<!doctype html>
<html lang=en id=release>
<meta charset=utf-8>
<title>OpenBSD 6.3</title>
<meta name="description" content="OpenBSD 6.3">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/63.html">
<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
6.3
</h2>
<table>
<tr>
<td>
<a href="images/Harry.gif">
<img width="227" height="343" src="images/Harry.gif" alt="Harry"></a>
<td>
Released Apr 15, 2018<br>
Copyright 1997-2018, Theo de Raadt.<br>
<br>
<br>
Artwork by Sam Hester.<br>
<ul>
<li>See the information on <a href="ftp.html">the FTP page</a> for
a list of mirror machines.
<li>Go to the <code class=reldir>pub/OpenBSD/6.3/</code> directory on
one of the mirror sites.
<li>Have a look at <a href="errata63.html">the 6.3 errata page</a> for a list
of bugs and workarounds.
<li>See a <a href="plus63.html">detailed log of changes</a> between the
6.2 and 6.3 releases.
<p>
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
pubkeys for this release:<p>
<table class=signify>
<tr><td>
openbsd-63-base.pub:
<td>
RWRxzbLwAd76ZZxHU7wuIFUOVGwl6SjNNzanKWTql8w+hui7WLE/72mW
<tr><td>
openbsd-63-fw.pub:
<td>
RWT3tdmiAc+DH/CJOxPFT10kUM90/UcLTgSEUEKzhKm9QEhy+UD4CWPy
<tr><td>
openbsd-63-pkg.pub:
<td>
RWT58k1AWz/zZO9DHcPHXiHhDNP6hdwGjxNkyMoc/sh4O5NI8Zz1R1lD
</table>
</ul>
<p>
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via <code>ports.tar.gz</code>.
</table>
<hr>
<section id=new>
<h3>What's New</h3>
<p>
This is a partial list of new features and systems included in OpenBSD 6.3.
For a comprehensive list, see the <a href="plus63.html">changelog</a> leading
to 6.3.
<ul>
<li>Improved hardware support, including:
<ul>
<li>SMP support on OpenBSD/arm64 platforms.
<li>VFP and NEON support on OpenBSD/armv7 platforms.
<li>New <a href="https://man.openbsd.org/acrtc.4">acrtc(4)</a> driver
for X-Powers AC100 audio codec and Real Time Clock.
<li>New <a href="https://man.openbsd.org/axppmic.4">axppmic(4)</a> driver
for X-Powers AXP Power Management ICs.
<li>New <a href="https://man.openbsd.org/bcmrng.4">bcmrng(4)</a> driver
for Broadcom BCM2835/BCM2836/BCM2837 random number generator.
<li>New <a href="https://man.openbsd.org/bcmtemp.4">bcmtemp(4)</a> driver
for Broadcom BCM2835/BCM2836/BCM2837 temperature monitor.
<li>New <a href="https://man.openbsd.org/bgw.4">bgw(4)</a> driver
for Bosch motion sensor.
<li>New <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> driver
for Broadcom and Cypress FullMAC 802.11 devices (still experimental and not compiled into the kernel by default).
<li>New <a href="https://man.openbsd.org/efi.4">efi(4)</a> driver
for EFI runtime services.
<li>New <a href="https://man.openbsd.org/imxanatop.4">imxanatop(4)</a> driver
for i.MX6 integrated regulator.
<li>New <a href="https://man.openbsd.org/rkpcie.4">rkpcie(4)</a> driver
for Rockchip RK3399 Host/PCIe bridge.
<li>New <a href="https://man.openbsd.org/sxirsb.4">sxirsb(4)</a> driver
for Allwinner Reduced Serial Bus controller.
<li>New <a href="https://man.openbsd.org/sxitemp.4">sxitemp(4)</a> driver
for Allwinner temperature monitor.
<li>New <a href="https://man.openbsd.org/sxits.4">sxits(4)</a> driver
for temperature sensor on Allwinner A10/A20 touchpad controller.
<li>New <a href="https://man.openbsd.org/sxitwi.4">sxitwi(4)</a> driver
for two-wire bus found on several Allwinner SoCs.
<li>New <a href="https://man.openbsd.org/sypwr.4">sypwr(4)</a> driver
for the Silergy SY8106A regulator.
<li>Support for Rockchip RK3328 SoCs has been added to the
<a href="https://man.openbsd.org/dwge.4">dwge(4)</a>,
<a href="https://man.openbsd.org/rkgrf.4">rkgrf(4)</a>,
<a href="https://man.openbsd.org/rkclock.4">rkclock(4)</a> and
<a href="https://man.openbsd.org/rkpinctrl.4">rkpinctrl(4)</a>
drivers.
<li>Support for Rockchip RK3288/RK3328 SoCs has been added to the
<a href="https://man.openbsd.org/rktemp.4">rktemp(4)</a>
driver.
<li>Support for Allwinner A10/A20, A23/A33, A80 and R40/V40
SoCs has been added to the
<a href="https://man.openbsd.org/sxiccmu.4">sxiccmu(4)</a> driver.
<li>Support for Allwinner A33, GR8 and R40/V40 SoCs has been
added to the
<a href="https://man.openbsd.org/sxipio.4">sxipio(4)</a> driver.
<li>Support for SAS3.5 MegaRAIDs has been added to the
<a href="https://man.openbsd.org/mfii.4">mfii(4)</a> driver.
<li>Support for Intel Cannon Lake and Ice Lake integrated Ethernet
has been added to the
<a href="https://man.openbsd.org/em.4">em(4)</a> driver.
<li><a href="https://man.openbsd.org/cnmac.4">cnmac(4)</a> ports are now
assigned to different CPU cores for distributed interrupt processing.
<li>The <a href="https://man.openbsd.org/pms.4">pms(4)</a> driver now
detects and handles reset announcements.
<li>On amd64 Intel CPU microcode is loaded on boot and installed/updated by
<a href="https://man.openbsd.org/fw_update.1">fw_update(1)</a>.
<li>Support the sun4v hypervisor interrupt cookie API, adding support
for SPARC T7-1/2/4 machines.
<li>Hibernate support has been added for SD/MMC storage attached to
<a href="https://man.openbsd.org/sdhc.4">sdhc(4)</a> controllers.
<li><a href="https://man.openbsd.org/clang.1">clang(1)</a>
is now used as the system compiler on armv7,
and it is also provided on sparc64.
</ul>
<li><a href="https://man.openbsd.org/amd64/vmm.4">vmm(4)</a>/
<a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> improvements:
<ul>
<li>Add CD-ROM/DVD ISO support to <a
href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> via <a
href="https://man.openbsd.org/vioscsi.4">vioscsi(4)</a>.
<li><a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> no longer
creates an underlying bridge interface for virtual switches defined in
<a href="https://man.openbsd.org/amd64/vm.conf.5">vm.conf(5)</a>.
<li><a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> receives
switch information (rdomain, etc.) from the underlying switch interface in
conjunction with settings in <a
href="https://man.openbsd.org/amd64/vm.conf.5">vm.conf(5)</a>.
<li>Time Stamp Counter (TSC) support in guest VMs.
<li>Support ukvm/Solo5 unikernels in
<a href="https://man.openbsd.org/amd64/vmm.4">vmm(4)</a>.
<li>Handle valid (but uncommon) instruction encodings better.
<li>Better PAE paging support for 32-bit Linux guest VMs.
<li><a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> now allows up
to four network interfaces in each VM.
<li>Add paused migration and snapshotting support to <a
href="https://man.openbsd.org/amd64/vmm.4">vmm(4)</a> for AMD SVM/RVI
hosts.
<li>BREAK commands sent over a
<a href="https://man.openbsd.org/pty.4">pty(4)</a> are now understood by
<a href="https://man.openbsd.org/vmd.8">vmd(8)</a>.
<li>Many fixes to <a href="https://man.openbsd.org/amd64/vmctl.8">vmctl(8)</a>
and <a href="https://man.openbsd.org/amd64/vmd.8">vmd(8)</a> error handling.
</ul>
<li>IEEE 802.11 wireless stack improvements:
<ul>
<li>The <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> and
<a href="https://man.openbsd.org/iwn.4">iwn(4)</a> drivers will
automatically roam between access points which share an ESSID.
Forcing a particular AP's MAC address with ifconfig's <b>bssid</b>
command disables roaming.
<li>Automatically clear configured WEP/WPA keys when a new network ESSID
is configured.
<li>Removed the ability for userland to read configured WEP/WPA keys back
from the kernel.
<li>The <a href="https://man.openbsd.org/iwm.4">iwm(4)</a> driver can now
connect to networks with a hidden SSID.
<li>USB devices supported by the
<a href="https://man.openbsd.org/athn.4">athn(4)</a> driver
now use an open source firmware, and hostap mode now works with
these devices.
</ul>
<li>Generic network stack improvements:
<ul>
<li>The network stack no longer runs with the KERNEL_LOCK() when IPsec is
enabled.
<li>Processing of incoming TCP/UDP packets is now done without
KERNEL_LOCK().
<li>The socket splicing task runs without KERNEL_LOCK().
<li>Cleanup and removal of code in sys/netinet6 since autoconfiguration
runs in userland now.
<li><a href="https://man.openbsd.org/bridge.4">bridge(4)</a> members can
now be prevented from talking to each other with the new <b>protected</b>
option.
<li>The pf divert-packet feature has been simplified.
The IP_DIVERTFL socket option has been removed from <a
href="https://man.openbsd.org/divert.4">divert(4)</a>.
<li>Various corner cases of pf divert-to and divert-reply are
more consistent now.
<li>Enforce in <a href="https://man.openbsd.org/pf.4">pf(4)</a>
that all neighbor discovery packets have 255 in their IPv6
header hop limit field.
<li>New <code>set syncookies</code> option in
<a href="https://man.openbsd.org/pf.conf.5">pf.conf(5)</a>.
<li>Support for GRE over IPv6.
<li>New <a href="https://man.openbsd.org/egre.4">egre(4)</a>
driver for Ethernet over GRE tunnels.
<li>Support for the optional GRE key header and GRE key entropy in
<a href="https://man.openbsd.org/gre.4">gre(4)</a> and
<a href="https://man.openbsd.org/egre.4">egre(4)</a>.
<li>New <a href="https://man.openbsd.org/nvgre.4">nvgre(4)</a>
driver for Network Virtualization using Generic Routing Encapsulation.
<li>Support for configuring the Don't Fragment flag on packets encapsulated
by tunnel interfaces.
</ul>
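<p>An added example, not pf(4) source and not part of the original release notes: a minimal form of the neighbor discovery hop-limit rule listed above. RFC 4861 requires hop limit 255 on these messages so that a packet forwarded by any router (which decrements the field) cannot pass as on-link. The function names and the sample packets are constructed for illustration.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP6_HDRLEN     40
#define PROTO_HOPOPTS   0
#define PROTO_ROUTING  43
#define PROTO_ICMPV6   58
#define PROTO_DSTOPTS  60
#define ND_TYPE_FIRST 133	/* router solicitation */
#define ND_TYPE_LAST  137	/* redirect */

enum nd_verdict { ND_NOT_ND, ND_OK, ND_BLOCK };

/*
 * Classify one raw IPv6 packet.  Malformed or truncated input is blocked
 * (fail closed); packets that are not neighbor discovery are left to the
 * rest of the ruleset.
 */
enum nd_verdict
nd_hoplimit_check(const uint8_t *pkt, size_t len)
{
	size_t off = IP6_HDRLEN, extlen;
	uint8_t nxt, hlim;

	if (len < IP6_HDRLEN || (pkt[0] >> 4) != 6)
		return ND_BLOCK;
	nxt = pkt[6];
	hlim = pkt[7];

	/* Skip extension headers that share the (next, length) layout. */
	while (nxt == PROTO_HOPOPTS || nxt == PROTO_ROUTING ||
	    nxt == PROTO_DSTOPTS) {
		if (len - off < 8)
			return ND_BLOCK;
		extlen = ((size_t)pkt[off + 1] + 1) * 8;
		if (extlen > len - off)
			return ND_BLOCK;
		nxt = pkt[off];
		off += extlen;
	}
	if (nxt != PROTO_ICMPV6)
		return ND_NOT_ND;
	if (len - off < 4)		/* type, code, checksum */
		return ND_BLOCK;
	if (pkt[off] < ND_TYPE_FIRST || pkt[off] > ND_TYPE_LAST)
		return ND_NOT_ND;
	return hlim == 255 ? ND_OK : ND_BLOCK;
}

/* Build a constructed packet (addresses and checksum left zero). */
static size_t
build_pkt(uint8_t *buf, uint8_t hlim, uint8_t icmp_type, int with_dstopts)
{
	size_t off = IP6_HDRLEN;

	memset(buf, 0, 64);
	buf[0] = 0x60;			/* version 6 */
	buf[7] = hlim;
	if (with_dstopts) {
		buf[6] = PROTO_DSTOPTS;
		buf[off] = PROTO_ICMPV6;	/* next header */
		buf[off + 1] = 0;		/* 8 bytes in total */
		buf[off + 2] = 1;		/* PadN option */
		buf[off + 3] = 4;		/* four bytes of padding */
		off += 8;
	} else
		buf[6] = PROTO_ICMPV6;
	buf[off] = icmp_type;
	off += 8;			/* ICMPv6 header plus 4 body bytes */
	buf[5] = (uint8_t)(off - IP6_HDRLEN);	/* payload length */
	return off;
}

enum nd_verdict
nd_demo(uint8_t hlim, uint8_t icmp_type, int with_dstopts)
{
	uint8_t buf[64];
	size_t len = build_pkt(buf, hlim, icmp_type, with_dstopts);

	return nd_hoplimit_check(buf, len);
}

int
main(void)
{
	printf("NS, hlim 255: %d\n", nd_demo(255, 135, 0));
	printf("NS, hlim 64: %d\n", nd_demo(64, 135, 0));
	printf("echo request, hlim 64: %d\n", nd_demo(64, 128, 0));
	printf("RA behind dstopts, hlim 254: %d\n", nd_demo(254, 134, 1));
	return 0;
}
```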
<li>Installer improvements:
<ul>
<li>if install.site or upgrade.site fails, notify the user and error out
after storing rand.seed.
<li>allow CIDR notation when entering IPv4 and IPv6 addresses.
<li>repair selection of a HTTP mirror from the list of mirrors.
<li>allow '-' in usernames.
<li>ask a question at the end of the install/upgrade process so
carriage return causes the appropriate action, e.g. reboot.
<li>display the mode (install or upgrade) in shell prompts as
long as no hostname is known.
<li>correctly detect which interface has the default route and if it was
configured via DHCP.
<li>ensure sets can be read from the prefetch area.
<li>ensure URL redirection is effective for entire install/upgrade.
<li>add the HTTP proxy used when fetching sets to rc.firsttime, where
fw_update and syspatch can find and use it.
<li>add logic to support RFC 7217 with SLAAC.
<li>ensure that IPv6 is configured for dynamically created network
interfaces like <a href="https://man.openbsd.org/vlan.4">vlan(4)</a>.
<li>create correct hostname when both domain-name and
domain-search options are provided in the DHCP lease.
</ul>
<li>Routing daemons and other userland network improvements:
<ul>
<li><a href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> has a new
<b>ssv</b> option which outputs rib entries as a single semicolon-separated
line for selection before output.
<li><a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> generates
random but stable IPv6 stateless autoconfiguration addresses according
to RFC 7217.
These are enabled per default in accordance with RFC 8064.
<li><a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a> follows
RFC 4862 by removing an artificial limitation on /64 sized prefixes
using RFC 7217 (random but stable) and RFC 4941 (privacy) style
stateless autoconfiguration addresses.
<li><a href="https://man.openbsd.org/ospfd.8">ospfd(8)</a> can now set the
metric for a route depending on the status of an interface.
<li><a href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> has a new
<b>staticarp</b> option to make interfaces reply to ARP requests only.
<li><a href="https://man.openbsd.org/ipsecctl.8">ipsecctl(8)</a> can now
collapse flow outputs having the same source or destination.
<li>The <code>-n</code> option in
<a href="https://man.openbsd.org/netstart.8">netstart(8)</a> no longer
messes with the default route.
It is now documented as well.
</ul>
<li>Security improvements:
<ul>
<li>Use even more trap-sleds on various architectures.
<li>More use of .rodata for constant variables in assembly source.
<li>Stop using x86 "repz ret" in dusty corners of the tree.
<li>Introduce "execpromises" in
<a href="https://man.openbsd.org/pledge.2">pledge(2)</a>.
<li>The elfrdsetroot utility used to build ramdisks and the
<a href="https://man.openbsd.org/rebound">rebound(8)</a>
monitoring process now use
<a href="https://man.openbsd.org/pledge.2">pledge(2)</a>.
<li>Prepare for the introduction of <b>MAP_STACK</b> to
<a href="https://man.openbsd.org/mmap.2">mmap(2)</a> after 6.3.
<li>Push a small piece of KARL-linked kernel text into the random
number generator as entropy at startup.
<li>Put a small random gap at the top of thread stacks, so that attackers
have yet another calculation to perform for their ROP work.
<li>Mitigation for Meltdown vulnerability for Intel brand amd64 CPUs.
<li>OpenBSD/arm64 now uses kernel page table isolation to mitigate
Spectre variant 3 (Meltdown) attacks.
<li>OpenBSD/armv7 and OpenBSD/arm64 now flush the Branch Target Buffer
(BTB) on processors that do speculative execution to
mitigate Spectre variant 2 attacks.
<li><a href="https://man.openbsd.org/pool_get.9">pool_get(9)</a> perturbs
the order of items on newly allocated pages, making the kernel heap
layout harder to predict.
<li>The
<a href="https://man.openbsd.org/OpenBSD-6.2/ktrace.2">fktrace(2)</a>
system call was deleted.
</ul>
<li><a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a> improvements:
<ul>
<li>Parsing <a href="https://man.openbsd.org/dhclient.conf.5">
dhclient.conf(5)</a> no longer leaks SSID strings, strings that are
too long for the parsing buffer or repeated string options and commands.
<li>Storing leases in <a href="https://man.openbsd.org/dhclient.conf.5">
dhclient.conf(5)</a> is no longer supported.
<li>'DENY' is no longer valid in <a href="https://man.openbsd.org/dhclient.conf.5">
dhclient.conf(5)</a>.
<li><a href="https://man.openbsd.org/dhclient.conf.5">
dhclient.conf(5)</a> and
<a href="https://man.openbsd.org/dhclient.leases.5">
dhclient.leases(5)</a>
parsing error messages have been simplified and clarified, with
improved behaviour in the presence of unexpected semicolons.
<li>More care is taken to only use configuration information that was
successfully parsed.
<li>'-n' has been added, which causes
<a href="https://man.openbsd.org/dhclient.8">
dhclient(8)</a> to exit after parsing
<a href="https://man.openbsd.org/dhclient.conf.5">
dhclient.conf(5)</a>.
<li>Default routes in options classless-static-routes (121) and
classless-ms-static-routes (249) are now correctly represented in
<a href="https://man.openbsd.org/dhclient.leases.5">
dhclient.leases(5)</a> files.
<li>Overwrite the file specified with '-L' rather than appending to it.
<li>Leases in <a href="https://man.openbsd.org/dhclient.leases.5">
dhclient.leases(5)</a> now contain an 'epoch' attribute recording
the time the lease was accepted, which is used to calculate correct
renewal, rebinding and expiry times.
<li>No longer nag about underscores in names violating RFC 952.
<li>Unconditionally send host-name information when
requesting a lease, eliminating the need for
<a href="https://man.openbsd.org/dhclient.conf.5">
dhclient.conf(5)</a> in the default installation.
<li>Be quiet by default. '-q' has been removed and '-v' added to
enable verbose logging.
<li>Decline duplicate offers for the requested address.
<li>Unconditionally go into the background after link-timeout seconds.
<li>Significantly reduce logging when being quiet, but make '-v' log
all debug information without needing to compile a custom executable.
<li>Ignore 'interface' statements in
<a href="https://man.openbsd.org/dhclient.leases.5">
dhclient.leases(5)</a> and assume all leases in the file are
for the interface being configured.
<li>Display the source of the lease bound to the interface.
<li>'ignore', 'request' and 'require' declarations in
<a href="https://man.openbsd.org/dhclient.conf.5">
dhclient.conf(5)</a> now add the specified options to the relevant
list rather than replacing the list.
<li>Eliminate a startup race that could result in
<a href="https://man.openbsd.org/dhclient.8">
dhclient(8)</a> exiting without configuring the interface.
</ul>
<li>Assorted improvements:
<ul>
<li>Code reorganization and other improvements to
<a href="https://man.openbsd.org/malloc.3">malloc(3)</a>
and friends to make them more efficient.
<li>When performing suspend or hibernate operations, ensure all filesystems
are properly synchronized and marked clean, or if they cannot be
put into perfectly clean state on disk (due to open+unlinked files)
then mark them dirty, so that a failed resume/unhibernate is guaranteed
to perform <a href="https://man.openbsd.org/fsck.8">fsck(8)</a>.
<li><a href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>
autodetects the agreement URL and follows 30x HTTP redirects.
<li>Added __cxa_thread_atexit() to support modern C++ tool chains.
<li>Added EVFILT_DEVICE support to
<a href="https://man.openbsd.org/kqueue.2">kqueue(2)</a> for
monitoring changes to
<a href="https://man.openbsd.org/drm.4">drm(4)</a> devices.
<li><a href="https://man.openbsd.org/ldexp.3">ldexp(3)</a> now handles
the sign of denormal numbers correctly on mips64.
<li>New <a href="https://man.openbsd.org/sincos.3">sincos(3)</a>
functions in libm.
<li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> now ensures the
validity of MBR partition offsets entered while editing.
<li><a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a> now ensures that
default values lie within the valid range.
<li><a href="https://man.openbsd.org/less.1">less(1)</a> now splits only
the environment variable LESS on '$'.
<li><a href="https://man.openbsd.org/less.1">less(1)</a> no longer creates
a spurious file when encountering '$' in the initial command.
<li><a href="https://man.openbsd.org/softraid.4">softraid(4)</a> now validates
the number of chunks when assembling a volume, ensuring the on-disk
and in-memory metadata are in sync.
<li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> now
always offers to edit an FFS partition's fragment size before offering to
edit the blocksize.
<li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> now
allows editing the cylinders/group (cpg) attribute whenever the partition
blocksize can be edited.
<li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> now
detects ^D and invalid input during (R)esize commands.
<li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> now
detects underflows and overflows when -/+ operators are used.
<li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> now
avoids an off-by-one when calculating the number of cylinders in a free
chunk.
<li><a href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> now
validates the requested partition size against the size of the largest free
chunk instead of the total free space.
<li>Support for dumping USB transfers via
<a href="https://man.openbsd.org/bpf.4">bpf(4)</a>.
<li><a href="https://man.openbsd.org/tcpdump.8">tcpdump(8)</a> can now
understand dumps of USB transfers in the
<a href="http://desowin.org/usbpcap/captureformat.html">USBPcap</a>
format.
<li>The default prompts of <a href="https://man.openbsd.org/csh.1">csh(1)</a>,
<a href="https://man.openbsd.org/ksh.1">ksh(1)</a> and
<a href="https://man.openbsd.org/sh.1">sh(1)</a> now include the hostname.
<li>Memory allocation in
<a href="https://man.openbsd.org/ksh.1">ksh(1)</a> was switched from
<a href="https://man.openbsd.org/calloc.3">calloc(3)</a> back to
<a href="https://man.openbsd.org/malloc.3">malloc(3)</a>,
making it easier to recognize uninitialized memory.
As a result, a history-related bug in emacs editing mode was discovered
and fixed.
<li>New <a href="https://man.openbsd.org/script.1">script(1)</a>
<code>-c</code> option to run a command instead of a shell.
<li>New <a href="https://man.openbsd.org/grep.1">grep(1)</a>
<code>-m</code> option to limit the number of matches.
<li>New <a href="https://man.openbsd.org/uniq.1">uniq(1)</a>
<code>-i</code> option for case-insensitive comparison.
<li>The <a href="https://man.openbsd.org/printf.3">printf(3)</a> format
string is no longer validated when looking for <code>%</code> formats.
Based on a commit by Android and following most other operating systems.
<li>Improved error checking in
<a href="https://man.openbsd.org/vfwprintf.3">vfwprintf(3)</a>.
<li>Many base programs have been audited and fixed for stale file descriptors,
including
<a href="https://man.openbsd.org/cron.8">cron(8)</a>,
<a href="https://man.openbsd.org/ftp.1">ftp(1)</a>,
<a href="https://man.openbsd.org/mandoc.1">mandoc(1)</a>,
<a href="https://man.openbsd.org/openssl.1">openssl(1)</a>,
<a href="https://man.openbsd.org/ssh.1">ssh(1)</a> and
<a href="https://man.openbsd.org/sshd.8">sshd(8)</a>.
<li>Various bug fixes and improvements in
<a href="https://man.openbsd.org/jot.1">jot(1)</a>:
<ul>
<li>Arbitrary length limits for the arguments for the
<code>-b</code>, <code>-s</code>, <code>-w</code> options were removed.
<li>The <code>%F</code> format specifier is now supported and a bug
in the <code>%D</code> format was fixed.
<li>Better code coverage in regression tests.
<li>Several buffer overruns were fixed.
</ul>
<li>The <a href="https://man.openbsd.org/patch.1">patch(1)</a> utility now
copes better with git diffs that create or delete files.
<li><a href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a>
now has improved support for HTTP(S) redirectors such as
<i>cdn.openbsd.org</i>.
<li><a href="https://man.openbsd.org/ftp.1">ftp(1)</a> and
<a href="https://man.openbsd.org/pkg_add.1">pkg_add(1)</a>
now support HTTPS session resumption for improved speed.
<li><a href="https://man.openbsd.org/mandoc.1">mandoc(1)</a>
<code>-T ps</code> output file size reduced by more than 50%.
<li><a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
logs if there were warnings during startup.
<li><a href="https://man.openbsd.org/syslogd.8">syslogd(8)</a>
stopped logging to files in a full filesystem. Now it
writes a warning and continues after space has been made
available.
<li><a href="https://man.openbsd.org/vmt.4">vmt(4)</a> now allows cloning and
taking disk-only snapshots of running guests.
</ul>
<li>OpenSMTPD 6.0.4
<ul>
<li>Add <b>spf walk</b> option to
<a href="https://man.openbsd.org/smtpctl.8">smtpctl(8)</a>.
<li>Assorted cleanups and improvements.
<li>Numerous manual page fixes and improvements.
</ul>
<li>OpenSSH 7.7
<ul>
<li>New/changed features:
<ul>
<li>All: Add experimental support for PQC XMSS keys (Extended Hash-Based
Signatures) based on the algorithm described in
<a href="https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12">https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12</a>.
The XMSS signature code is experimental and not compiled in by
default.
<li>sshd(8): Add a "rdomain" criteria for the sshd_config Match keyword
to allow conditional configuration that depends on which routing
domain a connection was received on (currently supported on OpenBSD
and Linux).
<li>sshd_config(5): Add an optional rdomain qualifier to the
ListenAddress directive to allow listening on different routing
domains. This is supported only on OpenBSD and Linux at present.
<li>sshd_config(5): Add RDomain directive to allow the authenticated
session to be placed in an explicit routing domain. This is only
supported on OpenBSD at present.
<li>sshd(8): Add "expiry-time" option for authorized_keys files to
allow for expiring keys.
<li>ssh(1): Add a BindInterface option to allow binding the outgoing
connection to an interface's address (basically a more usable
BindAddress).
<li>ssh(1): Expose device allocated for tun/tap forwarding via a new
%T expansion for LocalCommand. This allows LocalCommand to be used
to prepare the interface.
<li>sshd(8): Expose the device allocated for tun/tap forwarding via a
new SSH_TUNNEL environment variable. This allows automatic setup of
the interface and surrounding network configuration on
the server.
<li>ssh(1)/scp(1)/sftp(1): Add URI support to ssh, sftp and scp, e.g.
ssh://user@host or sftp://user@host/path. Additional connection
parameters described in draft-ietf-secsh-scp-sftp-ssh-uri-04 are not
implemented since the ssh fingerprint format in the draft uses the
deprecated MD5 hash with no way to specify any other algorithm.
<li>ssh-keygen(1): Allow certificate validity intervals that specify
only a start or stop time (instead of both or neither).
<li>sftp(1): Allow "cd" and "lcd" commands with no explicit path
argument. lcd will change to the local user's home directory as
usual. cd will change to the starting directory for session (because
the protocol offers no way to obtain the remote user's home
directory). bz#2760
<li>sshd(8): When doing a config test with sshd -T, only require the
attributes that are actually used in Match criteria rather than (an
incomplete list of) all criteria.
</ul>
<li>The following significant bugs have been fixed in this release:
<ul>
<li>ssh(1)/sshd(8): More strictly check signature types during key
exchange against what was negotiated. Prevents downgrade of RSA
signatures made with SHA-256/512 to SHA-1.
<li>sshd(8): Fix support for clients that advertise a protocol version
of "1.99" (indicating that they are prepared to accept both SSHv1 and
SSHv2). This was broken in OpenSSH 7.6 during the removal of SSHv1
support. bz#2810
<li>ssh(1): Warn when the agent returns a ssh-rsa (SHA1) signature when
a rsa-sha2-256/512 signature was requested. This condition is possible
when an old or non-OpenSSH agent is in use. bz#2799
<li>ssh-agent(1): Fix regression introduced in 7.6 that caused ssh-agent
to fatally exit if presented an invalid signature request message.
<li>sshd_config(5): Accept yes/no flag options case-insensitively, as
has been the case in ssh_config(5) for a long time. bz#2664
<li>ssh(1): Improve error reporting for failures during connection.
Under some circumstances misleading errors were being shown. bz#2814
<li>ssh-keyscan(1): Add -D option to allow printing of results directly
in SSHFP format. bz#2821
<li>regress tests: fix PuTTY interop test broken in last release's SSHv1
removal. bz#2823
<li>ssh(1): Compatibility fix for some servers that erroneously drop the
connection when the IUTF8 (RFC8160) option is sent.
<li>scp(1): Disable RemoteCommand and RequestTTY in the ssh session
started by scp (sftp was already doing this.)
<li>ssh-keygen(1): Refuse to create a certificate with an unusable
number of principals.
<li>ssh-keygen(1): Fatally exit if ssh-keygen is unable to write all the
public key during key generation. Previously it would silently
ignore errors writing the comment and terminating newline.
<li>ssh(1): Do not modify hostname arguments that are addresses by
automatically forcing them to lower-case. Instead canonicalise them
to resolve ambiguities (e.g. ::0001 => ::1) before they are matched
against known_hosts. bz#2763
<li>ssh(1): Don't accept junk after "yes" or "no" responses to hostkey
prompts. bz#2803
<li>sftp(1): Have sftp print a warning about shell cleanliness when
decoding the first packet fails, which is usually caused by shells
polluting stdout of non-interactive startups. bz#2800
<li>ssh(1)/sshd(8): Switch timers in packet code from using wall-clock
time to monotonic time, allowing the packet layer to better function
over a clock step and avoiding possible integer overflows during
steps.
<li>Numerous manual page fixes and improvements.
</ul>
</ul>
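<p>An added example, not OpenSSH source and not part of the original release notes: the kind of check behind the first bug fix above, where a signature labelled with a different algorithm than the negotiated one (for instance <code>ssh-rsa</code> when <code>rsa-sha2-256</code> was agreed) is refused before any verification is attempted. It relies on the SSH wire encoding of a signature as two length-prefixed strings (format name, then signature bytes); the function names and the sample signature bytes are constructed for illustration.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum sig_verdict { SIG_OK = 0, SIG_MALFORMED = -1, SIG_ALG_MISMATCH = -2 };

/* Read one SSH "string": uint32 big-endian length, then that many bytes. */
static int
get_string(const uint8_t *buf, size_t len, size_t *off,
    const uint8_t **s, size_t *slen)
{
	uint32_t n;

	if (len - *off < 4)
		return -1;
	n = ((uint32_t)buf[*off] << 24) | ((uint32_t)buf[*off + 1] << 16) |
	    ((uint32_t)buf[*off + 2] << 8) | (uint32_t)buf[*off + 3];
	*off += 4;
	if (n > len - *off)
		return -1;
	*s = buf + *off;
	*slen = n;
	*off += n;
	return 0;
}

/*
 * A signature is string(format name) || string(signature bytes).
 * Accept it only when the format name is exactly the negotiated
 * algorithm; trailing bytes and empty fields are treated as malformed.
 */
int
check_sig_alg(const uint8_t *sig, size_t siglen, const char *negotiated)
{
	const uint8_t *name, *blob;
	size_t namelen, bloblen, off = 0;

	if (get_string(sig, siglen, &off, &name, &namelen) != 0 ||
	    get_string(sig, siglen, &off, &blob, &bloblen) != 0 ||
	    off != siglen || namelen == 0 || bloblen == 0)
		return SIG_MALFORMED;
	if (namelen != strlen(negotiated) ||
	    memcmp(name, negotiated, namelen) != 0)
		return SIG_ALG_MISMATCH;
	return SIG_OK;
}

/* Append one SSH string to out; used only to build constructed input. */
static size_t
put_string(uint8_t *out, const void *s, size_t n)
{
	out[0] = (uint8_t)(n >> 24);
	out[1] = (uint8_t)(n >> 16);
	out[2] = (uint8_t)(n >> 8);
	out[3] = (uint8_t)n;
	memcpy(out + 4, s, n);
	return 4 + n;
}

/*
 * Build a constructed signature labelled sent_alg, cut `trim` bytes off
 * the end, and check it against the negotiated algorithm.
 */
int
demo_check(const char *sent_alg, const char *negotiated, size_t trim)
{
	/* Placeholder bytes, not a real signature. */
	static const uint8_t fake_sig[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
	uint8_t buf[64];
	size_t len;

	if (strlen(sent_alg) > 40)
		return SIG_MALFORMED;
	len = put_string(buf, sent_alg, strlen(sent_alg));
	len += put_string(buf + len, fake_sig, sizeof(fake_sig));
	if (trim > len)
		return SIG_MALFORMED;
	return check_sig_alg(buf, len - trim, negotiated);
}

int
main(void)
{
	printf("match: %d\n", demo_check("rsa-sha2-256", "rsa-sha2-256", 0));
	printf("SHA-1 label: %d\n", demo_check("ssh-rsa", "rsa-sha2-256", 0));
	printf("truncated: %d\n", demo_check("rsa-sha2-512", "rsa-sha2-512", 3));
	return 0;
}
```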
<li>LibreSSL 2.7.2
<ul>
<li> Added support for many OpenSSL 1.0.2 and 1.1 APIs, based on
observations of real-world usage in applications. These are
implemented in parallel with existing OpenSSL 1.0.1 APIs - visibility
changes have not been made to existing structs, allowing code written
for older OpenSSL APIs to continue working.
<li> Extensive corrections, improvements, and additions to the
API documentation, including new public APIs from OpenSSL that had
no pre-existing documentation.
<li> Added support for automatic library initialization in libcrypto,
libssl, and libtls. Support for pthread_once or a compatible
equivalent is now required of the target operating system. As a
side-effect, minimum Windows support is Vista or higher.
<li> Converted more packet handling methods to CBB, which improves
resiliency when generating TLS messages.
<li> Completed TLS extension handling rewrite, improving consistency of
checks for malformed and duplicate extensions.
<li>Rewrote ASN1_TYPE_{get,set}_octetstring() using templated ASN.1.
This removes the last remaining use of the old M_ASN1_* macros
(asn1_mac.h) from API that needs to continue to exist.
<li> Added support for client-side session resumption in libtls.
A libtls client can specify a session file descriptor (a regular
file with appropriate ownership and permissions) and libtls will
manage reading and writing of session data across TLS handshakes.
<li> Improved support for strict alignment on ARMv7 architectures,
conditionally enabling assembly in those cases.
<li> Fixed a memory leak in libtls when reusing a tls_config.
<li> Merged more DTLS support into the regular TLS code path, removing
duplicated code.
</ul>
<li><p>Ports and packages:
<ul>
<li><a href="https://man.openbsd.org/dpb.1">dpb(1)</a> and normal
<a href="https://man.openbsd.org/ports.7">ports(7)</a> can
now enjoy the same privilege separated model by setting
<code>PORTS_PRIVSEP=Yes</code>
</ul>
<p>Many pre-built packages for each architecture:
<!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
<ul style="column-count: 4">
<li>aarch64: 7990
<li>alpha: 1
<li>amd64: 9912
<li>arm: 6582
<li>i386: 9861
<li>mips64: 8149
<li>mips64el: 8254
<li>powerpc: 8809
<li>sh: 1
<li>sparc64: 8401
</ul>
<p>Some highlights:
<ul style="column-count: 2">
<li>AFL 2.52b
<li>CMake 3.10.2
<li>Chromium 65.0.3325.181
<li>Emacs 21.4 and 25.3
<li>GCC 4.9.4
<li>GHC 8.2.2
<li>Gimp 2.8.22
<li>GNOME 3.26.2
<li>Go 1.10
<li>Groff 1.22.3
<li>JDK 8u144
<li>KDE 3.5.10 and 4.14.3 (plus KDE4 core updates)
<li>LLVM/Clang 5.0.1
<li>LibreOffice 6.0.2.1
<li>Lua 5.1.5, 5.2.4 and 5.3.4
<li>MariaDB 10.0.34
<li>Mozilla Firefox 52.7.3esr and 59.0.2
<li>Mozilla Thunderbird 52.7.0
<li>Mutt 1.9.4 and NeoMutt 20180223
<li>Node.js 8.9.4
<li>OCaml 4.03.0
<li>OpenLDAP 2.3.43 and 2.4.45
<li>PHP 5.6.34 and 7.0.28
<li>Postfix 3.3.0 and 3.4-20180203
<li>PostgreSQL 10.3
<li>Python 2.7.14 and 3.6.4
<li>R 3.4.4
<li>Ruby 2.3.6, 2.4.3 and 2.5.0
<li>Rust 1.24.0
<li>Sendmail 8.16.0.21
<li>SQLite3 3.22.0
<li>Sudo 1.8.22
<li>Tcl/Tk 8.5.19 and 8.6.8
<li>TeX Live 2017
<li>Vim 8.0.1589
<li>Xfce 4.12
</ul>
<li>As usual, steady improvements in manual pages and other documentation.
<li>The system includes the following major components from outside suppliers:
<ul>
<li>Xenocara (based on X.Org 7.7 with xserver 1.19.6 + patches,
freetype 2.8.1, fontconfig 2.12.4, Mesa 13.0.6, xterm 330,
xkeyboard-config 2.20 and more)
<li>LLVM/Clang 5.0.1 (+ patches)
<li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
<li>Perl 5.24.3 (+ patches)
<li>NSD 4.1.20
<li>Unbound 1.6.8
<li>Ncurses 5.7
<li>Binutils 2.17 (+ patches)
<li>Gdb 6.3 (+ patches)
<li>Awk Aug 10, 2011 version
<li>Expat 2.2.5
</ul>
</ul>
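<p>
The ssh(1) item in the OpenSSH list above, which canonicalises address arguments (e.g. ::0001 =&gt; ::1) instead of lower-casing them before the known_hosts match, sketched as an added example. This is not OpenSSH's code: normalise_host_arg(), matches_entry() and the sample inputs are constructed for illustration, and inet_pton()/inet_ntop() are an assumed stand-in for the parser ssh uses.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper, not OpenSSH code: normalise a host argument before
 * comparing it with known_hosts-style entries. Numeric addresses are parsed
 * and re-printed in canonical text form; anything else is treated as a name
 * and lower-cased. Returns 1 for an address, 0 for a name, -1 if out is too
 * small. inet_pton() rejects IPv6 scope ids such as "fe80::1%em0".
 */
int normalise_host_arg(const char *arg, char *out, size_t outlen)
{
	static const int families[] = { AF_INET, AF_INET6 };
	unsigned char addr[sizeof(struct in6_addr)];
	size_t i;

	for (i = 0; i < 2; i++) {
		if (inet_pton(families[i], arg, addr) == 1)
			return inet_ntop(families[i], addr, out,
			    (socklen_t)outlen) != NULL ? 1 : -1;
	}
	if (strlen(arg) >= outlen)
		return -1;
	for (i = 0; arg[i] != '\0'; i++)
		out[i] = (char)tolower((unsigned char)arg[i]);
	out[i] = '\0';
	return 0;
}

/* Exact comparison of the normalised argument with a stored entry. */
int matches_entry(const char *arg, const char *entry)
{
	char norm[256];

	if (normalise_host_arg(arg, norm, sizeof(norm)) < 0)
		return 0;
	return strcmp(norm, entry) == 0;
}

int main(void)
{
	/* Constructed inputs; "::1" stands in for a known_hosts entry. */
	const char *args[] = { "::0001", "0:0:0:0:0:0:0:1", "::2", "LOCALHOST" };
	size_t i;

	for (i = 0; i < sizeof(args) / sizeof(args[0]); i++)
		printf("%-16s matches ::1: %d\n", args[i], matches_entry(args[i], "::1"));
	return 0;
}
```

Lower-casing alone would leave "::0001" and "0:0:0:0:0:0:0:1" as distinct strings that never match a stored "::1" entry, which is the ambiguity the canonicalisation removes.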
</section>
<hr>
<section id=install>
<h3>How to install</h3>
<p>
Please refer to the following files on the mirror site for
extensive details on how to install OpenBSD 6.3 on your machine:
<ul>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/alpha/INSTALL.alpha">
.../OpenBSD/6.3/alpha/INSTALL.alpha</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/amd64/INSTALL.amd64">
.../OpenBSD/6.3/amd64/INSTALL.amd64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/arm64/INSTALL.arm64">
.../OpenBSD/6.3/arm64/INSTALL.arm64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/armv7/INSTALL.armv7">
.../OpenBSD/6.3/armv7/INSTALL.armv7</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/hppa/INSTALL.hppa">
.../OpenBSD/6.3/hppa/INSTALL.hppa</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/i386/INSTALL.i386">
.../OpenBSD/6.3/i386/INSTALL.i386</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/landisk/INSTALL.landisk">
.../OpenBSD/6.3/landisk/INSTALL.landisk</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/loongson/INSTALL.loongson">
.../OpenBSD/6.3/loongson/INSTALL.loongson</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/luna88k/INSTALL.luna88k">
.../OpenBSD/6.3/luna88k/INSTALL.luna88k</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/macppc/INSTALL.macppc">
.../OpenBSD/6.3/macppc/INSTALL.macppc</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/octeon/INSTALL.octeon">
.../OpenBSD/6.3/octeon/INSTALL.octeon</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/sgi/INSTALL.sgi">
.../OpenBSD/6.3/sgi/INSTALL.sgi</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.3/sparc64/INSTALL.sparc64">
.../OpenBSD/6.3/sparc64/INSTALL.sparc64</a>
</ul>
</section>
<hr>
<section id=quickinstall>
<p>
Quick installer information for people familiar with OpenBSD, and the use of
the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!
<h3>OpenBSD/alpha:</h3>
<p>
Write <i>floppy63.fs</i> or <i>floppyB63.fs</i> (depending on your machine)
to a diskette and enter <i>boot dva0</i>.
Refer to INSTALL.alpha for more details.
<p>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
<h3>OpenBSD/amd64:</h3>
<p>
If your machine can boot from CD, you can write <i>install63.iso</i> or
<i>cd63.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.
<p>
If your machine can boot from USB, you can write <i>install63.fs</i> or
<i>miniroot63.fs</i> to a USB stick and boot from it.
<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.
<p>
If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.
<h3>OpenBSD/arm64:</h3>
<p>
Write <i>miniroot63.fs</i> to a disk and boot from it after connecting
to the serial console. Refer to INSTALL.arm64 for more details.
<h3>OpenBSD/armv7:</h3>
<p>
Write a system specific miniroot to an SD card and boot from it after connecting
to the serial console. Refer to INSTALL.armv7 for more details.
<h3>OpenBSD/hppa:</h3>
<p>
Boot over the network by following the instructions in INSTALL.hppa or the
<a href="hppa.html#install">hppa platform page</a>.
<h3>OpenBSD/i386:</h3>
<p>
If your machine can boot from CD, you can write <i>install63.iso</i> or
<i>cd63.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.
<p>
If your machine can boot from USB, you can write <i>install63.fs</i> or
<i>miniroot63.fs</i> to a USB stick and boot from it.
<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.
<p>
If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.
<h3>OpenBSD/landisk:</h3>
<p>
Write <i>miniroot63.fs</i> to the start of the CF
or disk, and boot normally.
<h3>OpenBSD/loongson:</h3>
<p>
Write <i>miniroot63.fs</i> to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.
<h3>OpenBSD/luna88k:</h3>
<p>
Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.
<h3>OpenBSD/macppc:</h3>
<p>
Burn the image from a mirror site to a CDROM, and power on your machine
while holding down the <i>C</i> key until the display turns on and
shows <i>OpenBSD/macppc boot</i>.
<p>
Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
/6.3/macppc/bsd.rd</i>
<h3>OpenBSD/octeon:</h3>
<p>
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.
<h3>OpenBSD/sgi:</h3>
<p>
To install, burn cd63.iso on a CD-R, put it in the CD drive of your
machine and select <i>Install System Software</i> from the System Maintenance
menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
CD-ROM, and need a proper invocation from the PROM prompt.
Refer to the instructions in INSTALL.sgi for more details.
<p>
If your machine doesn't have a CD drive, you can set up a DHCP/tftp network
server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
system type. Refer to the instructions in INSTALL.sgi for more details.
<h3>OpenBSD/sparc64:</h3>
<p>
Burn the image from a mirror site to a CDROM, boot from it, and type
<i>boot cdrom</i>.
<p>
If this doesn't work, or if you don't have a CDROM drive, you can write
<i>floppy63.fs</i> or <i>floppyB63.fs</i>
(depending on your machine) to a floppy and boot it with <i>boot
floppy</i>. Refer to INSTALL.sparc64 for details.
<p>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.
<p>
You can also write <i>miniroot63.fs</i> to the swap partition on
the disk and boot with <i>boot disk:b</i>.
<p>
If nothing works, you can boot over the network as described in INSTALL.sparc64.
</section>
<hr>
<section id=upgrade>
<h3>How to upgrade</h3>
<p>
If you already have an OpenBSD 6.2 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
<a href="faq/upgrade63.html">Upgrade Guide</a>.
</section>
<hr>
<section id=sourcecode>
<h3>Notes about the source code</h3>
<p>
<code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/src.tar.gz</kbd>
</pre></blockquote>
<p>
<code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src/sys</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
</pre></blockquote>
<p>
Both of these trees are regular CVS checkouts. Using these trees it
is possible to get a head-start on using the anoncvs servers as
described <a href="anoncvs.html">here</a>.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
</section>
<hr>
<section id=ports>
<h3>Ports Tree</h3>
<p>
A ports tree archive is also provided. To extract:
<blockquote><pre>
# <kbd>cd /usr</kbd>
# <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
</pre></blockquote>
<p>
Go read the <a href="faq/ports/index.html">ports</a> page
if you know nothing about ports
at this point. This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.
<p>
The <i>ports/</i> directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
<a href="anoncvs.html">AnonCVS</a>.
So, in order to keep up to date with the -stable branch, you must make
the <i>ports/</i> tree available on a read-write medium and update the tree
with a command like:
<blockquote><pre>
# <kbd>cd /usr/ports</kbd>
# <kbd>cvs -d [email protected]:/cvs update -Pd -rOPENBSD_6_3</kbd>
</pre></blockquote>
<p>
[Of course, you must replace the server name here with a nearby anoncvs
server.]
<p>
Note that most ports are available as packages on our mirrors. Updated
ports for the 6.3 release will be made available if problems arise.
<p>
If you're interested in seeing a port added, would like to help out, or
would just like to know more, the mailing list
<a href="mail.html">[email protected]</a> is a good place to start.
</section>