------------------------------------------------------------------------ - OpenBSD 6.1 RELEASED ------------------------------------------------- April 11, 2017. We are pleased to announce the official release of OpenBSD 6.1. This is our 42nd release. We remain proud of OpenBSD's record of more than twenty years with only two remote holes in the default install. As in our previous releases, 6.1 provides significant improvements, including new features, in nearly all areas of the system: - New/extended platforms: o New arm64 platform, using clang(1) as the base system compiler. o The loongson platform now supports systems with Loongson 3A CPU and RS780E chipset. o The following platforms were retired: armish, sparc, zaurus. - Improved hardware support, including: o New acpials(4) driver for ACPI ambient light sensor devices. o New acpihve(4) driver for feeding Hyper-V entropy into the kernel pool. o New acpisbs(4) driver for ACPI Smart Battery devices. o New dwge(4) driver for Designware GMAC 10/100/Gigabit Ethernet devices. o New htb(4) driver for Loongson 3A PCI host bridges. o New hvn(4) driver for Hyper-V networking interfaces. o New hyperv(4) driver for the Hyper-V guest nexus device. o New iatp(4) driver for the Atmel maXTouch touchpad and touchscreen. o New imxtemp(4) driver for Freescale i.MX6 temperature sensors. o New leioc(4) driver for the Loongson 3A low-end IO controller. o New octmmc(4) driver for the OCTEON MMC host controller. o New ompinmux(4) driver for OMAP pin multiplexing. o New omwugen(4) driver for OMAP wake-up generators. o New psci(4) driver for the ARM Power State Coordination Interface. o New simplefb(4) driver for the simple frame buffer on systems using a device tree. o New sximmc(4) driver for Allwinner A1X/A20 MMC/SD/SDIO controllers. o New tpm(4) driver for Trusted Platform Module devices. o New uwacom(4) driver for Wacom USB tablets. o New vmmci(4) VMM control interface. o New xbf(4) driver for Xen Blkfront virtual disks. o New xp(4) driver for the LUNA-88K HD647180X I/O processor. o Support for Kaby Lake and Lewisburg PCH Ethernet MACs with I219 PHYs has been added to the em(4) driver. o Support for RTL8153 USB 3.0 Gigabit Ethernet based devices has been added to the ure(4) driver. o Improved ACPI support for modern Apple hardware, including S3 suspend and resume. o Support for X550 family of 10 Gigabit Ethernet based devices has been added to the ix(4) driver. - New vmm(4)/ vmd(8): o Support was partially integrated in 6.0, but disabled. o Support for amd64 and i386 hosts. o BIOS payload provided via vmm-firmware, delivered via fw_update(1). o Support for Linux guest VMs. o Better interrupt handling and legacy device emulation. o vmm(4) no longer requires VMX unrestricted guest capability (Nehalem and later CPUs are sufficient). o Removed bounce buffers previously used by vmd(8) for vio(4) and vioblk(4) devices. o Support VMs with > 2GB RAM. o vmd(8) uses pledge(2) and the fork+exec model. o vm.conf(5) expanded to include VM ownership rules (uid/gid). o vmd(8)/ vm.conf(5) supports automatic bridge(4) and switch(4) configuration for VM network interfaces. o vmctl(8) supports graceful VM shutdown via vmmci(4). - IEEE 802.11 wireless stack improvements: o The ral(4) driver now supports Ralink RT3900E (RT5390, RT3292) devices. o The iwm(4) and iwn(4) drivers now support the short guard interval (SGI) in 11n mode. o Added a new implementation of MiRa, a rate adapation algorithm designed for 802.11n. o The iwm(4) driver now supports 802.11n MIMO (MCS 0-15). o The athn(4) driver now supports 802.11n, featuring MIMO (MCS 0-15) and hostap mode. o The iwn(4) driver now receives MIMO frames in monitor mode. o The rtwn(4) and urtwn(4) drivers now use AMRR rate adaptation (8188EU and 8188CE devices only). o TKIP/WPA1 was disabled by default because of inherent weaknesses in this protocol. - Generic network stack improvements: o New switch(4) pseudo-device together with new switchd(8) and switchctl(8) programs. o New mobileip(4) operation mode for the gre(4) pseudo-device. o Multipoint-to-multipoint mode in vxlan(4). o route(8) and netstat -r display all routing flags correctly and they are completely documented in the netstat(1) man page. o When sending TCP streams they are locally stored in large mbuf clusters to improve memory management. The maximum TCP send and receive buffer size has been increased from 256KB to 2MB. Note that this results in a different pf(4) OS fingerprint for OpenBSD. The default limit for mbuf clusters has been increased. You can check the values with netstat(1) -m and adjust them with sysctl(8) kern.maxclusters. o Make the TCP_NOPUSH flag work for listen(2) sockets. It is inherited by the socket returned from accept(2). o A lot of code has been removed or simplified to make the transition to multi-processor easier. Redesign the interrupt and multi-processor locks in the network stack. o When passing packets from the network stack to the interface layer, make sure that they have no pointers to pf(4) which could result in a memory free operation at the wrong protection level. o Fix checksum calculation in pf(4) af-to ICMP packet conversions. Simplify af-to processing in and fix path MTU discovery in some corner cases. o Improve IPv6 fragment processing. Drop empty atomic fragments early. Be more paranoid when IPv6 hop-by-hop headers appear after fragment headers. Follow RFC 5722 "Handling of Overlapping IPv6 Fragments" more strictly in pf(4). RFC 8021 "IPv6 Atomic Fragments Considered Harmful" deprecates generating atomic fragments, so do not send them anymore. o Depending on the addresses, ipsecctl(8) may automatically group SA bundles together. To make clear what is going on, the kernel provides this information and ipsecctl -s sa prints IPsec SA bundles. o A new routing socket message type, RTM_PROPOSAL, was added to facilitate future improvements to the network configuration process. - Installer improvements: o The installer now uses privilege separation for fetching and verifying the install sets. o Install sets are now fetched over an HTTPS connection by default when using a mirror that supports it. o The installer now considers all of the DHCP information in filename, bootfile-name, server-name, tftp-server-name, and next-server when attempting to do automatic installs or upgrades. o The installer no longer adds a route to an alias IP via 127.0.0.1, due to improvements in the kernel routing components. - Routing daemons and other userland network improvements: o ping(8) and ping6(8) are now the same binary and share the engine. o ripd(8) now supports p2p links with addresses in different subnets. o UDP speakers can specify an IPv4 source address using IP_SENDSRCADDR. iked(8) and snmpd(8) now use the proper source address when sending replies. o iked(8) now supports ECDSA and RFC 7427 signatures for authentication. o iked(8) now supports replying to IKEv2 responder cookies. o Many fixes and improvements for iked(8) and ikectl(8), including various fixes for rekeying. o ospfd(8) and ospf6d(8) now cope with interface MTU change at runtime. o bgpd(8) now supports BGP Large Communities (RFC 8092). o bgpd(8) now supports BGP Administrative Shutdown Communication (draft-ietf-idr-shutdown). - Security improvements: o Enforcement of userland W^X on OCTEON Plus and later. o All shared libraries, all dynamic and static-PIE executables, and ld.so(1) itself use the RELRO ("read-only after relocation") design such that more of the initial data is protected as read-only. o The size of user virtual address space has been increased from 2GB to 1TB on mips64. o PIE and -static -pie on arm. o route6d(8) now runs with fewer privileges. o For incoming TLS connections syslogd(8) can validate client certificates with a given CA file. o The privileged parent process of syslogd(8) calls exec(2) to reshuffle its random memory layout. o New function recallocarray(3) to reduce the risk of incorrect clearing of memory before and after reallocarray(3). o SHA512_256 family of functions added to libc. o arm added to the list of archs where the setjmp(3) family of functions apply XOR cookies to stack and return-address values in the jmpbuf. o printf(3) family of formatting functions now report to syslog when the %s format is used with a NULL pointer. o Heap buffer overflow detection has been improved when the C malloc(3) option is used. The existing S option now includes C. o Support for permitting non-root users to mount(8) filesystems has been removed. o bioctl(8) now uses bcrypt PBKDF to derive keys for crypto volumes. - dhclient(8)/ dhcpd(8)/ dhcrelay(8) improvements: o Add DHO_BOOTFILE_NAME and DHO_TFTP_SERVER to the options requested by default. o Add support for RFC 6842 (Client Identifier Option in DHCP Server Replies). o Stop leaking option data received on the udp socket. o Stop pretending we use RFC 3046/Option 82/Relay Agent Information. o Stop recording ignored DHO_ROUTERS and DHO_STATIC_ROUTES options in the effective lease. o Use only leases from no SSID or the current SSID when restarting. o Reduce default values for various timeouts to something more appropriate to modern networks. o Fix issues with redundant dhcpd servers and CARP'd interfaces. o Switch to standard logging functions o Fix vis/unvis of strings in dhclient(8) leases files. - Assorted improvements: o New syspatch(8) utility for security and reliability binary updates to the base system. o acme-client(1), a privilege separated Automatic Certificate Management Environment (ACME) client written by Kristaps Dzonsons has been imported. o New, simplified xenodm(1) X11 display manager forked from xdm(1). o Unicode version 8 character properties in the C library. o Partial UTF-8 line editing support for ksh(1) Vi input mode. o UTF-8 support in column(1). o The performance and concurrency of the malloc(3) family in multi-threaded processes has been improved. o Estonian keyboard support. o read(2) on directories now fails instead of returning 0. o Support for the RES_USE_EDNS0 and RES_USE_DNSSEC flags has been added to the resolver(3) implementation. o syslogd(8) limits the socket buffer for TCP and TLS connections to 64K to avoid wasting kernel memory. o syslogd(8) supports the option -Z to print the timestamp in RFC 5424 ISO format. This logs everything in UTC including the year, timezone and fractions of seconds. The default is still RFC 3164 BSD syslog time format. o When log files are rotated, newsyslog(8) writes the creation time in UTC ISO format into the first line. o The syslogd(8) options -a, -T, and -U can be given more than once to specify multiple input sources. o Improve the syslogd(8) output and diagnostics in case the klog buffer overflows. o Make SIGHUP handling in syslogd(8) more reliable. o Let syslogd(8) tolerate most errors on startup. Keep running and receive messages from all working subsystems, but do not die. o The syslog(3) priority of fatal and warning messages of various daemons has been adjusted. o An NMI sends the amd64 kernel into ddb(4) more reliably. o ld.so(1) now supports the DT_PREINITARRAY, DT_INITARRAY, DT_FINIARRAY, DT_FLAGS, and DT_RUNPATH dynamic tags. o kdump(1) now dumps the fds returned by pipe(2) and socketpair(2). o Added support to doas(1) for session-locked persistent authentication. o Use a hardware register for the thread pointer on arm for improved performance in multi-threaded processes. o SGI boot blocks now consult the OpenBSD disklabel(5) to locate the root filesystem. This reduces constraints on disk partitioning. o iec(4) no longer hangs when its transmit ring gets full. o sq(4) has been fixed to accept broadcast frames in non-promiscuous mode when no IP address is configured. This lets the interface work with DHCP. o Multiprocessor-safe PCI interrupt handlers are run without the kernel lock on OpenBSD/sgi. o fdisk(8) now unconditionally sets the size of the protective MBR's EFI GPT partition to UINT32_MAX. o fdisk(8) now respects the current MBR or GPT format when initializing a disk. o softraid(4) now uses sufficient parallel i/o's to efficiently rebuild RAID5 volumes. o asr now accepts UDP packets of up to 4096 bytes to account for broken DNS servers. o umass(4) no longer assumes that ATAPI or UFI devices have only 1 LUN. o scsi(4) now correctly detects end of tape on LTO5 devices. o httpd(8) supports SNI via libtls to allow for multiple https sites on a single IP address. o ocspheck(8) has been added, and can be used to check the OCSP status of certificates. The corresponding responses can be saved for later use in OCSP stapling. o httpd(8) supports OCSP stapling via libtls to permit OCSP responses to be stapled to the tls handshake o nc(1) now also supports OCSP stapling server side, and will show the stapling information client side. o Both relayd(8) and httpd(8) support now TLS session resumption using TLS session tickets. See the respective configuration man page for more information. o With the -f option sensorsd(8) can use an alternative config file. - OpenSMTPD 6.0.0 o Added support for providing an alternate subaddressing delimiter. o Made the daemon less verbose in logs when exiting. o Improved the io layer to simplify code accross the daemon. o Added support for matching authenticated sessions in the ruleset. o Assorted code and documentation cleanups. - OpenSSH 7.4 o Security: - ssh-agent(1): Will now refuse to load PKCS#11 modules from paths outside a trusted whitelist (run-time configurable). Requests to load modules could be passed via agent forwarding and an attacker could attempt to load a hostile PKCS#11 module across the forwarded agent channel: PKCS#11 modules are shared libraries, so this would result in code execution on the system running the ssh-agent if the attacker has control of the forwarded agent-socket (on the host running the sshd server) and the ability to write to the filesystem of the host running ssh-agent (usually the host running the ssh client). - sshd(8): When privilege separation is disabled, forwarded Unix- domain sockets would be created by sshd(8) with the privileges of 'root' instead of the authenticated user. This release refuses Unix-domain socket forwarding when privilege separation is disabled (Privilege separation has been enabled by default for 14 years). - sshd(8): Avoid theoretical leak of host private key material to privilege-separated child processes via realloc() when reading keys. No such leak was observed in practice for normal-sized keys, nor does a leak to the child processes directly expose key material to unprivileged users. - sshd(8): The shared memory manager used by pre-authentication compression support had a bounds checks that could be elided by some optimising compilers. Additionally, this memory manager was incorrectly accessible when pre-authentication compression was disabled. This could potentially allow attacks against the privileged monitor process from the sandboxed privilege-separation process (a compromise of the latter would be required first). This release removes support for pre-authentication compression from sshd(8). - sshd(8): Fix denial-of-service condition where an attacker who sends multiple KEXINIT messages may consume up to 128MB per connection. - sshd(8): Validate address ranges for AllowUser and DenyUsers directives at configuration load time and refuse to accept invalid ones. It was previously possible to specify invalid CIDR address ranges (e.g. user@127.1.2.3/55) and these would always match, possibly resulting in granting access where it was not intended. - ssh(1), sshd(8): Fix weakness in CBC padding oracle countermeasures that allowed a variant of the attack fixed in OpenSSH 7.3 to proceed. o New/changed features: - Server support for the SSH v.1 protocol has been removed. - ssh(1): Remove 3des-cbc from the client's default proposal. 64-bit block ciphers are not safe in 2016 and we don't want to wait until attacks like SWEET32 are extended to SSH. As 3des-cbc was the only mandatory cipher in the SSH RFCs, this may cause problems connecting to older devices using the default configuration, but it's highly likely that such devices already need explicit configuration for key exchange and hostkey algorithms already anyway. - sshd(8): Remove support for pre-authentication compression. Doing compression early in the protocol probably seemed reasonable in the 1990s, but today it's clearly a bad idea in terms of both cryptography (cf. multiple compression oracle attacks in TLS) and attack surface. Pre-auth compression support has been disabled by default for >10 years. Support remains in the client. - ssh-agent will refuse to load PKCS#11 modules outside a whitelist of trusted paths by default. The path whitelist may be specified at run-time. - sshd(8): When a forced-command appears in both a certificate and an authorized keys/principals command= restriction, sshd will now refuse to accept the certificate unless they are identical. The previous (documented) behaviour of having the certificate forced-command override the other could be a bit confusing and error-prone. - sshd(8): Remove the UseLogin configuration directive and support for having /bin/login manage login sessions. - ssh(1): Add a proxy multiplexing mode to ssh(1) inspired by the version in PuTTY by Simon Tatham. This allows a multiplexing client to communicate with the master process using a subset of the SSH packet and channels protocol over a Unix-domain socket, with the main process acting as a proxy that translates channel IDs, etc. This allows multiplexing mode to run on systems that lack file- descriptor passing (used by current multiplexing code) and potentially, in conjunction with Unix-domain socket forwarding, with the client and multiplexing master process on different machines. Multiplexing proxy mode may be invoked using "ssh -O proxy ..." - sshd(8): Add a sshd_config DisableForwarding option that disables X11, agent, TCP, tunnel and Unix domain socket forwarding, as well as anything else we might implement in the future. Like the 'restrict' authorized_keys flag, this is intended to be a simple and future-proof way of restricting an account. - sshd(8), ssh(1): Support the "curve25519-sha256" key exchange method. This is identical to the currently-supported method named "curve25519-sha256@libssh.org". - sshd(8): Improve handling of SIGHUP by checking to see if sshd is already daemonised at startup and skipping the call to daemon(3) if it is. This ensures that a SIGHUP restart of sshd(8) will retain the same process-ID as the initial execution. sshd(8) will also now unlink the PidFile prior to SIGHUP restart and re-create it after a successful restart, rather than leaving a stale file in the case of a configuration error. - sshd(8): Allow ClientAliveInterval and ClientAliveCountMax directives to appear in sshd_config Match blocks. - sshd(8): Add %-escapes to AuthorizedPrincipalsCommand to match those supported by AuthorizedKeysCommand (key, key type, fingerprint, etc.) and a few more to provide access to the contents of the certificate being offered. - Added regression tests for string matching, address matching and string sanitisation functions. - Improved the key exchange fuzzer harness. - Deprecate the sshd_config UsePrivilegeSeparation option, thereby making privilege separation mandatory. Privilege separation has been on by default for almost 15 years and sandboxing has been on by default for almost the last five. - ssh(1), sshd(8): Support "=-" syntax to easily remove methods from algorithm lists, e.g. Ciphers=-*cbc. o The following significant bugs have been fixed in this release: - ssh(1): Allow IdentityFile to successfully load and use certificates that have no corresponding bare public key. certificate id_rsa-cert.pub (and no id_rsa.pub). - ssh(1): Fix public key authentication when multiple authentication is in use and publickey is not just the first method attempted. - ssh-agent(1), ssh(1): improve reporting when attempting to load keys from PKCS#11 tokens with fewer useless log messages and more detail in debug messages. - ssh(1): When tearing down ControlMaster connections, don't pollute stderr when LogLevel=quiet. - sftp(1): On ^Z wait for underlying ssh(1) to suspend before suspending sftp(1) to ensure that ssh(1) restores the terminal mode correctly if suspended during a password prompt. - ssh(1): Avoid busy-wait when ssh(1) is suspended during a password prompt. - ssh(1), sshd(8): Correctly report errors during sending of ext- info messages. - sshd(8): fix NULL-deref crash if sshd(8) received an out-of- sequence NEWKEYS message. - sshd(8): Correct list of supported signature algorithms sent in the server-sig-algs extension. - sshd(8): Fix sending ext_info message if privsep is disabled. - sshd(8): more strictly enforce the expected ordering of privilege separation monitor calls used for authentication and allow them only when their respective authentication methods are enabled in the configuration - sshd(8): Fix uninitialised optlen in getsockopt() call; harmless on Unix/BSD but potentially crashy on Cygwin. - Fix false positive reports caused by explicit_bzero(3) not being recognised as a memory initialiser when compiled with -fsanitize-memory. - sshd_config(5): Use 2001:db8::/32, the official IPv6 subnet for configuration examples. - sshd(1): Fix NULL dereference crash when key exchange start messages are sent out of sequence. - ssh(1), sshd(8): Allow form-feed characters to appear in configuration files. - sshd(8): Fix regression in OpenSSH 7.4 support for the server-sig-algs extension, where SHA2 RSA signature methods were not being correctly advertised. - ssh(1), ssh-keygen(1): Fix a number of case-sensitivity bugs in known_hosts processing. - ssh(1): Allow ssh to use certificates accompanied by a private key file but no corresponding plain *.pub public key. - ssh(1): When updating hostkeys using the UpdateHostKeys option, accept RSA keys if HostkeyAlgorithms contains any RSA keytype. Previously, ssh could ignore RSA keys when only the ssh-rsa-sha2-* methods were enabled in HostkeyAlgorithms and not the old ssh-rsa method. - ssh(1): Detect and report excessively long configuration file lines. - Merge a number of fixes found by Coverity and reported via Redhat and FreeBSD. Includes fixes for some memory and file descriptor leaks in error paths. - ssh-keyscan(1): Correctly hash hosts with a port number. - ssh(1), sshd(8): When logging long messages to stderr, don't truncate "\r\n" if the length of the message exceeds the buffer. - ssh(1): Fully quote [host]:port in generated ProxyJump/-J command- line; avoid confusion over IPv6 addresses and shells that treat square bracket characters specially. - ssh-keygen(1): Fix corruption of known_hosts when running "ssh-keygen -H" on a known_hosts containing already-hashed entries. - Fix various fallout and sharp edges caused by removing SSH protocol 1 support from the server, including the server banner string being incorrectly terminated with only \n (instead of \r\n), confusing error messages from ssh-keyscan a segfault in sshd if protocol v.1 was enabled for the client and sshd_config contained references to legacy keys. - ssh(1), sshd(8): Free fd_set on connection timeout. - sshd(8): Fix Unix domain socket forwarding for root (regression in OpenSSH 7.4). - sftp(1): Fix division by zero crash in "df" output when server returns zero total filesystem blocks/inodes. - ssh(1), ssh-add(1), ssh-keygen(1), sshd(8): Translate OpenSSL errors encountered during key loading to more meaningful error codes. - ssh-keygen(1): Sanitise escape sequences in key comments sent to printf but preserve valid UTF-8 when the locale supports it. - ssh(1), sshd(8): Return reason for port forwarding failures where feasible rather than always "administratively prohibited". - sshd(8): Fix deadlock when AuthorizedKeysCommand or AuthorizedPrincipalsCommand produces a lot of output and a key is matched early. - ssh(1): Fix typo in ~C error message for bad port forward cancellation. - ssh(1): Show a useful error message when included config files can't be opened. - sshd(8): Make sshd set GSSAPIStrictAcceptorCheck=yes as the manual page (previously incorrectly) advertised. - sshd_config(5): Repair accidentally-deleted mention of %k token in AuthorizedKeysCommand. - sshd(8): Remove vestiges of previously removed LOGIN_PROGRAM; - ssh-agent(1): Relax PKCS#11 whitelist to include libexec and common 32-bit compatibility library directories. - sftp-client(1): Fix non-exploitable integer overflow in SSH2_FXP_NAME response handling. - ssh-agent(1): Fix regression in 7.4 of deleting PKCS#11-hosted keys. It was not possible to delete them except by specifying their full physical path. - LibreSSL 2.5.3 o libtls now supports ALPN and SNI o libtls adds a new callback interface for integrating custom IO functions. Thanks to Tobias Pape. o libtls now handles 4 cipher suite groups: - "secure" (TLSv1.2+AEAD+PFS) - "compat" (HIGH:!aNULL) - "legacy" (HIGH:MEDIUM:!aNULL) - "insecure" (ALL:!aNULL:!eNULL) This allows for flexibility and finer grained control, rather than having two extremes (an issue raised by Marko Kreen some time ago). o Tightened error handling for tls_config_set_ciphers(). o libtls now always loads CA, key and certificate files at the time the configuration function is called. This simplifies code and results in a single memory based code path being used to provide data to libssl. o Added support for OCSP intermediate certificates. o Added X509_check_host(), X509_check_email(), X509_check_ip(), and X509_check_ip_asc() functions, via BoringSSL. o Added initial support for iOS, thanks to Jacob Berkman. o Improved behavior of arc4random on Windows when using memory leak analysis software. o Correctly handle an EOF that occurs prior to the TLS handshake completing. Reported by Vasily Kolobkov, based on a diff from Marko Kreen. o Limit the support of the "backward compatible" SSLv2 handshake to only be used if TLS 1.0 is enabled. o Fix incorrect results in certain cases on 64-bit systems when BN_mod_word() can return incorrect results. BN_mod_word() now can return an error condition. Thanks to Brian Smith. o Added constant-time updates to address CVE-2016-0702. o Fixed undefined behavior in BN_GF2m_mod_arr(). o Removed unused Cryptographic Message Support (CMS). o More conversions of long long idioms to time_t. o Improved compatibility by avoiding printing NULL strings with printf. o Reverted change that cleans up the EVP cipher context in EVP_EncryptFinal() and EVP_DecryptFinal(). Some software relies on the previous behaviour. o Avoid unbounded memory growth in libssl, which can be triggered by a TLS client repeatedly renegotiating and sending OCSP Status Request TLS extensions. o Avoid falling back to a weak digest for (EC)DH when using SNI with libssl. o X509_cmp_time() now passes a malformed GeneralizedTime field as an error. Reported by Theofilos Petsios. o Check for and handle failure of HMAC_{Update,Final} or EVP_DecryptUpdate(). o Massive update and normalization of manpages, conversion to mandoc format. Many pages were rewritten for clarity and accuracy. Portable doc links are up-to-date with a new conversion tool. o Curve25519 and TLS X25519 Key Exchange support. o Support for alternate chains for certificate verification. o Code cleanups, CBB conversions, further unification of DTLS/SSL handshake code, further ASN1 macro expansion and removal. o Private symbols are now hidden in libssl and libcrypto. o Friendly certificate verification error messages in libtls, peer verification is now always enabled. o Added OCSP stapling support to libtls and nc. o Added ocspcheck utility to validate a certificate against its OCSP responder and save the reply for stapling o Enhanced regression tests and error handling for libtls. o Added explicit constant and non-constant time BN functions, defaulting to constant time wherever possible. o Moved many leaked implementation details in public structs behind opaque pointers. o Added ticket support to libtls. o Added support for setting the supported EC curves via SSL{_CTX}_set1_groups{_list}() - also provide defines for the previous SSL{_CTX}_set1_curves{_list} names. This also changes the default list of curves to be X25519, P-256 and P-384. All other curves must be manually enabled. o Added -groups option to openssl(1) s_client for specifying the curves to be used in a colon-separated list. o Merged client/server version negotiation code paths into one, reducing much duplicate code. o Removed error function codes from libssl and libcrypto. o Fixed an issue where a truncated packet could crash via an OOB read. o Added SSL_OP_NO_CLIENT_RENEGOTIATION option that disallows client-initiated renegotiation. This is the default for libtls servers. o Avoid a side-channel cache-timing attack that can leak the ECDSA private keys when signing. This is due to BN_mod_inverse() being used without the constant time flag being set. Reported by Cesar Pereida Garcia and Billy Brumley (Tampere University of Technology). The fix was developed by Cesar Pereida Garcia. o iOS and MacOS compatibility updates from Simone Basso and Jacob Berkman. o Added the recallocarray(3) memory allocation function, and converted various places in the library to use it, such as CBB and BUF_MEM_grow. recallocarray(3) is similar to reallocarray. Newly allocated memory is cleared similar to calloc(3). Memory that becomes unallocated while shrinking or moving existing allocations is explicitly discarded by unmapping or clearing to 0. o Added new root CAs from SECOM Trust Systems / Security Communication of Japan. o Added EVP interface for MD5+SHA1 hashes. o Improved nc(1) TLS handshake CPU usage and server-side error reporting. o Added a constant time version of BN_gcd and use it default for BN_gcd to avoid the possibility of sidechannel timing attacks against RSA private key generation - Thanks to Alejandro Cabrera - mandoc 1.14.1 o New mandoc.db(5) file format: man(1), apropos(1), and makewhatis(8) no longer need SQLite3. o Much improved HTML output and CSS. o In man(1), internal searching with less(1) :t has been improved. o New mandoc(1) -mdoc -T markdown output mode (already a post-1.14.1 feature). - Ports and packages: o Many pre-built packages for each architecture: - alpha: 7413 - mips64: 8072 - amd64: 9714 - mips64el: 6880 - arm: 7501 - powerpc: 7703 - hppa: 6422 - sparc64: 8606 - i386: 9697 - Some highlights: o Afl 2.39b o Mutt 1.8.0 o Chromium 57.0.2987.133 o Node.js 6.10.1 o Emacs 21.4 and 24.5 o Ocaml 4.03.0 o GCC 4.9.4 o OpenLDAP 2.3.43 and 2.4.44 o GHC 7.10.3 o PHP 5.5.38, 5.6.30 and 7.0.16 o Gimp 2.8.18 o Postfix 3.2.0 and 3.3-20170218 o GNOME 3.22.2 o PostgreSQL 9.6.2 o Go 1.8 o Python 2.7.13, 3.4.5, 3.5.2 and o Groff 1.22.3 3.6.0 o JDK 7u80 and 8u121 o R 3.3.3 o KDE 3.5.10 and 4.14.3 (plus o Ruby 1.8.7.374, 2.1.9, 2.2.6, KDE4 core updates) 2.3.3 and 2.4.1 o LLVM/Clang 4.0.0 o Rust 1.16.0 o LibreOffice 5.2.4.2 o Sendmail 8.15.2 o Lua 5.1.5, 5.2.4, and 5.3.4 o SQLite 3.17.0 o MariaDB 10.0.30 o Sudo 1.8.19.2 o Mono 4.6.2.6 o Tcl/Tk 8.5.18 and 8.6.4 o Mozilla Firefox 52.0.2esr and o TeX Live 2015 52.0.2 o Vim 8.0.0388 o Mozilla Thunderbird 45.8.0 o Xfce 4.12 - As usual, steady improvements in manual pages and other documentation. - The system includes the following major components from outside suppliers: o Xenocara (based on X.Org 7.7 with xserver 1.18.3 + patches, freetype 2.7.1, fontconfig 2.12.1, Mesa 13.0.6, xterm 327, xkeyboard-config 2.20 and more) o LLVM/Clang 4.0.0 (+ patches) o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches) o Perl 5.24.1 (+ patches) o NSD 4.1.15 o Unbound 1.6.1 o Ncurses 5.7 o Binutils 2.17 (+ patches) o Gdb 6.3 (+ patches) o Awk Aug 10, 2011 version o Expat 2.1.1 If you'd like to see a list of what has changed between OpenBSD 6.0 and 6.1, look at http://www.OpenBSD.org/plus61.html Even though the list is a summary of the most important changes made to OpenBSD, it still is a very very long list. ------------------------------------------------------------------------ - SECURITY AND ERRATA -------------------------------------------------- We provide patches for known security threats and other important issues discovered after each release. Our continued research into security means we will find new security problems -- and we always provide patches as soon as possible. Therefore, we advise regular visits to http://www.OpenBSD.org/security.html and http://www.OpenBSD.org/errata.html ------------------------------------------------------------------------ - MAILING LISTS AND FAQ ------------------------------------------------ Mailing lists are an important means of communication among users and developers of OpenBSD. For information on OpenBSD mailing lists, please see: http://www.OpenBSD.org/mail.html You are also encouraged to read the Frequently Asked Questions (FAQ) at: http://www.OpenBSD.org/faq/ ------------------------------------------------------------------------ - DONATIONS ------------------------------------------------------------ The OpenBSD Project is volunteer-driven software group funded by donations. Besides OpenBSD itself, we also develop important software like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet filter, the quality work of our ports development process, and many others. This ecosystem is all handled under the same funding umbrella. We hope our quality software will result in contributions that maintain our build/development infrastructure, pay our electrical/internet costs, and allow us to continue operating very productive developer hackathon events. All of our developers strongly urge you to donate and support our future efforts. Donations to the project are highly appreciated, and are described in more detail at: http://www.OpenBSD.org/donations.html ------------------------------------------------------------------------ - OPENBSD FOUNDATION --------------------------------------------------- For those unable to make their contributions as straightforward gifts, the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian not-for-profit corporation that can accept larger contributions and issue receipts. In some situations, their receipt may qualify as a business expense write-off, so this is certainly a consideration for some organizations or businesses. There may also be exposure benefits since the Foundation may be interested in participating in press releases. In turn, the Foundation then uses these contributions to assist OpenBSD's infrastructure needs. Contact the foundation directors at directors@openbsdfoundation.org for more information. ------------------------------------------------------------------------ - RELEASE SONGS -------------------------------------------------------- Every OpenBSD release is accompanied by artwork and a song. OpenBSD 6.1 comes with the song "Winter of 95". Lyrics (and an explanation) of the song may be found at: http://www.OpenBSD.org/lyrics.html#61 ------------------------------------------------------------------------ - HTTP INSTALLS -------------------------------------------------------- OpenBSD can be easily installed via HTTP downloads. Typically you need a single small piece of boot media (e.g., a USB flash drive) and then the rest of the files can be installed from a number of locations, including directly off the Internet. Follow this simple set of instructions to ensure that you find all of the documentation you will need while performing an install via HTTP. 1) Read either of the following two files for a list of HTTP mirrors which provide OpenBSD, then choose one near you: http://www.OpenBSD.org/ftp.html http://ftp.openbsd.org/pub/OpenBSD/ftplist As of April 11, 2017, the following HTTP mirror sites have the 6.1 release: http://ftp.eu.openbsd.org/pub/OpenBSD/6.1/ Stockholm, Sweden http://ftp.bytemine.net/pub/OpenBSD/6.1/ Oldenburg, Germany http://ftp.ch.openbsd.org/pub/OpenBSD/6.1/ Zurich, Switzerland http://ftp.fr.openbsd.org/pub/OpenBSD/6.1/ Paris, France http://ftp5.eu.openbsd.org/pub/OpenBSD/6.1/ Vienna, Austria http://mirror.aarnet.edu.au/pub/OpenBSD/6.1/ Brisbane, Australia http://ftp.usa.openbsd.org/pub/OpenBSD/6.1/ CO, USA http://ftp5.usa.openbsd.org/pub/OpenBSD/6.1/ CA, USA http://mirror.esc7.net/pub/OpenBSD/6.1/ TX, USA The release is also available at the master site: http://ftp.openbsd.org/pub/OpenBSD/6.1/ Alberta, Canada However it is strongly suggested you use a mirror. Other mirror sites may take a day or two to update. 2) Connect to that HTTP mirror site and go into the directory pub/OpenBSD/6.1/ which contains these files and directories. This is a list of what you will see: ANNOUNCEMENT amd64/ luna88k/ sgi/ Changelogs/ arm64/ macppc/ sparc64/ README armv7/ octeon/ src.tar.gz SHA256 hppa/ packages/ sys.tar.gz SHA256.sig i386/ ports.tar.gz tools/ alpha/ landisk/ root.mail xenocara.tar.gz It is quite likely that you will want at LEAST the following files which apply to all the architectures OpenBSD supports. README - generic README root.mail - a copy of root's mail at initial login. (This is really worthwhile reading). 3) Read the README file. It is short, and a quick read will make sure you understand what else you need to fetch. 4) Next, go into the directory that applies to your architecture, for example, amd64. This is a list of what you will see: BOOTIA32.EFI* bsd* floppy61.fs pxeboot* BOOTX64.EFI* bsd.mp* game61.tgz xbase61.tgz BUILDINFO bsd.rd* index.txt xfont61.tgz INSTALL.amd64 cd61.iso install61.fs xserv61.tgz SHA256 cdboot* install61.iso xshare61.tgz SHA256.sig cdbr* man61.tgz base61.tgz comp61.tgz miniroot61.fs If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64 and install61.iso. The install61.iso file (roughly 220MB in size) is a one-step ISO-format install CD image which contains the various *.tgz files so you do not need to fetch them separately. If you prefer to use a USB flash drive, fetch install61.fs and follow the instructions in INSTALL.amd64. 5) If you are an expert, follow the instructions in the file called README; otherwise, use the more complete instructions in the file called INSTALL.amd64. INSTALL.amd64 may tell you that you need to fetch other files. 6) Just in case, take a peek at: http://www.OpenBSD.org/errata.html This is the page where we talk about the mistakes we made while creating the 6.1 release, or the significant bugs we fixed post-release which we think our users should have fixes for. Patches and workarounds are clearly described there. ------------------------------------------------------------------------ - X.ORG FOR MOST ARCHITECTURES ----------------------------------------- X.Org has been integrated more closely into the system. This release contains X.Org 7.7. Most of our architectures ship with X.Org, including amd64, sparc64 and macppc. During installation, you can install X.Org quite easily. Be sure to try out xenodm(1), our new, simplified X11 display manager forked from xdm(1). ------------------------------------------------------------------------ - PACKAGES AND PORTS --------------------------------------------------- Many third party software applications have been ported to OpenBSD and can be installed as pre-compiled binary packages on the various OpenBSD architectures. Please see http://www.openbsd.org/faq/faq15.html for more information on working with packages and ports. Note: a few popular ports, e.g., NSD, Unbound, and several X applications, come standard with OpenBSD and do not need to be installed separately. ------------------------------------------------------------------------ - SYSTEM SOURCE CODE --------------------------------------------------- The source code for all four subsystems can be found in the pub/OpenBSD/6.1/ directory: xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz The README (http://ftp.OpenBSD.org/pub/OpenBSD/6.1/README) file explains how to deal with these source files. ------------------------------------------------------------------------ - THANKS --------------------------------------------------------------- Ports tree and package building by Pierre-Emmanuel Andre, Landry Breuil, Visa Hankala, Stuart Henderson, Peter Hessler, Paul Irofti, and Christian Weisgerber. Base and X system builds by Kenji Aoyama, Theo de Raadt, Jonathan Gray, and Visa Hankala. We would like to thank all of the people who sent in bug reports, bug fixes, donation cheques, and hardware that we use. We would also like to thank those who bought our previous CD sets. Those who did not support us financially have still helped us with our goal of improving the quality of the software. Our developers are: Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall, Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov, Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot, Benoit Lecocq, Bob Beck, Brandon Mercer, Brent Cook, Bret Lambert, Bryan Steele, Can Erkin Acar, Charles Longeau, Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann, Claudio Jeker, Dale Rahn, Damien Miller, Daniel Boulet, Daniel Dickman, Daniel Jakots, Darren Tucker, David Coppa, David Gwynne, David Hill, Dmitrij Czarkoff, Doug Hogan, Edd Barrett, Eric Faurot, Florian Obser, Frederic Cambus, Gerhard Roth, Giannis Tsaraias, Gilles Chehade, Giovanni Bechis, Gleydson Soares, Gonzalo L. Rodriguez, Henning Brauer, Ian Darwin, Igor Sobrado, Ingo Feinerer, Ingo Schwarze, Inoguchi Kinichiro, James Turner, Jason McIntyre, Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray, Jonathan Matthew, Joris Vink, Joshua Stein, Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama, Kenneth R Westerback, Kent R. Spillner, Kirill Bychkov, Kurt Miller, Landry Breuil, Lawrence Teo, Luke Tymowski, Marc Espie, Marcus Glocker, Mark Kettenis, Mark Lumsden, Markus Friedl, Martijn van Duren, Martin Natano, Martin Pieuchot, Martynas Venckus, Mats O Jansson, Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michal Mazurek, Mike Belopuhov, Mike Larkin, Miod Vallat, Nayden Markatchev, Nicholas Marriott, Nigel Taylor, Okan Demirmen, Otto Moerbeek, Pascal Stumpf, Patrick Wildt, Paul Irofti, Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre, Rafael Zalamena, Remi Pointel, Renato Westphal, Reyk Floeter, Ricardo Mestre, Richard Procter, Robert Nagy, Robert Peichaer, Sasano Takayoshi, Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie, Stefan Fritsch, Stefan Kempf, Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler, Theo de Raadt, Tim van der Molen, Tobias Stoeckmann, Todd C. Miller, Tom Cosgrove, Ulf Brosziewski, Vadim Zhukov, Vincent Gross, Visa Hankala, Yasuoka Masahiko, Yojiro Uo