OpenBSD 6.8 Changelog

This selection is intended to include all important and all user-visible changes. For a complete record of all changes, please see the "source-changes" mailing list, called "OpenBSD CVS" in the archives, or use CVS.

For changes in other releases, click below:
2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6,
3.7, 3.8, 3.9, 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 5.0, 5.1, 5.2, 5.3,
5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.9, 7.0, 7.1,
7.2, 7.3, 7.4, 7.5, 7.6, 7.7, current.

Changes made between OpenBSD 6.7 and 6.8

• Reintroduced checks against heavy amap allocations for MAP_SHARED to prevent a panic reachable with mmap(2).
• On arm64 and powerpc64, changed kcopy(9) to perform 64-bit and 32-bit copies whenever possible, needed for kbind(2) to update PLT/GOT entries atomically when doing lazy binding.
• Added support for the PCA9546 I2C switch to pcamux(4).
• Set length correctly in ugen(4) to prevent incorrect copy of descriptors to userland and kernel memory leaks.
• Added the TP-LINK UE300 to ure(4).
• Added support for Comet Lake I2C controllers to dwiic(4), needed for the trackpad on machines such as the 8th generation Lenovo X1.
• Fixed a segfault in pstat(8) -v.
• Released OpenSSH 8.4.
• Added powerpc support for POWER9P "Axone" CPUs.
• Updated LibreSSL to 3.2.2.
• Made apmd(8) always ask the kernel about current hw.perfpolicy rather than maintaining state.
• Added a new "set cert_partial_chain" config option to iked.conf(5) to allow verification of partial certificate chains if a trusted intermediate CA is found in /etc/iked/ca.
• Used an IPI on powerpc64 so hw.setperf affects all cores in the mp kernel.
• Allowed handling of long lines in an smtpd(8) aliases table.
• Ensured sysupgrade(8) on systems with multiple root disks will proceed on the disk with auto_upgrade.conf present.
• Moved to Mesa 20.0.8 in response to hard hangs on certain systems.
• Fixed eeprom(8) error when setting variables on macppc.
• Cleared the screen in ksh(1)'s vi editing mode before redrawing the line with ^L.
• Capped ssh(1) channel input buffer size at 16MB, avoiding high memory use when a peer advertises a large window but is slow to consume sent data.
• Fixed a memory leak in x509_constraints_extract_names.
• Fixed frame pointer slot on aarch64 for functions not saving callee registers with reguard enabled.
• Added a bsd.schema to ldapd(8) including a shadowPassword and an sshPublicKey attribute which can be used to extend existing LDAP users with the additional bsdAccount objectclass.
• Added a check for pfctl(8) that an rtable exists when parsing the config.
• Disabled acpivout(4) brightness control on machines aware of Windows 8, enabling inteldrm to handle brightness ioctls.
• Provided a naptime variable for userspace via kvm_read(3), usable by vmstat(8).
• Defaulted to showing full IPv6 address entries in the routing tables displayed by route(8) show and netstat(1) -r.
• Introduced abl(4), a new driver to control the backlight brightness on Intel-based Apple machines, and allowed it to be controlled through wsconsctl(8).
• Added a "-s timeout" feature to rpki-client(8) with a one hour default, allowing fresh attempts with cron(8) if rpki-client gets stuck.
• Prevented established TCP and TLS sockets of syslogd(8) from staying open forever if a client aborted the connection silently.
• Ensured certain registers are read before a potential sleep in trap()
• Added support for "&" and "|" operators in btrace scripts.
• Fixed smtpd(8) handling of user names containing "@" symbols.
• Prevented improper disabling of the backlight in umstc(4) when brightness is adjusted to 0.
• Allowed snmp(1) mibtree to take one or more arguments to be converted to a chosen output format.
• Skipped scanning file systems which are both nodev and nosuid for SUID, SGID and device files with security(8).
• Added an explanation for acme-client(1) account creation failure.
• Allowed slaacd(8) to handle all rdomains in a single daemon.
• Fixed "$@" splitting with empty IFS in ksh(1).
• Used READ(16)/WRITE(16) commands for disks large enough to require them to access the last sectors, fixing large 512E devices plugged into USB to ATA/ATAPI bridges which mistakenly use 4K sector addresses/sizes.
• Imported login_ldap(8), using ldap(1) rather than openldap.
• Allowed theoretical multiple attachment of asmc(4) controllers.
• Changed rpki-client(8) -n behavior to automatically validate the repo.
• Added support for the RK3308 MAC to dwge(4).
• Modified trunk(4) to keep port interfaces UP on removal, matching aggr(4) behavior.
• Enabled btrace(8).
• Added btrace(8) -p flag to filter all actions by PID.
• Fixed outbound bpf(4) tap for ogx(4).
• Handled AGL interfaces on octeon, making management network ports usable on some machines.
• Allowed use of -N without a command to change or add a note to an existing key in tmux(1).
• Added RK3308 temperature sensors to rktemp(4).
• Added RK3328 PWM, also found in the RK3308, to rkpwm(4).
• Added control for backlight compensation to video(4).
• Added tsc_delay(), a delay(9) implementation based on the TSC, to amd64.
• Allowed specification of supported TLS protocols in ftp(1) "-S protocols".
• Added mpii(4) to powerpc64.
• Added kstat to cnmac(4).
• Updated Mesa to 20.1.7.
• Added a 30 second timeout for OCSP requests in iked(8).
• Allowed a-z keys for tmux(1) display-panes to jump to higher-numbered panes.
• Moved to 6.8-beta.
• Moved ntpd(8) to unsynced mode if no replies are received for awhile due to connectivity issues.
• Fixed make(1) :S with anchors and replacement.
• Improved PLL1(CPU_PLL) stability for the Allwinner H3/H2+.
• Added support for requiring user-verified FIDO keys in sshd(8).
• Improved detection of the proper powerpc64 boot device by choosing the disk matching the bootduid of the boot kernel.
• Added top(1) "t" to toggle the display of routing tables.
• Allowed disabling of iked(8) DPD liveness checks by setting dpd_check_interval to 0 in iked.conf(5).
• Updated Mesa to 20.1.6.
• Fixed a race in single-thread mode switching.
• Corrected multiple input validation deficits in X server extensions.
• Fixed an integer overflow in libX11 which could lead to a double free.
• Added a dpd_check_interval configuration option to iked.conf(5).
• Released LibreSSL 3.2.1.
• Added support for non-localhost fastcgi sockets to httpd.conf(5).
• Rehashed main pf(4) rulesets after rule expiration.
• Implemented UHS-I support in the sdmmc(4) midlayer and enabled it in amlmmc(4).
• Updated unbound(8) to 1.11.0.
• Added filtering by routing table to top(1).
• Added support for the IBM POWER8 host bridge.
• Introduced xicp(4), a driver for the interrupt control presenter hardware found on POWER8 CPUs.
• Added the new iked(8) configuration option "set enforcesingleikesa" to limit the number of connections for each peer.
• Added powerpc64 support for "normal" external interrupts, needed for running POWER8 and earlier CPUs.
• Updated to libfido2 46710ac06.
• Prevented concurrent CREATE_CHILD_SA and INFORMATION exchanges in iked(8).
• Added fstat(1) support for looking up unix domain sockets by file name.
• Moved sysctl(2) CTL_DEBUG from DEBUG to the new DEBUG_SYSCTL.
• Added the tmux(1) n: modifier to get the length of a format.
• Allowed SIOCSWGDPID and SIOCSWGMAXFLOW ioctls for non-root, preventing switch(4) interfaces from appearing partially as bridge(4) devices for unprivileged users running ifconfig(8).
• Added support for IODA2 bridges such as those found on POWER8 chips.
• Added powerpc support for POWER8 CPUs.
• Added unveil(2) to the main process of relayd(8).
• Added optional iked(8) time-stamp validation for OCSP.
• Enabled PAN (Privileged Access Never) on arm64 CPUs supporting it.
• Added initial tcpdump(8) support for handling geneve packets.
• Updated xkbcomp(1) to 1.4.3.
• Properly implemented amlmmc(4) setting of signal voltage.
• Added Exar XR17V35x serial port support.
• Added sdmmc(4) support for eMMC HS200 mode.
• Added a ROUTE_FLAGFILTER socket option for routing sockets, allowing routing daemons to opt out of receiving messages for L2 and broadcast route entries.
• Prioritized incoming certificate requests by the order of CERTEQ payloads in the received message in iked(8).
• Updated awk(1) to the August 7, 2020 version.
• Added optional time limits for the AddKeysToAgent keyword in ssh_config(5).
• Allowed the combination of video(1) "-dc" options, reset and display control values.
• Added kstat(1) -w option, allowing update and printing of stats at a specified wait interval.
• Added pms(4) support for the Elantech v1 touchpad with firmware version 0x20022.
• Updated compiler-rt to 10.0.1.
• Released LibreSSL 3.1.4.
• Stopped blocking IPIs when acquiring the rendezvous mutex of mips64, which may fix some hangs on sgi.
• Added the ability to filter which kstat(1) entries are displayed.
• Added P-521 to the list of curves supported by default for TLS.
• Updated LLVM to 10.0.1 including clang, lld and lldb.
• Stopped preventing TCP connections to IPv6 anycast addresses.
• Set IPv6 source address selection to prefer the address with the highest preferred lifetime in case of a tie.
• Allowed pf(4) to divert packets from bridge(4) to local socket.
• Avoided reading one byte before the path buffer in mountd(8).
• Added the ability to set and display video(1) control values directly on the CLI.
• Changed tmux(1) searching to behave more like emacs and prevented regex searching from overlapping when searching forward.
• Built installXX.{img,iso} powerpc64 files.
• Added powerpc64 cd9660, msdos and inet6 ramdisk support.
• Improved ure(4) TX performance by combining multiple packets into one xfer as possible.
• Corrected ssl(8) handling of server requests for an OCSP response.
• Added additional scsi devices on powerpc64.
• Updated LLVM to 10.0.0, including clang, lld and lldb.
• Added support for Gear Head keyboards.
• Updated libpcap to 9.0.
• Added the pcap-filter(5) "sample NUM" primitive to allow capture of 1/NUM packets.
• Allowed scp(1) and sftp(1) -A option to explicitly enable agent forwarding.
• Updated libcbor to v0.7.0.
• Added support for AX201 devices to iwx(4).
• Added support for remote coverage to kcov(4).
• Updated Spleen kernel fonts to version 1.8.2.
• Fixed a race condition for isoc devices during device close.
• Fixed potential information leak via X server pixel data uninitialized memory.
• Fixed heap corruption in the X input method client in libX11.
• Enabled userland timecounter code on sparc64.
• Updated awk(1) through the July 30, 2020 version.
• Added Intel Wi-Fi 6 AX201 pci(4) device ID.
• Fixed a panic in wscons(4).
• Implemented IPv6 source address selection as outlined in RFC 6724 section 5.
• Fixed bogus frame sizes being returned by xhci(4).
• Released rpki-client(8) 6.7p1 including OpenBSD 6.7 Errata 015.
• Fixed rpki-client(8) return value check for openssl API used during pubkey validation.
• Added tmux(1) -d option to display-message to set delay.
• Added / as an alias for g (grep) in top(1).
• Avoided nvram lock timeout on sparc64 systems with onboard BCM5704 bge(4) instances that come without a fitted EEPROM/NVRAM.
• Ported NetBSD's arm64 disassembler for ddb(4).
• Fixed potential use-after-free and double-free issues in PEM_X509_INFO_read_bio(3).
• Increased the powerpc64 MAXCPUS to 48, the maximum cores available in any POWER9 system.
• Updated nsd(8) to 4.3.2.
• Added support for the AMDI0010 touchpad on the Inspiron 5505.
• Increased the mcx(4) event queue size, preventing a potential interrupt storm on the ConnectX-4.
• Implemented IPIs on powerpc64.
• Prevented an unveil(2) failure with chdir / on sensorsd(8).
• Built bsd.mp on powerpc64.
• Created /dev nodes for sparc64 and powerpc console.
• Prevented mg(1) from running out of memory or segfaulting with query-replace-regex ^.
• Added support for Intel AX200 Bluetooth usb(4) devices.
• Forced long-names on msdos filenames for installboot on most 32-bit architectures.
• Filtered vlan and svlan packets by default for tpmr(4).
• Changed tpmr(4) from ifconfig [-]trunkport to add|del synopsis.
• Added rge(4) support for newer RTL8125 chipset (RTL8125B).
• Introduced powerpc64 GENERIC.MP.
• Corrected ruleset checksum calculation to allow pfsync(4) to verify rulesets are identical on all nodes.
• Improved processing of lost frames during 802.11 Rx aggregation.
• Handled iked(8) TEMPORARY_FAILURE notification on IKESA rekeying.
• Fixed a dst/src iked(8) port configuration bug with multiple flows.
• Ensured only pseudo-terminal devices use reprint delays.
• Switched the default pager from "more(1) -s" to less(1).
• Added a new column to wsfontload(8) -l output to report the number of characters contained in a loaded font.
• Updated Spleen kernel fonts to version 1.8.1.
• Fixed gain calibration for some iwn(4) devices (5000 and up).
• Enabled xhci(4) in the powerpc64 BOOT kernel.
• Fixed the initial sndiod(8) alternate device number, preventing device number 1 from being skipped on first use.
• Added additional Atheros pci(4) IDs.
• Improved the powerpc64 kernel linker script and installed proper page protections via pmap_bootstrap().
• Passed boothowto and bootduid parameters to the booted powerpc64 kernel via the device tree.
• Implemented userland timecounting for macppc and octeon.
• Added initial powerpc64 X sets.
• Randomized the system stoeplitz key.
• Added installboot powerpc64 support.
• Added video(1) white balance temperature control through w/W keys.
• Enabled multiq support for ix(4).
• Added a "%k" TOKEN to ssh_config(5) that expands to the effective HostKey of the destination.
• Added %-TOKEN, environment variable and tilde expansion to UserKnownHostsFile in ssh_config(5).
• Introduced an initial bootloader for OpenBSD/powerpc64.
• Added a ktrace(1) -T option to make time-related system calls more prominent.
• Fixed a potential crash when bringing down an mcx(4) interface.
• Optimized character rendering in 32bpp mode, providing double-pixel rendering for the common font widths and a signicant speed increase.
• Added a SENSOR_ENERGY sensor type which uses microjoules.
• Implemented userland timecounter for arm64.
• Prevented root from freezing the UTC clock with settimeofday(2) at securelevel 2.
• Fixed iked(8) public key authentication interoperability with *swan and other IKEv2 implementations by making CERT and CERTREQ payloads optional.
• Corrected handling of padding cells while searching in tmux(1).
• Allowed additional control over the use of ssh-askpass(1) in ssh-add(1), including force-enable/disable.
• Introduced xics(4), a driver for the OPAL virtual ICS.
• Added powerpc64 FDT interrupt support.
• Added support for routing interrupts to other CPUs in ampintc(4) and agintc(4).
• Fixed performance problems relating to tty subsystem abuse.
• Enabled background scanning on iwx(4) devices.
• Fixed athn(4) use with WPA2 APs.
• Stopped creation of non-existent bridge(4) interfaces.
• Used su(1) -fl to avoid sourcing the target user's .profile in rc.d(8)/rcctl(8).
• Synchronized each core's CP0 cycle counter using the IO clock counter on mips64 and octeon, making the cycle counter usable as timecounter.
• Improved speed of scrolling by optimizing rasops(9) write-only framebuffer console.
• Implemented linear and power-of-two histograms in btrace(5).
• Added the Spleen 6x12 font to wsfont.
• Corrected trackstick/button attachment of Windows Precision Touchpad imt(4) devices, fixing behavior on certain Dell Latitude laptops.
• Fixed information leak in semctl SEM_GET.
• Enabled spleen16x32 and spleen32x64 fonts on armv7 for GENERIC kernels.
• Taught su(1) -l -f to start a regular shell for non-csh shells rather than a login shell.
• Introduced opalsens(4), a driver for sensors provided by the OPAL firmware.
• Enabled TLSv1.3 for the generic TLS_method().
• Corrected route(8) handling of ::/0 and "route add -inet 0.0.0.0 -prefixlen 0 (gateway)".
• Switched iwx(4) from -46 to -48 firmware.
• Added support for set -o pipefail to ksh(1), potentially helping error checking.
• Protected the whole pipex(4) layer by NET_LOCK().
• Increased the buffer size for OFW parameter name strings, making it possible to dump the full device tree on POWER9 systems using eeprom -p.
• Added support for timecounting in userland, improving speed and responsiveness in programs which make many time of day calls.
• Repaired athn(4) in client mode against WPA2 access points.
• Added support for the D-Link DWA-121 rev B1 urtwn(4) device.
• Introduced kstat(1), a subsystem to allow the kernel to expose statistics to userland (and kstat(8), the userland side).
• Fixed ls(1) -R mode to not display subdirectories of a directory beginning with '.' and ensure directory names are always displayed.
• Modified uvideo(4) to fix webcam detection in Firefox 78.
• Began natively compiling for the powerpc64 architecture.
• Fixed mbuf leak in urtwn(4) with frames CCMP-encrypted by hardware.
• Fixed an xconsole(1) crash by starting it after setting the background.
• Prevented a core dump in ftp(1) during fetch abort.
• Fixed intermittent failing pms(4) device initialization seen on some Synaptics devices.
• Used an LFENCE instruction everywhere RDTSC is used for a time measurement, reducing the jitter in TSC skew measurements.
• Prevented ssh(1) port forwarding clients from keeping a connection alive when it should be terminated.
• Updated awk(1) to July 2, 2020 version.
• Initialized v4l2_requestbuffers for libv4l compatibility, allowing view of video encodings not directly supported by video(1).
• Fixed gpu hangs when starting Xorg seen with 4.19 and 5.7 drm.
• Removed support for the socket keyword in snmpd.conf(5).
• Removed the -f (force) option in rpki-client(8).
• Added support for the mcx(4) ConnectX-6 Dx.
• Introduced arch/powerpc64.
• Prevented creation of bogus sd(4) devices for nvme(4) namespaces which are configured but have size 0.
• Updated Spleen kernel fonts to version 1.8.0.
• Prevented possible libevent state corruption in vmd(8).
• Introduced a darker xenodm(1) login widget and a lower contrast default background.
• Allowed switching between alternate devices (-F) with sndioctl(1).
• Fixed a problem where switching to a vt and back was needed to see rc output and login prompt on some intel machines with skylake and newer graphics.
• Converted macppc, octeon and loongson to use machine-independent installboot.
• Updated to freetype 2.10.2.
• Switched the default CDDB database for cdio(1) to gnudb.gnudb.org:8880.
• Fixed merging of files that lack newlines for diff3(1), OpenRCS and OpenCVS.
• Allowed ssh-add(1) "-d -" to read keys to be deleted from stdin.
• Fixed variable shadowing in vpci(4) which led to a noticeable delay while attaching devices using multiple msi-x vectors.
• Introduced a framework for MII busses.
• Introduced mvpp(4), a driver for the Marvell Packet Processor v2 as used on the Armada 7K and 8K SoCs.
• Implemented rss/toeplitz support for ixl(4) 710 chips.
• Allowed sshd_config(5) longer than 256k.
• Ensured the STOP command sent by sd(4) on powerdown will not result in hanging the machine if commands to the USB mass storage fail.
• Modified ldapd(8) use of "ldaps" and "tls" keywords to enable only the libtls defaults for protocols and ciphers. The new "legacy" keyword can be used before these keywords in ldapd.conf(5) to enable them all.
• Enabled wg(4).
• Stopped incrementing openclass for a literal "[" in awk(1), allowing parsing of expressions such as "/[[/[]/".
• Increased pbuild datasize limit to 8G to allow Firefox to build with Rust 1.44.
• Implemented pci_intr_establish_cpu() for pyro(4) and vpci(4)-based sparc64 systems.
• Introduced gettime(9) and getuptime(9) and substituted these for time_second(9) and time_uptime(9) throughout the kernel to prevent split-read problems on 32-bit platforms.
• Introduced opalcons(4), a driver for the OPAL console.
• Added support for the Ericsson F5521gw Mobile Broadband Modem.
• Resolved a panic in bridge_ioctl() by ensuring the netlock is held when calling ioctl handlers and dropped for the wg(4)-specific ioctls.
• Enabled critical temperature detection in iwx(4) firmware.
• Added ssh(1) support for fido(4) WebAuthn (verification only).
• Added an ioctl allowing userland to access read-only support information about pci devices via the vpd register.
• Enabled nvme(4) on i386.
• Fixed vmd(8) ns8250 lockup due to a race condition, helping to prevent linux vm crashes when the return key is held on boot.
• Updated Spleen kernel fonts to version 1.7.1.
• Added wg(4), an in-kernel driver for Wireguard vpn communication.
• Added bcmtmon(4), a driver for the temperature sensor on the Raspberry Pi 4.
• Added bwfm(4) support for BCM4359 SDIO variants such as the AP6359SA module found on the RockPro64 WiFi module.
• Fixed a fatal firmware error at run-time on iwx(4).
• Added WPA2 (CCMP) crypto offload support to iwx(4).
• Added pcamux(4), a driver for the PCA8548 I2C switch.
• Added bge(4) support for the BCM5719 A1.
• Fixed broken HID descriptors of Elecom trackballs with 6 or 8 buttons.
• Fixed a crash in re(4).
• Enabled multiple queues on vmx(4).
• Added intrmap, an api that picks CPUs for devices to attach interruptions to.
• Added d and D keys to tmux(1) customize mode to reset to defaults.
• Added a symmetric toeplitz implementation with integration for nics, usable through the stoeplitz_to_key(9) API.
• Supported -T html -O tag for mandoc(1) by passing a file:// URI to the pager.
• Fixed an sdhc(4) panic on the MACCHIATObin due to unaligned memory access.
• Added support for the XIVE interrupt controller found on POWER9 CPUs.
• Added tmux(1) -b flags to insert a window before (like the existing -a for after) to break-pane, move-window and new-window.
• Implemented the gensub(), systime() and strftime() functions for awk(1).
• Fixed sndiod(8) crashes when USB devices are disconnected.
• Added netstat(1) -R to show a summary of rdomains with associated interfaces and tables.
• Added a tmux(1) -A option to pause a pane manually.
• Added escodec(4), a driver for the Everest ES8316 audio codec used on the Pinebook Pro.
• Added rkiis(4), a driver for the I25 controller found on the Rockchip RK3399.
• Added simpleamp(4), a driver for "simple audio amplifier," one of the aux devices for simpleaudio(4).
• Added simpleaudio(4), a driver for "simple audio cards." This is a wrapper connecting the I25 controller, the codec and some aux devices.
• Introduced a framework for digital audio interfaces.
• Populated a list of 256 brightness levels as a fallback when the device tree does not specify a list, making the Pinebook Pro display work with the dtb from Linux 5.7.
• Updated awk(1) through the June 5, 2020 version.
• Provided an optimized implementation of ffs(3) in the kernel on arm64/powerpc/powerpc64.
• Added cwfg(4), a driver for the Cellwise CW201x fuel gauge on the Pinebook Pro.
• Added opal(4), a driver that interacts with the OPAL firmware on powerpc64 and implements RTC functionality.
• Added IBM POWER9 host bridge pci(4) id.
• Prevented rcs(1) removal of locked revisions with rcs -orange, avoiding leaving behind a lock for a revision which no longer exists.
• Added Intel 200 Series HD Audio pci(4) id.
• Prevented a use-after-free when a wireless device is detached.
• Updated drm(4) to linux 5.7.
• Added Marvel 88SE9215 and 88SE9235 AHCI pci(4) ids.
• Prevented callers inspecting unrelated fields in the libc resolver function asr_run().
• Moved Powerbook5,4 audio from aoa(4) to snapper(4), adding the missing TAS3004 volume control.
• Added ssl(8) support for additional GOST curves and aliases for 256-bit GOST curves.
• Added support for pausing a tmux(1) pane when the output buffered for a control mode client is too far behind, controllable with refresh-client -f and -A.
• Prevented the HID parser from overflowing if a malicious device provides too many PUSH.
• Added support for the Cortex-A78 cpu.
• Improved TLSv1.3 client certificate selection to allow use of EC certificates.
• Fixed pf.conf(5) "route-to TABLE least-states" in an anchor.
• Updated perl(1) to 5.30.3.
• Introduced acpihid(4) for ACPI HID event and 5-button array devices.
• Added support for hardware vlan tagging to mcx(4).
• Added an SK hynix NVMe pci(4) id.
• Released LibreSSL 3.2.0.
• Added umstc(4), a driver for Microsoft Surface Type Cover keyboards.
• Began looking for non-expired certificates first when building a chain, making certificate validation possible for various sites that are serving expired AddTrust certificates.
• Improved CPU frequency scaling in automatic performance mode by removing accounting for offline CPUs.
• Added to ssh_config(5) a selection of keywords allowed to expand shell-style ${ENV} environment variables on the client side.
• Adjusted to complete group key renewal immediately if no station is associated when ieee80211_proto.c runs.
• Prevented a panic where athn(4) attempted to transmit old, unencryptable frames after switching to a new group key in hostap mode.
• Enabled building wsmoused(8) and wsfontload(8) on arm64 and armv7.
• Fixed display glitches on smaller screens or with larger fonts in efifb(4) associated with remapping and attaching.
• Enabled scrollback in simplefb(4).
• Prevented unconditional initialization of VGA on amd64 boot causing video distortion.
• Corrected getopt_long(3) parsing of a trailing dash in an option group, which was being incorrectly returned as an argument.
• Removed mail.local(8) support for world-writable mail spools.
• Added AES-GCM mode ciphers for IKEv2, configurable in iked.conf(5) with the new "ikesa enc" options aes-128-gcm, aes-256-gcm, aes-128-gcm-12 and aes-256-gcm-12.
• Rewrote the entropy enqueue ring to collect damage asynchronously and adapted the dequeue to mix a selection of "best" ring entries, exponentially backing off the dequeue timeout, to compensate rapidly for weak seeding in unidentifiable conditions and ensure quality to arc4random() calls early in boot.
• Introduced detection of /etc/random.seed reuse.
• Reworked kernel loading with octboot(4), which now does not rely on a mounted filesystem.
• Prevented a fatal iwx(4) firmware error when the driver moves out of AUTH state.
• Rewrote m88k mutex code as a slight variation of the MI mutex code, potentially improving stability and rendering mutex spinning time visible in top(1).
• Allowed passage of unencrypted 802.11 frames during hardware decryption post-processing, fixing failure of some ral(4) devices to receive packets on encrypted networks.
• Added support to urtwn(4) for TP-Link TL-WN822N-EU v5 (and v4).
• Restricted ssh-agent(1) from signing web challenges for FIDO keys, preventing ssh-agent forwarding on a host that has FIDO keys attached from granting the ability for the remote side to also sign challenges for web authentication using those keys.
• Increased the default number of ldom and ttyV devices for sparc64 from eight to sixteen.
• Passed boothowto from the sparc64 bootloader to the kernel using .openbsd.bootdata.
• Added wsmoused(8) support to efifb(4).
• Added support for the ThingM blink(1) USB notification light.
• Stopped syslogd(8) from closing UDP sockets for sending messages when DNS lookup of a UDP loghost fails, alloiwing them to be used to send if DNS is working during the next SIGHUP.
• Made non-root filesystems FFS2 for landisk, sgi and luna88k.
• Made ldomctl(8) "init-system -n" check vcpu and memory constraints.
• Relaxed filename checks in syspatch(8) to allow use of hyphens.
• Adjusted dwpcie(4) timing to improve likelihood of a successful PCIe link on the i.MX8MM. Avoids a failure to detect em(4) on the HummingBoard Pulse.
• Added RB_GOODRANDOM passed from bootloader to kernel in boothowto, indicating confidence a "great seed" was loaded.
• Added an Atheros QCA986x/988x pci(4) ID.
• Enabled the FFS2 option on the luna88k ramdisk.
• Added support for the Marvell Xenon SDHC, used as storage on the Armada 3700 and 8040 SoCs. This should make eMMC7CD show up on the MACCHIATObin.
• Added support for the SD card detect pins on the Turris Mox.
• Added mkvpcie(4), a driver for the Aardvark PCIe controller found on the Armada 3700 SoC.
• Fixed the ksh(1) exit code when evaluating a || compound list to prevent termination of the shell when running under -e.
• Added an ASMedia ASM1182e PCIe switch pci(4) id.
• Fixed an uninitialized variable and potential stack overflow with IPv6 connections in smtpd(8).
• Implemented a carp(4) transmit bypassing the ifq on output, enqueuing the packet directly on the parent interface.
• Opened up a 4GB memory bus window for mvneta(4) on the Marvell Armada 3700, making the second ethernet controller/port work on the Turris Mox.
• Released OpenSMTPD 6.7.0p1.
• Moved back to FFS1 by default for MFS.
• Updated unbound(8) to 1.10.1.
• Added support for TLS 1.3 server to send certificate status messages with oscp staples.
• Released rpki-client(8) 6.7p0.
• Offloaded CCMP (WPA2) encryption and decryption to iwm(4) hardware, reducing CPU load during traffic bursts.
• Introduced a "dark mode" for directory listings and error pages in httpd(8).
• Made OpenBSD boot on the odroid c4 with power domain in amldwusb(4).
• Added amlpwrc(4), a driver for the power domain controller found on Amlogic SoCs.
• Fixed a hang in rpki-client(8) by properly waiting for exiting openrsync(1) processes.
• Made FFS2 the default for newfs(8).
• Changed install images called *.fs to *.img to accommodate some UEFI bootloaders.
• Restored VGA fonts on VT switch, preventing an unusable screen when switching to a VT with a custom VGA font from X.
• Added a decode error alert when a TLS server provides an empty certificate list.
• Began initial development of an OpenBSD/powerpc64 port.
• In tmux(1):
  • Added an option to set the pane border lines style as single lines, double or heavy, simple or number (the pane numbers).
  • Added a client flag 'active-pane' which stores the active pane in the client and allows it to be changed independently from the real active pane stored in the window.
  • Added a -D flag to run in non-daemonized mode.
  • Added a customize mode (C) where keys and options can be browsed and changed.
  • Added M-+ and M-- to expand and collapse all items in tree mode.
  • Changed refresh-client -F to -f and added -f flags to attach-session and switch-client.
  • Added -e for new-session to set environment variables.
  • Added the 'e' key in buffer mode to open the buffer in an editor.
  • Added -W and -T flags to command-prompt to only complete a window and a target.
• Ensured that a TLSv1.3 server has provided a certificate before attempting validation.
• Implemented kqueue(2) support for video(4).
• Updated to xkbprint 1.0.5.
• Updated to libXxf86dga 1.1.5.
• Updated to libXrandr 1.5.2 and xrandr(1) 1.5.1.
• Updated to libxcb 1.14 and xcb-proto 1.14.
• Fixed CCMP replay checks with 11n Rx aggregation and CCMP hardware offloading.
• Disabled ohci(4) on the amd64 ramdisk kernel.
• Fixed dhclient(8) domain-search option processing.
• Enabled TLSv1.3 support in relayd(8).
• Set ddb(4) "/t" to show a trace via TID on all architectures.
• Updated nsd(8) to 4.3.1.
• Added -rls1_3 and -no_tls1_3 options to openssl(1) s_server.
• Preserved group/world read permission on known_hosts files across runs of ssh-keygen(1) "-Rf /path".
• Fixed an iked(8) policy lookup edge case for simultaneous transport and tunnel mode SAs.
• Enabled the TLSv1.3 server in openssl(1).
• Improved reporting of remaining power with batteries of different capacities in acpi(4).
• Allowed specifying -d multiple times in slowcgi(8).
• Added bgpctl(8) support for VPNv6 in the family option of the "show rib" command.
• Fixed two out-of-bounds array accesses in ioctl code pathways in wscons(4).
• Made "reason" parsing in bgpctl(8) more generic and introduced it to the "reload" command.
• Added an optional "domain name" acme-client.conf(5) option allowing use of multiple domain sections with the same name and creation of an rsa and an ecdsa key for the same domain name.
• Fixed a crash on landisk in unwind(8) due to cmsg buffer misalignment.
• Prevented hangs in existing processes due to an indefinite wait for flushing when closing a tty.
• Moved to 6.7-current.