This selection is intended to include all important
and all user-visible changes.
For a complete record of all changes, please see the "source-changes"
mailing list, called "OpenBSD CVS"
in the archives,
or use CVS.
For changes in other releases, click below:
Changes made between OpenBSD 6.9 and 7.0
- Released OpenSSH 8.8.
- Corrected sshd(8) initialization of supplemental groups when executing an AuthorizedKeysCommand or AuthorizedPrincipalsCommand helper program (not enabled by default) as a different user.
- Updated timezone information to remove DST for Samoa.
- Avoided a potential overread in x509_constraints_parse_mailbox().
- Fixed a memory leak in rpki-client(8).
- Adjusted bgpctl(8) RIB_GENERIC_ADDPATH MRT message handling to work with other MRT implementations.
- Added a workaround to amdgpu(4) for machines where the framebuffer size reported by the hardware is incorrect.
- Prevented ucc(4) keyboards from changing the wsmux(4) keyboard layout.
- Moved objcopy to base set to allow KARL to work on all installs.
- Fixed pchgpio(4) issues with dead touchpads after resume.
- Moved to OpenBGPD 7.2(8).
- Prevented strlcpy(3) from reading too much in btrace(8).
- Allowed xenodm(1) login when ~./Xauthority does not exist.
- Fixed disklabel(8) generation on sparc64.
- Silently ignored invalid requests to change the encoding of a ucc(4) keyboard.
- Changed dhcpleased(8) client identifier transmission to match other dhcp client implementations.
- Fixed the ssh(1) "Allocated port" debug message for unix sockets.
- Switched scp(1) back to using the original scp/rcp protocol by default for release.
- Unlocked the top part of the VM fault handler on i386.
- In pchgpio(4), worked around a BIOS bug on Lenovo Thinkpads based on Intel's Tiger Lake platform to properly restore the GPIO pin used for the touchpad interrupt upon resume.
- Zeroed out potential passwords when freeing memory or handling parsing errors in iked(8).
- Fixed acme-client(1) SAN generation for CSRs.
- Implemented flushing for TLSv1.3 handshakes.
- Made scp(1) SFTP mode (including error logging) more scp-like.
- Prevented a crash on strict alignment architectures of tcpdump(8) WireGuard printer.
- Set the rpki-client(8) X.509 validation depth limit to 12 or double the current depth.
- Simplified dhcpleasectl(8) and added syntax to match dhclient(8) (interface), allowing one to be aliased to the other.
- Allowed CanonicalPermittedCNAMEs=none in ssh_config(5).
- Made pmap_extract() mpsafe on hppa and amd64.
- Limited rpki-client(8) to 300 deltas to sync an RRDP repository rather than fetching a snapshot.
- Put back the mux_ctx memleak fix for SSH_CHANNEL_MUX_CLIENT in ssh(1).
- Enabled cy(4) on amd64.
- Retried broadcast with dhcpleased(8) when the dhcp server is unreachable via unicast UDP.
- Added a theoretical limit of 512 to the number of allocated vcpus in vmm(4).
- Introduced /etc/bsd.re-config(5), which can be used to configure the kernel using config(8), allowing use of KARL while making changes to the GENERIC kernel.
- Checked the installer's /tmp/i/hostname.* files for a configured IP address so that configurations without a broadcast address are detected as well.
- Defaulted to using named curve parameter encoding in libcrypto.
- Identified TPM2.0 devices and performed the 2.0-specific "suspend" command, allowing the lenovo xlr9 and xlnano using the latest BIOS (which added S3) to resume.
- Stopped setting the highspeed bit on bcm2835-sdhci sdhc(4) controllers, fixing bwfm(4) wifi on the Raspberry Pi 3 Model B+.
- Zeroed out iwx(4) Tx descriptors of frames which are done to prevent the device from writing to the former DMA address of a buffer which has been taken off the Tx ring.
- Fixed a bug in iwx(4) Tx done interrupt processing which could cause fatal firmware errors under load and memory corruption.
- Stopped ignoring SIGINT in sftp(1) while waiting for input if editline(3) is not used.
- Imported Mesa 21.1.8.
- Altered scp(1) to use the SFTP protocol by default. The original scp/rcp protocol remains available via the -O flag.
- Changed iwm(4) and iwx(4) to sleep for 1 second while loading firmware to match what iwn(4) does. This fixes some issues with suspend/resume.
- Modified doas(1) to retry up to 3 times on password authentication failure.
- Fixed vmm(4) vcpu locking issues.
- Added the uaq(4) driver for Aquantia AQC111U/AQC112U USB ethernet devices.
- Added kprobes provider for dt(4).
- Ensured that iwm(4) and iwx(4) will reload firmware from disk on down/up and not during resume.
- Made traceroute(8) faster by sending probes and doing DNS lookups asynchronously.
- Add add-path support in MRT dumps (RFC8050) to bgpd(8).
- Disabled building all of the non-unicode fonts except for ISO8859-1.
- Fixed iwx(4) crystal latency values to match those used by Linux iwlwifi.
- Altered slowcgi(8) so it no longer sends debug logging to syslog unless debug logging is requested via the new -v flag.
- Made all vi(1) signal handler functions async-signal-safe.
- Deleted mention of the X11 README file from root.mail since it is no longer installed.
- Added the aq(4) driver to support Aquantia 1/2.5/5/10Gb/s PCIe ethernet adapters.
- Added unveil(2) calls to xterm in the case where there are no exec-formatted or exec-selected resources set.
- Added the ability for snmpd(8) to send SNMPv3 traps.
- Changed diff(1) to consider two files sharing the same inode identical.
- Imported timeout(1) utility from NetBSD. timeout(1) can be used to run commands with a time limit.
- Added client-side support for DNS configuration to iked(8).
- Removed from0 support from openrsync(1).
- Made rc(8) quietly attempt an early mount of /var/log in case someone has created it to avoid /var overflow issues.
- Added http_proxy support to rpki-client(8) http handler.
- Added aplpinctrl(4) driver for the Apple GPIO controller found on the M1 SoCs.
- Changed the printing of the hibernate image size from bytes to megabytes.
- Added "machine sysregs" command to ddb(4) on amd64.
- Added support for obtaining sense status and source slot of a media to chio(1) and ch(4).
- Added include and exclude options to rsync(1) usage message.
- Made resolvd(8) accept dns proposals for the loopback addresses.
- Implemented < and > operators in btrace(8) filters.
- Changed usage of %n from a syslog warning to syslog and abort for printf(3) (and associated variants).
- Increased hibernate writeout speed.
- Disabled the RSA/SHA-1 signature algorithm by default in ssh(1).
- Implemented -naccept in the s_server option of openssl(1).
- Implemented reporting of supplemental groups in ps(1).
- Changed traceroute(8) wait time to default to 3 seconds and allow setting of wait time as low as one second.
- Altered passwd(1) to use stderr for printer error and informational messages. This allows easier parsing of what passwd(1) is doing if spawned from a GUI.
- Fixed a crash with i915 graphics by removing bogus Linux code that tried to deal with something that is impossible on OpenBSD.
- Fixed dwiic(4) timeouts requesting data from at least one touchpad.
- Fixed automatic upgrade after fetching response file with dhcp.
- Released LibreSSL 3.3.4.
- Switched macppc to use ld.lld.1(1).
- Added ucc(4), a driver for USB HID Consumer Control keyboards.
- Fix crash in mandoc(1) when a manpath directory contained a symbolic link that pointed to a directory.
- Implemented reception of "VLAN 0 priority tagged" packets.
- Fixed an off-by-one error in bwfm(4).
- Changed iwn(4), iwm(4), and iwx(4) devices to hide detailed firmware error reports by default.
- Added veb(4) to the list of pseudo devices that ifconfig(8) can create.
- Imported initial support for the SM2 cipher into LibreSSL.
- Added the signify keys for 7.1 base sets, packages, and firmware.
- Moved to 7.0-beta.
- Set the uhidpp(4) battery level sensor status to unknown while charging to handle devices reporting zero during charge, preventing certain sensorsd.conf(5) actions from triggering inappropriately.
- Fixed iostat(8) per-device values when systat(1) is in boot time mode ('b'), not normalizing based on the sleep interval.
- Made jot(1) -b, -c and -w mutually exclusive.
- Made cdio(1) discard the current input line when Ctrl-C is used during line editing and provide a fresh prompt rather than exiting the program.
- Updated unbound(8) to 1.13.2.
- Added a -B flag to tmux(1) to remove borders from popups and added a menu to popups as well as options to convert a popup into a pane.
- Added to dhcpleased.conf(5) the ability to ignore routes or nameservers from a lease and to ignore servers entirely.
- Prevented a loop when bwfm(4) receives an unsolicited association status event right after successful association.
- Added pipe variants of the tmux(1) line copy commands.
- Changed the default snmp(1) version to -v3 and removed the default community.
- Made amd64 hw.setperf percentages proportional to the enhanced speed step frequencies on Intel processors. The default hw.setperf=99 corresponds to the maximum ordinary speed, and setting it to 100 enables turbo mode.
- Ensured some programs (including sftp(1)) do not ignore Ctrl-C when awaiting user input.
- Added support for two-character font names (BI, CW, CR, CB, CI) to the tbl(7) layout font modifier.
- Added Tiger Lake LP (INT34C5) support to pchgpio(4).
- Updated nsd(8) to 4.3.7.
- Allowed "any" to be used as a listen on address in snmpd.conf(5).
- Fixed Encode(3p) loading module from an incorrect relative path.
- Added scp(1) -O and temporary -s (SFTP) flags to select the sftp protocol.
- Made scp(1) -3 the default for remote-to-remote copies.
- Improved handling of ~ prefixed paths in scp(1) in SFTP mode.
- Allowed setting of the engineid in snmpd(8).
- Updated libXaw to 1.0.14.
- Updated xrdb(1) to 1.2.1.
- Handled "inet autoconf" in the ramdisk.
- Fixed a panic at shutdown relating to azalia(4) on the X1 Extreme Gen 1.
- Implemented reception of multiple paths per BGP session in bgpd.conf(5) and made it possible to match on path-id in bgpctl(8) show rib outputs.
- Switched default snmpd(8) and snmp(1) auth back to hmac-sha1.
- Fixed a panic reported in upd(4).
- Cleaned up the fdisk(8) MBR/GPT initialization code, making -g independent of -i, leaving four mutually exclusive initialization options (-i, -b, -u and -A) with the last option specified executed (allowing the existing -i -g to work as intended).
- Added basic support for zero width joiners to tmux(1).
- Added client focus hooks to tmux(1).
- Fixed ure(4) after a media link change on RTL8153/B devices.
- Fixed a leak with wg(4) keepalive.
- Added a new "nameserver" command to route(8), sending nameserver proposals to resolvd(8) using the dns proposal protocol over the route socket.
- Increased iked(8) default data bytes limit for Child SAs to 4 GB, preventing excessive rekeying and lost data in high performance setups.
- Updated xf86-video-amdgpu to 21.0.0.
- Prevented a kernel panic in sparc64 due to page boundary misalignment.
- Added experimental support for using the SFTP protocol for file transfers in scp(1).
- Enabled riscv64 multiprocessor support.
- Ensured rkpwm(4) can find the clock when using a recent device tree.
- Fixed incorrect status code for expired mails resulting in a misleading bounce report in smtpd(8).
- Left resolv.conf(5) to resolvd(8) rather than recreating after finding nameservers.
- Fixed display of incorrect patterns on LUNA's wscons(4) with 1bpp framebuffer when backspace is typed.
- Switched iwx(4) to -63 firmware images as shipped in iwx-firmware-20210512, including fixes addressing fragattacks vulnerabilities.
- Supported the new iwx(4) firmware session protection command, required for successful associations with new firmware.
- Allowed cad(4) recognition as boot interface when using netboot, making autoinstall/upgrade work.
- Released rpki-client(8) 7.2.
- Fixed suspend/resume of machines with certain radeondrm(4) hardware.
- Added RK3399 Type-C PHY clocks and PCIe PHY reference clocks to rkclock(4).
- Delayed installation of sensors until a device with battery support is connected, allowing sensorsd(8) to pick up hotplugged uhidpp(4) devices.
- Made window-linked and window-unlinked window options in tmux(1).
- Corrected awk(1) -F null string behavior to ensure -F '' behaves consistently with -v FS="".
- Made dhclient(8) defer to dhcpleased(8) when the inet autoconf flag is set. When run, dhclient will signal dhcpleased to request a new lease rather than requesting one itself.
- Fixed an attachment problem for dwctwo(4) for certain devices issuing NAK interrupts during split transactions.
- Fixed potential races in slaacd(8) and dhcpleased(8) when two processes are configuring the same IP.
- Ensured MRT dumps containing add-path information will be dumped properly by bgpctl(8) (RFC 8050).
- Implemented Extended Optional Parameters Length for BGP OPEN Message (RFC 9072) in bgpd(8), allowing sending of more than 255 bytes of optional parameters.
- Passed make flags to kernel and lib builds, making hacking on ramdisks/the installer much faster.
- Fixed an mbuf leak in xnf(4).
- Added the possibility to send vendor class identifier and client identifier using dhcpleased.conf(5).
- Updated pixman to 0.40.0.
- Forced luna88k to use the serial console when no graphics board is found.
- Enabled LEDs for the mue(4) LAN7800 chip as found on the Raspberry Pi 3 Model B+.
- Enabled iwm(4) and ix(4) on riscv64.
- Added riscv64 userland timecounter support.
- Fixed strchr() and strrchr() on mips64.
- Added a ForkAfterAuthentication directive to ssh_config(5), equivalent to ssh(1) -f.
- Added a StdinNull directive to ssh_config(5) to prevent reading from stdin, equivalent to ssh(1) -n.
- Let allowed signers files used by ssh-keygen(1) signatures support key lifetimes and verification mode to specify a signature time at which to check.
- Fixed ix(4) with older amd64 and current riscv64 hardware if MSI is not enabled for the device.
- Synced dwctwo(4) with the NetBSD-current code base, enabling the USB on-board ethernet controller through mue(4) and enabling the two USB uhub3 ports on the Raspberry Pi 3 Model B+.
- Made dhcpleased(8) always configure provided routes, regardless of whether the address received in the lease is already configured.
- Made slaacd(8) send rDNS proposals on ramdisks, allowing resolvd(8) to learn nameservers and update /etc/resolv.conf with IPv6 resolvers.
- Updated Mesa to 21.1.5.
- Introduced a short wait in rc(8) after netstart(8) finishes until an IPv4 or IPv6 default route is present before continuing boot. Fixed setups depending on working network and DNS resolution during early boot when using autoconfiguration (dhcpleased(8) or slaacd(8)).
- Added AMD 17h/6xh Root Complex to ksmn(4).
- Used exclusive locks under /dev/ to ensure single instances of resolvd(8), slaacd(8) and dhcpleased(8).
- Added installboot(8) "-p" to prepare by creating a new filesystem on the partition reserved for the bootloader on relevant architectures.
- Fixed an alignment fault observed on an octeon machine while pppoe(4) negotiated a large MTU.
- Fixed races which were slowing ipsec(4) throughput.
- Stopped asking iwx(4) to send probe requests on passive channels, fixing firmware going unresponsive after association.
- Fixed an iwx(4) edge case where devices failed to resume after system suspend.
- Supported auto-tagging for ".It Va" in mandoc(1).
- Switched to dhcpleased(8) / resolvd(8) in base.
- Prevented a kernel panic after VFS shutdown.
- Added a SessionType directive to ssh_config(5), equivalent to the -N (no session) and -s (subsystem) command line flags.
- Ensured the TX FIFO isn't overrun for longer transfers in dwiic(4).
- Added uaudio(4) and umidi(4) to riscv64.
- Corrected various min/max cluster numbers for FAT12/16/32 in newfs_msdos(8).
- Fixed a read buffer overrun in X509_CERT_AUX_print(3).
- Switched iwm(4) to newer firmware images available in iwm-firmware-20210512. This provides FragAttacks fixes for the updated devices.
- Avoided a potential buffer overflow in backslash escaping in awk(1).
- Reverted drm_mm to the 5.7.y version to prevent X startup failures on laptops with raven ridge and picasso apus using amdgpu.
- Updated drm(4) to linux 5.10.47.
- Fixed iwx(4) against access points using TKIP as the group cipher.
- Introduced CPU_IS_RUNNING() and used it in scheduler-related code to prevent waiting on non-running CPUs.
- Disallowed the use of an empty list between "while" and "do" in ksh(1).
- Updated libdrm to 2.4.107.
- Allowed spaces to appear in usernames for scp(1) local to remote and scp -3 remote to remote copies.
- Displayed provider ID for a umb(4) SIM in ifconfig(8).
- Fixed a crash in mandoc(1) when an input file contains tbl(7) or eqn(7) input unsupported by -T man(1) output mode.
- Updated libz to zlib 1.2.11.
- Prevented athn(4) from calling ieee80211_find_rxnode() on bad frames in an attempt to prevent creation of bogus node cache entries.
- Implemented various fixes addressing firmware errors in iwm(4) and iwx(4).
- Added SMP support to risc64.
- Defaulted to attempting RRDP first in rpki-client(8) -r.
- Added rktcphy(4), a driver for the Type-C PHY controller found on the Rockchip RK3399.
- Expanded info callback support for TLSv1.3.
- Made tcpdump(8) split the 802.11 sequence number field into its sequence number and fragment number components rather than printing the whole field in decimal.
- Made anonymous object reference counting independent from the KERNEL_LOCK().
- Enabled dt(4) on sparc64.
- Added btrace(8) display of time spent in userland when analyzing the kernel stack in the flame graph tool and fixed a parsing bug.
- Implemented 64-bit DMA mode in cad(4).
- Added riscv64 drm(4) support.
- Corrected a potential memory leak associated with pfsync(4) update requests.
- Added basic radeondrm/X support for riscv64 and supported xf86-video-radeon and xf86-video-amdgpu drivers.
- Allowed (w)hole disk allocation for GPT disks in arm64, using fdisk(8) -A when an Apple APFS ISC partition is detected and fdisk -ig otherwise. Created EFI SYS boot partitions only on ROOTDISK GPT disks.
- Added titmp(4), a driver for the TI TMP451 temperature sensor.
- Introduced locks around the global pf(4) state list.
- Ensured the values for fdisk(8) -b and -l are treated as 512-byte block counts.
- Fixed node leaks in iwm(4) and iwx(4) which caused the drivers to get stuck when roaming between access points.
- Added vmd(8) support for variable length vionet rx descriptor chains.
- Added an fdisk(8) -A option to initialize a GPT without removing special boot partitions.
- Removed default communities, changed seclevel default from none to enc and only allowed SNMPv3 by default in snmpd(8). Changed default authentication to SHA-256 and privacy protocol to AES in snmpd(8) and snmp(1).
- Made fdisk(8) available to architectures other than amd64 and i386 and extended the syntax to allow specification of the boot partition type and offset.
- Stopped attempting to install a default route with route(8) in netstart(8) if using inet autoconf.
- Increased the setitimer(2) timer limit to UINT_MAX seconds.
- Introduced sfclock(4), a driver for the SiFive Power Reset Clocking Interrupt (PRCI).
- Introduced sfcc(4), a driver for the SiFive level two cache controller.
- Introduced plic(4), a driver for the RISC-V Platform-Level Interrupt Controller.
- Implemented enhanced route refresh (RFC 7313) in bgpd(8).
- Added simple BGP enhanced route refresh message decoding to tcpdump(8).
- Fixed an iked(8) bug where no flows are added if a single address is configured in the config address instead of a pool.
- Added Broadcom BCM5725 to brgphy(4).
- Implemented classless static routes dhcp option in dhcpleased(8).
- Fixed a panic due to pfsync(4) deferral timeout handling.
- Fixed an issue preventing applications from selecting the non-ALTIVEC code path on macppc.
- Enabled nvme on riscv64.
- Introduced sfuart(4), a driver for the SiFive UART, and added support for it as a console.
- Added the ability for fdisk(8) to recognize "HiFive! FSBL" and "HiFive! BBL" GPT partitions.
- Enabled dwpcie(4) on riscv64 and added support for the PCIe host bridge found on the SiFive FU740 SoC.
- Made fdisk(8) always create an EFI SYS partition if the -b option is specified when initializing a GPT.
- Limited the workaround for AMD errata 400 ("APIC Timer Interrupt Does Not Occur in Processor C-States")to family 0fh and 10h.
- Serialized the internals of kqueue(2) with a mutex.
- Ensured a USB mouse will attach if otherwise qualified even if the usage report does not include X and Y usages.
- Prevented interleaved stack traces in ddb(4) from multiple CPUs.
- Added -F for tmux(1) command-prompt and used it to fix "Rename" on the window menu.
- Added different tmux(1) command histories for different types of prompts.
- Fixed tmux(1) problems with xterm in VT340 mode.
- Added an "always" value to the extended-keys option to always forward those keys to applications inside tmux(1).
- Added the Spleen 12x24 and 16x32 font on amd64's RAMDISK_CD and RAMDISK kernels.
- Prevented a hang in sshd(8) when interrupted.
- Enabled MSI-X support for powerpc64.
- Added libexecinfo, a library providing backtrace functions.
- Stopped fatal error in amdgpu(4) on failing to map visible VRAM.
- Prevented stack overflow in vmd(8) due to large dhcp packets on local interfaces.
- Ensured (W)hole disk partitioning cannot be used if an "APFS ISC" is found on the disk, required for Apple M1 machines to boot.
- Used installboot(8) on arm64 ramdisks.
- Matched host certificates against host public keys in sshd(8), allowing use of certificates with private keys held in an ssh-agent.
- Released OpenBGPD 7.0.
- Unlocked connect(2).
- Prevented a race condition which could result in sshd(8) not shutting down until the next time it receives a new connection.
- Allowed ssh_config(5) SetEnv to override $TERM.
- Disabled PPGTT on Intel machines with cherryview/braswell graphics to avoid memory corruption.
- Implemented multicast support in mvpp(4).
- Adjusted density for partitions on a 4k disk in newfs(8) when fragsize and density are not passed on the command line to ensure sufficient inodes to hold a src tree on a 2G fs.
- Relaxed media length checking to allow EFT GPT partitions to be smaller than the full disk.
- Added GPT support to armv7 installboot(8).
- Added arm64 support for booting from disks with 4k sectors.
- Allowed locking of a randomly assigned lladdr in vmd(8).
- Enabled pool cache on knote(9) pool.
- Unlocked setrtable(2).
- Added RTLD_NODELETE support.
- Introduced per-CPU panic(9) message buffers.
- Prevented crashes on amd64 when TLB entries which should have been invalidated were used.
- Fixed iwx(4) firmware reloading after a failure to parse the firmware file.
- Attached unsupported video devices to uvideo(4) but not video(1), rather than leaving it unmatched.
- Added a -R flag to usbhidctl(1) to dump the raw report descriptor bytes.
- Fixed a problem in iked(8) where no flows are loaded when a single config address without pool is configured.
- Avoided "mac clock not ready" panics in iwm(4) and iwx(4).
- Added hid_get_report_desc_data() to usbhid(3) to access raw report descriptor data.
- Fixed overlap check in disklabel(1) autoalloc code.
- Added initial arm64 support for installing on a disk with a GPT.
- Added an experimental post-quantum hybrid key exchange method based on Streamlined NTRU Prime (coupled with X25519) to iked(8) as sntrup761x25519.
- Added cad(4), a driver for Cadence GEM.
- Prevented watchdog resets on some i.MX 64-bit machines with a recent U-Boot and watchdog enabled on boot in imxdog(8).
- Added aplns(4) to provide support for Apple NVME storage as found in Apple M1 devices.
- Relaxed criteria for recognizing GPT formatted media, allowing GPT disk images added with dd(1) onto larger physical media to be recognized by fdisk(8) and the kernel.
- Improved bgpd(8) graceful restart capability handling.
- Added aplspmi(4), a driver for the Apple SPMI controller.
- Added aplpmu(4), a driver for the Apple "sera" SPMI power management unit that contains the RTC on Apple M1 systems.
- Updated libexpat to 2.4.1.
- Fixed futex(2) errno handling to match what Mesa expects and prevent failure to properly report timeouts.
- Used so_lock to protect key management (PF_KEY) sockets.
- Added support for pf(4) divert-to on tpmr(4) and veb(4).
- Fixed a segmentation violation in ssh(1) in an UpdateHostKezs debug() message when the update removed more host keys than remain present.
- Created audio devices for armv7.
- Added apldwusb(4), a glue driver for the Synopsys DesignWare USB 3 controllers found on the Apple M1 SoC.
- Added apldart(4) support for a DART with two sets of registers, needed to support the Synopsis DesignWare USB 3 controller.
- Skipped inspecting non-udp packets on local interfaces for vmd(8).
- Added TLS options cafile=(path), nosni, noverify and servername=(name) to smtp(1).
- Fixed overflows when reading multiple bytes from AML over an i2c bus in acpi(4).
- Allowed specification of TLS ciphers and protocols in smtp(1).
- Added a meta viewport element to the HTML output for mandoc(1) -Thtml.
- Fixed __ppc_lock for page faults that recursively grab the lock on powerpc.
- Added PCI support to riscv64.
- Increased the maximum data size on powerpc64 to 32GB.
- Fixed a kernel crash in tty(4).
- Disabled global page table mappings when using PCID to prevent crashes when not flushed from TLB.
- Fixed ssh(1) to restore file descriptors to non-blocking mode on exit.
- Prevented guest virtio drivers from causing stack and buffer overflows in vmd(8).
- Fixed uaudio(4) on certain machines such as the RPI4 by adding a pre-DMA-write barrier after data is stored to memory.
- Dropped fragmented 802.11 frames.
- Fixed a race condition in vmm(4) relating to incorrect physical cpu tracking.
- Fixed state key reference underflow when both state keys are identical in pf(4).
- Made additional free inodes on luna88k bsd.rd by specifying density=4096.
- Increased the default buffer space on PF_UNIX sockets to 8k and made the values tuneable via sysctl(2).
- Limited the number of concurrent RTR connects to 32 in bgpd(8).
- Prevented httpd(8) from trying to chunk encode an empty http body coming from an fcgi upstream.
- Prevented frame injection via forged 802.11n A-MSDUs.
- Updated en_US.UTF-8.src to Unicode 13.0.
- Implemented the tbl(7) layout modifiers "b" (bold) and "i" (italic) in mandoc(1) HTML output mode.
- Added pledge(8) for ftpd(8) user processes.
- Fixed IPsec(4) NAT-T to work with pipex(4).
- Fixed ssh(1) started with ControlPersist incorrectly executing a shell when the -N option was specified.
- Allowed router solicitations from the unspecified address (::) in rad(8).
- Updated libexpat to 2.3.0.
- Worked around x86 machines that advertise the "hardware reduced" ACPI feature, advertise S4 and S5 support, but fail to populate the SLEEP_CONTROL_REG and SLEEP_STATUS_REG descriptions in the FADT. This fixed the ASUS Zenbook 14.
- Limited the printf(1) \x escape sequence to two characters.
- Added support for RTL8168FP/RTL8111FP/RTL8117 to re(4).
- Added an 'expires' column to CSV & JSON output of rpki-client(8).
- Unlocked lseek(2).
- Unlocked the top part of the fault handler.
- Fixed hangs on riskv64 by replacing timer(4) with code based on the powerpc64 implementation of the randomized statclock code.
- Added support to binutils for riscv64.
- Prevented base pkg tools from looking under /usr/local in general.
- Tweaked net80211 RA heuristics to avoid picking Tx rate choices that may be too optimistic.
- Added 802.11n Tx aggregation support to iwm(4).
- Worked around a problem with certain athn(4) hardware that caused problem when running in HostAP mode with clients that use Tx aggregation.
- Disabled base-gcc on amd64.
- Retired OpenBSD/sgi platform.
- Changed int_TS_RESP_verify_token to avoid a double free.
- Made kernel stop all threads when terminating via pledge_fail().
- Made iwn(4), iwm(4) and iwx(4) keep track of beacon parameters at run-time.
- Used relative reference URIs in Location header on directory redirects in httpd(8), adding support for front-ending httpd with a TLS-terminating gateway that forwards unencrypted http traffic.
- Imported libc++ and libc++abi 11.1.0 releases.
- Imported LLVM 11.1.0 release including clang, lld, and lldb.
- Enabled dt(4) for GENERIC kernels on amd64, arm64, i386, and powerpc64.
- Fixed vmctl(8) client "wait" state corruption in vmd(8) when a wait is canceled and restarted, allowing multiple waiting clients.
- Implemented support for Rx aggregation offload in iwm(4) and iwx(4) and re-enabled de-aggregation of A-MSDUs in net80211 for all drivers capable of 11n mode.
- Fixed an issue on machines where the EFI memory map has more than 64 entries.
- Added gfrtc(4), a driver for the real-time clock interface of Google's Goldfish Android virtual hardware platform, used for the RTC on qemu-system-riscv64 -M virt.
- Only skipped pf(4) once for packets injected by a divert-packet socket, allowing pf to still act later on a diverted packet.
- Imported initial OpenBSD/riscv64 port.
- Changed error reporting for bwfm(4) to use the long version of the firmware path. This makes it easier to find the correct files to add to the bwfm-firmware port.
- Added protections against guests with bad virtio drivers to vmd(8)
- Made kqueue(2) timer re-addition reset an existing timer to use the new timeout period.
- Changed cwm(1) maximization and full-screen mode toggling to keep the cursor within the window, preventing focus loss.
- Cleaned up TLS v1.2 certificate request handshake data. This fixed a bug where decoding was broken when the number of certificate types exceeded SSL3_CT_NUMBER.
- Fixed __builtin_bitreverse32 on 32-bit powerpc, needed to build clang-11.
- Added indication of whether an mg(1) function is unsuitable for a startup file.
- Added keep-alive support to the rpki-client(8) HTTP module.
- Added "dired-jump" command to mg(1) to open a dired buffer containing the current buffer's directory location.
- Enabled all Thinkpad X1 Extreme 1 speakers and atmos dolby in azalia(4).
- Corrected multicast decryption for iwx(4).
- Moved to 6.9-current.