Revision 1.62, Tue May 26 13:48:32 2026 UTC (10 days, 7 hours ago) by naddy
Branch: MAIN
CVS Tags: HEAD
Changes since 1.61: +1 -1 lines

9554 arm packages

<!doctype html>
<html lang="en" id="release">
<head>
<meta charset="utf-8">
<title>OpenBSD 7.9</title>
<meta name="description" content="OpenBSD 7.9">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/79.html">
</head><body>
<h2 id="OpenBSD">
<a href="index.html">
<i>Open</i><b>BSD</b></a>
7.9
</h2>

<table>
<tr>
<td>
<a href="images/PinkPuffy.png">
<img width="200" height="300" src="images/PinkPuffy-s.gif" alt="PinkPuffy"></a>
<td>
Released May 19, 2026. (60th OpenBSD release)<br>
Copyright 1997-2026, Theo de Raadt.<br>
<br>
7.9 Song: "<a href="lyrics.html#79">Diamond in the Rough</a>"<br>
Artwork by Lyra Henderson.
<br>
<ul>
<li>See the information on <a href="ftp.html">the FTP page</a> for
    a list of mirror machines.
<li>Go to the <code class="reldir">pub/OpenBSD/7.9/</code> directory on
    one of the mirror sites.
<li>Have a look at <a href="errata79.html">the 7.9 errata page</a> for a list
    of bugs and workarounds.
<li>See a <a href="plus79.html">detailed log of changes</a> between the
    7.8 and 7.9 releases.
<p>
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
    pubkeys for this release:<p>

<table class="signify">
<tr><td>
openbsd-79-base.pub:
<td>
<a href="https://ftp.openbsd.org/pub/OpenBSD/7.9/openbsd-79-base.pub">
RWTSdNN9A3yvWNn7mUjXwv9DOCOUnyfuV+mq1iGPIfD+NhN8EYnEQ1at</a><tr><td>
openbsd-79-fw.pub:
<td>
RWQdmBb/OCe1hXE08xCj5VLnBpGpphy7kYPdU3oWyfnrwswjtl8K385E
<tr><td>
openbsd-79-pkg.pub:
<td>
RWSw1kDLJJy6OYgnayEMReLV57z2rzx5jYNCghO+2ARwqd6KuwGFWSn7
<tr><td>
openbsd-79-syspatch.pub:
<td>
RWTJmz/ur68S9e26/JVRr7T88lAPZIF3YgZ3w2lDnf/frAxTerC/DrZ6
</table>
</ul>
<p>
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via <code>ports.tar.gz</code>.
</table>

<hr>

<section id="new">
<h3>What's New</h3>
<p>
This is a partial list of new features and systems included in OpenBSD 7.9.
For a comprehensive list, see the <a href="plus79.html">changelog</a> leading to 7.9.
<p>
<ul>

<li>Platform-specific improvements:
  <ul>
  <li><a href="arm64.html">arm64</a>:
    <ul>
    <li>Enabled <a href="https://man.openbsd.org/ice.4">ice(4)</a> on arm64.
    <li>Added support for the RK3588 and RK3576 SoCs with new drivers or additions to existing drivers.
    <li>Added support for the Genesys Logic GL9755 SDHC controller
	(which includes the SDHC controller on some of the Apple Silicon
	laptops) to <a href="https://man.openbsd.org/sdmmc.4">sdmmc(4)</a>.
    </ul>
  <li><a href="amd64.html">amd64</a>:
    <ul>
    <li>Added SMU support to <a
	href="https://man.openbsd.org/amdpmc.4">amdpmc(4)</a>. The SMU is a
	microcontroller buried deep in the bowels of AMD SoCs and needs to be
	tickled in order to reach the lowest power states in suspend.
    <li>Disabled Panel Self Refresh (PSR) in amdgpu to avoid a potential hang on a ThinkPad X13 gen 6.
    <li>Increased MAXCPUs on amd64 to 255.
    <li>On amd64, we now zero the DM PTE/PDE pages before use. This fixes a bug on machines with more than 512GB RAM.
    <li>Mitigated floating point state leakage observed on AMD Zen/Zen+ (Zen 1).
    </ul>
  <li><a href="luna88k.html">luna88k</a>:
    <ul>
    <li>Switched luna88k compiler to gcc4.
    <li>Switched luna88k to PIE (Position Independent Executables) by default.
    </ul>
  <li><a href="riscv64.html">riscv64</a>:<br>
    Systems with a SpacemiT K1 SoC gained support with the following (and more) changes:
    <ul>
    <li>Added <a href="https://man.openbsd.org/smtclock.4">smtclock(4)</a>, a driver for the clock/reset controller on the SpacemiT K1 SoC.
    <li>Added many more drivers to support the SpacemiT K1 SoC.
    <li>Implemented support for the Zicbom (Cache-Block Management) and Svpbmt (Page-Based Memory Types) extensions.
    <li>Added the SpacemiT K1 device trees onto the riscv64 miniroot making them accessible during installation.
    <li>Made "Instruction access fault" (EXCP_FAULT_FETCH) traps be treated as PROT_EXEC. This fixes random SIGSEGV on the SpacemiT X60 cores.
    <li>Added SpacemiT K1 support to <a href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a>.
    </ul>
  <li>Other <a href="plat.html">architectures</a>:
    <ul>
    <li>Fixed various errors on big-endian systems in <a href="https://man.openbsd.org/ice.4">ice(4)</a> to make it work on sparc64.
    <li>Changed <a href="powerpc64.html">powerpc64</a> memory barriers to "sync".
    <li>Reworked and improved TLB shootdown on <a href="alpha.html">alpha</a>.
    <li>Hoisted mips64 CPU accounting to get multiple softnet threads on MP systems.
    <li>Made sure to initialize all FPU registers on sparc64 to all 1 (or -NaN), and not only the lower 32 registers.
    <li>Fixed parking mutex on sun4u sparc64 cpus.
    </ul>

  <li>More platform-specific changes can be found in the <a href="#hardware_support">hardware support</a> section below.
  </ul>

<li>Various kernel improvements:
  <ul>
  <li>Introduced a mechanism to manage CPU cores with different speeds
	in the scheduler. The <a
	href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> variable
	"hw.blockcpu" takes a sequence of 4 letters: S (for SMT), P (regular
	performance CPU), E (efficient CPU, generally 80% to 50% as fast), and
	L (lethargic CPU), which is even slower. Set this to select CPUs to
	kick out of the scheduler (SL by default). Currently works on amd64 and arm64.
  <li>Replaced the cas spinlock in kernel mutexes with a "parking" lock.
  <li>Stopped forcing the page daemon to sleep when there are outstanding paging requests.
  <li>Implemented a <a href="https://man.openbsd.org/ddb.4">ddb(4)</a> stop command that sends a SIGSTOP to the specified pid.
  <li>Made <a href="https://man.openbsd.org/ddb.4">ddb(4)</a> output visible when entering ddb from X on amdgpu.
  <li>Added infrastructure to allow future support of up to 52 partitions per disk.
  <li>Made changes to avoid memory allocation from within the swapencrypt path of the
	pagedaemon by pre-allocating 32 swapclusters up-front.
  <li>Changed the strategy by which the pagedaemon creates free memory
	by overshooting the creation of inactive and free pages, in order to
	defragment memory.
  <li>Refuse to load a binary without a PT_LOAD exec segment.
  </ul>

<li>Suspend/Hibernate Support:
  <ul>
  <li>Implemented delayed hibernation:<br>
	In order to prevent running out of battery while suspended, this
	feature wakes up a suspended system after a configurable time to then
	immediately perform a hibernation. The <code>machdep.hibernatedelay</code> <a
	href="https://man.openbsd.org/sysctl.2">sysctl(2)</a> is used to
	configure the number of seconds after which the system will wake up
	from suspend and hibernate itself.
  </ul>

<li id="SMP_Improvements">SMP Improvements:
  <ul>
  <li>Unlocked <a href="https://man.openbsd.org/sosplice.9">socket splicing</a>.
  <li>Unlocked icmp6_sysctl().
  <li>Unlocked the IGMP slow timeout.
  <li>Enabled parallel fault handling on amd64 and arm64.
  <li>Made <a href="https://man.openbsd.org/bse.4">bse(4)</a> interrupts mp-safe.
  <li>Protected the IGMP and MLD6 fast timers with an rwlock.
  </ul>

<li>Direct Rendering Manager and graphics drivers:
  <ul>
  <li>Updated <a href="https://man.openbsd.org/drm.4">drm(4)</a> to
	Linux 6.18.22.
  </ul>

<li>VMM/VMD and virtualization improvements:
  <ul>
  <li>Adopted PCI-based semantics for reading unsupported or invalid registers by returning all 1's. Newer Linux kernels have started using 128-bit feature spaces.
  <li>Added <a href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> machdep.vmmode to indicate status as a host or guest (and SEV mode).
  <li>Added vmboot, a tiny kernel that allows <a href="https://man.openbsd.org/sysupgrade.8">sysupgrade(8)</a> to work for <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> VMs.
  <li>Allowed <a href="https://man.openbsd.org/cd.4">cd(4)</a>/<a
	href="https://man.openbsd.org/vioscsi.4">vioscsi(4)</a> on a VM
	to use confidential computing methods, e.g. AMD SEV.
  <li>Fixed a segfault in <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> during vmmci timeout firing.
  <li>Enabled 32-bit direct kernel launch for both amd64 and i386 in vmd(8).
  <li>Fixed a race in <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> vm pause barrier usage.
  <li>Fixed a race in vmm(4) vm termination path.
  <li>Added emulation of AMD SysCfg MSR in vmm(4).
  <li>Made OpenBSD work on Apple Virtualization.
  <li>Only expose <a href="https://man.openbsd.org/pvclock.4">pvclock(4)</a> in <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> if tsc frequency is known.
  <li>Reduced <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> lowmem area in the memory map to help Linux guest reboot issues.
  <li>Prevented <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> pause deadlock when vcpu doesn't halt.
  <li>Fixed timer emulation-related OpenBSD-i386 VM hangs when using the i8254 hardware timecounter with <a href="https://man.openbsd.org/vmm.4">vmm(4)</a>.
  <li>Made <a href="https://man.openbsd.org/vio.4">vio(4)</a> recover from missed RX interrupts.
  <li>Fixed <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> vionet reset race leading to broken networking.
  </ul>

<li>Various new userland features:
  <ul>
  <li>Dynamically determine the possible partition names to show in the
	<a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> editor
	a(dd) command help message.
  <li>Allow the <a
	href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> 'd'elete
	editor command to zero out FS_UNUSED partitions despite current value
	of d_npartitions.
  <li>Added display of the close-on-fork flag as 'f' in R/W column to <a href="https://man.openbsd.org/fstat.1">fstat(1)</a>.
  <li>Added support for the XDG_RUNTIME_DIR environment variable in <a href="https://man.openbsd.org/login.1">login(1)</a> and <a href="https://man.openbsd.org/xenodm.1">xenodm(1)</a> via <a href="https://man.openbsd.org/login_cap.3">login_cap(3)</a>. Set it by default, pointing to <tt>/tmp/run/user/${uid}</tt> which gets created if needed.
  </ul>

<li>More bugfixes and tweaks in userland:
  <ul>
  <li>Made <a href="https://man.openbsd.org/sio_open.3">libsndio</a>
	restart the audio(4) device upon underrun.
  <li>Enable fall-back audio devices by default in <a href="https://man.openbsd.org/sndiod.8">sndiod(8)</a>.
  <li>Simplified the Unix socket binding code in <a href="https://man.openbsd.org/sndiod.8">sndiod(8)</a>.
  <li>Simplified cookie handling in <a href="https://man.openbsd.org/sio_open.3">libsndio</a>.
  <li>Enabled recording and monitoring at the same time in <a href="https://man.openbsd.org/sndiod.8">sndiod(8)</a>.

  <li>In the <a href="https://man.openbsd.org/clang.1">LLVM compiler</a>, fixed x86 frame lowering for -msave-args.
  <li>Made <a href="https://man.openbsd.org/pthread_set_name_np.3">pthread_set_name_np(3)</a> succeed with long thread names instead of silently failing.
  <li>Handle calls to libc's <a href="https://man.openbsd.org/freeaddrinfo.3">freeaddrinfo(3)</a> function with a NULL argument, instead of crashing, and improve the manpage.
  <li>Made <a href="https://man.openbsd.org/pcidump.8">pcidump(8)</a> print PCI bridge windows when they are "open".
  <li>Fixed an <a href="https://man.openbsd.org/editline.3">editline(3)</a> bug that truncates completion candidates when the input wraps to a new line.
  <li>Added <a href="https://man.openbsd.org/file.1">file(1)</a> support for PSF2 fonts detection.
  <li>Added <a href="https://man.openbsd.org/file.1">file(1)</a> support for Web Open Font Format (WOFF) detection.
  <li>Fixed <a href="https://man.openbsd.org/mg.1">mg(1)</a> replace-regexp issues.
  <li>Improved handling of <a href="https://man.openbsd.org/strdup.3">strdup(3)</a> failures in <a href="https://man.openbsd.org/mg.1">mg(1)</a>.
  <li>Improved the "No changes need to be saved" check in <a href="https://man.openbsd.org/mg.1">mg(1)</a>.
  <li>Dropped the initialization of <a href="https://man.openbsd.org/ncurses.3">curses</a> when <a href="https://man.openbsd.org/ksh.1">ksh(1)</a> is
	not started interactively. This avoids opening and parsing of the <a
	href="https://man.openbsd.org/terminfo.3">terminfo(3)</a> file.
  <li>Added <a href="https://man.openbsd.org/echo.1">echo(1)</a> <code>-e</code> to
	process escape sequences and support for multiple groups of dash args
	like ksh's echo.
  <li>Increased the length of arguments that can be given to <a
	href="https://man.openbsd.org/pkill.1">pkill(1)</a>. This allows
	matching of commands with longer command line arguments.
  <li>Made the <code>-0</code> option override <code>-E</code> in <a
	href="https://man.openbsd.org/xargs.1">xargs(1)</a>.
  <li>Set <code>metaSendsEscape</code> by default in <a
	href="https://man.openbsd.org/xterm.1">xterm(1)</a>.
  <li>Fixed leap year detection in <a href="https://man.openbsd.org/newsyslog.8">newsyslog(8)</a>.
  <li>Fixed <a href="https://man.openbsd.org/less.1">less(1)</a> crash on reading an invalid tags file.
  <li>Fixed a memory leak on <a href="https://man.openbsd.org/sensorsd.8">sensorsd(8)</a> configuration reload.
  </ul>

<li id="hardware_support">Improved hardware support and driver bugfixes, including:
  <ul>
  <li>Tweaked PCI device power management such that drivers can change their own power state. Let <a
	href="https://man.openbsd.org/xhci.4">xhci(4)</a> power itself down
	such that its companion USB4 controller can go to sleep in its DVACT_POWERDOWN implementation.
  <li>Added <a href="https://man.openbsd.org/nhi.4">nhi(4)</a>, a driver for USB4 controllers.
  <li>Added an <a href="https://man.openbsd.org/audio.9">audio(9)</a> driver interface to expose the hardware's display name.
  <li>Changed <a href="https://man.openbsd.org/envy.4">envy(4)</a> and <a  href="https://man.openbsd.org/uaudio.4">uaudio(4)</a> devices to return the product name as the display name.
  <li>Handle <a href="https://man.openbsd.org/uaudio.4">uaudio(4)</a> devices with a single clock exposed in multiple domains.
  <li>Fixed unintended truncation of <a href="https://man.openbsd.org/uaudio.4">uaudio(4)</a> device names when printing them in libsndio applications.

  <li>Improved <a href="https://man.openbsd.org/acpi.4">acpi(4)</a> handling of PCI bridges.
  <li>Implemented "StorageD3Enable" support in <a href="https://man.openbsd.org/acpi.4">acpi(4)</a>.
  <li>Stopped <a href="https://man.openbsd.org/acpi.4">acpi(4)</a> from calling the PCI function when an AML node has neither _ADR nor _HID, avoiding a panic on the ThinkPad X40.

  <li>Added <a href="https://man.openbsd.org/iasuskbd.4">iasuskbd(4)</a> support for special keys on the ASUS I2C laptop keyboards.
  <li>Added <a href="https://man.openbsd.org/sgmsi.4">sgmsi(4)</a>, a driver for the MSI controller implementation on Sophgo SG2042 SoCs.
  <li>Added <a href="https://man.openbsd.org/cdpcie.4">cdpcie(4)</a>, a driver for the Cadence PCIe controller, supporting the variant found on the Sophgo SG2042 SoC.
  <li>Added <a href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a> Qualcomm SC7280 support.
  <li>Added <a href="https://man.openbsd.org/qcuart.4">qcuart(4)</a>, a driver for Qualcomm GENI UART serial consoles.
  <li>Added <a href="https://man.openbsd.org/smtgpio.4">smtgpio(4)</a>, a driver for the GPIO controller found on SpacemiT K1 SoCs.

  <li>Added <a href="https://man.openbsd.org/rkusbdpphy.4">rkusbdpphy(4)</a>, a driver for the USB DP Combo PHY on Rockchip SoCs.
  <li>Added support for blocking reads to <a href="https://man.openbsd.org/fuse.4">fuse(4)</a>.
  <li>Added basic implementation of the low-level FUSE API sufficient to compile and run lowntfs-3g.
  <li>Allowed <a href="https://man.openbsd.org/uhidev.4">uhidev(4)</a> to attach to and work with devices that don't have an input interrupt endpoint.
  <li>Added the <a href="https://man.openbsd.org/ispi.4">ispi(4)</a> driver for Intel LPSS SPI controller.
  <li>Added an Apple variant to the "de" keyboard encoding for <a href="https://man.openbsd.org/wskbd.4">wskbd(4)</a>.
  <li>Added <a href="https://man.openbsd.org/acpihid.4">acpihid(4)</a>, a driver for the Generic Buttons Device defined by the ACPI specification.
  <li>Made <a href="https://man.openbsd.org/viogpu.4">viogpu(4)</a> viogpu_wsmmap() return a physical address via <a href="https://man.openbsd.org/bus_dmamem_mmap.9">bus_dmamem_mmap(9)</a>.
  <li>Added support for "Apple Inc. Virtual USB Digitizer", to expose the touchpad on Apple Virtualization.
  <li>Added support for the PSP found on the AMD EPYC 9005 to <a href="https://man.openbsd.org/psp.4">psp(4)</a>.
  <li>Added support for the AlphaSmart Dana to <a href="https://man.openbsd.org/uvisor.4">uvisor(4)</a> as a PALM4 device.
  <li>Added support for more line speeds to <a href="https://man.openbsd.org/uplcom.4">uplcom(4)</a>.
  <li>Added support for the RK3528 SoC to the <a href="https://man.openbsd.org/dwmshc.4">dwmshc(4)</a> eMMC controller driver.
  <li>In <a href="https://man.openbsd.org/wscons.4">wscons(4)</a> disallowed loading if mapchar emulops require a question mark character that is missing.
  </ul>

<li>New or improved network hardware support:
  <ul>
  <li>Fixed memory leaks in <a href="https://man.openbsd.org/bnxt.4">bnxt(4)</a>.
  <li>In <a href="https://man.openbsd.org/umb.4">umb(4)</a>, made uplink and downlink speeds visible through <a href="https://man.openbsd.org/kstat.4">kstat(4)</a>.
  <li>Added support for Quectel EC200A LTE modems to <a href="https://man.openbsd.org/umsm.4">umsm(4)</a>.
  <li>Added <a href="https://man.openbsd.org/rge.4">rge(4)</a> support for RTL8126 chip revision 0x64a00000.
  <li>Turned on SoftLRO by default on <a href="https://man.openbsd.org/bnxt.4">bnxt(4)</a> and <a href="https://man.openbsd.org/ice.4">ice(4)</a>.
  <li>Fixed the <a href="https://man.openbsd.org/ice.4">ice(4)</a> "too many data commands" error on TSO packets.
  <li>Increased the <a href="https://man.openbsd.org/urndis.4">urndis(4)</a> buffer size to 16k.
  <li>Fixed an issue where <a
        href="https://man.openbsd.org/dwqe.4">dwqe(4)</a>, e.g. on a <a
        href="https://man.openbsd.org/veb.4">veb(4)</a>, doesn't recover when the link is down but packets are bridged.
  <li>Made the output of <a href="https://man.openbsd.org/bse.4">bse(4)</a> mp-safe.
  <li>Enabled 64-bit DMA transfers on <a
	href="https://man.openbsd.org/aq.4">aq(4)</a>, <a
	href="https://man.openbsd.org/em.4">em(4)</a>, <a
	href="https://man.openbsd.org/rge.4">rge(4)</a>, <a
	href="https://man.openbsd.org/re.4">re(4)</a>, <a
	href="https://man.openbsd.org/iavf.4">iavf(4)</a>, <a
	href="https://man.openbsd.org/ix.4">ix(4)</a>, <a
	href="https://man.openbsd.org/ixv.4">ixv(4)</a>, <a
	href="https://man.openbsd.org/ixl.4">ixl(4)</a>, <a
	href="https://man.openbsd.org/igc.4">igc(4)</a>, <a
	href="https://man.openbsd.org/ice.4">ice(4)</a> and <a
	href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
  <li>Added support for BCM575xx devices (also known as Thor or P5) to
	<a href="https://man.openbsd.org/bnxt.4">bnxt(4)</a>.
  <li>Added <a href="https://man.openbsd.org/smte.4">smte(4)</a>, a
	driver for the ethernet interfaces of the SpacemiT K1 SoC.
  </ul>

<li>IEEE 802.11 wireless stack improvements and bugfixes:
  <ul>
  <li>Fixed association to access points which have all 802.11b rates disabled.
  <li>Updated <a
	href="https://man.openbsd.org/ieee80211_classify.9">ieee80211_classify()</a>
	to RFC8325 to prioritize interactive SSH sessions correctly, and
	rate-limit high-prio QoS packets.
  <li>Initialized TIDs 4-7 to improve QoS behaviour during Tx aggregation.
  <li>Added basic 802.11ax support.
  <li>Added support for a 160 MHz window at 5 GHz and enabled it on <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
  </ul>

<li>Added or improved wireless network drivers:
  <ul>
  <li>Improved chances of <a href="https://man.openbsd.org/qwx.4">qwx(4)</a> receiving the initial WPA handshake message.
  <li>Reinitialized the <a href="https://man.openbsd.org/qwx.4">qwx(4)</a> HAL state when resuming from suspend.
  <li>Enabled <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> on i386.
  <li>Added PMF (Protected Management Frames) support to <a
	href="https://man.openbsd.org/iwm.4">iwm(4)</a>, <a
	href="https://man.openbsd.org/iwx.4">iwx(4)</a>, and <a
	href="https://man.openbsd.org/qwx.4">qwx(4)</a>, and added support for
	802.11 AKM SHA256-PSK to <a
	href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> and enabled
	it by default if the driver supports PMF.
  <li>Fixed <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> issues related to roaming and PMF and firmware crypto keys.
  <li>Set the assoc ID field in <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> firmware commands correctly.
  <li>Added support for BZ devices with WiFi 6e radio to <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
  <li>Made iwx(4) not load incomplete firmware images and report a proper error instead.
  <li>Fixed <a href="https://man.openbsd.org/iwn.4">iwn(4)</a> setting of DMA base addresses of Tx rings 17 and beyond.
  <li>Added powersave support to <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> and enabled it by default.
  <li>Added support for 160 MHz channel width to <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
  <li>Increased the VHT frame aggregation size limit from 64k to 1024k on <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>.
  <li>Aligned <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> antenna patterns and STBC with iwlwifi.
  </ul>

<li>Installer, upgrade, bootloader, and pkg-tools improvements:
  <ul>
<!-- installboot -->
  <li>Allow <a href="https://man.openbsd.org/installboot.8">installboot(8)</a> to finish, even if <a href="https://man.openbsd.org/efi.4">efi(4)</a> can't be accessed.
<!-- sysupgrade -->
  <li>Made sysupgrade fail if <code>df /usr</code> says the filesystem is over 90% full, rather than potentially completely breaking the system.
<!-- fw_update -->
  <li>Scan both dmesg.boot and <a href="https://man.openbsd.org/dmesg.8">dmesg(8)</a> output for devices with <a href="https://man.openbsd.org/fw_update.8">fw_update(8)</a>.
<!-- installer proper -->
  <li>On amd64, added support for loading files (kernels) from the EFI system
	partition. This means one can put the OpenBSD boot loader and bsd.rd
	on the EFI boot partition and run the installer that way. This already works on arm64.
  <li>Improved <a href="https://man.openbsd.org/bioctl.8">keydisk partition</a> detection in the installer.
  <li>Added <a href="https://man.openbsd.org/aggr.4">aggr(4)</a> support to arm64 RAMDISK and i386/amd64 RAMDISK_CD.
  <li>Increased the auto-allocated partition size of <code>/usr/obj</code> in <a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>.
  <li>Floppy install users on i386/amd64 may find <a
	href="https://man.openbsd.org/fw_update.8">fw_update(8)</a> for some
	drivers will not work because pci strings in the kernel have become
	too large.
<!-- updates/sysmerge -->
<!-- pkg_ -->
  </ul>

<li>Security improvements:
  <ul>
  <li>Stop allowing root to bypass the effects of <a
        href="https://man.openbsd.org/bpf.4">bpf(4)</a> BIOCLOCK.
        BIOCLOCK is intended to remove the ability to reconfigure
        a BPF descriptor, but root processes were not subject to
        this revocation of privileges. No software relied on root
        being able to reconfigure a BPF descriptor, so this exemption
        has been removed.
  <li>Retired the <a
	href="https://man.openbsd.org/pledge.2">pledge(2)</a> 'tmppath'
	promise. The use of <code><a
	href="https://man.openbsd.org/unveil.2">unveil</a> /tmp rwc</code>,
	<code>unveil / r</code> or similar together with <code>pledge "rpath wpath cpath"</code>
	replaces all use cases of 'tmppath' in a safer way.
  <li>Introduced the <a
	href="https://man.openbsd.org/__pledge_open.2">__pledge_open(2)</a>
	system call, allowing libc to open a small set of tightly controlled
	internal files even when pledge(2) and unveil(2) would otherwise
	disallow direct access. File descriptors obtained this way are
	restricted to read-only use and cannot be used with write(2),
	chmod(2), chflags(2), chown(2), ftruncate(2), or fdpassing. This lets
	libc handle required devices, pledge-dependent files, and zoneinfo
	data without preserving the old pledge_namei() shortcut that allowed
	non-libc code to open the same special files.
  <li>In pledged processes, made <code>/etc/localtime</code> and
	<code>/usr/share/zoneinfo</code> scans much stricter.
  <li>In <a href="https://man.openbsd.org/dig.1">dig(1)</a>, fixed
	pledge/unveil issues relating to manual opening of <code>/etc/resolv.conf</code>.
  <li>Fixed <a href="https://man.openbsd.org/unveil.2">unveil(2)</a> to
	handle a filesystem that is mounted on a mount point that is itself
	the root of another filesystem.
  <li>Start <a href="https://man.openbsd.org/fork.2">fork(2)</a>'ed children without a <a href="https://man.openbsd.org/getpgrp.2">pgrp</a> set (i.e. NULL) and update the
	pgrp pointer late to fix a potential race.
  <li>Do not expose p_addr kernel address through <a href="https://man.openbsd.org/sysctl.2">sysctl(2)</a> unless root.
  <li>For sysctl({CTL_KERN, KERN_TTY, KERN_TTY_INFO}), only export the
	t_session kernel address pointer if the caller is root.
  </ul>
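<p>
The 'tmppath' replacement described above, shown as an added example (not code from OpenBSD or from this page). The helper names <code>sandbox_for_tmp</code>, <code>scratch_roundtrip</code> and <code>outside_tmp_refused</code> are hypothetical, and <code>stdio</code> is added to the promises because the example performs basic I/O.

```c
/* Added example: moving a program off the retired pledge "tmppath" promise. */
#if !defined(__OpenBSD__) && !defined(_POSIX_C_SOURCE)
#define _POSIX_C_SOURCE 200809L	/* for mkstemp() on non-OpenBSD libcs */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Stand-ins so the file builds off OpenBSD; they enforce nothing. */
static int unveil(const char *path, const char *perms)
{ (void)path; (void)perms; return 0; }
static int pledge(const char *promises, const char *execpromises)
{ (void)promises; (void)execpromises; return 0; }
#endif

/*
 * Hypothetical helper: expose only /tmp (read, write, create), lock the
 * unveil list, then pledge. Returns 0 on success, -1 with errno set.
 */
int
sandbox_for_tmp(void)
{
	if (unveil("/tmp", "rwc") == -1)
		return -1;
	if (unveil(NULL, NULL) == -1)	/* no further unveil(2) calls */
		return -1;
	if (pledge("stdio rpath wpath cpath", NULL) == -1)
		return -1;
	return 0;
}

/*
 * Hypothetical helper: create a scratch file in /tmp, write msg, read it
 * back and remove it. Returns the number of bytes verified, or -1.
 */
ssize_t
scratch_roundtrip(const char *msg)
{
	char path[] = "/tmp/example.XXXXXXXXXX";
	char buf[256];
	size_t len = strlen(msg);
	ssize_t n = -1;
	int fd;

	if (len > sizeof(buf))
		return -1;
	if ((fd = mkstemp(path)) == -1)		/* O_CREAT|O_EXCL, mode 0600 */
		return -1;
	if (write(fd, msg, len) == (ssize_t)len &&
	    lseek(fd, 0, SEEK_SET) == 0 &&
	    read(fd, buf, len) == (ssize_t)len &&
	    memcmp(buf, msg, len) == 0)
		n = (ssize_t)len;
	close(fd);
	unlink(path);				/* removing the file needs cpath */
	return n;
}

/* Returns 1 if opening a path outside /tmp is refused, 0 if it opened. */
int
outside_tmp_refused(void)
{
	int fd = open("/etc/passwd", O_RDONLY);

	if (fd == -1)
		return 1;
	close(fd);
	return 0;
}

int
main(void)
{
	if (sandbox_for_tmp() == -1) {
		perror("sandbox_for_tmp");
		return 1;
	}
	printf("scratch file round trip: %zd bytes\n",
	    scratch_roundtrip("constructed sample data"));
	/* On OpenBSD the open fails with ENOENT: the path was never unveiled. */
	printf("open outside /tmp refused: %d\n", outside_tmp_refused());
	return 0;
}
```
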

<li>New features in the network stack:
  <ul>
  <li>Made the Virtual Ethernet Bridge <a
	href="https://man.openbsd.org/veb.4">veb(4)</a> a VLAN-aware
	bridge.<br> Ports in veb(4) now have a PVID (port VLAN identifier)
	used to determine which VLAN untagged packets get associated with, and
	a bitmap of allowed VIDs (VLAN IDs) that say what VLANs tagged traffic
	can interact with. Ports can be configured as "access" ports by only
	configuring a pvid but with no entries in the vid map, or as a "trunk"
	by disabling the pvid and adding entries to the vid map, or a "hybrid"
	port by configuring both a pvid and entries in the vid map. To
	maintain compatibility with existing (simple) setups, veb defaults to
	using pvid 1 on ports added to the bridge.
  <li>Added a LOCKED flag to <a
	href="https://man.openbsd.org/veb.4">veb(4)</a> ports that are added
	to a <a href="https://man.openbsd.org/bridge.4">bridge(4)</a>. This
	makes sure that the source MAC address of frames received by these
	ports has an entry in the fib/address cache pointing at the same
	interface.
  <li>In <a href="https://man.openbsd.org/pflow.4">IPFIX/Netflow
	v10</a>, added a NAT template with post-NAT source and destination IP
	address and ports, allowing use of pflow to track internal to external
	translations.
  <li>Enabled IPv6 autoconf (SLAAC) by default.
  </ul>
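<p>
The port types and the LOCKED check described above, as a simplified model written from those two descriptions (an added example, not veb(4)'s code). All names are hypothetical. Using 0 to mean "pvid disabled" and keying the address cache by MAC address only are assumptions of the model.

```c
/* Added example: a simplified model of veb(4) port ingress checks. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VID_MAX    4094		/* valid 802.1Q VLAN IDs are 1..4094 */
#define PVID_NONE  0		/* model's marker for "pvid disabled" */
#define VLAN_DROP  (-1)
#define FIB_SIZE   8

struct port {
	uint16_t pvid;				/* VLAN for untagged frames */
	uint8_t  vidmap[VID_MAX / 8 + 1];	/* VIDs allowed for tagged frames */
	bool     locked;			/* LOCKED flag */
};

struct frame {
	uint8_t  src[6];
	bool     tagged;
	uint16_t vid;				/* meaningful only if tagged */
};

struct fib_entry { uint8_t mac[6]; const struct port *port; };
static struct fib_entry fib[FIB_SIZE];		/* address cache (model) */
static int fib_len;

void port_init(struct port *p)
{
	memset(p, 0, sizeof(*p));
	p->pvid = 1;		/* default pvid stated in the release notes */
}

void port_allow_vid(struct port *p, uint16_t vid)
{
	if (vid >= 1 && vid <= VID_MAX)
		p->vidmap[vid / 8] |= (uint8_t)(1u << (vid % 8));
}

static bool vid_allowed(const struct port *p, uint16_t vid)
{
	if (vid < 1 || vid > VID_MAX)	/* model choice: reject out of range */
		return false;
	return (p->vidmap[vid / 8] >> (vid % 8)) & 1;
}

int fib_learn(const uint8_t mac[6], const struct port *p)
{
	if (fib_len == FIB_SIZE)
		return -1;
	memcpy(fib[fib_len].mac, mac, 6);
	fib[fib_len++].port = p;
	return 0;
}

static const struct port *fib_lookup(const uint8_t mac[6])
{
	for (int i = 0; i < fib_len; i++)
		if (memcmp(fib[i].mac, mac, 6) == 0)
			return fib[i].port;
	return NULL;
}

/* Constructed sample frame with source MAC 02:00:00:00:00:<last>. */
struct frame mkframe(uint8_t last, bool tagged, uint16_t vid)
{
	struct frame f = { {0x02, 0, 0, 0, 0, last}, tagged, vid };
	return f;
}

/* Returns the VLAN the frame is placed in, or VLAN_DROP. */
int port_ingress(const struct port *p, const struct frame *f)
{
	/* LOCKED: the source MAC must already map to this same port. */
	if (p->locked && fib_lookup(f->src) != p)
		return VLAN_DROP;
	if (!f->tagged)		/* untagged frames follow the pvid */
		return p->pvid != PVID_NONE ? p->pvid : VLAN_DROP;
	return vid_allowed(p, f->vid) ? f->vid : VLAN_DROP;
}

int main(void)
{
	struct port access, trunk;
	struct frame untagged = mkframe(0x01, false, 0);
	struct frame tag20 = mkframe(0x01, true, 20);

	port_init(&access);		/* access: pvid 1, empty vid map */
	port_init(&trunk);		/* trunk: pvid disabled, VID 20 allowed */
	trunk.pvid = PVID_NONE;
	port_allow_vid(&trunk, 20);

	printf("access untagged -> %d\n", port_ingress(&access, &untagged));
	printf("access tag 20   -> %d\n", port_ingress(&access, &tag20));
	printf("trunk  untagged -> %d\n", port_ingress(&trunk, &untagged));
	printf("trunk  tag 20   -> %d\n", port_ingress(&trunk, &tag20));
	return 0;
}
```
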

  <li>Further changes and bugfixes in the network stack:
  <ul>
  <li>Implemented "checksum offload" between <a
	href="https://man.openbsd.org/rport.4">rport(4)</a> pairs. This allows
	the kernel to skip ip/tcp/udp checksum calculation for packets between
	rdomains.
  <li>Implemented IFCAP_TSO in <a
	href="https://man.openbsd.org/rport.4">rport(4)</a>. This allows
	the stack to pass large tcp frames between rdomains.
  <li>In <a href="https://man.openbsd.org/rport.4">rport(4)</a>, made changes to use
	multiple txqs to spread traffic handling over softnet threads.
  <li>Fixed a panic when autodial (link1) on <a
	href="https://man.openbsd.org/pppoe.4">pppoe(4)</a> tries to run.
  <li>Allowed <a href="https://man.openbsd.org/bpf.4">bpf(4)</a> in
	tun_dev_read to see VLAN tags when IFCAP_VLAN_HWTAGGING is enabled.
  <li>Added XOR and MOD operations to <a
	href="https://man.openbsd.org/bpf.4">bpf(4)</a>.
  <li>Made <a href="https://man.openbsd.org/tpmr.4">tpmr(4)</a> work
	with ether_offload_ifcap like <a
	href="https://man.openbsd.org/veb.4">veb(4)</a> and <a
	href="https://man.openbsd.org/bridge.4">bridge(4)</a>.
  <li>Added Private VLAN support to veb(4) as per RFC 5517.
  <li>Allowed VLAN tags (and therefore VLAN interfaces) on top of vports.
  <li>Made use of per-CPU refs in the input path instead of doing one refcnt per port
	to improve performance on <a
        href="https://man.openbsd.org/tpmr.4">tpmr(4)</a>, <a
        href="https://man.openbsd.org/veb.4">veb(4)</a> and <a
        href="https://man.openbsd.org/aggr.4">aggr(4)</a>.
  <li>Removed lacp support from <a
	href="https://man.openbsd.org/trunk.4">trunk(4)</a>, now better
	supported by <a href="https://man.openbsd.org/aggr.4">aggr(4)</a>.
  <li>Introduced a global interface queue limit.
	Limit all multiqueue network interfaces to common IF_MAX_VECTORS.
	Currently it is set to 8.  One global limit helps to find an optimal
	value, stops wasting interrupt vectors, and clarifies what the
	actual hardware or driver limitations are.
  <li>Updated codel implementation to comply with RFCs 8289 and 8290.
  <li>Improved <a href="https://man.openbsd.org/vio.4">vio(4)</a> feature negotiation for Large Receive Offload/TCP Segmentation Offload.
  <li>Prevented false ELOOP error in socket splicing with <a href="https://man.openbsd.org/setsockopt.2">SO_SPLICE</a>.
  <li>Made the network stack ignore TCP SACK packets with invalid sequence numbers to prevent potential kernel crash.
  </ul>

<li>The following changes were made to the <a
	href="https://man.openbsd.org/pf.4">pf(4)</a> firewall:
  <ul>
  <li>Introduced source and state limiters in <a href="https://man.openbsd.org/pf.4">pf(4)</a>. See the <em>Source Limiters</em> section in <a href="https://man.openbsd.org/pf.conf.5">pf.conf(5)</a>.
  <li>Extended <a href="https://man.openbsd.org/pf.4">pf(4)</a> limiters so an administrator can specify the action the rule executes when the limit is reached.
  <li>In <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a>, changed default limiter action from no-match to block.
  <li>Have <a href="https://man.openbsd.org/pf.4">pf(4)</a> state and source limiter state cleanup assert on the right lock.
  <li>Fixed <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a> with
	<code>-nvf ...</code> option to provide output which matches pfctl
	grammar for rules that use source/state limiters.
  <li>Print both nat-to and rdr-to in <code><a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a> show rules</code>.
  </ul>

<li>Routing daemons, network services and other userland network programs saw the following improvements:
  <ul>
  <li>Do not log an error when <a
	href="https://man.openbsd.org/dhcp6leased.8">dhcp6leased(8)</a> cannot
	add a route because it already exists.
  <li>In <a
	href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a>, do not
	pass pointers over process privilege boundaries via imsg, only data.
  <li>Do not log an error when <a
	href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> cannot
	add a route because it already exists.
  <li>Fixed a buffer overflow reachable via rogue router advertisements in <a
        href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>.
  <li>Prevented potential <a
	href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> crash if an
	attacker on the same layer 2 network sends rogue router
	advertisements.
  <li>Changed <a href="https://man.openbsd.org/ospf6d.8">ospf6d(8)</a>
	rc.d script to disallow reload, since ospf6d does not support it.
  <li>Fixed <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a> dying
	if a malformed imsg is sent on the local socket.
  <li>Improved the logging of filter processing in <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>.
  <li>Changed the default "tagged" operation for <a
	href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> to add VLAN
	IDs rather than replace them.
  <li>Allowed the <a
	href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> and <a
	href="https://man.openbsd.org/brconfig.8">brconfig(8)</a> "tagged"
	operation to accept multiple VIDs and/or ranges of VIDs.
  <li>Added support for non-default config file paths to <a
	href="https://man.openbsd.org/unbound.8">unbound(8)</a> rc.d script.
  <li>In <a href="https://man.openbsd.org/unwind.8">unwind(8)</a>,
	allow one to configure forced resolvers outside of preference blocks.
  <li>Added a "no banner" option to suppress the Server header in <a
	href="https://man.openbsd.org/httpd.8">httpd(8)</a>.
  <li>Restored <a href="https://man.openbsd.org/httpd.8">httpd(8)</a> server_http_time() use of GMT.
  <li>Made <a href="https://man.openbsd.org/httpd.8">httpd(8)</a>
	error out on presence of Content-Length and Transfer-Encoding headers
	for GET, HEAD and other methods that should have no body.
  <li>Made relayd(8) and httpd(8) use the same internal log functions as bgpd(8) (and several other daemons).
  <li>Restored <a href="https://man.openbsd.org/relayd.8">relayd(8)</a> relay_http_time() use of GMT.
  <li>Added <a href="https://man.openbsd.org/relayd.8">relayd(8)</a> support for PROXY protocol in TCP relays.
  <li>Set a User-Agent in HTTP health checks sent by <a href="https://man.openbsd.org/relayd.8">relayd(8)</a>.
  <li>Fixed a race condition in <a href="https://man.openbsd.org/relayd.8">relayd(8)</a> that could cause a crash during configuration reload.
  <li>Made <a href="https://man.openbsd.org/relayd.8">relayd(8)</a> support TLS with multiple listeners.
  <li>Fixed <a href="https://man.openbsd.org/ftp.1">ftp(1)</a> http_time() to use GMT, not UTC, per RFC 9110.
  <li>Report success in <a href="https://man.openbsd.org/ftp.1">ftp(1)</a> when a file is fully retrieved.
  <li>Made <a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> show the 802.11 QoS TID with -v.
  <li>Added printing of NetBIOS and DNS servers in IPCP to <a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a>.
  <li>Extended <a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> for printing of DHCPv6 information.
  <li>Made sure that internal counters do not go out of bounds if the
	<code>-n</code> or <code>-A</code> <a
	href="https://man.openbsd.org/traceroute.8">traceroute(8)</a> options
	are specified more than once.
  <li>Raised <a href="https://man.openbsd.org/rad.8">rad(8)</a>
	lifetimes for the router, DNS and NAT64 to 60 minutes and lowered the
	prefix valid lifetime to 60 minutes. It does not make sense for one piece of
	information to time out before another when these are transmitted in one router
	advertisement packet.
  <li>Fixed a hang in <a href="https://man.openbsd.org/rad.8">rad(8)</a>
	and <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> when they
	receive an RA from the local network with an ND option of length zero.

  </ul>

  <li><a href="https://man.openbsd.org/acme-client.1">acme-client(1)</a> saw several changes:
  <ul>
  <li>Made <a href="https://man.openbsd.org/acme-client.1">acme-client(1)</a> only display port numbers in Host headers when the port is not 443.
  <li>Added support for IP Address certificates in <a href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>.
  <li>Made changes to use ASN1_STRING_* accessor functions instead of reaching into ASN1_STRING objects directly.
  </ul>

  <li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>:
  <ul>
  <li>Rewrote the Adj-RIB-Out handling to be more memory efficient and
	faster. For large IXP route server deployments a reduction in memory
	usage of more than 50% should be feasible.
   <li>Process UPDATE messages in two phases: first update Adj-RIB-In,
	Loc-RIB, and FIB, then process all the Adj-RIB-Out tables.  This
	significantly reduces the latency since updating all the Adj-RIB-Out
	tables could take a fair amount of time.
  <li>Introduced CH hash tables - a scalable hash map implementation
	that boosts performance through improved cache locality.
  <li>Introduce new metrics that track the amount of time spent in
	various parts of the main event loop of the route decision engine.
  <li>Fixed various non-critical things uncovered by the Coverity scanner.
  <li>Improved outbound filter performance by storing the rules in
      an array and deduplicating equal filters across peers.
      This and the filter_set change reduce the initial sync duration of
      large route servers by more than 25%.
  <li>Improved performance of filter_sets processing in the RDE process
      by moving to a linear array of set objects to reduce cache misses.
  <li>Added better logging for attribute parse errors which cause a
      session reset via UPDATE ATTRLIST error notification.
  <li>Introduced various additional memory metrics which are part
      of the 'show rib memory' command. Some values are also tracked
      per-neighbor and visible via 'show neighbor'.
  <li>Fixed logic error when handling per-peer and per-group MRT message
      dump configurations.
  </ul>

  <li>In <a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>:
  <ul>
  <li>The Canonical Cache Representation underwent a breaking change after the
  adoption of <a href="https://datatracker.ietf.org/doc/draft-ietf-sidrops-rpki-ccr/">draft-ietf-sidrops-rpki-ccr</a>
  as a SIDROPS working group item. Apart from several CMS-related cosmetics,
  it now uses an IANA-assigned content type. As a result, rpki-client 9.7
  cannot parse rpki-client 9.6's .ccr files and vice versa.
  <li>Support for Ghostbusters Record objects (RFC 6493) has been removed.
  Nobody showed interest in deploying this and there are other, widely
  supported ways of exchanging operational contact information such as
  RDAP. RFC 6493 is undergoing a status review to be marked as historic:
  <a href="https://datatracker.ietf.org/doc/status-change-rpki-ghostbusters-record-to-historic/">status-change-rpki-ghostbusters-record-to-historic</a>
  <li>Prepare the code base for the opaque ASN1_STRING structure in OpenSSL 4.
  <li>Fixed two reliability issues: one where a malicious RPKI Certification
  Authority can trigger a crash, one where a malicious Trust Anchor can
  provoke memory exhaustion. Thanks to Xie Yifan for reporting.
  <li>Various refactoring for improved compatibility with various libcrypto
  implementations and in CA/BGPsec certificate handling.
  <li>Fixed an accounting issue in HTTP gzip compression detection.
  <li>Added a warning in extra verbose mode (<code>-vv</code>) about standards
  non-compliant Issuer and Subject ASN.1 string encodings.
  <li>Added a check for canonical encoding of ASPA eContent in alignment
  with <em>draft-ietf-sidrops-aspa-profile-22</em>.
  <li>Ensure that a repository timeout correctly stops repository
  processing. Thanks to Fedor Vompe from Deutsche Telekom for reporting.
  <li>Fixed a defect in Canonical Cache Representation ROAIPAddressFamily
  sort order. As a result, rpki-client 9.8 cannot parse rpki-client
  9.7's .ccr files and vice versa. Thanks to Bart Bakker from RIPE NCC
  for reporting.
  <li>Fixed an issue in the parser for the locally configured constraints.
  Thanks to Daniel Anderson.
  <li>Fixed a NULL dereference that a malicious RRDP Publication Server
  could cause. Thanks to Daniel Anderson for reporting.
  <li>Fixed an incorrect error exit that a malicious RPKI Publication Server
  could cause. Thanks to Yuheng Zhang, Qi Wang, Jianjun Chen from Tsinghua
  University, and Teatime Lab for reporting.
  </ul>

<!-- (end) Routing daemons and other userland network improvements -->

<li><a href="https://man.openbsd.org/tmux.1">tmux(1)</a> improvements and bug fixes:
  <ul>
  <li>Fixed the logic of the no-detached case for detach-on-destroy option.
  <li>Support case-insensitive search in <a
	href="https://man.openbsd.org/tmux.1">tmux(1)</a> modes in the same
	way as copy mode (like emacs, so all-lowercase means case
	insensitive).
  <li>Added <code>-l</code> flag to <a
	href="https://man.openbsd.org/tmux.1">tmux(1)</a> command-prompt to
	disable splitting into multiple prompts.
  <li>Allowed <code>show-messages</code> to work without a client.
  <li>Added seconds to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> clock mode.
  <li>Made <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> clock mode seconds synchronized to the second.
  <li>Added support for synchronized output mode (DECSET 2026).
  <li>Added a focus-follows-mouse option.
  <li>Reduced request timeout to 500 milliseconds to match the extended escape time and discard palette requests if receiving a reply for a different index.
  <li>Added an <code>-e</code> flag to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> <code>command-prompt</code> to close if empty.
  <li>Fixed window-size=latest not resizing on switch-client in session groups.
  <li>Made tmux respond to DECRQM 2026.
  <li>Break out the sorting code into a common file so formats and modes use the same code and add <code>-O</code> for sorting to the list commands.
  <li>Added sorting (-O flag) and a custom format (-F) to list-keys.
  <li>Fixed several memory leaks.
  <li>Allow copy mode to work for readonly clients, except for copy commands.
  <li>Avoid a crash by checking for NULL before dereferencing.
  <li>Make -c (shell command) work with new-session -A.
  <li>Draw message as one format, allowing prompts and messages to occupy only
	a portion of the status bar, overlaying the normal status content rather
	than replacing the entire line.
  <li>Add a short built-in help text for each mode accessible with C-h.
  <li>Add extkeys feature to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> itself so nested tmux works.
  <li>Add -C flag to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> command-prompt to match display-message -C.
  </ul>

<li>LibreSSL version 4.3.0:
  <ul>
  <li>Portable changes
    <ul>
    <li>Rework portable assembly handling with <code>LIBRESSL_USE_ASSEMBLY</code>
    <li>Add SHA assembly for elf-aarch64
    <li>Add definition of ssize_t to cms.h for Windows
    <li>Fix posix_open() implementation so it properly signals failure
    <li>Fix <code>SIGALRM</code> handler for openssl speed on Windows
    </ul>
  <li>Internal improvements
    <ul>
    <li>Remove the unused sequence number from <code>X509_REVOKED</code>.
    <li>Replace a call to atoi(3) with strtonum(3) in nc(1) and replace a
        misleading use of ntohs(3) with htons(3).
    <li>openssl(1) speed now uses <code>HMAC-SHA256</code> for its hmac benchmark.
    <li>Reimplemented the only use of ASN1_PRINTABLE_type() in openssl(1) ca.
        The API will be removed in an upcoming release.
    <li>Add curve NID to <code>EC_POINT</code> objects so the library has a clue on which
        curve a given <code>EC_POINT</code> is supposed to live.
    <li>Use curve NID to check for compatibility between group and points
        in various EC API. This isn't 100% failsafe but good enough for sane
        uses.
    <li>Require SSE in order to use gcm_{gmult,ghash}_4bit_mmx().
        On rare i386 machines supporting MMX but not SSE this could result
        in an illegal instruction.
    <li>Cleaned up asn1t.h to make it somewhat readable and more robust by
        using C99 initializers in particular.
    <li>Further assembly macro improvements for -portable.
    <li>Add fast path for well-known DH primes in DH_check(3) (including
        those from RFC 7919). Some projects still fiddle with this in 2025.
    <li>Rewrite ec_point_cmp() for readability and robustness.
    <li>Improve EVP_{Open,Seal}Init(3) internals. This is legacy API that
        cannot be removed since one scripting language still exposes it.
    <li>ASN1_BIT_STRING_set_bit(3) now trims trailing zero bits itself rather
        than relying on i2c_ASN1_BIT_STRING(3) to do that when encoding.
    <li>Fix and add workarounds to libtls to improve const correctness and
        to avoid warnings when compiling with OpenSSL 4.
    <li>Prefix <code>EC_KEY</code> methods with ec_key_ to avoid problems in
        some static links.
    <li>Remove <code>mac_packet</code>, a leftover from accepting SSLv2 ClientHellos.
    <li>Remove <code>ssl_server_legacy_first_packet()</code>.
    <li>In addition to what was done in LibreSSL 4.0 for the version
        handling, disable TLSv1.1 and lower also on the method level.
    <li>Remove workaround for SSL 3.0/TLS 1.0 CBC vulnerability.
    <li>Refactor <code>ocsp_find_signer_sk()</code> to avoid neglecting the ASN.1's
        semantics by directly reaching into deeply nested OCSP structures.
    </ul>
  <li>Compatibility changes
    <ul>
    <li>Expose X509_VERIFY_PARAM_set_hostflags(3) as a public symbol.
    <li>Provide SSL_SESSION_dup(3).
    <li>BIGNUMs now use the C99 types uint64_t/uint32_t for the word width.
        Fixes long-standing issues with 32-bit longs on 64-bit Windows.
    <li>Many unused BN_* macros with incomprehensible names were removed:
        <code>BN_LONG</code>, <code>BN_BITS{,4}</code>,
	<code>BN_MASK2{,l,h,h1}</code>, <code>BN_TBIT</code>,
	<code>BN_DEC_CONV</code>, <code>BN_{DEC,HEX}_FMT{1,2}</code>, ...
    <li>openssl(1) cms no longer accepts the unsupported <code>-compress</code>
        and <code>-uncompress</code> switches.
    <li>Added <code>PKCS7_NO_DUAL_CONTENT</code> flag/behavior. This is
        incorrect legacy behavior but some language bindings decided to
	rely on it in 2025.
    <li>Remove <code>STABLE_FLAGS_MALLOC</code> but keep
        <code>STABLE_NO_MASK</code> because there is still one user...
    <li>Fix <code>ASN1_ADB_END</code> macro to have a signature compatible
        with OpenSSL.  The <code>adb_cb()</code> argument is currently ignored.
    <li>Unexport <code>ASN1_LONG_UNDEF</code>.
    </ul>
  <li>New features
    <ul>
    <li>Support for
        <a href="https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-mlkem/"><code>MLKEM768_X25519</code> keyshare in TLS</a>.
    <li>Added <code>ML-KEM</code> benchmarks to openssl(1) speed.
    <li>Added support for starttls protocol <code>sieve</code>.
    <li>Add support for <code>RSASSA-PSS</code> with pubkey OID
        <code>RSASSA-PSS</code> to libssl.
    </ul>
  <li>Bug fixes
    <ul>
    <li>Ensure the group selected by a TLSv1.3 server for a
        HelloRetryRequest is not one for which the client has
        already sent a key share.
    <li>Plug memory leak in CMS_EncryptedData_encrypt(3).
    <li>Plug possible memory leak and double free in <code>nref_nos()</code>.
    <li>Removed always zero test results for some no longer available
        legacy primitives in openssl(1) speed.
    <li>List SHA-3 digests in openssl(1) help output.
    <li>Fix encoding of bit strings with trailing zeroes on which
        <code>ASN1_STRING_FLAG_BITS_LEFT</code> is not set.
    <li>Add missing NULL pointer check to PKCS12_item_decrypt_d2i(3).
    <li>Avoid type confusion leading to 1-byte read at address 0x00-0xff
        in PKCS#12 parsing.
    <li>Fix type confusion in timestamp response parsing for v2 signing
        certs.
    <li>Fix EVP_SealInit(3) to return 0 on error, not -1.
    <li>Replace incorrect strncmp(3) with strcmp(3) in CRL distribution point
        config parsing.
    <li><code>openssl x509 -text</code> writes its output to the file
        specified by <code>-out</code> like all other openssl(1) subcommands.
    <li>Stop Delta CRL processing in the verifier if the cRLNumber is
        missing. This is flagged on deserialization, but nothing checks
        that flag. This can lead to a <code>NULL</code> dereference if the
	verification has enabled Delta CRL checking by setting
	<code>X509_V_FLAG_USE_DELTAS</code>.
    <li>Fix <code>NULL</code> dereference that can be triggered with malformed
        OAEP parameter encoding for CMS decryption.
    <li>Add missing length checks before BIO_new_mem_buf(3) in libtls.
    <li>Improve libtls error reporting consistency, avoid reporting
        unrelated errnos.
    <li>Fix SAN dNSName constraints: instead of substring matching,
        match exactly and allow zero or more components in front of
        the candidate.
    </ul>
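The SAN dNSName constraint fix above contrasts substring matching with matching on whole labels. The following is an added example, not LibreSSL's code: the function names and the sample names are constructed for illustration, and both functions reject empty input by assumption.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/*
 * Substring matching, as a constructed illustration (not LibreSSL's code):
 * the name passes if the constraint text occurs anywhere inside it.
 */
int
dns_constraint_substring(const char *name, const char *constraint)
{
	size_t nlen = strlen(name), clen = strlen(constraint), i;

	if (clen == 0 || clen > nlen)
		return 0;
	for (i = 0; i + clen <= nlen; i++)
		if (strncasecmp(name + i, constraint, clen) == 0)
			return 1;
	return 0;
}

/*
 * Label-aware matching: the name passes if it equals the constraint or is
 * the constraint with one or more whole labels added on the left.
 */
int
dns_constraint_labels(const char *name, const char *constraint)
{
	size_t nlen = strlen(name), clen = strlen(constraint);

	/* This example rejects empty input rather than assigning it a meaning. */
	if (nlen == 0 || clen == 0 || clen > nlen)
		return 0;
	/* The constraint must be the tail of the name (DNS names ignore case). */
	if (strcasecmp(name + (nlen - clen), constraint) != 0)
		return 0;
	/* Zero labels in front: exact match. */
	if (nlen == clen)
		return 1;
	/* Otherwise the tail must begin right after a label separator ... */
	if (name[nlen - clen - 1] != '.')
		return 0;
	/* ... and something must precede that separator. */
	return nlen - clen - 1 > 0;
}

int
main(void)
{
	/* Constructed names; "example.com" is the permitted subtree. */
	const char *constraint = "example.com";
	const char *names[] = {
		"example.com", "www.example.com", "WWW.Example.COM",
		"badexample.com", "example.com.other.test", "example.org",
	};
	size_t i;

	printf("%-26s %-10s %s\n", "name", "substring", "labels");
	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
		printf("%-26s %-10d %d\n", names[i],
		    dns_constraint_substring(names[i], constraint),
		    dns_constraint_labels(names[i], constraint));
	return 0;
}
```

The two functions agree on every name except those where the constraint text appears without being a whole-label suffix, which is the case a permitted-subtree check has to reject.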
  <li>Reliability fix
    <ul>
    <li>Fix off-by-one error in the X.509 verifier depth checking. This can
        lead to a 4-byte overwrite on heap allocated memory for clients
        talking to a malicious server or for servers that have client
        certificate verification enabled. In addition, the maximum depth
        must be set to the maximum allowed value of 32 for the overwrite
        to occur.
    </ul>
  <li>Testing and proactive security
    <ul>
    <li>Port Wycheproof tests to <code>testvectors_v1</code> and improve
        coverage and correctness. Add tests for ML-KEM in particular.
    </ul>
  </ul>

<li>OpenSSH 10.3:
  <ul>
  <li>Security fixes:
    <ul>
    <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: validation of shell
      metacharacters in user names supplied
      on the command-line was performed too late to prevent some
      situations where they could be expanded from %-tokens in
      ssh_config. For certain configurations, such as those that use a
      "%u" token in a "Match exec" block, an attacker who can control
      the user name passed to <a href='https://man.openbsd.org/ssh.1'
      >ssh(1)</a> could potentially execute arbitrary
      shell commands.  Reported by Florian Kohnhäuser.

      <p>We continue to recommend against directly exposing <a
      href='https://man.openbsd.org/ssh.1'>ssh(1)</a> and
      other tools' command-lines to untrusted input. Mitigations such
      as this cannot be absolute given the variety of shells and user
      configurations in use.

    <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: when matching
      an authorized_keys principals="" option
      against a list of principals in a certificate, an incorrect
      algorithm was used that could allow inappropriate matching in
      cases where a principal name in the certificate contains a
      comma character. Exploitation of the condition requires an
      authorized_keys principals="" option that lists more than one
      principal <em>and</em> a CA that will issue a certificate that encodes
      more than one of these principal names separated by a comma
      (typical CAs strongly constrain which principal names they will
      place in a certificate). This condition only applies to
      user-trusted CA keys in authorized_keys; the main certificate
      authentication path (TrustedUserCAKeys/AuthorizedPrincipalsFile)
      is not affected. Reported by Vladimir Tokarev.

    <li><a href='https://man.openbsd.org/scp.1'>scp(1)</a>: when downloading
      files as root in legacy (-O) mode and
      without the -p (preserve modes) flag set, scp did not clear
      setuid/setgid bits from downloaded files as one might typically
      expect. This bug dates back to the original Berkeley rcp program.
      Reported by Christos Papakonstantinou of Cantina and Spearbit.

    <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: fix incomplete
      application of PubkeyAcceptedAlgorithms
      and HostbasedAcceptedAlgorithms with regard to ECDSA keys.
      Previously, if one of these directives contained any ECDSA algorithm
      name (say "ecdsa-sha2-nistp384"), then any other ECDSA algorithm
      would be accepted in its place regardless of whether it was
      listed or not.  Reported by Christos Papakonstantinou of Cantina
      and Spearbit.

    <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: connection
      multiplexing confirmation (requested using
      "ControlMaster ask/autoask") was not being tested for proxy mode
      multiplexing sessions (i.e. "ssh -O proxy ..."). Reported by
      Michalis Vasileiadis.
    </ul>
  <li>Potentially incompatible changes:
    <ul>
    <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a
      href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: remove bug
      compatibility for implementations
      that don't support rekeying. If such an implementation tries to
      interoperate with OpenSSH, it will now eventually fail when the
      transport needs rekeying.

    <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: prior to this
      release, a certificate that had an empty
      principals section would be treated as matching any principal
      (i.e. as a wildcard) when used via authorized_keys principals=""
      option. This was intentional, but created a surprising and
      potentially risky situation if a CA accidentally issued a
      certificate with an empty principals section: instead of being
      useless as one might expect, it could be used to authenticate as
      any user who trusted the CA via authorized_keys. [Note that this
      condition did not apply to CAs trusted via the <a
      href='https://man.openbsd.org/sshd_config.5'>sshd_config(5)</a>
      TrustedUserCAKeys option.]

      <p>This release treats an empty principals section as never matching
      any principal, and also fixes interpretation of wildcard
      characters in certificate principals. Now they are consistently
      implemented for host certificates and not supported for user
      certificates.

    <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: the -J and
      equivalent -oProxyJump="..." options now
      validate user and host names when passed
      via the command-line (no such validation is performed for this
      option in configuration files). This prevents shell injection in
      situations where these were directly exposed to adversarial
      input, which would have been a terrible idea to begin with.
      Reported by rabbit.

    </ul>
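The two sshd(8) items about the authorized_keys principals="" option (the comma-handling fix and the empty principals section change) both come down to how a certificate's principals are compared with the option's list. The following is an added example, not OpenSSH's code: struct cert, match_loose() and match_strict() are hypothetical names, and the loose matcher's comma splitting is an assumed way such a mismatch can arise, since the notes do not describe the original algorithm.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the principals section of a user certificate. */
struct cert {
	const char **principals;
	size_t nprincipals;
};

/* Return 1 if name[0..nlen) equals one whole comma-separated item of list. */
static int
list_has(const char *list, const char *name, size_t nlen)
{
	const char *p = list;

	while (*p != '\0') {
		size_t ilen = strcspn(p, ",");

		if (nlen > 0 && ilen == nlen && memcmp(p, name, nlen) == 0)
			return 1;
		p += ilen;
		if (*p == ',')
			p++;
	}
	return 0;
}

/*
 * Loose matcher (hypothetical): treats each certificate principal as a
 * comma-separated list itself, and treats an empty principals section as
 * a wildcard, the pre-release behaviour the notes describe.
 */
int
match_loose(const char *option, const struct cert *c)
{
	size_t i;

	if (c->nprincipals == 0)
		return 1;
	for (i = 0; i < c->nprincipals; i++) {
		const char *p = c->principals[i];

		while (*p != '\0') {
			size_t plen = strcspn(p, ",");

			if (list_has(option, p, plen))
				return 1;
			p += plen;
			if (*p == ',')
				p++;
		}
	}
	return 0;
}

/*
 * Strict matcher (hypothetical): each certificate principal is one opaque
 * name that must equal one whole item of the option list, and an empty
 * principals section never matches.
 */
int
match_strict(const char *option, const struct cert *c)
{
	size_t i;

	if (c->nprincipals == 0)
		return 0;
	for (i = 0; i < c->nprincipals; i++) {
		const char *p = c->principals[i];

		/* A name containing a comma can never equal a list item. */
		if (list_has(option, p, strlen(p)))
			return 1;
	}
	return 0;
}

int
main(void)
{
	/* Constructed inputs: the option is principals="alice,bob". */
	const char *option = "alice,bob";
	const char *comma[] = { "alice,bob" };	/* one principal with a comma */
	const char *plain[] = { "alice" };
	struct cert certs[] = { { comma, 1 }, { plain, 1 }, { NULL, 0 } };
	const char *label[] = { "\"alice,bob\"", "\"alice\"", "(empty)" };
	size_t i;

	for (i = 0; i < 3; i++)
		printf("%-12s loose=%d strict=%d\n", label[i],
		    match_loose(option, &certs[i]),
		    match_strict(option, &certs[i]));
	return 0;
}
```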
  <li>New features:
    <ul>
    <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a
      href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: support IANA-assigned
      codepoints for SSH agent
      forwarding, as per draft-ietf-sshm-ssh-agent. Support for the new
      names is advertised via the EXT_INFO message. If a server offers
      support for the new names, then they are used preferentially.

      <p>The pre-standardisation "@openssh.com" extensions for
      agent forwarding remain supported.

    <li><a href='https://man.openbsd.org/ssh-agent.1'>ssh-agent(1)</a>:
      implement support for draft-ietf-sshm-ssh-agent
      "query" extension.

    <li><a href='https://man.openbsd.org/ssh-add.1'>ssh-add(1)</a>: support
      querying the protocol extensions via the
      agent "query" extension with a new -Q flag.

    <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: support multiple
      files in ssh_config and sshd_config RevokedHostKeys directive. <a
      href='https://bugzilla.mindrot.org/show_bug.cgi?id=3918'>bz3918</a>

    <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: add a ~I escape
      option that shows information about the current SSH connection.

    <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: add an "ssh
      -Oconninfo user@host" multiplexing command that shows connection
      information, similar to the ~I escapechar.

    <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: add an <code>ssh -O
      channels user@host</code> multiplexing command to
      get a running mux process to show information about what channels
      are currently open.

    <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: add
      <code>invaliduser</code> penalty to PerSourcePenalties, which is
      applied to login attempts for usernames that do not match real
      accounts. Defaults to 5s to match 'authfail' but allows
      administrators to block such attempts for longer if desired.

    <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: add a
      GSSAPIDelegateCredentials option for the server,
      controlling whether it accepts delegated credentials offered by
      the client.  This option mirrors the same option in ssh_config.

    <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a
      href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: support the VA DSCP
      codepoint in the IPQoS directive.

    <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: convert
      PerSourcePenalties to using floating point time,
      allowing penalties to be less than a second. This is useful if you
      need to penalise things you expect to occur at &gt;=1 QPS.

    <li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>:
      support writing ED25519 keys in PKCS8 format.

    <li>Support the ed25519 signature scheme via libcrypto.
    </ul>
  <li>Bugfixes:
    <ul>
    <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: make IPQoS
      first-match-wins in sshd_config, like other configuration directives. <a
      href='https://bugzilla.mindrot.org/show_bug.cgi?id=3924'>bz3924</a>

    <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: fix potential
      crash when MaxStartups is set to a single
      argument (i.e. not using the MaxStartups x:y:z form) with a value
      below 10. <a
      href='https://bugzilla.mindrot.org/show_bug.cgi?id=3941'>bz3941</a>

    <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: fix a potential
      hang during key exchange if needed DH
      group values were missing from /etc/moduli.

    <li><a href='https://man.openbsd.org/ssh-agent.1'>ssh-agent(1)</a>: fix
      return values from extensions to be correct with respect to
      draft-ietf-sshm-ssh-agent: extension requests should indicate
      failure using SSH_AGENT_EXTENSION_FAILURE rather than the generic
      SSH_AGENT_FAILURE error code. This allows the client to discern
      between "the request failed" and "the agent doesn't support this
      extension".

    <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: use fmprintf for
      showing challenge-response name and info
      to preserve UTF-8 characters where appropriate.

    <li><a href='https://man.openbsd.org/scp.1'>scp(1)</a>: when uploading a
      directory using SFTP (e.g. during a recursive transfer), don't
      clobber the remote directory permissions unless either we created the
      directory during the transfer or the -p flag was set. <a
      href='https://bugzilla.mindrot.org/show_bug.cgi?id=3925'>bz3925</a>

    <li>All: implement missing pieces of FIDO/webauthn signature support,
      mostly related to certificate handling and enable acceptance of this
      signature format by default.  <a
      href='https://bugzilla.mindrot.org/show_bug.cgi?id=3748'>bz3748</a>

    <li><a href='https://man.openbsd.org/sshd_config.5'>sshd_config(5)</a>:
      make it clear that DenyUsers/DenyGroups overrides
      AllowUsers/AllowGroups. Previously we specified the order in which
      the directives are processed but it was ambiguous as to what
      happened if both matched.

    <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>: don't try to match
      certificates held in an agent to
      private keys. This matching is done to support certificates that
      were loaded without their private key material, but is
      unnecessary for agent-hosted certificates, which always have
      private key material available in the agent. Worse, this matching
      would mess up the request sent to the agent in such a way as to
      break usage of these keys when the key usage was restricted in
      the agent.  <a
      href='https://bugzilla.mindrot.org/show_bug.cgi?id=3752'>bz3752</a>

    <li><a href='https://man.openbsd.org/sftp.1'>sftp(1)</a>: if editline has
      been switched to vi mode (i.e. via "bind -v" in .editrc), set up a
      keybinding so that command mode can be entered.

    <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a
      href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: improve performance
      of keying the sntrup761 key agreement algorithm.

    <li><a href='https://man.openbsd.org/ssh.1'>ssh(1)</a>, <a
      href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: enforce maximum
      packet/block limit during pre-authentication phase.

    <li><a href='https://man.openbsd.org/sftp.1'>sftp(1)</a>: don't misuse the
      sftp limits extension's open-handles
      field. This value is supposed to be the number of handles a
      server will allow to be opened and not a number of outstanding
      read/write requests that can be sent during an upload/download.

    <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: don't crash at
      connection time if the main sshd_config
      lacks any subsystem directive but one is defined in a Match block.
      <a href='https://bugzilla.mindrot.org/show_bug.cgi?id=3906'>bz3906</a>

    <li><a href='https://man.openbsd.org/sshd_config.5'>sshd_config(5)</a>: add
      a warning next to the ForceCommand directive
      that forcing a command doesn't automatically disable forwarding.

    <li><a href='https://man.openbsd.org/sshd_config.5'>sshd_config(5)</a>: add
      a warning that TOKENS are replaced without filtering or escaping and that
      it's the administrator's responsibility to ensure they are used safely in
      context.

    <li><a href='https://man.openbsd.org/scp.1'>scp(1)</a>: correctly quote
      filenames in verbose output for local-&gt;local copies. <a
      href='https://bugzilla.mindrot.org/show_bug.cgi?id=3900'>bz3900</a>

    <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: don't mess up the
      PerSourceNetBlockSize IPv6 mask if sscanf didn't decode it.

    <li><a href='https://man.openbsd.org/ssh-add.1'>ssh-add(1)</a>: when
      loading FIDO2 resident keys, set the comment to the FIDO application
      string. This matches the behaviour of ssh-keygen -K.

    <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: don't strnvis()
      log messages that are going to be logged
      by sshd-auth via its parent sshd-session process, as the parent
      will also run them through strnvis(). Prevents double-escaping of
      non-printing characters in some log messages. <a
      href='https://bugzilla.mindrot.org/show_bug.cgi?id=3896'>bz3896</a>

    <li><a href='https://man.openbsd.org/ssh-agent.1'>ssh-agent(1)</a>: escape
      SSH_AUTH_SOCK paths that are sent to the shell as setenv commands.
      Unbreaks ssh-agent for home directory paths that contain whitespace. <a
      href='https://bugzilla.mindrot.org/show_bug.cgi?id=3884'>bz3884</a>

    <li>All: Remove unnecessary checks for ECDSA public key validity.

    <li><a href='https://man.openbsd.org/sshd.8'>sshd(8)</a>: activate
      UnusedConnectionTimeout only after the last
      channel has closed. Previously UnusedConnectionTimeout could fire
      early after a ChannelTimeout. This was not a problem for the
      OpenSSH client because it terminates once all channels have
      closed but could cause problems for other clients (e.g. API
      clients) that do things differently.  <a
      href='https://bugzilla.mindrot.org/show_bug.cgi?id=3827'>bz3827</a>

    <li>All: fix PKCS#11 key PIN entry problems introduced in
      openssh-10.1/10.2.  <a
      href='https://bugzilla.mindrot.org/show_bug.cgi?id=3879'>bz3879</a>

    <li><a href='https://man.openbsd.org/scp.1'>scp(1)</a>: when using the
      SFTP protocol for transfers, fix implicit destination path selection
      when source path ends with "..". <a
      href='https://bugzilla.mindrot.org/show_bug.cgi?id=3871'>bz3871</a>

    <li><a href='https://man.openbsd.org/sftp.1'>sftp(1)</a>: when
      tab-completing a filename, ensure that the completed
      string does not end up mid-way through a multibyte character, as
      this will cause a fatal() later on.

    <li><a href='https://man.openbsd.org/ssh-keygen.1'>ssh-keygen(1)</a>: fix
      crash at exit (visible via ssh-keygen -D) when multiple keys loaded.

    <li><a href='https://man.openbsd.org/scp.1'>scp(1)</a>/<a
      href='https://man.openbsd.org/sftp.1'>sftp(1)</a>: correctly display
      bandwidths greater than 2 GBps in the progress meter.
    </ul>
  </ul>

<li>Ports and packages:
  <p>Many pre-built packages for each architecture:
  <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
  <ul style="column-count: 3">
    <li>aarch64:    12883
    <li>amd64:      13044
    <li>arm:        9554
    <li>i386:       10631
    <li>mips64:     9309
    <li>powerpc:    10253
    <li>powerpc64:  9507
    <li>riscv64:    11142
    <li>sparc64:    10079
  </ul>

  <p>Some highlights:
  <ul style="column-count: 3"><!-- checked 2026-05-07 -->
    <li>Asterisk 16.30.1, 18.26.4, 20.19.0 and 22.9.0
    <li>Audacity 3.7.7
    <li>CMake 4.2.3
    <li>Chromium 147.0.7727.101
    <li>Emacs 30.2
    <li>FFmpeg 8.0.1
    <li>GCC 15.2.0
    <li>GHC 9.10.3
    <li>GNOME 49
    <li>Go 1.26.2
    <li>JDK 11.0.30, 17.0.18, 21.0.10 and 25.0.2
    <li>KDE Applications 25.12.3
    <li>KDE Frameworks 6.23.0
    <li>KDE Plasma 6.6.4
    <li>Krita 5.2.16
    <li>LLVM/Clang 19.1.7, 20.1.8 and 21.1.8
    <li>LibreOffice 26.2.2.2
    <li>Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.8
    <li>MariaDB 11.4.10
    <li>Mono 6.14.1
    <li>Mozilla Firefox 150.0 and ESR 140.10.0
    <li>Mozilla Thunderbird 140.10.0
    <li>Mutt 2.3.1 and NeoMutt 20260406
    <li>Node.js 22.22.2
    <li>OCaml 4.14.2
    <li>OpenLDAP 2.6.13
    <li>PHP 8.2.30, 8.3.30, 8.4.20 and 8.5.5
    <li>Postfix 3.5.25 and 3.11.1
    <li>PostgreSQL 18.3
    <li>Python 2.7.18 and 3.13.13
    <li>Qt 5.15.18 (+ kde patches) and 6.10.2
    <li>R 4.5.2
    <li>Ruby 3.3.11, 3.4.9 and 4.0.2
    <li>Rust 1.94.1
    <li>SQLite 3.51.3
    <li>Shotcut 26.2.26
    <li>Sudo 1.9.17p2
    <li>Suricata 7.0.7
    <li>Tcl/Tk 8.5.19, 8.6.17 and 9.0.3
    <li>TeX Live 2025
    <li>Vim 9.2.0357 and Neovim 0.12.1
    <li>Vulkan 1.4.341.0
    <li>Wayland 1.24.0 with compositors Labwc, Mango, Niri, Sway and Wayfire
    <li>Xfce 4.20.0
  </ul>
  <p>

<li>As usual, steady improvements in manual pages and other documentation.

<li>The system includes the following major components from outside suppliers:
  <ul><!-- updated 2026-04-26 -->
    <li>Xenocara (based on X.Org 7.7 with xserver 21.1.21 + patches,
        freetype 2.14.2, fontconfig 2.17.1, Mesa 25.0.7, xterm 406,
        xkeyboard-config 2.20, fonttosfnt 1.2.4 and more)
    <li>LLVM/Clang 19.1.7 (+ patches)
    <li>GCC 4.2.1 (+ patches)
    <li>Perl 5.42.2 (+ patches)
    <li>pkgconf 2.4.3
    <li>NSD 4.14.2
    <li>Unbound 1.24.2
    <li>Ncurses 6.4
    <li>Binutils 2.17 (+ patches)
    <li>GDB 6.3 (+ patches)
    <li>Awk 20250116
    <li>Expat 2.7.5
    <li>zlib 1.3.2 (+ patches)
  </ul>
</ul>
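<p>
The ssh-agent(1) fix listed in the OpenSSH notes above (bz3884) concerns output that is meant to be passed to eval. The following added example, which is not OpenSSH code, shows why an unescaped socket path containing whitespace fails and how a quoted one survives. The sample paths and function names are constructed, and the single-quote scheme is an assumption, not necessarily the escaping ssh-agent uses.

```shell
#!/bin/sh
# Constructed sample: agent socket under a home directory containing a space.
SAMPLE_SOCK='/home/jane doe/.ssh/agent/s.constructed'

# Bourne-shell line with the path pasted in verbatim (the pre-fix shape).
emit_unquoted() {
    printf 'SSH_AUTH_SOCK=%s; export SSH_AUTH_SOCK;\n' "$1"
}

# Quote a string for sh: wrap it in single quotes and rewrite each ' as '\''.
# Assumption: a standard quoting scheme, not necessarily the one OpenSSH uses.
sh_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# The same line with the path quoted before it is handed to the shell.
emit_quoted() {
    printf 'SSH_AUTH_SOCK=%s; export SSH_AUTH_SOCK;\n' "$(sh_quote "$1")"
}

# Evaluate an emitted line in a subshell, as eval `ssh-agent -s` would,
# and print the value SSH_AUTH_SOCK ends up with (empty if unset).
eval_and_read() {
    (
        unset SSH_AUTH_SOCK
        # Unquoted input splits at the space: the first word becomes a
        # temporary assignment and the rest is run as a command that fails.
        eval "$1" 2>/dev/null || true
        printf '%s' "${SSH_AUTH_SOCK-}"
    )
}

# Show both forms and what the calling shell would end up with.
for line in "$(emit_unquoted "$SAMPLE_SOCK")" "$(emit_quoted "$SAMPLE_SOCK")"; do
    printf '%s\n  -> SSH_AUTH_SOCK=[%s]\n' "$line" "$(eval_and_read "$line")"
done
```

With the unquoted line the variable is left unset, so later ssh(1) or ssh-add(1) invocations cannot find the agent; with the quoted line the full path is preserved.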
</section>

<hr>

<section id="install">
<h3>How to install</h3>
<p>
Please refer to the following files on the mirror site for
extensive details on how to install OpenBSD 7.9 on your machine:

<ul>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.9/alpha/INSTALL.alpha">
	.../OpenBSD/7.9/alpha/INSTALL.alpha</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.9/amd64/INSTALL.amd64">
	.../OpenBSD/7.9/amd64/INSTALL.amd64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.9/arm64/INSTALL.arm64">
	.../OpenBSD/7.9/arm64/INSTALL.arm64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.9/armv7/INSTALL.armv7">
	.../OpenBSD/7.9/armv7/INSTALL.armv7</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.9/hppa/INSTALL.hppa">
	.../OpenBSD/7.9/hppa/INSTALL.hppa</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.9/i386/INSTALL.i386">
	.../OpenBSD/7.9/i386/INSTALL.i386</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.9/landisk/INSTALL.landisk">
	.../OpenBSD/7.9/landisk/INSTALL.landisk</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.9/loongson/INSTALL.loongson">
	.../OpenBSD/7.9/loongson/INSTALL.loongson</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.9/luna88k/INSTALL.luna88k">
	.../OpenBSD/7.9/luna88k/INSTALL.luna88k</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.9/macppc/INSTALL.macppc">
	.../OpenBSD/7.9/macppc/INSTALL.macppc</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.9/octeon/INSTALL.octeon">
	.../OpenBSD/7.9/octeon/INSTALL.octeon</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.9/powerpc64/INSTALL.powerpc64">
	.../OpenBSD/7.9/powerpc64/INSTALL.powerpc64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.9/riscv64/INSTALL.riscv64">
	.../OpenBSD/7.9/riscv64/INSTALL.riscv64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.9/sparc64/INSTALL.sparc64">
	.../OpenBSD/7.9/sparc64/INSTALL.sparc64</a>
</ul>
</section>

<hr>

<section id="quickinstall">
<p>
Quick installer information for people familiar with OpenBSD, and the use of
the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!

<h3>OpenBSD/alpha:</h3>

<p>
If your machine can boot from CD, you can write <i>install79.iso</i> or
<i>cd79.iso</i> to a CD and boot from it.
Refer to INSTALL.alpha for more details.

<h3>OpenBSD/amd64:</h3>

<p>
If your machine can boot from CD, you can write <i>install79.iso</i> or
<i>cd79.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.

<p>
If your machine can boot from USB, you can write <i>install79.img</i> or
<i>miniroot79.img</i> to a USB stick and boot from it.

<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.

<p>
If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.

<h3>OpenBSD/arm64:</h3>

<p>
Depending on your hardware, you can write <i>install79.iso</i>
or <i>cd79.iso</i> to a CD and boot from it, or write a system specific
miniroot to an SD card and boot from it after connecting to the serial
console.  Refer to INSTALL.arm64 for more details.

<h3>OpenBSD/armv7:</h3>

<p>
Write a system specific miniroot to an SD card and boot from it after connecting
to the serial console.  Refer to INSTALL.armv7 for more details.

<h3>OpenBSD/hppa:</h3>

<p>
Boot over the network by following the instructions in INSTALL.hppa or the
<a href="hppa.html#install">hppa platform page</a>.

<h3>OpenBSD/i386:</h3>

<p>
If your machine can boot from CD, you can write <i>install79.iso</i> or
<i>cd79.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.

<p>
If your machine can boot from USB, you can write <i>install79.img</i> or
<i>miniroot79.img</i> to a USB stick and boot from it.

<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.

<p>
If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.

<h3>OpenBSD/landisk:</h3>

<p>
Write <i>miniroot79.img</i> to the start of the CF
or disk, and boot normally.

<h3>OpenBSD/loongson:</h3>

<p>
Write <i>miniroot79.img</i> to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.

<h3>OpenBSD/luna88k:</h3>

<p>
Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.

<h3>OpenBSD/macppc:</h3>

<p>
Burn the <i>install79.iso</i> image from a mirror site to a CDROM,
and power on your machine while holding down the <i>C</i> key until
the display turns on and shows <i>OpenBSD/macppc boot</i>.

<p>
Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
/7.9/macppc/bsd.rd</i>

<h3>OpenBSD/octeon:</h3>

<p>
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.

<h3>OpenBSD/powerpc64:</h3>

<p>
To install, write <i>install79.img</i> or <i>miniroot79.img</i> to a
USB stick, plug it into the machine and choose the <i>OpenBSD
install</i> menu item in Petitboot.
Refer to the instructions in INSTALL.powerpc64 for more details.

<h3>OpenBSD/riscv64:</h3>

<p>
To install, write <i>install79.img</i> or <i>miniroot79.img</i> to a
USB stick, and boot with that drive plugged in.
Make sure you also have the microSD card plugged in that shipped with the
HiFive Unmatched board.
Refer to the instructions in INSTALL.riscv64 for more details.

<h3>OpenBSD/sparc64:</h3>

<p>
Burn the image from a mirror site to a CDROM, boot from it, and type
<i>boot cdrom</i>.

<p>
If this doesn't work, or if you don't have a CDROM drive, you can write
<i>floppy79.img</i> or <i>floppyB79.img</i>
(depending on your machine) to a floppy and boot it with <i>boot
floppy</i>. Refer to INSTALL.sparc64 for details.

<p>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.

<p>
You can also write <i>miniroot79.img</i> to the swap partition on
the disk and boot with <i>boot disk:b</i>.

<p>
If nothing works, you can boot over the network as described in INSTALL.sparc64.
</section>

<hr>

<section id="upgrade">
<h3>How to upgrade</h3>
<p>
If you already have an OpenBSD 7.8 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
<a href="faq/upgrade79.html">Upgrade Guide</a>.
</section>

<hr>

<section id="sourcecode">
<h3>Notes about the source code</h3>
<p>
<code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/src.tar.gz</kbd>
</pre></blockquote>
<p>
<code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src/sys</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
</pre></blockquote>
<p>
Both of these trees are regular CVS checkouts.  Using these trees it
is possible to get a head-start on using the anoncvs servers as
described <a href="anoncvs.html">here</a>.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
</section>

<hr>

<section id="ports">
<h3>Ports Tree</h3>
<p>
A ports tree archive is also provided.  To extract:
<blockquote><pre>
# <kbd>cd /usr</kbd>
# <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
</pre></blockquote>
<p>
Go read the <a href="faq/ports/index.html">ports</a> page
if you know nothing about ports
at this point.  This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.
<p>
The <i>ports/</i> directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
<a href="anoncvs.html">AnonCVS</a>.
So, in order to keep up to date with the -stable branch, you must make
the <i>ports/</i> tree available on a read-write medium and update the tree
with a command like:
<blockquote><pre>
# <kbd>cd /usr/ports</kbd>
# <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_7_9</kbd>
</pre></blockquote>
<p>
[Of course, you must replace the server name here with a nearby anoncvs
server.]
<p>
Note that most ports are available as packages on our mirrors. Updated
ports for the 7.9 release will be made available if problems arise.
<p>
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
<a href="mail.html">ports@openbsd.org</a> is a good place to start.
</section>
</body>
</html>