This selection is intended to include all important and all user-visible changes.
For a complete record of all changes, please see the "source-changes" mailing list, called "OpenBSD CVS" in the archives, or use CVS.
Note: Problems for which patches exist are marked in red.
When doing a lookup in the routing table, account for the fact that L2 entries are always in the first table of a routing domain. This fixes a regression introduced during 5.7 and 5.8.
Fix ECMP routing by passing the correct destination address to the hash routine.
On hppa, hppa64, macppc and sgi, restore validity checks for the disklabels read from disk. This fixes a problem when reading CDROM disklabels.
In pkg_add(1), sanitize the environment through a whitelist. Only pass what is relevant for ftp(1) and similar programs.
Remove the "GenuineIntel" check from x86 mdrandom(). This enables the use of RDRAND and TSC fallback on CPUs from other vendors, notably AMD.
In ssh(1), avoid fatal error for PKCS11 tokens that present empty key IDs (bz#1773).
In ieee80211(9), don't pass QoS "no data" frames to the A-MPDU reordering logic. This avoids major confusion.
In ipmi(4), check the sensor name length more carefully. This avoids a panic on the Dell R210 II.
In sftp(1), fix a regression where existing destination directories would incorrectly terminate recursive uploads (bz#2528).
In wsconsctl(8), hidms and uts(4), permit negative x and y coordinates in mouse.scale.
On hppa64, make __cpu_simple_lock provide serialisation of the critical section. This makes atomic sequences actually atomic.
In 5.8, fix a bug in vlan(4) and carp(4) refcounting. This will cause a panic when root does an "ifconfig destroy" of the parent interface. (5.7 and -current are not affected.)
In ieee80211(9), log frames which fall outside the BlockAck window in dmesg(8) if the interface debug flag is set.
On hppa, make __cpu_simple_lock provide serialisation of the critical section. This makes atomic sequences actually atomic.
In ssh(1), turn off more old crypto: hmac-md5, ripemd, truncated HMACs, RC4 and blowfish.
In ssh(1), do not attempt to percent-expand already-canonicalised addresses. This avoids unnecessary failures when attempting to connect to scoped IPv6 addresses.
In hexdump(1), fix a bug that caused nothing to be skipped when skipping exactly the number of bytes present in a regular file was requested.
In 5.8, fix a kernel crash when root creates, changes or destroys carp(4) interfaces multiple times with ifconfig(8). (5.7 and -current are not affected.)
In ssh(1), make application of rekey limits more accurate (related to bz#2521).
In pchtemp(4), add support for the Intel 9 Series.
In radeondrm(4), enable the code that reads the BIOS from the ACPI VFCT table on platforms with ACPI.
Fix iwn(4) CCMP replay detection so it does not drop out-of-order A-MPDU subframes. This helps 11n mode with WPA.
In the msdosfs code, guard against integer overflow when checking whether writing to a file stays within the maximum file size.
Make write(1) explicitly ASCII only. This prevents sending of potentially harmful bytes to terminals that do not support UTF-8.
In iwm(4) and iwn(4), set max A-MPDU length to 64k instead of 4k and tell the firmware about A-MPDU spacing.
In ieee80211(9), store ADDBA request and response parameters in the block ack record. Now it is possible to keep track of the ACK policy and echo it back to the AP. This fixes Apple Airport APs.
On mips64, re-enable OpenGL.
In ssh(1), fix a problem where the mux master would sporadically fail to notice that the client had exited.
In tmux(1), do not wrap cursor at start or end of history.
Restore the CCMP key to firmware after HT protection setting updates. This unbreaks WPA in 11n mode.
Pass 802.11 control frames in monitor mode.
In ieee80211(9), restore the BlockAck session timer.
In smtpd(8), when deleting a message, remove associated envelopes from the cache.
In the ext2fs and ufs code, prevent a signed overflow.
In tcpdump(8), fix an infinite loop when printing a country element in a management frame in case we hit channel Tx power limits that cannot be pretty-printed.
In efiboot, work around peculiarities of (buggy) UEFI implementations: always call SetMode(), but don't report an error if the current mode is the same as the desired mode.
In radeondrm(4), prevent a panic when the ROM size is 0.
Check block 0 signature, physical block size and physical block count when reading partition map.
Check for unmapped physical blocks and overlapping partitions when reading partition map.
Remove "v" command.
Add hostctl(8), a tool to access key-value stores on the host, currently for hypervisor information stores on pvbus(4). It is not enabled yet.
On amd64 and i386, add /dev/pvbus0.
In pvbus(4), add a key-value interface that allows getting or setting values in the underlying information store of the host from the OpenBSD-VM's userspace.
In libpthread, replace the malloc spinlock with a mutex. This makes ports like Firefox significantly more usable.
In mg(1), ensure the backup file has the same mtime as the original file.
In xnf(4), rewrite tx path to use flat transmit ring without fragment chains. This gives a transmit performance improvement and taxes grant table references much less than before.
In xen(4), do not take a grant table entry mutex in xen_grant_table_{enter,remove} since it is unnecessary. This provides a performance improvement as well.
In malloc(3), fix a possible crash when dumping malloc stats.
In xen(4), ensure use of locked atomic operations even on the SP kernel.
In fputwc(3), when encoding fails set the error indicator as required by POSIX and as done by FreeBSD, SunOS 10/11 and glibc.
In vr(4), fix an mbuf leak on encapsulation failure.
In ieee80211(9), honour ERP protection on 2 GHz channels in 11n mode.
In vmm(4/amd64), zero the buffer to be copied out to userland to avoid information leak.
In 5.8, fix a kernel crash when root creates, changes or destroys vlan(4) interfaces multiple times with ifconfig(8). (5.7 and -current are not affected.)
In ieee80211(9), iwm(4) and iwn(4), keep track of HT protection settings in beacons and have 11n-capable drivers update hardware configuration accordingly.
In xnf(4), revert the minimum number of rx ring slots back to 32.
In vmx(4), do not send the mbuf to bpf(4) after passing it to the hardware. This could have resulted in a page fault.
Set argument encode / result decode callbacks for "maplist".
Set argument encode / result decode callbacks for "all".
In ld.so(1), make a nodelete object lock down the entire load group, not just the specific object.
Update to Mesa 11.0.9.
On arm and armv7, switch to SVC mode when machines with virtualisation extensions boot into a HYP processor mode that has different memory management and register behaviour among other things. This prevents an early crash.
In pdisk(8/macppc), avoid double prompt after creating default map on startup.
In dwiic(4), avoid reading uninitialised memory when expected value types are not present.
In xnf(4), set up interface features based on capabilities provided by the backend.
In xnf(4), set minimum number of slots on the receive ring to 18 as most versions of Xen require at least this number of slots.
Always check destination MAC address of received unicast packets, not only when in promiscuous mode. This is necessary for NICs like virtio(4).
In vxlan(4), drop packets whose VNI flag is not set and VNI is not zero.
On sparc64, check for disks deeper than 4 levels down in the Open Firmware device tree. This makes softraid(4) boot possible on more sparc64 machines.
In xnf(4), do not bump output errors when the tx ring is full.
Add hidmt(4) (a HID-layer driver for multitouch touchpads that conform to the "Windows Precision Touchpad" standard) and imt(4) (an i2c-HID driver that sits between ihidev(4) and hidmt(4)).
In ihidev(4), add the ability to set and get reports and establish interrupt before probing for devices to handle each report ID.
In morse(6), use the <AC> prosign as "@". Support decoding only of other prosigns, including <SK> as we were previously using for "@".
In unbound(8), suppress "cannot assign requested address" log messages unless verbosity is high.
On sparc, fix a race causing hardclock(9) to be sometimes invoked between the end of cpu_configure() and initclocks().
In calendar(1), add a calendar file for the United Kingdom.
Prevent a NULL dereference when detaching a USB device with ugen(4) disabled or if allocating memory during the attachment process failed.
On octeon, add support for a variety of USB devices.
In ssh, remove roaming support altogether.
5.7 and 5.8 SECURITY FIX: experimental roaming code in the ssh client could be tricked by a hostile sshd server, potentially leaking key material (CVE-2016-0777 and CVE-2016-0778). A source code patch and workaround are available for 5.7 and 5.8.
In ssh(1), disable experimental client-side roaming support.
Grab the kernel lock before delivering a message to the routing socket when an ARP resolution has been done. This should fix the "receive 1" panic.
In pfctl(8), print an error message when detecting multiple root queues on a single interface.
In acpi(4), fix a bug in dwiic(4) where it would try to access i2c devices on busses they're not attached to.
In ssh(1), eliminate fallback from untrusted X11 forwarding to trusted forwarding when the X server disables the SECURITY extension.
In luit(1), properly disable LNEXT (^V) processing.
In dhcrelay(8), check UDP length for short as well as long values.
Implement VFS read clustering for MSDOSFS.
Make "ifconfig $if mode" a valid subcommand that works independently of the "media" subcommand.
In iwn(4), tell the firmware to retry failed Tx at 1Mbit/s instead of MCS 0. This seems to make tx rate scaling go up faster and helps rx performance.
In vlan(4), do not propagate any of the parent interfaces offload features on svlan(4).
On amd64 and i386, in the TSC fallback code, perturbance is biased towards the lower bytes of a word. Compensate for this with a bit-spreading operation which applies a result byte by byte.
Let smtpd(8) start on machines without a FQDN as hostname.
Add dwiic(4) (a driver for the Synopsys DesignWare i2c controller), ihidev(4) (a HID-over-i2c driver) and ims(4) (a HID-over-i2c mouse/trackpad driver).
In the installer, validate the data for CGI_{METHOD,TIME,TZ} since it comes from an external source.
In em(4), avoid a use-after-free when posting the packet on 82547 chips after bpf(4).
Make sdhc(4) attach to hardware IDs 80860F14 and PNP0FFF.
Make sure the keyboard mux gets picked up by the primary (console) display and that USB keyboards get paired with the console even if they are not marked as the console keyboard.
In relayd(8), add the host_error output and the http code (when available) to the host-check log.
On amd64 and i386, ensure the keyboard mux gets picked up by the primary (console) display and that USB keyboards get paired with the console even if they are not marked as the console keyboard.
Add uonerng(4), a driver for the Moonbase Otago OneRNG.
On octeon, prevent rendezvous from failing if buffering is enabled.
In Mesa, disable reading of drirc files by default. This allows for a stronger pledge(2) in chromium.
In ieee80211(9), make the A-MPDU reordering buffer more resilient against APs which drop some subframes or let the sequence number jump up by more than 1. This should fix network stalls seen in 11n mode.
In iwn(4) and iwm(4), fix A-MPDU parameters in link quality firmware commands.
In mandoc(1), detect recursive "define" in eqn(7) which avoids infinite loops.
In hack(6), read ^Z as a normal character. This fixes suspend/resume.
In iec(4/sgi), take the PHY out of reset before attaching the interface. This allows for disabling some checks on reboot, making reboots faster especially on IP27.
In sendsyslog2(2), avoid a panic that could occur when writing to the console.
In ix(4), do not grab the kernel lock in the rx and tx paths.
In trunk(4), fix the "lacp_compose_key protection fault trap" when removing a port from a lacp trunk.
Add pchtemp(4), a driver for the thermal sensor on recent Intel PCHs.
In inteldrm(4), unconditionally set the "switchcookie". This fixes synchronous VT switching.
Set the UltraDMA transfer mode for SATA drives. Some of these drives, such as the Maxtor 7Y250M0, refuse to do DMA unless the transfer mode has been set. This causes reads (and presumably writes) to time out.
In the installer, do not insist on EFISYS partitions on non-root disks and prevent an autoinstall loop.
In cp(1), set the times, mode and flags on symlinks when doing cp -p (or mv across filesystems).
In ukbd(4), enable the iso keyboard munge fix for MacBookAir6,2.
In libevent, revert the change to call kevent(2) immediately (which was done to prevent the dispatch loop from bringing down the entire process). tcpbench(1) relies on the old behaviour.
On sgi, add a timecounter for MP, make interrupt masking MP-aware, add launch logic for secondary CPUs and add IPI logic.
In dhclient(8), do not exit if a route can not be added.
In rc.d(8), don't report that the daemon has successfully started if it actually failed because of a config error.
Prevent GPU lockups with KMS and AGP-enable on Uninorth (G4) machines. KMS is now usable on Uninorth machines but X11 output is still corrupted.
Do not match Uninorth bridges until we have a working KMS with AGP support for G4 machines. This allows us to enable agp(4) again for G5 machines which makes X11 usable on the Dual G5 with radeondrm(4).
Make carp_output() MP-safe.
Add UTF-8 support to uniq(1). Let -f recognize non-ASCII blank characters and let -s count characters rather than bytes.
In tmux(1), make input off flag (selectp -d) apply to synchronize-panes too.
Fix the behaviour of csqrt(3): we should have csqrt(conj(z)) == conj(csqrt(z)).
Avoid modulo bias in the IPv6 stack.
In the scheduler, make the cost of moving a process to the primary CPU a bit higher. This is the CPU that handles most hardware interrupts, so by making it less likely that the softnet taskq runs on that CPU, most of the performance lost by "unlocking" network drivers is restored.
In acpithinkpad(4), add display brightness support, available on the last few ThinkPad generations. This fixes surprising brightness changes that would sometimes happen if you used the brightness keys or if the firmware decided to reset the brightness level for some other reason.
Update to xf86-input-synaptics 1.8.3.
Update to xf86-input-keyboard 1.8.1.
In libevent, prevent the dispatch loop from bringing down the entire process because of incomplete kqueue(2) support for various types of files and filesystems.
In awk(1) and npppd(8), remove modulo bias in the random number generator.
Add the _sndiop user and group in preparation of the sndiod(8) privsep.
In resolver(3), remove support for HOSTALIASES. It is incompatible with pledge(2).
In acpithinkpad(4), avoid panics on older ThinkPads when pressing the ThinkLight key.
In nc(1), print the certificate validity to the verbose output when using TLS.
Avoid grabbing the kernel lock in uvm_unmap() if we have an interrupt-safe map.
In syslogd(8), unbreak adding mark messages to log files.
Remove the Class 3 Public Primary Certification Authority root certificate from /etc/ssl/cert.pem, per recommendation of Symantec/VeriSign.
In asmc(4), add more temperature keys found in MacBook Airs (6,1 and 7,2) and MacBook Pro (10,2).
Update to unbound 1.5.7.
In mountd(8), fix issues with adding and deleting exports when (re)reading the exports(5) file.
Add UTF-8 support to fmt(1). The -c option is not yet handled.
Do not panic when trying to delete a non-existing route with ART.
In relayd(8), handle the HTTP PATCH request correctly.
In tmux(1), allow list-keys and list-commands to be run without a running server.
In acpithinkpad(4), handle the keyboard backlight found on newer ThinkPads.
In ksh(1), fix moving through and deleting multibyte characters in emacs command-line editing mode.
Install the OpenBSD::Pledge Perl module.
Remove plain DES encryption: remove support for DES-CBC encryption in ESP and in IKE main and quick mode from the kernel, isakmpd(8), ipsecctl(8) and iked(8).
In libcrypto, change the counter argument for CRYPTO_chacha_20 to be 64-bits on all platforms. This avoids truncation of the counter on 32-bit platforms.
Do not trigger a KASSERT() if the route we're trying to remove does not exist and we get another matching one instead.
Do not trigger a KASSERT() when destroying/detaching an interface with RTF_CLONED routes attached.
In inteldrm(4), enable support for 3840x2160 60Hz SST.
Rework the if_start MP-safe serialisation so it can serialise arbitrary work.
Add random "canaries" to the end of an allocation. This option is enabled with the malloc.conf(5) "C" flag.
When writing junk to freed chunks (current default behavior), check that the junk is still intact when freeing the delayed chunk in order to catch a potential use-after-free.
Add xenstore(4), a driver for XenStore, the configuration storage.
Add xspd(4), a driver for the XenSource Platform Device.
In vmm(4), restore VMM mode after resume from suspend/hibernate.
In vmd(8), terminate all running VMs on startup: it is not possible to pick up state of "zombie" VMs yet.
In as(1), implement the .inst assembler directive for arm.
Ensure the same CPU numbering is used for the kern.cptime2 sysctl as for kern.proc. This fixes an issue in top(1) where a CPU would seem to be idle even though a thread was reported to be running on it.
In ssh(1), prefer rsa-sha2-512 over -256 for hostkeys.
Update termtypes.master to upstream terminfo-20151128.
In rc.conf(8), merge "multicast_router" and "multicast_host" into a single "multicast" configuration variable.
In bnx(4), make the interrupt handler MP-safe, and perform RX and TX completion outside the kernel lock.
Make pppx(4) packets with npppd(8) through the device. This makes pppx(4) work with pipex.enable=0. Also fix tun(4) not to pass the packets to pipex(4) when pipex.enable=0.
Do not loop on EAGAIN in imsg_read(3); return the error instead. This fixes spinning relayd(8) processes seen on busy TLS relays. Adjust all imsg_read(3) consumers accordingly.
In ssh, implement SHA2-256 and SHA2-512 for RSASSA-PKCS1-v1_5 signatures for user and host auth.
In vmctl(8), add -c to the "start" subcommand to automatically connect to the VM console after startup.
Add a few kernel lock improvements in the network stack.
5.7 and 5.8 RELIABILITY FIX: a NULL pointer dereference could be triggered by a crafted certificate sent to services configured to verify client certificates on TLS/SSL connections. A source code patch is available for 5.7 and 5.8.
Add a fix for OpenSSL CVE-2015-3195 and one for OpenSSL CVE-2015-3195.
In vmctl(8), re-add the "load" and "reload" commands.
Re-enable acceleration on Broadwell.
Revert xenocara/driver/xf86-video-intel/src/sna/sna_accel.c r1.6 that partly disabled acceleration on Broadwell. The "blt" codepath is not tested well and makes X crash.
Make DRI2 work on OpenBSD where we don't have support for DRI3 yet.
Enable glamor on architectures where we have OpenGL.
In ppb(4), properly configure bridges left unconfigured by the system firmware. This makes the Apple Thunderbolt Gigabit Ethernet adapter work when inserted at boot time.
Enable the GSE interrupt on Broadwell. This fixes ACPI brightness control on the MacBookPro12,1 and 3rd generation Lenovo X1 Carbon.
In pcidump(8), print PME# state together with the PCI power state when enabled/asserted.
In syslog.conf(5), disable the *.emerg block by default.
Automatically start vmm(4) when the first VM is created and after the last VM is terminated. This removes the explicit enable and disable commands from vmmctl(8) and vmm.conf(5).
In fdisk(8), when prompting for a GPT partition type, use the partition's current type as default; and when prompting for an LBA, show the minimum and maximum values in the prompt.
In ifconfig(8), fix breakage when re-configuring an IPv6 static address.
Stop building Mesa on alpha and mips64 because of gcc and binutils issues.
Replace IFF_OACTIVE manipulation with MP-safe operations.
Add sendsyslog2(2). This makes it possible to remove the direct /dev/console opening code from libc.
In libc, use reentrant versions of getpwnam(3), getpwuid(3), getgrnam(3), and getgrgid(3) to avoid reusing the static buffers returned by the non-reentrant versions.
In tmux(1), only assume pasting with at least two characters.
Update to flex(1) 2.5.39 and add various improvements including use of pledge(2).
In fdisk(8), when an existing partition is modified in LBA mode, ensure that the partition table is marked dirty so that it gets written when "quit" is issued.
Unbreak next-hop caching on multipath setups: when multiple gateways are in use, the next-hop entry might not be on the same interface.
In bgpd(8), in the session engine, handle loss of the pipe with a normal shutdown of sessions and exit.
In ssh-keygen(1), allow fingerprinting from standard input and support fingerprinting multiple plain keys in a file and authorized_keys files (bz#1319).
Add the QuoVadis root certificates to /etc/ssl/cert.pem.
In sshd(8), add a new authorized_keys option "restrict" that includes all current and future key restrictions. Also add permissive versions of the existing restrictions.
Always strip off setuid/setgid bits when creating copies of files.
In ieee80211(9), fix CCMP (WPA2) in preparation for 11n.
Remove libocurses. It is no longer used.
In mandoc(1), fix a bug where hitting Ctrl-Backslash (= SIGQUIT) in the less(1) process spawned by man(1) causes man(1) to die uncleanly leaving behind its temp files, and kill less(1) uncleanly leaving the terminal in the wrong state.
5.7 and 5.8 RELIABILITY FIX: insufficient validation of RSN element group cipher values in 802.11 beacons and probe responses could result in system panics. A source code patch is available for 5.7 and 5.8.
Add the _vmd user and group for the forthcoming vmd(8) daemon.
Revert gnu/usr.bin/gcc/gcc/cp/g++spec.c r1.2 and r.13 in order to go back to the default upstream behaviour when linking a shared library with c++. It is no longer necessary to behave the same as g++ 2.95.
In ssh-keyscan(1), add -c to allow fetching certificates instead of plain keys.
In ncr53c9x, when issuing a non-dma command, set a length variable to 0 upfront to avoid problems on command completion interrupt.
In ld.so(1), fix unloading of load groups when the last reference was not on the load_object but rather some descendent.
On i386, fix a regression by reading/writing to CR4 register only if the processor has this capability.
Stop creating the directory /usr/share/nls. If the user does not specify a NLS path, fail early in catopen(3).
In res_init(3), restrict the number, size and address family of nameservers. This fixes a crash in sendmail. Only programs that use the bind resolver internals directly are affected.
Replace less(1) with the cleaned-up fork of less 458 maintained by Garrett D'Amore.
Update to unbound 1.5.6.
Update to nsd 4.1.6.
In the loongson installer, ensure that the partition containing the boot blocks is recognized on the eBenton EBT700.
Disable TCP/UDP TX hardware checksumming if an IPv4 packet contains IP options or if an IPv6 packet contains header extensions.
In rtadvd(8), recognize carp(4) interfaces in order to send the src lladdr option.
In fdisk(8), don't allow the user to enter GPT partition names too large to fit in the GPT partition structure. Also avoid running off the end of the name buffer.
Prevent a panic caused by an infinite recursion in the network stack.
In efiboot, use "Loaded Image Protocol" instead of "Loaded Device Path Protocol" to find the boot device since the MacBook does not support the latter protocol.
In snmpd(8), don't lose the ARP entries when updating an interface.
Add Chacha20-Poly1305 to the OpenBSD Cryptographic Framework and enable it in the software crypto driver and the IPsec/ESP and PF_KEY frameworks.
In whois(1), add -I to use whois.iana.org (root zone database).
In tcpdump(8), print RDNSS nameserver addresses and option names for some other known options that are not otherwise decoded yet (DNSSL, route information).
In smtpctl(8), implement the "discover" subcommand.
In ssh(1), fix "PubkeyAcceptedKeyTypes +..." inside a Match block.
Make inteldrm(4) attach to pci(4) instead of vga(4). This is needed for machines where Intel graphics isn't the primary graphics device and on systems with UEFI firmware that put the device in non-VGA mode.
In ssh(1), expand tildes in filenames passed to -i before checking whether or not the identity file exists in case the shell doesn't do the expansion (bz#2481).
In eigrpd(8), keep conversions between the real and composite bandwidth consistent with what Cisco does.
In ssh(1), fix keyscan output for multiple hosts/addresses on one line when host hashing or a non standard port is in use (bz#2479).
In tcpdump(8), avoid a segfault with malformed DECnet packets.
In ping6(8), move the output of the src address to the -v option. This syncs the output with that of ping(8).
Ignore Router Advertisement's current hop limit.
Wait a short while between setting a USB device's address and reloading its descriptor. This fixes a flaky attach of USB devices on the Thinkpad Helix 2.
In syslogd(8), stop the chrooted child from trying to load the default CA file.
In x99token(1), avoid a race between fopen(3) and fchmod(2). This prevents an attacker from opening an old file with wrong permissions before the secret is written into it. It also guarantees that a new file with correct permissions is created.
Remove the "!" (subshell) and "v" (edit) commands from the ramdisk more(1) command.
On octeon, let the rx path of cnmac(4/octeon) run without the kernel lock.
In smtpctl(8), allow "all" as an argument for the "resume envelope", "pause envelope" and "remove" subcommands.
In tcpdump(8), fix a crash that occurs when printing the filename in a malformed NFS request packet.
5.6, 5.7 and 5.8 RELIABILITY FIX: the OBJ_obj2txt function in libcrypto contains a one byte buffer overrun and memory leak. A source code patch is available for 5.6, 5.7, 5.8.
In tar(1), use a strict $PATH to run the (de)compressors.
In newsyslog.conf(5), allow the wheel group to read /var/log/maillog.
RELEASE CD ISSUE: the "src.tar.gz" file on the source tree was created on the wrong day and does not match the 5.8 release builds. A replacement file is available for 5.8.
5.6, 5.7 and 5.8 RELIABILITY FIX: a problem with timer kevents could result in a kernel hang (local denial of service). A source code patch is available for 5.6, 5.7 and 5.8.
In fdisk(8), enhance -g to create a default GPT label in addition to the protective MBR. If -b is specified, an EFI System partition of the requested size is created.
When multiple vxlan(4) interfaces are configured with the same VNI, select the interface whose tunnel destination corresponds to the incoming packets' source address.
In libssl, fix reference counting and a memory leak in an error path.
Do not allow connection IDs to wrap and collide with another active connection ID. This allows a local user to force the daemon to exit.
Fix a stack-based buffer overflow in the token expansion code of the (unprivileged) lookup process. This allows a local user to crash the server or potentially to execute arbitrary code.
Allow reading of imsg while discarding fd's when reading from a context where we don't expect/want to receive one. This prevents a local user from exhausting resources and causing smtpd to hang by crafting valid imsg that don't expect a descriptor but passing one anyway.
Prevent users from playing hardlink/symlink/mkfifo games with their offline messages and ~/.forward files. This allows a local user to hang smtpd or even reset chflags and read the first line of an arbitrary file.
Do not exit on unexpected causes of SIGCHLD. This allows a specially crafted mda to cause smtpd to exit.
Make uid checking on ~/.forward files more strict. This prevents users from creating hardlinks to root-owned files and leaking the first line.
Fix a use-after-free and out-of-bounds memory reads in the (unprivileged) lookup process. This avoids crashes or potential arbitrary code execution.
Revert src/sys/net/route.c r1.245. It breaks some NFS setups.
Update to tzdata2015g from ftp.iana.org.
In asmc(4), relax vendor comparison to match variations found in older models such as the MacMini1,1.
On alpha, make the pmap (more) MP-safe by protecting both the pmap itself and the pv lists with a mutex. This should make pmap_enter(9), pmap_remove(9) and pmap_page_protect(9) safe to use without holding the kernel lock.
If we don't get a (valid) CERTREQ but a CERT, respond with a local CERT that was selected based on our own policy instead of leaving it out. This seems to be valid with the RFC that makes the CERTREQ optional and allows ignoring it or applying one's own policy.
Don't reject an "empty" CERTREQ (one with no CA hashes), instead treat it as if no CERTREQ were received. This may fix other interoperability issues.
In sndio(7), remove support for the AUCAT_COOKIE environment variable.
Update to pixman 0.32.8.
On amd64, add asmc(4), a driver for the Apple System Management Controller (SMC).
Make the PPGTT code work. This seems to fix the caching issues on Broadwell.
Don't hardcode the type of BARs to be 64-bit.
On octeon and sgi, restore the interrupt mask even on secondary CPUs. This prevents the IPI from being left disabled accidentally on a non-primary CPU which will cause the system to hang eventually.
On octeon, let MP-safe interrupt handlers run without the kernel lock.
In mandoc(1), fix multiple aspects of SYNOPSIS .Nm formatting.
In tmux(1), if the terminal has colors=256, only try to use setaf/setab if they exist.
In syslogd(8), avoid potential event loss due to misuse of TLS read and write in libevent.
Enable IP26 builds.
On mips64, correctly compute the userland pte index in a pte page in the userland tlb miss handler.
Add the -d, -r and -w flags to rmt(8) to make it run in a restricted mode.
In ld.so(1), delete the bind lock, the callback, the sigprocmask stub.
On powerpc, make sure PROT_EXEC is set on the GOT for BSS-PLT binaries.
In em(4), avoid using a mutex in the rx completion path. Instead rely on intr_barrier(9) to avoid having the interrupt handler touch the rx data structures while the interface is brought down.
On sgi, go back to the previous approach when managing individual HPC DMA descriptors: provide an optional storage for a copy of the descriptor in the "sync" (fetch) function, and use the returned address afterwards.
In sysmerge(8), in case of a hard error, avoid missing files for comparison at the next run.
In LibreSSL, add support for disabling certificate and CRL validity checking.
Remove SHA-0 and MD4 support from libcrypto.
Put the 12x22 font on alpha and macppc installation kernels.
In netstart(8), only print the "IPv6 autoconf" line if there are interfaces to configure.
In ssh-add(1), when adding keys to the agent, don't ignore the comment of keys for which the user is prompted for a passphrase.
In tmux(1), add the -e flag to copy-mode to exit copy mode when scrolling off the bottom.
In libcrypto, check ECDH output buffer length and avoid truncation.
Introduce intr_barrier(9), an interface that guarantees that an interrupt handler that was running has finished.
Introduce sched_barrier(), an interface that acts as a scheduler barrier in the sense that it guarantees that the specified CPU went through the scheduler.
Add the Certplus CA root certificate to /etc/ssl/cert.pem.
In nc(1), display negotiated TLS version and cipher suite in verbose mode.
In libcrypto, add OPENSSL_cpu_caps(), to return the currently running CPU's specific hardware capabilities users of libcrypto might be interested in.
In LibreSSL, if there is hardware acceleration for AES, prefer AES as a symmetric cipher over CHACHA20. Otherwise, prefer CHACHA20 with AES second.
Make if_get() and vlan_input() MP-safe using SRPs.
On arm, use kbind(2) for lazy binding GOT/PLT updates.
Fix the "prime" command: when checking a decimal number for primality, do not unnecessarily convert the original decimal number to hex in the output. Hex numbers explicitly specified with -hex remain unchanged.
Add support for AEAD algorithms to the "speed" command.
Remove support for the SSLEAY_CONF environment variable.
Add an ftpproxy6 rc script. ftp-proxy(8) can only open one listening socket at a time, so a second instance of the daemon is required.
Introduce if_input_local(), a function to feed local traffic back to the protocol queues.
In ping6(8), avoid out-of-boundary access on invalid or short packet reads.
In ddb(4), show the non-idle, on-proc threads before showing the stack trace when panicking.
In em(4), add support for the 88E1512/88E1514 phys.
Update to sqlite3 3.8.11.1.
In acpicpu(4), work around broken AML by treating FFH vendor 8 the same as vendor 1 (Intel).
In openssl(1), remove the engine command and parameters.
Save/restore MSR_APICBASE during suspend/resume. This re-enables x2apic on the application processors at resume.
Remove the unfinished che(4) driver.
In libtls, do not match a wildcard against a name with no host part.
Make room for media types of the future: extend the ifmedia word to 64 bits.
In netstart(8), set "inet6 autoconf" individually on interfaces that have rtsol set in hostname.if(5). Previously, netstart tried to configure them all at once.
In mkhybrid(8), cast the isascii(3) argument to unsigned char, to avoid undefined behaviour.
In qle(4), don't copy more sense data than we have space for. This avoids a crash when trying to talk to a Sun STK6140 (although it still doesn't work).
Spoof EFI SYSTEM GPT partitions as MSDOS partitions, as is done with MBR EFI SYSTEM partitions.
No longer grab the kernel lock in the interrupt-safe multi page backend allocator implementation. This is possible because interrupt-safe uvm maps are now properly locked.
In ddb(4), add ps/o to display just the non-idle on-proc threads.
Don't spoof GPT OpenBSD partitions. Simply record and use the first one found, as is done in MBR processing.
Change device locators type from int to long, for the sake of 64-bit ports without proper device trees.
In ssh(1), expand %i in ControlPath to UID (bz#2449).
In openssl(1), make the s_time command perform a proper shutdown by default. This allows s_time to benchmark a full TLS connection more accurately. The new -no_shutdown flag restores the previous behaviour.
In syslogd(8), instead of having global variables containing the libevent structures, allocate them with malloc. This makes the address space layout more random.
Remove support for DTLS_BAD_VER. We do not support non-standard and incomplete implementations.
When loading a DSA key from a raw (without DH parameters) ASN.1 serialization, perform some consistency checks on its "p" and "q" values, and return an error if the checks fail.
Use the full IPv6 source address (rather than only half of it) as input for the syn cache hash. Using only half the address makes it trivial to create syn cache collisions.
Move the if input handler list to an SRP list.
In libc, add hidden _libc_FOO aliases for the system call stubs.
On powerpc, it is no longer necessary to use mprotect(2) to take away PROT_WRITE. This fixes ld(1) -Z and paves the way for the new Secure-PLT ABI.
In binutils 2.17, force .ctors, .dtors and .got to be read-only for truly static binaries. This prevents W^X violations on architectures that need an executable GOT (basically BSS-PLT powerpc).
Prevent nc(1) from hanging when writing more than the low water mark of the socket write buffer.
In disklabel(8), avoid a SIGSEGV with FGJ malloc.conf flags when a template is used.
The default backend allocator implementation no longer needs to grab the kernel lock.
Build xf86-video-wsfb on amd64 and i386. It can be used by efifb now.
Delete ktracing of context switches. It is unused and not particularly useful.
In smtpd(8), insert a Message-Id header if necessary.
In httpd(8), prevent a potential double free introduced in r1.64 of src/usr.sbin/httpd/server.c.
It is no longer necessary to grab the kernel lock for allocating and freeing pages in the (default) single page pool backend allocator.
In libc, fix aliasing of sys_errlist, sys_nerr, sys_siglist, and sys_signame to eliminate duplicate copies of the tables and get direct access internally.
In wsfontload(8), avoid a floating point exception when an invalid font width was specified.
On the minirootXX.fs and iso images, create an EFI system partition using fdisk(8) -b and put the UEFI boot loader on there.
Add support for QEMU PCI serial devices to puc(4).
In awk(1), revert srand() to its old behaviour with regard to what values it returns.
On sgi, remove the need for the memory controller to switch between "fast" and "slow" mode every time a DMA descriptor is updated.
In wscons(4), add support for xterm-compatible SGR escapes 39 and 49 (reset fg/bg colour to default).
Some symbol cleanup in libc.
In fdisk(8), add a -b option, to be used together with -i, to add a special boot partition on architectures that need it.
In audio(4), improve the search for candidates for the wskbd "record level" control. This may fix "record level" keys on certain keyboards.
In ugen(4), do not use an intermediary buffer on the stack of the caller when submitting a bulk write request. This means big bulk write requests are no longer split into multiple small transfers, which libusb consumers do not expect.
Give every consumer of the radix tree a chance to explicitly initialize the shared data structures, instead of relying on another subsystem to do the initialization. ART kernels should now be fully usable because pf(4) and IPSEC properly initialize the radix tree.
In ssh(1) and sshd(8), plug minor memory leaks when options are used more than once (bz#2182).
In netstat(1), fix mbuf memory accounting after the recent *8 pool size change.
Again revert the two uses of rtisvalid(9). They break NFS.
In dwc2, avoid a possible lock recursion panic on transfer timeout.
Modify acpidump(8) to work on systems booted from efi boot.
Bring back the two uses of rtisvalid(9). The bug it exposed has been fixed.
Unconditionally set the RTF_UP flags when adding a route to the table. This makes dhclient(8)-configured default routes usable without relying on the link-state change hooks not present in RAMDISK kernels.
In ugen(4), do not use an intermediary buffer on the stack of the caller when submitting a read request. This means big read requests are no longer split into multiple small transfers, which libusb consumers do not expect.
In smtpd(8), remove the session kicking mechanism until it is redesigned. It has an accounting bug leading to some legitimate sessions being kicked if they generate too many consecutive errors.
Only advertise the color depth that is actually supported. This makes the xf86-video-wsfb driver work.
Map the framebuffer in write-combining mode. This significantly speeds up.
In static binaries, invoke kbind(2) once to disable it.
On m88k and sparc, use kbind(2) for lazy binding GOT/PLT updates.
It is no longer necessary to hold the kernel lock for MP-safe bpfs (again).
Bring back the commit that makes bpf_mtap MP-safe by using srp, but now using srp_follow(9) to avoid races and corruption.
Add srp_follow(9), which is necessary to correctly order the taking and releasing of SRP critical sections in situations such as following a chain of data structures linked with SRPs.
In dhclient(8), accept multiple domain names in dhcp option 15 (Domain Name). This allows resolv.conf(5) "search" statements to be built with multiple entries.
In syslogd(8), don't truncate program names and hostnames in syslog.conf(5). This fixes matching with IP addresses if syslogd is started with -n.
In efifb(4), check the driver name so that the driver only attempts to attach when we actually want it to.
In binutils 2.17, raise the number of spare local GOT entries from 5 to 7. This fixes building liblto_plugin.so in the gcc 4.9 port.
Rather than killing when *chmod(2) is asked to do setuid/setgid, clear those bits in the request and continue.
Do not install connected routes on loopback interfaces. This will allow systems with AUTOCONF'd addresses to see loopback connected routes in the routing table.
On macppc, map the whole config1 space based on the size read from the device tree. This allows supplementary PCIe cards to be properly detected and should prevent the kernel from faulting when reading unmapped PCI addresses.
Prevent cards with no midi connectors from attaching midi(4) devices.
In tmux(1), check for name changes at most once every 500 milliseconds.
On sparc64, add support for switching CPUs in ddb(4).
On sh, use kbind(2) for lazy binding GOT/PLT updates.
Make gdb(1) work again on mips64 PIE binaries by making sure a reasonable 64-bit ABI is selected for 64-bit ELF files instead of a 32-bit ABI.
5.8 SECURITY FIX: LibreSSL 2.2.2 incorrectly handles ClientHello messages that do not include TLS extensions, resulting in such handshakes being aborted. A source code patch is available for 5.8.
In apmd(8), log battery changes every 10%, not every 21%.
In envy(4), disable interrupts while the midi uart is not in use. This avoids generating unused interrupts when a chatty peripheral is connected but not used.
In binutils 2.17, add support for Irix-style "64-bit" archives.
Fix the build of the drm libraries on sparc64.
In envy(4), fix support of M-Audio Delta 44 cards that use different GPIO pins.
In binutils 2.17, do proper GOT slot accounting for symbols that were forced to be local.
Rework the UNIX domain socket garbage collector.
Make ld.so(1) work on hppa when _dl_bind_start gets hidden by the version script.
Fix rare occurrences of wrong floating-point values with MP kernels on Octeon.
On mips64, access the image of the floating point registers via p_md.md_regs instead of directly on the frame. This prevents updates from getting lost.
Ensure that syslogd(8) uses its original command-line arguments when it reloads its configuration and re-executes itself.
Prevent a socket that poll(2) reports as writable from becoming unwritable before write(2) is called.
In doas(1), add a type of "auth-doas" to the perm check to allow login.conf(5) fiddling.
In aucat(1), allow sparse blocks to be used as silence if samples are encoded as signed integers.
Remove SSLv3 support from LibreSSL.
On hppa, use kbind(2) for lazy binding GOT/PLT updates.
Add more overflow checks to libexpat.
5.8 SECURITY FIX: in sshd(8), inverted logic made PermitRootLogin "prohibit-password" unsafe. A source code patch is available for 5.8.
In radiusd(8), fix a use-after-free in an error path.
On alpha and mips64, use kbind(2) for lazy binding GOT/PLT updates.
Remove exect(2). It was unused and not portable across arches.
Hide many libc symbols that should not be used.
In cron(8), use ppoll(2) instead of poll(2). This avoids time conversion issues and eliminates a race condition that could delay SIGCHLD and SIGHUP actions.
In syslogd(8), don't use strlcpy(3) on strings that are not NUL-terminated. This prevents a crash.
Explicitly list the symbols permitted to be exported by libc. This will prevent unintentional additions in the future and sets the stage for reductions.
In doas(1), add the cwd context to the syslog entry.
Hide the "term" and "lock" commands in the application menu.
Don't let _NET_WM_STATE_STICKY apply to the position and size of a window.
Add the client freeze extension to the _NET_WM_STATE Atom, allowing the flag to persist.
In em(4), run the part of the interrupt handler that does rx completion without holding the kernel lock.
In relayd(8), don't drop the reply messages when "check icmp" is used with many hosts.
In httpd(8), avoid an HTTP 405 error when using the WebDAV MOVE method.
Whitelist TIOCGPGRP (for tcgetpgrp(3)) in TAME_IOCTL.
In azalia(4), enable beep and CD controls on ALC292.
In sshd(8), fix the inverted logic that broke PermitRootLogin.
If we're allowed to try to use large pages, we try to fit at least 8 of the items. This amortises the per-page cost of an item a bit.
In acpi(4), respect the access size when reading or writing to pci config space and ensure writes are properly aligned. This prevents panics and fixes at least battery status passthrough in vmware and the brightness keys on the X220.
In exp2(3), avoid left-shifting a negative integer.
In cwm(1), make the big move and resize bindings match what is in the manual page.
On octeon, use the IPD Clock Count register as a timecounter.
Import an alternative routing table backend based on Yoichi Hariguchi's ART implementation.
Improve compat matching for WinSCP and add compat matching for FuTTY.
Enable the build of libOSMesa.
In pf(4), keep the IPv6 fragment size as chosen by sender also for packets that are routed on behalf of route-to.
Prevent mips64 FPU emulation from corrupting the page queues in MP systems.
Do not use a stale local address from the routing table. This prevents an interface address without an interface pointer from causing a uvm_fault.
On octeon, allow booting the SP kernel with a set of CPUs that does not contain core 0.
Unbreak the ikectl(8) "ca" commands after the removal of $ENV:: overwriting in LibreSSL.
Remove casts from many calls to malloc(3)-like functions.
Update the en_US.UTF-8 locale to Unicode 7.0.0.
Remove the last fragments of ST-506 support.
In whois(1), fix whois server detection for new TLDs.
Accept NULL pointers in rtfree(9). This will simplify upcoming conversions of rt_refcnt-- to rtfree(9).
5.6 and 5.7 SECURITY FIX: a change to sshd(8) resulted in incorrect permissions being applied to pseudo terminal devices, allowing local users to write to (but not read from) them. A source code patch is available for 5.7.
Avoid a TOCTOU problem in if_input in the bpf handling.
In tmux(1), come out of copy mode when history is cleared.
Add Loongson 3A support.
On alpha, consider ISA interrupts level-triggered if the SRM has explicitly set them up that way. This makes the kernel correctly run with serial console on the Multia.