This selection is intended to include all important and all user-visible changes.
For a complete record of all changes, please see the "source-changes" mailing list, called "OpenBSD CVS" in the archives, or use CVS.
Changes made between OpenBSD 6.5 and -current
- Changed the number of wsmouse(4) devices created by MAKEDEV to 10, allowing X input configs for many devices at once on newer machines.
- Implemented SHA-2 support for snmpd(8) authentication (RFC 7860).
- Added the mcx(4) driver to sparc64.
- Implemented MSI-X support on sparc64.
- Allowed drm(4) allocation of memory without constraints if the hardware supports 64-bit DMA.
- Introduced ntpd(8) automatic settime mode.
- Included mount_nfs(8) on the amd64 ramdisk_cd.
- Skipped PCI host bridges and devices not present with acpi(4) when establishing the mapping between ACPI device nodes and PCI devices.
- Added the ukspan(4) driver for the Keyspan USA19HS USB serial adapter.
- Implemented RFC 8555 "Automatic Certificate Management Environment (ACME)" to enable acme-client(1) to communicate with the v02 Let's Encrypt API. IMPORTANT NOTE: Users must change the API URL in /etc/acme-client.conf to https://acme-v02.api.letsencrypt.org/directory. The v01 API will no longer be usable. Additionally, the acme-client(1) -A and -D flags have been removed.
- Enabled mcx(4) on arm64.
- Added a -v flag to source-file in tmux(1) to show the commands and line numbers.
- Introduced an ECDSA privsep engine and the code required for smtpd(8) to load and use ECDSA certificates.
- Supported 64-bit DMA for I/O in mpii(4).
- Increased MAXCPUs to 32 in arm64, allowing use of all cores on the Ampere eMAG.
- Prevented corruption of the pckbc(4) command queue when the first of multiple synchronous commands to timeout clears the command queue.
- Allowed the mg(1) beginning-of-buffer and end-of-buffer commands to take a numeric argument and move n/10th of the way from the top or bottom of the current buffer respectively.
- Fixed MSI/MSI-X on arm64 machines with agintc(4).
- Implemented mcx(4) rx filtering using the flow table.
- Switched bintime routines to bintimeadd(9) and introduced bintimecmp(9), with similar behavior to the timeradd(3) macros.
- Used a simple hash table to look up blocks by the fast-hash in openrsync(1) and used a rolling computation, putting openrsync speed on par with GPL rsync for file updates.
- Added mandoc(1) support for 'prefers-color-scheme: dark'.
- Called uvm_growkernel(9) before uvm is initialized on arm64 to ensure machines with large amounts of physical memory do not fail to initialize uvm.
- Added support for the Cortex-A65 CPU.
- Re-enabled RETGUARD leaf function optimization for arm64.
- Added relayd(8) support for SNI with new 'tls keypair' option to load additional certificates.
- Checked the type of a network statement when looking for duplicates in bgpd(8). This fixes adding 'network 0.0.0.0/0' after 'network inet static'.
- Added MSI-X support for acpipci(4), pciecam, dwpcie(4) and rkpcie(4).
- Changed vmctl(8) syntax to specify command options before the create, start and stop commands, matching commonly-expected style.
- Added mcx(4) jumbo frame support, setting the port MTU up to 9500.
- Worked around an ntpd(8) bootstrap failure in a DNSSEC environment by repeating a failed DNS lookup when an incorrect time leads to DNSSEC validation failure and disallows setting the correct time.
- Made improvements to bgpd(8) peer finding in the case where many peers have been configured.
- Fixed ubcmtp(4) multitouch by properly reading multi-finger data on type4 devices with padding between finger data.
- Fixed a tmux(1) crash when killing the current window.
- Supported virtio(4) 1.0 for virtio_pci.
- Modified tcpdump(8) to support '-T erspan' and allow arbitrary gre protocols.
- Allowed specifying area by number as well as id in ospf6d(8).
- Updated perl(1) to 5.28.2.
- Shut down the service port when behind a captive portal with unwind(8), allowing bypass of captive portals that correctly answer SOA queries for the root zone and return NXDOMAIN for the captive portal redirect domain if edns0 is present.
- Implemented 'show mrt neighbors' in bgpctl(8), a command to print the neighbor table of MRT TABLE_DUMP_V2 dumps.
- Replaced the tmux(1) parser code, unifying parsing of the configuration file and string commands (and allowing constructs formerly unique to configuration to be used in string commands).
- Merged Mesa 19.0.5.
- Prevented more than one thread from opening a wscons(4) device in read/write mode.
- Ignored APM_UPDATE_TIME events in i386/amd64 apm(4). This prevents constant erosion of the system wallclock on certain systems.
- Stopped duplicate lease negotiation and application in dhclient(8) when RTM_IFINFO reports a change to the MTU of the interface, which had been confusing Google Compute Engine.
- Added amdgpu(4) from Linux 4.19.44 to support recent AMD Radeon cards.
- Modified vmd(8) to drop fatalx calls when claiming a new vm id, preventing a crash of vmd and existing vms.
- Adjusted ssh(1) to default to using the rsa-sha2-512 signature algorithm when signing certificates with an RSA key. This will render these certificates incompatible with OpenSSH < 7.2 unless the default is overridden by use of the (1) -t flag.
- Fixed integer overflow in block size calculation in aucat(1), fixing truncation of contents of files with rate above 64kHz generated in offline (-n) mode.
- Used unveil(2) on tetris(6).
- Prevented dhclient(8) from repeatedly obtaining a new/renewed lease when interface-mtu is present in a lease.
- Mitigated Intel's Microarchitectural Data Sampling vulnerability by using the new CPU VERW behavior if available or by using the proper sequence from Intel's "Deep Dive" doc in the return-to-userspace and enter-VMM-guest paths. Updated vmm(4) to pass through the MSR bits so that guests can apply the optimal mitigation.
- Added tcpdump(8) handling specific to ERSPAN type I.
- Improved athn(4) support for AR9271 to use the correct clock control register.
- Fixed vmd(8) -b to allow use of 'vmctl start foo -b /bsd -d disk.img -cL'.
- Adjusted ospfctl(8) to accept address and number format for 'ospfctl show database area XXX'.
- Modified vmctl(8) to treat vms disabled in vm.conf the same as any other vm which is stopped.
- Stopped changing router-id on ospfd(8) reload if unspecified.
- Attached two dwiic(4)-pci devices that are now functioning, enabling correct behavior of the trackpad and trackpoint of the Dell Precision 7520.
- Added support to the amd64 BIOS bootloader to load a kernel at a random virtual address.
- Allowed specification of a cmdfile for config(8) rather than piping in commands for -ef.
- Added support for 'boot device' to vm.conf(5) grammar, the '-B device' counterpart from vmctl(8).
- Added tee(1) to the ramdisk filesystem to provide a moving progress bar during auto upgrade/install and a clean log.
- Emulated kvm pvclock in vmm(4), compatible with pvclock(4) in OpenBSD.
- Added elf(3) support for -znoretpolineplt and made -zretpolineplt the default. Affects i386 and amd64.
- Fixed ifconfig(8) nwflags. Added a new 'stayauth' nwflag which can be set to let net80211 ignore deauth frames, useful when deauth frames are being spoofed by an attacker.
- Ensured the extended acpi(4) PM register descriptions actually exist before using them, fixing machines with ACPI 1.0.
- Added first drm render node to the fbtab(5) list of devices to change when logging in on ttyC0. Added drm0 to loongson and added the complete set of wscons and drm devices to arm64.
- Added simple menus to tmux(1) tree, client and buffer modes.
- Added the colemak keyboard layout.
- Added support for remapping acpi(4) PM registers using the 'extended' gasio representation from the FADT, fixing the Lanner NCA-1510.
- Enabled reporting of the vm state through use of the vmctl(8) 'status' command.
- Modified ld.so(1) to prune visited leaves when walking dependencies to call init functions in topological sort order, greatly reducing cost.
- Repaired and improved v6 default route selection in install.sub, fixing autoinstalls.
- Added support for IKEv2 Message Fragmentation (RFC 7383) to iked(8).
- Implemented interrupt controller functionality in rkgpio(4), allowing use of the fusbtc(4) interrupt on the RockPro64.
- Added fusbtc(4) to support the Fairchild FUSB302 USB Type-C controller.
- Synced vm state in vmd(8) when (un)pausing a vm to ensure both vmm(4) and vmd(8) processes know the vm is paused.
- Handled some unhandled instructions for SVM which led to vmm(4) guest termination, as well as RDTSCP and INVLPGA instructions.
- Added sysupgrade(8) support to the sparc64 bootloader.
- Added logging of ssh(1) PermitOpen and PermitListen violations.
- Added a fallback to ehci(4) which enables the USB ports on the RockPro64.
- Added support for simple tmux(1) menus usable with mouse or keyboard. Introduced the command "display-menu" to show a menu bound to the mouse on status line by default.
- Enabled switching between wireless and wired interfaces in dhclient(8), setting the default route with the interface address and allowing two default routes in the routing table. A wired interface will be preferred when connected.
- Explicitly disabled BCM4331 chips present in 2011-2012 Apple Mac systems to prevent an interrupt storm that can result when the Mac EFI firmware enables, but does not disable, the wireless controller.
- Added Intel Atom C3000 pci(4) ids.
- Added port protection support to switch(4). Domain membership is checked for unicast, flooded (broadcast) and local (host-network-bound, e.g. trunk) traffic.
- Introduced malloc_conceal(3) and calloc_conceal(3), which return memory in pages marked MAP_CONCEAL and call freezero() on free().
- Implemented DNS block lists in unwind(8).
- Fixed a bridge(4) memory leak when multiple interfaces do MAC filtering.
- Added support for from/to in relayd(8) filter rules.
- Introduced a -k flag to sysupgrade(8) to preserve the files in /home/_sysupgrade after upgrading.
- Added measurement of poll intervals with monotonic clock to acpisbs(4).
- Added consistent use of 'ifconfig $_if [-inet| -inet6]' to clear existing configurations completely after restarting an install.
- Added a sysctl(8) accessor to struct pf_status to allow export of current status and statistics without super-user rights via sysctl. Used this to print
- Changed the behavior of swap-window -d in tmux(1) to match swap-pane.
- Preserved dhcp configuration when restarting an install.
- Modified systat(1) to allow the use of 'b' to switch to stats since boot.
- Added ucrcom(4), a driver for the serial console of certain chromebooks.
- Removed ld.so-local stack-protector handling functions on retguard systems, as hard-traps are used.
- Set the REQUEST_URI CGI variable to the requested URI and query string instead of the rewritten ones in httpd(8).
- Fixed integer overflow with an excessively large number of kqueue(2) events.
- Added support for more Intel 300 Series PCH to ichiic(4).
- Moved bgpd(8) pfkey socket to the parent process. The refreshing of the keys is done whenever the session state changes to IDLE or ACTIVE, which should behave better when reloading configs with auth changes.
- Fixed a bug in pkg_info(1) -S where version elements were ignored.
- Ensured mcx(4) completion queues are always rearmed to prevent rx or tx completion stalling.
- Adjusted unwind(8) to try to resolve the DNSSEC trust anchor only if we have a validating resolver context.
- To restore lockf(3) deadlock detection, introduced a list for all pending blocked locks to be scanned before waiting on a blocking lock in order to determine whether sleeping would cause a deadlock.
- Enforced store/load order when setting or clearing AST flag on mips64, preventing an unlikely case with inter-CPU ASTs where the receiving CPU uses stale state. Ensured that the clearing store is performed before other memory accesses, preventing potential loss of an AST request.
- Issued a write-write barrier before sending IPI on mips64, preventing a receiving CPU from observing an old state when processing the interrupt.
- Made the interrupt and trap return paths check for ASTs with interrupts disabled, fixing unintentional delay of ASTs on MP mips64.
- Fixed reloading of network statements that have no fixed prefix specification in bgpd(8).
- Fixed a logic error when configuring the alc(4) driver to use msi.
- Fixed the case where switchd(8) does not save a copy of a packet needing forwarding.
- Added support for the EFI Random Number Generator Protocol, using it to XOR random data into the buffer we feed the kernel for amd64.
- Relaxed a check in knote(9) to prevent a panic without KERNEL_LOCK().
- Began to assume eDP is present on port A when there is no VBT, making inteldrm(4) work on a Gemini Lake system (HP Stream Laptop 14-cb1XX) where finding the VBT fails.
- Improved the interaction among efifb(4), inteldrm(4) and radeondrm(4) for a serial console by introducing a 'primary' device, the one set up and used by firmware. This should help X to work correctly out of the box with multiple cards or with a serial console.
- Added mcx(4) driver for Mellanox ConnectX-4 (and later) Ethernet controllers.
- Began to allow panes to be empty in tmux(1), allowing output to be piped to them with split-window or display-message -I.
- Adjusted installer to remember 'autoconf' if install restarts.
- Added a 'forwarded' log format extending the 'combined' log format for httpd(8), allowing tracking of request origins behind a proxy. This format is compatible with log analyzers like GoAccess and Webalizer.
- Fixed endless loop / OOB write on 64 bit systems with large buffers.
- Improved man(1) matching for requests for a specific section.
- Renamed the -c option in sysupgrade(8) to -s to indicate snapshots, and implemented a -r option to force an upgrade to the next release.
- Added a -n option to sysupgrade(8) for a no-reboot option.
- Adjusted sysupgrade(8) to only fetch and upgrade if a new snapshot is available.
- Avoided opening httpd(8) log files on 'no log,' preventing startup failures where the log/directory is missing but logging is disabled anyway.
- Avoided running the activate function for a partially-attached ehci(4) driver, preventing a panic during suspend for the Realtek DASH ehci.
- Added support for the cryptographic coprocessor found on newer AMD Ryzen CPUs/APUs.
- Allowed non-root users to become master when they are the first to open a drm(4) device.
- Increased datasize and maxproc for the pbuild class in login.conf(5).
- Used the proper UAC-v2.0 request in uaudio(4) to read the device controls, fixing STALL errors in mixer requests causing the mixer to be unusable.
- Protected tun(4) wakeup with KERNEL_LOCK, rather than NET_LOCK.
- Pulled cdfs and cdrom production into the full ramdisk build for i386.
- Added a 'set_rate' method to the envy(4) codec API, allowing card-specific codec initialization code called when the sample rate is changed. Implemented this method for ESI Juli@ cards, switching the AK5385 and AK4358 chips among single-, double- and quad-speed modes depending on host sample rate and suppressing aliasing noise.
- Enabled mvmdio(4) and mvneta(4) on arm64.
- Enabled EnvyHT-specific sample rates (above 96kHz) on the host controller for envy(4) devices.
- Added support for the Armada 3720 pinctrl controller to mvpinctrl(4). This controller also includes GPIO controller functionality.
- Added mvuart(4) to support the Armada 3720's serial console.
- Added support for the Armada 3720 clocks to mvclock(4) and added mvuart(4) to support the serial console.
- Allowed enabling of regulators with the 'regulator-always-on' property.
- Added unveil(2) to chpass(1).
- Fixed user options crash in tmux(1).
- Began the process of making Makefiles more similar across architectures.
- Restricted hotplugd(8) filesystem access with unveil(2).
- Fixed a memory leak in window tree search in tmux(1).
- Added an equivalent test for master in drm_fb_helper_is_bound() for drm(4). This prevents black screens on hotplugging a new display with X(7) running, which required a vt switch.
- Added a check to ospfd(8) and ospf6d(8) that any "depend on" interfaces are in the same rdomain.
- Changed default Ruby version in ports(7) to 2.6.
- Removed the KERNEL_LOCK from the bridge(4) output fast-path.
- Cranked BUFCACHEPERCENT back down to 20 after the increase to 80 exposed a few problems.
- Started a cleanup of boot media creation and made the process use the new vnconfig(8) vnd-auto-allocate mode.
- Removed the need for the -A option from vnconfig(8).
- Silenced all of the OKs from signify(1) while it is verifying the install sets for sysupgrade(8).
- Modified syspatch(8) to default to using cdn.openbsd.org if there isn't a proper /etc/installurl.
- Changed sysupgrade(8) to re-verify the signature only for SHA256 when checking the old files.
- Regenerated moduli(5).
- Imported libdrm 2.4.98.
- Removed vnconfig(8) functionality from mount_vnd(8).
- Added sysupgrade(8), a tool to upgrade OpenBSD to the next release or a new snapshot.
- Split vnconfig(8) out of mount_vnd(8).
- Extended the maximum size of the bgpd(8) shutdown communication message to 255 bytes. Made the same adjustment to bgpctl(8).
- Fixed a potential panic in inteldrm(4) caused by an interrupt coming in before the interrupt handler is set up.
- Adjusted tmux(1) to automatically scroll when dragging to create a selection with the mouse when the cursor reaches the top or bottom line.
- Added support for the USB serial adapter found in Juniper SRX 300 to uslcom(4).
- Used unveil(2) to restrict file system access in relayd(8) to read only.
- Added a watchdog for unattended upgrade to reboot after 30 minutes in case the script halts.
- Changed most bootloaders to boot from /bsd.upgrade if it is present.
- Implemented SIOCGIFSFFPAGE in bnxt(4) so that ifconfig(8) can get transceiver information from it.
- Added the pci(4) product id for the VMware nvme(4) interface.
- Added support for ccp(4) at acpi(4).
- Added pinctrl(4) support for 'pinconf-single' devices and support for bias and drive-strength properties, needed for HiSilicon SoCs.
- Added the octiic(4) driver for OCTEON two-wire serial interfaces.
- Removed file name and line number output from witness(4), along with the wrapper for mutexes.
- Added -no-clear variants of copy-selection and copy-pipe to tmux(1) which do not clear the selection after copying.
- Checked for linkstate instead of IF_STA_POINTTOPOINT for originating router LSAs for P2P interfaces in ospfd(8), making 'passive' work on P2P interfaces.
- Modified vmm(4) to flush guest TLB entries if the guest disables paging.
- Began to change only the clock frequency and skip setting voltage on arm64 systems supporting DVFS which do not expose a regulator.
- Added support for official Linux device tree bindings and the 'stub' clocks handling CPU clock frequency on the Hi3670.
- Stopped prompting for disks that do not contain a root partition during upgrades. This defaults to the correct disk when full disk encryption is in use, and will be useful for future unattended upgrades.
- Set vlan(4) to use if_vinput instead of if_input, bypassing ifiqs and improving vlan input speeds.
- Added if_vinput so pseudo (ethernet) interfaces can bypass ifiqs, running interface input handlers directly rather than queuing the packets for a nettq to run and improving performance.
- Disabled mobileip(4).
- Added support for rxprio to gre(4).
- Implemented the roff(7) .break request, preventing infinite loops.
- Built clang(1) on powerpc.
- Used IPL_TTY to prevent 'locking against myself' panics for drm/i915.
- Fixed crashes seen with the 'intel' X driver with the new inteldrm(4) kernel driver by fixing rbtree_postorder_for_each_entry_safe() implementation.
- Fixed unreliable 'ifconfig mode' with some wireless drivers by interpreting ENETRESET from ifm_change() as success in ifmedia_ioctl().
- Added stdio pledge(2) to nl(1) after opening a file but before doing operations.
- Completed conversion of rdsetroot(8) to -lelf on alpha.
- Adjusted dma-range bufcache to 80% from 20%, to learn the downsides of this change based on user reports.
- Avoided an underflow in the rip6 delivered counter in netstat(1).
- Fixed netstat(1) statistics so 'netstat -s -f inet6 -p rip6' correctly copies out rip6counters, not ip6counters.
- Adapted radeon_detach_kms() to struct drm_device being split from drm softc. Avoids uvm_fault() when firmware is missing and radeondrm(4) is forcibly detached.
- Added a subsystem lock for vfs_lockf.c, allowing calling lf_advlock() and lf_purgelocks() without the kernel lock.
- Implemented factored-out txprio and rxprio checks.
- Implemented rxprio in mpw(4), mpe(4) and mpip(4). Added rxprio support to etherip(4) and bpe(4).
- Added support to ifconfig(8) for getting and setting rxprio, finishing support for RFC 2983. Implemented configuring rxprio in vlan(4).
- Modified pfctl(8) to always check for namespace collisions on table commands.
- Fixed pfctl(8) table definition parsing as unprivileged user, printing a brief notice if -v was given to help find duplicate definitions by hand.
- Modified sshd(8) -T to assume any attribute not provided by -C does not match, allowing it to work when sshd_config(5) contains a Match directive with or without -C.
- Released OpenSSH 8.0.
- Switched powerpc to big PIC to allow clang(1) to build libc++abi and libc++.
- Used txprio to control the use of exp as a priority field for mpw(4), mpip(4) and mpe(4). Intermediate LSPs can use the exp field to manage prioritization of encapsulated traffic.
- Prevented attaching drivers to devices for which a driver was attached early with simplebus on armv7 and arm64.
- Adjusted myx(4) i2c reads to read only one byte at a time, increasing reliability.
- Fixed sff page reads for myx(4) devices on little endian architectures.
- Rewrote rdsetroot(8) using libelf(3).
- Imported xf86-video-amdgpu 19.0.1 for amd64 and i386.
- Implemented tx mitigation by calling the hardware transmit routine per several packets rather than for individual packets. Defers calls to the transmit routine to a network taskq, or until a backlog of packets has built up.
- Introduced 'pfctl -FR' to reset pfctl(8) settings to defaults.
- Removed old -vlan and -vlandev code from ifconfig(8), using these instead as aliases for -vnetid and -parent.
- Added basic support to ifconfig(8) to display xfp and qsfp+ information.
- Implemented SIOCGIFSFFPAGE to allow ifconfig(8) to get transceiver information from myx(4) devices.
- Applied strvis(3) to strings from USB devices in usbdevs(8).
- Removed the potential for double-frees in copied cipher data by zeroing and freeing following EVP_CIPHER_CTX_copy() in evp(3). Used calloc(3) when allocating cipher_data to avoid use of uninitialized memory.
- Updated shared drm code, inteldrm(4) and radeondrm(4) to Linux 4.19.34. This adds support for Intel Broxton/Apollo Lake, Amber Lake, Gemini Lake, Coffee Lake, Whiskey Lake, Cannon Lake and Ice Lake hardware.
- Stopped using splnet(9) when running the network stack now that it is using the NET_LOCK for protection, reducing latency spikes.
- Increased information displayed for -v and -vv options for tcpdump(8) during md5 authentication.
- Added missing compatibles for newer Linux kernel bindings to mvpinctrl(4).
- Fixed a leak in SSL_dup_CA_list() in ssl(3).