OpenBSD 6.9

OpenBSD

The OpenBSD project is a UNIX operating system based on 4.4 BSD, and it is free and multi-platform. OpenBSD supports binary emulation of many programs from Solaris, FreeBSD, Linux, BSD/OS, SunOS and HP-UX.

Version 6.9

This release contains:

  • New/extended platforms:
    • Support for the powerpc64 platform was improved:
      • Added astfb(4), a driver for the framebuffer of the Aspeed BMC found on many POWER8 and POWER9 systems.
      • Added bsd.mp to powerpc64’s installXX.{img,iso}.
      • Added RETGUARD implementation for powerpc and powerpc64.
      • Added a workaround for PCIO devices that cannot address the full 64-bit PCI address space to powerpc64. Needed for radeondrm(4) and amdgpu(4) since Radeon GPUs only implement 36, 40, or 44 bits of address space.
      • Added limited emulation of unaligned access in the powerpc64 kernel.
      • Added support for netbooting to the powerpc64 RAMDISK kernel.
      • Fixed booting on powerpc64 machines with memory banks higher in physical address space, needing a larger TCE table.
      • Introduced power-saving mode on POWER9 CPUs.
      • Enabled floating-point exceptions on powerpc64.
      • Added support for ipmi(4) on PowerNV systems.
    • Preliminary support was added for devices using the Apple M1 SoC:
      • Recognized Apple Icestorm/Firestorm cores on arm64.
      • Added support for BCM4378 chips, as found on the Apple M1 SoCs, to bwfm(4).
      • Added exuart(4) support for the UART found on the Apple M1 SoC.
      • Added apldog(4), a driver for the watchdog on Apple M1 SoCs, allowing reboot of the machine.
      • Added aplintc(4), a driver for the interrupt controller found on Apple M1 SoCs.
      • Added aplpcie(4), a driver for the PCIe host bridge on Apple M1 SoCs.
      • Added apldart(4), a driver for the IOMMU on Apple M1 SoCs.
      • Added support for CPUs with 8-bit ASIDs such as those on Apple’s M1 SoC.
    • The arm64 platform support was improved with the following changes:
      • Optimized arm64 copyin(9), copyout(9) and kcopy(9) by doing 16-byte copies if possible.
      • Added recognition of Cortex-A78AE, Cortex-X1 and Neoverse V1 arm64 CPUs.
      • Added clock support for i.MX8MP SoCs.
      • Added support for the VF610 I2C controller to imxiic(4).
      • Added dwgpio(4), a driver for the Synopsys DesignWare GPIO controller.
      • Added amlpinctrl(4) support for the “Always On” GPIOs.
      • Made large read and write transactions work in amliic(4).
      • Added support for the PCIe controller found on Amlogic G12A/G12B/SM1 SoCs to dwpcie(4).
      • Implemented legacy interrupt support to mvkpcie(4).
      • Added cryptox(4), a driver for armv8 cryptographic extensions.
      • Added support for PCIe on the NanoPi R4S to rkpcie(4).
      • Added smmu(4), a driver for the ARM System MMU.
      • Introduced an IOVA early-allocation scheme in smmu(4), mitigating the performance penalty of typical IOVA allocation designs.
      • Introduced Guard Pages in smmu(4), to spot misuse and misconfiguration of I/O devices more easily.
      • Added support for RK809 to rkpmic(4), as seen on the Rock Pi N10 with the rk3399pro.
      • Added support for sdhc(4) on the Raspberry Pi in ACPI mode.
      • Enabled ixl(4) on arm64.
      • Updated device-tree bindings for cwfg(4) battery capacity driver to correct attaching and account for monitoring interval change, making cwfg(4) export values under hw.sensors as expected when using a Pinebook Pro.
      • Added ARMv8-5 instruction set related CPU features to arm64.
  • Various kernel improvements:
    • Added the RAID1C (encrypted raid1) softraid(4) discipline, encrypting data like the CRYPTO discipline and accepting multiple chunks during creation and assembly like the RAID1 discipline.
    • Corrected raidlevel verification specified by the -c option in bioctl(8).
    • Introduced kern.video.record for video(4) devices, a privacy feature analogous to the kern.audio.record sysctl(8) parameter for audio(4) devices. By default, kern.video.record will be set to zero and blank all data delivered by drivers attaching to video(4).
    • Allowed a process to open a video(4) device multiple times. Fixes webcam usage with Firefox and BigBlueButton.
    • Enabled multiple opens of a video(4) device as described in the V4L2 specification.
    • Added basic support for kclock timeouts to timeout(9).
    • Changed the pool(9) timeouts to use the system uptime instead of ticks.
    • Ensured sleep(3) calls nanosleep(2) if seconds is zero, now delegating all decisions about whether or not to yield the CPU.
    • Added a top-level ‘reboot’ command to ddb(4).
    • Added witness(4) check for uninitialized (or zeroed) lock usage.
    • Added fd close notification for kqueue-based poll(2) and select(2).
    • Added a global “nowake” channel for threads avoiding wakeup(9) to tsleep(9).
    • Added trace points for malloc(9) and free(9), making them traceable via dt(4) and btrace(8).
    • Added btrace(8) -n (no action) mode, which parses the program and then exits.
    • Fixed a boot-time crash on sparc64 due to mutex use during the message buffer initialization.
    • Prevented a panic in some ACPI firmware that provided invalid memory regions in their reserved memory region reporting table.
    • Added a barrier between reading the cqe flags and the command ID to prevent completion of the wrong SCSI I/O for nvme(4) drives.
    • Prevented attachment of nvme(4) devices of zero size.
    • Introduced new function if_unit(9), returning a pointer to the interface descriptor corresponding to the unique name.
    • Clear interrupts on luna88k processors more efficiently at boot time.
    • Added acpiiort(4), a driver for the ACPI I/O Remapping Table.
    • Updated clock interrupt count atomically on mips64.
    • Prevented an amd64 kernel crash with protection fault due to an invalid offset when reading /dev/kmem.
    • Permitted access to kern.somaxconn sysctl information when the unix pledge(2) is used, allowing Go programs to use “unix” without also including “inet”.
    • Excluded the first page and added a guard page between I/O virtual address space allocations on arm64.
    • Prevented attachment of SCSI devices that fail to provide adequate INQUIRY data.
  • SMP Improvements
    • Introduced “if_cloners_lock” rwlock and used it to serialize if_clone_{create,destroy}(), avoiding multiple race conditions.
    • Introduced a system-wide mutex that serializes msgbuf operations.
    • Made uvm_pagealloc(9) of the physical memory allocator mp-safe.
    • Unlocked getppid(2).
    • Introduced locking for amaps and anons, improving build performance.
    • Moved UNIX domain sockets out of the kernel lock, using the new “unp_lock” rwlock(9) as solock()’s backend to protect the whole layer.
    • Unlocked sendsyslog(2).
    • Used per-CPU counter for fault and stats counters reached in uvm_fault().
  • Direct Rendering Manager
    • Fixed wsconsctl(8) backlight commands when using drm(4) drivers on macppc.
    • Fixed a radeondrm(4) panic on macppc with Powerbook5,6 and RV350.
    • Fixed DRI3 support on amdgpu(4) and ati(4).
    • /dev/dri/ device nodes are created to be more compatible with Linux.
  • VMM/VMD improvements
    • Prevented memory corruption or improper page access in vmm(4) due to improper TLB flushing for now by wiring the pages used by virtual machines.
    • Removed the ability of vmd(8) to boot from kernels in raw/qcow2 images.
    • Made vmctl(8) properly indicate VMs are stopping instead of “running” with “vmctl status”.
    • Simplify argument parsing of vmctl(8) stop thereby avoiding a printf(3) “%s” NULL, a use of uninitialized and a dead else branch.
    • Cleaned up events on vmd(8) pause or resume and fixed an issue leading to broken serial console by cleanly tearing down and restoring emulated device state on vm send/receive.
    • Propagated host-side tap(4) lladdr to guest vm process to allow unicast dhcp and bootp renewals with vmd(8)’s built-in dhcp server.
    • Added veb(4) to the list of supported bridges for vmd(8).
    • Improved MSR exit handling in vmm(4) on SVM and VMX hosts preventing invalid reads and fixing support for 9front.
    • Added ability to boot compressed ramdisks to vmd(8).
  • Various new userland features:
    • Added doas.conf(5) “nolog” option to avoid syslog(3).
    • Allowed specific sndio(7) devices to be used for play-only and rec-only modes.
    • Use an 8th order FIR low-pass filter for resampling in sndiod(8) and for aucat(1), removing most of the aliasing noise during resampling.
    • Disabled sndiod(8) autovolume by default and set the default volume to 127. Setting “-w on” will replicate the previous behavior of automatically decreasing playback volume when new programs start playing.
    • Allowed mixing of alternative devices (-F) with different capabilities in sndiod(8) by treating any device as full-duplex.
    • Fixed visibility of sndioctl(1) output when used through a pipe.
    • Enabled build and install of lldb(1).
    • Added logger(1) support to rcctl(8), rc.subr(8) and rc.d(8) for daemons logging to stdout/stderr.
    • Added a configurable button mapping for tap gestures on touchpads to wsconsctl(8).
    • Made wscons(4) touchpad tap detection less restrictive for multi-finger taps and improved tap detection.
    • Enable apm(4) on arm64 to display meaningful information about battery use and capacity.
  • Various bugfixes and tweaks in userland:
    • Fixed a pledge violation in csh(1) where redirecting input from a file containing ^T would cause csh(1) to perform a tty ioctl operation against a non-tty.
    • Made syspatch(8) work again when fewer than 3 patches are available.
    • Stopped exempting file systems from security(8) on the basis of nodev and nosuid options, which may not be used for file systems mounted beneath.
    • Modified daily(8) to stop reporting disk status and networking statistics.
    • Made sysupgrade(8) specify a version when it uses fw_update(1) to avoid the situation where upgrading a pre-6.8 snapshot to 6.8 release with “-r” would install firmware packages from snapshots.
    • Increased speed of the dependency check pass for pkg_add(1).
    • Prevented process exit in multithreaded programs from reporting the wrong error code.
    • Allowed booting of amd64/i386 from GPT formatted disks larger than 4TB.
    • When using the cat(1) -n flag, correctly enumerate files with more than INT_MAX lines.
    • Fixed a memory leak in ld.so’s malloc.
    • Added a “xenodm” login class for xenodm(1) and increased openfiles to 512 to avoid running out of file descriptors with a busy desktop.
    • Stopped xenodm(1) from adding authorizations for TCP connections by default and added “listenTCP” to explicitly add authorizations for existing IP addresses on startup.
    • Skip adding the IPv6 link local addresses for TCP listener authorizations in xenodm(1), matching what is done by startx(1).
    • Fixed -s option for cmp(1).
    • Improve pledge in doas(1), specifically added pledge to the “-C” code path.
    • Improved performance of malloc(3)’s cache.
    • Made editing GPT in fdisk(8) safer by defaulting offset to the beginning of the largest free space and preventing the creation of overlapping partitions.
    • Fixed a crash that could occur in sndiod(8) when a USB device is unplugged.
    • Append .html suffixes to temporary files in mandoc(1) to allow recognition by browsers.
    • Allow specification of a path to the mg(1) startup file on the command line.
    • Added a “batch” mode to mg(1) via the “-b” command line option, which will initialize a pty, run the specified file of mg commands and then exit.
    • Inverted the mg(1) “R” indicator to mean that a “*” next to a file’s name indicates that it is read-only. Made the active buffer indicator more visible by changing it to “>”.
    • Fixed ksh(1) redrawing of a multiline PS1 prompt in vi mode and added support for ^R (redraw) in insert mode.
    • Used unveil(2) to restrict filesystem access in apmd(8).
    • Removed the 30s minimum delay for xlock(1) timeouts.
    • Stopped deleting the control socket on exit in apmd(8), as deleting the socket after calling unveil(2) would cause an unveil violation.
  • Improved hardware support and driver bugfixes, including:
    • Corrected accounting of zero length Transfer Descriptors in xhci(4), preventing running out of free Transfer Ring Blocks.
    • Moved mfokclock(4) from loongson to make it available for other platforms and renamed it to mfokrtc(4).
    • Fixed brightness setting on MacBooks.
    • Added AMD Vi and Intel VTD IOMMU support. This creates separate domains for each PCI device and can provide protection against invalid memory access.
    • Enabled brightness keys on powerbooks where the keyboard attaches as ukbd(4).
    • Set initial default display brightness on macppc via of_setbrightness() to ensure wscons(4) and ofw are in sync.
    • Added support for the PL2303HXN series chips to uplcom(4).
    • Added support for the PCA9547 I2C mux to pcamux(4).
    • Extended pcamux(4) with ACPI support.
    • Added acpige(4), a driver for ACPI generic event devices, used on various systems to implement power button handling.
    • Added pchgpio(4), a driver for the GPIO controllers found on modern Intel PCHs.
    • Added ACPI support to imxiic(4).
    • Fixed panics on the HoneyComb LX2K with amdgpu(4).
    • Fixed very old umass(4) devices where the INQUIRY command succeeds but with a residue equal to the requested bytes.
    • Added Gemini Lake I2C id to dwiic(4), making the touchpad work on the Teclast F7 Plus laptop.
    • Introduced ujoy(4), a restricted subset of uhid(4) for game controllers which uses /dev/ujoy/* device nodes.
    • Set up ims(4) devices in X11 to behave like touchpads.
    • Stopped relying on USB devices to correctly present their indices, instead searching for the correct interfaces. This fixes E+ Corp. DAC Audio devices.
    • Introduced uhidpp(4), a driver for Logitech HID++ devices.
    • Separated reading of general and touchpad-specific wsmouse(4) settings and corrected identification of device type when reading touchpad parameters fails.
    • Added support for 30-bit color modes to simplefb(4) and wsfb(4).
    • Made loongson kernels recognize Lynloong LM9002/9003 and LM9013 models.
    • Use native display resolution 1368×768 for Lynloong all-in-one computers.
  • New or improved network hardware support:
    • Fixed link state change behavior in 82598 ix(4) chips.
    • Fixed issues with network stopping after the first down/up cycle in mvpp(4) Marvell Armada Ethernet device.
    • Added SFP+ support to ofw, including support for direct attach cables.
    • Added 10G media support to mvpp(4).
    • Added support for 1000base-x and 2500base-x connections to mvneta(4).
    • Added mvsw(4), a driver for Marvell “SOHO” switches.
    • Enabled auto-negotiation on the SerDes links, allowing in-band-status to work between mvpp(4) and mvsw(4) on the ClearFog GT 8K.
    • Added support for the i.MX8MP PCIe clocks, USB clocks and second ethernet.
    • Added Wake on LAN support to rge(4).
    • Enabled IPv4 and TCP/UDP checksum offload on transmission in ogx(4).
    • Raised the maximum number of queues/interrupts from 1 to 16 on mcx(4) devices.
    • Added support for the Netgear ProSecure UTM25 to octeon.
    • Added vid/pid table to umb(4) allowing matching to alternate configurations.
  • Added or improved wireless network drivers:
    • Fixed the athn(4) and urtwn(4) drivers in client mode against access points which use WPA1/TKIP as the group cipher.
    • Added multicast support to bwfm(4) to allow IPv6.
    • Fixed urtwn(4) repeated DEAUTH and loss/restoration of link.
    • Introduced a delay to work around an issue in bwfm(4) on the BCM43602 that was triggering “unexpected pairwise key update” errors.
    • Enabled athn(4) for arm64.
    • Implemented a new 802.11n Tx rate adaptation algorithm (“RA”) for iwm(4), iwn(4), and athn(4).
    • Fixed association problems with the ipw(4) and iwi(4) drivers.
    • Made iwx(4) attach to AX201 devices with PCI IDs 0x34f0 and 0x06f0. Needs fw_update(1).
    • Fixed a problem where iwn(4) firmware would generate bogus block ack requests and stall traffic.
    • Fixed automatic channel selection in the athn(4) driver when running in hostap or monitor mode.
  • IEEE 802.11 wireless stack improvements and bugfixes:
    • Fixed length calculations in iwm(4) and iwx(4) when there are multiple MPDUs in one packet.
    • Fixed 802.11n interoperability with access points that offer management frame protection.
    • Flush the A-MPDU reorder buffer after gap timeout to prevent frames from remaining in the buffer until the next frame is received.
    • Avoid spurious “input packet decapsulations failed” errors in netstat(1) -W with A-MSDU enabled.
    • Fixed automatic selection of the 11a/b/g/n/ac operating mode when the interface is running as an access point.
    • Ensured crypto keys are installed before the link is brought up.
  • Generic network stack improvements and bugfixes:
    • Removed the maxburst feature from tcp_output(). Sending out TCP segments was limited to 4 packets per burst. This did not scale well on high bandwidth, high latency links. Especially when the receiving side delays ACK packets aggressively, the maxburst limitation could seriously reduce TCP throughput per connection.
    • Added a MONITOR feature to interfaces. Packets received on these interfaces do not enter the network stack for further processing. This can be used to watch traffic, for example with bpf(4) without risk of the packets interfering with the system.
    • Added etherbridge, the internals of a reusable learning bridge interface providing common code reusable for other drivers needing a mac learning bridge.
    • Introduced veb(4), a Virtual Ethernet Bridge driver.
    • Added the ability to force the selection of source IP address for programs that do not specify a source IP, overriding the default source IP selection algorithm. This is configurable via route(8) sourceaddr command.
    • Bring interfaces up when autoconfiguration for inet or inet6 is enabled (AUTOCONF4 or AUTOCONF6 flags).
    • Adjust terminology in ifconfig(8) to refer to “temporary address extensions” rather than the former “privacy extensions,” including the addition of an AUTOCONF6TEMP flag (to replace the negative flag “INET6_NOPRIVACY”). The autoconfprivacy option in ifconfig(8) has been deprecated.
    • Made it possible to disable the “autoconf” flag but keep “temporary” enabled in ifconfig(8).
    • For IPv6 addresses, added tracking of address proposal creation times to be able to establish total lifetime. This information is used to renew pltime/vltime of privacy addresses per RFC 4941.
    • Prevented kernel reuse of mbuf memory when generating the ICMP6 response to an IPv6 packet.
    • Use the toeplitz hash algorithm to set a flowid for tcp packets, which in turn is used to choose the tx ring on network cards with multiple rings.
    • Fixed wg(4) on macppc by keeping track of allowed ips pointer correctly.
    • Fixed wg(4) ioctl to handle multiple wgpeers.
    • Fixed a race between tx/rx handshakes in wg(4).
    • Prevented a potential hang when trying to remove a tun(4) interface.
    • Used the correct rdomain when adding and deleting routes with mpip(4) and mpw(4).
    • Made ifconfig(8) “-mplslabel” work with mpw(4).
  • Installer and upgrade improvements:
    • Prevented a race in dhclient(8) privsep which could cause autoinstall to fail by calling ftp(1) without a local address.
    • Fixed hangs on amd64 bsd.rd due to misreported core clock frequency on newer Intel Comet Lake models.
    • Began distributing the gzip’d version of bsd.rd on all platforms with boot methods supporting it.
    • Fixed a problem which prevented use of sysupgrade(8) when an interface failed to come up and dhclient(8) didn’t notice link-timeout expiration.
    • Prevented disklabel(8) from adjusting the swap ‘b’ partition size if physmem is zero to keep the auto-allocate code from putting a filesystem on that partition.
    • Emulate “[inet] autoconf” hostname.if(5) lines with “dhcp” so users testing dhcpleased(8) will still be able to upgrade manually while the installer uses only dhclient(8).
    • Restored dhclient.conf(5) to the group of network configuration files used during upgrades.
  • Security improvements:
    • Added notices to syslog whenever the “%n” format string component of printf(3) is used.
    • Removed workaround permitting Go executables to do syscalls directly, forcing them to use shared libc like all other dynamic binaries.
  • Routing daemons and other userland network improvements:
    • The bgpd(8) daemon saw the following changes:
      • Introduced bgpd(8) rde evaluate all to reduce path hiding in IXP route-server environments.
      • Added RTR support to OpenBGPD.
      • Added bgpctl(8) “show rtr” to display basic information about RTR sessions.
      • Added bgpctl(8) “show sets” to display information about the roa-set, as-sets and prefix-sets loaded into bgpd(8).
      • Properly implemented “rde med compare strict” in bgpd(8) and ensured that the order of prefixes is always correct.
      • Introduced a send hold timer in bgpd(8) to detect stalls on the sending side of a TCP connection, acting as a last resort to detect faulty peers.
      • Introduced the bgpd.conf(5) per neighbor and global config option “reject as-set yes/no” to allow rejection of received UPDATES with AS_SET segments. These rejected prefixes can be viewed with bgpctl(8) “show rib in error”.
      • No longer allow configuration of the same neighbor multiple times in bgpd(8).
      • pf(4) tables now track prefixes correctly even when received by multiple sessions.
      • Fixed a memory leak when parsing bgpd(8) roa-set lists.
    • The ospfd(8) and ospf6d(8) routing daemons were refactored to keep the code similar to changes in other routing daemons and to improve maintainability.
      Additionally, support for point-to-point interfaces in ospf6d(8) was fixed and ospfd(8) now works with point-to-point interfaces which use a common IP address.
    • The pf(4) packet filter and its userland utility:
      • Relaxed checks in pfctl(8) and pf(4) to accept any valid routing domain, even if it does not yet exist.
      • Made pfctl(8) detect and reject bogus ranges before loading the ruleset to prevent a panic.
      • Changed route-to in pf.conf(5) to send packets to IPs instead of interfaces.
      • Changed pf_route so pf(4) only runs when packets enter and leave the stack. Running the same packet through pf multiple times creates confusion for the state table. By default, pf states are floating, meaning that packets are matched to states regardless of which interface they’re going over. This diff avoids multiple pf(4) traversals of one packet causing confusion in the state table.
      • Prevented the kernel from being stuck in an endless recursion during TCP path MTU discovery when pf(4) changes the routing table when sending packets.
      • When cutting off the head of an overlapping fragment during pf(4) reassembly, reinserted the fragment into the lookup table with the correct index.
      • Improved tftpd(8) logging to report the reasons a transfer failed.
    • IPSEC support in the kernel and the iked(8) userland daemon:
      • Added support to request IP addresses as IKEv2 initiator to iked(8). If ‘request addr 0.0.0.0’ is configured, any address will be accepted.
      • Make iked(8) accept ANY dynamic address with ‘request addr 0.0.0.0’.
      • Added ‘dynamic’ keyword to iked.conf(5) to allow configuration of flows to dynamically assigned addresses.
      • Added the ‘any’ keyword to iked.conf(5) for requests to allow “request address any”.
      • Enabled iked(8) support for ASN1_DN ipsec identifiers.
      • Implemented iked(8) “from dynamic,” installing flows where “dynamic” is replaced by the received dynamic IP address.
      • Made sure not to replace 0.0.0.0 with a dynamic address in iked(8) if it is a network address.
      • Added iked(8) -s socket option to specify a control socket.
      • Used a counter instead of random IV for AES-GCM in iked(8), eliminating the risk of random collisions.
      • Added iked(8) support for multiple address pools.
      • Added the iked(8) “set stickyaddress” option, which attempts to assign the same “config address” when an IKESA is negotiated with the DSTID of an existing IKESA.
      • Ensured rekeying of every child SA in iked(8).
      • Added iked(8) support for RSASSA-PSS signature verification (RFC 7427).
      • Corrected the first packet of an ipsec(4) SA to have sequence number 1.
      • Accepted reject and blackhole routes for IPsec PMTU discovery.
      • Prevented leaking of ipsec_hosts in iked(8) when building hosts_list.
      • Prevented initiation of new additional SAs for each policy upon every ikectl(8) config reload.
      • Fixed “any” and “dynamic” keywords for flows in iked(8) and added proper IPv6 support.
      • Created a path MTU host route for IPsec(4) over IPv6.
      • Added support for INVALID_KE_PAYLOAD in iked(8) CREATE_CHILD_SA exchange.
      • Added support for RSA-PSS PKCS1 signatures to iked(8).
      • Fixed path MTU discovery for ESP tunnels in IPv6.
      • Upgraded to OpenSSL 1.1 compatible crypto API in iked(8).
      • Added an optional “group none” transform for child SAs in iked(8) to ensure the ability to negotiate optional PFS.
      • Added iked(8) dynamic address configuration for roadwarrior clients, with a new “iface” config option which can be used to specify an interface for the virtual addresses received from the peer.
      • Fixed an iked(8) interop problem with strongswan if make-before-break is enabled.
    • The httpd(8) webserver saw numerous improvements:
      • Prevented a crash due to httpd(8) listening on port 443 with missing TLS certificates.
      • Created a new “location (found|notfound)” option for httpd.conf(5) to allow testing for resource path existence.
      • Fixed detection of duplicate locations in httpd(8).
      • Fixed leak of access and error log filenames on config reload in httpd(8).
      • Avoid leaking the log message in httpd(8)’s server_sendlog.
      • Incorrect order of close(2) and tls_close(3) together with a bug in libssl led to leaking memory in httpd(8) for each TLS connection.
      • Fixed the httpd(8) example configuration not to generate errors when running without TLS keys already in place.
      • Optimized disk reads of httpd(8) by using st_blocksize as high water mark instead of the socket buffer size.
      • Do not compare TLS config params for non-TLS servers. This allows using listen on * port 80 and listen on * port 443 in the same server block in httpd.conf(5).
    • rpki-client(8) received the following new features and bugfixes:
      • Added RRDP (The RPKI Repository Delta Protocol, RFC 8182) support as a ‘technology preview’. To use it, the “-r” flag needs to be used.
      • Support the use of more than one URI in the TAL file, sorting with a preference for https.
      • Validation of ghostbuster records (RFC 6493).
      • Fixed checks of the manifest validity interval.
      • The rsync connection is now killed when the rsync server stalls.
      • Limited the URL embedded in .cer files to alphanumeric characters and punctuation.
      • Added a “-V” option to show version.
      • Included the default cert.pem file path in tls_load_file error messages.
    • The dig(1) DNS utility received the following updates:
      • Implemented RFC 8914 Extended DNS Errors for dig(1).
      • Fixed dig(1) EDNS Client Subnet option (+subnet=).
      • Fixed IPv6 link-local address handling for nameservers to talk to and for address to bind to in dig(1).
      • Implemented ZONEMD (RFC 8976) in dig(1) to convey a message digest of the content of a DNS zone.
    • Changes to dhclient(8):
      • Fixed incorrect behavior when using dhclient.conf(5) to change the lease renew/rebind/expiry timing.
      • Allowed the provision of dhclient(8) options on “dhcp” lines in hostname.if(5) files.
      • Converted all timers from time(3) values to clock_gettime(2) CLOCK_MONOTONIC values.
      • Removed -L command line option.
      • Improved debug output.
      • Improved re-acquisition of a previous address by immediately accepting any OFFER for the address, rather than waiting for ‘select-timeout’ to expire.
      • Exit immediately if the -c option specifies a non-existent file.
      • Exit immediately if the -i option contains invalid information.

Resources

The distribution can be downloaded from:

The distribution's website is: http://www.openbsd.org/

Screenshot

OpenBSD 5.3

Conclusions

You can upgrade from the previous version.
