List:       openbsd-misc
Subject:    OpenBSD 5.0 released Nov 1, 2011
From:       Theo de Raadt <deraadt () cvs ! openbsd ! org>
Date:       2011-11-01 14:38:26
Message-ID: 201111011438.pA1EcQEu012645 () cvs ! openbsd ! org

------------------------------------------------------------------------

Nov 1, 2011.

We are pleased to announce the official release of OpenBSD 5.0. This is our 30th release on CD-ROM (and 31st via FTP). We remain proud of OpenBSD's record of more than ten years with only two remote holes in the default install.

As in our previous releases, 5.0 provides significant improvements, including new features, in nearly all areas of the system:

- Improved hardware support, including:
    o MSI interrupts for many devices, on those architectures which can support them (amd64, i386, sparc64 only so far).
    o A new dma_alloc(9) API makes it easier for kernel code to allocate dma-safe memory. Many drivers (especially network drivers) and subsystems (in particular scsi and the buffer cache) were adapted to use this.
    o As a result, big-memory support has been enabled on all possible architectures.
    o The rather rare bce(4) driver now copies mbufs all the time, to cope with the hardware having a 1GB limit.
    o Added hds(4), a driver for Hitachi Modular Storage SCSI devices.
    o Added myx(4), a driver for the Myricom Myri-10G 10GB Ethernet devices.
    o Added dfs(4), a driver for Dynamic Frequency Switching on some macppc systems.
    o cardbus(4) and pcmcia(4) support on sgi.
    o Suspend/resume support on Loongson Yeelong laptops.
    o Interrupt handlers for bnx(4), em(4), ix(4) and sis(4) have been improved reducing overhead and increasing performance.
    o New acpitoshiba(4) driver providing ACPI support for Toshiba laptops.
    o Added nvt(4), a driver for the W83795G and W83795ADG hardware monitor.
    o Added support to sdhc(4) for the Ricoh 5U823 SD/MMC controller.
    o A new fw_update(1) tool to install and update non-free firmware packages.

- Generic network stack improvements:
    o Added support for sending Wake on LAN packets using arp(8).
    o Permit turning Wake on LAN support on/off using ifconfig(8).
    o Added Wake on LAN support to xl(4), re(4), and vr(4).
    o Allow ftp-proxy to proxy across rdomains.
    o The IPv4 stack will no longer accept ICMP redirects when acting as a router.
    o By default the IPv6 stack will not process ICMP6 redirects. rtsol(8) will turn it back if -F is used.
    o Reworked large parts of the dhclient(8) options processing for better interoperability.
    o Fixed carp(4) to work in IPv6 only setups.
    o Make it possible to bind(2) to the local network broadcast address on datagram and raw sockets.
    o The default multicast reject route is now ignored if the UDP socket uses the IP_MULTICAST_IF socket option.
    o Make gre(4) work between systems in the same LAN.
    o Removed the link1 mode special addressing mode on lo(4).
    o New net.inet.tcp.always_keepalive sysctl, effectively enabling SO_KEEPALIVE on all TCP sockets.

- Routing daemons and other userland network improvements:
    o bgpd(8) no longer bumps the rlimits: the rc.d framework respects login classes which is a much better solution.
    o Correctly set the network filtersets on reload in bgpd(8).
    o The routing socket is now sending RTM_DESYNC messages if the socketbuffer overflows.
    o Allow ospfd(8) to send out LS updates and other messages larger than the MTU.
    o Fixed nexthop calculation in ospfd(8) for directly connected P2P links.
    o First bits to support opaque LSA in ospfd(8). Only basic redistribute logic and LSDB handling for now.
    o Creating new interfaces will no longer cause a fatal error in ospf6d(8).
    o ospf6d(8) handles link-state changes better.
    o Better loopback handling in ospf6d(8).
    o No longer install extra multicast routes in ripd(8) and ldpd(8).
    o Make kqueue(2) work with sosplice(9).
    o Enabled sosplice(9) in relayd(8) for TCP.
    o Added support for divert-to which provides some benefits over rdr-to in relayd(8).
    o Reload support in relayd(8) has been fixed.
    o Fixed trap sending in snmpd(8).
    o Make ping6(8) compare minimum amount of bytes between what was received and what was sent out.
    o Make traceroute(8) with type-of-service set (-t) display a message if the returned packet has a different tos type.
    o Added the socket splicing fields of struct socket to netstat -vP output.
    o tcpbench(1) now uses libevent and supports both TCP and UDP modes.
    o TCP socket buffer sizes can now be displayed using the netstat(1) -B flag.
    o tcpdump(8) can now filter on icmptype and tcpflags.
    o bgplg(8) now supports "show ip bgp peer-as".

- pf(4) improvements:
    o Make pf(4) reassemble IPv6 fragments. In the forward case, pf refragments the packets with the same maximum size.
    o Allow pf(4) to filter on the rdomain a packet belongs to.
    o Make pf(4) allow userland proxies to establish cross rdomain proxy sessions.
    o Added IPv6 ACK prioritization in pf(4).
    o Change 'set skip on <...>' to work with interface groups.
    o pfsync(4) supports IPv6 as network protocol.
    o Switched ftp-proxy(8) over to divert-to instead of rdr-to.
    o Switched tftp-proxy(8) over to divert-to instead of rdr-to.
    o New very low overhead priority queueing implementation for pf(4) used via the "prio" keyword.
    o Support for least-states in load balancing pools and tables.
    o Support for weighted round-robin in load balancing pools and tables.

- SCSI improvements:
    o Most SCSI hardware drivers now use the new iopools infrastructure.
    o scsi(4) devices are now all provided with a unique devid, which is displayed during the probe process.
    o ASC/ASCQ error codes and verbiage now in sync with http://www.t10.org/lists/asc-num.txt.
    o Progress on iSCSI includes better login, better logout, preliminary FSM support in iscsid(8), and improved logging and debug information.
    o uk(4) can now safely and reliably detach an unknown SCSI device.
    o SCSI multipath device and kernel support has been improved.
    o vscsi(4) now ensures output always goes to the correct connection.
    o vscsi(4) connections can now be reset gracefully.
    o scsi(4) devices on fibre channel fabrics no longer inherit the adapter's address.

- Assorted improvements:
    o Kernel randomization speed and quality improved substantially.
    o For additional security, security(8) was rewritten in Perl.
    o Mandoc 1.11.4: Now accepts eqn(7) input (no fancy formatting yet) and supports -Tutf8 output (but no utf8 input yet).
    o Removed a variety of OS-compat emulation code, leaving just the Linux support.
    o Small improvements to Linux compat (only available on i386).
    o Improved our own pkg-config(1) implementation with extended comparison scheme and implementing various new options.
    o The math library, libm, was fully fleshed out to support all C99 required parts. Many bugs for various architectures were fixed along the way.
    o malloc(3) is a lot faster and has a few further security features (more randomization, as well as the 'S' flag to enable all paranoia checks).
    o 'make depend' is no longer necessary in kernel compilation directories since the dependencies are calculated automatically.
    o Increased the default size of the buffer cache.
    o kqueue(2) now works on /dev/random and spliced sockets.
    o On MBR-based disks, scan through up to 256 extended partition tables when looking for an OpenBSD partition table.
    o Added POSIX 2008 fdopendir(3) and openat(2) functions, as well as the O_CLOEXEC, O_DIRECTORY, and F_DUPFD_CLOEXEC flags.
    o Improved lint format string checks and added a few other checks.
    o kdump(8) now dumps stat and sockaddr structures, sysctl mib strings, and decodes syscall flags and operation bits.
    o Improved kernel pool debug checking.
    o Improved correctness of signals and various syscalls when rthreads are in use.
    o Kernel malloc(9) space and stacks moved to non-dma memory.
    o Fixed some shutdown/reboot hangs on NFS clients.
    o UNIX-domain socket paths are now guaranteed to be NUL-terminated.
    o Added support for *wprintf(3), wcs{,n}casecmp(3), and wcsdup(3).
    o NULL is now a (void *).
    o grep(1) now supports a -H option to always print filename headers.
    o Whitelist expiry for spamlogd(8) can now be configured via a -W flag.
    o ls(1) now supports the POSIX -H option to follow symbolic links specified on the command line.
    o disklabel(8) now tries the next auto-allocation scheme if the current one fails due to insufficient available partitions.
    o bc(1) gained editline(3) support.
    o Many enhancements and new functionality have been added to tmux(1).
    o disklabel(8) supports absolute resizing of partitions in auto-allocated labels.
    o newfs(8) accepts k/m/g suffixes for the -S and -s options.

- Install/Upgrade process changes:
    o Completed support for DUID disk installs, and enabled it fully.
    o Install non-free firmwares from the internet upon first boot, based on a question in the installer.
    o svnd(4)-like behaviour became the default for vnd(4) devices. This is what is used to build the media.

- rc.d(8) framework improvements:
    o rc.d(8) is now also used for the base system daemons.
    o Backward compatible with the historic way of starting daemons.
    o Notify the user by appending (ok) or (failed) in interactive mode.
    o Better diagnostics with the introduction of RC_DEBUG.

- OpenSSH 5.9:
    o New features:
        - Introduce sandboxing of the pre-auth privsep child using an optional sshd_config(5) "UsePrivilegeSeparation=sandbox" mode that enables mandatory restrictions on the syscalls the privsep child can perform.
        - Add new SHA256-based HMAC transport integrity modes from http://www.ietf.org/id/draft-dbider-sha2-mac-for-ssh-02.txt These modes are hmac-sha2-256, hmac-sha2-256-96, hmac-sha2-512, and hmac-sha2-512-96, and are available by default in ssh(1) and sshd(8).
        - The pre-authentication sshd(8) privilege separation slave process now logs via a socket shared with the master process, avoiding the need to maintain /dev/log inside the chroot.
        - ssh(1) now warns when a server refuses X11 forwarding.
        - sshd_config(5)'s AuthorizedKeysFile now accepts multiple paths, separated by whitespace. The undocumented AuthorizedKeysFile2 option is deprecated (though the default for AuthorizedKeysFile includes .ssh/authorized_keys2).
        - sshd_config(5): similarly deprecate UserKnownHostsFile2 and GlobalKnownHostsFile2 by making UserKnownHostsFile and GlobalKnownHostsFile accept multiple options and default to include known_hosts2.
        - sshd_config(5)'s ControlPath option now expands %L to the host portion of the destination host name.
        - sshd_config(5) "Host" options now support negated Host matching.
        - sshd_config(5): a new RequestTTY option provides control over when a TTY is requested for a connection, similar to the existing -t/-tt/-T ssh(1) commandline options.
        - ssh-keygen(1): Add -A option. For each of the key types (rsa1, rsa, dsa and ecdsa) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment. This is useful for system initialisation scripts.
        - ssh(1): Allow graceful shutdown of multiplexing: request that mux server removes its listener socket and refuse future multiplexing requests but don't kill existing connections. This may be requested using "ssh -O stop ...".
        - ssh-add(1): now accepts keys piped from standard input.
        - Retain key comments when loading v.2 keys. These will be visible in "ssh-add -l" and other places. (bz#439)
        - ssh(1) and sshd(8): set IPv6 traffic class from IPQoS (as well as IPv4 ToS/DSCP).
          (bz#1855)
    o The following significant bugs have been fixed in this release:
        - sshd(8): allow GSSAPI authentication to detect when a server-side failure causes authentication failure and don't count such failures against MaxAuthTries. (bz#1244)
        - ssh-keysign(8): now signs hostbased authentication challenges correctly using ECDSA keys. (bz#1858)

- Over 7,200 ports, major robustness and speed improvements in package tools.

- Many pre-built packages for each architecture:
    o i386: 7008
    o sparc64: 6456
    o alpha: 6046
    o sh: 3721
    o amd64: 6960
    o powerpc: 6691
    o sparc: 3277
    o arm: 2963
    o hppa: 6125
    o vax: 1409
    o mips64: 5689
    o mips64el: 5709

- Some highlights:
    o Gnome 2.32.2
    o KDE 3.5.10
    o Xfce 4.8.0
    o MySQL 5.1.54
    o PostgreSQL 9.0.5
    o Postfix 2.8.4
    o OpenLDAP 2.3.43 and 2.4.25
    o Mozilla Firefox 3.5.19, 3.6.18 and 5.0
    o Mozilla Thunderbird 5.0
    o GHC 7.0.4
    o LibreOffice 3.4.1.3
    o Emacs 21.4, 22.3 and 23.3
    o Vim 7.3.154
    o PHP 5.2.17 and 5.3.6
    o Python 2.4.6, 2.5.4 and 2.7.1
    o Ruby 1.8.7.352 and 1.9.2.200
    o Mono 2.10.2
    o Chromium 12.0.742.122
    o Groff 1.21

- As usual, steady improvements in manual pages and other documentation.
    o Base system and Xenocara manuals are now installed as source code, making grep(1) more useful in /usr/share/man/ and /usr/X11R6/man/.
    o If both formatted and source versions of manuals are installed, man(1) automatically displays the newer version of each page.

- The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.6 with xserver 1.9 + patches, freetype 2.4.5, fontconfig 2.8.0, Mesa 7.8.2, xterm 270, xkeyboard-config 2.3 and more)
    o Gcc 2.95.3 (+ patches), 3.3.5 (+ patches) and 4.2.1 (+patches)
    o Perl 5.12.2 (+ patches)
    o Our improved and secured version of Apache 1.3, with SSL/TLS and DSO support
    o OpenSSL 1.0.0a (+ patches)
    o Sendmail 8.14.5, with libmilter
    o Bind 9.4.2-P2 (+ patches)
    o Lynx 2.8.7rel.2 with HTTPS and IPv6 support (+ patches)
    o Sudo 1.7.2p8
    o Ncurses 5.7
    o Heimdal 0.7.2 (+ patches)
    o Arla 0.35.7
    o Binutils 2.15 (+ patches)
    o Gdb 6.3 (+ patches)

If you'd like to see a list of what has changed between OpenBSD 4.9 and 5.0, look at

        http://www.OpenBSD.org/plus50.html

Even though the list is a summary of the most important changes made to OpenBSD, it still is a very very long list.

We provide patches for known security threats and other important issues discovered after each CD release. As usual, between the creation of the OpenBSD 5.0 FTP/CD-ROM binaries and the actual 4.9 release date, our team found and fixed some new reliability problems (note: most are minor and in subsystems that are not enabled by default). Our continued research into security means we will find new security problems -- and we always provide patches as soon as possible. Therefore, we advise regular visits to

        http://www.OpenBSD.org/security.html
and
        http://www.OpenBSD.org/errata.html

Security patch announcements are sent to the security-announce@OpenBSD.org mailing list. For information on OpenBSD mailing lists, please see:

        http://www.OpenBSD.org/mail.html

OpenBSD 5.0 is also available on CD-ROM. The 3-CD set costs $50 CDN and is available via mail order and from a number of contacts around the world. The set includes a colourful booklet which carefully explains the installation of OpenBSD.
A new set of cute little stickers is also included (sorry, but our FTP mirror sites do not support STP, the Sticker Transfer Protocol). As an added bonus, the second CD contains an audio track, a song entitled "What Me Worry?". MP3 and OGG versions of the audio track can be found on the first CD.

Lyrics (and an explanation) for the songs may be found at:

        http://www.OpenBSD.org/lyrics.html#50

Profits from CD sales are the primary income source for the OpenBSD project -- in essence selling these CD-ROM units ensures that OpenBSD will continue to make another release six months from now.

The OpenBSD 5.0 CD-ROMs are bootable on the following four platforms:

    o i386
    o amd64
    o macppc
    o sparc64

(Other platforms must boot from floppy, network, or other method).

For more information on ordering CD-ROMs, see:

        http://www.OpenBSD.org/orders.html

The above web page lists a number of places where OpenBSD CD-ROMs can be purchased from. For our default mail order, go directly to:

        https://https.OpenBSD.org/cgi-bin/order

All of our developers strongly urge you to buy a CD-ROM and support our future efforts. Additionally, donations to the project are highly appreciated, as described in more detail at:

        http://www.OpenBSD.org/goals.html#funding

For those unable to make their contributions as straightforward gifts, the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian not-for-profit corporation that can accept larger contributions and issue receipts. In some situations, their receipt may qualify as a business expense write-off, so this is certainly a consideration for some organizations or businesses. There may also be exposure benefits since the Foundation may be interested in participating in press releases. In turn, the Foundation then uses these contributions to assist OpenBSD's infrastructure needs. Contact the foundation directors at directors@openbsdfoundation.org for more information.

The OpenBSD distribution companies also sell tshirts and polo shirts.
And our users like them, too. We have a variety of shirts available, with the new and old designs, from our web ordering system at, as described above.

If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily installed via FTP or HTTP downloads. Typically you need a single small piece of boot media (e.g., a boot floppy) and then the rest of the files can be installed from a number of locations, including directly off the Internet. Follow this simple set of instructions to ensure that you find all of the documentation you will need while performing an install via FTP or HTTP. With the CD-ROMs, the necessary documentation is easier to find.

1) Read either of the following two files for a list of ftp/http mirrors which provide OpenBSD, then choose one near you:

        http://www.OpenBSD.org/ftp.html
        ftp://ftp.OpenBSD.org/pub/OpenBSD/5.0/ftplist

   As of Nov 1, 2011, the following ftp mirror sites have the 5.0 release:

        ftp://ftp.eu.openbsd.org/pub/OpenBSD/5.0/       Stockholm, Sweden
        ftp://ftp.bytemine.net/pub/OpenBSD/5.0/         Oldenburg, Germany
        ftp://ftp.ch.openbsd.org/pub/OpenBSD/5.0/       Zurich, Switzerland
        ftp://ftp.fr.openbsd.org/pub/OpenBSD/5.0/       Paris, France
        ftp://ftp5.eu.openbsd.org/pub/OpenBSD/5.0/      Vienna, Austria
        ftp://mirror.aarnet.edu.au/pub/OpenBSD/5.0/     Brisbane, Australia
        ftp://ftp.usa.openbsd.org/pub/OpenBSD/5.0/      CO, USA
        ftp://ftp5.usa.openbsd.org/pub/OpenBSD/5.0/     CA, USA
        ftp://obsd.cec.mtu.edu/pub/OpenBSD/5.0/         Michigan, USA

   The release is also available at the master site:

        ftp://ftp.openbsd.org/pub/OpenBSD/5.0/          Alberta, Canada

   However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that ftp mirror site and go into the directory pub/OpenBSD/5.0/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     armish/          mvme68k/         sparc64/
        Changelogs/      ftplist          mvme88k/         src.tar.gz
        HARDWARE         hp300/           packages/        sys.tar.gz
        PACKAGES         hppa/            ports.tar.gz     tools/
        PORTS            i386/            root.mail        vax/
        README           landisk/         sgi/             xenocara.tar.gz
        alpha/           mac68k/          socppc/          zaurus/
        amd64/           macppc/          sparc/

   It is quite likely that you will want at LEAST the following files which apply to all the architectures OpenBSD supports.

        README     - generic README
        HARDWARE   - list of hardware we support
        PORTS      - description of our "ports" tree
        PACKAGES   - description of pre-compiled packages
        root.mail  - a copy of root's mail at initial login. (This is really worthwhile reading).

3) Read the README file. It is short, and a quick read will make sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture, for example, i386. This is a list of what you will see:

        INSTALL.i386     cd50.iso         floppyB50.fs     pxeboot*
        INSTALL.linux    cdboot*          floppyC50.fs     xbase50.tgz
        MD5              cdbr*            game50.tgz       xetc50.tgz
        base50.tgz       cdemu50.iso      index.txt        xfont50.tgz
        bsd*             comp50.tgz       install50.iso    xserv50.tgz
        bsd.mp*          etc50.tgz        man50.tgz        xshare50.tgz
        bsd.rd*          floppy50.fs      misc50.tgz

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386 and the appropriate floppy*.fs or install50.iso files. Consult the INSTALL.i386 file if you don't know which of the floppy images you need (or simply fetch all of them).

   If you use the install50.iso file (roughly 250MB in size), then you do not need the various *.tgz files since they are contained on that one-step ISO-format install CD.

5) If you are an expert, follow the instructions in the file called README; otherwise, use the more complete instructions in the file called INSTALL.i386. INSTALL.i386 may tell you that you need to fetch other files.

6) Just in case, take a peek at:

        http://www.OpenBSD.org/errata.html

   This is the page where we talk about the mistakes we made while creating the 5.0 release, or the significant bugs we fixed post-release which we think our users should have fixes for. Patches and workarounds are clearly described there.

Note: If you end up needing to write a raw floppy using Windows, you can use "fdimage.exe" located in the pub/OpenBSD/5.0/tools directory to do so.

X.Org has been integrated more closely into the system. This release contains X.Org 7.6. Most of our architectures ship with X.Org, including amd64, sparc, sparc64 and macppc. During installation, you can install X.Org quite easily. Be sure to try out xdm(1) and see how we have customized it for OpenBSD.

The OpenBSD ports tree contains automated instructions for building third party software. The software has been verified to build and run on the various OpenBSD architectures. The 5.0 ports collection, including many of the distribution files, is included on the 3-CD set. Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the Apache web server and several X applications, come standard with OpenBSD. Also, many popular ports have been pre-compiled for those who do not desire to build their own binaries (see BINARY PACKAGES, below).

A large number of binary packages are provided. Please see the PACKAGES file (ftp://ftp.OpenBSD.org/pub/OpenBSD/5.0/PACKAGES) for more details.

The CD-ROMs contain source code for all the subsystems explained above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/5.0/README) file explains how to deal with these source files.
For those who are doing an FTP install, the source code for all four subsystems can be found in the pub/OpenBSD/5.0/ directory:

        xenocara.tar.gz     ports.tar.gz     src.tar.gz     sys.tar.gz

Ports tree and package building by Jasper Lievisse Adriaanse, Landry Breuil, Michael Erdely, Stuart Henderson, Peter Hessler, Paul Irofti, Antoine Jacoutot, Robert Nagy, and Christian Weisgerber. System builds by Theo de Raadt, Mark Kettenis, and Miod Vallat. X11 builds by Todd Fries and Miod Vallat. ISO-9660 filesystem layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug fixes, donation cheques, and hardware that we use. We would also like to thank those who pre-ordered the 5.0 CD-ROM or bought our previous CD-ROMs. Those who did not support us financially have still helped us with our goal of improving the quality of the software.

Our developers are:

Alexander Bluhm, Alexander Hall, Alexander Schrijver, Alexander Yurchenko, Alexandr Shadchin, Alexandre Ratchov, Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot, Ariane van der Steldt, Austin Hook, Benoit Lecocq, Bernd Ahlers, Bob Beck, Bret Lambert, Charles Longeau, Chris Kuethe, Christian Weisgerber, Christiano F. Haesbaert, Claudio Jeker, Dale Rahn, Damien Bergamini, Damien Miller, Darren Tucker, David Coppa, David Gwynne, David Hill, David Krause, Edd Barrett, Eric Faurot, Federico G.
Schwindt, Felix Kronlage, Gilles Chehade, Giovanni Bechis, Gleydson Soares, Henning Brauer, Ian Darwin, Igor Sobrado, Ingo Schwarze, Jacek Masiulaniec, Jakob Schlyter, Janne Johansson, Jason George, Jason McIntyre, Jason Meltzer, Jasper Lievisse Adriaanse, Jeremy Evans, Jim Razmus II, Joel Sing, Joerg Zinke, Jolan Luff, Jonathan Armani, Jonathan Gray, Jonathan Matthew, Jordan Hargrave, Joshua Stein, Kenneth R Westerback, Kevin Lo, Kevin Steves, Kurt Miller, Landry Breuil, Laurent Fanis, Marc Espie, Marco Peereboom, Marco Pfatschbacher, Marcus Glocker, Mark Kettenis, Mark Lumsden, Mark Uemura, Markus Friedl, Martin Pieuchot, Martynas Venckus, Mats O Jansson, Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Erdely, Mike Belopuhov, Mike Larkin, Miod Vallat, Nayden Markatchev, Nicholas Marriott, Nick Holland, Nigel Taylor, Nikolay Sturm, Okan Demirmen, Otto Moerbeek, Owain Ainsworth, Paul de Weerd, Paul Irofti, Peter Hessler, Peter Valchev, Philip Guenther, Pierre-Emmanuel Andre, Pierre-Yves Ritschard, Remi Pointel, Reyk Floeter, Robert Nagy, Ryan Freeman, Ryan Thomas McBride, Sasano, Sebastian Reitenbach, Simon Bertrang, Stefan Sperling, Stephan A. Rickauer, Steven Mestdagh, Stuart Henderson, Takuya Asada, Ted Unangst, Theo de Raadt, Thordur I Bjornsson, Tobias Weingartner, Todd C. Miller, Todd Fries, Will Maier, William Yodlowsky, Yasuoka Masahiko, Yojiro Uo