------------------------------------------------------------------------ - OpenBSD 6.2 RELEASED ------------------------------------------------- October 9, 2017. We are pleased to announce the official release of OpenBSD 6.2. This is our 43rd release. We remain proud of OpenBSD's record of more than twenty years with only two remote holes in the default install. As in our previous releases, 6.2 provides significant improvements, including new features, in nearly all areas of the system: - Improved hardware support, including: o arm: New rkgrf(4) driver for the Rockchip RK3399/RK3288 register file. o arm: New rkclock(4) driver for Rockchip RK3399/RK3288 clocks. o arm: New rkpinctrl(4) driver for controlling Rockchip RK3399/RK3288 pins. o arm: New rkgpio(4) driver for GPIO on Rockchip SoCs. o arm: New rktemp(4) driver for Rockchip RK3399 temperature sensors. o arm: New rkiic(4) driver for Rockchip RK3399 I2C controllers. o arm: New rkpmic(4) driver for the RK808 Power Management IC. o arm: New dwmmc(4) driver for Synopsis DesignWare SD/MMC controllers. o arm: New dwdog(4) driver for the Synopsys DesignWare watchdog timer. o arm: New dwxe(4) driver for the Synopsys DesignWare Ethernet controller. o arm: New sxitwi(4) driver for the two-wire bus on Allwinner SoCs. o arm: New axppmic(4) driver for the AXP209 I2C PMIC. o arm: New bcmaux(4) driver for clocks and interrupts on the auxilliary UART on BCM2835 devices. o arm: New mvmpic(4) driver for an interrupt controller on Marvell ARMADA 38x. o arm: New mvpxa(4) driver for the SD Host Controller on Marvell ARMADA 38x. o arm: New mvpinctrl(4) driver to configure pins on Marvell ARMADA 38x. o arm: New mvneta(4) driver the Ethernet controller on Marvell ARMADA 38x. o arm: New amdisplay(4) & nxphdmi(4) drivers for the Texas Instruments AM335x LCD controller. o octeon: New octcib(4) driver for the interrupt bus widget on CN70xx/CN71xx. o octeon: New octcit(4) driver for the central interrupt unit version 3 on CN72xx/CN73xx/CN77xx/CN78xx. o octeon: New octsctl(4) driver for the OCTEON SATA controller bridge. o octeon: New octxctl(4) driver for the OCTEON USB3 controller bridge. o octeon: Rhino Labs Inc. SDNA Shasta, and Ubiquiti Networks EdgeRouter 4 and 6 are now supported. o New hvs(4) driver for Hyper-V storage. o New pcxrtc(4) driver for the NXP PCF8563 Real Time Clock. o New urng(4) driver for USB random number generator devices. o Intel 8265 and 3168 support was added to the iwm(4) driver. o RTL8192CE support was added to the rtwn(4) driver. o RT5360 support was added to the ral(4) driver. o RTS525A support was added to the rtsx(4) driver. o The acpibat(4) driver now supports _BIX entries from ACPI 4.0. o ACPI hibernate support was added to the nvme(4) driver. o Substantially improved ACPI hibernate performance in the ahci(4) driver. o The inteldrm(4) driver was updated to code based on Linux 4.4.70 - it now supports Skylake, Kaby Lake, and Cherryview devices and has better support for Broadwell and Valleyview devices. o The puc(4) driver now supports ASIX AX99100 devices. o Xen platform support and the xbf(4) driver in particular have been substantially improved. o The nvme(4) driver now reports correct last sector address to SCSI, allowing a valid GPT to be created. o Repair ioapic(4) misconfigurations. - vmm(4)/ vmd(8) improvements: o vmctl(8) supports paused VM migration and memory snapshotting using send and receive commands. o VPID/ASID reuse/rollover in vmm(4). o SGABIOS imported as an option ROM payload in SeaBIOS (for VGA to serial console redirection). o vmd(8) resets the guest VM RTC (real time clock) on host resume from suspend/hibernate (OpenBSD guests only). o Allow guest VMs access to AVX/AVX2 host CPU features. o Support for AMD SVM/RVI hosts. o Allow larger guest VM memory sizes (up to MAXDSIZ sized guests - e.g. 32GB on amd64 hosts). o Better handling of guest VM MONITOR/MWAIT and HLT instructions. o Various device emulation improvements in vmd(8). o Increase the virtio(4) queue size provided by vmd(8) from 64 to 128 entries, to increase performance. o Many fixes to vmctl(8) and vmd(8) error handling. - IEEE 802.11 wireless stack improvements: o MiRA 802.11n TX rate scaling now supports devices with unequal numbers of Tx and Rx streams. Fixes 11n mode for some athn(8) devices. o The iwn(8) and iwm(8) drivers will now start scanning for a new access point if they no longer receive beacons from the current AP. o Prefer the 5GHz band over the 2GHz band during access point selection. o Improved debug output in dmesg(8) when a wireless interface is put into debug mode with ifconfig(8). - Generic network stack improvements: o Incoming and forwarded IP packets are now processed without KERNEL_LOCK, resulting in better performances and reduced latency. o The kernel no longer handles IPv6 Stateless Address Autoconfiguration (RFC 4862), allowing cleanup and simplification of the IPv6 network stack. o The kernel sends IPv6 router solicitations for link local addresses with a link local source address. o FQ-CoDel algorithm has been implemented for use with pf(4) queueing. o Improved IPv6 checks for IPsec policies and made them consistent with IPv4. o Refactored local IP delivery to process IPsec packets in a flow and avoid enqueueing a second time. o pf(4) now inspects AH packets and matches on the inner protocol. This makes IPv4 authentication headers work like IPv6. o The length of extension header chains in pf(4) is limited. This prevents spending excessive CPU time on crafted packets. o Block IPv6 packets in pf(4) that have a hop-by-hop options header or a destination options header. Such packets can be passed by adding "allow-opts" to the rule. This makes IPv6 option handling consistent with IPv4. o If the IPv4 ID gets reused too fast, pf(4) fragment reassembly uses a smarter strategy to drop packets. o Enabled the use of per-CPU caches in the network packet allocators. - Installer improvements: o The installer now uses the Allotment Routing Table (ART). o A unique kernel is now created by the installer to boot from after install/upgrade. o On release installs of architectures supported by syspatch, "syspatch -c" is now added to rc.firsttime. o Backwards compatibility code to support the 'rtsol' keyword in hostname.if(5) has been removed. o The install.site and upgrade.site scripts are now executed at the end of the install/upgrade process. o More detailed information is shown to identify disks. o The IPv6 default router selection has been fixed. o On the amd64 platform, AES-NI is used if present. - Routing daemons and other userland network improvements: o A new daemon, slaacd(8) handles IPv6 Stateless Address Autoconfiguration (RFC 4862). o rtadvd(8) now supports "Reducing Energy Consumption of Router Advertisements" (RFC 7772). o rtadvd(8) has been fixed to quickly handle IPv6 prefix changes on the system. o ipsecctl(8) can now show SA bundles and the "bundle" keyword allows them to be explicitly created. This avoids confusion as they were previously used implicitly. o nc(1) now has a -W recvlimit option to terminate netcat after receiving the specified number of packets. This allows for a UDP request to be sent, a reply to be received and the result checked on the command line. o nc(1) now has a -Z option, allowing the peer certificate and chain to be saved to a file in PEM format. o A new -T tlscompat option was added to nc(1), which enables the use of all TLS protocols and libtls "compat" ciphers. o Various races have been fixed in relayd(8), expecially in HTTP chunked mode. o ndp(8) now shows the relevant NDP information when run in a non-default routing domain. o ifstated(8) now copes with interface departures/arrivals. o bgpd(8) can now be started multiple times in different routing domains, this provides virtual router functionality. - Security improvements: o A new function freezero(3) to easily clear and free memory holding sensitive data has been added. o Double free detection has been improved when the F malloc(3) option is used. The existing S option now includes F. o The TIOCSTI tty ioctl has been removed. The I/O-loops in the last two consumers csh(1) and mail(1) were rewritten to cope with the removal. o Trapsleds, a new mitigation that significantly reduces the amount of nops in the instruction stream, replacing them with trap instructions or jump-over-trap sequences, thereby requiring greater accuracy for targetting potential gadgets. o Kernel Address Randomized Link (KARL), a new "link-kit" allows the .o files of the kernel to be relinked in a random order, creating a unique kernel for each boot. /bsd is now non-readable to users, to try to keep the secret. o Like with libc previously, rc(8) re-links libcrypto on startup, placing the objects in a random order. o In addition to libcrypto, to deter code reuse exploits, rc(8) re-links ld.so on startup, placing the objects in a random order. o If process accounting is activated with accton(8), the daily mail shows pledge violations and program crashes. lastcomm(1) uses the flags P and T for such processes. o pflogd(8) uses the fork+exec model. o tcpdump(8) uses the fork+exec model. o ifstated(8) uses pledge(2). o snmpd(8) and snmpctl(8) now use pledge(2). o Tighter pledge for at(1). o Fixed and simplified pledge logic for nc(1). o More application of recallocarray(3) in userland, and tracked sizes to free(9) in the kernel. o Achieve higher levels of paranoia regarding structure packing, and clear many kernel objects before passing to userland. o Disable some optimizations in clang(1) due to incompatibility with security. o For instance, cope with clang(1)'s assumption that static or const objects placed in unknown sections (such as .openbsd.randomdata) are surely always 0, and therefore such memory accesses can be optimized away. o In kernel, randomly bias down the top-of-stack per kthread. - dhcpd(8)/ dhcrelay(8) improvements: o Add support for echo-client-id statement to dhclient.conf(5). o Take greater care to process all data read, and only data read, from the bpf(4) socket. o Use /dev/bpf instead of /dev/bpf0. o Handle DHCPINFORM messages from clients behind a DHCP relay. o Fix handling of carp(4) interfaces in dhcrelay(8). o Don't stop dhcrelay(8) logging to stderr when it is started with the -d option. - dhclient(8) improvements: o Log messages reworked and clarified, in particular by prefixing the name of the relevant network interface. o Treat SSID as 0 to 32 bytes of binary data, not a string. o Use RTM_PROPOSAL to take control of an interface rather than flipping interface down and up in the hope that other dhclient(8) instances notice. o Reduce file operations needed by -L option by opening file at startup and using it throughout process lifetime. o Improve resolv.conf(5) handling by reducing writes and more reliably determining which interface has the current default route. o Take greater care to process all data read, and only data read, from the bpf(4) socket. o Improve the determination of the link state of an interface. o Decline inappropriate lease offers as soon as they are deemed inappropriate. o Drop support for the timestamp formats used in lease files created more than four years ago. o Accept an offer from the server that sent the first copy of the offer, not the server that sent the last copy. o Don't delete addresses and routes when exiting. o Ensure IPv6 packets are not read from sockets. o Don't silently ignore obsolete keywords in dhclient.conf(5). o Reduce memory footprint by shrinking oversized static buffers. o Eliminate repeated socket opens by opening the required sockets during startup. o Fix construction of unicast UDP packets, broken in 5.6. o Improve determination of when a renewed lease requires interface configuration changes. o Don't exit when addresses are manually added or deleted from an interface. o Don't support option 33, classfull IP addresses. o Fix configuration of default routes supplied by classless route options. o Consider dhclient.conf(5) contents when determining what MTU value to configure. o Consider dhclient.conf(5) contents when creating the content of resolv.conf(5). o Delete direct routes when routes are flushed. o Don't label routes with "DHCLIENT nnnn". o Don't delete addresses or routes that will be immediately added back. o Delete addresses and routes only when a renewal request is NAK'ed. o Don't wait forever for requested information on the default route. o Don't exit when an attempt to send a packet fails. o Don't log a packet send when the send fails. o Remove the -u option, broken since 2013 without complaints. o Use /dev/bpf instead of /dev/bpf0. - Assorted improvements: o The i386 and amd64 platforms have switched to using clang(1) as the base system compiler. o Improved UTF-8 line editing support for ksh(1) Emacs and Vi input mode. o The HISTFILE of ksh(1) now uses a plain text format. Support for the HISTCONTROL environment variable was added. o The performance of the memory deallocator used by ksh(1) has been fixed. o The emacs-usemeta ksh(1) flag is no longer needed and is now deprecated. o New futex(2) syscall. o New pthread mutex and condition variable implementations improving latency of threaded applications. o New POSIX xlocale implementation written from scratch, complete in the sense that all POSIX *locale(3) and *_l(3) functions are included, but in OpenBSD, we of course only really care about LC_CTYPE and we only support ASCII and UTF-8. o Automatic hibernation and suspend by apmd when battery is low. o New ctfdump(1) and ctfconv(1) tools to manipulate CTF (Compact C Type Format). o The error handling in syslogd(8) has been improved. Even if internal errors occur, the daemon tries to keep unaffected subsystems active. So as many messages as possible are logged. They can be filtered by severity and facility "syslog". o syslogd(8) can now suppress "last message repeated" which is useful for remote logging. o syslogd(8) can listen on multiple TLS sockets. o syslogd(8) closes the *.514 UDP sockets when they are not needed. o Truncate log messages at 8192 bytes everywhere. o newsyslog(8) now skips and logs invalid config lines. o Nested mount points are umounted in correct order. o Fix creation of softraid(4) CONCAT volumes. o Include softraid(4) volume and backing disk information in i/o error messages. o Make vioscsi(4) a normal scsi(4) device by eliminating its use of the obsolete XS_NO_CCB mechanism. o Remove last vestiges of now unused XS_NO_CCB mechanism. o Userspace can now get the address of the thread control block without a system call on OCTEON II and later. o FPU is enabled on OCTEON III. o GENERIC kernels now include a .SUNW_ctf section containing CTF data. o New ddb(4) kill command, send an uncatchable SIGABRT to a process. o New ddb(4) pprint command, using CTF information to "pretty print" global symbols. o New ddb(4) show struct command, using CTF information to display the content of in memory C structures. o x86: ddb(4) uses CTF data to display the correct number of function arguments in backtraces. o Power off all codecs in azalia(4) to avoid static noise in speakers and headphones on reboot. o Fix i386 boot regression seen on very old 486DX CPUs. o New witness(4) tool for debugging lock order issues in the kernel. The tool is not built in by default, and only amd64, hppa and i386 are supported. o Modernize some bizzare tty behaviours of getty(8). o Some subtle changes to pledge(2) to satisfy requirements observed in real life. o Prefer use of waitpid(2) rather than wait(3) where possible, to avoid problems with pre-existing children. o Rewrite swaths of machine-dependent system call stub code in ld.so(1) in a more portable fashion. o Per-CPU caches implemented in pools. o Mutex, condition-variable, thread-specific data, pthread_once(3), and pthread_exit(3) routines moved to libc from libpthread for ease of library use and compatibility with other OSes. o Added getptmfd(3), fdopenpty(3), and fdforkpty(3) to simplify privilege separation and use of pledge(2). o Improved computational complexity in various cases of strstr(3), qsort(3), and glob(3). o Added support for EV_RECEIPT and EV_DISPATCH to kqueue(2). o Added fktrace(2). - OpenSMTPD 6.0.0 o Fix an off-by-one in the config parser that made 65535 an invalid port. o Fix a fd leak in the session congestion mechanism. o Fix a possible crash when relaying with smtps. o Remove support for the "listen secure" syntax (expicitely define two listeners for tls and smtps instead). o Remove experimental support for filters. o Assorted code and documentation cleanups and improvements. - OpenSSH 7.6 o Security: - sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files. o New/changed features: - Add RemoteCommand option to specify a command in the ssh(1) config file instead of giving it on the client's command line. The feature allows to automate tasks using ssh config. - sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session. - ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported. - sshd(8): allow LogLevel directive in sshd_config Match blocks. - ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options. - ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates. - ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default. - ssh-add(1): added -q option to make ssh-add quiet on success. - ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new". - ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8). o The following significant bugs have been fixed in this release: - ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names. - sftp(1): implement sorting for globbed ls. - ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying. - ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received. - ssh(1)/sshd(8): repair compression statistics printed at connection exit. - sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings. - ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur. - ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances. - Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys. - sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme. - ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs. - ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them. - ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background. - ssh-keyscan(1): avoid double-close() on file descriptors. - sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes. - sshd_config(8): document available AuthenticationMethods. - ssh(1): avoid truncation in some login prompts. - ssh(1): make "--" before the hostname terminate argument processing after the hostname too. - ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds. - ssh(1): warn and do not attempt to use keys when the public and private halves do not match. - sftp(1): don't print verbose error message when ssh disconnects from under sftp. - sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent. - sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem. - Make integrity.sh regression tests more robust against timeouts. - ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF. - LibreSSL 2.6.3 o Added support for providing CRLs to libtls - once a CRL is provided via tls_config_set_crl_file(3) or tls_config_set_crl_mem(3), CRL checking is enabled and required for the full certificate chain. o Reworked TLS certificate name verification code to more strictly follow RFC 6125. o Cleaned up and simplified server key exchange EC point handling. o Removed inconsistent IPv6 handling from BIO_get_accept_socket(), simplified BIO_get_host_ip() and BIO_accept(). o Added definitions for three OIDs used in EV certificates. o Relaxed SNI validation to allow non-RFC-compliant clients using literal IP addresses with SNI to connect to a libtls-based TLS server. o Added tls_peer_cert_chain_pem() to libtls, useful in private certificate validation callbacks such as those in relayd. o Converted explicit clear/free sequences to use freezero(3). o Fixed the openssl(1) ca command so that it generates certificates with RFC 5280-conformant time. o Added ASN1_TIME_set_tm(3) to set an ASN.1 time from a struct tm *. o Added SSL{,_CTX}_set_{min,max}_proto_version(3) functions. o Imported HKDF (HMAC Key Derivation Function) from BoringSSL. o Provided a tls_unload_file(3) function that frees the memory returned from a tls_load_file(3) call, ensuring that the contents become inaccessible. o Implemented reference counting for libtls tls_config, allowing tls_config_free(3) to be called as soon as it has been passed to the final tls_configure(3) call, simplifying lifetime tracking for the application. o Dropped cipher suites using DSS authentication. o Removed support for DSS/DSA from libssl. o Distinguish between self-issued certificates and self-signed certificates. The certificate verification code has special cases for self-signed certificates and without this change, self-issued certificates (which it seems are common place with openvpn/easyrsa) were also being included in this category. o Added a new TLS extension handling framework and converted all TLS extensions to use it. o Improved and added many new manpages. Updated SSL_{CTX_,}check_private_key(3) manpages with additional cautions regarding their use. o Cleaned up and simplified EC key/curve configuration handling. o Added tls_config_set_ecdhecurves(3) to libtls, which allows the names of the elliptical curves that may be used during client and server key exchange to be specified. o Converted more code paths to use CBB/CBS. o Removed NPN support - NPN was never standardised and the last draft expired in October 2012. o Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken CryptoPro clients. o Removed support for the TLS padding extension, which was added as a workaround for an old bug in F5's TLS termination. o Added ability to clamp notafter values in certificates for systems with 32-bit time_t. This is necessary to conform to RFC 5280 4.1.2.5. o Removed the original (pre-IETF) chacha20-poly1305 cipher suites. o Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM. o Provide a useful error with libtls if there are no OCSP URLs in a peer certificate. o Keep track of which keypair is in use by a TLS context, fixing a bug where a TLS server with SNI would only return the OCSP staple for the default keypair. o If tls_config_parse_protocols(3) is called with a NULL pointer it now returns the default protocols. - mandoc 1.14.3 o Full mandoc.db(5) databases are now enabled by default, allowing semantic searching with apropos(1) without any local configuration changes. o Full integration of the former mdoclint(1) utility into mandoc(1) -Wall, new -Wstyle and -Wopenbsd message levels, and many new messages, for example about typos in .Sh lines, unknown .Xr targets, and links to self. o Additional steps unifying the mdoc(7), man(7), and roff(7) parsers: use one common data type and ohash_init(3) for all requests and macros and support creation of syntax tree nodes in the roff(7) parser, allowing support for many new low-level roff(7) features. Only about 25 ports still need USE_GROFF now. o Many improvements to tbl(7) parsing and formatting, including automatic line wrapping inside table columns. o Many improvements to eqn(7) parsing and formatting, including better font selection, recognition of well-known mathematical function names, and writing of and HTML tags. o Intelligible rendering of mathematical symbols in -Tascii output. o Several parsing and rendering improvements for the mdoc(7) .Lk macro. o Some CSS improvements in HTML output, in particular for the mdoc(7) .Bl macro. - Ports and packages: o A massive amount of clang-related fixes happened between 6.1 and 6.2. o Pre-built packages are available for the following architectures on the day of release: - amd64: 9728 - i386: 9285 o Packages for the following architectures will be made available as their builds complete: - alpha - arm - hppa - mips64 - mips64el - powerpc - sparc64 - Some highlights: o AFL 2.51b o Mutt 1.9.1 and NeoMutt 20170912 o Cmake 3.9.3 o Node.js 6.11.2 o Chromium 61.0.3163.100 o Ocaml 4.03.0 o Emacs 21.4 and 25.3 o OpenLDAP 2.3.43 and 2.4.45 o GCC 4.9.4 o PHP 5.6.31 and 7.0.23 o GHC 7.10.3 o Postfix 3.2.2 and 3.3-20170910 o Gimp 2.8.22 o PostgreSQL 9.6.5 o GNOME 3.24.2 o Python 2.7.14 and 3.6.2 o Go 1.9 o R 3.4.1 o Groff 1.22.3 o Ruby 1.8.7.374, 2.1.9, 2.2.8, o JDK 8u144 2.3.5 and 2.4.2 o KDE 3.5.10 and 4.14.3 (plus o Rust 1.20.0 KDE4 core updates) o Sendmail 8.16.0.21 o LLVM/Clang 5.0.0 o SQLite 3.20.1 o LibreOffice 5.2.7.2 o Sudo 1.8.21.2 o Lua 5.1.5, 5.2.4, and 5.3.4 o Tcl/Tk 8.5.19 and 8.6.6 o MariaDB 10.0.32 o TeX Live 2016 o Mozilla Firefox 52.4.0esr and o Vim 8.0.0987 56.0.0 o Xfce 4.12 o Mozilla Thunderbird 52.2.1 - As usual, steady improvements in manual pages and other documentation. - The system includes the following major components from outside suppliers: o Xenocara (based on X.Org 7.7 with xserver 1.18.4 + patches, freetype 2.8.0, fontconfig 2.12.4, Mesa 13.0.6, xterm 330, xkeyboard-config 2.20 and more) o LLVM/Clang 4.0.0 (+ patches) o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches) o Perl 5.24.2 (+ patches) o NSD 4.1.17 o Unbound 1.6.6 o Ncurses 5.7 o Binutils 2.17 (+ patches) o Gdb 6.3 (+ patches) o Awk Aug 10, 2011 version o Expat 2.2.4 ------------------------------------------------------------------------ - SECURITY AND ERRATA -------------------------------------------------- We provide patches for known security threats and other important issues discovered after each release. Our continued research into security means we will find new security problems -- and we always provide patches as soon as possible. Therefore, we advise regular visits to https://www.OpenBSD.org/security.html and https://www.OpenBSD.org/errata.html ------------------------------------------------------------------------ - MAILING LISTS AND FAQ ------------------------------------------------ Mailing lists are an important means of communication among users and developers of OpenBSD. For information on OpenBSD mailing lists, please see: https://www.OpenBSD.org/mail.html You are also encouraged to read the Frequently Asked Questions (FAQ) at: https://www.OpenBSD.org/faq/ ------------------------------------------------------------------------ - DONATIONS ------------------------------------------------------------ The OpenBSD Project is volunteer-driven software group funded by donations. Besides OpenBSD itself, we also develop important software like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet filter, the quality work of our ports development process, and many others. This ecosystem is all handled under the same funding umbrella. We hope our quality software will result in contributions that maintain our build/development infrastructure, pay our electrical/internet costs, and allow us to continue operating very productive developer hackathon events. All of our developers strongly urge you to donate and support our future efforts. Donations to the project are highly appreciated, and are described in more detail at: https://www.OpenBSD.org/donations.html ------------------------------------------------------------------------ - OPENBSD FOUNDATION --------------------------------------------------- For those unable to make their contributions as straightforward gifts, the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian not-for-profit corporation that can accept larger contributions and issue receipts. In some situations, their receipt may qualify as a business expense write-off, so this is certainly a consideration for some organizations or businesses. There may also be exposure benefits since the Foundation may be interested in participating in press releases. In turn, the Foundation then uses these contributions to assist OpenBSD's infrastructure needs. Contact the foundation directors at directors@openbsdfoundation.org for more information. ------------------------------------------------------------------------ - RELEASE SONGS -------------------------------------------------------- Every OpenBSD release is accompanied by artwork and a song. The song for OpenBSD 6.2 will be coming in December 2017. Lyrics (and an explanation) of the song may be found at: https://www.OpenBSD.org/lyrics.html#62 ------------------------------------------------------------------------ - HTTP/HTTPS INSTALLS -------------------------------------------------- OpenBSD can be easily installed via HTTP/HTTPS downloads. Typically you need a single small piece of boot media (e.g., a USB flash drive) and then the rest of the files can be installed from a number of locations, including directly off the Internet. Follow this simple set of instructions to ensure that you find all of the documentation you will need while performing an install via HTTP/HTTPS. 1) Read either of the following two files for a list of HTTP/HTTPS mirrors which provide OpenBSD, then choose one near you: https://www.OpenBSD.org/ftp.html https://ftp.openbsd.org/pub/OpenBSD/ftplist As of October 15, 2017, the following HTTP/HTTPS mirror sites have the 6.2 release: https://ftp.eu.openbsd.org/pub/OpenBSD/6.2/ Stockholm, Sweden http://ftp.bytemine.net/pub/OpenBSD/6.2/ Oldenburg, Germany https://ftp.fr.openbsd.org/pub/OpenBSD/6.2/ Paris, France https://mirror.aarnet.edu.au/pub/OpenBSD/6.2/ Brisbane, Australia https://ftp.usa.openbsd.org/pub/OpenBSD/6.2/ CO, USA https://ftp5.usa.openbsd.org/pub/OpenBSD/6.2/ CA, USA https://mirror.esc7.net/pub/OpenBSD/6.2/ TX, USA https://openbsd.cs.toronto.edu/pub/OpenBSD/6.2/ Toronto, Canada https://fastly.cdn.openbsd.org/pub/OpenBSD/6.2/ Global The release is also available at the master site: https://ftp.openbsd.org/pub/OpenBSD/6.2/ Alberta, Canada However it is strongly suggested you use a mirror. Other mirror sites may take a day or two to update. 2) Connect to that HTTP/HTTPS mirror site and go into the directory pub/OpenBSD/6.2/ which contains these files and directories. This is a list of what you will see: ANNOUNCEMENT arm64/ macppc/ src.tar.gz Changelogs/ armv7/ octeon/ sys.tar.gz README hppa/ packages/ tools/ SHA256 i386/ ports.tar.gz xenocara.tar.gz SHA256.sig landisk/ root.mail alpha/ loongson/ sgi/ amd64/ luna88k/ sparc64/ It is quite likely that you will want at LEAST the following files which apply to all the architectures OpenBSD supports. README - generic README root.mail - a copy of root's mail at initial login. (This is really worthwhile reading). 3) Read the README file. It is short, and a quick read will make sure you understand what else you need to fetch. 4) Next, go into the directory that applies to your architecture, for example, amd64. This is a list of what you will see: BOOTIA32.EFI* bsd* floppy62.fs pxeboot* BOOTX64.EFI* bsd.mp* game62.tgz xbase62.tgz BUILDINFO bsd.rd* index.txt xfont62.tgz INSTALL.amd64 cd62.iso install62.fs xserv62.tgz SHA256 cdboot* install62.iso xshare62.tgz SHA256.sig cdbr* man62.tgz base62.tgz comp62.tgz miniroot62.fs If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64 and install62.iso. The install62.iso file (roughly 346MB in size) is a one-step ISO-format install CD image which contains the various *.tgz files so you do not need to fetch them separately. If you prefer to use a USB flash drive, fetch install62.fs and follow the instructions in INSTALL.amd64. 5) If you are an expert, follow the instructions in the file called README; otherwise, use the more complete instructions in the file called INSTALL.amd64. INSTALL.amd64 may tell you that you need to fetch other files. 6) Just in case, take a peek at: https://www.OpenBSD.org/errata.html This is the page where we talk about the mistakes we made while creating the 6.2 release, or the significant bugs we fixed post-release which we think our users should have fixes for. Patches and workarounds are clearly described there. ------------------------------------------------------------------------ - X.ORG FOR MOST ARCHITECTURES ----------------------------------------- X.Org has been integrated more closely into the system. This release contains X.Org 7.7. Most of our architectures ship with X.Org, including amd64, sparc64 and macppc. During installation, you can install X.Org quite easily. Be sure to try out xenodm(1), our new, simplified X11 display manager forked from xdm(1). ------------------------------------------------------------------------ - PACKAGES AND PORTS --------------------------------------------------- Many third party software applications have been ported to OpenBSD and can be installed as pre-compiled binary packages on the various OpenBSD architectures. Please see https://www.openbsd.org/faq/faq15.html for more information on working with packages and ports. Note: a few popular ports, e.g., NSD, Unbound, and several X applications, come standard with OpenBSD and do not need to be installed separately. ------------------------------------------------------------------------ - SYSTEM SOURCE CODE --------------------------------------------------- The source code for all four subsystems can be found in the pub/OpenBSD/6.2/ directory: xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz The README (https://ftp.OpenBSD.org/pub/OpenBSD/6.2/README) file explains how to deal with these source files. ------------------------------------------------------------------------ - THANKS --------------------------------------------------------------- Ports tree and package building by Pierre-Emmanuel Andre, Landry Breuil, Visa Hankala, Stuart Henderson, Peter Hessler, Paul Irofti, and Christian Weisgerber. Base and X system builds by Kenji Aoyama, Theo de Raadt, and Visa Hankala. We would like to thank all of the people who sent in bug reports, bug fixes, donation cheques, and hardware that we use. We would also like to thank those who bought our previous CD sets. Those who did not support us financially have still helped us with our goal of improving the quality of the software. Our developers are: Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall, Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov, Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot, Anton Lindqvist, Ayaka Koshibe , Benoit Lecocq, Bob Beck, Brandon Mercer, Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar, Charles Longeau, Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann, Claudio Jeker, Dale Rahn, Damien Miller, Daniel Boulet, Daniel Dickman, Daniel Jakots, Darren Tucker, David Coppa, David Gwynne, David Hill, Denis Fondras, Dmitrij Czarkoff, Doug Hogan, Edd Barrett, Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus, Gerhard Roth, Giannis Tsaraias, Gilles Chehade, Giovanni Bechis, Gleydson Soares, Gonzalo L. Rodriguez, Henning Brauer, Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze, Inoguchi Kinichiro, James Turner, Jason McIntyre, Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans, Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray, Jonathan Matthew, Joris Vink, Joshua Stein, Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama, Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov, Kurt Miller, Landry Breuil, Lawrence Teo, Luke Tymowski, Marc Espie, Marco Pfatschbacher, Marcus Glocker, Mark Kettenis, Mark Lumsden, Markus Friedl, Martijn van Duren, Martin Natano, Martin Pieuchot, Martynas Venckus, Mats O Jansson, Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Mike Belopuhov, Mike Larkin, Miod Vallat, Nayden Markatchev, Nicholas Marriott, Nigel Taylor, Okan Demirmen, Otto Moerbeek, Pascal Stumpf, Patrick Wildt, Paul Irofti, Pavel Korovin, Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas, Rafael Sadowski, Rafael Zalamena, Remi Pointel, Renato Westphal, Reyk Floeter, Ricardo Mestre, Richard Procter, Rob Pierce, Robert Nagy, Robert Peichaer, Sasano Takayoshi, Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie, Stefan Fritsch, Stefan Kempf, Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler, Theo de Raadt, Tim van der Molen, Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov, Vincent Gross, Visa Hankala, Yasuoka Masahiko, Yojiro Uo