Revision 1.64, Wed May 6 17:11:29 2026 UTC (4 weeks, 2 days ago) by tj
Branch: MAIN
CVS Tags: HEAD Changes since 1.63: +1 -1 lines
"platforms specific" -> "platform-specific"
<!doctype html>
<html lang="en" id="release">
<head>
<meta charset=utf-8>
<title>OpenBSD 7.8</title>
<meta name="description" content="OpenBSD 7.8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/78.html">
</head><body>
<h2 id="OpenBSD">
<a href="index.html">
<i>Open</i><b>BSD</b></a>
7.8
</h2>
<table>
<tr>
<td>
<a href="images/Terraodontidae.png">
<img width="200" height="300" src="images/Terraodontidae-s.gif" alt="Terraodontidae"></a>
<td>
Released Oct 22, 2025. (59th OpenBSD release)<br>
Copyright 1997-2025, Theo de Raadt.<br>
<br>
Artwork by Apsephion.
<br>
<ul>
<li>See the information on <a href="ftp.html">the FTP page</a> for
a list of mirror machines.
<li>Go to the <code class=reldir>pub/OpenBSD/7.8/</code> directory on
one of the mirror sites.
<li>Have a look at <a href="errata78.html">the 7.8 errata page</a> for a list
of bugs and workarounds.
<li>See a <a href="plus78.html">detailed log of changes</a> between the
7.7 and 7.8 releases.
<p>
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
pubkeys for this release:<p>
<table class=signify>
<tr><td>
openbsd-78-base.pub:
<td>
<a href="https://ftp.openbsd.org/pub/OpenBSD/7.8/openbsd-78-base.pub">
RWS3/nvFmk4SWSmt/5QIk9yB4+uoAGoiYvFhVlDQBG3rWENeeIys0LWB</a><tr><td>
openbsd-78-fw.pub:
<td>
RWSFPOE2F7PQul5Fu/3G/JKMmqJD76vKKQh30UrwSslcMcU5/MEBVqTd
<tr><td>
openbsd-78-pkg.pub:
<td>
RWRdSyJORZBFeOu7a8K3nODBr9GrFJlGZUG2j93jDSds8Zc+NLTP8v60
<tr><td>
openbsd-78-syspatch.pub:
<td>
RWRYSW9gIG/XToA9BM+s+ehGgxdWe0+ZShwt85+/dFXYOZFRUi4uqhiR
</table>
</ul>
<p>
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via <code>ports.tar.gz</code>.
</table>
<hr>
<section id="new">
<h3>What's New</h3>
<p>
This is a partial list of new features and systems included in OpenBSD 7.8.
For a comprehensive list, see the <a href="plus78.html">changelog</a> leading to 7.8.
<p>
<ul>
<li>Platform-specific improvements:
<ul>
<li><a href="arm64.html">arm64</a>:
<ul>
<li>Added support for Raspberry Pi 5 (with console on serial port).
<li>Implement <a href="https://man.openbsd.org/acpicpu.4">acpicpu(4)</a> for arm64.
<li>On Apple variants, enter DDB when exuart detects a BREAK.
<li>On arm64 and riscv64, avoid multiple threads of a process
continuously faulting on a single page when <a
href="https://man.openbsd.org/pmap_enter.9">pmap_enter(9)</a> is asked
to enter a mapping that already exists.
<li>Make apm and <code>hw.cpuspeed</code> work on Snapdragon X Elite
machines.
</ul>
<li><a href="amd64.html">amd64</a>:
<ul>
<li>Fix processing of GPIO events for pin numbers less than 256 with
an _EVT method. Fixes power button on various ThinkPads with AMD CPUs.
</ul>
<li>Other <a href="plat.html">architectures</a>:
<ul>
<li>Added a sparc64-specific _raw flavour to the softintr routines for
those drivers that need to be able to schedule soft interrupts at
actual hardware levels.
</ul>
<li>More platform-specific changes can be found in the <a href="#hardware_support">hardware support</a> section below.
</ul>
<li>Various kernel improvements:
<ul>
<li>Set an upper limit on the value of
<a href="https://man.openbsd.org/sysctl.2#KERN_SEMINFO_SEMOPM~2">
sysctl(2) kern.seminfo.semopm</a> to avoid a possible kernel panic.
<li>On arm64, avoid decoding instructions when ELR isn't pointing
into the kernel part of the virtual address space and use fault()
instead of panic() to provide better error reports.
<li>Inherit <code>PS_NOBTCFI</code> at
<a href="https://man.openbsd.org/fork.2">fork(2)</a>
so forked children do not get killed by BTCFI safeguards.
<li>Inherit <code>PS_PROFILE</code> at
<a href="https://man.openbsd.org/fork.2">fork(2)</a>.
This lets child processes
disable/reenable profiling when they deem it appropriate.
<li>Implement the POSIX-2024 close-on-fork flag, but modified to be
reset on exec as preserving it across exec is not necessary for its
original purpose and has security and usability concerns.
<li>Improve handling of lock nesting by <a
href="https://man.openbsd.org/witness.4">witness(4)</a>.
<li>Add MI high-level software interrupt dispatcher, providing a
common subsystem for the high-level allocation, scheduling, and
dispatching of soft interrupts.
<li>Remove the functionality of the <code>fs.posix.setuid</code> sysctl.
<li>Use a FIFO queue for passing dead threads to the reaper,
reducing latency with large numbers of CPUs and jobs.
<li>Skip filesystem mount time update in BOOT kernels to enable
crude timekeeping across reboots without RTC and NTP.
<li>Move the kernel to using nanoseconds for the sleep time argument
instead of ticks. Userland functions don't change but precision is no
longer lost converting nanoseconds into ticks.
<li>Show SEV or SEV-ES guest mode in dmesg when running with AMD SEV.
<li>Support the GHCB protocol for IO and MMIO with SEV-ES.
This makes OpenBSD work with SEV-ES on kvm/qemu in 1-vCPU VMs.
<li>Add <a href="https://man.openbsd.org/psp.4">psp(4)</a> <a
href="https://man.openbsd.org/ioctl.2">ioctl(2)</a> to encrypt and
measure state for AMD SEV-ES.
<li>Add <a
href="https://man.openbsd.org/cpu_xcall.9">cpu_xcall(9)</a>, an API
for CPU xcalls (crosscalls), allowing dispatching of code to run on
the specified CPU from an interrupt context.
<li>Add <a href="https://man.openbsd.org/dt.4">dt(4)</a> trace points
to <a href="https://man.openbsd.org/rwlock.9">rwlock(9)</a>.
<li>Teach <a href="https://man.openbsd.org/btrace.8">btrace(8)</a>
how to resolve addresses in callstacks to symbols.
<li>Improve the documentation of <a
href="https://man.openbsd.org/dt.4">dt(4)</a> and <a
href="https://man.openbsd.org/btrace.8">btrace(8)</a>.
<li>Improve compatibility of the FUSE filesystem with
the Linux libfuse implementation.
<li>Make it possible to run the upper part of the fault handler in parallel.
<li>Improve mtx_enter() for machines with a huge number of CPUs.
</ul>
<li>Suspend/Hibernate Support:
<ul>
<li>Preallocate hibernate work area during boot to fix failures where the needed region can't be late-allocated.
<li>Implement lid suspend/resume for lids that use a GPIO.
<li>Implement support for wakeup interrupts in <a
href="https://man.openbsd.org/amdgpio.4">amdgpio(4)</a>, making it
possible to resume laptops with AMD CPUs from S0ix suspend.
<li>Introduce a generic powerbutton_event() function that does
everything we expect from a power button event in a consistent manner,
ensuring all drivers now prevent shutdown within the first 10 seconds
after resume.
<li>Implement a <code>ddb.suspend</code> sysctl that will force "S0ix"
suspend and skip suspend of <a
href="https://man.openbsd.org/inteldrm.4">inteldrm(4)</a> and <a
href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a> such that the
display remains on during suspend.
<li>Fix dead USB ports after suspend/resume on the ThinkPad Z13.
<li>Make <a href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a> S3 suspend more reliable.
<li>Double the size of the amd64 unhibernate chunk table for machines with large amounts of memory.
</ul>
<li id="SMP_Improvements">SMP Improvements:
<ul>
<li>Up to 8 softnet threads are used to handle network input.
The number of threads is also limited by the number of CPUs.
<li>TCP stack is now running in parallel on multiple CPUs.
Up to 8 threads are used to process TCP traffic.
Note that each connection can only be handled by one CPU.
Use multiple streams and a network interface capable of
multi queue to distribute packets.
<li>IPv6 fragment reassembly is now running in parallel.
<li>IPv6 destination option and routing header parsing is now
running in parallel.
<li>System calls
<a href="https://man.openbsd.org/close.2">close(2)</a> and
<a href="https://man.openbsd.org/listen.2">listen(2)</a>
run without exclusive net lock.
</ul>
<li>Direct Rendering Manager and graphics drivers:
<ul>
<li>Updated <a href="https://man.openbsd.org/drm.4">drm(4)</a>
to Linux 6.12.50.
<li>New <a href="https://man.openbsd.org/qcdrm.4">qcdrm(4)</a>
driver for Qualcomm Snapdragon DRM subsystem.
<li>New <a href="https://man.openbsd.org/qcdpc.4">qcdpc(4)</a>
driver for Qualcomm DisplayPort Controller.
</ul>
<li>VMM/VMD improvements:
<ul>
<li>On AMD processors SEV-ES technology is supported to start
confidential virtual machines.
SEV-ES works with the vmm/vmd hypervisor and with OpenBSD
guests on KVM/qemu.
<li>Add option for <a href="https://man.openbsd.org/vmd.8">vmd(8)</a>
to run guests in AMD SEV-ES mode and keyword "seves" for <a
href="https://man.openbsd.org/vm.conf.5">vm.conf(5)</a> to enable it.
<li>Allow SEV-ES enabled guests to run on <a
href="https://man.openbsd.org/vmm.4">vmm(4)</a>/<a
href="https://man.openbsd.org/vmd.8">vmd(8)</a>.
<li>Make <a href="https://man.openbsd.org/vmctl.8">vmctl(8)</a> show file path in error messages.
<li>Sanitize <a href="https://man.openbsd.org/vmd.8">vmd(8)</a>'s interprocess communication.
<li>Back <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> guest
memory with UVM aobjs, simplifying how guest memory is represented and
managed.
<li>Allow Linux guests to use kvm-clock in <a href="https://man.openbsd.org/vmm.4">vmm(4)</a>.
<li>Remove <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> send & receive functionality.
<li>Prevent <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> guests from reading outside pci config space.
<li>Emulate PKRU XSAVE area and features in <a href="https://man.openbsd.org/vmm.4">vmm(4)</a>.
<li>Update <a href="https://man.openbsd.org/vmd.8">vmd(8)</a>'s
emulated Virtio network, block, entropy, and scsi devices
to support Virtio 1.2 in non-transitional mode.
</ul>
<li>Various new userland features:
<ul>
<li>Switched <a href="https://man.openbsd.org/pkg-config.1">pkg-config(1)</a>
to the widely used C-based pkgconf 2.4.3 due to major performance issues
with the unmaintained homegrown Perl script.
<li>Import IIJ's iwatch as <a href="https://man.openbsd.org/watch.1">watch(1)</a>, a utility to periodically execute a command and display its output.
<li><a href="https://man.openbsd.org/security.8">security(8)</a>
creates backups of GPT/MBR.
<li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
<code>-R</code> recovers/creates GPT/MBR from a file.
<li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
interactive editor supports one-line partition addition/modification.
<li>Add [-w percent] and /etc/apm/warnlow hook to <a href="https://man.openbsd.org/apmd.8">apmd(8)</a>.
<li>Introduced a new gprof profiling system using <a
href="https://man.openbsd.org/profil.2">profil(2)</a> system call and
removed the <a
href="https://man.openbsd.org/OpenBSD-7.7/monstartup.3">monstartup(3)</a>
interface.
<li>Add <a href="https://man.openbsd.org/ibufq_new.3">ibufq(3)</a>
API to support multithreaded use of ibufs.
</ul>
<li>More bugfixes and tweaks in userland:
<ul>
<li>As usual, many improvements and corrections in documentation were made.
<li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
interactive editor displays verbose information if <code>-v</code>
was set.
<li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
displays GPT partitions in disk offset order with free areas shown.
<li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
can create GPT partitions with any well formed UUID as the type.
<li>Only GPT partitions with recognized filesystems are
included in the default <a href="https://man.openbsd.org/disklabel.5">disklabel(5)</a>.
<li>Version 0 <a href="https://man.openbsd.org/disklabel.5">disklabel(5)</a>
no longer supported.
<li>Fix a crash in <a href="https://man.openbsd.org/vi.1">vi(1)</a> when executing commands.
<li>Fix <a href="https://man.openbsd.org/vi.1">vi(1)</a> crash with expandtab and running external commands.
<li>Make <a href="https://man.openbsd.org/vi.1">vi(1)</a> 'p' command paste in the correct place.
<li>Improve the
<a href="https://man.openbsd.org/flockfile.3">flockfile(3)</a>
implementation by switching from external
locks to per FILE recursive mutexes.
<li>Do not log OTP secrets in
<a href="https://man.openbsd.org/login_yubikey.8">login_yubikey(8)</a>.
<li>Change <a href="https://man.openbsd.org/gmtime.3">gmtime(3)</a>
to return time in UTC rather than GMT, as
required by our own manpage, POSIX, C standards, and other OSes.
<li>Make <a href="https://man.openbsd.org/exit.3">exit(3)</a>,
<a href="https://man.openbsd.org/fclose.3">fclose(3)</a>,
<a href="https://man.openbsd.org/fflush.3">fflush(3)</a>, and
<a href="https://man.openbsd.org/freopen.3">freopen(3)</a> comply with
POSIX-2008 requirements for setting the underlying file position when
flushing read-mode streams, and make an
<a href="https://man.openbsd.org/fseek.3">fseek(3)</a>-after-<a
href="https://man.openbsd.org/fflush.3">fflush(3)</a> not
change the underlying file position.
<li>FILE is now opaque. Its member representing the file descriptor has been
widened from type short to int.
<li>Improve externs for KEYMAPE(); extern in .c files resulted in the use of a wrongly sized
anonymous struct.
<li>Make <a href="https://man.openbsd.org/bioctl.8">bioctl(8)</a> properly indicate key disk for RAID 1C.
<li>Fix sign of <code>%z</code> output in
<a href="https://man.openbsd.org/zic.8">zic(8)</a>, and add DST offset.
<li>Add <code>-t</code> and <code>-V</code> options from tzcode2013d to
<a href="https://man.openbsd.org/zdump.8">zdump(8)</a>.
<li>Fix an <a href="https://man.openbsd.org/rmdir.1">rmdir(1)</a> bug where "mkdir exampledir; ln -s exampledir examplelink; rmdir examplelink/" didn't remove exampledir like POSIX requires.
<li>Fix a POSIX-violating
<a href="https://man.openbsd.org/grep.1">grep(1)</a> bug where
arguments starting with a hyphen-minus character were misinterpreted
as options even when appearing behind non-option operands.
<li>Improve handling of UTF-8 input in
<a href="https://man.openbsd.org/ksh.1">ksh(1)</a> VI mode
in several ways. This work is not yet complete.
<li>In <a href="https://man.openbsd.org/ksh.1">ksh(1)</a> VI mode, make the
behaviour of "1P" consistent with the behaviour of "2P" such that
both back up to the first byte of the last character inserted.
<li>Make <a href="https://man.openbsd.org/mdoc.7">mdoc(7)</a>
support the input syntax ".Lb libname [...]" with multiple arguments
in the SYNOPSIS.
<li>For better consistency with POSIX and traditional UNIX and BSD
<a href="https://man.openbsd.org/man.1">man(1)</a>, if the
<code>-l</code> option is not specified, never interpret "name"
command line arguments as absolute or relative path names, not
even for arguments that contain a slash and that do not resolve
to a manual page name.
<li>Make <a href="https://man.openbsd.org/sndiod.8">sndiod(8)</a> use
per-program level controls instead of per-client.
<li>Stop <a href="https://man.openbsd.org/tar.1">tar(1)</a> from
exiting silently if the mtime didn't fit in the ustar header when
writing out the extended headers.
<li>Fix memleak in <a
href="https://man.openbsd.org/syslogd.8">syslogd(8)</a> when a client
aborts a TLS connection, and ensure that <a
href="https://man.openbsd.org/syslogd.8">syslogd(8)</a> runs TLS
handshake callback.
<li>Support for embedded PNG bitmaps in Freetype (often used for fonts
with colour emoji).
<li>Backport TearFree page flips for the modesetting driver from X.Org master.
</ul>
<li id="hardware_support">Improved hardware support and driver bugfixes, including:
<ul>
<li>New <a href="https://man.openbsd.org/acpiwmi.4">acpiwmi(4)</a>
driver for Windows Management Instrumentation.
<li>New <a href="https://man.openbsd.org/amdpmc.4">amdpmc(4)</a>
driver for AMD power management controller.
<li>New bcmmip
driver for BCM2712 MSI controller.
<li>New <a href="https://man.openbsd.org/bcmstbgpio.4">bcmstbgpio(4)</a>
driver for Broadcom Set-top Box GPIO controller.
<li>New <a href="https://man.openbsd.org/bcmstbintc.4">bcmstbintc(4)</a>
driver for Broadcom Set-top Box interrupt controller.
<li>New <a href="https://man.openbsd.org/bcmstbpinctrl.4">bcmstbpinctrl(4)</a>
driver for Broadcom Set-top Box pin multiplexing.
<li>New <a href="https://man.openbsd.org/bcmstbrescal.4">bcmstbrescal(4)</a>
driver for Broadcom Set-top Box reset calibration controller.
<li>New <a href="https://man.openbsd.org/bcmstbreset.4">bcmstbreset(4)</a>
driver for Broadcom Set-top Box reset controller.
<li>New <a href="https://man.openbsd.org/arm64/rpone.4">rpone(4)</a>
driver for Raspberry Pi RP1 peripheral controller.
<li>New <a href="https://man.openbsd.org/arm64/rpiclock.4">rpiclock(4)</a>
driver for Raspberry Pi RP1 clock controller.
<li>New <a href="https://man.openbsd.org/arm64/rpipwm.4">rpipwm(4)</a>
driver for Raspberry Pi RP1 PWM controller.
<li>New <a href="https://man.openbsd.org/arm64/rpirtc.4">rpirtc(4)</a>
driver for Raspberry Pi real-time clock.
<li>New <a href="https://man.openbsd.org/iasuskbd.4">iasuskbd(4)</a>
driver for ASUS I2C HID keyboards.
<li>Add support for the SDHC controllers found on the Raspberry Pi 5.
<li>In <a href="https://man.openbsd.org/virtio.4">virtio(4)</a>,
allow the use of memory above 4G on amd64 for virtio rings and
descriptors.
<li>Add support for H.264 advanced video coding to
<a href="https://man.openbsd.org/uvideo.4">uvideo(4)</a>.
<li>Prevent a kernel panic in
<a href="https://man.openbsd.org/wsdisplay.4">wsdisplay(4)</a>
when asked to switch VTs during resume.
<li>Avoid a use-after-free in
<a href="https://man.openbsd.org/psp.4">psp(4)</a>.
<li>Do not attach YubiKeys as keyboards anymore in
<a href="https://man.openbsd.org/ukbd.4">ukbd(4)</a>.
This disables the OTP functionality, but makes it easier to use
the FIDO function without the need to configure the YubiKeys
correctly first.
<li>Implement support for "vmmc-supply" in
<a href="https://man.openbsd.org/sdhc.4">sdhc(4)</a>,
needed to power on the WiFi chip on the Raspberry Pi 5.
<li>Add RK3528 support to <a href="https://man.openbsd.org/rkpinctrl.4">rkpinctrl(4)</a>.
<li>Add RK3528 support to <a href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>.
<li>Add RK3528 support to <a href="https://man.openbsd.org/rkusbphy.4">rkusbphy(4)</a>.
<li>Fix and add time sensor to <a href="https://man.openbsd.org/pvclock.4">pvclock(4)</a>.
</ul>
<li>New or improved network hardware support:
<ul>
<li>Make the <a href="https://man.openbsd.org/cad.4">cad(4)</a>
Ethernet interface on the Raspberry Pi 5 work by
configuring the delays for RGMII PHYs correctly.
<li>Add support for the Realtek RTL8125D and RTL8127 chips to the <a
href="https://man.openbsd.org/rge.4">rge(4)</a> driver and update
microcode for RTL8125B.
<li>Add a software implementation of TCP Large Receive Offload to <a
href="https://man.openbsd.org/ixl.4">ixl(4)</a>.
<li>Intel E810 network devices
<a href="https://man.openbsd.org/ice.4">ice(4)</a> are
supported for 100 and 25 GBit in QSFP and SFP variants.
<li>Add support for the ifconfig
<a href="https://man.openbsd.org/ifconfig.8#transceiver">transceiver</a>
command to <a href="https://man.openbsd.org/ice.4">ice(4)</a>.
<li>Add Rx checksum offload and TSO (TCP Segmentation Offload) support to <a
href="https://man.openbsd.org/ice.4">ice(4)</a>.
<li>Enable RSS in <a
href="https://man.openbsd.org/ice.4">ice(4)</a>, and enable Tx/Rx
across multiple queues.
<li>Use SoftLRO in <a href="https://man.openbsd.org/ice.4">ice(4)</a>, but default off.
<li>Add SoftLRO support to <a href="https://man.openbsd.org/bnxt.4">bnxt(4)</a>.
<li>Add support for TSO to <a
href="https://man.openbsd.org/iavf.4">iavf(4)</a>.
<li>Disable <a href="https://man.openbsd.org/hvn.4">hvn(4)</a> TCP
checksum offload, broken on newer Hyper-V versions.
<li>Add support for the RTL8157 chipset in <a href="https://man.openbsd.org/ure.4">ure(4)</a>.
</ul>
<li>Added or improved wireless network drivers:
<ul>
<li>Add 802.11n/HT and roaming support to
<a href="https://man.openbsd.org/qwx.4">qwx(4)</a>.
<li>Fix TKIP crypto offload in
<a href="https://man.openbsd.org/qwx.4">qwx(4)</a>.
<li>Fix suspend/resume instability caused by
<a href="https://man.openbsd.org/qwx.4">qwx(4)</a>.
<li>Make WPA handshakes succeed more reliably with the
<a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> driver.
<li>Unbreak support for a subset of Intel AX210 devices by making
<a href="https://man.openbsd.org/iwx.4">iwx(4)</a> load the
correct firmware image for them.
</ul>
<li>Installer, upgrade, bootloader, and pkg-tools improvements:
<ul>
<!-- installboot -->
<!-- sysupgrade -->
<!-- fw_update -->
<!-- installer proper -->
<li>Add installer preference for disks bigger than 1G as default root disk.
<li>Stop offering http/nfs for offline installation.
<li>Prevent installing a corrupted <code>/bsd</code> on relink errors.
<!-- updates/sysmerge -->
<!-- pkg_ -->
<li>Prevent <a
href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a> update from
advising file removal appropriate only when deleting packages.
</ul>
<li>Security improvements:
<ul>
<li>Permit <a href="https://man.openbsd.org/setsockopt.2">setsockopt(2)</a>
and <a href="https://man.openbsd.org/getsockopt.2">getsockopt(2)</a>
<code>IPPROTO_IP</code>/<code>IP_TOS</code> and
<code>IPPROTO_IPV6</code>/<code>IPV6_TCLASS</code> in
<a href="https://man.openbsd.org/pledge.2">pledge(2)</a> "stdio".
Previously these were restricted to "inet".
However, setting TOS is low risk and this way a
lot more attack surface from inet can be removed.
<li>Allow low-risk
<a href="https://man.openbsd.org/getsockname.2">getsockname(2)</a> and
<a href="https://man.openbsd.org/getpeername.2">getpeername(2)</a>
in stdio.
<li>Pledge <a
href="https://man.openbsd.org/fc-cache.1">fc-cache(1)</a> and <a
href="https://man.openbsd.org/mkfontscale.1">mkfontscale(1)</a> and
change ownership of the fontconfig cache to the
<code>_fc-cache</code> user to run unprivileged when installing fonts.
<li>Add <code>IPV6_RECVTCLASS</code> to the authorized
<a href="https://man.openbsd.org/setsockopt.2">setsockopt(2)</a>
operations for <code>IPPROTO_IPV6</code> in
<a href="https://man.openbsd.org/pledge.2">pledge(2)</a>
fixing recent chromium browser with IPv6.
<li>Add an MI mechanism for creating an (unmapped) guard page between
the PCB and the kernel stack and enable on 64-bit architectures with
4k pages.
</ul>
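<p>
The pledge(2) relaxations listed above, shown as an added example that is not OpenBSD source code: a socket is created and bound while the process is still unrestricted, the process then drops to "stdio" only, and the TOS and socket-name calls are made afterwards. The names <code>tos_after_pledge</code>, <code>drop_to_stdio</code> and <code>EXAMPLE_TOS</code> are hypothetical, and the no-op branch for systems without pledge(2) is an assumption made only so the file builds elsewhere.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define EXAMPLE_TOS 0x10	/* constructed sample value, same bits as IPTOS_LOWDELAY */

/* Reduce the process to the "stdio" promise. */
static int
drop_to_stdio(void)
{
#ifdef __OpenBSD__
	return pledge("stdio", NULL);
#else
	return 0;	/* assumption: no pledge(2) on this system, build-only fallback */
#endif
}

/*
 * Set and read back IP_TOS on a socket after "inet" has been given up.
 * Returns the TOS value the kernel reports, or -1 on any error.
 * The locally bound port is stored in *port via getsockname(2).
 */
int
tos_after_pledge(int tos, in_port_t *port)
{
	struct sockaddr_in sin;
	socklen_t len;
	int s, got = -1;

	/* Phase 1: calls that still need more than "stdio": socket(2), bind(2). */
	if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
		return -1;
	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = htonl(INADDR_ANY);
	sin.sin_port = 0;		/* let the kernel pick a port */
	if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) == -1)
		goto fail;

	/* Phase 2: from here on the process can no longer create sockets. */
	if (drop_to_stdio() == -1)
		goto fail;

	/* Phase 3: per-socket tuning that the list above places in "stdio". */
	if (setsockopt(s, IPPROTO_IP, IP_TOS, &tos, sizeof(tos)) == -1)
		goto fail;
	len = sizeof(got);
	if (getsockopt(s, IPPROTO_IP, IP_TOS, &got, &len) == -1)
		goto fail;
	len = sizeof(sin);
	if (getsockname(s, (struct sockaddr *)&sin, &len) == -1)
		goto fail;
	*port = ntohs(sin.sin_port);

	close(s);
	return got;
fail:
	close(s);
	return -1;
}

int
main(void)
{
	in_port_t port = 0;
	int tos = tos_after_pledge(EXAMPLE_TOS, &port);

	if (tos == -1) {
		perror("tos_after_pledge");
		return 1;
	}
	printf("tos=0x%02x local port=%u\n", tos, (unsigned)port);
	return 0;
}
```

The ordering is the point: anything that still needs "inet" is done before the promise set is reduced, and only the TOS and socket-name calls remain afterwards.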
<li>New features in the network stack:
<ul>
<li>Stop adding interfaces with blackhole and reject routes to the
egress group, even if a default route points at them.
<li>Some network drivers can now use soft LRO for TCP.
If the hardware does not support concatenating received
TCP packets, this can be done at driver level.
As the upper layers handle fewer packets, performance
improves.
Currently the feature is disabled by default; activate it with ifconfig(8)
<a href="https://man.openbsd.org/ifconfig.8#tcplro">tcplro</a>.
Software LRO has been implemented for
<a href="https://man.openbsd.org/bnxt.4">bnxt(4)</a>,
<a href="https://man.openbsd.org/ice.4">ice(4)</a>,
<a href="https://man.openbsd.org/ixl.4">ixl(4)</a>.
<li>New <a href="https://man.openbsd.org/erspan.4">erspan(4)</a>
driver for ERSPAN Type II tunnel networks.
</ul>
<li>Further changes and bugfixes in the network stack:
<ul>
<li>For
<a href="https://man.openbsd.org/divert.4">divert(4)</a>
protocols
<a href="https://man.openbsd.org/sysctl.8">sysctl(8)</a>
knobs have been consolidated.
<li>ARP and ND6 lists use iterators to be MP safe.
This also avoids a race when timeouts handled multipath
link layer entries.
<li>TCP keepalive intervals have been fixed.
<li>Do not allow negative values for
<a href="https://man.openbsd.org/sysctl.2">sysctl(2)</a>
<code>net.inet6.ip6.neighborgcthresh</code>, which would disable
the limit on ND6 entries, and disallow setting negative values for
<code>net.inet6.ip6.maxdynroutes</code>, which previously allowed
unlimited redirect routes.
<li>Fix error handling in IPv6 multicast sysctl.
<li>Fix refcnt leak in <a href="https://man.openbsd.org/veb.4">veb(4)</a>.
<li>Use VLAN hardware tagging in <a href="https://man.openbsd.org/veb.4">veb(4)</a>.
<li>Use VLAN hardware tagging in <a href="https://man.openbsd.org/bridge.4">bridge(4)</a>.
<li>Use checksum offload in <a href="https://man.openbsd.org/veb.4">veb(4)</a>
and <a href="https://man.openbsd.org/bridge.4">bridge(4)</a>.
<li>Unbreak <a href="https://man.openbsd.org/vport.4">vport(4)</a> to
vport communication on the same <a
href="https://man.openbsd.org/veb.4">veb(4)</a>.
<li>Remove <code>net.inet6.ip6.soiikey</code> sysctl.
<li>Make <a href="https://man.openbsd.org/lo.4">lo(4)</a> attach
multiple interface queues, allowing local network connections to use
multiple softnets.
<li>Allow packets being sent out <a
href="https://man.openbsd.org/pppoe.4">pppoe(4)</a> interfaces to
bypass queues and go straight onto the underlying interface.
</ul>
<li>The following changes were made to the <a
href="https://man.openbsd.org/pf.4">pf(4)</a> firewall:
<ul>
<li>The check whether a TCP RST packet belongs to a connection
was too strict.
Now resetting a TCP state also works if there were gaps in
the sequence number space due to lost packets.
<li>Repair "least-states" in
<a href="https://man.openbsd.org/pf.4">pf(4)</a> by decrementing
the state counter properly when the state is removed.
</ul>
<li>Routing daemons and other userland network programs saw the following improvements:
<ul>
<li>Make <a href="https://man.openbsd.org/getaddrinfo.3">getaddrinfo(3)</a>
convert numeric host addresses for all address families,
independent of them being listed in /etc/resolv.conf.
<li>Added <a href="https://man.openbsd.org/lldpd.8">lldpd(8)</a>,
Link Layer Discovery Protocol (LLDP) daemon, and
<a href="https://man.openbsd.org/lldp.8">lldp(8)</a> control program.
<li>Added <a href="https://man.openbsd.org/bpflogd.8">bpflogd(8)</a>,
Berkeley Packet Filter logging daemon.
<li>Disallow <a href="https://man.openbsd.org/nc.1">nc(1)</a>
<code>-T</code> with = when arguments are not key=value pairs.
<li>Add SOCKS4A support to <a
href="https://man.openbsd.org/nc.1">nc(1)</a>
proxy (<code>-X</code>) mode.
<li>Add ALPN TLS option, so you can specify <code>-T</code> alpn=value
in <a href="https://man.openbsd.org/nc.1">nc(1)</a>.
<li>Make <a href="https://man.openbsd.org/iked.8">iked(8)</a> load
multiple certificates as a certificate chain from a file.
<li>In <a href="https://man.openbsd.org/relayd.8">relayd(8)</a>
add tighter checks on inter-process messages.
<li>Remove the currently useless "status memory" command in
<a href="https://man.openbsd.org/unwindctl.8">unwindctl(8)</a>.
<li>Disable aggressive-nsec when "force" is in use in
<a href="https://man.openbsd.org/unwind.8">unwind(8)</a>.
<li>Repair the printing of IPv6 route commands with
<a href="https://man.openbsd.org/netstart.8">netstart(8)</a>
<code>-n</code>, which was broken in 2022.
<li>Change <a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a> to
use the rdomain/rtable it was started in.
<li>Reduce the number of times that
<a href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> uses
<a href="https://man.openbsd.org/if_indextoname.3">if_indextoname(3)</a>
to translate an interface index to an interface name.
<li>In <a href="https://man.openbsd.org/dhcp6leased.8">dhcp6leased(8)</a>,
install reject route for prefix delegation, to
prevent routing loops in case only parts of the delegated prefix are
configured on interfaces.
<li>Introduce a lower bound for the IPv6-Only preferred timelimit in
<a href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a>.
<li>Network statistics reporting using <a
href="https://man.openbsd.org/netstat.1">netstat(1)</a> was changed:
<ul>
<li>The output of
<a href="https://man.openbsd.org/netstat.1">netstat(1)</a>
for multicast route and divert protocol statistics
has been improved.
<li>Export TCP send congestion window for IPv6 also to allow its
display with <a
href="https://man.openbsd.org/netstat.1">netstat(1)</a>
<code>-B</code>.
<li>Harmonize <a
href="https://man.openbsd.org/netstat.1">netstat(1)</a> ip4 and ip6
multicast counter output.
<li>Provide m_pool_alloc() failures in mbstat, making the count
visible in <a href="https://man.openbsd.org/netstat.1">netstat(1)</a>
<code>-m</code>.
<li>Remove specific divert6 netstat counters, use divert instead.
</ul>
<li><a href="https://man.openbsd.org/acme-client.1">acme-client(1)</a> saw several changes:
<ul>
<li>Made <a
href="https://man.openbsd.org/acme-client.1">acme-client(1)</a> handle
"processing" status by retrying.
<li>Remove http support from <a
href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>, using
https for the API server per RFC 8555.
<li>Allow port numbers in API URLs, letting <a
href="https://man.openbsd.org/acme-client.1">acme-client(1)</a> talk
to Let's Encrypt's pebble server.
<li>Implement draft-ietf-acme-profiles for <a
href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>.
<li>Adapt renewal calculation for short-lived certificates in <a
href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>.
</ul>
<li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>:
<ul>
<li>In verbose mode log the NOTIFICATION data for UPDATE errors.
<li>Fix a busy loop error in the pfkey handling.
<li>Introduce monotime - an internal time API using microsecond resolution.
<li>Fix accounting of the pending update counter.
<li>Use new ibufq interface instead of handrolling the same.
<li>Large refactoring of internal APIs to make the code easier to share
and cleaner.
</ul>
<li>In <a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>:
<ul>
<li>The parser process now uses parallel threads for object
validation. The new <code>-p</code> option can be used
to adjust the number of threads.
<li>Support for Canonical Cache Representation has been added.
<a href="https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-ccr">CCR</a>
is a new DER-encoded data interchange format to support audit trail
keeping, validated payload dissemination, and analytics pipelines.
<li>Certificate parsing and validation has been completely reworked.
In particular, a more stringent set of compliance checks based on RFC
6487, RFC 8209, and RFC 8608 is imposed on end entity certificates.
<li>Filemode is now able to detect most file types without recourse
to the file name extension.
<li>Experimental support for P-256 Trust Anchor keys was added.
<li>Marshalling and unmarshalling of privsep messages was improved.
<li>In verbose mode, warnings are emitted about uncompressed
HTTP/RRDP transfers larger than one megabyte. Publication server
operators are strongly encouraged to offer gzip compressed HTTP
content-encoding, see draft-ietf-sidrops-publication-server-bcp,
section 6.3.
<li>Emit all key identifiers (AKI and SKI) encoded in JSON as bare
hex strings without colons.
<li>Fixed numerous minor issues flagged by the Coverity static analyzer.
</ul>
</ul><!-- Routing daemons and other userland network improvements -->
<li><a href="https://man.openbsd.org/tmux.1">tmux(1)</a> improvements and bug fixes:
<ul>
<li>Allow <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> bind -r and -N to change an existing key binding if no command is specified.
<li>Add more features for boolean expressions in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> formats.
<li>Add an option variation-selector-always-wide to instruct <a
href="https://man.openbsd.org/tmux.1">tmux(1)</a> not to always
interpret VS16 as a wide character and assume the terminal does
likewise.
<li>Add R format modifier to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> to repeat an argument.
<li>Add -E to run-shell to forward stderr as well as stdout in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
<li>Fix several memory leaks.
<li>Flush scrolling when wrapping so UTF-8 in last position draws correctly.
<li>Treat Shift-Tab just like the up arrow in completion popup menu.
<li>Fix PageDown in menus.
<li>Replace invalid UTF-8 with the placeholder instead of ignoring it.
<li>Add pane-border-lines value to use spaces for pane borders.
<li>Add a nicer default second and third status line.
<li>Add a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> set-default style attribute which replaces the current default colours and attributes completely.
<li>Add S: to list <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> sessions with modifiers for sorting.
<li>Add <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> support for DECRQSS SP q (report cursor style), DECRQM ?12 (report cursor blink state) and DECRQM ?2004, ?1004, ?1006 (report mouse state).
<li>Introduce <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> new window option: tiled-layout-max-columns, which configures the maximum number of columns in the tiled layout.
</ul>
<li>LibreSSL version 4.2.0:
<ul>
<li>Portable changes:
<ul>
<li>Added explicit OpenBSD/ISC license to build system / scripts.</li>
<li>Fixed compilation on more CPU targets by removing architecture-specific definitions from header files.</li>
<li>Fixed builds in deep paths by using relative paths for linking.</li>
<li>Fixed Windows builds with Clang and CMake.</li>
<li>Fixed Windows error handling accepting connections with nc.</li>
</ul>
<li>Internal improvements:
<ul>
<li>Cleaned up code implementing block cipher modes of operation.
Includes untangling a horrible <code>#ifdef</code> mess and removing a few
instances of undefined behavior.
<li>Removed assembly implementations of AES using bit slicing (BS-AES)
and vector permutation (VP-AES).
<li>Removed <code>OPENSSL_SMALL_FOOTPRINT</code> and <code>OPENSSL_FIPSAPI</code>.
<li>Implemented constant time EC field element operations to allow
elliptic curve operations without bignum arithmetic.
<li>Implemented an EC method using homogeneous projective coordinates.
This will allow exception-free elliptic curve arithmetic in
constant time in future releases.
<li>Started cleaning up the openssl speed implementation.
<li>The last <code>SIGILL</code>-based CPU capability detection was removed.
Instead, capabilities are now detected using a constructor on
library load, which improves the incomplete coverage by calls
to <a href="https://man.openbsd.org/OPENSSL_init_crypto.3"
>OPENSSL_init_crypto(3)</a> on various entry points.
<li>Rework and simplify AES handling in EVP. In particular, AES-NI
is now handled in the AES internal code and no longer requires
the use of <a href="https://man.openbsd.org/evp.3">EVP</a>.
<li>Added a public API for ML-KEM. This is not yet documented in a
manpage and may not be in its final form. This will be used to
support X25519MLKEM768 in libssl.
</ul>
<li>Compatibility changes:
<ul>
<li>Removed the -msie_hack option from the
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a>
<a href="https://man.openbsd.org/openssl.1#ca">ca</a>
subcommand.
<li>Removed parameters of the 239-bit prime curves from X9.62, H.5.2:
prime239v1, prime239v2, prime239v3.
<li>Increased default MAC salt length used by PKCS12_set_mac(3) to 16
per recommendation of NIST SP 800-132.
<li>Encrypted PKCS#8 key files now use a default password-based key
derivation function that is acceptable in the present millennium.
<li>const corrected
<a href="https://man.openbsd.org/EVP_PKEY_get1_RSA.3"
>EVP_PKEY_get{0,1}_{DH,DSA,EC_KEY,RSA}(3)</a>.
<li><a href="https://man.openbsd.org/X509_CRL_verify.3"
>X509_CRL_verify(3)</a> now checks that the AlgorithmIdentifiers in the
signature and the tbsCertList are identical.
<li>Of the old *err() only PEMerr(), RSAerr(), and SSLerr() remain.
<li>Remove BIO_s_log(),
<a href="https://man.openbsd.org/OpenBSD-7.7/X509_PKEY_new.3"
>X509_PKEY_{new,free}(3)</a>,
<a href="https://man.openbsd.org/OpenBSD-7.7/PEM_X509_INFO_read.3"
>PEM_X509_INFO_read(3)</a>, and PEM_X509_INFO_write_bio().
<li>Re-expose the ASN.1 Boolean template items.
<li>opensslconf.h is now machine-independent.
</ul>
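<p>
What the X509_CRL_verify(3) consistency check compares, as an added Python example that is not LibreSSL code. It treats "identical" as a byte-for-byte match of the two DER-encoded AlgorithmIdentifiers, which is an assumption of this example; the function names and the sample CRL are constructed for illustration.

```python
def read_tlv(buf, pos):
    """Decode one DER element header at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first >= 0x80:  # long form: the low 7 bits give the number of length octets
        count = first - 0x80
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER element runs past the buffer")
    return tag, pos, pos + length


def children(seq):
    """Return [(tag, full_encoding)] for the elements inside one SEQUENCE."""
    tag, pos, end = read_tlv(seq, 0)
    if tag != 0x30 or end != len(seq):
        raise ValueError("expected exactly one SEQUENCE")
    items = []
    while end > pos:
        item_tag, _, item_end = read_tlv(seq, pos)
        items.append((item_tag, seq[pos:item_end]))
        pos = item_end
    return items


def crl_algorithm_ids(crl_der):
    """Return (tbsCertList.signature, signatureAlgorithm) as DER byte strings."""
    outer = children(crl_der)
    if [tag for tag, _ in outer] != [0x30, 0x30, 0x03]:
        raise ValueError("not a CertificateList")
    tbs_fields = children(outer[0][1])
    # version is OPTIONAL: skip it when the first field is an INTEGER.
    index = 1 if tbs_fields and tbs_fields[0][0] == 0x02 else 0
    if index >= len(tbs_fields) or tbs_fields[index][0] != 0x30:
        raise ValueError("tbsCertList.signature missing")
    return tbs_fields[index][1], outer[1][1]


def crl_algorithms_match(crl_der):
    """True when the signed and the unsigned AlgorithmIdentifier are identical."""
    inner, outer = crl_algorithm_ids(crl_der)
    return inner == outer


def der(tag, *parts):
    """Encode one DER element (used only to build the constructed samples)."""
    body = b"".join(parts)
    if len(body) >= 0x80:
        raw = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 + len(raw)]) + raw + body
    return bytes([tag, len(body)]) + body


# sha256WithRSAEncryption with NULL parameters, and ecdsa-with-SHA256.
RSA_SHA256 = der(0x30, bytes.fromhex("06092a864886f70d01010b"), b"\x05\x00")
ECDSA_SHA256 = der(0x30, bytes.fromhex("06082a8648ce3d040302"))


def sample_crl(inner_alg, outer_alg):
    """Constructed CRL skeleton: empty issuer, dummy all-zero signature bits."""
    tbs = der(0x30, der(0x02, b"\x01"), inner_alg, der(0x30),
              der(0x17, b"251022000000Z"))
    return der(0x30, tbs, outer_alg, der(0x03, b"\x00" + bytes(256)))
```

The outer signatureAlgorithm is not covered by the signature, so only the copy inside tbsCertList is authenticated; the comparison ties the two together.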
<li>New features:
<ul>
<li>Allow specifying ALPN in <a href="https://man.openbsd.org/nc.1#T">nc(1)</a>
via -Talpn="http/1.1,http/1.0".
</ul>
<li>Bug fixes:
<ul>
<li>Avoid pointer arithmetic on <code>NULL</code> for memory BIOs.
<li>Fix leaks and use-after-frees in PKCS7 attribute handling.
<li>Ensure p and q in RSA private key have a minimum distance of
2^(bits/2 - 100) as specified in NIST SP 800-56B Revision 2.
</ul>
<li>Security fixes:
<ul>
<li>Fix out-of-bounds read and write, memory leaks and incorrect
error check for CMS enveloped data.
</ul>
<li>Documentation:
<ul>
<li>Rewrote most of the EC documentation from scratch to be at least
somewhat accurate and intelligible.
<li>Updated documentation for SMIME_{read,write}* to match reality.
</ul>
<li>Testing and proactive security:
<ul>
<li>Added a testing framework that will help deduplicate lots of
ad-hoc code in the regression tests.
<li>Converted the Wycheproof testing framework to use testvectors_v1.
This in combination with a few new tests significantly increases
regress coverage.
</ul>
</ul>
<li>OpenSSH 10.2:
<ul>
<li>Security fixes:
<ul>
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
disallow control characters in usernames passed via the
commandline or expanded using %-sequences from the configuration
file, and disallow \0 characters in ssh:// URIs.
<br>
If an ssh(1) commandline was constructed using usernames or URIs
obtained from an untrusted source, and if a ProxyCommand that uses
the %r expansion was configured, then it may be possible for an
attacker to inject shell expressions that may be executed when the
proxy command is started.
<br>
We strongly recommend against using untrusted inputs to construct
ssh(1) commandlines.
<br>
This change also relaxes the validity checks in one small way:
usernames supplied via the configuration file as literals (i.e.
that have no % expansion characters) are not subject to these
validity checks. This allows usernames that contain arbitrary
characters to be used, but only via configuration files. This is
done on the basis that ssh's configuration is trusted.
<br>
This issue was reported by David Leadbeater.
</ul>
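<p>
A wrapper-side check for scripts that build ssh(1) command lines from outside input, as an added Python example that is not OpenSSH code. The allowlist patterns and function names are assumptions of this example, and the policy is stricter than the control-character check described above.

```python
import re
import unicodedata
from urllib.parse import urlsplit, unquote

# Wrapper policy (assumption of this example): plain login and host names only,
# nothing a shell would interpret and nothing that starts with "-".
SAFE_USER = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}")
SAFE_HOST = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


class RejectedInput(ValueError):
    """Raised when untrusted input must not reach the ssh command line."""


def has_control_chars(text):
    # Unicode category Cc covers NUL, the other C0 controls, DEL and the C1 range.
    return any(unicodedata.category(ch) == "Cc" for ch in text)


def check_field(value, pattern, what):
    if has_control_chars(value):
        raise RejectedInput(f"control character in {what}")
    if not pattern.fullmatch(value):
        raise RejectedInput(f"{what} outside the allowlist")
    return value


def parse_ssh_uri(uri):
    """Split an untrusted ssh:// URI into (user, host, port), or raise."""
    if has_control_chars(uri):
        raise RejectedInput("control character in URI")
    try:
        parts = urlsplit(uri)
        port = parts.port
    except ValueError as exc:
        raise RejectedInput(f"malformed URI: {exc}") from None
    if parts.scheme != "ssh" or not parts.hostname:
        raise RejectedInput("not an ssh:// URI with a host")
    # Percent-decode before validating so %00 or %0a cannot slip through.
    user = None
    if parts.username is not None:
        user = check_field(unquote(parts.username), SAFE_USER, "username")
    host = check_field(unquote(parts.hostname), SAFE_HOST, "hostname")
    return user, host, port


def build_ssh_argv(user, host, port=None):
    """Return an argv list for subprocess.run(); no caller-side shell is used."""
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(int(port))]
    if user is not None:
        # Still validated here: %r in a ProxyCommand is expanded by ssh itself
        # into a command string, however ssh was invoked.
        argv += ["-l", check_field(user, SAFE_USER, "username")]
    # "--" ends option parsing, so the host can never be read as an option.
    argv += ["--", check_field(host, SAFE_HOST, "hostname")]
    return argv
```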
<li>Potentially incompatible changes:
<ul>
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
add a warning when the connection negotiates a key agreement
algorithm that is not post-quantum safe.
<br>
This warning has been added due to the risk of "store now, decrypt
later" attacks. More details at the
<a href="https://openssh.com/pq.html"
>OpenSSH Post-Quantum Cryptography</a> page.
<br>
This warning may be controlled via a new <code>WarnWeakCrypto</code>
<a href="https://man.openbsd.org/ssh_config">ssh_config(5)</a>
option, defaulting to on. This option is likely to control
additional weak crypto warnings in the future.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
major changes to handling of DSCP marking/<code>IPQoS</code>
<br>
Both the client and the server have changed the default DSCP
(a.k.a. IPQoS) values and the way these values are selected at
runtime.
<br>
Both endpoints now use Expedited Forwarding (EF) for interactive
traffic by default. This provides better prioritisation,
especially on wireless media (cf. RFC 8325). Non-interactive
traffic now uses the operating system default DSCP marking.
Both the interactive and non-interactive DSCP values may be
overridden via the <code>IPQoS</code> keyword in <a
href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a> and
<a href="https://man.openbsd.org/sshd_config.5">sshd_config(5)</a>.
<br>
The DSCP value selected may now change over the course of a
connection. ssh(1) and sshd(8) will automatically select between
the interactive and non-interactive IPQoS values depending on
the type of SSH channels open. E.g. if an sftp session is using
the connection, then the non-interactive value will be used.
<br>
This is important now that the default interactive IPQoS is EF
(Expedited Forwarding), as many networks are configured to allow
only relatively small amounts of traffic of this class and they will
aggressively deprioritise the entire connection if this is exceeded.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
deprecate support for IPv4 type-of-service (TOS)
keywords in the IPQoS configuration directive.
<br>
Type of Service (ToS) was deprecated in the late nineties and
replaced with the Differentiated Services architecture. Diffserv
has significant advantages for operators because this mechanism
offers more granularity.
<br>
OpenSSH switched its default IPQoS from ToS to DSCP values in 2018.
<br>
IPQoS configurations with 'lowdelay', 'reliability', or
'throughput' will be ignored and instead the system default QoS
settings apply. Additionally, a debug message is logged about the
deprecation with a suggestion to use DSCP.
<li><a href="https://man.openbsd.org/ssh-add.1">ssh-add(1)</a>:
when adding certificates to an agent, set the expiry
to the certificate expiry time plus a short (5 min) grace period.
<br>
This will cause the agent to automatically remove certificates shortly
after they expire. A new ssh-add(1) <code>-N</code> option
disables this behaviour.
<li>All: remove experimental support for XMSS keys. This was never
enabled by default. We expect to implement a new post-quantum
signature scheme in the near future.
<li><a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>: move agent
listener sockets from /tmp to under ~/.ssh/agent
for both ssh-agent(1) and forwarded sockets in sshd(8).
<br>
This ensures processes that have restricted filesystem access
that includes /tmp do not ambiently have the ability to use keys
in an agent.
<br>
Moving the default directory has the consequence that the OS will
no longer clean up stale agent sockets, so ssh-agent(1) now gains
this ability.
<br>
To support $HOME on NFS, the socket path includes a truncated hash of
the hostname. ssh-agent(1) will by default only clean up sockets from
the same hostname.
<br>
ssh-agent(1) gains some new flags: <code>-U</code> suppresses the
automatic cleanup of stale sockets when it starts.
<code>-u</code> forces a cleanup without keeping a running agent,
<code>-uu</code> forces a cleanup that ignores the hostname.
<code>-T</code> makes ssh-agent(1) put the socket back in /tmp.
</ul>
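<p>
Because the deprecated ToS keywords are ignored with only a debug message, a configuration audit is the practical way to find them before upgrading. The following is an added Python example, not part of OpenSSH; the function name and the sample configuration are constructed for illustration.

```python
import re

# The three IPv4 ToS keywords that IPQoS no longer honours.
DEPRECATED_TOS = {"lowdelay", "reliability", "throughput"}

# "keyword arguments" or "keyword=arguments"; keywords are case-insensitive.
DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$")


def find_deprecated_ipqos(config_text):
    """Return [(line_number, section, [deprecated values])] for IPQoS lines.

    section is the Host/Match line the directive appears under, or "(global)".
    """
    findings = []
    section = "(global)"
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = DIRECTIVE.match(line)
        if not match:
            continue
        keyword, rest = match.group(1).lower(), match.group(2)
        if keyword in ("host", "match"):
            section = line
            continue
        if keyword != "ipqos":
            continue
        values = []
        for token in rest.split():
            if token.startswith("#"):  # stop at a trailing comment
                break
            values.append(token.strip('"').lower())
        stale = [value for value in values if value in DEPRECATED_TOS]
        if stale:
            findings.append((lineno, section, stale))
    return findings


# Constructed sample, not a real configuration.
SAMPLE_CONFIG = "\n".join([
    "# constructed sample ssh_config",
    "IPQoS lowdelay throughput",
    "Host bastion",
    "    IPQoS ef",
    "Host legacy-*",
    "    ipqos=reliability",
    "Match host foo",
    "    IPQoS af21 cs1",
])

if __name__ == "__main__":
    for lineno, section, stale in find_deprecated_ipqos(SAMPLE_CONFIG):
        print(f"line {lineno} [{section}]: deprecated IPQoS value(s) {stale}")
```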
<li>New features:
<ul>
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
add <code>SIGINFO</code> handlers to log active channel and
session information.
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
when refusing a certificate for user authentication, log
enough information to identify the certificate in addition to the
reason why it was being denied. Makes debugging certificate
authorisation problems a bit easier.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>,
<a href="https://man.openbsd.org/ssh-agent.1">ssh-agent(1)</a>:
support ed25519 keys hosted on PKCS#11 tokens.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
add a <a href="https://man.openbsd.org/ssh_config.5">ssh_config(5)</a>
RefuseConnection option that, when encountered while processing
an active section in a configuration, terminates ssh(1) with an
error message that contains the argument to the option.
<br>
This may be useful for expressing reminders or warnings in config
files, for example:
<pre>
Match host foo
RefuseConnection "foo is deprecated, use splork instead"
</pre>
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
make the X11 display number check relative to
X11DisplayOffset. This will allow people to use X11DisplayOffset
to configure much higher port ranges if they really want, while
not changing the default behaviour.
<li>unit tests: the unit test framework now includes some basic
benchmarking capabilities. Run with "make UNITTEST_BENCHMARK=yes".
</ul>
<li>Bugfixes:
<ul>
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
fix mistracking of MaxStartups process exits in some
situations. At worst, this could cause all MaxStartups slots to
fill and sshd(8) to refuse new connections.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
fix delay on X client startup when ObscureKeystrokeTiming is enabled.
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
increase the maximum size of the supported configuration
from 256KB to 4MB, which ought to be enough for anybody. Fail
early and visibly when this limit is breached.
<li><a href="https://man.openbsd.org/sftp.1">sftp(1)</a>:
during sftp uploads, avoid a condition where a failed
write could be ignored if a subsequent write succeeded. This is
unlikely but technically possible because sftp servers are
allowed to reorder requests.
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
avoid a race condition when the sshd-auth process exits
that could cause a spurious error message to be logged.
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
log at level <code>INFO</code> when PerSourcePenalties actually
blocks access to a source address range. Previously this was
logged at level <code>VERBOSE</code>, which hid enforcement
actions under default config settings.
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
GssStrictAcceptor was missing from sshd(8) <code>-T</code> output; fix
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
Make the MaxStartups and PerSourceNetBlockSize options
first-match-wins as advertised.
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
fix an incorrect return value check in the local forward
cancellation path that would cause failed cancellations not to be
logged.
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
make "Match !final" not trigger a second ssh_config
parsing pass (unless hostname canonicalisation or a separate
"Match final" does).
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
better debug diagnostics when loading keys. Will now list
key fingerprint and algorithm (not just algorithm number) as well
as making it explicit which keys didn't load.
<li>All: fix a number of memory leaks found by LeakSanitizer,
Coverity and manual inspection.
<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
Output the current name for PermitRootLogin's
"prohibit-password" in sshd(8) <code>-T</code> instead of its
deprecated alias "without-password".
<li><a href="https://man.openbsd.org/ssh.1">ssh(1)</a>:
make writing known_hosts lines more atomic by writing
the entire line in one operation and using unbuffered stdio.
<br>
Usually writes to this file are serialised on the "Are you sure you
want to continue connecting?" prompt, but if host key checking is
disabled and connections were being made with high concurrency
then interleaved writes might have been possible.
</ul>
</ul>
<li>Ports and packages:
<p>Many pre-built packages for each architecture:
<!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
<ul style="column-count: 3">
<li>aarch64: 12506
<li>amd64: 12651
<li>arm: 8903
<li>i386: 10457
<li>mips64: 8484
<li>powerpc: 10073
<li>powerpc64: 9698
<li>riscv64: 10593
<li>sparc64: 9088
</ul>
<p>Some highlights:
<ul style="column-count: 3"><!-- checked 2025-10-XX -->
<li>Asterisk 16.30.1, 18.26.4, 20.15.2 and 22.5.2
<li>Audacity 3.7.5
<li>CMake 3.31.8
<li>Chromium 141.0.7390.54
<li>Emacs 30.2
<li>FFmpeg 6.1.3
<li>GCC 8.4.0 and 11.2.0
<li>GHC 9.8.3
<li>GNOME 48
<li>Go 1.25.1
<li>JDK 8u462, 11.0.28, 17.0.16, 21.0.8 and 25.0.0
<li>KDE Applications 25.08.1
<li>KDE Frameworks 6.18.0
<li>KDE Plasma 6.4.5
<li>Krita 5.2.13
<li>LLVM/Clang 19.1.7, 20.1.8 and 21.1.2
<li>LibreOffice 25.8.1.1
<li>Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.7
<li>MariaDB 11.4.7
<li>Mono 6.12.0.199
<li>Mozilla Firefox 143.0.3 and ESR 140.3.1
<li>Mozilla Thunderbird 143.3.1
<li>Mutt 2.2.15 and NeoMutt 20250905
<li>Node.js 22.20.0
<li>OCaml 4.14.2
<li>OpenLDAP 2.6.10
<li>PHP 8.2.29, 8.3.26 and 8.4.13
<li>Postfix 3.5.25 and 3.10.1
<li>PostgreSQL 17.6
<li>Python 2.7.18 and 3.12.11
<li>Qt 5.15.16 (+ kde patches) and 6.8.3
<li>R 4.5.1
<li>Ruby 3.2.9, 3.3.9 and 3.4.6
<li>Rust 1.90.0
<li>SQLite 3.50.4
<li>Shotcut 25.08.16
<li>Sudo 1.9.17p2
<li>Suricata 7.0.7
<li>Tcl/Tk 8.5.19 and 8.6.16
<li>TeX Live 2025
<li>Vim 9.1.1706 and Neovim 0.11.4
<li>Xfce 4.20.0
</ul>
<p>
<li>As usual, steady improvements in manual pages and other documentation.
<li>The system includes the following major components from outside suppliers:
<ul><!-- updated 2025-10-09 -->
<li>Xenocara (based on X.Org 7.7 with xserver 21.1.18 + patches,
freetype 2.13.3, fontconfig 2.15.0, Mesa 25.0.7, xterm 399,
xkeyboard-config 2.20, fonttosfnt 1.2.4 and more)
<li>LLVM/Clang 19.1.7 (+ patches)
<li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
<li>Perl 5.40.1 (+ patches)
<li>pkgconf 2.4.3
<li>NSD 4.13.0
<li>Unbound 1.24.0
<li>Ncurses 6.4
<li>Binutils 2.17 (+ patches)
<li>GDB 6.3 (+ patches)
<li>Awk 20250116
<li>Expat 2.7.3
<li>zlib 1.3.1 (+ patches)
</ul>
</ul>
</section>
<hr>
<section id="install">
<h3>How to install</h3>
<p>
Please refer to the following files on the mirror site for
extensive details on how to install OpenBSD 7.8 on your machine:
<ul>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.8/alpha/INSTALL.alpha">
.../OpenBSD/7.8/alpha/INSTALL.alpha</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.8/amd64/INSTALL.amd64">
.../OpenBSD/7.8/amd64/INSTALL.amd64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.8/arm64/INSTALL.arm64">
.../OpenBSD/7.8/arm64/INSTALL.arm64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.8/armv7/INSTALL.armv7">
.../OpenBSD/7.8/armv7/INSTALL.armv7</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.8/hppa/INSTALL.hppa">
.../OpenBSD/7.8/hppa/INSTALL.hppa</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.8/i386/INSTALL.i386">
.../OpenBSD/7.8/i386/INSTALL.i386</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.8/landisk/INSTALL.landisk">
.../OpenBSD/7.8/landisk/INSTALL.landisk</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.8/loongson/INSTALL.loongson">
.../OpenBSD/7.8/loongson/INSTALL.loongson</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.8/luna88k/INSTALL.luna88k">
.../OpenBSD/7.8/luna88k/INSTALL.luna88k</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.8/macppc/INSTALL.macppc">
.../OpenBSD/7.8/macppc/INSTALL.macppc</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.8/octeon/INSTALL.octeon">
.../OpenBSD/7.8/octeon/INSTALL.octeon</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.8/powerpc64/INSTALL.powerpc64">
.../OpenBSD/7.8/powerpc64/INSTALL.powerpc64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.8/riscv64/INSTALL.riscv64">
.../OpenBSD/7.8/riscv64/INSTALL.riscv64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.8/sparc64/INSTALL.sparc64">
.../OpenBSD/7.8/sparc64/INSTALL.sparc64</a>
</ul>
</section>
<hr>
<section id="quickinstall">
<p>
Quick installer information for people familiar with OpenBSD, and the use of
the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!
<h3>OpenBSD/alpha:</h3>
<p>
If your machine can boot from CD, you can write <i>install78.iso</i> or
<i>cd78.iso</i> to a CD and boot from it.
Refer to INSTALL.alpha for more details.
<h3>OpenBSD/amd64:</h3>
<p>
If your machine can boot from CD, you can write <i>install78.iso</i> or
<i>cd78.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.
<p>
If your machine can boot from USB, you can write <i>install78.img</i> or
<i>miniroot78.img</i> to a USB stick and boot from it.
<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.
<p>
If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.
<h3>OpenBSD/arm64:</h3>
<p>
Depending on your hardware, you can write <i>install78.iso</i>
or <i>cd78.iso</i> to a CD and boot from it, or write a system-specific
miniroot to an SD card and boot from it after connecting to the serial
console. Refer to INSTALL.arm64 for more details.
<h3>OpenBSD/armv7:</h3>
<p>
Write a system-specific miniroot to an SD card and boot from it after connecting
to the serial console. Refer to INSTALL.armv7 for more details.
<h3>OpenBSD/hppa:</h3>
<p>
Boot over the network by following the instructions in INSTALL.hppa or the
<a href="hppa.html#install">hppa platform page</a>.
<h3>OpenBSD/i386:</h3>
<p>
If your machine can boot from CD, you can write <i>install78.iso</i> or
<i>cd78.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.
<p>
If your machine can boot from USB, you can write <i>install78.img</i> or
<i>miniroot78.img</i> to a USB stick and boot from it.
<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.
<p>
If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.
<h3>OpenBSD/landisk:</h3>
<p>
Write <i>miniroot78.img</i> to the start of the CF
or disk, and boot normally.
<h3>OpenBSD/loongson:</h3>
<p>
Write <i>miniroot78.img</i> to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.
<h3>OpenBSD/luna88k:</h3>
<p>
Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.
<h3>OpenBSD/macppc:</h3>
<p>
Burn the <i>install78.iso</i> image from a mirror site to a CDROM,
and power on your machine while holding down the <i>C</i> key until
the display turns on and shows <i>OpenBSD/macppc boot</i>.
<p>
Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
/7.8/macppc/bsd.rd</i>
<h3>OpenBSD/octeon:</h3>
<p>
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.
<h3>OpenBSD/powerpc64:</h3>
<p>
To install, write <i>install78.img</i> or <i>miniroot78.img</i> to a
USB stick, plug it into the machine and choose the <i>OpenBSD
install</i> menu item in Petitboot.
Refer to the instructions in INSTALL.powerpc64 for more details.
<h3>OpenBSD/riscv64:</h3>
<p>
To install, write <i>install78.img</i> or <i>miniroot78.img</i> to a
USB stick, and boot with that drive plugged in.
Make sure you also have the microSD card plugged in that shipped with the
HiFive Unmatched board.
Refer to the instructions in INSTALL.riscv64 for more details.
<h3>OpenBSD/sparc64:</h3>
<p>
Burn the image from a mirror site to a CDROM, boot from it, and type
<i>boot cdrom</i>.
<p>
If this doesn't work, or if you don't have a CDROM drive, you can write
<i>floppy78.img</i> or <i>floppyB78.img</i>
(depending on your machine) to a floppy and boot it with <i>boot
floppy</i>. Refer to INSTALL.sparc64 for details.
<p>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
<p>
You can also write <i>miniroot78.img</i> to the swap partition on
the disk and boot with <i>boot disk:b</i>.
<p>
If nothing works, you can boot over the network as described in INSTALL.sparc64.
</section>
<hr>
<section id="upgrade">
<h3>How to upgrade</h3>
<p>
If you already have an OpenBSD 7.7 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
<a href="faq/upgrade78.html">Upgrade Guide</a>.
</section>
<hr>
<section id="sourcecode">
<h3>Notes about the source code</h3>
<p>
<code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/src.tar.gz</kbd>
</pre></blockquote>
<p>
<code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src/sys</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
</pre></blockquote>
<p>
Both of these trees are a regular CVS checkout. Using these trees it
is possible to get a head-start on using the anoncvs servers as
described <a href="anoncvs.html">here</a>.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
</section>
<hr>
<section id="ports">
<h3>Ports Tree</h3>
<p>
A ports tree archive is also provided. To extract:
<blockquote><pre>
# <kbd>cd /usr</kbd>
# <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
</pre></blockquote>
<p>
Go read the <a href="faq/ports/index.html">ports</a> page
if you know nothing about ports
at this point. This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.
<p>
The <i>ports/</i> directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
<a href="anoncvs.html">AnonCVS</a>.
So, in order to keep up to date with the -stable branch, you must make
the <i>ports/</i> tree available on a read-write medium and update the tree
with a command like:
<blockquote><pre>
# <kbd>cd /usr/ports</kbd>
# <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_7_8</kbd>
</pre></blockquote>
<p>
[Of course, you must replace the server name here with a nearby anoncvs
server.]
<p>
Note that most ports are available as packages on our mirrors. Updated
ports for the 7.8 release will be made available if problems arise.
<p>
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
<a href="mail.html">ports@openbsd.org</a> is a good place to start.
</section>
</body>
</html>