<!doctype html>
<html lang=en id=release>
<meta charset=utf-8>
<title>OpenBSD 6.1</title>
<meta name="description" content="OpenBSD 6.1">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/61.html">
<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
6.1
</h2>
<table>
<tr>
<td>
<a href="images/Fugu.gif">
<img width="227" height="343" src="images/Fugu.gif" alt="Fugu"></a>
<td>
Released April 11, 2017<br>
Copyright 1997-2017, Theo de Raadt.<br>
<br>
6.1 Song:
<a href="lyrics.html#61">"Winter of 95"</a>.
<br>
<br>
<ul>
<li>See the information on <a href="ftp.html">the FTP page</a> for
a list of mirror machines.
<li>Go to the <code class=reldir>pub/OpenBSD/6.1/</code> directory on
one of the mirror sites.
<li>Have a look at <a href="errata61.html">the 6.1 errata page</a> for a list
of bugs and workarounds.
<li>See a <a href="plus61.html">detailed log of changes</a> between the
6.0 and 6.1 releases.
<p>
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
pubkeys for this release:<p>
<table class=signify>
<tr><td>
openbsd-61-base.pub:
<td>
RWQEQa33SgQSEsMwwVV1+GjzdcQfRNV2Bgo48Ztd2KiZ9bAodz9c+Maa
<tr><td>
openbsd-61-fw.pub:
<td>
RWS91POk0QZXfsqi4aI7MotYz8CPzoHjYg4a1IDi56cftacjsq+ZL/KY
<tr><td>
openbsd-61-pkg.pub:
<td>
RWQbTjGFHEvnOckqY7u9iABhXAkEpF/6TQ3Mr6bMrWbT1wOM/HnbV9ov
</table>
</ul>
<p>
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via <code>ports.tar.gz</code>.
</table>
<hr>
<section id=new>
<h3>What's New</h3>
<p>
This is a partial list of new features and systems included in OpenBSD 6.1.
For a comprehensive list, see the <a href="plus61.html">changelog</a> leading
to 6.1.
<ul>
<li>New/extended platforms:
<ul>
<li>New <a href="https://www.openbsd.org/arm64.html">arm64</a> platform,
using <a href="https://man.openbsd.org/clang-local.1">clang(1)</a>
as the base system compiler.
<li>The <a href="https://www.openbsd.org/armv7.html">armv7</a> platform
has seen some major improvements, including a switch to EABI and
support for a lot more hardware.
<li>The <a href="https://www.openbsd.org/loongson.html">loongson</a>
platform now supports systems with Loongson 3A CPU and RS780E chipset.
<li>The following platforms were retired:
<a href="https://www.openbsd.org/armish.html">armish</a>,
<a href="https://www.openbsd.org/sparc.html">sparc</a>,
<a href="https://www.openbsd.org/zaurus.html">zaurus</a>.
</ul>
<p>
<li>Improved hardware support, including:
<ul>
<li>New <a href="https://man.openbsd.org/acpials.4">acpials(4)</a>
driver for ACPI ambient light sensor devices.
<li>New <a href="https://man.openbsd.org/acpihve.4">acpihve(4)</a>
driver for feeding Hyper-V entropy into the kernel pool.
<li>New <a href="https://man.openbsd.org/acpisbs.4">acpisbs(4)</a>
driver for ACPI Smart Battery devices.
<li>New <a href="https://man.openbsd.org/dwge.4">dwge(4)</a>
driver for Designware GMAC 10/100/Gigabit Ethernet devices.
<li>New <a href="https://man.openbsd.org/loongson/htb.4">htb(4)</a>
driver for Loongson 3A PCI host bridges.
<li>New <a href="https://man.openbsd.org/hvn.4">hvn(4)</a>
driver for Hyper-V networking interfaces.
<li>New <a href="https://man.openbsd.org/hyperv.4">hyperv(4)</a>
driver for the Hyper-V guest nexus device.
<li>New <a href="https://man.openbsd.org/iatp.4">iatp(4)</a>
driver for the Atmel maXTouch touchpad and touchscreen.
<li>New <a href="https://man.openbsd.org/armv7/imxtemp.4">imxtemp(4)</a>
driver for Freescale i.MX6 temperature sensors.
<li>New <a href="https://man.openbsd.org/loongson/leioc.4">leioc(4)</a>
driver for the Loongson 3A low-end IO controller.
<li>New <a href="https://man.openbsd.org/octeon/octmmc.4">octmmc(4)</a>
driver for the OCTEON MMC host controller.
<li>New <a href="https://man.openbsd.org/armv7/ompinmux.4">ompinmux(4)</a>
driver for OMAP pin multiplexing.
<li>New <a href="https://man.openbsd.org/armv7/omwugen.4">omwugen(4)</a>
driver for OMAP wake-up generators.
<li>New <a href="https://man.openbsd.org/armv7/psci.4">psci(4)</a>
driver for the ARM Power State Coordination Interface.
<li>New <a href="https://man.openbsd.org/simplefb.4">simplefb(4)</a>
driver for the simple frame buffer on systems
using a device tree.
<li>New <a href="https://man.openbsd.org/armv7/sximmc.4">sximmc(4)</a>
driver for Allwinner A1X/A20 MMC/SD/SDIO controllers.
<li>New <a href="https://man.openbsd.org/tpm.4">tpm(4)</a>
driver for Trusted Platform Module devices.
<li>New <a href="https://man.openbsd.org/uwacom.4">uwacom(4)</a>
driver for Wacom USB tablets.
<li>New <a href="https://man.openbsd.org/vmmci.4">vmmci(4)</a>
VMM control interface.
<li>New <a href="https://man.openbsd.org/xbf.4">xbf(4)</a>
driver for Xen Blkfront virtual disks.
<li>New <a href="https://man.openbsd.org/luna88k/xp.4">xp(4)</a>
driver for the LUNA-88K HD647180X I/O processor.
<li>Support for Kaby Lake and Lewisburg PCH Ethernet MACs with I219 PHYs
has been added to the
<a href="https://man.openbsd.org/em">em(4)</a> driver.
<li>Support for RTL8153 USB 3.0 Gigabit Ethernet based devices
has been added to the
<a href="https://man.openbsd.org/ure">ure(4)</a> driver.
<li>Improved ACPI support for modern Apple hardware, including S3 suspend
and resume.
<li>Support for X550 family of 10 Gigabit Ethernet based devices
has been added to the
<a href="https://man.openbsd.org/ix">ix(4)</a> driver.
</ul>
<p>
<li>New <a href="https://man.openbsd.org/amd64/vmm.4">vmm(4)</a>/
<a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a>:
<ul>
<li>Support was partially integrated in 6.0, but disabled.
<li>Support for amd64 and i386 hosts.
<li>BIOS payload provided via vmm-firmware, delivered via
<a href="https://man.openbsd.org/fw_update.1">fw_update(1)</a>.
<li>Support for Linux guest VMs.
<li>Better interrupt handling and legacy device emulation.
<li><a href="https://man.openbsd.org/amd64/vmm.4">vmm(4)</a> no longer
requires VMX unrestricted guest capability (Nehalem and later CPUs
are sufficient).
<li>Removed bounce buffers previously used by
<a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> for
<a href="https://man.openbsd.org/vio.4">vio(4)</a> and
<a href="https://man.openbsd.org/vioblk.4">vioblk(4)</a> devices.
<li>Support VMs with > 2GB RAM.
<li><a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> uses
<a href="https://man.openbsd.org/pledge.2">pledge(2)</a> and the
fork+exec model.
<li><a href="https://man.openbsd.org/amd64/vm.conf.5">vm.conf(5)</a>
expanded to include VM ownership rules (uid/gid).
<li><a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a>/
<a href="https://man.openbsd.org/amd64/vm.conf.5">vm.conf(5)</a>
supports automatic
<a href="https://man.openbsd.org/bridge.4">bridge(4)</a> and
<a href="https://man.openbsd.org/switch.4">switch(4)</a> configuration
for VM network interfaces.
<li><a href="https://man.openbsd.org/amd64/vmctl.8">vmctl(8)</a> supports
graceful VM shutdown via
<a href="https://man.openbsd.org/amd64/vmmci.4">vmmci(4)</a>.
</ul>
<p>
<li>IEEE 802.11 wireless stack improvements:
<ul>
<li>The <a href="https://man.openbsd.org/ral.4">ral(4)</a> driver
now supports Ralink RT3900E (RT5390, RT3292) devices.
<li>The <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and
<a href="https://man.openbsd.org/iwn.4">iwn(4)</a> drivers
now support the short guard interval (SGI) in 11n mode.
<li>Added a new implementation of MiRa, a rate adaptation algorithm
designed for 802.11n.
<li>The <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> driver
now supports 802.11n MIMO (MCS 0-15).
<li>The <a href="https://man.openbsd.org/athn.4">athn(4)</a> driver
now supports 802.11n, featuring MIMO (MCS 0-15) and hostap mode.
<li>The <a href="https://man.openbsd.org/iwn.4">iwn(4)</a> driver
now receives MIMO frames in monitor mode.
<li>The <a href="https://man.openbsd.org/rtwn.4">rtwn(4)</a> and
<a href="https://man.openbsd.org/urtwn.4">urtwn(4)</a> drivers
now use AMRR rate adaptation (8188EU and 8188CE devices only).
<li>TKIP/WPA1 was disabled by default because of inherent weaknesses
in this protocol.
</ul>
<p>
<li>Generic network stack improvements:
<ul>
<li>New <a href="https://man.openbsd.org/switch.4">switch(4)</a>
pseudo-device together with new
<a href="https://man.openbsd.org/switchd.8">switchd(8)</a> and
<a href="https://man.openbsd.org/switchctl.8">switchctl(8)</a>
programs.
<li>New <a href="https://man.openbsd.org/mobileip.4">mobileip(4)</a>
operation mode for the
<a href="https://man.openbsd.org/gre.4">gre(4)</a>
pseudo-device.
<li>Multipoint-to-multipoint mode in
<a href="https://man.openbsd.org/vxlan.4">vxlan(4)</a>.
<li><a href="https://man.openbsd.org/route.8">route(8)</a>
and netstat -r display all routing flags correctly and they
are completely documented in the
<a href="https://man.openbsd.org/netstat.1">netstat(1)</a>
man page.
<li>When sending TCP streams they are locally stored in large
mbuf clusters to improve memory management.
The maximum TCP send and receive buffer size has been
increased from 256KB to 2MB.
Note that this results in a different
<a href="https://man.openbsd.org/pf.4">pf(4)</a>
OS fingerprint for OpenBSD.
The default limit for mbuf clusters has been increased.
You can check the values with
<a href="https://man.openbsd.org/netstat.1">netstat(1)</a>
-m and adjust them with
<a href="https://man.openbsd.org/sysctl.8">sysctl(8)</a>
kern.maxclusters.
<li>Make the TCP_NOPUSH flag work for
<a href="https://man.openbsd.org/listen.2">listen(2)</a>
sockets.
It is inherited by the socket returned from
<a href="https://man.openbsd.org/accept.2">accept(2)</a>.
<li>A lot of code has been removed or simplified to make the
transition to multi-processor easier.
Redesign the interrupt and multi-processor locks in the
network stack.
<li>When passing packets from the network stack to the
interface layer, make sure that they have no pointers to
<a href="https://man.openbsd.org/pf.4">pf(4)</a>
which could result in a memory free operation at the wrong
protection level.
<li>Fix checksum calculation in
<a href="https://man.openbsd.org/pf.4">pf(4)</a>
af-to ICMP packet conversions.
Simplify af-to processing and fix path MTU discovery in
some corner cases.
<li>Improve IPv6 fragment processing.
Drop empty atomic fragments early.
Be more paranoid when IPv6 hop-by-hop headers appear after
fragment headers.
Follow RFC 5722 "Handling of Overlapping IPv6 Fragments"
more strictly in
<a href="https://man.openbsd.org/pf.4">pf(4)</a>.
RFC 8021 "IPv6 Atomic Fragments Considered Harmful" deprecates
generating atomic fragments, so do not send them anymore.
<li>Depending on the addresses,
<a href="https://man.openbsd.org/ipsecctl.8">ipsecctl(8)</a>
may automatically group SA bundles together.
To make clear what is going on, the kernel provides this
information and ipsecctl -s sa prints IPsec SA bundles.
<li>A new routing socket message type, RTM_PROPOSAL, was added to
facilitate future improvements to the network configuration process.
</ul>
<p>
<li>Installer improvements:
<ul>
<li>The installer now uses privilege separation for fetching and
verifying the install sets.
<li>Install sets are now fetched over an HTTPS connection by default
when using a <a href="ftp.html">mirror</a> that supports it.
<li>The installer now considers all of the DHCP information in filename,
bootfile-name, server-name, tftp-server-name, and next-server when
attempting to do automatic installs or upgrades.
<li>The installer no longer adds a route to an alias IP via 127.0.0.1, due
to improvements in the kernel routing components.
</ul>
<p>
<li>Routing daemons and other userland network improvements:
<ul>
<li><a href="https://man.openbsd.org/ping.8">ping(8)</a> and
<a href="https://man.openbsd.org/ping6.8">ping6(8)</a> are now the same
binary and share the engine.
<li><a href="https://man.openbsd.org/ripd.8">ripd(8)</a> now supports
p2p links with addresses in different subnets.
<li>UDP speakers can specify an IPv4 source address using
<code>IP_SENDSRCADDR</code>.
<a href="https://man.openbsd.org/iked.8">iked(8)</a>
and <a href="https://man.openbsd.org/snmpd.8">snmpd(8)</a> now
use the proper source address when sending replies.
<li><a href="https://man.openbsd.org/iked.8">iked(8)</a> now
supports ECDSA and RFC 7427 signatures for authentication.
<li><a href="https://man.openbsd.org/iked.8">iked(8)</a> now
supports replying to IKEv2 responder cookies.
<li>Many fixes and improvements for
<a href="https://man.openbsd.org/iked.8">iked(8)</a> and
<a href="https://man.openbsd.org/ikectl.8">ikectl(8)</a>, including
various fixes for rekeying.
<li><a href="https://man.openbsd.org/ospfd.8">ospfd(8)</a> and
<a href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a> now cope
with interface MTU change at runtime.
<li><a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> now supports
BGP Large Communities
(<a href="https://www.rfc-editor.org/rfc/rfc8092.txt">RFC 8092</a>).
<li><a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a> now supports
BGP Administrative Shutdown Communication
(<a href="https://www.ietf.org/id/draft-ietf-idr-shutdown.txt">draft-ietf-idr-shutdown</a>).
</ul>
<p>
<li>Security improvements:
<ul>
<li>Enforcement of userland W^X on OCTEON Plus and later.
<li>All shared libraries, all dynamic and static-PIE executables, and
<a href="https://man.openbsd.org/ld.so.1">ld.so(1)</a> itself use
the RELRO ("read-only after relocation") design such that
more of the initial data is protected as read-only.
<li>The size of user virtual address space has been increased
from 2GB to 1TB on mips64.
<li>PIE and -static -pie on arm.
<li><a href="https://man.openbsd.org/route6d.8">route6d(8)</a> now
runs with fewer privileges.
<li>For incoming TLS connections
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
can validate client certificates with a given CA file.
<li>The privileged parent process of
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
calls
<a href="https://man.openbsd.org/execve.2">exec(2)</a>
to reshuffle its random memory layout.
<li>New function
<a href="https://man.openbsd.org/recallocarray.3">recallocarray(3)</a>
to reduce the risk of incorrect clearing of memory before and after
<a href="https://man.openbsd.org/reallocarray.3">reallocarray(3)</a>.
<li><a href="https://man.openbsd.org/sha2.3">SHA512_256</a> family
of functions added to libc.
<li>arm added to the list of archs where the
<a href="https://man.openbsd.org/setjmp.3">setjmp(3)</a>
family of functions apply XOR cookies to stack and return-address
values in the jmpbuf.
<li><a href="https://man.openbsd.org/printf.3">printf(3)</a> family
of formatting functions now report to syslog when the %s
format is used with a NULL pointer.
<li>Heap buffer overflow detection has been improved when the C
<a href="https://man.openbsd.org/malloc.3">malloc(3)</a> option is used.
The existing S option now includes C.
<li>Support for permitting non-root users to
<a href="https://man.openbsd.org/mount.8">mount(8)</a> filesystems
has been removed.
<li><a href="https://man.openbsd.org/bioctl.8">bioctl(8)</a> now uses
<a href="https://man.openbsd.org/bcrypt_pbkdf.3">bcrypt PBKDF</a> to
derive keys for
<a href="https://man.openbsd.org/softraid.4">softraid(4)</a> crypto
volumes.
</ul>
<p>
<li><a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>/
<a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>/
<a href="https://man.openbsd.org/dhcrelay.8">dhcrelay(8)</a> improvements:
<ul>
<li>Add DHO_BOOTFILE_NAME and DHO_TFTP_SERVER to the options requested by default.
<li>Add support for RFC 6842 (Client Identifier Option in DHCP Server Replies).
<li>Stop leaking option data received on the udp socket.
<li>Stop pretending we use RFC 3046/Option 82/Relay Agent Information.
<li>Stop recording ignored DHO_ROUTERS and DHO_STATIC_ROUTES options in the effective lease.
<li>Use only leases from no SSID or the current SSID when restarting.
<li>Reduce default values for various timeouts to something more
appropriate to modern networks.
<li>Fix issues with redundant dhcpd servers and CARP'd interfaces.
<li>Switch to standard logging functions.
<li>Fix vis/unvis of strings in
<a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> leases files.
</ul>
<p>
<li>Assorted improvements:
<ul>
<li>New <a href="https://man.openbsd.org/syspatch.8">syspatch(8)</a>
utility for security and reliability binary updates to the base
system.
<li><a href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>, a
privilege separated Automatic Certificate Management Environment
(ACME) client written by Kristaps Dzonsons has been imported.
<li>New, simplified
<a href="https://man.openbsd.org/xenodm.1">xenodm(1)</a>
X11 display manager forked from
<a href="https://man.openbsd.org/OpenBSD-6.0/xdm.1">xdm(1)</a>.
<li>Unicode version 8 character properties in the C library.
<li>Partial UTF-8 line editing support for
<a href="https://man.openbsd.org/ksh.1">ksh(1)</a> Vi input mode.
<li>UTF-8 support in
<a href="https://man.openbsd.org/column.1">column(1)</a>.
<li>The performance and concurrency of the
<a href="https://man.openbsd.org/malloc.3">malloc(3)</a> family
in multi-threaded processes has been improved.
<li>Estonian keyboard support.
<li><a href="https://man.openbsd.org/read.2">read(2)</a> on
directories now fails instead of returning 0.
<li>Support for the <code>RES_USE_EDNS0</code> and <code>RES_USE_DNSSEC</code>
flags has been added to the
<a href="https://man.openbsd.org/resolver.3">resolver(3)</a>
implementation.
<li><a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
limits the socket buffer for TCP and TLS connections to 64K
to avoid wasting kernel memory.
<li><a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
supports the option -Z to print the timestamp in RFC 5424
ISO format.
This logs everything in UTC including the year, timezone
and fractions of seconds.
The default is still RFC 3164 BSD syslog time format.
<li>When log files are rotated,
<a href="https://man.openbsd.org/newsyslog.8">newsyslog(8)</a>
writes the creation time in UTC ISO format into the first line.
<li>The
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
options -a, -T, and -U can be given more than once to specify
multiple input sources.
<li>Improve the
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
output and diagnostics in case the klog buffer
overflows.
<li>Make SIGHUP handling in
<a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
more reliable.
<li>Let <a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
tolerate most errors on startup.
Keep running and receive messages from all working subsystems,
but do not die.
<li>The <a href="https://man.openbsd.org/syslog.3">syslog(3)</a>
priority of fatal and warning messages of various daemons
has been adjusted.
<li>An NMI sends the amd64 kernel into
<a href="https://man.openbsd.org/ddb.4">ddb(4)</a>
more reliably.
<li><a href="https://man.openbsd.org/ld.so.1">ld.so(1)</a> now
supports the DT_PREINITARRAY, DT_INITARRAY, DT_FINIARRAY, DT_FLAGS,
and DT_RUNPATH dynamic tags.
<li><a href="https://man.openbsd.org/kdump.1">kdump(1)</a>
now dumps the fds returned by
<a href="https://man.openbsd.org/pipe.2">pipe(2)</a> and
<a href="https://man.openbsd.org/socketpair.2">socketpair(2)</a>.
<li>Added support to <a href="https://man.openbsd.org/doas.1">doas(1)</a>
for session-locked persistent authentication.
<li>Use a hardware register for the thread pointer on arm for improved
performance in multi-threaded processes.
<li>SGI boot blocks now consult the OpenBSD
<a href="https://man.openbsd.org/disklabel.5">disklabel(5)</a>
to locate the root filesystem.
This reduces constraints on disk partitioning.
<li><a href="https://man.openbsd.org/iec.4">iec(4)</a>
no longer hangs when its transmit ring gets full.
<li><a href="https://man.openbsd.org/sq.4">sq(4)</a>
has been fixed to accept broadcast frames in non-promiscuous mode
when no IP address is configured.
This lets the interface work with DHCP.
<li>Multiprocessor-safe PCI interrupt handlers are run
without the kernel lock on OpenBSD/sgi.
<li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> now unconditionally
sets the size of the protective MBR's EFI GPT partition to UINT32_MAX.
<li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> now respects the
current MBR or GPT format when initializing a disk.
<li><a href="https://man.openbsd.org/softraid.4">softraid(4)</a> now uses
sufficient parallel i/o's to efficiently rebuild RAID5 volumes.
<li><a href="https://man.openbsd.org/asr_run.3">asr</a> now accepts UDP
packets of up to 4096 bytes to account for broken DNS servers.
<li><a href="https://man.openbsd.org/umass.4">umass(4)</a> no longer assumes
that ATAPI or UFI devices have only 1 LUN.
<li><a href="https://man.openbsd.org/scsi.4">scsi(4)</a> now correctly
detects end of tape on LTO5 devices.
<li><a href="https://man.openbsd.org/httpd.8">httpd(8)</a> supports
SNI
via <a href="https://man.openbsd.org/tls_config_add_keypair_ocsp_mem.3">libtls</a>
to allow for multiple https sites on a single IP address.
<li><a href="https://man.openbsd.org/ocspcheck.8">ocspcheck(8)</a>
has been added, and can be used to check the OCSP status of
certificates. The corresponding responses can be saved for later use in OCSP stapling.
<li><a href="https://man.openbsd.org/httpd.8">httpd(8)</a> supports
OCSP stapling
via <a href="https://man.openbsd.org/tls_config_add_keypair_ocsp_mem.3">libtls</a>
to permit OCSP responses to be stapled to the TLS handshake.
<li><a href="https://man.openbsd.org/nc.1">nc(1)</a> now also
supports OCSP stapling server side, and will show the stapling information
client side.
<li>Both <a href="https://man.openbsd.org/relayd.8">relayd(8)</a> and
<a href="https://man.openbsd.org/httpd.8">httpd(8)</a> now support
TLS session resumption using TLS session tickets.
See the respective configuration man page for more information.
<li>With the -f option
<a href="https://man.openbsd.org/sensorsd.8">sensorsd(8)</a>
can use an alternative config file.
</ul>
<p>
<li>OpenSMTPD 6.0.0
<ul>
<li>Added support for providing an alternate subaddressing delimiter
<li>Made the daemon less verbose in logs when exiting
<li>Improved the io layer to simplify code across the daemon
<li>Added support for matching authenticated sessions in the ruleset
<li>Assorted code and documentation cleanups
</ul>
<p>
<li>OpenSSH 7.4
<ul>
<li>Security:
<ul>
<li>ssh-agent(1): Will now refuse to load PKCS#11 modules from paths
outside a trusted whitelist (run-time configurable). Requests to
load modules could be passed via agent forwarding and an attacker
could attempt to load a hostile PKCS#11 module across the forwarded
agent channel: PKCS#11 modules are shared libraries, so this would
result in code execution on the system running the ssh-agent if the
attacker has control of the forwarded agent-socket (on the host
running the sshd server) and the ability to write to the filesystem
of the host running ssh-agent (usually the host running the ssh
client).
<li>sshd(8): When privilege separation is disabled, forwarded
Unix-domain sockets would be created by sshd(8) with the privileges of
'root' instead of the authenticated user. This release refuses
Unix-domain socket forwarding when privilege separation is disabled
(Privilege separation has been enabled by default for 14 years).
<li>sshd(8): Avoid theoretical leak of host private key material to
privilege-separated child processes via realloc() when reading
keys. No such leak was observed in practice for normal-sized keys,
nor does a leak to the child processes directly expose key material
to unprivileged users.
<li>sshd(8): The shared memory manager used by pre-authentication
compression support had a bounds check that could be elided by
some optimising compilers. Additionally, this memory manager was
incorrectly accessible when pre-authentication compression was
disabled. This could potentially allow attacks against the
privileged monitor process from the sandboxed privilege-separation
process (a compromise of the latter would be required first).
This release removes support for pre-authentication compression
from sshd(8).
<li>sshd(8): Fix denial-of-service condition where an attacker who
sends multiple KEXINIT messages may consume up to 128MB per
connection.
<li>sshd(8): Validate address ranges for AllowUsers and DenyUsers
directives at configuration load time and refuse to accept invalid
ones. It was previously possible to specify invalid CIDR address
ranges (e.g. user@127.1.2.3/55) and these would always match,
possibly resulting in granting access where it was not intended.
<li>ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures
that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed.
</ul>
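<p>
The AllowUsers/DenyUsers item above describes validating CIDR ranges when the configuration is loaded rather than at match time. The following C program is an added example of that kind of load-time check; it is not OpenSSH code, and the names <code>cidr_parse</code>, <code>cidr_match</code> and <code>pattern_validate</code> as well as the sample patterns are hypothetical.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parsed form of an "addr/masklen" range (not an OpenSSH type). */
struct cidr {
    int family;              /* AF_INET or AF_INET6 */
    unsigned char addr[16];  /* address bytes in network order */
    int masklen;             /* prefix length in bits */
};

/* Parse "addr/masklen" or a bare "addr". Returns 0 on success, -1 if the
 * address is unparsable or the prefix length is out of range for the family. */
int cidr_parse(const char *s, struct cidr *out)
{
    char buf[INET6_ADDRSTRLEN + 5];
    char *slash, *end;
    long ml;
    int maxbits;

    if (strlen(s) >= sizeof(buf))
        return -1;
    strcpy(buf, s);
    if ((slash = strchr(buf, '/')) != NULL)
        *slash++ = '\0';

    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, buf, out->addr) == 1) {
        out->family = AF_INET;
        maxbits = 32;
    } else if (inet_pton(AF_INET6, buf, out->addr) == 1) {
        out->family = AF_INET6;
        maxbits = 128;
    } else {
        return -1;
    }
    if (slash == NULL) {
        out->masklen = maxbits;          /* bare address: exact match */
        return 0;
    }
    if (*slash < '0' || *slash > '9')    /* rejects "", "-1", "+8", " 8" */
        return -1;
    ml = strtol(slash, &end, 10);
    if (*end != '\0' || ml > maxbits)    /* rejects "8x" and e.g. /55 on IPv4 */
        return -1;
    out->masklen = (int)ml;
    return 0;
}

/* Returns 1 if addr lies inside net, 0 if not, -1 if addr is unparsable. */
int cidr_match(const struct cidr *net, const char *addr)
{
    unsigned char a[16];
    int fam, full = net->masklen / 8, rem = net->masklen % 8;

    if (inet_pton(AF_INET, addr, a) == 1)
        fam = AF_INET;
    else if (inet_pton(AF_INET6, addr, a) == 1)
        fam = AF_INET6;
    else
        return -1;
    if (fam != net->family || memcmp(a, net->addr, (size_t)full) != 0)
        return 0;
    if (rem != 0) {
        unsigned char m = (unsigned char)(0xff << (8 - rem));
        if ((a[full] & m) != (net->addr[full] & m))
            return 0;
    }
    return 1;
}

/* Load-time check of one "user" or "user@addr/masklen" pattern.
 * Simplification: only host parts containing '/' are treated as CIDR ranges.
 * Returns 0 if the pattern may be kept, -1 if the configuration must be refused. */
int pattern_validate(const char *pattern)
{
    const char *at = strrchr(pattern, '@');
    struct cidr c;

    if (at == NULL || strchr(at + 1, '/') == NULL)
        return 0;
    return cidr_parse(at + 1, &c);
}

int main(void)
{
    /* Constructed sample patterns; the second is the invalid range from the text. */
    const char *patterns[] = { "alice@192.0.2.0/24", "user@127.1.2.3/55",
                               "bob@2001:db8::/32", "carol@::1/129" };
    size_t i;
    int bad = 0;

    for (i = 0; i < sizeof(patterns) / sizeof(patterns[0]); i++) {
        int r = pattern_validate(patterns[i]);
        printf("%-22s %s\n", patterns[i], r == 0 ? "ok" : "REFUSED");
        bad += (r != 0);
    }
    /* Fail closed: a single invalid range rejects the whole configuration. */
    return bad ? 1 : 0;
}
```

Refusing the configuration outright, instead of skipping the bad entry, keeps a typo in an allow rule from silently widening access.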
<li>New/changed features:
<ul>
<li>Server support for the SSH v.1 protocol has been removed.
<li>ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit
block ciphers are not safe in 2016 and we don't want to wait until
attacks like SWEET32 are extended to SSH. As 3des-cbc was the
only mandatory cipher in the SSH RFCs, this may cause problems
connecting to older devices using the default configuration,
but it's highly likely that such devices already need explicit
configuration for key exchange and hostkey algorithms
anyway.
<li>sshd(8): Remove support for pre-authentication compression.
Doing compression early in the protocol probably seemed reasonable
in the 1990s, but today it's clearly a bad idea in terms of both
cryptography (cf. multiple compression oracle attacks in TLS) and
attack surface. Pre-auth compression support has been disabled by
default for >10 years. Support remains in the client.
<li>ssh-agent will refuse to load PKCS#11 modules outside a whitelist
of trusted paths by default. The path whitelist may be specified
at run-time.
<li>sshd(8): When a forced-command appears in both a certificate and
an authorized keys/principals command= restriction, sshd will now
refuse to accept the certificate unless they are identical.
The previous (documented) behaviour of having the certificate
forced-command override the other could be a bit confusing and
error-prone.
<li>sshd(8): Remove the UseLogin configuration directive and support
for having /bin/login manage login sessions.
<li>ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the
version in PuTTY by Simon Tatham. This allows a multiplexing
client to communicate with the master process using a subset of
the SSH packet and channels protocol over a Unix-domain socket,
with the main process acting as a proxy that translates channel
IDs, etc. This allows multiplexing mode to run on systems that
lack file-descriptor passing (used by current multiplexing
code) and potentially, in conjunction with Unix-domain socket
forwarding, with the client and multiplexing master process on
different machines. Multiplexing proxy mode may be invoked using
"ssh -O proxy ..."
<li>sshd(8): Add a sshd_config DisableForwarding option that disables
X11, agent, TCP, tunnel and Unix domain socket forwarding, as well
as anything else we might implement in the future. Like the
'restrict' authorized_keys flag, this is intended to be a simple
and future-proof way of restricting an account.
<li>sshd(8), ssh(1): Support the "curve25519-sha256" key exchange
method. This is identical to the currently-supported method named
"curve25519-sha256@libssh.org".
<li>sshd(8): Improve handling of SIGHUP by checking to see if sshd is
already daemonised at startup and skipping the call to daemon(3)
if it is. This ensures that a SIGHUP restart of sshd(8) will
retain the same process-ID as the initial execution. sshd(8) will
also now unlink the PidFile prior to SIGHUP restart and re-create
it after a successful restart, rather than leaving a stale file in
the case of a configuration error.
<li>sshd(8): Allow ClientAliveInterval and ClientAliveCountMax
directives to appear in sshd_config Match blocks.
<li>sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match
those supported by AuthorizedKeysCommand (key, key type,
fingerprint, etc.) and a few more to provide access to the
contents of the certificate being offered.
<li>Added regression tests for string matching, address matching and
string sanitisation functions.
<li>Improved the key exchange fuzzer harness.
<li>Deprecate the sshd_config UsePrivilegeSeparation
option, thereby making privilege separation mandatory. Privilege
separation has been on by default for almost 15 years and
sandboxing has been on by default for almost the last five.
<li>ssh(1), sshd(8): Support "=-" syntax to easily remove methods from
algorithm lists, e.g. Ciphers=-*cbc.
</ul>
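<p>
The "=-" removal syntax above (e.g. Ciphers=-*cbc) filters the default algorithm list instead of replacing it. The following C sketch is an added example, not OpenSSH's own code: SAMPLE_DEFAULTS is a constructed list rather than the real default set, and glob_match(), matches_any() and resolve_alg_list() are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample list for this demo; not OpenSSH's real default set. */
const char SAMPLE_DEFAULTS[] =
    "chacha20-poly1305@openssh.com,aes128-ctr,aes256-ctr,"
    "aes128-gcm@openssh.com,aes128-cbc,aes256-cbc,3des-cbc";

/* Match s[0..slen) against pattern p[0..plen); '*' and '?' are wildcards. */
static int glob_match(const char *p, size_t plen, const char *s, size_t slen)
{
    if (plen == 0)
        return slen == 0;
    if (*p == '*')
        return glob_match(p + 1, plen - 1, s, slen) ||
            (slen > 0 && glob_match(p, plen, s + 1, slen - 1));
    return slen > 0 && (*p == '?' || *p == *s) &&
        glob_match(p + 1, plen - 1, s + 1, slen - 1);
}

/* Return 1 if the name matches any comma-separated pattern in pats. */
static int matches_any(const char *pats, const char *name, size_t nlen)
{
    while (*pats != '\0') {
        size_t plen = strcspn(pats, ",");
        if (plen > 0 && glob_match(pats, plen, name, nlen))
            return 1;
        pats += plen + (pats[plen] == ',');
    }
    return 0;
}

/*
 * Resolve an algorithm-list value against the defaults: a value starting
 * with '-' removes matching names from the defaults, any other value
 * replaces them. Returns 0 on success, -1 if out is too small.
 */
int resolve_alg_list(const char *defaults, const char *value,
    char *out, size_t outlen)
{
    size_t used = 0;

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    if (value[0] != '-') {
        int n = snprintf(out, outlen, "%s", value);
        return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
    }
    while (*defaults != '\0') {
        size_t nlen = strcspn(defaults, ",");
        if (nlen > 0 && !matches_any(value + 1, defaults, nlen)) {
            int n = snprintf(out + used, outlen - used, "%s%.*s",
                used ? "," : "", (int)nlen, defaults);
            if (n < 0 || (size_t)n >= outlen - used)
                return -1;
            used += (size_t)n;
        }
        defaults += nlen + (defaults[nlen] == ',');
    }
    return 0;
}
```

Because removal is applied to the defaults, algorithms added to the default set by a later release stay enabled, whereas an explicit replacement list would have to be maintained by hand.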
<li>The following significant bugs have been fixed in this release:
<ul>
<li>ssh(1): Allow IdentityFile to successfully load and use
certificates that have no corresponding bare public key, e.g. a
certificate id_rsa-cert.pub (and no id_rsa.pub).
<li>ssh(1): Fix public key authentication when multiple
authentication is in use and publickey is not just the first
method attempted.
<li>ssh-agent(1), ssh(1): improve reporting when attempting to load
keys from PKCS#11 tokens with fewer useless log messages and more
detail in debug messages.
<li>ssh(1): When tearing down ControlMaster connections, don't
pollute stderr when LogLevel=quiet.
<li>sftp(1): On ^Z wait for underlying ssh(1) to suspend before
suspending sftp(1) to ensure that ssh(1) restores the terminal mode
correctly if suspended during a password prompt.
<li>ssh(1): Avoid busy-wait when ssh(1) is suspended during a password
prompt.
<li>ssh(1), sshd(8): Correctly report errors during sending of
ext-info messages.
<li>sshd(8): fix NULL-deref crash if sshd(8) received an
out-of-sequence NEWKEYS message.
<li>sshd(8): Correct list of supported signature algorithms sent in
the server-sig-algs extension.
<li>sshd(8): Fix sending ext_info message if privsep is disabled.
<li>sshd(8): more strictly enforce the expected ordering of privilege
separation monitor calls used for authentication and allow them
only when their respective authentication methods are enabled
in the configuration.
<li>sshd(8): Fix uninitialised optlen in getsockopt() call; harmless
on Unix/BSD but potentially crashy on Cygwin.
<li>Fix false positive reports caused by explicit_bzero(3) not being
recognised as a memory initialiser when compiled with
-fsanitize-memory.
<li>sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for
configuration examples.
<li>sshd(8): Fix NULL dereference crash when key exchange start
messages are sent out of sequence.
<li>ssh(1), sshd(8): Allow form-feed characters to appear in
configuration files.
<li>sshd(8): Fix regression in OpenSSH 7.4 support for the
server-sig-algs extension, where SHA2 RSA signature methods were
not being correctly advertised.
<li>ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in
known_hosts processing.
<li>ssh(1): Allow ssh to use certificates accompanied by a private key
file but no corresponding plain *.pub public key.
<li>ssh(1): When updating hostkeys using the UpdateHostKeys option,
accept RSA keys if HostkeyAlgorithms contains any RSA keytype.
Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-*
methods were enabled in HostkeyAlgorithms and not the old ssh-rsa
method.
<li>ssh(1): Detect and report excessively long configuration file
lines.
<li>Merge a number of fixes found by Coverity and reported via Red Hat
and FreeBSD. Includes fixes for some memory and file descriptor
leaks in error paths.
<li>ssh-keyscan(1): Correctly hash hosts with a port number.
<li>ssh(1), sshd(8): When logging long messages to stderr, don't truncate
"\r\n" if the length of the message exceeds the buffer.
<li>ssh(1): Fully quote [host]:port in generated ProxyJump/-J
command-line; avoid confusion over IPv6 addresses and shells that treat
square bracket characters specially.
<li>ssh-keygen(1): Fix corruption of known_hosts when running
"ssh-keygen -H" on a known_hosts containing already-hashed entries.
<li>Fix various fallout and sharp edges caused by removing SSH protocol
1 support from the server, including the server banner string being
incorrectly terminated with only \n (instead of \r\n), confusing
error messages from ssh-keyscan, and a segfault in sshd
if protocol v.1 was enabled for the client and sshd_config
contained references to legacy keys.
<li>ssh(1), sshd(8): Free fd_set on connection timeout.
<li>sshd(8): Fix Unix domain socket forwarding for root (regression in
OpenSSH 7.4).
<li>sftp(1): Fix division by zero crash in "df" output when server
returns zero total filesystem blocks/inodes.
<li>ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors
encountered during key loading to more meaningful error codes.
<li>ssh-keygen(1): Sanitise escape sequences in key comments sent to
printf but preserve valid UTF-8 when the locale supports it.
<li>ssh(1), sshd(8): Return reason for port forwarding failures where
feasible rather than always "administratively prohibited".
<li>sshd(8): Fix deadlock when AuthorizedKeysCommand or
AuthorizedPrincipalsCommand produces a lot of output and a key is
matched early.
<li>ssh(1): Fix typo in ~C error message for bad port forward
cancellation.
<li>ssh(1): Show a useful error message when included config files
can't be opened.
<li>sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page
(previously incorrectly) advertised.
<li>sshd_config(5): Repair accidentally-deleted mention of %k token
in AuthorizedKeysCommand.
<li>sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM.
<li>ssh-agent(1): Relax PKCS#11 whitelist to include libexec and
common 32-bit compatibility library directories.
<li>sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME
response handling.
<li>ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted
keys. It was not possible to delete them except by specifying
their full physical path.
</ul>
</ul>
<p>
<li>LibreSSL 2.5.3
<ul>
<li>libtls now supports ALPN and SNI
<li>libtls adds a new callback interface for integrating custom IO
functions. Thanks to Tobias Pape.
<li>libtls now handles 4 cipher suite groups:
<ul>
<li>"secure" (TLSv1.2+AEAD+PFS)
<li>"compat" (HIGH:!aNULL)
<li>"legacy" (HIGH:MEDIUM:!aNULL)
<li>"insecure" (ALL:!aNULL:!eNULL)
</ul>
This allows for flexibility and finer grained control, rather than
having two extremes (an issue raised by Marko Kreen some time ago).
<li>Tightened error handling for tls_config_set_ciphers().
<li>libtls now always loads CA, key and certificate files at the time the
configuration function is called. This simplifies code and results in
a single memory based code path being used to provide data to libssl.
<li>Added support for OCSP intermediate certificates.
<li>Added X509_check_host(), X509_check_email(), X509_check_ip(), and
X509_check_ip_asc() functions, via BoringSSL.
<li>Added initial support for iOS, thanks to Jacob Berkman.
<li>Improved behavior of arc4random on Windows when using memory leak
analysis software.
<li>Correctly handle an EOF that occurs prior to the TLS handshake
completing. Reported by Vasily Kolobkov, based on a diff from Marko
Kreen.
<li>Limit the support of the "backward compatible" SSLv2 handshake to
only be used if TLS 1.0 is enabled.
<li>Fix BN_mod_word() returning incorrect results in certain cases on
64-bit systems. BN_mod_word() can now return an error condition.
Thanks to Brian Smith.
<li>Added constant-time updates to address CVE-2016-0702.
<li>Fixed undefined behavior in BN_GF2m_mod_arr().
<li>Removed unused Cryptographic Message Support (CMS).
<li>More conversions of long long idioms to time_t.
<li>Improved compatibility by avoiding printing NULL strings with
printf.
<li>Reverted change that cleans up the EVP cipher context in
EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the
previous behaviour.
<li>Avoid unbounded memory growth in libssl, which can be triggered
by a TLS client repeatedly renegotiating and sending OCSP Status
Request TLS extensions.
<li>Avoid falling back to a weak digest for (EC)DH when using SNI
with libssl.
<li>X509_cmp_time() now passes a malformed GeneralizedTime field as
an error. Reported by Theofilos Petsios.
<li>Check for and handle failure of HMAC_{Update,Final} or
EVP_DecryptUpdate().
<li>Massive update and normalization of manpages, conversion to
mandoc format. Many pages were rewritten for clarity and accuracy.
Portable doc links are up-to-date with a new conversion tool.
<li>Curve25519 and TLS X25519 Key Exchange support.
<li>Support for alternate chains for certificate verification.
<li>Code cleanups, CBB conversions, further unification of DTLS/SSL
handshake code, further ASN1 macro expansion and removal.
<li>Private symbols are now hidden in libssl and libcrypto.
<li>Friendly certificate verification error messages in libtls, peer
verification is now always enabled.
<li>Added OCSP stapling support to libtls and nc.
<li>Added ocspcheck utility to validate a certificate against its OCSP
responder and save the reply for stapling.
<li>Enhanced regression tests and error handling for libtls.
<li>Added explicit constant and non-constant time BN functions,
defaulting to constant time wherever possible.
<li>Moved many leaked implementation details in public structs behind
opaque pointers.
<li>Added ticket support to libtls.
<li>Added support for setting the supported EC curves via
SSL{_CTX}_set1_groups{_list}() - also provide defines for the
previous SSL{_CTX}_set1_curves{_list} names. This also changes
the default list of curves to be X25519, P-256 and P-384. All
other curves must be manually enabled.
<li>Added -groups option to openssl(1) s_client for specifying the
curves to be used in a colon-separated list.
<li>Merged client/server version negotiation code paths into one,
reducing much duplicate code.
<li>Removed error function codes from libssl and libcrypto.
<li>Fixed an issue where a truncated packet could crash via an OOB
read.
<li>Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows
client-initiated renegotiation. This is the default for libtls
servers.
<li>Avoid a side-channel cache-timing attack that can leak the ECDSA
private keys when signing. This is due to BN_mod_inverse() being
used without the constant time flag being set. Reported by Cesar
Pereida Garcia and Billy Brumley (Tampere University of
Technology). The fix was developed by Cesar Pereida Garcia.
<li>iOS and MacOS compatibility updates from Simone Basso and Jacob
Berkman.
<li>Added the recallocarray(3) memory allocation function, and
converted various places in the library to use it, such as CBB
and BUF_MEM_grow. recallocarray(3) is similar to
reallocarray. Newly allocated memory is cleared similar to
calloc(3). Memory that becomes unallocated while shrinking or
moving existing allocations is explicitly discarded by unmapping
or clearing to 0.
<li>Added new root CAs from SECOM Trust Systems / Security
Communication of Japan.
<li>Added EVP interface for MD5+SHA1 hashes.
<li>Improved nc(1) TLS handshake CPU usage and server-side error
reporting.
<li>Added a constant time version of BN_gcd and use it by default for
BN_gcd to avoid the possibility of side-channel timing attacks
against RSA private key generation - Thanks to Alejandro
Cabrera &lt;aldaya@gmail.com&gt;.
</ul>
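<p>
The recallocarray(3) contract described above (overflow-checked sizing, zeroed growth, discarded old contents) can be illustrated with a portable C sketch. This is an added example, not the libc or LibreSSL implementation: recallocarray_sketch(), wipe() and mul_ok() are hypothetical names, the errno values are this sketch's choice, and it always moves the allocation rather than shrinking in place.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Zero memory through a volatile pointer so the stores are not optimised
 * away (portable stand-in for explicit_bzero(3)). */
static void wipe(void *p, size_t n)
{
    volatile unsigned char *v = p;

    while (n--)
        *v++ = 0;
}

/* Returns 1 and stores a*b in *out, or 0 if the product overflows size_t. */
static int mul_ok(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b)
        return 0;
    *out = a * b;
    return 1;
}

/* Hypothetical sketch of the recallocarray(3) behaviour described above. */
void *recallocarray_sketch(void *ptr, size_t oldnmemb, size_t newnmemb,
    size_t size)
{
    size_t oldsize, newsize;
    void *newptr;

    if (ptr == NULL)
        return calloc(newnmemb, size);  /* calloc checks overflow itself */
    if (!mul_ok(newnmemb, size, &newsize)) {
        errno = ENOMEM;                 /* requested size is unrepresentable */
        return NULL;
    }
    if (!mul_ok(oldnmemb, size, &oldsize)) {
        errno = EINVAL;                 /* caller's old size is bogus */
        return NULL;
    }
    /* Always move to a fresh block so the old one can be wiped in full. */
    newptr = malloc(newsize ? newsize : 1);
    if (newptr == NULL)
        return NULL;                    /* old block is left untouched */
    if (newsize > oldsize) {
        memcpy(newptr, ptr, oldsize);
        memset((char *)newptr + oldsize, 0, newsize - oldsize);
    } else {
        memcpy(newptr, ptr, newsize);
    }
    wipe(ptr, oldsize);                 /* no stale key material in freed memory */
    free(ptr);
    return newptr;
}
```

The caller must pass the true old element count: unlike realloc(3), the function needs it to know how much to copy and how much to clear.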
<p>
<li>mandoc 1.14.1
<ul>
<li>New <a href="https://man.openbsd.org/mandoc.db.5">mandoc.db(5)</a>
file format: <a href="https://man.openbsd.org/man.1">man(1)</a>,
<a href="https://man.openbsd.org/apropos.1">apropos(1)</a>, and
<a href="https://man.openbsd.org/makewhatis.8">makewhatis(8)</a>
no longer need SQLite3.
<li>Much improved HTML output and CSS.
<li>In <a href="https://man.openbsd.org/man.1">man(1)</a>, internal
searching with <a href="https://man.openbsd.org/less.1">less(1)</a>
<code>:t</code> has been improved.
<li>New <a href="https://man.openbsd.org/mandoc.1">mandoc(1)</a>
<code>-mdoc -T markdown</code> output mode
(already a post-1.14.1 feature).
</ul>
<p>
<li><p>Ports and packages:
<p>Many pre-built packages for each architecture:
<!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
<ul style="column-count: 3">
<li>alpha: 7413
<li>amd64: 9714
<li>arm: 7501
<li>hppa: 6422
<li>i386: 9697
<li>mips64: 8072
<li>mips64el: 6880
<li>powerpc: 7703
<li>sparc64: 8606
</ul>
<p>Some highlights:
<ul style="column-count: 2">
<li>AFL 2.39b
<li>Chromium 57.0.2987.133
<li>Emacs 21.4 and 25.1
<li>GCC 4.9.4
<li>GHC 7.10.3
<li>Gimp 2.8.18
<li>GNOME 3.22.2
<li>Go 1.8
<li>Groff 1.22.3
<li>JDK 7u80 and 8u121
<li>KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
<li>LLVM/Clang 4.0.0
<li>LibreOffice 5.2.4.2
<li>Lua 5.1.5, 5.2.4, and 5.3.4
<li>MariaDB 10.0.30
<li>Mono 4.6.2.6
<li>Mozilla Firefox 52.0.2esr and 52.0.2
<li>Mozilla Thunderbird 45.8.0
<li>Mutt 1.8.0
<li>Node.js 6.10.1
<li>Ocaml 4.03.0
<li>OpenLDAP 2.3.43 and 2.4.44
<li>PHP 5.5.38, 5.6.30, and 7.0.16
<li>Postfix 3.2.0 and 3.3-20170218
<li>PostgreSQL 9.6.2
<li>Python 2.7.13, 3.4.5, 3.5.2 and 3.6.0
<li>R 3.3.3
<li>Ruby 1.8.7.374, 2.1.9, 2.2.6, 2.3.3 and 2.4.1
<li>Rust 1.16.0
<li>Sendmail 8.15.2
<li>SQLite3 3.17.0
<li>Sudo 1.8.19.2
<li>Tcl/Tk 8.5.18 and 8.6.4
<li>TeX Live 2015
<li>Vim 8.0.0388
<li>Xfce 4.12
</ul>
<p>
<li>As usual, steady improvements in manual pages and other documentation.
<p>
<li>The system includes the following major components from outside suppliers:
<ul>
<li>Xenocara (based on X.Org 7.7 with xserver 1.18.3 + patches,
freetype 2.7.1, fontconfig 2.12.1, Mesa 13.0.6, xterm 327,
xkeyboard-config 2.20 and more)
<li>LLVM/Clang 4.0.0 (+ patches)
<li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
<li>Perl 5.24.1 (+ patches)
<li>NSD 4.1.15
<li>Unbound 1.6.1
<li>Ncurses 5.7
<li>Binutils 2.17 (+ patches)
<li>Gdb 6.3 (+ patches)
<li>Awk Aug 10, 2011 version
<li>Expat 2.1.1
</ul>
</ul>
</section>
<hr>
<section id=install>
<h3>How to install</h3>
<p>
Please refer to the following files on the mirror site for
extensive details on how to install OpenBSD 6.1 on your machine:
<ul>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/alpha/INSTALL.alpha">
.../OpenBSD/6.1/alpha/INSTALL.alpha</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/amd64/INSTALL.amd64">
.../OpenBSD/6.1/amd64/INSTALL.amd64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/arm64/INSTALL.arm64">
.../OpenBSD/6.1/arm64/INSTALL.arm64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/armv7/INSTALL.armv7">
.../OpenBSD/6.1/armv7/INSTALL.armv7</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/hppa/INSTALL.hppa">
.../OpenBSD/6.1/hppa/INSTALL.hppa</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/i386/INSTALL.i386">
.../OpenBSD/6.1/i386/INSTALL.i386</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/landisk/INSTALL.landisk">
.../OpenBSD/6.1/landisk/INSTALL.landisk</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/loongson/INSTALL.loongson">
.../OpenBSD/6.1/loongson/INSTALL.loongson</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/luna88k/INSTALL.luna88k">
.../OpenBSD/6.1/luna88k/INSTALL.luna88k</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/macppc/INSTALL.macppc">
.../OpenBSD/6.1/macppc/INSTALL.macppc</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/octeon/INSTALL.octeon">
.../OpenBSD/6.1/octeon/INSTALL.octeon</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/sgi/INSTALL.sgi">
.../OpenBSD/6.1/sgi/INSTALL.sgi</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.1/sparc64/INSTALL.sparc64">
.../OpenBSD/6.1/sparc64/INSTALL.sparc64</a>
</ul>
</section>
<hr>
<section id=quickinstall>
<p>
Quick installer information for people familiar with OpenBSD, and the use of
the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!
<h3>OpenBSD/alpha:</h3>
<p>
Write <i>floppy61.fs</i> or <i>floppyB61.fs</i> (depending on your machine)
to a diskette and enter <i>boot dva0</i>.
Refer to INSTALL.alpha for more details.
<p>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
<h3>OpenBSD/amd64:</h3>
<p>