This selection is intended to include all important and all user-visible changes.
For a complete record of all changes, please see the "source-changes" mailing list, called "OpenBSD CVS" in the archives, or use CVS.
Note: Problems for which patches exist are marked in red.
Changes made between OpenBSD 5.6 and 5.7
- Update unbound(8) to 1.5.0.
- In mandoc(1), make .Ao and .Aq render as "<>" after .An, and as "\(la\(ra" elsewhere, just like groff.
- Fixes for mandoc(1) db for NAME_FIRST before its first use, NAME_FILE duplication and correct NAME_FILE mask for .so links.
- Delete KERN_VNODE sysctl(3).
- Add support for exporting relayd(8) statistics via AgentX/snmpd(8).
- Add support for AgentX subagents in snmpd(8).
- Fix ssl memory leak with pkey in client key exchange.
- Bugfix for grdc(6) to run for the specified amount of seconds, not for a fixed amount of iterations. Makes a difference on slow terminals.
- Make mandoc(1) let escape sequences terminate high-level macro names, and when doing so, they are ignored.
- Make binutils recognize sahf/lahf for amd64 code, backported from 2.17.
- For newer re(4) chipsets, add support for stopping the operation within re_stop().
- Let mandoc(1) support the ".if v" conditional operator for groff compatibility.
- Sync ssh(1) AES code to the one shipped with OpenSSL/LibreSSL.
- Make binutils recognize dcbzl for PPC code, backported from 2.17.
- Disable the page zeroing thread on MP mips64 kernels.
- Added support for sigwinch resizing in grdc(6).
- Make mandoc(1) ignore invalid directories in man.conf and MANPATH, but complain about invalid directories given on the command line.
- Avoid iteration over end of string in patch(1).
- On ppc platforms, make pmap_zero_page MP-safe by using the directmap.
- Enable GOST cipher in libcrypto.
- For cas(4), use pa_device to ensure each MAC address of a multi port board is unique.
- When running mandoc(1) in man(1) mode, set match order to file name over .Dt name over first .Nm entries over other NAME .Nm entries over SYNOPSIS .Nm entries. Re-run "makewhatis" to effectuate this change.
- Fix NULL pointer dereference in ssh(1) key loading.
- Activate support in pkg-config(1) for "package != version" requests.
- Imported perl 5.20.1.
- Add Camellia cipher to libcrypto.
- Make /var/tmp a symbolic link to /tmp. Move /tmp to the same 7-day expiration that /var/tmp had.
- Added new function to libc, crypt_newhash(3).
- Add quirks for "Realtek ALC885" found on MacMini3.1, unmutes the internal speaker, line input and hp output.
- Reduce dhclient(8) risk by putting config file reading after forking the privilege separated child process but before getting hardware link.
- Sync kernel AES code to the one shipped with OpenSSL/LibreSSL.
- Make usbdevs(8) show super speed status in verbose output mode.
- In ssh(1), fix KRL generation when multiple CAs are in use.
- Make mandoc(1) correctly handle whitespace-only lines in regard to vbl and vis variables.
- Two fixes to make Qemu and VMware xhci(4) implementations work: always unmask the slow context for the Set Address command and use the right spl when submitting a transfer.
- Allow cas(4) to retrieve the MAC address from the rom for NS Saturn based boards.
- Reworked the sigwait() handling to fix ptrace() in some circumstances.
- Add cas(4) devices to i386 and amd64 GENERIC kernels.
- Change librthread to not restart syscalls on SIGTHR.
- Fix in librthread to allow check for cancellation when a handled (but not waited for) signal occurs.
- Use newly imported siphash algorithm for in_pcb hashing.
- In dhclient(8), make -q and -d mutually exclusive.
- Removed 'tcl' command from vi(1).
- On ifconfig(8), move trunk(4) code outside #ifdef SMALL to allow trunk operation on RAMDISK kernels.
- Implement atomic_* ops for the arm platform.
- In mandoc(1), remove harmful byte swapping on big endian architectures.
- Fix reversed logic when selecting log level in npppd(8).
- Fixed use after free in npppd(8) when pool addresses change.
- Add -b to splitw in tmux(1) like in joinw.
- In the performance adjustment code, take a few more ticks before throttling down to handle the situation where it is cpu intense but intermittently idle.
- In tmux(1), don't let force-width or force-height be less than PANE_MINIMUM.
- Store autoinstaller logfile in /mnt/var/log to be available after reboot.
- Updated time zone data to tzdata2014j.
- Do not hold the kernel lock when calling hardclock() and statclock().
- When exploring the usb buses, do not probe the ports whose status hasn't changed. Saves a lot of I/O when attaching/detaching devices.
- Tweaked DHCPACK to DHCPINFORM log entries to be more informative.
- Speedup in mandoc(1) in man(1) mode without -a, stop searching after the first manual tree that contained at least one match.
- Stop athn(4) from attaching to AR9300 devices due to unresolved bugs.
- For httpd(8), allow the log directory to be configurable in the config file, rather than having it fixed as /logs in the chroot.
- In xhci(4), do not reset the base address of the control endpoints ring when the second Set Address command is issued.
- Make pf(4) ask for ICMPv6 checksum recalculation in pf_route6 since the addresses may have been tweaked.
- bgpd(8) now outputs 32bit AS numbers in ASPLAIN format by default instead of AS_DOT+.
- Socket closing fixes in the client rpc(3) code.
- Implemented -h in mandoc(1) for preformatted (cat) pages.
- Fix for ix(4) SFP+ module detection when booting without the modules plugged in.
- Added support for USB 1.x devices below external hubs on xhci(4).
- Make sure httpd(8) doesn't try to open log files when using syslog.
- Changed the xhci(4) attach logic to set the address of a device. Fixes issues seen on root hubs with some Low/Full speed devices.
- Plug an rtentry leak in route code.
- Fix pf(4) state linking used to implement transparent relays for connectionless protocols.
- Added GOST crypto algorithms to libcrypto. Not enabled yet.
- Make tmux(1) expand formats in copy-pipe command.
- When a usb(4) pipe is closed, only clear the memory of the corresponding endpoint context. Fixes a panic.
- Stopped tmux(1) extending the line to full width on insert/delete character (leaves extra spaces when reflowing); only mark a line wrapped when the cursor actually goes off the end (not on newlines).
- If resuming from sleep (zzz/ZZZ) and the lid is still closed, go back to sleep. Prevents accidental lid flex from waking the machine up.
- Libtool moved to the comp set.
- Enabled xhci(4) on i386 and amd64, for USB 3.0 support.
- Fixed problems with iked(8) EAP state transition. Allows Win7 to establish a tunnel again.
- Fixed a race (and panic) in xhci(4) when submitting a command by using the appropriate spl(9) protection.
- Removed the SSLv2 option from relayd(8); made "no sslv3" work as intended.
- Added bcd(6) -l option to create "modern" 80 column cards.
- Made malloc(9) calculate correct size before doing the free checks, to fix recent panics.
- Enabled TLS extensions in ssl(8).
- Fixed mac address selection with unnumbered carpdevs when using carp(4).
- When tmux(1) copy mode is used for output, wrap the text.
- Removed old curses support from vi(1).
- Added V for tmux(1) "select line" with vi(1) keys.
- In smtpd(8), stopped prepending the user ID in the local enqueuing "Received" line.
- Implemented workaround for em(4) i218 watchdog timeouts that are triggered by heavy traffic.
- Fixed sd(4) cards with rev C BeagleBone Blacks.
- Added rgephy(4) for the RTL8211E phy in the LeMaker Banana Pi and Banana Pro.
- Added atphy(4) to armv7, for the Atheros AR8031 phys in the AM335x starter kit.
- Introduced SipHash (https://131002.net/siphash/), useful when adding protection against hash bucket flooding attacks.
- Allow the five man(7) font macros to concatenate their line arguments. Removes bogus <br/> when font macros are used in -Thtml "no-fill" mode.
- Stopped dhclient(8) leaking static leases when the "lease {}" parsing fails or when a static lease supersedes an earlier one.
- Fixed kernel stack overflow in carp(4) by preventing carp_send_ad_all() from re-entrant calls.
- Stopped changing the gateway of local route(4) for p2p interfaces. Prevents a panic.
- Updated to xterm(1) version 312.
- Use the correct default MaxPacketSize for Full Speed usb(4) devices and make them work with xhci(4).
- In passwd(1), removed support for all password cyphers except blowfish(3).
- Removed ephemeral RSA key handling from ssl(8).
- Add support for automatic DH ephemeral keys in ssl(8), so DH keys can be generated based on the server key length; use automatic DH ephemeral parameters instead of fixed 512 bit.
- Removed ssl(8) support for ephemeral/temporary RSA private keys.
- Renamed libressl to libtls, to avoid confusion.
- Major bugsquashing with respect to -offset and -width in mdoc(7).
- Do not enable interrupts before attaching usb(4). Fixes panic when an Express Card has usb(4) devices.
- Support utf-8 and iso-8859-1 input by integrating preconv(1) utility into mandoc(1).
- In mandoc(1) -Tascii mode, only print "<?>" for unicode escapes of unknown representation (not for character escapes with unknown names).
- Tightened mandoc(1) unicode escape name parsing.
- Fixed pipex(4) to return multicast packets to the caller so that npppd(8) can handle them.
- Fixed pipex(4) to initialise DF bit in IP header for L2TP message, so packets larger than minimum MTU aren't dropped.
- 5.4, 5.5, 5.6 and -current SECURITY FIX: Fixed incorrect expansion of netmask for dynamic interfaces by pfctl(8). Stops potential elevation of access permissions for IPv6 traffic.
- Removed execute permission from most pages in the kernel pmap(9) on powerpc.
- Stopped supporting wsmoused(8) and X(7) in parallel. Code is racy and known to break mice upon resume.
- Fixed regression in term.c r1.89: repaired handling of zero-width spaces (\&) in mandoc(1) utf-8 output.
- Allow the current lease to expire without causing dhclient(8) to seg fault when it tries to get a new one.
- Fixed possible infinite recursion in perl(1) Data::Dumper (CVE-2014-4330).
- Improved mandoc(1) -Tascii output for unicode escape sequences: for the first 512 code points, provide ASCII approximations; provide approximations for some sequences above codepoint 512 via mandoc_char(7) character table.
- When using the local enqueuer and the internal SMTP session fails, made smtpd(8) copy the original message to ~/dead.letter so it's not lost.
- On hppa, fixed "read section header string table failed(0)" errors when attempting to boot lif.fs.
- Fixed smtpd(8) so newaliases and makemap can parse multi-line aliases entries.
- Stopped mandoc(1) attempting to parse empty equations. Fixes a null pointer dereference.
- In mandoc(1), report arguments to .EQ if they have caused an error.
- Don't attempt to suspend/resume a partially attached drm(4) driver. Fixes crash upon resume with ATI FireMV 2400 card.
- Stopped the page zeroing thread launching on m88k multiprocessor systems. Avoids a deadlock between reaper and zerothread.
- Added pane_input_off format to tmux(1).
- Retired networks(5) support from amd(8) and getent(1).
- Extended features in autoinstall(8).
- No longer limit physmem to 2GB on hppa.
- Removed networks(5) support from netstat(1).
- Avoid an ssl(8) null pointer dereference that could be triggered by SSL3_RT_HANDSHAKE replays.
- Allow reliable IPv6 communication between carp(4) master and backup across a shared IPv6 subnet.
- URL-decode the httpd(8) request path.
- Only redraw the tmux(1) pane when it has actually changed.
- Reworked httpd(8) error messages: do not send details of 40x errors, to avoid possibility of javascript injection attacks.
- Made tftp(1) cope with sending or receiving files beyond 65536 blocks in length.
- Fixed du(1) regression, always report the size of files listed.
- 5.6 SECURITY FIX: disabled SSLv3 by default.
A source code patch is available for 5.6.
- In getent(1), error out when hosts enumeration is requested.
- Made mandoc(1) correctly parse spacing around in-line equations.
- Removed the "interface" option from relayd(8) "transparent forward" directive.
- Fixed memory leak in ssl(8) d2i_SSL_SESSION.
- Backported fix for binutils bug 11867: ".quad" directive not assembled correctly.
- Use sha512 instead of md5 for tcp(4) initial sequence number.
- In ssl(8) s_client, no longer call shutdown on a non-existent socket descriptor.
- In the random number generator, use sha512 to hash the entropy (instead of md5).
- 5.4, 5.5 and 5.6 RELIABILITY FIX: Stopped assuming elf(5) ep_taddr and ep_daddr are page-aligned, to fix a panic.
A source code patch is available for 5.4, 5.5 and 5.6.
- Update to xf86-video-mga 1.6.3.
- Update to xf86-video-savage 2.3.7.
- More gracefully handle firmware loading errors in ulpt(4). Avoids potential kernel crash.
- 5.4 and 5.5 RELIABILITY FIX: Fixed two remotely triggerable memory leaks in ssl(8).
A source code patch is available for 5.4 and 5.5.
- Better POSIX compliance for realpath(3).
- Made sure the pmap(9) direct map isn't executable on amd64. Mitigates some ret2dir attacks.
- Correctly encode half line feed in the output stream for col(1) -f.
- Added the -d flag (limit display depth) to du(1).
- Made the mg(1) kill-paragraph and forward-paragraph commands stop once they can go no further.
- Fixed resume from hibernate on AMD processors.
- Fixed col(1) segfault triggered by an input line containing two consecutive backspace characters beyond column MAX_SHRT.
- Implemented in-line equations in mandoc(1), needed by Xenocara manuals.
- Allow empty headers in smtpd(8).
- Disabled SSLv3 by default in ssl(8), relayd(8) and smtpd(8).
- Stopped smtpd(8) relaying a header that will be rewritten by the destination MX.
- Prevented sessions from sending a huge number of continuations to a single header and starving smtpd(8).
- Made rcctl(8) properly access all rc.d(8) scripts and ignore anything irrelevant in /etc/rc.d.
- Fixed memory leak in smtpd(8) error path.
- Even if a table has zero columns, do not segfault in the mandoc(1) formatter.
- Stricter syntax checking of unicode character names by mandoc(1); properly scale string length measurements for postscript and pdf output.
- Improved error handling in the eqn(7) parser; do not parse quoted strings for tokens. Fixes glFrustum(3).
- Fixed bug in mg(1) backward-paragraph when pressing "M-{".
- Stopped iked(8) segfaulting when connecting from Strongswan on Android.
- Major upgrade to eqn(7) terminal output.
- Removed possibility of multiplicative integer overflow in relayd(8) and snmpd(8).
- Moved CPU throttling into the kernel, enabled with sysctl(8) hw.setperf=-1.
- Added rcctl(8) "default" command.
- Allow pkg_sign(1) signing to proceed when interrupted.
- In rcctl(8), prevented "-e" in daemon_flags being fed as an argument to the built-in echo.
- Partial eqn(7) rewrite, to fix operator precedence.
- Let rcs(1) handle -l and -u combinations.
- Parse and render "from" and "to" clauses in eqn(7), and render matrices.
- More readable eqn(7) -Ttree output; initial bits of MathML rendering for eqn(7) -Thtml.
- Properly initialise secondary CPUs on 64 bit macppc machines.
- Allow kernel to be built without ddb(4).
- Added ddb(4) support for DWARF line number decoding, so "trace" includes file and line numbers.
- No more modstat(8), modload(8) or lkm(4).
- Tweaked ssh_config(5) reparsing with host canonicalisation; added -G option to ssh(1); don't ignore ssh_config(5) "Port" options (bz#2267 and bz#2286).
- Made sndiod(8) check parameters returned by audio drivers, and report driver bugs rather than crashing.
- Made workq/taskq runner threads yield when they've hogged the CPU.
- Now that the cleaner yields the CPU, stopped vfs(9) checking to see if we are hogging the CPU.
- Restricted smtpd(8) address lookups to configured address families.
- Fixed hardware lockup on intel(4) with i845g.
- In vi(1), bumped max columns to 768 to accommodate bigger screens.
- Removed support for AOE (ata over ethernet).
- Fixed DDOS in head(1) by using the correct exit code on failure.
- Removed gzsig(1).
- Switched mandoc(1) HTML output to polyglot HTML5; have only one single -Thtml mode.
- If a tbl(7) layout contains unknown font modifiers, don't fail table, fallback to default font.
- Removed sdio(8).
- Made amd64 pmap(9) more efficient on multi-processor machines.
- When chmod(1) is called, do not silently ignore syntax errors in options, instead error out properly.
- When ssl(8) is verifying an IP address is in a certificate common Name, do not perform wildcard matching.
- If ssl(8) has to match against a wildcard in a cert, verify that it contains at least a domain label.
- Amended previous commit in ftp(1) fetch.c to unbreak ELS cert validation when using a proxy.
- Check object allocation for success before using it in ssl(8) v3_cpols.c.
- In ssl(8), fixed memory leaks in the error path of v2i_AUTHORITY_KEYID() and set_dist_point_name().
- Switched syslogd(8) from using poll(2) to libevent.
- Updated xterm(1) to version 311.
- Stopped xhci(4) Intel Series 7 controllers reporting illegal context state transition when detaching devices.
- In ftp(1), only pass the remote host name (not any ":portnumber" suffix) to ressl_connect_socket().
- Forced smtpd(8) to strip any empty BCC header in the DATA part of the SMTP transaction.
- Cleaned up the reporting socket code in syslogd(8).
- Introduced a thread for zeroing uvm(9) pages without holding the kernel lock, to reduce latency.
- In syslog_r(3), strip trailing newlines from syslog messages, to avoid empty lines when printing.
- Allow ssl(8) to disable hostname and certificate verification separately.
- Enabled automatic handling of ephemeral EC keys by ssl(8).
- Allowed many code paths in myx(4) to run without the kernel lock.
- Now that pool(9) is mpsafe, made the mbuf(9) allocators on top of pools mpsafe too.
- Fixed a crash when there is text after a failed %Z conversion in strptime(3).
- When no domain is specified in MAIL FROM or RCPT TO, smtpd(8) now assumes local user.
- Fixed httpd(8) endless event loop that could eat all CPU time.
- Added local subnet route (RFC 3442) support to dhclient(8).
- Enlarged columns for 4-byte ASN display with bgpctl(8) "show summary" output.
- Fixed route(4) so arp(8) will no longer report an incomplete entry for lo0.
- Made tmux(1) take account of window-status-separator when checking window position.
- Update status when a tmux(1) pane is selected with a mouse.
- Always call waitpid(2) on SIGCHLD when client_attached is set in tmux(1). Avoids potential zombie.
- Fixed some incorrect format specifiers in a debug printf(9) in apm(8).
- Fixed loopback related breakage introduced by the conversion of in_ouraddr() to use the route(4) table.
- Map out-of-range facility values to LOG_USER to avoid array over-read in syslogd(8).
- No longer define default_bits in openssl.cnf. Allows the compiled-in default to take priority.
- Switched openssl(1) "req" command to using SHA256 (hashes) and AES256 (on-disk keys) by default.
- 5.6 RELIABILITY FIX: Fixed some run(4) devices working in 5.5 but not in 5.6-release.
- More optimisations of luna frame buffer. Makes 4bpp wscons(4) putchar ~8% faster on luna88k.
- Unhooked sliplogin(8), sl(4), slstats(8) and slattach(8).
- Check speed of a new device does not exceed parent's speed prior to calling usbd_new_device().
- 5.4, 5.5 and 5.6 SECURITY FIX: Stopped nginx (in base) reusing cached ssl(8) sessions in unrelated contexts (CVE-2014-3616).
A source code patch is available for 5.4, 5.5 and 5.6.
- Added support for "physical devices" to mfii(4).
- In ssl(8), cleaned up EC cipher handling in ssl3_choose_cipher().
- Prevented dmesg(8) spam from some windows-only keys (found on very new thinkpads).
- Do not use the global list of IPv4 addresses in icmp_reflect(), use the route(4) table.
- Increased text segment size on arm to 32MB.
- When setting env(1) in an at(1) atrun script, use the "export foo=bar" form. Allows shell to catch variable names that are not valid shell identifiers.
- Fixed r1.12 of ssl(8) x509_att.c which had a NULL pointer dereference in the error path.
- Added option that allows any enabled ssl(8) protocols to be explicitly configured.
- Use raster operation (ROP) function on luna frame buffer. 4bpp wscons(4) putchar now ~20% faster.
- vds(4/sparc64) now supports block devices.
- Reversion fixed in smtpd(8), which had broken table_passwd.
- In ssl(8) check_cert(), reset ctx->current_crl to NULL before freeing it.
- In ssl(8) X509_NAME_get_text_by_OBJ(), made sure we do not pass a negative size to memcpy(3).
- In wdc(4) when doing ioctl(2), fixed leak by ensuring scsi(4) xfer free is done before ata xfer free.
- Properly serialise closing vnode on sparc64. Fixes occasional panic during reboot or when restarting ldomd(8).
- Updated to: xtrans 1.3.5; libXext 1.3.3, libXi 1.7.4, inputproto 2.3.1 and xrandr 1.4.3.
- Provided a ressl config function that explicitly clears keys.
- New API function SSL_CTX_use_certificate_chain(). Allows reading PEM-encoded certificate chain from memory instead of a file.
- Remove a limitation that ignored IPv6 link-local addresses (eg fe80::2%carp0) on carp(4).
- Reverted r1.142 of netstart.
- In ssl(8) X509v3_add_ext() error path, do not free memory that was not allocated.
- In ssl(8) X509_TRUST_add(), check X509_TRUST_get0() return value before dereferencing it; fixed memory leak.
- In pool_destroy(9), enter and leave mutex(9) as necessary to satisfy assertions.
- Updated to: xf86-video-vmware 13.0.2, fontsproto 2.1.3, libXfont 1.5.0 and xserver 1.16.1.
- Disabled WRITE events when closing file descriptor of the I/O bufferevent. Fixes potential event flood in httpd(8).
- In ssl(8), check that the specified curve is one of the client preferences.
- In ssl(8) X509_STORE_get1_certs() and X509_STORE_get1_crls(), check the result of allocations.
- Fixed memory leaks in ssl(8) X509_issuer_and_serial_hash() and X509_STORE_new().
- Use correct format specifiers in various loongson machine dependent code.
- Push sdhc(4) ricoh controllers into "old slow mode" at resume time.
- Reverted part of r1.98 if_run.c which caused a regression on older run(4) devices.
- Reworked piglet and pig memory allocation for more robust hibernation.
- Now that sysctl(8) mp setperf is fixed, activated aggressive apmd(8) throttling again.
- Fixed the calculation of the number of items to prime the pool(9) with in pool_setlowat(9).
- Restored r1.249 of sys/dev/acpi/acpi.c. Upon resume, CPU now runs at speed requested by apm(8).
- Support using pane id as part of session or window specifier and window id as part of session in tmux(1).
- Support ! for last pane in tmux(1).
- Fixed the build when DRMDEBUG is defined.
- Enabled MSI support in msk(4).
- Release the acpi(4) lock when calling wsdisplay_suspend() and wsdisplay_resume(). For better resume.
- Fixed high capacity (> 2GB) eMMC support in sdmmc(4).
- Hide unused, duplicate and/or misleading fields from audioctl(1).
- In ssl(8), check the result from final_finish_mac() against finish_mac_length in ssl3_send_finished().
- In ssl(8), don't record a match with the "finish MAC" if "SSL finished" has a zero-byte payload.
- Implemented atomic_{cas,swap}_{uint,ulong,ptr} and atomic_{add,sub}_{int,long}_nv on hppa.
- On macppc, enabled power saving modes for IBM PowerPC 970 CPUs.
- Reworked pool(9) code to make it mpsafe (can be called without the kernel biglock being held).
- Made packages(7) rsync-friendly. Reduces bandwidth usage by mirrors.
- Fixed an invalid escape sequence in cu(1).
- Allow agp(4) to map a single page without sleeping. Fixes intel(4) drm(4) panic on i386.
- Added CHACHA20 to ssl(8) as a cipher symmetric encryption alias.
- Moved rc.conf(8) from the etc to the base set (any local changes will be overwritten at next upgrade).
- 5.5 and 5.6 SECURITY FIX: ssl(8) session reuse vulnerability (CVE-2014-3616).
- Introduce config_suspend_all(9), to invoke config_suspend(9) in appropriate order. Fixes problems with unflushed disk caches on machines where mpath(4) takes control of some of your disks.
- Stopped sd(4) spinning back up while attempting to spin down some drives.
- Increased number of blowfish(3) rounds to 8 by default (when not specified in login.conf(5)).
- Updated to xkeyboard-config(7) version 2.12.
- Changed screen terminfo(5) entry to have kbs=\177. Fixes problems with "le" editor.
- If there are more than 8 CPUs, top(1) now defaults to combined CPU stats.
- Disabled taking the mutex(9) to read pool(9) stats. Eliminates code paths that try to mtx_enter(9) twice.
- Unlinked sendmail from the build.
- Support ppb(4) bridges subtractive decoding. Fixes issues with pcmcia(4) behind an ATI SB400 PCI bridge.
- Marked the mpi(4) and mpii(4) interrupt handlers mpsafe.
- In httpd(8) and relayd(8), made the HTTP version mandatory and abort if it is missing in the request.
- Made dd(1) error out when negative values are given for sizes on the command line.
- In man.cgi(8), support backslash-escaping of white space in the query expression, similar to apropos(1).
- Made the new isp(4) drivers match at a higher priority than old drivers.
- In sysmerge(8) PKG mode, cope with non-default PREFIX (e.g. /var/www/...).
- Provided a sparc64 version of sqrtl(3) for quad-precision floating point.
- Remove cached 802.11 nodes in IEEE80211_STA_CACHE state. Stops them showing with ifconfig(8) scan.
- On i386/amd64, stopped attempts to synchronise P-state transitions between CPUs. Fixes hangs and suspend/resume when running apmd(8/amd64).
- Inspired by mdoclint(1), made mandoc(1) warn about botched .Xr ordering and punctuation below SEE ALSO; warn about commas in function arguments.
- Implemented membar(9) API for i386.
- Install files that moved from etc to base during "make build" to unbreak updating from src.
- Let httpd(8) handle variations of the "Host" header (eg www.example.com:80, [2001:db8::1], [2001:db8::1]:80).
- If a manpath directory does not exist, mandoc(1) will now silently skip it.
- Fixed scans with various iwn(4) devices.
- If pkg_add(1) not running as root, dismiss user id and groups, replace with root/bin. For FAKE_AS_ROOT=No.
- Made the cleaner, syncer, pagedaemon and aiodone daemons all yield() if CPU is marked SHOULDYIELD.
- Marked the mfi(4) interrupt handler mpsafe; give up biglock in the scsi(4) cmd submission paths.
- Fixed interrupt storm on 2009 Mac minis with WOL enabled on nfe(4) interfaces.
- Stopped uvm(9) sleeping on allocation of hash table entries. Fixes crashes with tmpfs.
- Stopped pflog(4) counting bad packets multiple times.
- Added window_last_flag and window_zoomed_flag to tmux(1).
- 5.6 and -current RELIABILITY FIX: Prevent addition of redundant IPv6 autoconf (SLAAC) addresses.
- Fix a syslogd(8) regression when specifying all 20 additional log paths.
- Implemented membar API for amd64.
- Deleted procfs (always suffered from race conditions and is now unused).
- 5.4 RELIABILITY FIX: Added a one second receive timeout. Avoids stall of receive queue in vio(4).
- 5.4 and 5.5 RELIABILITY FIX: Removed race condition. Stops occasional network hangs in vio(4).
- Updated to mesa version 10.2.7.
- Removed SSL_kDHr, SSL_kDHd and SSL_aDH from ssl(8). No supported ciphersuites use them.
- Use shell substitution instead of dirname in sysmerge(8); fixed installing pkg @sample when target directory is missing; fixed output when a file fails to install.
- 5.6 RELIABILITY FIX: Stopped incorrect RX ring computation, which led to panics under load with bge(4), em(4) and ix(4).
A source code patch is available for 5.6.
- Let roff(7) accept .ll in the prologue; parse and ignore the .pl (page length) request.
- Upgraded inodesc.id_entryno in fsck_ffs(8) to u_int64_t, to handle larger file sizes with FFS2; fixed check for allocated fragments marked free in the bitmap.
- Fixed FastCGI-based WebDAV and CalDAV (calendar) servers with httpd(8).
- httpd(8) server name specification changed to name+address+port. Allows using same server name for multiple servers with different addresses.
- Removed /etc/{hosts,myname} from etc.tgz; made the installer create the /etc/hosts template.
- In perl(1), updated libnet to version 1.27.
- Reworked how pool(9) with large pages (>PAGE_SIZE) are implemented.
- Added *.gz support to apropos(1) -a, man(1), and mandoc(1).
- In ssh(1), tightened permissions on pty(4) when the "tty" group does not exist.
- Be coherent in the way arp(8) and ndp(8) display local entries, use "l" flag to distinguish them; skip broadcast entries (are not real arp(4) entries).
- Make sure broadcast entries won't be freed by the arp(4) timer so we can use them for address lookups.
- Treat broadcast entries like local ones and give them the highest route(4) priority.
- Sync amd64 and i386 GENERIC.MP with other arches by enabling MP_LOCKDEBUG option.
- If crypt(3) fails, smtpd(8) will now return an authentication error.
- Implemented traditional -h option for man(1): show the SYNOPSIS only.
- Initial httpd(8) support for persistent FastCGI connections via chunked Transfer-Encoding.
- Added Jumbo support for BCM5714/5780/5717/5719/5720/57765/57766 bge(4) chipsets.
- Fixed makewhatis(8) bug so apropos(1) and man(1) can find Xenocara manuals via .so links.
- In man(1) mode, change to the right directory before starting the parser. Finds more Xenocara manuals.
- Wake up any waiting clients with the tmux(1) "wait-for" command when the server exits.
- smtpd(8) queue_api.c code will now close the file descriptor if fdopen(3) fails.
- Prevented a null dereference of the urtw(4) configuration descriptor.
- Improved option usage output for ssl(8); converted ssl(8) ecparam to new option/usage handling.
- Applied fix from upstream perl(1) to harden the close() function (RT 37700).
- Replaced the "least recently used" bufcache in vfs_cache(9) with one based on 2Q, for scan resistance.
- On amd64, added implementations of atomic_{inc,dec,add,sub}_{int,long}(9) and atomic_{add,sub}_{int,long}_nv(9).
- Correctly made accept4(2) a cancellation point as per pthread_testcancel(3).
- Backported @file support from binutils-2.17.
- Added uuid(3) support routines to libc.
- Made sysmerge(8) completely silent by default when no file is modified.
- In sysmerge(8) pkg mode, warn if the directory we want to copy an @sample into doesn't exist or is not an @sample.
- In sparc64 ld.so(1), made the handling of PLT entries above the 32k mark thread-safe.
- When a service is not available, made rcctl(8) return ENOENT.
- Introduced a man(1) -l option as an alias for mandoc(1) -a.
- Converted the openssl(1) "version" command to new option/usage handling.
- On lii(4), set the MRU to a full size frame instead of basing it on the MTU.
- Let the MRU always be what the oce(4) chip can do, not what the MTU implies.
- Fixed 2 macppc panics.
- Allow new devices to get an address for xhci(4) when XHCI_DEBUG is defined.
- Fixed checking sync for old synaptics touchpad (ver 5.9) in pckbc(4).
- Allow multiple relayd(8) instances to be configured to forward traffic to the same host.
- Major sysmerge(8) cleanup now that both etc and xetc sets are part of base (-S -s and -x options gone).
- Moved the xetc set into xbase (like etc was moved into base).
- Added openssl(8) option handling for input/output formats, ordered flags, and for argument processing.
- Added mdoc(7) support for .St -susv1 and .St -susv4.
- Made diff(1) -uw produce valid output even when one file doesn't end with a newline.
- Implemented table-driven ssl(8) option parsing. Allows an application to specify valid options and where to store them.
- Ported openssl(1) rand application to the new option parsing and usage.
- Nuked sysctl(8) net.inet6.icmp6.rediraccept and allowed redirects on interfaces with autoconf enabled.
- In newsyslog.conf(5), added httpd(8) default log files to the rotation.
- Added ssl(8) API function ressl_config_set_ecdhcurve to set or disable a non-standard ECDH curve.
- Added support for Curve25519 to iked(8).
- Write all data before closing the httpd(8) server socket if the output buffer is not empty.
- Added missing capability to handle new $2b version of blowfish(3) password encryption for usermod(8) and friends.
- Added an implementation of man(1) into the /usr/bin/mandoc binary; unify command line options for mandoc(1), man(1), apropos(1), and whatis(1).
- Create the etc set during "make build"; it is now embedded in the base set.
- Removed nginx from the base system in favour of OpenBSD's homegrown httpd(8).
- Moved openssl(1) from /usr/sbin/openssl to /usr/bin/openssl.
- Unlinked xfs(1) from the build.
- Added the ability to restrict syslogd(8) to an ip(4) or ip6(4) protocol family.
- Added iked(8) support for DH groups 27-30 using the Brainpool curves as in ssl(8).
- httpd(8) now supports both mime.types flavours (nginx- or apache-style).
- Added generic system-wide /usr/share/misc/mime.types file, usable by httpd.conf(5).
- Moved sending of router solicitations to the kernel. Makes rtsol(8) and rtsold(8) unnecessary.
- Don't allow pasting into input-disabled tmux(1) panes.
- Implemented _NET_WM_STATE_STICKY in cwm(1). Allows client to "stick" to all desktops or groups.
- When using a proxy, made ftp(1) validate the cert hostname against the target hostname, not the proxy hostname.
- Delete secret or secret-derived data in many base utilities with explicit_bzero(3).
- Implementation of bold italic font support for postscript and pdf output in mandoc(1).
- Start all rcctl(8) error messages with "rcctl: " so it is clear where they come from.
- In debug mode, only print the flags relevant to the rc.d(8) we are calling instead of all flags; make it clear when we are using the default flags when none are set.
- Make it possible for rcctl(8) to pass '-d' and '-f' to the rc.d(8) script.
- Removed non-standard GOST cipher suites (which are not compiled in currently) from ssl(8).
- pfctl(8) now makes sure rules have been defined when you specify queues in a rule.
- Switched ndp(8) to display MAC addresses in 00:00:00:00:00:00 format.
- Get arp(8) to print leading zeros in MAC addresses again.
- Disabled use of bind in base (base uses nsd(8)/unbound(8) instead).
- Ensure cwm(1) client that wants to be in nogroup stays in nogroup (thus stays in view), even when (re)reading NET_WM_DESKTOP.
- Made syslogd(8) check host/port length when parsing syslog.conf(5). Avoids nasty error message "syslogd: priv_getaddrinfo: overflow attempt in hostname".
- Set the default nfsd(8) flags to "-tun 4" when launched from rc.d(8).
- Fixed memory leak in isakmpd(8) ike_phase_1.c.
- Fixed acpi(4) sensor status for docking/undocking laptops, to allow sensorsd(8) to correctly detect state changes.
- Bugfix to make whatis(1) case-insensitive again.
- Added Last-Modified: HTTP header to httpd(8).
- Allow syslogd(8) to send and receive udp(4) syslog packets on the IPv6 socket.
- Unbroke sysmerge(8) when "SRCDIR=."
- Limited the mandoc(1) CGI process execution time, to make REDoS attacks less effective.
- Stopped mandoc(1) suppressing white space after .Fl if the next node is a text node on the same input line.
- Made rcctl(8) "status" output match rc.conf(8) format.
- Changed the output of arp(8) to match what ndp(8) does; include the expire timer.
- After nfe(4) allocates an mbuf and cluster, properly init the length fields.
- Implemented rxrinfo ioctl in ix(4) for cluster usage statistics.
- Call audio_{pint,rint}() call-backs with the mutex held.
- When doing "whole disk" installs on macppc, blank the first 1 meg of the disk. Allows successful creation of boot partition.
- Unlinked the crypto(4) pseudo device (disabled by default for about 4 years).
- Made sure eap(4) releases CPU mutexes upon receiving an EINVAL message.
- On i386/amd64, backported support for the "rdtscp" instruction from binutils-2.17.
- Removed the custom jumbo allocator from nfe(4) which was never enabled.
- When sshd(8) is dumping the server configuration, made it print correct KEX, MAC and cipher defaults.
- Introduced rcctl(8), a simple utility for maintaining rc.conf.local(8).
- When a local route(4) entry is added for an ifa having a broadcast address, made it identifiable (by a flag) and persistent.
- Ensure state changes are properly serialised in pms(4). Makes enabling/disabling touchpads more reliable.
- Missing stack var initialisation fixed in ld.so(1).
- Added -4 and -6 flags to tcpbench(1), to specify ipv4 or ipv6 respectively.
- Fixed _exit codes in syslogd(8) privsep.c, which were the wrong way around.
- Fixed read access to uninitialised memory in mandoc(1).
- Removed malloc(3) lock across some mmap(2) syscall(9). Speeds up multithreaded programs.
- Added fancy printing of ktrace(1)'s ops argument to kdump(1).
- Made kdump(1) display symbolically the mode argument of mkdir(1), mkfifo(1), mknod(2) and umask(2).
- /etc/netstart now executed using sh(1) instead of sourcing it.
- Repaired operation of sysctl(8) kern.arandom.
- Removed support for public key operations from ubsec(4) and safe(4).
- lofn(4) and nofn(4) removed as obsolete, due to reliance on the crypto(4) interface.
- Switched to using O_CLOEXEC wherever we open a file and then call fcntl(F_SETFD, FD_CLOEXEC) on it. Reduces system calls and improves thread-safety for libraries.
- More fixes in the attach failure path for ze(4/vax).
- Added bounce matching for [] and {} to mg(1).
- Synced relayd(8) and httpd(8) with RFC 7230-7235 phrases and IANA registered status codes.
- In oce(4), implemented rxrinfo ioctl for cluster usage statistics.
- systat(1) now only shows active pools by default; pressing "A" shows all pools.
- Updated drm(4) to libdrm 2.4.56.
- Began cleanup of scaling units in roff(7).
- Some X(7) resource files moved to /usr/X11R6/share/X11/app-defaults.
- With a non-existent httpd(8) root, removed root prefix from PATH_INFO (useful for virtual FastCGI scripts inside a chroot(8)).
- Made sure tftpd(8) always calls freeaddrinfo(3) after getaddrinfo(3).
- In httpd(8), provided a failsafe version of the path_info() function.
- Correctly set the rtable ID of the packet header when sending pppoe(4) Active Discovery Terminate packets.
- Brought pflow(4) IPFIX sequence numbers in line with the RFC.
- Sync pf.conf(5) behaviour with the man page regarding parent anchors for "once" rules.
- On mips64, stopped uvm_map(9) from receiving addresses outside userland bounds.
- Fixed tmux(1) copy mode problems: in vi mode, include the last character if you moved the cursor up or left; in emacs mode include the last character if you moved the cursor left.
- Added tmux(1) flags to selectp, to enable and disable input to a pane.
- In ksh(1), separately set FD_CLOEXEC if the new fd was >= FDBASE. Affects scripts that directly use 9 of the first 10 file descriptors.
- When dhclient(8) is parsing 32 bit values, verify that we received 4 bytes.
- Validate len field in dhcpd(8) for proper length, not just "not zero."
- Brought back r1.131 of sys/kern/subr_pool.c: take the pools mutex when copying stats out of it in the sysctl(8) path.
- Put back the checks about RTF_LOCAL routes now that userland tools are aware of them.
- Stopped arp(4) and ndp(8) from trying to delete RTF_LOCAL entries.
- Fixed unchecked memory allocation (and potential leak upon error) in ssl(8) ssl3_get_cert_verify().
- Provided ssl3_get_cipher_by_id() function that allows ssl(8) ciphers to be looked up by their ID.
- Always write core file of a non-suid process into pwd(1), even if sysctl(8) kern.nosuidcoredump is 2 or 3.
- Fixed race in relayd(8) that caused non-persistent PUT connections with a short body to hang.
- Removed disabled (weakened export and non-ephemeral DH) cipher suites from the ssl(8) cipher list.
- If pkg_create(1) is run as non-root, restore correct group/owner to root/bin, and remove write permissions without explicit modes.
- Fixed kqueue read/write filters for msdosfs and fuse(4) filesystems.
- Fixed the length check for reinjected icmp(4) packets. Stops divert(4) discarding valid packets shorter than 20 bytes.
- Fixed readelf(1) "--debug-dump=frames-interp" output.
- 5.4 and 5.5 SECURITY FIXES: Backported security fixes from openssl 1.0.1i. A source code patch is available for 5.4 and 5.5.
- Initial sysmerge(8) support for handling configuration files from packages.
- Now that uhub(4) can deal with them, added support for non-root hubs.
- Made uhub(4) correctly recognise Super Speed devices.
- Allow httpd.conf(5) to include the "types" section anywhere in the configuration file.
- Removed tmux(1) support for the continuously reporting "any" mouse mode (never worked properly, rarely used).
- Backport from binutils-2.17 the correct i386/amd64 register->int assignments for CFI.
- Allow httpd(8) to use a fastcgi target as the default index (eg index.php).
- Fixed relayd(8) when using DNS over udp(4) so it continues to work after the first request.
- radeon(4) fixes: only apply hdmi "bpc pll" flags when encoder mode is hdmi; fixed dithering on some panels; fixed lane/clock setup for dp 1.2 capable devices.
- Brought mandoc(1) handling of defective prologues closer to groff.
- Simplified man(7) validation in mandoc(1).
- Fixed mandoc(1) floating point handling. Fixes the indentation of the readline(3) manual.
- Allow httpd(8) to serve empty (0 bytes) files.
- Improved mandoc(1) handling of next-line scope when it is broken by end of file.
- Partial mandoc(1) implementation of .Bd -centred; various improvements related to .Ex and .Rv.
- Made sure asynchronous commands do not race with synchronous ones in xhci(4).
- Improved xhci(4) logic to determine the maximum endpoint service interface time payload.
- Made xhci(4) always report stalls, as umass(4) relies on this information.
- Added support for using "-" as shorthand for stdin/stdout in tradcpp(1).