This selection is intended to include all important and all user-visible changes. For a complete record of all changes, please see the "source-changes" mailing list, called "OpenBSD CVS" in the archives, or use CVS.
Added iked(8) connection statistics for successful and failed connections, error types, and other events that can be printed with "ikectl show stats".
Added sftp(1) client support for "users-groups-by-id@openssh.com".
Added a "users-groups-by-id@openssh.com" extension request to sftp-server(8) that allows the client to obtain user/group names that correspond to a set of uids/gids.
Added RequiredRSASize for sshd(8). RSA keys that fail to meet this minimum length will be ignored for user and host-based authentication.
Changed ftp(1) to use non-blocking connect(2) with ppoll(2) and timeout instead of alarm(3). This allows failing over to another IP address for hosts that have more than one.
Changed ssh-agent(1) to attempt FIDO key signing without a PIN and use the error to determine whether a PIN is required and prompt only if necessary.
Moved the relayd(8) daemon(3) call to just before forking the children so the parent disassociates from its controlling terminal and shell, but not from its children.
Made rpki-client(8) handle multiple X.509 locations by picking the first location and issuing a warning.
Added apldcms(4), a driver for the touchpad on Apple M2 laptops.
Stopped vnconfig(8) from printing the device name on failure.
Changed ts(1) to parse the user format string once.
Added qcgpio(4) and qciic(4) drivers for the Qualcomm GPIO and I2C controllers found on the SC8280XP SoC. These drivers make the keyboard, trackpoint and touchpad work on the ThinkPad X13s.
Added apldc(4), apldchidev(4), apldckbd(4), and aplrtkit(4) to arm64. These drivers implement support for the Dockchannel-based keyboard found on Apple M2 laptops.
Made sure only one bgpd(8) roa softreconfig runner is run at any time.
In cases where a file in the rpki-client(8) validated cache directory is no longer valid while the newer file in the .rrdp directory is not yet valid, stopped rpki-client(8) from copying the old file over the newer file.
Fixed the growth check in compress(1) and gzip(1) in cases of small files or files with sufficiently random data.
Made fdisk(8) print a warning when a GPT partition start or end is outside the usable LBA area of the device.
Changed rc.subr(8) to copy the message to stdout when using logger(1) to avoid needing to check syslog when running in debug mode.
Fixed installboot(8) messaging when verbose (-v) and dry-run (-n) modes are combined with softraid(4).
Fixed integer overflows in the iwm(4) and iwx(4) firmware file parsers.
Changed the /sbin daemons dhcpleased(8), mountd(8), nfsd(8), pflogd(8), resolvd(8), slaacd(8), and unwind(8) to be dynamically linked to allow them to benefit from all the additional mitigations that dynamically linked executables gain. NFS mounting of /usr must now use statically configured IP addresses.
Added a printed message when ld.so(1) fails inside execve(2) to clarify the failure mode when a dynamic executable is run while /usr isn't mounted.
Changed rpki-client(8) verbose filemode to print details about encapsulated certificates and allow specifying verbose filemode a second time to print in PEM format.
Added delay_init() to provide basic delay(9) implementation management on i386 and amd64.
Fixed a potential kernel panic when an msdosfs partition is filled by fixing instances where msdosfs passed a NULL proc pointer to detrunc().
Added NFS client support to the luna88k RAMDISK kernel.
Stopped building Mesa against llvm on 32-bit powerpc.
Changed mips64, octeon, and loongson to trigger deferred clock interrupts from splx(9).
Dropped detection code for Cyrix CPUs older than the Cyrix M2.
Improved bioctl(8) RAID level parsing to check numeric levels before checking single character levels. This allows recognition of RAID 10 as a valid but unsupported level.
Changed ssh(1) to attempt fido(4) key signing without a PIN and use the error code returned to fall back only if necessary. This avoids PIN prompts for FIDO tokens that don't require them.
Added local bind mode to ypldap(8). In this mode ypldap binds its RPC sockets to loopback, so YP services are only available to the host ypldap is running on. In local bind mode one does not need to run portmap(8).
Made the UTC timezone acceptable for certificate validity intervals, sshsig verification times, and authorized_keys expiry-time options by suffixing dates/times with a 'Z' character for sshd(8) and ssh-keygen(1). Also added certificate validity intervals specified in raw seconds-since-epoch as a hex value (e.g. "-V 0x1234:0x4567890") to ssh-keygen(1).
Added display of an error with the failing path if the xterm(1) unveil(2) call fails.
Added a slowcgi(8) -t flag to change the request timeout.
Added support for wildcards in fw_update(8) patterns.
Corrected sparc64 ofwboot to default to the softraid volume on the boot device to make root on softraid work out of the box on sparc64 and be more consistent with softraid boot on other architectures.
Added aplaudio(4), a driver that ties together aplmca(4) and various codecs to present an audio(4) interface to the system.
Added aplmca(4), a driver that controls the hardware block that takes data from apldma(4), serializes it and sends it out on the i2s ports.
Fixed a tmux(1) crash when searching for .* with extremely long lines.
Fixed a bug in pf(4) where a pool defined like "172.16.0.0/16" would count as a pool size of one address. Also fixed random selection of source address to be uniform across the whole pool.
Killed virtual address randomization for the arm64 EFI runtime.
Enforced allowance of only one image specified for vmctl(8) create.
Added stack frames to crypto(3) AES-NI x86_64 assembly to silence a false positive from valgrind.
Added a "show swap" command to ddb(4) to help debugging.
Added a "processing" message for when pkg_add(1) is transferring data to inform the user that pkg_add is still working.
Added "show all routes" and the ability to show individual routes (e.g. "show route 0xfffffd807e9b0000") to ddb(4).
Changed rc(8) to only attempt to set the yp(8) domainname if it has not been set yet.
Retired identification code for Rise CPUs.
Fixed an fdisk(8) regression to allow editing an MBR of all zeroes.
Changed fdisk(8) to restrict user actions if neither GPT nor MBR structures can be found on the disk.
Updated libX11 to version 1.8.1.
Updated freetype to version 2.12.1.
Modified pms(4) to discard relative movement packets outside of the [-127, 127] range to prevent cursor jumps when using the trackpoint on some Lenovo laptops.
Added an OpenIKED Vendor ID payload in the iked(8) initial handshake to make it easier to handle interoperability problems with older versions in the future.
Added support for the new DART variant found on the Apple M2 SoC.
Moved to 7.2-beta.
Changed ssh-keygen(1) to prompt the user for confirmation when enrolling a resident key on a security token before overwriting a key with matching application and user ID strings.
Restricted pledge("vminfo") callers to read-only swapctl(2) operations.
Added handling for framebuffers where the first pixel isn't page-aligned to wsfb(4).
Added support for using the power button to wake up from suspend to axppmic(4).
Implemented support for framebuffers that don't start on a page boundary (like those on the new 14" and 16" MacBook Pro).
New ypconnect(2) system call creates a socket based upon the IP address encoded directly in a locked ypbinding file, thereby removing a horrible hack to support YP lookups in programs using strong pledge(2) rules.
Changed ypbind(8) to immediately reach out to learn the TCP port number for a remote ypserv(8) once we've learned the UDP port number and append the answer to the binding file.
Got rid of mandoc(1) archaic table markup for header and footer lines in favor of flexbox CSS. Rendering now adapts to browser windows of arbitrary narrowness.
Added xhci(4) support for the dual role controllers integrated on the Qualcomm Snapdragon 8cx gen 3 SoC.
Added support for using non-standard UARTs (such as the Synopsys DesignWare UART) as an early console.
Added support for the Synopsys DesignWare UART found on the Ryzen Embedded V1000 SoCs to com(4).
Ensured that uvm_swap_get() will always sleep rather than returning an error. Previously an error could be returned to the fault handler which would result in processes dying when a system was under a lot of memory pressure.
Made the page daemon consider pmemrange regions when trying to free pages from the inactive list. Previously the page daemon could use a lot of CPU without freeing a page because the global limits were satisfied.
Ensured progress in the swapper by pre-allocating pages in a DMA-reachable region.
Ensured uvm_swap_io() can succeed, even in out-of-memory situations, by reserving a second segment for the page daemon.
Added bgplgd(8), a fastcgi daemon that provides a REST JSON API to bgpctl(8).
Fixed pf(4) syncookies during fast TCP port reuse.
Altered installer behavior so the vlan(4) question won't be asked unless another network interface exists.
Started allowing arguments to the sftp(1) -D option (e.g. sftp -D "/usr/libexec/sftp-server -el debug3").
Reworked the rttimer code to fix icmp_pmtu_timeout crashes.
Introduced Large Receive Offloading of TCP segment offloading for ix(4). Also added a tso option to ifconfig(8) to enable and disable this feature.
Improved accessibility of mandoc(1) -T html -O toc output by using the <nav> element in the DPUB-ARIA doc-toc role.
Fixed crypto(3) prime recognition when doing trial divisions.
Fixed gzip byte counts with 32-bit integers.
Fixed an issue where a device could show up 32 times by only probing device 0 on PCI busses corresponding to a PCIe root port or a PCIe switch/bridge downstream port.
Bumped MAXCPUS to 256 on arm64.
Ensured cursor remains on selected item on menu in tmux(1).
Replaced rc.d(8) $rcexec variable with an rc_exec function. This will require a mechanical change from ${rcexec} to rc_exec in rc.d scripts. Kept compatibility to give people a chance to fix their custom scripts.
Fixed system(3) to ignore SIGINT and SIGQUIT until the shell exits.
Made vmm(4) load the vmcs before reading vcpu registers. This fixes vmctl(8) send on Intel hosts using vmd(8).
Changed the semantics of "hid_none" for hid_start_parse(3) to allow matching of all possible kinds of report IDs.
Made mandoc(1)'s roff_expand() parse left-to-right rather than right-to-left.
Fixed luna88k MULTIPROCESSOR kernels booting with CPU modules installed in arbitrary slots.
Fixed a memory leak on the session-bind path of ssh-agent(1).
Protected the global lists with a mutex and moved rttimer entries into a temporary list to make route timers MP safe.
Decoupled IP input and forwarding from protocol input to allow parallel IP processing while the upper layers are still not MP safe.
Removed the ASN.1 decoder tag/length cache (TLC) from crypto(3).
Added dt(4) tracepoints for vmm(4) vm exit reporting.
Added CPU frequency sensors for each core on CPUs that have MPERF/APERF support.
Reimplemented the page allocation code using bus_dma(9) APIs to make sure DMA addresses are translated properly on architectures with an IOMMU. This fixed amdgpu(4) and radeondrm(4) on powerpc, sparc64, and arm64 machines.
Changed crypto(3) to avoid expensive RFC 3779 checks during certificate verification.
Updated Mesa to version 21.3.8.
Added concatenated JSON output to rpki-client(8) filemode.
Made ssh(1) try to continue running local I/O for channels in OPEN state during transport rekeying to allow escapes to work in the client if the connection stalls during a rekey event.
Made rpki-client(8) hard error when parse_filepath() is passed an unknown repository id.
Restored vte(4) original MDC speed control register value on vte_reset, needed for Vortex86DX3 machines.
Fixed kbd(8) so it doesn't fail silently when executed by a regular user.
Made device matching in iwx(4) more similar to Linux iwlwifi.
Allowed more than one CRL URI in certificates for rpki-client(8).
Made use of the fact that repositories are unique objects in pkg_add(1) and annotated the quirks repository as cached, allowing for a large speed increase.
Relaxed address availability check for multicast(4) binds so processes listening for the same multicast address do not need to be the same UID.
Fixed witness lock issue found where pfsync(4) holds the mutex and an interrupt grabs the kernel lock.
Updated afterboot(8) to direct the user to use binary packages.
Changed to a simpler formula to calculate a default kern.maxthread value: 2*NPROCESS.