------------------------------------------------------------------------ - OpenBSD 7.3 RELEASED ------------------------------------------------- April 10, 2023. We are pleased to announce the official release of OpenBSD 7.3. This is our 54th release. We remain proud of OpenBSD's record of more than twenty years with only two remote holes in the default install. As in our previous releases, 7.3 provides significant improvements, including new features, in nearly all areas of the system: - Various kernel improvements: o Added waitid(2), wait for process state change. o Added pinsyscall(2), specify the call stub for a specific system call. o Added getthrname(2) and setthrname(2), get or set thread name. o Added WTRAPPED option for waitid(2) to control whether CLD_TRAPPED state changes, i.e., ptrace(2) on a process, are reported. o Introduced clockintr(9), a machine-independent clock interrupt scheduler. Switched all architectures to use this new kernel subsystem. o Added a priority queue to clockintr(9). o Introduced a new kern.autoconf_serial sysctl(8) that can be used by userland to monitor state changes of the kernel device tree. o Fixed pmap(9) bugs involving entering an executable mapping for a page before synchronizing the data and instruction cache on arm64 and riscv64. o Removed copystr(9) from public API. o Add getnsecruntime(9) to the kernel timecounting API. Together with getbinruntime(), it provides a fast, monotonic clock that only advances while the system is not suspended. o Add detection for Spectre-BHB Branch History Injection vulnerability related CLRBHB, ECBHB and CSV2_3/HCXT feature bits. o Prevent detaching ("bioctl -d detach") of a boot volume on a RAID managed by bioctl(8). o On arm64, avoid using 1GB mappings for the identity map in the early kernel bootstrap phase and when booting the secondary CPUs. This avoids accidentally mapping memory regions that should not be mapped (i.e. secure memory) as all mapped memory can be accessed speculatively. o Added arm64 detection of EPAN feature bit. Enhanced Privileged Access Never (EPAN) allows Privileged Access Never to be used with Execute-only mappings. o On arm64, add a machdep.lidaction sysctl(8) for aplsmc(4) Apple Silicon laptops. The arm64 default for the machdep.lidaction is 1, making the system suspend when the lid is closed. aplsmc(4) provides support for the lid position sensor. o Changed arm64 suspend idle loop from WFE to WFI, avoiding spurious wakeups while other CPUs are still active. o Added new dt(4) tracing ioctl DTIOCARGS to get the type of probe arguments. - SMP Improvements o Unlocked mmap(2), munmap(2), and mprotect(2). o Unlocked sched_yield(2). o Added support for per-cpu event counters, to be used for clock and IPI counters where the event counted occurs across all CPUs in the system. o Moved pf(4) purge tasks out from under the kernel lock. o Unlocked ioctl(2) SIOCGIFCONF, SIOCGIFGMEMB, SIOCGIFGATTR, and SIOCGIFGLIST. o Protected interface tables in pf(4) with PF_LOCK(), allowing removal of NET_LOCK() protection from the ioctl(2) code path in pf. o Unlocked getsockopt(2) and setsockopt(2). o Completed removing kernel lock from IPv6 read ioctls. o Unlocked minherit(2). o Made tun(4) and tap(4) event filters MP-safe. o Unlocked utrace(2). o Stopped holding the vm_map lock while flushing pages in msync(2) and madvise(2). Prevents a 3-thread deadlock between msync(2), page-fault and mmap(2). o Unlocked select(2), pselect(2), poll(2), and ppoll(2). - Direct Rendering Manager and graphics drivers o Updated drm(4) to Linux 6.1.15 o amdgpu(4): Added support for Ryzen 7000 "Raphael", Ryzen 7020 series "Mendocino", Ryzen 7045 series "Dragon Range", Radeon RX 7900 XT/XTX "Navi 31", Radeon RX 7600M (XT), 7700S, and 7600S "Navi 33." o Fixed frame buffer corruption and additional bugs after wakeup on Apple Silicon laptops and the Lenovo x13s. o Added support for the backlight connector property to amdgpu(4) as in inteldrm(4), making xbacklight(1) work when using the Xorg modesetting driver. - VMM/VMD improvements o Updated vmm(4) to allow guests to read MSR_HWCR and MSR_PSTATEDEF, which is necessary to determine the TSC frequency on AMD families 17h and 19h. o Allocated reference for vm and vcpu SLISTs in vmm(4), keeping vmm from triggering excessive wakeup calls while iterating through the list of vms while servicing an ioctl(2). o Set vmm(4) RAX guest register state based on VMCB. o Removed locking in vmm(4) vmm_intr_pending, reducing slowdowns due to requests for a lock held while the VM is running. o Increased speed of delivery of interrupts to a running vcpu in vmm(4). o Made vmm(4) treat vcpu lists as immutable, removing the need to reference count individual vcpu objects and use a rwlock. o Implemented zero-copy operations on virtqueues in vmd(8). o Provided a detailed e820 memory map when booting vmd(8) guests with SeaBIOS. When a vm initializes memory ranges, we now track what each range represents. This information can be used to supply the e820 memory map to SeaBIOS via the fw_cfg interface allowing it to properly communicate memory ranges to a guest operating system. With this special cases in ports can be removed. o Added thread names to vm processes in vmd(8), visible in ps(1). o Hid the WAITPKG cpu feature from vmm(4) guests, preventing invalid instruction exceptions. Also added WAITPKG feature identification to i386 and amd64. o Changed vmd(8) to only open /dev/vmm once, having the parent process send the fd to the vmm child process. o Restricted vmm(4) exposed cpuid extended feature flags. o Adjusted vmd(8) error paths to avoid removal of configuration-defined (known) VMs on error. o Stopped being paranoid about hypervisor correct PKU handling. Added saving and restoring guest PKRU to vmm(4). Expose the PKU cpuid bit to the guest if in use on the host. o Made vmd(8) scan the PCI bus to determine bootorder strings. - Various new userland features: o Added kdump(1) argument support for msyscall, pledge, unveil, __realpath, ypconnect and __tmpfd. o Added mimmutable(2) and munmap(2) reporting to kdump(1). o Added lastcomm(1) reporting for process kills due to execve(2) from non-pinned syscall address. - Various bugfixes and tweaks in userland: o Allow TZ to contain absolute paths starting with /usr/share/zoneinfo. All absolute paths were ignored in 7.2 to avoid unveil(2) violations. o Made ldomctl(8) accept more descriptive name-based paths in addition to number-based paths in ldom.conf(5). o Dropped support for $rc_exec in rc.subr(8). The rc_exec function should be used instead. o Excluded /tmp/*.shm files from /tmp cleaning in daily(8). Removing them interferes with programs that use shared memory via shm_open(3). o Added zap-to-char and zap-up-to-char to mg(1). Bound zap-to-char to M-z. o Fixed handling of escaped backslashes in vi(1) ex_range. o Added support to gunzip(1) for zip files that contain a single member. o Fixed ed(1) to print bytes read/written and the ? prompt to stdout, not stderr. o Modified the vmstat view in systat(1) to measure elapsed time using clock_gettime(2). o Implemented periodic display in iostat(8). o Corrected top(1) display of online CPUs which can change based on the sysctl(2) sysctl setting. o Added support for a personal units(1) library by passing -f multiple times. o Changed df(1) to round up fractional percentages. o Fixed unbounded variable expansion in pkg-config(1). o Switched to use llvm-strip(1) on architectures that use ld.lld(1). o Made rc(8) reorder libraries in parallel to netstart(8), as this does not depend on network access. o Made rc(8) print the name of each library before relinking as a signal to the operator that boot has not stalled. o Added the audioctl(8) -w option to display variables periodically. o Added short options for timeout(1) --foreground and --preserve-status. Added signal as a full argument name for timeout(1) -s. o Fixed .wav files generated by aucat(1) by using extended header format. o In disklabel(8), use the size of the largest chunk of free space, not the total of all such chunks, when checking for sufficient space to add a partition. o Extended disklabel(8) template parsing to allow "[mount point] *" as the specification for putting the maximum available free space into a partition. Extended command line parsing to allow "T-" as the specification to read the template from stdin. o Repaired disklabel(8) to check for D_VENDOR flag in d_flags, not d_secpercyl. o Removed remnents of DEC standard 144 bad sector code from disklabel(8) and disktab(5). o Removed last references to d_drivedata field from disklabel(8) o Enhanced disklabel(8) auto allocation to use all possible free space. o Enhanced disklabel(8) to ensure valid partition offsets and sizes after rounding. o Enhanced disklabel(8) simple editor to allow '*' when the action is 'delete'. o Removed disklabel(8) code related to defunct disk types 'hd' and 'svnd'. o Repaired fdisk(8) to set the correct 'bootable' bit in GPT partitions. o Repaired fdisk(8) to use GPT_UUID_NBSD_UFS for NetBSD GPT partition entries. o Added UEFI defined GPT partition type GPT_UUID_LEGACY_MBR to the partition types fdisk(8) recognizes. o Enhanced fdisk(8) to avoid spurious warnings when editing unused GPT partition. o Fixed cdio(1) error displays and plugged a leak in the error path. o Removed pointless :ob#0:pb#0:[tb=swap:] and :pb#N:ob#0: lines from various disktab(5) entries. - Improved hardware support and driver bugfixes, including: o Suspend/Resume improvements - Extended arm64 suspend/resume to include support for parking CPUs in a WFE/WFI loop. - Put CPUs in the lowest P-state before the final suspend step, needed for systems where we park CPUs in a low-power idle state ourselves. o system-on-chip devices - Added support for the Rockchip RK3566/RK3568 SoCs. - Added support for the Rockchip RK3568 processor. - Added support for the RK3568 PCIe controller to dwpcie(4). - Added qcdwusb(4), a driver controlling the interface logic for the Synopsys DesignWare USB 3.0 controller found on various Qualcomm Snapdragon SoCs. - Added support for the PCIe controller on the Qualcomm SC8280XP to dwpcie(4). - Added qcpmicgpio(4), a driver for the GPIO block inside the Qualcomm PMICs. - Added qcpmic(4), a driver for the SPMI-connected PMICs found on Qualcomm SoCs. - Added qcspmi(4), a driver for the SPMI PMIC Arbiter found on Qualcomm SoCs. - Added qcpdc(4), a driver for the Qualcomm Power Domain controller found on Qualcomm SoCs. - Added qcpwm(4), a driver for the PWM found on Qualcomm SoCs. - Added qcpon(4), a driver for the Qualcomm PMIC block that hosts the powerkey and reset input. - In rkgpio(4), handled different register layouts in modern Rockchip SoCs as seen in the RK356x and RK3588. - Added support for RK356x TSADC clocks to rkclock(4). - Added GMAC-related RK356x clocks to rkclock(4). - Added RK3588 support to rkclock(4) and rkpinctrl(4). - Added mvortc(4), a driver for the RTC on the ARMADA 38x series. - Added mvodog(4), a driver for the watchdog on the ARMADA 38x series. - Implemented rkpinctrl(4) support for explicit routing to use alternative pin muxings. - Added ytphy(4), a driver for the MotorComm YT8511 PHY. - Made rktemp(4) work on RK356x with U-Boot. - Added initialization code for RK356x in dwpcie(4) to prevent kernel hangs. - Implemented setting the parent clock for RK356x in rkclock(4). - Added dwpcie(4) code to bring up the PCIe controller on the RK356x. - Added rkpciephy(4), a driver for the PCIe 3.0 PHY found on the RK356x. - Added rkcomphy(4), a driver for the "naneng" combo PHY found on the RK356x (and RK3588). Only PCIe, SATA and USB3 support are implemented. o Improved support for Apple arm64 hardware - Made aplhidev(4) recognize M1 laptops with touchbars and translated Fn+(1-10,-,=) keys to F1-F12 on these systems. - Added suspend/resume support to aplns(4). - Implemented wakeup interrupt support in aplintc(4). - Added suspend/resume support to control the power domain to aplsart(4). - Made the power button function as a wakeup button during suspend in aplsmc(4). - Added aplpwm(4), a driver for the PWM controller found on Apple Silicon. - Improve Apple support by increasing the apliic(4) transfer completion timeout to 100ms to accommodate USB Type-C PD chips. - Added tipd(4), a driver fixing USB hotplug of type-C connectors on Apple Silicon hardware. - Improved aplpmu(4) range check to protect against overflow. - Added aplefuse(4), a driver for the eFuses on Apple Silicon SoCs. - Enabled aplpcie(4) power management for PCI devices. - Disable the screen backlight with aplsmc(4) on Apple Silicon laptops when the lid is closed. o X13s support - Worked around incomplete ACPI tables on the Lenovo x13s by loading the alternate device tree binaries from disk. - Set console output to the framebuffer on Lenovo x13s machines. - Made the USB ports work after a suspend/resume cycle on the x13s. o Improved audio devices - Made aplaudio(4) calculate the bit clock based on numbers of channels, bytes/sample and sample rate. - Set sncodec(4) and tascodec(4) default volume to -30dB instead of the hardware default of 0dB (maximum). - Added sncodec(4), a driver for the TI SNO12776/TAS2764 digital amplifier. o Other changes - Added support for the Wacom One M CTL-672 tablet to uwacom(4). - Hooked up the same USB device drivers on riscv64 as done in the arm64 architecture kernel. Enabled access to usb(4), ugen(4), ulpt(4), ucom(4) and ujoy(4). - Added uftdi(4) support for FTDI FT232R. - Added uhidpp(4) support for Bolt receivers and the Unified Battery feature often found on newer Logitech HID++ hardware. - Converted more RTC drivers to use todr_attach(). Quality of the RTC is set such that "discrete" RTC chips are preferred over RTCs integrated on a SoC. - Added support for the DS1339 RTC as found on the PiJuice. - Added qcrtc(4), a driver for the RTC found on Qualcomm PMICs. - Improved qcrtc(4) RTC reliability. - Added cursor back tab support to wscons(4) VT100 emulation. Added aixterm bright color sequences (SGR 90-97 and 100-107). - Added missing wscons(4) bounds checks when processing terminal escape sequences. - Replaced broken UTF-8 logic in wscons(4) with a better one borrowed from Citrus. - Introduced pijuice(4), an apm/sensor driver for the PiJuice HAT UPS. - Added pwmleds(4), a driver for PWM controlled LEDs. - Implemented dwpcie(4) support for the (optional) MSI controller of the Synopsys DesignWare PCIe host bridge. - Added icc(4) driver for I2C Consumer Control devices. - Prevented a possible crash when a ugen(4) device is detached. - Implemented wakeup interrupt handling in agintc(4). - Enabled pcagpio(4) and pcamux(4), making the SFP port on the ClearFog Base (CN9130) work. - Adopted a workaround for a bug in the ARM generic timer on the A64, disabling userland timecounter support on affected hardware pending a similar libc workaround. - Made amd64 cpuid recognize protection keys for Protection Key Supervisor (PKS). - Implemented access to EFI variables ESRT through an ioctl(2) interface compatible with what FreeBSD and NetBSD have. Created /dev/efi on amd64 and arm64. - Added dwge(4) support for "enhanced descriptor" mode found on some variants of the Synopsys DesignWare GMAC. - Removed the elansc(4) driver for AMD Elan SC520 System Controller. - Made ppb(4) bus range available after detaching, fixing unplugging and replugging thunderbolt devices that were plugged in when the machine was booted. - Reworked the arm64 architecture cpu_init_secondary() function to allow use for both initial powerup and wakeup from deeper sleep states. - Added ufshci(4), a driver for Universal Flash Storage (UFS) Host Controllers. - Added scmi(4), a driver for the ARM System Control and Management Interface. - Added support for the Shenzhen Tangcheng Technology TCS4525 voltage regulator to fanpwr(4). - Added psci(4) (ARM Power State Coordination Interface) support for available deep idle states as advertised in device trees. - Added eephy(4), found on the Turris Omnia WAN port, to armv7. - Added polling to tipmic(4) driver when starting from a cold boot, fixing a hang on boot. - Added a workaround for Intel Braswell/Cherry Trail mwait hang. - Added the Armada 380 temperature sensor to mvtemp(4) and enabled the driver on armv7. - New or improved network hardware support: o Enabled em(4) IPv4, TCP and UDP checksum offloading and hardware VLAN tagging on devices with 82575, 82576, i350 and i210 chipsets. o Improved mcx(4) performance by using interrupt-based command completion. o Fixed a panic seen with rge(4) RTL8125 with MCLGETL. o Add dwqe(4), a driver for the Synopsys DesignWare Ethernet QoS controller used on the NXP i.MX8MP, the Rockchip RK35xx series and Intel Elkhart Lake. o Worked around an issue on the StarFive JH7100 SoC to make dwge(4) Ethernet work reliably on the StarFive VisionFive 1 board. o In mvneta(4), passed MII flags depending on the phy mode specified in the device tree, making the WAN port work on the Turris Omnia. - Added or improved wireless network drivers: o Bumped tsleep timeout for bwfm(4) PCI devices to help prevent failures loading firmware, particularly on Apple M2 laptops. o Implemented alternative mailbox handling mechanism required by newer bwfm(4) firmware. o Fixed bwfm(4) issues with suspend/resume and possible firmware crashes on the M2 MacBook Air. o Prevented an iwx(4) firmware error when authentication to the AP times out. o Fixed a crash in iwx(4) when connecting to WEP networks via ifconfig(8) join. o Fixed an alignment issue in iwx(4) Rx descriptors. o Avoided trying to remove keys while doing crypto in hardware if the station is not active in iwx(4) firmware, fixing a firmware panic. o Prevented potential panics by disallowing the iwx(4) init task from running in parallel to wakeup code during resume. o Switched all iwx(4) devices to -77 firmware images. o Upgraded firmware images for iwm(4) 9260 and 9560 devices. o Made iwx(4) get the primary channel number from AP beacon info, preventing problems on 40/80Mhz channels if there is a mismatch. o Fixed iwx(4) session protection event duration. - IEEE 802.11 wireless stack improvements and bugfixes: o Made net80211 drop beacons received on secondary HT/VHT channels, preventing iwm(4) firmware panics and making association work with 11ac APs which transmit beacons on channels other than their primary. o Made WEP encryption work on bwfm(4). - Installer, upgrade and bootloader improvements: o Made installer answers ! and (S)hell drop into a ksh(1) environment rather than the more limited sh(1). o Added support for configuring interfaces by lladdr (MAC). o Made the installer skip interface configuration questions when no interfaces are available. o Fixed resizing partitions on an auto-allocated disk that had a boot partition. o Stopped the installer from asking to initialize disks that have softraid(4) chunks. o Made efiboot fdt support device trees with NOPs in them (like the kernel version). o Improved the default choice for the installer's install media disk question to show the first disk that (a) is not the root disk and (b) is not a disk with softraid chunks (hosting the root disk, for example). o Stopped offering WEP in the installer if not supported. o Fixed lock file error on installer exit/abort. o Made installboot(8) -p support softraid(4). o Made installboot(8) silently skip softraid(4) keydisks. o Fixed passing explicit stages files to installboot(8). o Added mount_nfs(8) to the sparc64 installer, to fetch sets over NFS. o Copy the apple-boot firmware to EFI system partition, enabling automatic bootloader updates on Apple Silicon computers. o Made the installer stop printing MD post installation instructions on upgrades. o Made it possible to set keyboard layout(s) in arm64's installer. o Added initial support in the installer for guided disk encryption for amd64, i386, riscv64 and sparc64. o Added passing of boot device information from the bootloader to the kernel on luna88k. o Switched luna88k boot loader to MI boot code. o Made the luna88k bootloader display a puffy boot logo. o Made ls(1) work correctly in the luna88k bootloader. o Made time(1) work correctly in the luna88k bootloader. o Removed dangerous user-settable "addr" variable from MI bootloader, only compiling tty-related code on platforms where it makes sense for the bootloader to control it. o Added "machine poweroff" command on luna88k bootloader. o Switched alpha to machine-independent boot blocks. o Switched all architectures' ramdisks (except alpha's and luna88k's) to use installboot(8) -p. o Fixed ofwboot OpenFirmware map call to unbreak boot on some machines. o Reduced ofwboot.net size after libz update to unbreak netboot on some machines. o Made riscv64 bootloader support boot from RAID 1C softraid volumes. o Made installboot(8) support softraid(4) on riscv64. o Stopped creating defunct Vax (ra, rx), HP-300 (hd) and Sparc (xy, xd) devices in /dev. - Security improvements: o Permissions (RWX, MAP_STACK, etc.) on address space regions can be made immutable, so that mmap(2), mprotect(2) or munmap(2) fail with EPERM. Most of the program static address space is now automatically immutable (main program, ld.so, main stack, load-time shared libraries, and dlopen()'d libraries mapped without RTLD_NODELETE). Programmers can request non-immutable static data using the "openbsd.mutable" section, or manually bring immutability to (page aligned heap objects) using mimmutable(2). The main internal data of malloc(3) is marked immutable. o Some architectures now have non-readable code ("xonly"), both from the perspective of userland reading its own memory, or the kernel trying to read memory in a system call. Many sloppy practices in userland code had to be repaired to allow this. The linker (ld.lld(1)) option --execute-only is enabled by default. In order of development: arm64, riscv64, hppa, amd64, powerpc64, powerpc (G5 only), octeon, and sparc64 (sun4u only; unfinished). o On all architectures which lack hardware-enforcement of xonly, system calls are now prevented from reading (via copyin(9)/copyinst) inside the program's main text, ld.so text, sigtramp text, or libc.so text. o These can still benefit from switching to --execute-only binaries if the cpu generates different traps for instruction-fetch versus data-fetch. The VM system will not allow memory to be read before it was executed which is valuable together with library relinking. Architectures switched over include loongson. o ld.so(1) and crt0 register the location of the execve(2) stub with the kernel using pinsyscall(2), after which the kernel only accepts an execve call from that specific location. o Added execve(2) violations of pinsyscall(2) policy to the daily mail, available by setting rc.conf.local(5) accounting=YES. o Added retguard (consistency-check the return address on the stack) to amd64 syscalls. o sshd random relinking at boot: Randomly relink and install sshd(8), resulting in a sshd binary with unknown address layout after every reboot. o Add another mitigation against classic BROP on systems without execute-only mmu hardware-enforcement. A range-checking wrapper in front of copyin(9) and copyinstr(9) ensures the userland source address doesn't overlap the main program text and other text segments, thereby making these address ranges unreadable to the kernel. No programs have been discovered which require reading their own text segments with a system call. o On arm64, introduce mitigation of the Spectre-BHB (Branch History Injection) CPU vulnerability by using core-specific trampoline vectors. o Enabled the arm64 Data Independent Timing (DIT) feature in both the kernel and userland on CPUs that support it to mitigate timing side-channel attacks. - Changes in the network stack: o Made /dev/pf a clonable device to better track kernel resources used by processes. o Modified TCP receive buffer size auto-scaling to use the smoothed RTT (SRTT) instead of the timestamp option, which improves performance on high latency networks if the timestamp option isn't available. o Relaxed the requirement for multicast support of interfaces for configuring IPv6. This allows non-multicast interfaces such as point-to-point interfaces and the NBMA / point-to-multipoint interfaces like mpe(4), mgre(4) and wg(4) to work with IPv6. o Use the new getnsecruntime(9) timer to check the TCP_KEEPALIVE timer only against the system runtime, not the uptime. Prevents TCP connections to fail after waking up from suspend. o Used stoeplitz (symmetric Toeplitz hash algorithm) to generate a hash/flowid for pf(4) state keys. With this change, pf will hash traffic the same way that hardware using a stoeplitz key will hash incoming traffic on rings. stoeplitz is also used by the TCP stack to generate a flow id, which is used to pick which transmit ring is used on nics with multiple queues, too. Using the same algorithm throughout the stack encourages affinity of packets to rings and softnet threads the whole way through. o Prevented possible kernel crashes by dropping TCP packets with destination port 0 in pf(4) and the stack. o Fixed an endian swap bug causing problems with vlan(4) on em(4) sparc64 systems. o Denied "pipex no" tunnel setting for pppx(4) interfaces. o Fixed pfsync(4) crashing on pf_state_key removal. o Fixed a panic in pfsync(4) when there is no data ready for bulk transfer. o Turned off TCP Segmentation Offload (TSO) if interface is added to layer 2 devices. o Improved vnet(4) to work better in busy conditions. o Added a bpf(4) timeout (BIOCSWTIMEOUT) between capturing a packet and making the buffer readable, preventing, for example, pflogd(8) waking every half second even if there is nothing to read. By default this buffer is infinite and must be filled to become readable. o Avoided enabling TSO on interfaces which are already attached to a bridge. - Routing daemons and other userland network improvements: o IPsec support was improved: - Added iked(8) support for configuring multiple name servers. - Synced proc.c from vmd(8) to iked(8) to enable fork + exec for all processes. This gives each process a fresh and unique address space to further improve randomization of ASLR and stack protector. o In bgpd(8), bgpctl(8) and bgplgd(8): - Improved performance by optimising the output filters. - Add Autonomous System Provider Authorization (ASPA) validation based on draft-ietf-sidrops-aspa-verification-12 - Introduce avs (ASPA validation state) filter and bgpctl filter argument. - Add ASPA support for the RTR protocol based on draft-ietf-sidrops-8210bis-10. - Improve open policy (RFC 9234) support and enable the capability automatically if a role is specified for the peer. - Introduce a per-neighbor 'role' configuration option to specify the session role used by ASPA verification and the open policy capability. The 'announce policy' statement was simplified at the same time. - Improve startup behaviour by introducing a small delay before opening the connection to a new peer. - Support for aspa-set table config which can be provided by rpki-client(8). - Make it possible to filter the RIB by invalid and leaked prefixes in bgpctl and bgplgd. - Add OpenMetrics output to bgpctl for various BGP statistics and add /metrics endpoint to bgplgd. - Fix of incorrect length checks that allowed an out-of-bounds read in bgpd. o rpki-client(8) saw some changes: - Add a new '-H' command line option to create a shortlist of repositories to synchronize to. For example, when invoking "rpki-client -H rpki.ripe.net -H chloe.sobornost.net", the utility will not connect to any other hosts other than the two specified through the -H option. - Add support for validating Geofeed (RFC 9092) authenticators. To see an example download https://sobornost.net/geofeed.csv and run "rpki-client -f geofeed.csv" - Add support for validating Trust Anchor Key (TAK) objects. TAK objects can be used to produce new Trust Anchor Locators (TALs) signed by and verified against the previous Trust Anchor. See draft-ietf-sidrops-signed-tal for the full specification. - Log lines related to RRDP/HTTPS connection problems now include the IP address of the problematic endpoint (in brackets). - Improve the error message when an invalid filename is encountered in the rpkiManifest field in the Subject Access Information (SIA) extension. - Emit a warning when unexpected X.509 extensions are encountered. - Restrict the ROA ipAddrBlocks field to only allow two ROAIPAddressFamily structures (one per address family). See draft-ietf-sidrops-rfc6482bis. - Check the absence of the Path Length constraint in the Basic Constraints extension. - Restrict the SIA extension to only allow the signedObject and rpkiNotify accessMethods. - Check that the Signed Object access method is present in ROA, MFT, ASPA, TAK, and GBR End-Entity certificates. - In addition to the 'rsync://' scheme, also permit other schemes (such as 'https://') in the SIA signedObject access method. - Check that the KeyUsage extension is set to nothing but digitalSignature on End-Entity certificates. - Check that the KeyUsage extension is set to nothing but keyCertSign and CRLSign on CA certificates. - Check that the ExtendedKeyUsage extension is absent on CA certificates. - Fix a bug in the handling of the port of http_proxy. - The '-r' command line option has been deprecated. - Filemode (-f) output is now presented as a text based table. - The 'expires' key in the JSON/CSV/OpenBGPD output formats is now calculated with more accuracy. The calculation takes into account the nextUpdate value of all intermediate CRLs in the signature path towards the trust anchor, in addition to the expiry moment of the leaf-CRL and CAs. - Handling of CRLs and Manifests in the face of inconsistent RRDP delta publications has been improved. A copy of an alternative version of the applicable CRL is kept in the staging area of the cache directory, in order to increase the potential for establishing a complete publication point, in cases where a single publication point update was smeared across multiple RRDP delta files. - The OpenBGPD configuration output now includes validated Autonomous System Provider Authorization (ASPA) payloads as an 'aspa-set {}' configuration block. - When rpki-client is invoked with increased verbosity ('-v'), the current RRDP Serial and Session ID are shown to aid debugging. - Self-signed X.509 certificates (such as Trust Anchor certificates) now are considered invalid if they contain an X.509 AuthorityInfoAccess extension. - Signed Objects where the CMS signing-time attribute contains a timestamp later then the X.509 certificate's notAfter timestamp are considered invalid. - Manifests where the CMS signing-time attribute contains a timestamp later then the Manifest eContent nextUpdate timestamp are considered invalid. - Any objects whose CRL Distribution Points extension contains a CRLIssuer, CRL Reasons, or nameRelativeToCRLIssuer field are considered invalid in accordance with RFC 6487 section 4.8.6. - For every X.509 certificate the SHA-1 of the Subject Public Key is calculated and compared to the Subject Key Identifier (SKI). If a mismatch is found the certificate is not trusted. - Require the outside-TBS signature OID for every X.509 intermediate CA certificate and CRL to be sha256WithRSAEncryption. - Require the RSA key pair modulus and public exponent parameters to strictly conform to the RFC 7935 profile. - Ensure there is no trailing garbage present in Signed Objects beyond the self-embedded length field. - Require RRDP Session IDs to strictly be version 4 UUIDs. - When decoding and validating an individual RPKI file using filemode (rpki-client -f file), display the signature path towards the trust anchor and the timestamp when the signature path will expire. - When decoding and validating an individual RPKI file using filemode (rpki-client -f file), display the optional CMS signing-time, non-optional X.509 notBefore timestamp and non-optional X.509 notAfter timestamp. o Updated zlib to 1.2.13. o Fixed a long-standing bug in a libreadline header that broke the interactive Python command line interface. o Switched tftpd(8) to default to read-only unless -w is specified for write access (the previous default). o Stopped printing the prompt for non-interactive usage of tftp(1). o Changed rarpd(8) to only unveil /tftpboot if -t is specified. o Added client certificate authentication and an optional SASL EXTERNAL bind to ypldap(8). o Adjusted ipv6 address width to align the display columns better in the output of ndp(8), route(8) and netstat(1) as already available in systat(1)'s netstat. o Used stravis(3) to sanitize redirect URIs from ftp(1) fetch before printing. o Prevent an unwind(8) crash when a TCP query is larger than the length field indicated. o Preserve the original order of nameservers as configured via resolv.conf(5) in resolvd(8). o Restrict the characters allowed in the hostname argument of getaddrinfo(3) to the set [A-z0-9-_.]. Additionally, two consecutive dots ('.') are not allowed nor can the string start with - or '.'. This removes characters like '$', '`', '\n' or '*' that can traverse the DNS without problems but have special meaning as in a shell. o Fixed a number of out of bounds reads in DNS response parsing of the async DNS resolver in libc. o Added ifconfig(8) -M (mac) to find the mac address on an interface and print it. o Added support for configuring interfaces by lladdr to support interface configurations bound to a specific hardware device. The "if" part of the hostname.if(5) configuration file can now be a MAC address. o Limited display of wireguard peers by ifconfig(8) to when either a wireguard interface is specified or the flag "-A" is used. o Implemented the RFC 8781 PREF64 router advertisement option in rad(8) which is used to communicate NAT64 prefixes to hosts. o Moved the documentation of flag mappings displayed by "route show" from the netstat(1) manpage to route(8). o Improvements in nc(1): - Stop claiming connection success in UDP mode unless true. - Do not test the connection in non-interactive mode. The test writes characters to the socket which can corrupt data that is possibly piped into nc. - Some refactoring and code cleanup. o Improvements in acme-client(1): - Added support for newlines inside the alternative names block in acme-client.conf(5). - Use proper data structures for retrieving subject alternative names in certificates rather than printing them to a buffer and tokenizing and parsing the undocumented string. - Simplified, corrected and modernized the use of libcrypto interfaces. - Plugged various memory leaks. - Use ASN1_TIME_to_tm(3) instead of a poor man's hand-rolled version of it. - Use timegm(3) instead of mktime(3) to eliminate time-zone variation. - Encode Subject Alternative Name (SAN) entries before printing. - Prevent acme-client(1) from leaking an http get request when receiving a redirect without a location header. o Prevented smtpd(8) abort due to a connection from a local, scoped ipv6 address. o Fixed a potential NULL dereference in the unpriv child expanding %{mda} in smtpd(8). o Corrected the order of arguments for calls to shutdown(2) on the route socket of slaacd(8), dhcpleased(8) and unwind(8). o Made route(8) sourceaddr print the used addresses for inet and inet6, or "default" if no sourceaddr is set and the default algorithm is used. o Added -mpls option to the route(8) monitor command. It can be used to restrict displayed route messages to the mpls address family. o Fixed rsync(1) handling of port numbers in rsync://host[:port]/module URLS. o Made tcpdrop(8) accept netstat-style address.port syntax. o Ensured pfctl(8) correctly adds addresses to the undefined/inactive table. o Switched tftpd(8) to default to read-only unless -w is specified for write access (the previous default). o Changed rarpd(8) to only unveil /tftpboot if -t is specified. o Fixed the DIOCIGETIFACES ioctl so all network interfaces and interface groups are reported in pfctl(8). - tmux(1) improvements and bug fixes: o Added scroll-top and scroll-bottom tmux(1) commands to scroll so cursor is at the top or bottom respectively. o Added a -T flag to tmux(1) capture-pane to capture up to the last used cell and not the full width of the pane. o Preserved the marked pane when renumbering windows in tmux(1). o Added modified tab key sequences to tmux(1). o Changed tmux(1) to only set the extended flag when searching, which allows send-keys to work. o Added a -l flag to tmux(1) display-message to disable format expansion. o Fixed a tmux(1) crash when there are no window buffers. o Fixed tmux(1) C-S-Tab without extended keys. o Added tmux(1) send-keys -K to handle keys directly as if typed. o Made tmux(1) tty-keys accept \007 as terminator to OSC 10 or 11. o Made tmux(1) recognize pasted texts wrapped in bracket paste sequences, rather than only forwarding to the program inside. o Supported -1 without -N for list-keys in tmux(1). o Added a flag to tmux(1) display-menu to select the menu item chosen first. o Added Backtab key support to tmux(1) o Disallowed multiple consecutive line separators in tmux(1) menu. o Extended display-message to work for control clients in tmux(1). o Added -f to list-clients in tmux(1). o Added a tmux(1) L modifier like P, W, S to loop over clients. - LibreSSL version 3.7.2 o New features - Added Ed25519 support both as a primitive and via OpenSSL's EVP interfaces. - X25519 is now also supported via EVP. - The OpenSSL 1.1 raw public and private key API is available with support for EVP_PKEY_ED25519, EVP_PKEY_HMAC and EVP_PKEY_X25519. Poly1305 is not currently supported via this interface. - Added EVP_CIPHER_meth_*() setter API. - Added various X.509 accessor functions. o Compatibility changes - BIO_read() and BIO_write() now behave more closely to OpenSSL 3 in various corner cases. o Bug fixes - Added EVP_chacha20_poly1305() to the list of all ciphers. - Fixed potential leaks of EVP_PKEY in various printing functions - Fixed potential leak in OBJ_NAME_add(). - Avoid signed overflow in i2c_ASN1_BIT_STRING(). - Cleaned up EVP_PKEY_ASN1_METHOD related tables and code. - Fixed long standing bugs BN_GF2m_poly2arr() and BN_GF2m_mod(). - Fixed segfaults in BN_{dec,hex}2bn(). - Fixed NULL dereference in x509_constraints_uri_host() reachable only in the process of generating certificates. - Fixed a variety of memory corruption issues in BIO chains coming from poor old and new API: BIO_push(), BIO_pop(), BIO_set_next(). - Avoid potential divide by zero in BIO_dump_indent_cb() - Fixed a memory leak, a double free and various other issues in BIO_new_NDEF(). - Fixed various crashes in the openssl(1) testing utility. - Do not check policies by default in the new X.509 verifier. - Avoid crash with ASN.1 BOOLEANS in openssl(1) asn1parse. - Added missing error checking in PKCS7. - Call CRYPTO_cleanup_all_ex_data() from OPENSSL_cleanup(). o Documentation improvements - Numerous improvements and additions for ASN.1, BIO, BN, and X.509. - The BN documentation is now considered to be complete. - Marked BIO_s_log(3) BIO_nread0(3), BIO_nread(3), BIO_nwrite0(3), BIO_nwrite(3), BIO_dump_cb(3) and BIO_dump_indent_cb(3) as intentionally undocumented. - Documented various BIO_* interfaces. - Documented ED25519_keypair(3), ED25519_sign(3), and ED25519_verify(3). - Documented EVP_PKEY raw private/public key interfaces. - Documented ASN1_buf_print(3). - Documented DH_get0_*, DSA_get0_*, ECDSA_SIG_get0_* and RSA_get0_*. - Merged documentation of UI_null() from OpenSSL 1.1 - Various spelling and other documentation improvements. o Internal improvements - Remove dependency on system timegm() and gmtime() by replacing traditional Julian date conversion with POSIX epoch-seconds date conversion from BoringSSL. - Removed old and unused BN code dealing with primes. - Started rewriting name constraints code using CBS. - Removed support for the HMAC PRIVATE KEY. - Reworked DSA signing and verifying internals. - Rewrote the TLSv1.2 key exporter. - Cleaned up and refactored various aspects of the legacy TLS stack. - Initial overhaul of the BIGNUM code: # Added a new framework that allows architecture-dependent replacement implementations for bignum primitives. # Imported various s2n-bignum's constant time assembly primitives and switched amd64 to them. # Lots of cleanup, simplification and bug fixes. - Changed Perl assembly generators to move constants into .rodata, allowing code to run with execute-only permissions. - Capped the number of iterations in DSA and ECDSA signing (avoiding infinite loops), added additional sanity checks to DSA. - ASN.1 parsing improvements. - Cleanup and improvements in EC code, including always clearing EC groups and points on free. - Various openssl(1) improvements. - Various nc(1) improvements. o Security fixes - A malicious certificate revocation list or timestamp response token would allow an attacker to read arbitrary memory. - OpenSSH 9.3 and OpenSSH 9.2 This release of OpenBSD includes the changes made to OpenSSH since release 9.1: o Security - ssh-add(1): when adding smartcard keys to ssh-agent(1) with the per-hop destination constraints (ssh-add -h ...) added in OpenSSH 8.9, a logic error prevented the constraints from being communicated to the agent. This resulted in the keys being added without constraints. The common cases of non-smartcard keys and keys without destination constraints are unaffected. This problem was reported by Luci Stanescu. - ssh(1): Portable OpenSSH provides an implementation of the getrrsetbyname(3) function if the standard library does not provide it, for use by the VerifyHostKeyDNS feature. A specifically crafted DNS response could cause this function to perform an out-of-bounds read of adjacent stack data, but this condition does not appear to be exploitable beyond denial-of-service to the ssh(1) client. The getrrsetbyname(3) replacement is only included if the system's standard library lacks this function and portable OpenSSH was not compiled with the ldns library (--with-ldns). getrrsetbyname(3) is only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This problem was found by the Coverity static analyzer. - sshd(8): fix a pre-authentication double-free memory fault introduced in OpenSSH 9.1. This is not believed to be exploitable, and it occurs in the unprivileged pre-auth process that is subject to chroot(2) and is further sandboxed on most major platforms. - ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen option would ignore its first argument unless it was one of the special keywords "any" or "none", causing the permission list to fail open if only one permission was specified. bz3515 - ssh(1): if the CanonicalizeHostname and CanonicalizePermittedCNAMEs options were enabled, and the system/libc resolver did not check that names in DNS responses were valid, then use of these options could allow an attacker with control of DNS to include invalid characters (possibly including wildcards) in names added to known_hosts files when they were updated. These names would still have to match the CanonicalizePermittedCNAMEs allow-list, so practical exploitation appears unlikely. o Potentially-incompatible changes - ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that controls whether the client-side ~C escape sequence that provides a command-line is available. Among other things, the ~C command-line could be used to add additional port-forwards at runtime. This option defaults to "no", disabling the ~C command-line that was previously enabled by default. Turning off the command-line allows platforms that support sandboxing of the ssh(1) client (currently only OpenBSD) to use a stricter default sandbox policy. o New features - ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when outputting SSHFP fingerprints to allow algorithm selection. bz3493 - sshd(8): add a `sshd -G` option that parses and prints the effective configuration without attempting to load private keys and perform other checks. This allows usage of the option before keys have been generated and for configuration evaluation and verification by unprivileged users. - sshd(8): add support for channel inactivity timeouts via a new sshd_config(5) ChannelTimeout directive. This allows channels that have not seen traffic in a configurable interval to be automatically closed. Different timeouts may be applied to session, X11, agent and TCP forwarding channels. - sshd(8): add a sshd_config UnusedConnectionTimeout option to terminate client connections that have no open channels for a length of time. This complements the ChannelTimeout option above. - sshd(8): add a -V (version) option to sshd like the ssh client has. - ssh(1): add a "Host" line to the output of ssh -G showing the original hostname argument. bz3343 - scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to allow control over some SFTP protocol parameters: the copy buffer length and the number of in-flight requests, both of which are used during upload/download. Previously these could be controlled in sftp(1) only. This makes them available in both SFTP protocol clients using the same option character sequence. - ssh-keyscan(1): allow scanning of complete CIDR address ranges, e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then it will be expanded to all possible addresses in the range including the all-0s and all-1s addresses. bz#976 - ssh(1): support dynamic remote port forwarding in escape command-line's -R processing. bz#3499 o Bugfixes - scp(1), sftp(1): fix progressmeter corruption on wide displays; bz3534 - ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability of private keys as some systems are starting to disable RSA/SHA1 in libcrypto. - sftp-server(8): fix a memory leak. GHPR363 - ssh(1), sshd(8), ssh-keyscan(1): remove vestigial protocol compatibility code and simplify what's left. - Fix a number of low-impact Coverity static analysis findings. These include several reported via bz2687 - ssh_config(5), sshd_config(5): mention that some options are not first-match-wins. - Rework logging for the regression tests. Regression tests will now capture separate logs for each ssh and sshd invocation in a test. - ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage says it should; bz3532. - ssh(1): ensure that there is a terminating newline when adding a new entry to known_hosts; bz3529 - ssh(1): when restoring non-blocking mode to stdio fds, restore exactly the flags that ssh started with and don't just clobber them with zero, as this could also remove the append flag from the set. bz3523 - ssh(1): avoid printf("%s", NULL) if using UserKnownHostsFile=none and a hostkey in one of the system known hosts file changes. - scp(1): switch scp from using pipes to a socket-pair for communication with its ssh sub-processes, matching how sftp(1) operates. - sshd(8): clear signal mask early in main(); sshd may have been started with one or more signals masked (sigprocmask(2) is not cleared on fork/exec) and this could interfere with various things, e.g. the login grace timer. Execution environments that fail to clear the signal mask before running sshd are clearly broken, but apparently they do exist. - ssh(1): warn if no host keys for hostbased auth can be loaded. - sshd(8): Add server debugging for hostbased auth that is queued and sent to the client after successful authentication, but also logged to assist in diagnosis of HostbasedAuthentication problems. bz3507 - ssh(1): document use of the IdentityFile option as being usable to list public keys as well as private keys. GHPR352 - sshd(8): check for and disallow MaxStartups values less than or equal to zero during config parsing, rather than failing later at runtime. bz3489 - ssh-keygen(1): fix parsing of hex cert expiry times specified on the command-line when acting as a CA. - scp(1): when scp(1) is using the SFTP protocol for transport (the default), better match scp/rcp's handling of globs that don't match the globbed characters but do match literally (e.g. trying to transfer a file named "foo.[1]"). Previously scp(1) in SFTP mode would not match these pathnames but legacy scp/rcp mode would. bz3488 - ssh-agent(1): document the "-O no-restrict-websafe" command-line option. - ssh(1): honour user's umask(2) if it is more restrictive then the ssh default (022). - Ports and packages: o Pre-built packages are available for the following architectures on the day of release: - aarch64 (arm64): 11561 - amd64: 11764 - i386: 10572 - mips64: 8936 - powerpc64: 8474 - riscv64: 10191 - sparc64: 9325 o Packages for the following architectures will be made available as their builds complete: - arm - powerpc - Some highlights: o Asterisk 16.30.0, 18.17.0 and o Mozilla Thunderbird 102.9.0 20.2.0 o Mutt 2.2.9 and NeoMutt 20220429 o Audacity 3.2.5 o Node.js 18.15.0 o CMake 3.25.2 o OCaml 4.12.1 o Chromium 111.0.5563.110 o OpenLDAP 2.6.4 o Emacs 28.2 o PHP 7.4.33, 8.0.28, 8.1.16 and o FFmpeg 4.4.3 8.2.3 o GCC 8.4.0 and 11.2.0 o Postfix 3.5.17 and 3.7.3 o GHC 9.2.7 o PostgreSQL 15.2 o GNOME 43.3 o Python 2.7.18, 3.9.16, 3.10.10 o Go 1.20.1 and 3.11.2 o JDK 8u362, 11.0.18 and 17.0.6 o Qt 5.15.8 and 6.4.2 o KDE Applications 22.12.3 o R 4.2.1 o KDE Frameworks 5.103.0 o Ruby 3.0.5, 3.1.3 and 3.2.1 o Krita 5.1.5 o Rust 1.68.0 o LLVM/Clang 13.0.0 o SQLite 2.8.17 and 3.41.0 o LibreOffice 7.5.1.2 o Shotcut 22.12.21 o Lua 5.1.5, 5.2.4, 5.3.6 and o Sudo 1.9.13.3 5.4.4 o Suricata 6.0.10 o MariaDB 10.9.4 o Tcl/Tk 8.5.19 and 8.6.13 o Mono 6.12.0.182 o TeX Live 2022 o Mozilla Firefox 111.0 and o Vim 9.0.1388 and Neovim 0.8.3 ESR 102.9.0 o Xfce 4.18 - As usual, steady improvements in manual pages and other documentation. - The system includes the following major components from outside suppliers: o Xenocara (based on X.Org 7.7 with xserver 21.1.6 + patches, freetype 2.12.1, fontconfig 2.14, Mesa 22.3.4, xterm 378, xkeyboard-config 2.20, fonttosfnt 1.2.2, and more) o LLVM/Clang 13.0.0 (+ patches) o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches) o Perl 5.36.0 (+ patches) o NSD 4.6.1 o Unbound 1.17.0 o Ncurses 5.7 o Binutils 2.17 (+ patches) o Gdb 6.3 (+ patches) o Awk September 12, 2022 version o Expat 2.5.0 ------------------------------------------------------------------------ - SECURITY AND ERRATA -------------------------------------------------- We provide patches for known security threats and other important issues discovered after each release. Our continued research into security means we will find new security problems -- and we always provide patches as soon as possible. Therefore, we advise regular visits to https://www.OpenBSD.org/security.html and https://www.OpenBSD.org/errata.html ------------------------------------------------------------------------ - MAILING LISTS AND FAQ ------------------------------------------------ Mailing lists are an important means of communication among users and developers of OpenBSD. For information on OpenBSD mailing lists, please see: https://www.OpenBSD.org/mail.html You are also encouraged to read the Frequently Asked Questions (FAQ) at: https://www.OpenBSD.org/faq/ ------------------------------------------------------------------------ - DONATIONS ------------------------------------------------------------ The OpenBSD Project is a volunteer-driven software group funded by donations. Besides OpenBSD itself, we also develop important software like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet filter, the quality work of our ports development process, and many others. This ecosystem is all handled under the same funding umbrella. We hope our quality software will result in contributions that maintain our build/development infrastructure, pay our electrical/internet costs, and allow us to continue operating very productive developer hackathon events. All of our developers strongly urge you to donate and support our future efforts. Donations to the project are highly appreciated, and are described in more detail at: https://www.OpenBSD.org/donations.html ------------------------------------------------------------------------ - OPENBSD FOUNDATION --------------------------------------------------- For those unable to make their contributions as straightforward gifts, the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian not-for-profit corporation that can accept larger contributions and issue receipts. In some situations, their receipt may qualify as a business expense write-off, so this is certainly a consideration for some organizations or businesses. There may also be exposure benefits since the Foundation may be interested in participating in press releases. In turn, the Foundation then uses these contributions to assist OpenBSD's infrastructure needs. Contact the foundation directors at directors@openbsdfoundation.org for more information. ------------------------------------------------------------------------ - HTTPS INSTALLS ------------------------------------------------------- OpenBSD can be easily installed via HTTPS downloads. Typically you need a single small piece of boot media (e.g., a USB flash drive) and then the rest of the files can be installed from a number of locations, including directly off the Internet. Follow this simple set of instructions to ensure that you find all of the documentation you will need while performing an install via HTTPS. 1) Read either of the following two files for a list of HTTPS mirrors which provide OpenBSD, then choose one near you: https://www.OpenBSD.org/ftp.html https://ftp.openbsd.org/pub/OpenBSD/ftplist As of April 10, 2023, the following HTTPS mirror sites have the 7.3 release: https://cdn.openbsd.org/pub/OpenBSD/7.3/ Global https://ftp.eu.openbsd.org/pub/OpenBSD/7.3/ Stockholm, Sweden https://ftp.hostserver.de/pub/OpenBSD/7.3/ Frankfurt, Germany https://ftp.bytemine.net/pub/OpenBSD/7.3/ Oldenburg, Germany https://ftp.fr.openbsd.org/pub/OpenBSD/7.3/ Paris, France https://mirror.aarnet.edu.au/pub/OpenBSD/7.3/ Brisbane, Australia https://ftp.usa.openbsd.org/pub/OpenBSD/7.3/ CO, USA https://ftp5.usa.openbsd.org/pub/OpenBSD/7.3/ CA, USA https://mirror.esc7.net/pub/OpenBSD/7.3/ TX, USA https://openbsd.cs.toronto.edu/pub/OpenBSD/7.3/ Toronto, Canada https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.3/ Global https://fastly.cdn.openbsd.org/pub/OpenBSD/7.3/ Global The release is also available at the master site: https://ftp.openbsd.org/pub/OpenBSD/7.3/ Alberta, Canada However it is strongly suggested you use a mirror. Other mirror sites may take a day or two to update. 2) Connect to that HTTPS mirror site and go into the directory pub/OpenBSD/7.3/ which contains these files and directories. This is a list of what you will see: ANNOUNCEMENT armv7/ octeon/ root.mail README hppa/ openbsd-73-base.pub sparc64/ SHA256 i386/ packages/ src.tar.gz SHA256.sig landisk/ packages-stable/ sys.tar.gz alpha/ loongson/ ports.tar.gz xenocara.tar.gz amd64/ luna88k/ powerpc64/ arm64/ macppc/ riscv64/ It is quite likely that you will want at LEAST the following files which apply to all the architectures OpenBSD supports. README - generic README root.mail - a copy of root's mail at initial login. (This is really worthwhile reading). 3) Read the README file. It is short, and a quick read will make sure you understand what else you need to fetch. 4) Next, go into the directory that applies to your architecture, for example, amd64. This is a list of what you will see: BOOTIA32.EFI* bsd* floppy73.img pxeboot* BOOTX64.EFI* bsd.mp* game73.tgz xbase73.tgz BUILDINFO bsd.rd* index.txt xfont73.tgz INSTALL.amd64 cd73.iso install73.img xserv73.tgz SHA256 cdboot* install73.iso xshare73.tgz SHA256.sig cdbr* man73.tgz base73.tgz comp73.tgz miniroot73.img If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64 and install73.iso. The install73.iso file (roughly 626MB in size) is a one-step ISO-format install CD image which contains the various *.tgz files so you do not need to fetch them separately. If you prefer to use a USB flash drive, fetch install73.img and follow the instructions in INSTALL.amd64. 5) If you are an expert, follow the instructions in the file called README; otherwise, use the more complete instructions in the file called INSTALL.amd64. INSTALL.amd64 may tell you that you need to fetch other files. 6) Just in case, take a peek at: https://www.OpenBSD.org/errata.html This is the page where we talk about the mistakes we made while creating the 7.3 release, or the significant bugs we fixed post-release which we think our users should have fixes for. Patches and workarounds are clearly described there. ------------------------------------------------------------------------ - X.ORG FOR MOST ARCHITECTURES ----------------------------------------- X.Org has been integrated more closely into the system. This release contains X.Org 7.7. Most of our architectures ship with X.Org, including amd64, sparc64 and macppc. During installation, you can install X.Org quite easily using xenodm(1), our simplified X11 display manager forked from xdm(1). ------------------------------------------------------------------------ - PACKAGES AND PORTS --------------------------------------------------- Many third party software applications have been ported to OpenBSD and can be installed as pre-compiled binary packages on the various OpenBSD architectures. Please see https://www.openbsd.org/faq/faq15.html for more information on working with packages and ports. Note: a few popular ports, e.g., NSD, Unbound, and several X applications, come standard with OpenBSD and do not need to be installed separately. ------------------------------------------------------------------------ - SYSTEM SOURCE CODE --------------------------------------------------- The source code for all four subsystems can be found in the pub/OpenBSD/7.3/ directory: xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz The README (https://ftp.OpenBSD.org/pub/OpenBSD/7.3/README) file explains how to deal with these source files. ------------------------------------------------------------------------ - THANKS --------------------------------------------------------------- Ports tree and package building by Jeremie Courreges-Anglas, Visa Hankala, Stuart Henderson, Peter Hessler, George Koehler, Kurt Mosiejczuk, and Christian Weisgerber. Base and X system builds by Kenji Aoyama, Theo de Raadt, and Miod Vallat. Release art by George Mager. We would like to thank all of the people who sent in bug reports, bug fixes, donation cheques, and hardware that we use. We would also like to thank those who bought our previous CD sets. Those who did not support us financially have still helped us with our goal of improving the quality of the software. Our developers are: Aaron Bieber, Adam Wolk, Aisha Tammy, Alexander Bluhm, Alexander Hall, Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov, Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot, Anton Lindqvist, Asou Masato, Ayaka Koshibe, Benoit Lecocq, Bjorn Ketelaars, Bob Beck, Brandon Mercer, Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar, Caspar Schutijser, Charlene Wendling, Charles Longeau, Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann, Claudio Jeker, Dale Rahn, Damien Miller, Daniel Dickman, Daniel Jakots, Darren Tucker, Dave Voutila, David Coppa, David Gwynne, David Hill, Denis Fondras, Edd Barrett, Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus, George Koehler, George Rosamond, Gerhard Roth, Giannis Tsaraias, Gilles Chehade, Giovanni Bechis, Gleydson Soares, Gonzalo L. Rodriguez, Greg Steuck, Helg Bredow, Henning Brauer, Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze, Inoguchi Kinichiro, James Hastings, James Turner, Jan Klemkow, Jason McIntyre, Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans, Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray, Jonathan Matthew, Jordan Hargrave, Josh Rickmar, Joshua Sing, Joshua Stein, Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama, Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill Bychkov, Klemens Nanni, Kurt Miller, Kurt Mosiejczuk, Landry Breuil, Lawrence Teo, Lucas Raab, Marc Espie, Marcus Glocker, Mark Kettenis, Mark Lumsden, Markus Friedl, Martijn van Duren, Martin Natano, Martin Pieuchot, Martin Reindl, Martynas Venckus, Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Mikonos, Mike Belopuhov, Mike Larkin, Miod Vallat, Moritz Buhl, Nam Nguyen, Nayden Markatchev, Nicholas Marriott, Nigel Taylor, Okan Demirmen, Omar Polo, Ori Bernstein, Otto Moerbeek, Paco Esteban, Pamela Mosiejczuk, Pascal Stumpf, Patrick Wildt, Paul Irofti, Pavel Korovin, Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas, Rafael Sadowski, Rafael Zalamena, Raphael Graf, Remi Locherer, Remi Pointel, Renato Westphal, Ricardo Mestre, Richard Procter, Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha, Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie, Solene Rapenne, Stefan Fritsch, Stefan Hagen, Stefan Kempf, Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler, Theo de Raadt, Thomas Frohwein, Tim van der Molen, Tobias Heider, Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove, Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov, Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Yasuoka Masahiko, Yojiro Uo