Released March 29, 2016
Copyright 1997-2016, Theo de Raadt.
5.9 Songs: "Doctor W^X", "Systemagic (Anniversary Edition)"
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via
This is a partial list of new features and systems included in OpenBSD 5.9. For a comprehensive list, see the changelog leading to 5.9.
-g flag is used.
-b flag that specifies the size of the EFI System partition to create.
-v flag that causes a verbose display of both MBR and GPT information.
-b flags being removed. The associated fields in the disklabel were also removed. These functions are now all performed by installboot(8).
kevent structures are now dumped.
PermitRootLogin=prohibit-password/without-password that could, depending on compile-time configuration, permit password authentication to root while preventing other forms of authentication.
diffie-hellman-group-exchange to 2048 bits.
arcfour variants and the
rijndael-cbc aliases for AES.
AddKeysToAgent client option which can be set to
confirm, and defaults to
no. When enabled, a private key that is used during authentication will be added to ssh-agent(1) if it is running (with confirmation enabled if set to
restrict that includes all current and future key restrictions (
no-*-forwarding, etc.). Also add permissive versions of the existing restrictions, e.g.
pty. This simplifies the task of setting up restricted keys and ensures they are maximally-restricted, regardless of any permissions we might implement in the future.
ssh-keygen -lf ~/.ssh/authorized_keys. (bz#1319)
none as an argument for sshd_config(5)
ChrootDirectory. Useful inside
Match blocks to override a global default. (bz#2486)
-f -") for
ssh-keyscan -c ... flag to allow fetching certificates instead of plain keys.
cvs.openbsd.org.) in hostname canonicalisation - treat them as already canonical and trailing '
.' before matching ssh_config(5).
first_kex_follows option during the initial key exchange.
SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during key exchange. (bz#2949)
ConnectionAttempts=0, which does not make sense and would cause ssh to print an uninitialised stack variable. (bz#2500)
PubkeyAcceptedKeyTypes +... inside a
-i options before checking whether or not the identity file exists. Avoids confusion for cases where shell doesn't expand (e.g.
Match exec in a config file, which could cause some commands to fail in certain environments. (bz#2471)
ChrootDirectory is active. (bz#2485)
ssh -G config dump.
TunnelForwarding device flags if they are already what is needed; makes it possible to use tun(4)/tap(4) networking as non-root user if device permissions and interface flags are pre-established.
RekeyLimits could be exceeded by one packet. (bz#2521)
fatal() for PKCS11 tokens that present empty key IDs. (bz#1773)
RekeyLimits larger than 4GB. (bz#2521)
known_hosts file edits when
ControlPath to UID. (bz#2449)
ssh -G ...) of
ClientHello messages that do not include TLS extensions, resulting in such handshakes being aborted.
ECDH_compute_key that can lead to silent truncation of the result key without error. A coding error could cause software to use much shorter keys than intended.
DTLS_BAD_VER. Pre-DTLSv1 implementations are no longer supported.
engine command and parameters are removed from openssl(1). Previous releases removed dynamic and built-in engine support already.
Certplus CA root certificate to the default
AEAD construction introduced in RFC 7539, which is different than that already used in TLS with EVP_aead_chacha20_poly1305(3).
COMODO RSA Certification Authority and
QuoVadis root certificates to
C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root certificate from
s_time command now performs a proper shutdown which allows a full TLS connection to be benchmarked more accurately. A new
s_time adopt the previous behavior so that comparisons can still be made with OpenSSL's version.
SSLEAY_CONF backwards compatibility environment variable in openssl(1).
CVE-2015-3194—NULL pointer dereference in client side certificate validation.
CVE-2015-3195—memory leak in PKCS7, not reachable from TLS/SSL.
CVE-2015-3193—carry propagating bug in the x86_64 Montgomery squaring procedure.
CVE-2015-3196—double free race condition of the identity hint data.
pkgconfig files to correctly report the release version number, not the individual library ABI version numbers.
libtls API is changed from the 2.2.x series:
libtls no longer implicitly closes the passed in sockets. The caller is responsible for closing them in this case.
OPENSSL_cpu_caps is provided that does not allow software to inadvertently modify cpu capability flags.
libtls for client and server operations; it is included in the libressl-portable distribution as an example of how to use the
libtls library. This is intended to be a simpler and more robust replacement for
openssl s_server for day-to-day operations.
time_t. LibreSSL now checks if the host OS supports 64-bit
libtls, tls_peer_cert_notbefore(3) and tls_peer_cert_notafter(3).
EVP_CHECK_DES_KEY code (non-functional since initial commit in 2004).
LIBRESSL_VERSION_NUMBER to match that of
Many pre-built packages for each architecture:
Following this are the instructions which you would have on a piece of paper if you had purchased a CDROM set instead of doing an alternate form of install. The instructions for doing an HTTP (or other style of) install are very similar; the CDROM instructions are left intact so that you can see how much easier it would have been if you had purchased a CDROM instead.
Please refer to the following files on the three CDROMs or mirror site for extensive details on how to install OpenBSD 5.9 on your machine:
Quick installer information for people familiar with OpenBSD, and the use of the "disklabel -E" command. If you are at all confused when installing OpenBSD, read the relevant INSTALL.* file as listed above!
If you already have an OpenBSD 5.8 system, and do not want to reinstall, upgrade instructions and advice can be found in the Upgrade Guide.
src.tar.gz contains a source archive starting at
This file contains everything you need except for the kernel sources, which are
in a separate archive. To extract:
    # mkdir -p /usr/src
    # cd /usr/src
    # tar xvfz /tmp/src.tar.gz
sys.tar.gz contains a source archive starting at
This file contains all the kernel sources you need to rebuild kernels.
    # mkdir -p /usr/src/sys
    # cd /usr/src
    # tar xvfz /tmp/sys.tar.gz
Both of these trees are a regular CVS checkout. Using these trees it is possible to get a head-start on using the anoncvs servers as described here. Using these files results in a much faster initial CVS update than you could expect from a fresh checkout of the full OpenBSD source tree.
A ports tree archive is also provided. To extract:
    # cd /usr
    # tar xvfz /tmp/ports.tar.gz
Go read the ports page if you know nothing about ports at this point. This text is not a manual of how to use ports. Rather, it is a set of notes meant to kickstart the user on the OpenBSD ports system.
The ports/ directory represents a CVS (see the manpage for cvs(1) if you aren't familiar with CVS) checkout of our ports. As with our complete source tree, our ports tree is available via AnonCVS. So, in order to keep up to date with the -stable branch, you must make the ports/ tree available on a read-write medium and update the tree with a command like:
    # cd /usr/ports
    # cvs -d firstname.lastname@example.org:/cvs update -Pd -rOPENBSD_5_9
[Of course, you must replace the server name here with a nearby anoncvs server.]
Note that most ports are available as packages on our mirrors. Updated ports for the 5.9 release will be made available if problems arise.
If you're interested in seeing a port added, would like to help out, or just would like to know more, the mailing list email@example.com is a good place to know.