Contributed by weerd on 2010-05-19 from the superpuffy's-superrelease dept.

The OpenBSD team is pleased to announce the release of OpenBSD 4.7. See the announcement for more information.

Place an order worldwide or order it from the shop closest to you, or if you only download from FTP then make a donation. If you do FTP your release, be sure to use a local mirror and not the main ftp server:

Highlights of OpenBSD 4.7 are listed below.

New/extended platforms: OpenBSD/alpha Added support for the DS15/DS25/ES45. OpenBSD/loongson

New platform for systems based on the Loongson 2E and 2F MIPS-compatible processors. Supported machines include: Lemote Fuloong 2F mini-PC Lemote Lynloong all-in-one-PC Lemote Yeeloong netbook (8.9" and 10.1" models) EMTEC Gdium Liberty 1000 netbook OpenBSD/sgi Added support for multi-node SGI Origin systems, in M mode. Added support for the SGI Origin 350, Onyx 350, Onyx 4 and Tezro systems. Added SMP support on the SGI Octane. Support for many more onboard devices on Octane and Origin systems. (see below) OpenBSD/socppc Added support for the RouterBOARD RB600A. OpenBSD/sparc64 Preliminary support for running OpenBSD in a guest domain on top of an OpenBSD control domain on sun4v machines.

Improved hardware support, including: Revamped SCSI midlayer and improved driver support. UDF 2.5 and 2.6 (HDDVD and Blu-ray) disks support. Added mpath(4), a driver that steals paths to scsi devices if they could be available via multiple paths and then made available via mpath(4). New aibs(4) driver for ASUSTeK AI Booster hardware monitoring. New uthum(4) driver for the TEMPerHUM USB temperature and humidity sensors. New utrh(4) driver for USBRH temperature and humidity sensors. New uyurex(4) driver for the Maywa-denki & KAYAC YUREX twitch/jiggle of knee sensor. New urndis(4) driver for remote NDIS Ethernet over USB devices (phones). New xf86-video-wsudl(4) Xorg driver for USB DisplayLink devices supported by udl(4). New mpii(4) driver for LSI Logic Fusion MPT Message Passing Interface II based SAS 2 controllers. New athn(4) driver for Atheros IEEE 802.11a/g/n wireless network devices. New alc(4) driver for Atheros AR8131/AR8132 10/100/Gigabit Ethernet devices. New lisa(4) driver for STMicroelectronics LIS331DL MEMS motion sensors. New gcu(4) driver for Intel EP80579 Global Configuration Unit. New lom(4) driver for LOMLite and LOMLite2 as found on many of Sun's UltraSPARC-IIi servers. New vsw(4) driver for virtual switches on sun4v machines. New vds(4) driver for virtual disk servers on sun4v machines. Support for EP80579 integrated Ethernet and ICH9 M V has been added to em(4). Support for 82599 and SFP+ 82598 devices has been added to ix(4). Support for the Sun GigabitEthernet SBus Adapter 1.0/1.1 has been added to ti(4). Support for SBus variants of the QLogic Fibre Channel host adapters has been added to isp(4). Support for SBus variants of the Sun Gigabit Ethernet has been added to gem(4). Support for Intel WiFi Link 1000 and Intel Centrino Advanced-N 6200/Ultimate-N 6300 has been added to iwn(4). Support for Ralink RT3572 based 802.11n devices has been added to run(4). VIA Tremor 5.1, M-Audio Revolution 5.1 cards has been added to envy(4). New uhts(4) driver for USB HID touchscreens. Improved touchscreen support in the xf86-input-ws(4) Xorg driver and improved calibration using the new device properties from Xinput. Support for ON CAT6095 and ON CAT34TS02 temperature sensors added to sdtemp(4). Several improvements and bug fixes to existing Ethernet drivers, including em(4), re(4), ti(4) and vge(4). Support for the PIC PCI-X controller added to the SGI xbridge(4) driver. Support for the onboard Fast Ethernet interface found on SGI Octane and many SGI Origin family systems, iec(4). Support for more SGI input and video devices on Octane and Origin systems, with iockbc(4), impact(4), and odyssey(4). Improved PCI resource allocation; more hardware left unconfigured by the machine's firmware (including hotplugged hardware) should work now. Support for recording/full-duplex added to mavb(4). Improved support for USB audio devices in uaudio(4). Improved support for bwi(4) devices on strict-alignment architectures like armish. Eliminate usage of SCSI tagged queueing mechanisms other than simple queuing, thus avoiding incorrect implementations on various disk devices. Eliminate spurious dhclient(8) error messages when the specified interface does not exist. Eliminate spurious softraid(4) error messages for removable devices without media.

New tools: newfs_ext2fs(8) for creating ext2 filesystems. mkuboot(8) for creating U-Boot boot loader images. midicat(1) MIDI server allowing MIDI programs to communicate POSIX-compliant fuser(1) to identify process IDs holding a file open

Filesystem midlayer improvements: Dynamic Buffer Cache now supported to a max size set with sysctl kern.bufcachepercent Dynamic VFS name cache rewrite, now uses Red/Black trees instead of linked lists. Numerous NFS client stability fixes. Fix FAT32 mounting. Fix cd9660 directory handling to eliminate looping and random truncation of directory entries. Fix various internal locking problems with cd9660, udf, msdosfs and ffs file systems.

pf(4) improvements: nat-to, rdr-to, binat-to options replace the nat, rdr and binat translation rules. See pf(4) address translation changes for more info. The route-to, reply-to, dup-to and fastroute options in pf.conf move to filteropts. See pf(4) route-to/reply-to syntax change for more info. pf(4) can now translate packets between different routing domains. Added -S and -L options to pfctl(8) to store and load pf state table from a file. Added support for IPV4 and IPv6 divert sockets.

OpenBGPD, OpenOSPFD and other routing daemon improvements: Update capability code in bgpd(8) to follow RFC 5492. BGP MPLS VPN (RFC 4364) support added to the bgpd RIB. In bgpd(8), implement the RFC4486 BGP Cease Notification Message subcodes. It is now possible to enable/disable specific BGP capabilities. Update bgpctl(8) irrfilter to support IPv6 and 4-byte AS numbers. Minimal router-dead-time of 1 second and sub-second hello intervals added to ospfd(8). Additionally it is now possible to specify sub-second SPF timers for faster route fail-over. ospf6d(8) is now installed by default. The RIB can be synced with the kernel routing table now. Support for AS-ext LSA has been added. This is still work-in-progress but testing is highly appreciated. ldpd -- the MPLS label distribution protocol daemon -- is now installed by default. A custom kernel with option MPLS is needed to use it.

Generic network stack improvements: brconfig is now integrated into ifconfig(8) Added vether(4), a virtual Ethernet device. Two bugs in IPsec/HMAC-SHA2 were fixed, resulting in an incompatibility with the HMAC-SHA-256/384/512 hash algorithms with previous versions of OpenBSD and other IPsec implementations sharing the bugs. In dhcpd(8), echo back the Relay Agent Information option if present, and add support for the ipsec-tunnel hardware type. Make dhcrelay(8) pick up the routing domain from the specified interface and use that rdomain for relaying the packets to the server. Added support in dhcrelay(8) for RFC3046 "DHCP-over-ipsec". Make the tcpdump(8) BGP OPEN capability parser RFC 5492 compliant. Added an exec command to route(8) to run a process and its children in a specified routing domain. ifconfig(8) now deals with more than 64 alias addresses. Various fixes to mbuf defragmenting and mbuf chain copying improve reliability.

Assorted improvements: malloc(3) now has an S flag to turn on the options that help debugging and improve security. Updated terminfo(3) database and ncurses(3) library. Added support for lazy binding in ld.so(1) on hppa. Added POSIX silent check option ( -C ) to sort(1). Added POSIX extended regular expression support to sed(1) ( -E option). Added GNU-compatible macro prefix option ( -P ) to m4(1). Make it possible to specify a port in resolv.conf(5). Improved FILE locking support in stdio(3). Added SO_SNDTIMEO and SO_RCVTIMEO support in pthreads(3). cdio(1) no longer prints bogus information if no TOC is found on the disk. New -v flag causes cdio(1) to print profile and feature information. whois(1) no longer attempts to keep the memory of 6Bone alive. Added per-application MIDI-controlled volume knob to aucat(1) Added MMC and MTC support to aucat(1) making possible MIDI-to-audio synchronization Added mio_open(3) interface to access hardware and software MIDI ports Many memory leaks found by parfait and eliminated. Make handling of floppy disk disklabels more reliable by properly initializing starting label.

Install/Upgrade process changes: Take more care to ensure all filesystems are umount'ed when restarting an install or upgrade. If no possible root disk is found, keep checking until one appears. The default ftp directory for -stable is now the release directory instead of the snapshot directory. Selection of TZ during installs is no longer confused by trailing slashes. If /etc/X11 is found during upgrades, add the X sets to the list of default sets to install.

OpenSSH 5.5: New features: SSH protocol 1 is disabled by default. Remove the libsectok/OpenSC-based smartcard code and add support for PKCS#11 tokens. Add support for certificate authentication of users and hosts using a new, minimal OpenSSH certificate format (not X.509). Added a 'netcat mode' to ssh(1). Add the ability to revoke keys in sshd(8) and ssh(1). Rewrite the ssh(1) multiplexing support to support non-blocking operation of the mux master. Add a 'read-only' mode to sftp-server(8) that disables open in write mode and all other fs-modifying protocol methods. (bz#430) Allow setting an explicit umask on the sftp-server(8) commandline to override whatever default the user has. (bz#1229) Many improvements to the sftp(1) client. New RSA keys will be generated with a public exponent of 65537 instead of the previous value 35. Passphrase-protected SSH protocol 2 private keys are now protected with AES-128 instead of 3DES. The following significant bugs have been fixed in this release: Fixed a minor information leak of environment variables specified in authorized_keys if an attacker happens to know the public key in use. When using ChrootDirectory, make sure we test for the existence of the user's shell inside the chroot and not outside. (bz#1679) Cache user and group name lookups in sftp-server using user_from_[ug]id(3) to improve performance on hosts where these operations are slow. (bz#1495) Fix problem that prevented passphrase reading from being interrupted in some circumstances. (bz#1590) Ignore and log any Protocol 1 keys where the claimed size is not equal to the actual size. Make HostBased authentication work with a ProxyCommand. (bz#1569) Avoid run-time failures when specifying hostkeys via a relative path by prepending the current working directory in these cases. (bz#1290) Do not prompt for a passphrase if we fail to open a keyfile, and log the reason why the open failed to debug. (bz#1693) Document that the PubkeyAuthentication directive is allowed in a sshd_config(5) Match block. (bz#1577) When converting keys, truncate key comments at 72 chars as per RFC4716. (bz#1630) Do not allow logins if /etc/nologin exists but is not readable by the user logging in. Output a debug log if sshd(8) can't open an existing authorized_keys. (bz#1694) Quell tc[gs]etattr(3) warnings when forcing a tty (ssh -tt), since we usually don't actually have a tty to read/set. (bz#1686) Prevent sftp(1) from crashing when given a "-" without a command; also, allow whitespace to follow a "-". (bz#1691) After sshd(8) receives a SIGHUP, ignore subsequent HUPs while sshd(8) re-execs itself; prevents two HUPs in quick succession from resulting in sshd(8) dying. (bz#1692) Clarify in sshd_config(5) that StrictModes does not apply to ChrootDirectory; permissions and ownership are always checked when chrooting. (bz#1532) Set close-on-exec on various descriptors so they don't get leaked to child processes. (bz#1643) Fix very rare race condition in x11/agent channel allocation Fix incorrect exit status when multiplexing and channel ID 0 is recycled. (bz#1570) Fail with an error when an attempt is made to connect to a server with ForceCommand=internal-sftp with a shell session. (bz#1606) Warn but do not fail if stat(2)ing the subsystem binary fails. (bz#1599) Change "Connecting to host..." message to "Connected to host." and delay it until after the sftp protocol connection has been established. (bz#1588) Use the HostKeyAlias rather than the hostname specified on the commandline when prompting for passwords. (bz#1039) Correct off-by-one in percent_expand(). (bz#1607) Fix passing of empty options from scp(1) and sftp(1) to the underlying ssh(1); also add support for the stop option "--". Fix an incorrect magic number and typo in PROTOCOL. (bz#1688) Don't escape backslashes when displaying the SSH2 banner. (bz#1533) Don't unnecessarily dup() the in and out fds for sftp-server(8). (bz#1566) Force use of the correct hash function for random-art signature display. (bz#1611) Do not fall back to adding keys without constraints when the agent refuses the constrained add request. (bz#1612) Fix a race condition in ssh-agent(1) that could result in a wedged or spinning agent. (bz#1633) Flush stdio before exec() to ensure that everything has made it out before the streams go away. (bz#1596) Set FD_CLOEXEC on in/out sockets in sshd(8). (bz#1706)

Over 5,800 ports, major robustness and speed improvements in package tools.

Many pre-built packages for each architecture: i386: 5951 sparc64: 5745 alpha: 5641 sh: 768 amd64: 5879 powerpc: 5785 sparc: 4053 arm: 3711 hppa: 5500 vax: 1785 mips64: 3690 mips64el: 4316 Some highlights: Gnome 2.28.2. KDE 3.5.10. Xfce 4.6.1. MySQL 5.1.42. PostgreSQL 8.4.2. Postfix 2.6.5. OpenLDAP 2.3.43. Mozilla Firefox 3.0.18 and 3.5.8. Mozilla Thunderbird 2.0.0.23. OpenOffice.org 3.1.1. Emacs 21.4 and 22.3 Vim 7.2.267. PHP 5.2.12. Python 2.4.6, 2.5.4 and 2.6.3. Ruby 1.8.6.369.

Some highlights: As usual, steady improvements in manual pages and other documentation.

The system includes the following major components from outside suppliers: Xenocara (based on X.Org 7.4 with xserver 1.6.5 + patches, freetype 2.3.9, fontconfig 2.6.0, Mesa 7.4.2, xterm 250 and more) Gcc 2.95.3 (+ patches) and 3.3.5 (+ patches) Perl 5.10.1 (+ patches) Our improved and secured version of Apache 1.3, with SSL/TLS and DSO support OpenSSL 0.9.8k (+ patches) Groff 1.15 Sendmail 8.14.3, with libmilter Bind 9.4.2-P2 (+ patches) Lynx 2.8.6rel.5 with HTTPS and IPv6 support (+ patches) Sudo 1.7.2 Ncurses 5.7 Latest KAME IPv6 Heimdal 0.7.2 (+ patches) Arla 0.35.7 Binutils 2.15 (+ patches) Gdb 6.3 (+ patches)



Remember, you can download the release, but you can't download the stickers !