OpenBSD -current Changelog
This selection is intended to include all important
and all user-visible changes.
For a complete record of all changes, please see the "source-changes"
mailing list, called "OpenBSD CVS"
or use CVS.
Changes made between OpenBSD 6.6 and -current
Added pwmfan(4), a driver for PWM-regulated fans.
Added rkpwm(4), a driver for the RK3399's PWM controller.
Added support for the RK3399's PWM clock to rkclock(4).
Added tcpdump(8) support for printing RFC 8300 Network Service Header (NSH).
Added tcpdump(8) support for VXLAN-GPE.
Rewrote DHCPv6 parsing in tcpdump(8) to match the RFC, correctly handling DHCPv6 messages.
Made grep(1) -R assume "." by default rather than printing a warning.
Reverted switch to tickless backend.
Allowed forcing specific domains to be resolved by specific resolvers in unwind.conf(5), handling typical split-horizon setups.
Simplified sysupgrade directory check and creation (/home/_syspatch). It can now be a symlink.
Accepted netmask for IPv6 properly in ifconfig(8).
Added a create-vdisk command to ldomctl(8) analogous to amd64's vmctl(8) create.
Added uvm_objfree to uvm to efficiently free all pages from a uvm object, used in the buffer cache for considerable speedup when freeing pages.
Added rkemmcphy(4), a driver for the RK3399's eMMC PHY.
Added support for the RK3399's eMMC clock to rkclock(4).
Introduced msyscall(2), permitting system calls from selected code regions only: the main program, ld.so(1), libc.so and sigtramp. This is intended to harden against a mixture of W^X failures and JIT bugs allowing syscall misinterpretation.
Modified root's crontab(1) to run rpki-client(8) and reload bgpd(8) configuration, enabling RPKI ROA filtering.
Modified buffer cache to use individual uvm_objs per buffer to speed page lookups.
Decayed the unwind(8) resolver histogram data over time to reflect strategy performance.
Removed the -r flag in rpki-client(8). CRLs will always be checked.
Added the "console" command to ldomctl(8) which executes cu(1) on the domain's console.
Printed guest domain vcctty(4) devices in status output in ldomctl(8).
Removed km_mapblocks from kmemstats and its always-zero column from the ddb(4) "show malloc" output.
Implemented a hexdump command in the bootloader, helping to inspect the memory layout created by the firmware and useful for UEFI debugging.
Added list-io command to ldomctl(8), listing the available PCIe devices to be used with the iodevice parameter in ldom.conf(5).
Measured performance of resolving strategies in unwind(8), sorting them and choosing the next best strategy when one fails.
Removed captive portal detection from unwind(8).
Reinstated support for monitor mode and multiple frames in iwm(4).
Updated GLU to 9.0.1.
Updated libdrm to 2.4.100.
Added support for TLS 1.3 post-handshake handshake messages and key updates to LibreSSL.
Fixed scsi(8) softraid crypto volumes on 4K-sector disks.
Faked disk info to match expected boot disk when EFI bootloader has been received via TFTP, fixing a hang during HP Elitebook UEFI boot.
Fixed kernel crash in pf_ioctl with WITH_PF_LOCK and NET_TASKQ > 1.
Switched to tickless backend in timeout(9), adding new interface timeout_at_ts(9) to avoid backwardly compatible behavior.
Allowed use of 'auth' as an origin in smtpd.conf(5).
Added support for MSI-X for iwm(4) devices.
Allowed use of mail-from and rcpt-to as for and from parameters in smtpd.conf(5).
Computed RSSI on 9k iwm(4) devices as for previous generations, fixing spurious signal strength values of over 100%.
Added a tmux(1) p format modifier for padding to width.
Stored smtp(1) session usernames in an envelope, allowing the ruleset to match specific users or mailing addresses.
Added "no-touch-required" options to ssh-keygen(1) and sshd(8) to disable touch requirement for authorized_keys and certificates.
Added an sshd_config(5) PubkeyAuthOptions directive allowing specification of whether sshd(8) should check whether user presence was tested before a security key was made.
Withdrew all proposals on slaacd(8) startup to prevent indefinite retention of nameservers on interfaces no longer flagged for autoconf.
Prevented a timeout in ssh(1) when the server doesn't immediately send a banner, such as with multiplexers like sslh.
Allowed rc.d(8) script to reload sndiod(8).
Added tracking of which interfaces have learned nameservers to unwind(8).
Improved ksmn(4) temperature conversion precision.
Added a quirk to handle Apollo Lake, Gemini Lake and 100 Series Intel SD/MMC sdhc(4) controllers which should not have voltages set to 0V.
Added Gemini Lake SD/MMC controller pci(4) ids.
Ensured proper kernel stack alignment on mips64, fixing a panic on octeon related to pppoe(4).
Adjusted on-wire signature encoding for ecdsa-sk ssh(1) keys to better match ed25519-sk keys.
Fixed an off-by-one TRB issue in bulk transfers larger than 64k, making udl(4) work on xhci(4).
Added iwm(4) support for 9260 and 9560 devices.
Enabled ESP UDP-encapsulation with the iked(8) -t flag.
Added -keyopt option to openssl(1) cms subcommand, providing rsa_padding_mode:oaep for cms -encrypt and rsa_padding_mode:pss for cms -sign.
Added -f for full size to join-pane in tmux(1).
Added rge(4), a new driver for Realtek 8125 PCI Express 2.5Gb ethernet devices.
Repaired the "set delay" option for pf(4) to function as specified in pf.conf(5).
Added the initial framework for the TLSv1.3 server.
Used disable-bt overlay with raspberry pi to use pluart(4) as console, rather than the 'mini uart'.
Added a -d option to pkg_add(1) to add debug packages if present alongside intended updates or additions.
Fixed a segmentation fault in ncurses(3).
Implemented HTTP/1.1 in ftp(1).
Added direct support for U2F/FIDO2 security keys in ssh(1).
Began resolving captive portal hosts internally in unwind(8).
Changed tmux(1) new-session -A to attach to the best existing session when a session name is not specified, rather than creating a new session.
Added an option to tmux(1) to set the key sent by backspace for systems using ^H.
Prevented non-root users from using ioctl(2) to alter the address of a network interface.
Prevented non-root users from setting the parameters of pppoe(4) interfaces.
Prevented a local user from causing the system to hang by reading specific registers when Intel Gen8/Gen9 graphics hardware is in a low power state.
Prevented writes to memory allowed by the Intel Gen9 graphics hardware.
Notified the user via TTY or $SSH_ASKPASS when ssh(1) security keys must be tapped/touched in order to perform a signature operation.
Enabled ed25519 support in ssh(1).
Fixed iwm(4) support and loaded new firmware for 3168 devices.
Printed the URL when sysupgrade(8) fetches new sets.
Prevented a crash in ieee80211_node2req() which could be triggered by an ioctl(2) if the driver had not yet initialized the channel map.
Implemented DNS proposals in unwind(8) to learn nameservers from network autoconfiguration daemons.
Moved /usr and /var remounting earlier to allow unwind(8) to start before pf(4) is configured.
Added a Content-Security-Policy HTTP header to mandoc(1) that allows only CSS.
Added an opportunistic run of fw_update(1) to sysupgrade(8) before rebooting to run the upgrade.
Introduced a "trusted" modifier to ntpd(8), for peers which should be on a local net, used in situations where https constraints cannot be used but auto settime is desired.
Stopped connecting to available open wifi networks when an interface is marked up. This behavior must now be explicitly enabled with ifconfig(8) join "".
Added support for active scan to bwfm(4).
Lowered the priority of APs which fail to connect in the ifconfig(8) join list, allowing switching wifi networks by moving between them without having to down/up the interface or suspend/resume.
Triggered a background scan when root runs the ifconfig(8) scan command, updating the list of cached APs for future scans and forcing a search for a better AP to roam to.
Switched 8260 and 8265 iwm(4) devices to -34 firmware.
Added support for buttons 2 and 3 to imt(4).
Enabled DNSSEC validation in unbound(8) by default.
Prevented non-root users from setting the WEP key on an(4) wireless network devices.
Added -F flag to tmux(1) send-keys to expand formats in search-backward and forward copy mode commands.
Performed constraint validation against 184.108.40.206 and 2620:fe::fe by default in ntpd.conf(5).
Fixed a bug where outstanding frames on the iwn(4) aggregation queue interfere with roaming to another AP.
Raised net80211's "beacon miss" threshold to avoid frequent reconnects to APs suffering packet loss due to distance.
Added ogx(4), a driver for the OCTEON III network processor.
Reinstated openssl(1) CMS.
Switched iwm(4) 3160, 7260 and 7265 to -17 firmware images.
Enabled DQA mode for iwm(4).
Added support for iwm(4) firmware paging, required for newer 8k device firmware.
Fixed a possible crash in smtpd(8) when combining "from rdns" with nested virtual aliases under a particular configuration.
Added opportunistic DoT support to unwind(8).
Hooked rpki-client(8) up to the build.
Enabled CMS in ssl(8).
Added initial infrastructure for U2F/FIDO support in ssh(1).
Constrained and corrected the routes being deleted when applying a new lease in dhclient(8) and corrected route comparison. This corrects a network failure with "arpresolve: ... route contains no information".
Released OpenBGPD 6.6p0.
Added support for RSA-PSS to crypto(3).
Added an ASR resolver type to unwind(8), using the libc asynchronous resolver directly with DHCP-provided nameservers. Switched to the ASR resolver rather than DHCP when behind a captive portal.
Made background scans less frequent when choosing the same AP.
Began marking stale prefixes in the Adj-RIB-out during graceful reload of bgpd(8) and fixed prefix_withdraw to check the correct prefix flags before removing a prefix from the update or withdraw tree.
Added an Intel 9260 wifi card pci(4) id.
Added Marvell 88SE9128 AHCI pci(4) id.
Fixed a bug with the fatal bgpd(8) non-existing prefix call to ensure the missing prefix is inserted into the prefix tree.
Fixed bgpd(8) crashes where the nexthop_runners tail queue was corrupted.
Improved error handling for bwfm(4) connection attempts.
Added code laying groundwork for the use of multiple processors on armv7.
Made vmx(4) transmit mp-safe.
Corrected clock_getres(2) to provide the actual resolution of a given clock.
Released OpenSMTPD 6.6.0.
Allowed switching to framebuffer "glass" console on armv7, mirroring previous changes to arm64.
Added retguard for octeon/mips64.
Added a missing unveil(2) of /etc/shells for passwd(1).
Printed IP addresses in verbose mode in nc(1).
Reverted change to nc(1) fixing the -N flag due to regress failures for TLS.
Added sxisid(4), a driver to read the on-chip eFuses.
Added new -N name option to ftp(1), allowing calling scripts to change the progname and produce better error messages.
Updated timezone information to reflect DST changes for Fiji and Norfolk Island.
Rewrote the time validity check for mtfs in rpki-client(8) to correctly account for the timezone.
Added the system clock interface nanoboottime(9), returning the UTC time at which the system booted in seconds and nanoseconds.
Added sxipwm(4) and pwmbl(4), drivers which jointly add support for the backlight controller on the Pinebook.
On newer ThinkPads reporting HKEY version > 1, allowed acpivout(4) to claim backlight controls rather than wscons(4), allowing use of the fine-grained backlight BCL steps defined in acpi(4).
Changed acpivout(4) to increment and decrement screen brightness based only on brightness level changes of 5% or higher.
Prevented an infinite loop when aborting ulpt(4)'s pipe after an I/O error.
Implemented the "parallel boot" feature on compatible sparc64 firmware.
Corrected a memory leak in unwind(8) when the list of DHCP resolvers doesn't change.
Stopped checking whether the IPv6 source address of a neighbor advertisement is from a neighbor's address, which is not required by RFC 4861.
Added support for dynamic queue allocation (DQA) to iwm(4).
Corrected cache flush operations on arm64 which were being incorrectly treated as write operations. This fixes a bug where cache flushing caused Firefox to abort.
Fixed the -N flag for nc(1) to shut down the socket when input stops, or when TLS is in use and either side of the socket goes away.
Added rpki-client(8) output formats for bird and CSV.
Fixed a potential NULL dereference for revoked hostkeys in ssh(1).
Added support for percentage sizes to tmux(1) resize-pane ("-x 10%") and changed split-window and join-pane -l to accept similar percentages, deprecating the -p option.
Made sparc64 autoconf(4) try to match the devid against the bootpath if link->port_wwn doesn't work, helping when booting off of an mpii(4) controller.
Used unveil(2) to reduce filesystem access in vmstat(8), iostat(8) and systat(1).
Changed httpd(8) to send a 408 response when a timeout happens while headers are being received, but close the connection if no request is received.
Added an azalia(4) quirk for the ALC285 on the X1C7 to avoid a clicking noise on the headphone output.
Moved to 6.6-current.