Released Oct XXX, 2025. (59th OpenBSD release) Copyright 1997-2025, Theo de Raadt. Artwork by XXX.
All applicable copyrights and credits are in the src.tar.gz, sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the files fetched via
This is a partial list of new features and systems included in OpenBSD 7.8. For a comprehensive list, see the changelog leading to 7.8.
#ifdef mess and removing a few instances of undefined behavior.
OPENSSL_SMALL_FOOTPRINT and OPENSSL_FIPSAPI.
SIGILL-based CPU capability detection was removed. Instead, capabilities are now detected using a constructor on library load, which improves the incomplete coverage by calls to OPENSSL_init_crypto() on various entry points.
If an ssh(1) commandline was constructed using usernames or URIs obtained from an untrusted source, and if a ProxyCommand that uses the %u expansion was configured, then it may be possible for an attacker to inject shell expressions that may be executed when the proxy command is started.
We strongly recommend against using untrusted inputs to construct ssh(1) commandlines.
This change also relaxes the validity checks in one small way: usernames supplied via the configuration file as literals (i.e. that have no % expansion characters) are not subject to these validity checks. This allows usernames that contain arbitrary characters to be used, but only via configuration files. This is done on the basis that ssh's configuration is trusted.
This issue was reported by David Leadbeater.
This warning has been added due to the risk of "store now, decrypt later" attacks. More details at the OpenSSH Post-Quantum Cryptography page.
This warning may be controlled via a new WarnWeakCrypto ssh_config option, defaulting to on. This option is likely to control additional weak crypto warnings in the future.
IPQoS
Both the client and the server have changed the default DSCP (a.k.a. IPQoS) values and the way these values are selected at runtime.
Both endpoints now use Expedited Forwarding (EF) for interactive traffic by default. This provides better prioritisation, especially on wireless media (cf. RFC 8325). Non-interactive traffic now uses the operating system default DSCP marking. Both the interactive and non-interactive DSCP values may be overridden via the IPQoS keyword in ssh_config(5) and sshd_config(5).
The DSCP value selected may now change over the course of a connection. ssh(1) and sshd(8) will automatically select between the interactive and non-interactive IPQoS values depending on the type of SSH channels open. E.g. if an sftp session is using the connection, then the non-interactive value will be used.
This is important now that the default interactive IPQoS is EF (Expedited Forwarding), as many networks are configured to allow only relatively small amounts of traffic of this class and they will aggressively deprioritise the entire connection if this is exceeded.
Type of Service (ToS) was deprecated in the late nineties and replaced with the Differentiated Services architecture. Diffserv has significant advantages for operators because this mechanism offers more granularity.
OpenSSH switched its default IPQoS from ToS to DSCP values in 2018.
IPQoS configurations with 'lowdelay', 'reliability', or 'throughput' will be ignored and instead the system default QoS settings apply. Additionally, a debug message is logged about the deprecation with a suggestion to use DSCP.
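An upgrade audit for the two configuration-facing changes described above, the ProxyCommand username-expansion issue and the ignored ToS-style IPQoS keywords; this is an added example, not OpenSSH or OpenBSD code. The function names and the sample configuration are constructed, and flagging %r alongside the %u named in the text is this example's own choice.

```python
import re

# Username expansions to flag in ProxyCommand: %u is the one the release note
# names; %r, the ssh_config(5) token for the remote username, is added here.
USER_TOKENS = ("%u", "%r")
# ToS-era IPQoS keywords that are now ignored in favour of the system default.
TOS_KEYWORDS = {"lowdelay", "reliability", "throughput"}

def directives(text):
    """Yield (line_no, keyword, argument) for each non-comment config line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Both "Keyword value" and "Keyword=value" are accepted forms.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        yield no, parts[0].lower(), parts[1] if len(parts) > 1 else ""

def audit(text):
    """Return (line_no, scope, finding, details) tuples for one config file."""
    findings, scope = [], "(global)"
    for no, key, arg in directives(text):
        if key in ("host", "match"):
            scope = f"{key} {arg}"
        elif key == "proxycommand":
            live = arg.replace("%%", "")  # '%%' is a literal percent sign
            hits = [t for t in USER_TOKENS if t in live]
            if hits:
                findings.append((no, scope, "proxycommand-user-expansion", hits))
        elif key == "ipqos":
            old = sorted(TOS_KEYWORDS & set(arg.lower().split()))
            if old:
                findings.append((no, scope, "ipqos-tos-ignored", old))
    return findings

# Constructed sample configuration (not taken from the page).
SAMPLE = """\
Host bastion
    IPQoS lowdelay throughput
Host *.internal
    ProxyCommand ssh -W %h:%p %u@bastion
Host literal
    ProxyCommand /usr/local/bin/relay --tag 100%%u %h
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The audit reads a single file as text and does not follow Include directives, so each included file has to be passed to audit() separately.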
This will cause the agent to automatically remove certificates shortly after they expire. A new ssh-add -N option disables this behaviour.
This ensures processes that have restricted filesystem access that includes /tmp do not ambiently have the ability to use keys in an agent.
Moving the default directory has the consequence that the OS will no longer clean up stale agent sockets, so ssh-agent now gains this ability.
To support $HOME on NFS, the socket path includes a truncated hash of the hostname. ssh-agent will by default only clean up sockets from the same hostname.
ssh-agent(1) gains some new flags: -U suppresses the automatic cleanup of stale sockets when it starts. -u forces a cleanup without keeping a running agent, -uu forces a cleanup that ignores the hostname. -T makes ssh-agent put the socket back in /tmp.
This may be useful for expressing reminders or warnings in config files, for example:
    Match host foo
        RefuseConnection "foo is deprecated, use splork instead"
Usually writes to this file are serialised on the "Are you sure you want to continue connecting?" prompt, but if host key checking is disabled and connections were being made with high concurrency then interleaved writes might have been possible.
Many pre-built packages for each architecture:
Some highlights:
Please refer to the following files on the mirror site for extensive details on how to install OpenBSD 7.8 on your machine:
Quick installer information for people familiar with OpenBSD, and the use of the "disklabel -E" command. If you are at all confused when installing OpenBSD, read the relevant INSTALL.* file as listed above!
If your machine can boot from CD, you can write install78.iso or cd78.iso to a CD and boot from it. Refer to INSTALL.alpha for more details.
If your machine can boot from CD, you can write install78.iso or cd78.iso to a CD and boot from it. You may need to adjust your BIOS options first.
If your machine can boot from USB, you can write install78.img or miniroot78.img to a USB stick and boot from it.
If you can't boot from a CD, floppy disk, or USB, you can install across the network using PXE as described in the included INSTALL.amd64 document.
If you are planning to dual boot OpenBSD with another OS, you will need to read INSTALL.amd64.
Depending on your hardware, you can write install78.iso or cd78.iso to a CD and boot from it, or write a system specific miniroot to an SD card and boot from it after connecting to the serial console. Refer to INSTALL.armv64 for more details.
Write a system specific miniroot to an SD card and boot from it after connecting to the serial console. Refer to INSTALL.armv7 for more details.
Boot over the network by following the instructions in INSTALL.hppa or the hppa platform page.
If your machine can boot from CD, you can write install78.iso or cd78.iso to a CD and boot from it. You may need to adjust your BIOS options first.
If your machine can boot from USB, you can write install78.img or miniroot78.img to a USB stick and boot from it.
If you can't boot from a CD, floppy disk, or USB, you can install across the network using PXE as described in the included INSTALL.i386 document.
If you are planning on dual booting OpenBSD with another OS, you will need to read INSTALL.i386.
Write miniroot78.img to the start of the CF or disk, and boot normally.
Write miniroot78.img to a USB stick and boot bsd.rd from it or boot bsd.rd via tftp. Refer to the instructions in INSTALL.loongson for more details.
Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader from the PROM, and then bsd.rd from the bootloader. Refer to the instructions in INSTALL.luna88k for more details.
Burn the install78.iso image from a mirror site to a CDROM, and power on your machine while holding down the C key until the display turns on and shows OpenBSD/macppc boot.
Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot /7.8/macppc/bsd.rd
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp. Refer to the instructions in INSTALL.octeon for more details.
To install, write install78.img or miniroot78.img to a USB stick, plug it into the machine and choose the OpenBSD install menu item in Petitboot. Refer to the instructions in INSTALL.powerpc64 for more details.
To install, write install78.img or miniroot78.img to a USB stick, and boot with that drive plugged in. Make sure you also have the microSD card plugged in that shipped with the HiFive Unmatched board. Refer to the instructions in INSTALL.riscv64 for more details.
Burn the image from a mirror site to a CDROM, boot from it, and type boot cdrom.
If this doesn't work, or if you don't have a CDROM drive, you can write floppy78.img or floppyB78.img (depending on your machine) to a floppy and boot it with boot floppy. Refer to INSTALL.sparc64 for details.
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
You can also write miniroot78.img to the swap partition on the disk and boot with boot disk:b.
If nothing works, you can boot over the network as described in INSTALL.sparc64.
If you already have an OpenBSD 7.7 system, and do not want to reinstall, upgrade instructions and advice can be found in the Upgrade Guide.
src.tar.gz contains a source archive starting at /usr/src. This file contains everything you need except for the kernel sources, which are in a separate archive.
To extract:
    # mkdir -p /usr/src
    # cd /usr/src
    # tar xvfz /tmp/src.tar.gz
sys.tar.gz contains a source archive starting at /usr/src/sys. This file contains all the kernel sources you need to rebuild kernels.
To extract:
    # mkdir -p /usr/src/sys
    # cd /usr/src
    # tar xvfz /tmp/sys.tar.gz
Both of these trees are a regular CVS checkout. Using these trees it is possible to get a head-start on using the anoncvs servers as described here. Using these files results in a much faster initial CVS update than you could expect from a fresh checkout of the full OpenBSD source tree.
A ports tree archive is also provided. To extract:
    # cd /usr
    # tar xvfz /tmp/ports.tar.gz
Go read the ports page if you know nothing about ports at this point. This text is not a manual of how to use ports. Rather, it is a set of notes meant to kickstart the user on the OpenBSD ports system.
The ports/ directory represents a CVS checkout of our ports. As with our complete source tree, our ports tree is available via AnonCVS. So, in order to keep up to date with the -stable branch, you must make the ports/ tree available on a read-write medium and update the tree with a command like:
    # cd /usr/ports
    # cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_7_8
[Of course, you must replace the server name here with a nearby anoncvs server.]
Note that most ports are available as packages on our mirrors. Updated ports for the 7.8 release will be made available if problems arise.
If you're interested in seeing a port added, would like to help out, or just would like to know more, the mailing list ports@openbsd.org is a good place to start.