This selection is intended to include all important and all user-visible changes. For a complete record of all changes, please see the "source-changes" mailing list, called "OpenBSD CVS" in the archives, or use CVS.
Note: Problems for which patches exist are marked in red.
5.8 and 5.9 RELIABILITY FIX: When signaling an error to an HTTP relay client, the connection can be terminated prematurely, leading to a crash. A source code patch exists which remedies this problem for 5.8 and 5.9.
In the installer, back out the automatic pkg.conf(5) installpath changes.
In dhclient(8), back out the change that narrowed the BPF read filter rules so only packets sent to the interface's LLADDR pass. Some DHCP servers send frames to the ethernet broadcast address.
In imxuart(4/armv7), re-create the i.MX6 console with the correct minor number on attach.
Disable POOL_DEBUG.
In newfs(8), scale the default "density" value so that on 4K disks the same number of inodes are created as on DEV_BSIZE devices.
In stty(1), error out if the display and modify mode are combined on the command line. This avoids a pledge(2) violation.
In softraid(4), plug potential leak of device list.
In switchd(8), parse and print OpenFlow 1.3 PACKET_IN and OXM (Openflow eXtended Match).
In netstat(1), print the relevant counters to tune the TCP SYN cache.
In iwm(4), disable the beacon filter. This makes it possible to keep track of HT protection changes.
In net80211, enable RTS for frames above a particular size. This change allows for reasonable throughput on loaded 11g networks whereas before they were practically unusable.
In switchd(8), update OpenFlow 1.3 stub based on the 1.0 code.
In switchd(8), add the -n flag to check the configuration and exit.
In iwm(4), properly keep track of HT protection changes while associated.
Unbreak ural(4), which had been dropping frames on Tx while the IFF_RUNNING flag was set.
In ehci(4), use the same workaround for ATI controllers as for VIA controllers. This should hopefully help people reporting errors with SB700.
Add the tcp.synhashsize sysctl(8) to make the size for the syn cache hash array tunable.
In dhclient(8), narrow the BPF read filter rules so only packets sent to the interface's LLADDR pass. This limits the number of packets that get dropped as a result of dhclient setting BIOCSFILDROP on the bpf descriptor.
Import switch(4), switchd(8) and switchctl(8), a basic work-in-progress OpenFlow implementation (not built by default).
In carp(4), fix the check supposed to prevent "ip" and "ip-stealth" balancing modes from leaking the multicast address.
In sshd_config(5), allow wildcard for PermitOpen hosts as well as ports (bz#2582).
In "rcctl ls", skip all files with a "." in the name, because pkg_add(1) renames files in this way when the checksums don't match.
In virtio, always allow MSI/MSI-X. This enables MSI-X with qemu's old "82441FX" pci-bridge.
In sxitimer(4/armv7), explicitly stop the timers before reloading them. This fixes a hang on the Olimex A10s boards.
In doas(1), copy the path to the shell from struct passwd to prevent it from being overridden by a getpwuid(3) call. This happens in a double doas call.
Update per-neighbor GTSM options on config reload.
Explicitly ignore the Hop Count and Path Vector TLVs.
Improve logging of reserved labels.
Disable acpicbkbd(4) by default until after the release. It causes the kernel to spin forever on certain Chromebooks.
In ssh(1), reduce the syslog level of some relatively common protocol events from LOG_CRIT (bz#2585).
Add a ProxyJump ssh_config(5) option and a corresponding -J ssh(1) command-line flag to allow simplified indirection through a SSH bastion or "jump host".
5.8 and 5.9 RELIABILITY FIX: Splicing sockets in a loop could cause a kernel spin. A source code patch is available for 5.8 and 5.9.
5.8 and 5.9 RELIABILITY FIX: ufs_readdir failed to limit size of memory allocation, leading to panics. A source code patch is available for 5.8 and 5.9.
5.8 and 5.9 SECURITY FIX: The mmap extension __MAP_NOFAULT could overcommit resources and crash the system. A source code patch is available for 5.8 and 5.9.
5.8 and 5.9 RELIABILITY FIX: Tick counting overflows could cause a kernel crash. A source code patch is available for 5.8 and 5.9.
5.8 and 5.9 RELIABILITY FIX: Invalid file descriptor use with kevent(2) could lead to a kernel crash. A source code patch is available for 5.8 and 5.9.
5.8 and 5.9 RELIABILITY FIX: Unchecked parameters and integer overflows in the amap allocation routines could cause malloc(9) to either not allocate enough memory, leading to memory corruption, or to trigger a "malloc: allocation too large" panic. A source code patch is available for 5.8 and 5.9.
5.9 RELIABILITY FIX: Multiple processes exiting with a fd-passing control message on a shared socket could crash the system. A source code patch is available for 5.9.
5.9 RELIABILITY FIX: A race occurring in the unlocked ARP input path can lead to a kernel NULL dereference. A source code patch is available for 5.9.
Ensure that amap slot calculation does not overflow. This prevents too-small amaps from being allocated when the allocation of a large number of slots is forced.
Ignore the kern.usermount sysctl(8). It is unsafe, because it allows any non-pledge(2)'d program to call the mount/umount system calls. The sysctl will be completely removed in 6.1.
In ip6(4), drop received packets with an IPv4-compatible address as source or destination as per RFC4213.
In fec(4/armv7), do board-specific delay/skew corrections for the Micrel KSZ9021 and KSZ9031 PHYs based on device tree properties instead of the board ID.
Prevent a use-after-free by not updating an ARP entry that has been removed from the table.
Avoid a panic caused by very big mallocs for the ufs_readdir() buffer which should have been limited to 64 kB.
Avoid a panic caused by very big mallocs that result from uint64-to-int32 truncation when kevent does fd validation.
On amd64, add hvn(4), a work-in-progress driver for the Hyper-V NetVSC.
In calendar(1), when matching a day in the month, ensure the date is still in the month we are interested in. This fixes things like Sunday+5 for months where there is not a 5th Sunday.
In bgpd(8), output the no-longer-so-new AS operators when printing the configuration.
In libtls, split the existing TLS cipher suite groups into four: secure, compat, legacy and insecure.
Check resource limits for mappings established using __MAP_NOFAULT. This prevents callers from triggering a kernel panic and a potential integer overflow in the amap code by forcing the allocation of too many slots.
In imxehci(4), use the device tree voltage regulator information to supply power to the USB bus, because this only supports "fixed" regulators that are controlled through a gpio.
Fix a crash when MNT_DOOMED is passed in the flags to unmount(2).
In syslogd(8), add support for TLS client certificates. This allows the remote server to verify the authenticity of received messages.
In tmpfs, don't allow mounting with noval owner. It causes a panic later on.
In factor(6), use an integer version of the Newton method instead of the floating point square root. This fixes a rounding issue.
In imxesdhc(4/armv7) and fec(4/armv7), use the gpio framework to implement card detect instead of hardcoding particular gpios based on board IDs.
Hook up imxgpio(4) to the FDT gpio framework.
Fix path MTU discovery which was slightly broken: it took two ICMP packets to create and change the dynamic route.
In tcp(4), do not increase the size of the socket buffer under memory pressure.
In tcpdump(8), recognize MPLS pseudowire with control words. Also print encapsulated ethernet packets.
In acpimadt(4), properly handle Processor Local X2APIC structures. This makes secondary CPUs attach on the HP DL360 gen 9.
Dynamically attach imxgpio(4) using the FDT.
In mandoc(1), fix a bug causing .so links to gzipped manuals to fail in the absence of a mandoc.db(5) database.
In omap(4/armv7), follow imx and match based on the compatible property of the root node in the fdt instead of attaching the device based on board IDs.
In ssh(1), improve crypto ordering for Encrypt-then-MAC (EtM) mode MAC algorithms. This prevents the possibility of a side-channel oracle, though no such oracle has been identified.
In perl(1), fix a bug where XSLoader could try to load from a subdir of the cwd when called via eval (CVE-2016-6185).
In malloc(3), correctly implement the three-valued J/j option.
In syslogd.conf(5), allow space-delimited fields in syslog.conf in addition to traditional tab-delimited fields.
Avoid an integer overflow of the thrsleep() timeout. This prevents a panic.
On the Quad-G5, make hpb(4) attach first when iterating PCI buses to allow openpic(4) to properly map interrupt for the devices instead of possibly dereferencing garbage.
Decrease the initialization FSM timeout. This allows quicker recovery of a session with a neighbor.
Improve RFC 4447 compliance.
In cat(1), indent the '$' on blank lines when the -ne options are used.
Make accepted sockets inherit IP_TTL from the listening socket.
Allow resetting the IP_TTL and IP_MINTTL sockopts.
Fix an issue where syslogd(8) would print 15 NUL bytes followed by two blank spaces before the log message for warnings generated while parsing syslog.conf.
Add acpicbkbd(4), a simple keyboard backlight driver for some Chromebooks.
On armv7, allow booting on SolidRun's HummingBoards and CuBoxes.
In sndiod(8), avoid triggering watchdog time-outs which prevent sndiod from resuming.
In malloc(3), adapt the S option: add C, and remove F and P.
In inet6(4), restore the automagically added /64 route on p2p interfaces in order to send traffic to link-local addresses without default route.
In ssh(1), explicitly check for 100% completion in the progress meter. This avoids a potential floating point rounding error which could cause the progress meter to report 99% on completion.
In vi(1), if /tmp/vi.recover doesn't exist, don't create it. Warn once that it doesn't exist, afterwards fail silently.
In smtpd(8), explicitly enclose SMTP transactions between BEGIN and COMMIT/ROLLBACK filter events.
In ioapic(4/amd64), don't write to the read-only RIRR bit in the IOAPIC redirection register. This may subsequently block interrupt delivery.
In nc(1), add the -M and -m options to specify the outgoing and incoming minimum TTL.
Do not return an error if one of the paths in argv is empty. This prevents programs using fts(3) from reporting an error if one of the paths is empty.
When the list passed is empty, return EINVAL instead of pretending to succeed. This avoids a NULL pointer dereference in a later fts_read(3) call.
Add the net.inet.ip.arptimeout and net.inet.ip.arpdown sysctl(8)'s for ARP timers.
In bgpd(8), use IPV6_MINHOPCOUNT to finish implementing ttl-security for IPv6.
Update to xkeyboard-config 2.18.
In pkg_info(1), implement -z that uses is-branch info to produce "complete" stem--[flavor][%branch] listing.
Add UDP unicast and multicast support for IP_MINTTL and IPV6_MINHOPCOUNT.
On vmm(4/amd64), fix a panic when CPUs fail to spin up for other reasons during boot.
On amd64 and i386, enable the UMIP feature if present.
Enable ure(4) on the architectures where url(4) already is.
5.9 SECURITY FIX: Correct a problem that could result in incorrect parsing/encoding of times in OCSP messages. A source code patch is available for 5.9.
In doas(1), revise environment handling. Add a "setenv" keyword to doas.conf(5) for manipulating the environment; "keepenv" now simply means retain everything.
Add ure(4), a driver for Realtek RTL8152 10/100 USB Ethernet adapters.
Fix the OCSP code to actually check for errors when comparing time values. Ensure that it only compares GENERALIZEDTIME values as per RFC6960.
Ensure that OCSP uses Generalized Time on requests as per RFC6960.
In pf(4), make nat-to usable by in rules and together with divert-to. Collisions with existing states are found and produce a "NAT proxy port allocation failed" message.
Update to nsd 4.1.10.
Log to syslogd(8) when the dmesg(8) buffer overflows and messages are lost.
When pf_test() returns something other than PF_PASS, set error to EACCES instead of EHOSTUNREACH. On the latter, ip_forward() can generate undesired ICMP errors.
In pax(1), allow creation of devices or fifo without -p.
In sshd(8), fix AuthenticationMethods during configuration re-parse.
In ld.so(1), when handling DT_TEXTREL only set the mapping to READ+WRITE, ignore possible EXEC permission for the section, because the proper permission is set late, and there are no thread concerns in this case. This avoids W^X issues.
In efifb(4), add support for drawing a console on a coreboot framebuffer. This is useful on chromebooks that have no legacy vga device or, for newer chipsets, a full console and X with wsfb(4).
In pf.conf(5), change the parser to make af-to on pass out rules an error. This fixes a bug where a nonworking configuration could be loaded.
On m88k, add sc_cookie in sigcontext, the same as other ports.
In libcrypto, disable DSA_FLAG_NO_EXP_CONSTTIME, always enable constant-time behavior.
In openssl(1), fix a bug loading the default certificate path locations. The files would only be loaded if the CAfile or CApath locations were successfully loaded first.
In ld(1), make creation of text-relocations a fatal error by default, with -znotext to permit it and -ztext to reenable the default of forbidding it.
In bgpd(8), show the "nexthop 1.2.3.4 now valid: via 192.168.0.1" message only in debug mode.
Add ds1307(4), an I2C driver for the Maxim DS1307 Real Time Clock chip.
In iwm(4), send PHY DB commands as async commands. This change makes it work better in RAMDISK kernels.
Make umb(4) also work with devices that implement both NCM 1.0 and MBIM.
Do not allow configuring the same interface for both LDP and VPLS.
In smtpd(8), also add missing date or message-id when listening on the submit port.
In sshd_config(5), ban AuthenticationMethods="" and accept AuthenticationMethods=any for the default behaviour of not requiring multiple authentication (bz#2398).
Automatically exit all modes after 180 seconds of inactivity and if there is pending output.
In ssh(1), remove "POSSIBLE BREAK-IN ATTEMPT!" from log message about forward and reverse DNS not matching (part of bz#2585).
Update to tzdata2016e.
In pkg_add(1), restrict %m and friends to "separate words" so they won't collide with branch specifiers.
In pppoe(4) and sppp(4), don't hardcode vlan/queue priority for pppoe packets, but instead inherit it from the new "llprio" setting on the pppoe(4) interface.
Rework the handling of Hello packets in order to improve IPv6 support.
Implement a timeout for the session initialization FSM. This prevents neighbors stuck in the initialization FSM from lingering forever as long as the associated transport connection is up.
Implement support for the Configuration Sequence Number TLV.
In utvfu(4), start/stop the audio bulk thread as the consumer opens/closes device.
In uvm_map(9), avoid grabbing the kernel lock for interrupt-safe pools.
In uhidev(4), do not execute the callback if the device is being detached. This should prevent a race triggering a use-after-free.
In sxie(4/armv7) and sxiuart(4/armv7), handle both the nintr 1 (allwinner a10/cortex a8) and nintr 3 (allwinner a20/cortex a7) cases.
On armv7, ignore everything from ":" onward in stdout-path when finding the console node. Characters after this are device-specific settings.
Dynamically attach imxuart using the FDT.
In exuart(4/armv7), override the address found with FDT if the board ID is c210, because the qemu smdkc210 target uses serial0 for console while the exynos4210-universal_c210 dtb specifies stdout as serial2.
Fix parsing of multiple optional TLVs in label and notification messages. This fixes IxANVL LDP test 15.3.
Make it possible to parse unknown TLVs in the future.
Send an "Unknown FEC" Notification for unexpected wildcard FECs. This fixes ANVL LDP test 15.6.
Add missing ntohl(3) when recording a label request. This fixes the following ANVL LDP tests: 1.5 and 9.4.
Parse the whole Hello packet before processing it. This fixes a bug where we could create a dynamic targeted neighbor in response to a malformed packet.
In ifconfig(8), add the "llprio" parameter to set the priority of packets that do not go through pf(4).
In acpi(4), don't attempt to attach acpitimer(4) if the timer isn't present. The power management timer has been made optional in ACPI 5.0A.
In tetris(6), when eliding a row, clear the invisible row zero, so that no columns can become unusable during game play.
Add one more safety check for Initialization messages. This fixes the following ANVL LDP tests: 6.5, 6.6 and 6.11.
Change what is considered a NACK for our Initialization messages. This fixes the following ANVL LDP tests: 6.19, 6.21 and 6.22.
Discard Hello packet if advertised transport address is of different AF. This fixes IxANVL LDP test 5.13.
Fix quick reconnect when the transport address is changed.
Remove octhci(4). It has been superseded by dwctwo(4).
Do the full W^X check on hppa and mips64.
On armv7, use FDT to find the console to initialize.
Attach acpitoshiba(4) on Libretto, Dynabook and SPA40 laptops.
Enforce W^X and map W|X segments without X permission initially. The dynamic linker will make these read-only and add back X permission after relocation processing.
In ld.so(1), some ELF ABIs still require a PLT that is both writable and executable. To avoid W^X violations, initially map such segments as writable and non-executable, and change the mapping to non-writable and executable after initial relocation processing.
In ld.so(1), accommodate ELF ABIs that require a PLT that is both writable and executable, without causing W^X violations.
In sshd(8), revert src/usr.bin/ssh/kexgexs.c r1.28 ("Check min and max sizes sent by the client"). It caused "key_verify failed for server_host_key" in clients that send a DH-GEX min value less than DH_GRP_MIN.
Abort a process if it trips the W^X violation check, unless it came from a filesystem with the wxallowed flag set.
In video(1), add -q to only display the device properties and quit.
In bgpd.conf(5), add the =, !=, - (range), >< (exclusive range) operators to the as-path filters (AS, peer-as, source-as, transit-as).
In iwm(4), fix multicast Rx by updating the MAC context again after sending multicast filter and STA settings during association. This makes ARP and inet6 autoconf work again.
Avoid decreasing uvm_maxkaddr which may cause the "address selector returned unavailable address" panic.
In ssh(1), allow ExitOnForwardFailure and ClearAllForwardings to be overridden when using "ssh -W" (but still default to "yes" in that case) (bz#2577).
In dhclient(8), change the reboot default value to 1 second.
In kdump(1), allow printing timestamps relative to the beginning of the trace.
On amd64, fix two issues in the MSI-X code: actually read the MSI-X capability register, and correctly decode the table size from its contents.
In gcc(1), fix internal compiler error with long long arithmetic.
In mmap(2), prevent vsize_t underflow when checking RLIMIT_DATA, which made the check ineffective when you already had more memory than your limit allowed.
In iked(8), use the last 32-bits of the IPv6 address to dynamically assign addresses from the pool, instead of the fourth byte.
In intel(4), fix an undefined symbol crash when opting into uxa.
In aucat(1), set exit status to 1 if -n is used without -i and -o.
In nc(1), support the use of service names instead of port numbers.
Let rmdir(2) return EINVAL instead of EBUSY when trying to remove ".". This restores POSIX compliance for rmdir(2) and rmdirat(2).
In newsyslog.conf(5), increase permitted sizes for the daemon and messages logs.
In disklabel(8), unbreak automatic disk allocation based on a template.
In umsm(4), add support for Netgear/Sierra Aircard 340U.
In uvideo(4), correctly set the V4L2_BUF_FLAG_QUEUED and V4L2_BUF_FLAG_DONE buffer flags.
In binutils, port over the binutils fix for PR ld/3111: greatly speed up linking of object files that contain lots of dwarf2 symbols by caching symbol tables.
In libedit, fix a crash that occurred when the history contained more than twice as many entries as the new limit.
Ensure that softraid(4) crypto is not run on the crypto taskq.
In video(1), guard against using tp_start uninitialized in case no frame was grabbed in verbose mode.
Stop creating and inserting a route entry for ARP and ND automagically.
Flush dynamic route entries attached to an interface when its link state becomes DOWN. This should fix stale RTF_DYNAMIC routes when switching WiFi network during suspend/resume.
Plug a route entry leak triggered under memory pressure.
In video(1), add mmap(2) support for frame grabbing and make it the default over read(2) unless overridden by the -g flag.
Identify W^X labelled binaries at execve(2) time based upon the WX_OPENBSD_WXNEEDED flag set by ld -zwxneeded.
Fix -verbose mode when used on a Unix domain socket.
Fix a pledge(2) violation when -P is used and a password needs to be supplied.
In iwm(4), add support for Intel Wireless 3165 devices.
In fsirand(8) and fsck_msdos(8), fix a pledge(2) violation that can be triggered by using DIOCGDINFO on a file that is not a disk device.
In disklabel(8), don't crash if no filename is provided.
In iwm(4), add support for Intel Wireless 8260 devices.
In aucat(1), fix file block size rounding and ensure it's large enough to store a full audio block.
In the install script, set the "wxallowed" mount(8) option for the filesystem /usr/local resides on.
No longer allow W^X violations by default. A kernel log message is generated, and mprotect(2) and mmap(2) return ENOTSUP. If the kern.wxabort sysctl(8) is set, a SIGABRT occurs instead. W^X-violating programs can be permitted per FFS/NFS filesystem, using the "wxallowed" mount(8) option.
In aucat(1), when resampling, use the exact resampling factor instead of the ratio between input and output block sizes. This change makes playback/recording rate match exactly the requested sample rate.
In httpd(8), return 400 (Bad Request) instead of 500 (Internal Server Error) for requests not specifying the HTTP version.
When initializing the console, add a short delay so that baud rate changes on the console have a chance of working. This prevents the serial console on the APU from hanging when garbage is echoed to the tty.
In procmap(1), reintroduce vnode-to-filename mapping.
On armv7, dynamically attach imxiic(4/armv7) and use the FDT to enumerate devices on i2c busses. The CuBox-i and Hummingboard now need to be booted with an FDT to see the RTC.
In cnmac(4/octeon), make the TX path MP-safe and add some ifq oactive logic.
On armv7, resolve problems with ommmc(4/armv7) sometimes not attaching properly with recent u-boot versions.
On macppc, hook up smu(4/macppc) to the thermal management framework.
On macppc, add a thermal management framework which controls the fan speed based on the temperature sensor values.
In the install script, log questions and answers during install/upgrade and mail them to the root user in a format usable as a response file for autoinstall(8).
In libcrypto, fix a short-read bug in the previous version of asn1_d2i_read_bio.
On i386, split the ACPI resume trampoline into code and data pages, and protect with proper permissions.
5.9 RELIABILITY FIX: Possible data corruption in bnx(4). A source code patch is available for 5.9.
In ieee80211(9), in hostap mode, don't re-use association IDs (AIDs) of nodes which are still lingering in the node cache. This could cause an AID to be assigned twice.
Split the i386 mp hatch trampoline into code and data pages, and protect each with proper W^X policy.
On octeon, accept cnmac as a valid rootdev from uboot (e.g. rootdev=/dev/cnmac0).
Rework the fix to prevent a kernel crash when sendsyslog(2) is called with LOG_CONS and the console device has not been initialized yet.
In regex(3), fix a one-byte buffer underflow (read access only).
Change the random event buffer from a queue to an endless ring so that no events are dropped when the queue is full. They are instead mixed into previous events.
5.8 and 5.9 SECURITY FIX: Insufficient checks in the uvideo(4) V4L2 ioctl(2) handling leak kernel memory contents to a local user. A source code patch is available for 5.8 and 5.9.
Completely skip link-layer address resolution and NUD on gif(4).
In uvideo(4), plug some holes in the V4L2 ioctl(2) interfaces that would leak kernel memory to a local user. Also fix a potential integer overflow issue.
In sysmerge(8), no longer handle /etc/example files.
In install(1), add -F to call fsync(2) on the installed file right before closing it.
In tmux(1), add -q to source-file to suppress errors about nonexistent files.
In eigrpd(8), disable EIGRPv6 on an interface when it loses its link-local address.
Remove the hppa64 port.
Allow zaudio(4) to start when large blocks are requested.
Make the mips64 pmap MP-safe.
In top(1), allow filtering of process arguments if they are being displayed.
Avoid a kernel crash when sendsyslog(2) is called with LOG_CONS and the console device has not been initialized yet.
Do SROP mitigation. sendsig() stores a cookie inside the sigcontext. sigreturn(2) checks the syscall entry was from the exact PC addr in the (per-process ASLR) sigtramp, verifies the cookie, and clears it to prevent sigcontext reuse.
Try harder to avoid using random data on the disk as an inode, because FFS2 does lazy inode initialization. This avoids crashes when translating a bogus filehandle to a vnode.
Update to libexpat 2.1.1.
In rcs(1), implement Mdocdate keyword substitution.
In imxesdhc(4), add DMA support. It uses ADMA2 "Internal DMA" that is compatible with the SD Host Controller standard.
In chvgpio(4), add support for level, active low gpio interrupts.
In wall(1), enable UTF-8 detection. This deliberately ignores UTF-8 characters and replaces them with a single question mark.
In sdmmc(4), add high-speed support for SD cards. This causes serious improvement in the read speeds.
In bytgpio(4), don't mask pins configured as direct IRQ. This unbreaks the keyboard on the Asus x205ta.
In ssh(1), fix overriding of StreamLocalBindMask and StreamLocalBindUnlink in Match blocks.
Stop using a soft-interrupt context to process incoming network packets. Use a new task that runs holding the KERNEL_LOCK to execute MP-unsafe code.
5.8 and 5.9 SECURITY FIX: Issues in the libcrypto library (CVE-2016-2108, CVE-2016-2107, CVE-2016-2105, CVE-2016-2106 and CVE-2016-2109). Refer to the advisory. A source code patch is available for 5.8 and 5.9.
In libssl, fix several issues: missing padding check in aesni functions, overflow in evp encode functions, and use of invalid negative asn.1 types.
Reduce the number of lookups to 1 for non-multicast traffic when pf(4) is disabled.
In ssh, implement IUTF8 as per draft-sgtatham-secsh-iutf8-00.
In telnet(1), don't check if the hostname is a fully qualified domain. This prevents pledge(2) "dns" issues.
In tmpfs, fix some issues regarding timestamp updating.
In ssh:
Support SHA256 and SHA512 RSA signatures in certificates.
Add support for additional fixed DH groups from draft-ietf-curdle-ssh-kex-sha2-03.
On arm and armv7, rework mainbus and implement simplebus to be able to span a tree-like topology based on device tree information.
In ommmc(4/armv7), add support for changing the bus width to ommmc and set the 4-bit mode capability.
Add bus width switching support for MMC. Enable 8-bit bus support on sdhc(4) controllers that support it. This makes the raw transfer rate of the eMMC on the Lenovo Ideacentre Stick 300 go up to 40 MB/s.
Add support for changing the bus width to the sdmmc(4) subsystem and the sdhc(4) controller. Use this to switch SD cards to a 4-bit bus if they support it.
In sppp(4), fix a bug causing breakage with LCP echoes.
5.9 RELIABILITY FIX: A problem in m_dup_pkt() can result in kernel crashes with carp(4). A source code patch is available for 5.9.
Implement DMA support (only ADMA2 is supported). There is a remaining issue with simultaneous use of eMMC and external SD card on (some) Intel Bay Trail hardware.
Enable the ADMA error interrupt.
Enable high speed timing for bus clock frequencies over 26MHz and advertise support for it.
In tmux(1), add options to include status text in the pane borders.
Fix several bugs due to uninitialized struct nameidata's.
In softraid(4), panic when attempting to execute a scsi command with no discipline defined.
Fix a bug causing gzip(1) to think the resulting file got larger during compression.
In sysmerge(8), in interactive mode, check syntax of several important files after merging to give some protection against bad merges.
Don't allow the routing table of a bound socket to be changed. This is not intended and will behave unexpectedly if the address is already used in another domain.
In tmux(1), fix keys parsing again to correctly accept Unicode when not prefixed with Escape.
In smtpd(8), fix "smtpctl show queue" reporting "invalid" envelope state.
In ssh(1), close the ControlPersist background process stderr when the daemon is not in debug mode or when logging to a file or syslog (bz#1988).
In MAKEDEV(8), replace /dev/bpf[0-9] with /dev/bpf and /dev/bpf0.
In dhclient(8), if the attempt to broadcast a DHCPDISCOVER packet returns EAFNOSUPPORT, just print an error message and exit.
In libssl, allow ^C to break operations such as reading passwords.
In libssl, implement the IETF ChaCha20-Poly1305 cipher suites. The old Google implementation continues to be supported, but the ChaCha20-Poly1305 cipher suites names now refer to the ciphers from draft-ietf-tls-chacha20-poly1305-04.
In sysmerge(8), be consistent in batch and interactive mode: ensure sysmerge can be re-run if a file is left for later.
In acpitz(4), if the temperature is below the active cooling level for a tz, turn the fan off regardless of what state it is currently in.
In rtsx(4), match on RTS522A found in 2016 ThinkPads.
Remove systrace support.
In the install script, when upgrading automatically run sysmerge(8) in batch mode before fw_update(1).
On macppc and socppc, don't check if the CPU is inside the idle loop when entering ddb(4). This allows putting breakpoints in interrupt context and have them work if an interrupt fires while the CPU is idle.
In httpd(8), always pass the QUERY_STRING variable to the FastCGI handler.
In puc(4), match on Intel 100 series and 100 series LP PCH.
In azalia(4), enable snooping on Intel 100 Series LP HDA.
Fix an issue where the 32-bit UEFI bootloader (BOOTIA32.EFI) would not detect a GPT leading to a failure to boot.
On mips64, sync dcaches and invalidate icaches of all active CPUs of a pmap when making a page executable. This prevents some icache inconsistencies that caused process crashes on multiprocessor IP27/IP30 systems under load.
In synaptics(4), don't stop scrolling when handling TOUCH_RESET events.
In asmc(4), don't try to probe light sensors for machines with none available.
In mpbios(4), don't attach if "default configuration" mode is detected during probe rather than panicking.
In smtpd(8), use automatic DH parameters instead of fixed ones. Also disable DHE by default since it is computationally expensive and a potential DoS vector.
In perl(1), apply fix for perl bug 123562 (CVE-2015-8853).
In re(4), if RTL8111E on PC Engines APU is detected, configure NIC LEDs to display link (instead of the default of a normally-off light for network activity and nothing for ethernet link).
Re-enable pckbd(4) on resume. This fixes problems on (at least) various HP laptops that previously had no working keyboard after resuming from zzz(8).
On amd64 and i386, use a CPUID function to determine presence of general purpose architectural performance counters. This fixes a panic seen on some hypervisors when pctr(1) is used when the hypervisor masks out the counters.
In libedit, reset the terminal to its initial state before exiting a program that is using libedit.
In bgpd(8), don't exit when receiving an RTM_CHANGE message for an RTF_MPATH route that is actually on an interface.
In pf(4), don't panic if an mbuf(9) already has a statekey. This should help finding the remaining corner cases of packets looped back in the stack.
In vmd(8), place a BOOTARG_END section at the end of the boot arguments list pushed to the VM during boot. This makes it possible to install and run an OpenBSD i386 guest VM using vmm(4).
In grep(1), don't do reverse search optimization if looking for all matches in a line.
On armv7, map and use the bootconfig/FDT area passed by u-boot and try to init FDT on it. This allows for the use of device tree information.
In Xserver(1), implement VT switching (based on the USL compat interface) in the wscons console backend and use it by default.
Update to xf86-video-ati 7.6.1.
In ihidev(4) and dwiic(4), add support for I2C HID devices with GPIO signalled interrupts.
In rcctl(8), rename the "faulty" list action to "failed".
In tftpd(8), go in the background much later to reduce possible silent failures.
If one of the TCP SYN cache buckets overflows, it might be a collision attack against the hash function. Mitigate this attack by reseeding the hash function as soon as possible.
In uslcom(4), add support for the USB console port on Aruba 7xxx wireless controllers.
In ssh(1), remove fallback from moduli to "primes" file that was deprecated in 2001 and fix log messages referring to primes file (bz#2559).
Implement proxy ARP for ART based on mpath support.
In acpi(4), hook up the gpio interrupt on devices that use it for card detection. This makes the SD card slot on machines based on Intel's Bay Trail SoC fully functional.
In bytgpio(4), add support for gpio-based interrupts.
Add getlogin_r(2) system call that checks and returns errors like the userspace getlogin_r() API.
Remove MLINKS from base. They are no longer required by mandoc(1).
In binutils, fix fallout from the switch to binutils 2.17: the binaries created by 2.17 aren't recognized by the in-tree gdb(1) because it's built with the bfd code from 2.15.
Add the net.inet.tcp.synuselimit sysctl(8) to adjust tcp_syn_use_limit. This is convenient to test the feature and may be useful to defend against syn flooding in a denial of service condition.
In authpf(8), avoid a dereference of a null object.
In tcpdump(8), properly check for the end of captured packet while printing CDP packets.
Ensure that a thread that calls sched_yield(2) ends up on the run queue behind all its sibling threads. This results in significant improvements for processes that suffer from lock contention, most notably firefox.
Add bytgpio(4), a driver for the gpio controllers found on Intel's Bay Trail SoC.
In netstart(8), don't delete the 224/4 route unless it's being done to ensure that a -reject route can be added. This restores the ability to set an interface route before daemons are started.
Avoid an attack that could prevent reseeding of the hash function used for the hash buckets in the TCP SYN cache.
In sdhc(4), make it possible to override the standard card detect mechanism to appease the SD controller on Intel's Bay Trail SoC.
Avoid a NULL pointer dereference when pulling and unmounting a umass(4) USB stick.
In libssl, fix a memory leak.
Switch from the SolidRun i.MX6 U-Boot to mainline U-Boot on the CuBox-i.
Always include the route priority in routing messages.
Do not populate RTAX_NETMASK when sending a routing message for RTF_HOST entries. This preserves old behavior with ART and fixes a regression.
In rc.d(8), make it possible to get usage as a non-root user.
In less(1) and ul(1), improve handling of ambiguous overstrike sequences.
In gcc(1) on arm, change the default arch target from strongarm (armv4) to arm9e (armv5te without xscale extensions).
Enable ART (Allotment Routing Table).
Ensure that a found proxy ARP entry has the correct flag.
In kernel clock, set ticks 15 seconds before its value wraps. This helps to identify issues around ticks wrap in 15 minutes instead of 240ish days.
In npppd(8), transition to "Req-Sent" had been missing when RTA in "Opened". This caused a timer event leak.
Update to tzdata2016b from ftp.iana.org.
Allocate amap slots for a virtual memory range reserved with sbrk(2) lazily. This avoids wasting kernel memory if the user process does not make use of the allocated memory.
For amaps with only a few slots, allocate the slots via pool(9). This saves some memory and reduces kmem pressure.
5.9 RELIABILITY FIX: Incorrect path processing in pledge_namei() could result in unexpected program termination of pledge(2)'d programs. A source code patch is available for 5.9.
5.7, 5.8 and 5.9 SECURITY FIX: Insufficient checks in IPv6 socket binding and UDP IPv6 option processing allow a local user to send UDP packets with a source (IPv6 address + port) already reserved by another user. A source code patch is available for 5.7, 5.8 and 5.9.
In puc(4), add support for the Exar XR17V354 device.
In ssh(1), unbreak authentication using lone certificate keys in ssh-agent (bz#2550).
In acpicpu(4), correct the value of SRT_ENDTAG: it was documented incorrectly in early ACPI specs.
In libfontconfig, enable atomic operations on mips64 and mips64el.
In vmm(4), introduce memory ranges to support VMs with 4G or more of RAM.
In ichiic(4), ignore the SMBALERT# interrupt. This fixes booting the GENERIC kernel on ADI RCC-VE with buggy BIOS versions, rendering the internal eMMC flash unusable.
In kdump(1), recognize ipmi, vscsi, pvbus, udl, fuse, trunk, pipex and memrange ioctl(2) requests.
In sd(4), avoid a kernel panic when unplugging a USB umass stick because of a use after free.
Avoid corrupt mount points without a valid device when unmounting.
5.7, 5.8 and 5.9 SECURITY FIX: Lack of credential sanitization allows injection of commands to xauth(1). A source code patch is available for 5.7, 5.8 and 5.9.
In httpd(8), set the content charset for auto index generated pages.
Make "cp -i" behave as "mv -i" or "rm -i", independently of whether stdin is a tty or not.
Do not remove RTF_STATIC L2 entries from the routing table. Static entries might not have a cloning route to re-create them and hence be gone when their timer expires.
In kdump(1), improve display of unknown and KTR_START records.
Avoid refetching blocks already in the buffer cache. This significantly improves read operations on MSDOSFS.
In ntpd(8) constraints, avoid using the %Z specification of strptime(3), which disagrees with RFC7231 and can give surprising results on other operating systems.
In acpi(4), add more Windows versions for _OSI checks.
In cpsw(4), detect and only enable the port that is actually used. This avoids device timeouts. Also enable interrupt pacing to limit interrupts at 2K/s.
Set the IFF_MULTICAST flag on tun(4) interfaces so IPv6 addresses can be assigned.
In diff(1), rectify line numbers for "s/.//" commands in ed-style diffs.
In libedit, fix a segfault and functional error in c_gets().
In libssl, remove support for ancient, broken DSA implementations.
Fix a bug when IPsec UDP encapsulation is used for IPv6.
In gcc(1), fix an Internal Compiler Error on alpha when using __sync builtins.
In fnmatch(3), fix negation of POSIX character classes.