protocol extension "expand-path@openssh.com" to support this. In case of incompatibility, the scp(1) client may be instructed to use the legacy scp/rcp using the -O flag. o New features - ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for restricting forwarding and use of keys added to ssh-agent(1) A detailed description of the feature is available at https://www.openssh.com/agent-restrict.html and the protocol extensions are documented in the PROTOCOL and PROTOCOL.agent files in the source release. - ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the default KEXAlgorithms list (after the ECDH methods but before the prime-group DH ones). - ssh-keygen(1): when downloading resident keys from a FIDO token, pass back the user ID that was used when the key was created and append it to the filename the key is written to (if it is not the default). Avoids keys being clobbered if the user created multiple resident keys with the same application string but different user IDs. - ssh-keygen(1), ssh(1), ssh-agent(1): better handling for FIDO keys on tokens that provide user verification (UV) on the device itself, including biometric keys, avoiding unnecessary PIN prompts. - ssh-keygen(1): add "ssh-keygen -Y match-principals" operation to perform matching of principals names against an allowed signers file. To be used towards a TOFU model for SSH signatures in git. - ssh-add(1), ssh-agent(1): allow pin-required FIDO keys to be added to ssh-agent(1). $SSH_ASKPASS will be used to request the PIN at authentication time. - ssh-keygen(1): allow selection of hash at sshsig signing time (either sha512 (default) or sha256). - ssh(1), sshd(8): read network data directly to the packet input buffer instead of indirectly via a small stack buffer. Provides a modest performance improvement. - ssh(1), sshd(8): read data directly to the channel input buffer, providing a similar modest performance improvement. - ssh(1): extend the PubkeyAuthentication configuration directive to accept yes|no|unbound|host-bound to allow control over one of the protocol extensions used to implement agent-restricted keys. - ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key exchange method by default ("sntrup761x25519-sha512@openssh.com"). The NTRU algorithm is believed to resist attacks enabled by future quantum computers and is paired with the X25519 ECDH key exchange (the previous default) as a backstop against any weaknesses in NTRU Prime that may be discovered in the future. The combination ensures that the hybrid exchange offers at least as good security as the status quo. We are making this change now (i.e. ahead of cryptographically- relevant quantum computers) to prevent "capture now, decrypt later" attacks where an adversary who can record and store SSH session ciphertext would be able to decrypt it once a sufficiently advanced quantum computer is available. - sftp-server(8): support the "copy-data" extension to allow server- side copying of files/data, following the design in draft-ietf-secsh-filexfer-extensions-00. - sftp(1): add a "cp" command to allow the sftp client to perform server-side file copies. o Bugfixes - sshd(8): document that CASignatureAlgorithms, ExposeAuthInfo and PubkeyAuthOptions can be used in a Match block. - sshd(8): fix possible string truncation when constructing paths to .rhosts/.shosts files with very long user home directory names. - ssh-keysign(1): unbreak for KEX algorithms that use SHA384/512 exchange hashes - ssh(1): don't put the TTY into raw mode when SessionType=none, avoids ^C being unable to kill such a session. - scp(1): fix some corner-case bugs in SFTP-mode handling of ~-prefixed paths. - ssh(1): unbreak hostbased auth using RSA keys. Allow ssh(1) to select RSA keys when only RSA/SHA2 signature algorithms are configured (this is the default case). Previously RSA keys were not being considered in the default case. - ssh-keysign(1): make ssh-keysign use the requested signature algorithm and not the default for the key type. Part of unbreaking hostbased auth for RSA/SHA2 keys. - ssh(1): stricter UpdateHostkey signature verification logic on the client- side. Require RSA/SHA2 signatures for RSA hostkeys except when RSA/SHA1 was explicitly negotiated during initial KEX - ssh(1), sshd(8): fix signature algorithm selection logic for UpdateHostkeys on the server side. The previous code tried to prefer RSA/SHA2 for hostkey proofs of RSA keys, but missed some cases. This will use RSA/SHA2 signatures for RSA keys if the client proposed these algorithms in initial KEX. - All: convert all uses of select(2)/ pselect(2) to poll(2)/ ppoll(2). This includes the mainloops in ssh(1), ssh-agent(1), ssh-agent(1) and sftp-server(8), as well as the sshd(8) listen loop and all other FD read/writability checks. - ssh-keygen(1): the "-Y find-principals" command was verifying key validity when using ca certs but not with simple key lifetimes within the allowed signers file. - ssh-keygen(1): make sshsig verify-time argument parsing optional - sshd(8): fix truncation in rhosts/shosts path construction. - ssh(1), ssh-agent(1): avoid xmalloc(0) for PKCS#11 keyid for ECDSA keys (we already did this for RSA keys). Avoids fatal errors for PKCS#11 libraries that return empty keyid, e.g. Microchip ATECC608B "cryptoauthlib" - ssh(1), ssh-agent(1): improve the testing of credentials against inserted FIDO: ask the token whether a particular key belongs to it in cases where the token supports on-token user-verification (e.g. biometrics) rather than just assuming that it will accept it. Will reduce spurious "Confirm user presence" notifications for key handles that relate to FIDO keys that are not currently inserted in at least some cases. - ssh(1), sshd(8): correct value for IPTOS_DSCP_LE. It needs to allow for the preceding two ECN bits. - ssh-keygen(1): add missing -O option to usage() for the "-Y sign" option. - ssh-keygen(1): fix a NULL deref when using the find-principals function, when matching an allowed_signers line that contains a namespace restriction, but no restriction specified on the command-line - ssh-agent(1): fix memleak in process_extension(); oss-fuzz issue #42719 - ssh(1): suppress "Connection to xxx closed" messages when LogLevel is set to "error" or above. - ssh(1), sshd(8): use correct zlib flags when inflate(3)-ing compressed packet data. - scp(1): when recursively transferring files in SFTP mode, create the destination directory if it doesn't already exist to match scp(1) in legacy RCP mode behaviour. - scp(1): many improvements in error message consistency between scp(1) in SFTP mode vs legacy RCP mode. - sshd(8): fix potential race in SIGTERM handling - ssh(1), sshd(8)): since DSA keys are deprecated, move them to the end of the default list of public keys so that they will be tried last. - ssh-keygen(1): allow 'ssh-keygen -Y find-principals' to match wildcard principals in allowed_signers files - ssh(1), sshd(8): fix poll(2) spin when a channel's output fd closes without data in the channel buffer. - sshd(8): pack pollfd array in server listen/accept loop. Could cause the server to hang/spin when MaxStartups > RLIMIT_NOFILE - ssh-keygen(1): avoid NULL deref via the find-principals and check-novalidate operations. - scp(1): fix a memory leak in argument processing. - sshd(8): don't try to resolve ListenAddress directives in the sshd re-exec path. They are unused after re-exec and parsing errors (possible for example if the host's network configuration changed) could prevent connections from being accepted. - sshd(8): when refusing a public key authentication request from a client for using an unapproved or unsupported signature algorithm include the algorithm name in the log message to make debugging easier. - mandoc 1.14.6 plus several bugfixes, including: o Fixed man(1) to always read the configuration file and respect the other directives contained in it, even when the manpath is overridden by other means. o Fixed a memory leak in man(1) that mattered when many names were given on the command line. o Fixed a small memory leak in the roff(7) parser that occurred each time a user-defined macro was called. o Fixed the width of the \h (horizontal motion) roff(7) escape sequence in the PostScript and PDF output modes. - Ports and packages: o Pre-built packages are available for the following architectures on the day of release: - aarch64 (arm64): 11081 - amd64: 11301 - i386: 10136 - mips64: 8708 - powerpc64: 9132 - riscv64: 9108 - sparc64: 9288 o Packages for the following architectures will be made available as their builds complete: - arm - powerpc - Some highlights: o Asterisk 16.25.1, 18.11.1 and o Mozilla Thunderbird 91.8.0 19.3.1 o Mutt 2.2.2 and NeoMutt 20211029 o Audacity 2.4.2 o Node.js 16.14.2 o CMake 3.20.3 o OCaml 4.12.1 o Chromium 100.0.4896.75 o OpenLDAP 2.4.59 o Emacs 27.2 o PHP 7.4.28, 8.0.17 and 8.1.4 o FFmpeg 4.4.1 o Postfix 3.5.14 o GCC 8.4.0 and 11.2.0 o PostgreSQL 14.2 o GHC 8.10.6 o Python 2.7.18, 3.8.13, 3.9.12 o GNOME 41.5 and 3.10.4 o Go 1.17.7 o Qt 5.15.2 and 6.0.4 o JDK 8u322, 11.0.14 and 17.0.2 o R 4.1.2 o KDE Applications 21.12.2 o Ruby 2.7.5, 3.0.3 and 3.1.1 o KDE Frameworks 5.91.0 o Rust 1.59.0 o Krita 5.0.2 o SQLite 2.8.17 and 3.38.2 o LLVM/Clang 13.0.0 o Shotcut 21.10.31 o LibreOffice 7.3.2.2 o Sudo 1.9.10 o Lua 5.1.5, 5.2.4 and 5.3.6 o Suricata 6.0.4 o MariaDB 10.6.7 o Tcl/Tk 8.5.19 and 8.6.8 o Mono 6.12.0.122 o TeX Live 2021 o Mozilla Firefox 99.0 and o Vim 8.2.4600 and Neovim 0.6.1 ESR 91.8.0 o Xfce 4.16 - As usual, steady improvements in manual pages and other documentation. - The system includes the following major components from outside suppliers: o Xenocara (based on X.Org 7.7 with xserver 1.21.1.3 + patches, freetype 2.11.0, fontconfig 2.12.94, Mesa 21.3.7, xterm 369, xkeyboard-config 2.20, fonttosfnt 1.2.2, and more) o LLVM/Clang 13.0.0 (+ patches) o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches) o Perl 5.32.1 (+ patches) o NSD 4.4.0 o Unbound 1.15.0 o Ncurses 5.7 o Binutils 2.17 (+ patches) o Gdb 6.3 (+ patches) o Awk October 12, 2021 version o Expat 2.4.7 ------------------------------------------------------------------------ - SECURITY AND ERRATA -------------------------------------------------- We provide patches for known security threats and other important issues discovered after each release. Our continued research into security means we will find new security problems -- and we always provide patches as soon as possible. Therefore, we advise regular visits to https://www.OpenBSD.org/security.html and https://www.OpenBSD.org/errata.html ------------------------------------------------------------------------ - MAILING LISTS AND FAQ ------------------------------------------------ Mailing lists are an important means of communication among users and developers of OpenBSD. For information on OpenBSD mailing lists, please see: https://www.OpenBSD.org/mail.html You are also encouraged to read the Frequently Asked Questions (FAQ) at: https://www.OpenBSD.org/faq/ ------------------------------------------------------------------------ - DONATIONS ------------------------------------------------------------ The OpenBSD Project is a volunteer-driven software group funded by donations. Besides OpenBSD itself, we also develop important software like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet filter, the quality work of our ports development process, and many others. This ecosystem is all handled under the same funding umbrella. We hope our quality software will result in contributions that maintain our build/development infrastructure, pay our electrical/internet costs, and allow us to continue operating very productive developer hackathon events. All of our developers strongly urge you to donate and support our future efforts. Donations to the project are highly appreciated, and are described in more detail at: https://www.OpenBSD.org/donations.html ------------------------------------------------------------------------ - OPENBSD FOUNDATION --------------------------------------------------- For those unable to make their contributions as straightforward gifts, the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian not-for-profit corporation that can accept larger contributions and issue receipts. In some situations, their receipt may qualify as a business expense write-off, so this is certainly a consideration for some organizations or businesses. There may also be exposure benefits since the Foundation may be interested in participating in press releases. In turn, the Foundation then uses these contributions to assist OpenBSD's infrastructure needs. Contact the foundation directors at directors@openbsdfoundation.org for more information. ------------------------------------------------------------------------ - HTTPS INSTALLS ------------------------------------------------------- OpenBSD can be easily installed via HTTPS downloads. Typically you need a single small piece of boot media (e.g., a USB flash drive) and then the rest of the files can be installed from a number of locations, including directly off the Internet. Follow this simple set of instructions to ensure that you find all of the documentation you will need while performing an install via HTTPS. 1) Read either of the following two files for a list of HTTPS mirrors which provide OpenBSD, then choose one near you: https://www.OpenBSD.org/ftp.html https://ftp.openbsd.org/pub/OpenBSD/ftplist As of April 21, 2022, the following HTTPS mirror sites have the 7.1 release: https://cdn.openbsd.org/pub/OpenBSD/7.1/ Global https://ftp.eu.openbsd.org/pub/OpenBSD/7.1/ Stockholm, Sweden https://ftp.hostserver.de/pub/OpenBSD/7.1/ Frankfurt, Germany https://ftp.bytemine.net/pub/OpenBSD/7.1/ Oldenburg, Germany https://ftp.fr.openbsd.org/pub/OpenBSD/7.1/ Paris, France https://mirror.aarnet.edu.au/pub/OpenBSD/7.1/ Brisbane, Australia https://ftp.usa.openbsd.org/pub/OpenBSD/7.1/ CO, USA https://ftp5.usa.openbsd.org/pub/OpenBSD/7.1/ CA, USA https://mirror.esc7.net/pub/OpenBSD/7.1/ TX, USA https://openbsd.cs.toronto.edu/pub/OpenBSD/7.1/ Toronto, Canada https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.1/ Global https://fastly.cdn.openbsd.org/pub/OpenBSD/7.1/ Global The release is also available at the master site: https://ftp.openbsd.org/pub/OpenBSD/7.1/ Alberta, Canada However it is strongly suggested you use a mirror. Other mirror sites may take a day or two to update. 2) Connect to that HTTPS mirror site and go into the directory pub/OpenBSD/7.1/ which contains these files and directories. This is a list of what you will see: ANNOUNCEMENT armv7/ openbsd-71-base.pub sparc64/ README hppa/ packages/ src.tar.gz SHA256 i386/ packages-stable/ sys.tar.gz SHA256.sig landisk/ ports.tar.gz xenocara.tar.gz alpha/ luna88k/ powerpc64/ amd64/ macppc/ riscv64/ arm64/ octeon/ root.mail It is quite likely that you will want at LEAST the following files which apply to all the architectures OpenBSD supports. README - generic README root.mail - a copy of root's mail at initial login. (This is really worthwhile reading). 3) Read the README file. It is short, and a quick read will make sure you understand what else you need to fetch. 4) Next, go into the directory that applies to your architecture, for example, amd64. This is a list of what you will see: BOOTIA32.EFI* bsd* floppy71.img pxeboot* BOOTX64.EFI* bsd.mp* game71.tgz xbase71.tgz BUILDINFO bsd.rd* index.txt xfont71.tgz INSTALL.amd64 cd71.iso install71.img xserv71.tgz SHA256 cdboot* install71.iso xshare71.tgz SHA256.sig cdbr* man71.tgz base71.tgz comp71.tgz miniroot71.img If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64 and install71.iso. The install71.iso file (roughly 588MB in size) is a one-step ISO-format install CD image which contains the various *.tgz files so you do not need to fetch them separately. If you prefer to use a USB flash drive, fetch install71.img and follow the instructions in INSTALL.amd64. 5) If you are an expert, follow the instructions in the file called README; otherwise, use the more complete instructions in the file called INSTALL.amd64. INSTALL.amd64 may tell you that you need to fetch other files. 6) Just in case, take a peek at: https://www.OpenBSD.org/errata.html This is the page where we talk about the mistakes we made while creating the 7.1 release, or the significant bugs we fixed post-release which we think our users should have fixes for. Patches and workarounds are clearly described there. ------------------------------------------------------------------------ - X.ORG FOR MOST ARCHITECTURES ----------------------------------------- X.Org has been integrated more closely into the system. This release contains X.Org 7.7. Most of our architectures ship with X.Org, including amd64, sparc64 and macppc. During installation, you can install X.Org quite easily using xenodm(1), our simplified X11 display manager forked from xdm(1). ------------------------------------------------------------------------ - PACKAGES AND PORTS --------------------------------------------------- Many third party software applications have been ported to OpenBSD and can be installed as pre-compiled binary packages on the various OpenBSD architectures. Please see https://www.openbsd.org/faq/faq15.html for more information on working with packages and ports. Note: a few popular ports, e.g., NSD, Unbound, and several X applications, come standard with OpenBSD and do not need to be installed separately. ------------------------------------------------------------------------ - SYSTEM SOURCE CODE --------------------------------------------------- The source code for all four subsystems can be found in the pub/OpenBSD/7.1/ directory: xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz The README (https://ftp.OpenBSD.org/pub/OpenBSD/7.1/README) file explains how to deal with these source files. ------------------------------------------------------------------------ - THANKS --------------------------------------------------------------- Ports tree and package building by Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Visa Hankala, Stuart Henderson, Peter Hessler, George Koehler, Kurt Mosiejczuk, and Christian Weisgerber. Base and X system builds by Kenji Aoyama and Theo de Raadt. Release art contributed by Luc Houweling. We would like to thank all of the people who sent in bug reports, bug fixes, donation cheques, and hardware that we use. We would also like to thank those who bought our previous CD sets. Those who did not support us financially have still helped us with our goal of improving the quality of the software. Our developers are: Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall, Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov, Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot, Anton Lindqvist, Asou Masato, Ayaka Koshibe, Benoit Lecocq, Bjorn Ketelaars, Bob Beck, Brandon Mercer, Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar, Charlene Wendling, Charles Longeau, Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann, Claudio Jeker, Dale Rahn, Damien Miller, Daniel Dickman, Daniel Jakots, Darren Tucker, Dave Voutila, David Coppa, David Gwynne, David Hill, Denis Fondras, Edd Barrett, Elias M. Mariani, Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus, George Koehler, Gerhard Roth, Giannis Tsaraias, Gilles Chehade, Giovanni Bechis, Gleydson Soares, Gonzalo L. Rodriguez, Greg Steuck, Helg Bredow, Henning Brauer, Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze, Inoguchi Kinichiro, James Hastings, James Turner, Jan Klemkow, Jason McIntyre, Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans, Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray, Jonathan Matthew, Jordan Hargrave, Joris Vink, Joshua Stein, Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama, Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov, Klemens Nanni, Kurt Miller, Kurt Mosiejczuk, Landry Breuil, Lawrence Teo, Marc Espie, Marcus Glocker, Mark Kettenis, Mark Lumsden, Markus Friedl, Martijn van Duren, Martin Natano, Martin Pieuchot, Martin Reindl, Martynas Venckus, Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Mikonos, Mike Belopuhov, Mike Larkin, Miod Vallat, Moritz Buhl, Nam Nguyen, Nayden Markatchev, Nicholas Marriott, Nigel Taylor, Okan Demirmen, Omar Polo, Ori Bernstein, Otto Moerbeek, Paco Esteban, Pamela Mosiejczuk, Pascal Stumpf, Patrick Wildt, Paul Irofti, Pavel Korovin, Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas, Rafael Sadowski, Rafael Zalamena, Raphael Graf, Remi Locherer, Remi Pointel, Renato Westphal, Ricardo Mestre, Richard Procter, Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha, Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie, Solene Rapenne, Stefan Fritsch, Stefan Hagen, Stefan Kempf, Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler, Theo de Raadt, Thomas Frohwein, Tim van der Molen, Tobias Heider, Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove, Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov, Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Yasuoka Masahiko, Yojiro Uo