
OpenBSD 6.5 Released

This is a partial list of new features and systems included in OpenBSD 6.5. For a comprehensive list, see the changelog leading to 6.5.

  • Improved hardware support, including:
    • clang(1) is now provided on mips64.
    • The default linker has been switched from the binutils bfd-based linker to lld on amd64 and i386.
    • octeon: Now the system automatically detects the number of available cores. However, manual setting of the numcores, or coremask, boot parameter is still needed to enable secondary cores.
    • octeon: It is now possible to use the root disk's DUID as the value of the rootdev boot parameter.
    • New octgpio(4) driver for the OCTEON GPIO controller.
    • New pvclock(4) driver for KVM paravirtual clock.
    • New ixl(4) driver for Intel Ethernet 700 series controller devices.
    • New abcrtc(4) driver for Abracon AB1805 real-time clock.
    • New imxsrc(4) driver for i.MX system reset controller.
    • New uxrcom(4) driver for Exar XR21V1410 USB serial adapters.
    • New mvgicp(4) driver for Marvell ARMADA 7K/8K GICP controller.
    • Support for QCA AR816x/AR817x in alc(4).
    • Support for isochronous transfers in xhci(4).
    • uaudio(4) has been replaced by a new driver which supports USB audio class v2.0.
    • Improved support for nmea(4) devices, providing altitude and ground speed values as sensors.
  • IEEE 802.11 wireless stack improvements:
    • Reduced usage of RTS frames improves overall throughput and latency.
    • Improved transmit rate selection in the iwm(4) driver.
    • Improved radio hardware calibration in the athn(4) driver.
    • The bwfm(4) driver now provides more accurate device configuration information to userland.
    • Added a new routing socket message, RTM_80211INFO, to provide details of 802.11 interface state changes to dhclient(8) and route(8).
    • If an auto-join list is configured, wireless interfaces will no longer connect to unknown open networks by default. This behaviour must now be explicitly enabled by adding the empty network name to the auto-join list, e.g. ifconfig iwm0 join "", or join "" in hostname.if files.
    • The iwn(4) and iwm(4) drivers will now automatically try to connect to a network if the radio kill switch is toggled to allow radio transmissions while the interface is marked UP.
  • Generic network stack improvements:
    • New bpe(4) Backbone Provider Edge pseudo-device.
    • New mpip(4) MPLS IP layer 2 pseudowire driver.
    • MPLS encapsulation interfaces support configuration of alternative MPLS route domains.
    • The vlan(4) driver bypasses queue processing and outputs directly to the parent interface.
    • New per SAD counters visible via ipsecctl(8).
    • The bpf(4) filter drop mechanism has been extended to allow dropping packets without capturing them, and tcpdump(8) can now use it as a filtering mechanism early in the device receive path.
    • ifconfig(8) gains txprio for controlling the encoding of priority in tunnel headers, with support in drivers including vlan(4), gre(4), gif(4), and etherip(4).
  • Installer improvements:
    • rdsetroot(8) (a build-time tool) is now available for general use.
    • During upgrades, some components of old releases are deleted.
  • Security improvements:
    • unveil(2) has been improved to understand and find covering unveil matches above the working directory of the running process for relative path accesses. As a result many programs now can use unveil in broad ways such as unveil("/", "r").
    • unveil(2) no longer silently allows stat(2) and access(2) to work on any unveiled path component.
    • unveil(2) is now used in ospfd(8), ospf6d(8), rebound(8), getconf(1), kvm_mkdb(8), bdftopcf(1), Xserver(1), passwd(1), spamlogd(8), spamd(8), sensorsd(8), snmpd(8), htpasswd(1), and ifstated(8). Some pledge(2) changes were required to accommodate unveil.
    • ROP mitigations in clang(1) have been improved, resulting in a significant decrease in the number of polymorphic ROP gadgets in binaries on i386/amd64.
    • RETGUARD performance and security has been improved in clang(1) by keeping data on registers instead of on the stack when possible, and lengthening the epilogue trapsled on amd64 to consume the rest of the cache line before the return.
    • RETGUARD replaces the stack protector on amd64 and arm64, since RETGUARD instruments every function that returns and provides better security properties than the traditional stack protector.
  • Routing daemons and other userland network improvements:
    • pcap-filter(3) can now filter on MPLS packets.
    • The routing priority for ospfd(8), ospf6d(8) and ripd(8) is now configurable.
    • ripd(8) is now pledged.
    • First release of unwind(8), a validating, recursive nameserver for 127.0.0.1. It is particularly suitable for laptops moving between networks.
    • ifconfig(8) gains sff and sffdump modes, displaying diagnostic information from fibre transceivers and similar modules. Currently ix(4) and ixl(4) are supported.
    • ldpd(8) now supports configuration of TCP MD5 for networks, not just specific neighbors.
  • bgpd(8) improvements:
    • bgpd(8) now has a real Adj-RIB-Out, which improves overall memory usage.
    • Implemented a simple ruleset optimizer that merges filter rules that differ only by filter sets.
    • First release of OpenBGPD-portable. There is currently no FIB support in the portable version and some other features are also disabled.
    • The configuration of BGP MPLS VPN changed and the config needs to be adjusted if VPNs are used.
    • Added support for IPv6 BGP MPLS VPNs.
    • Implemented as-override in bgpd(8), a feature where the neighbor AS is replaced by the local AS in AS paths.
    • It is now possible to match multiple communities, ext-communities or large-communities per filter rule.
    • Added support for *, local-as and neighbor-as for ext-community matching and addition or removal.
    • Prevent bgpd(8) from being started more than once with the same config.
    • announce inet none no longer clears announce settings of other address families.
    • Removed potential for a spurious End-of-RIB marker being sent.
    • Fixed mrt table dumps and the route collector mode.
    • Improved throttling of initial routing table dump.
    • bgpd(8) terminates RIB table walks if bgpctl(8) terminates early.
    • Improved handling of communities, large-communities and ext-communities in bgpctl(8).
    • It is now possible to use neighbor group to run bgpctl(8) commands against the specified group of neighbors:
      bgpctl neighbor group [clear|destroy|down|refresh|up]
      bgpctl show neighbor group [messages|terse|timers]
      bgpctl show rib neighbor group ...
    • bgpctl(8) can now add networks into BGP VPN tables by specifying the route distinguisher rd on the network command.
    • bgplg(8) and bgplgsh(8) can now filter on Origin Validation State and Extended Communities.
    • bgplgsh(8) can now [clear|destroy|down|refresh|up] and show groups of neighbors.
  • Assorted improvements:
    • kcov(4) gained support for KCOV_MODE_TRACE_CMP.
    • A 'video' promise was added to pledge(2).
    • The kern.witnesswatch sysctl(8) has been renamed to kern.witness.watch.
    • New pthread rwlock implementation improving latency of threaded applications.
    • kubsan(4) capable of detecting undefined behavior in the kernel.
    • signify(1) gained a -n option to zero the date header in -z mode.
    • OXTABS has been removed from the default pty flags.
    • install(1) now always copies files safely (as with -S), avoiding race conditions.
    • syslog.conf(5) now supports program names containing dots and underscores.
    • tcpdump(8) already used privsep, pledge(2) and unveil(2) containment. It now also drops root privileges completely (switching to a reserved uid).
    • The multi-threaded performance of malloc(3) has been improved.
    • malloc(3) now uses sysctl(2) to get its settings, making it respect the system-wide settings in chroots as well.
    • Various improvements to join(1).
    • Work has started on an ISC-licensed rsync-compatible program called OpenRSYNC. In this release it has basic functionality such as -a and --delete, but lacks --exclude. Work will continue.
    • New Spleen font 8x16, 12x24, 16x32 and 32x64 variants added and enabled in wsfont, along with font selection logic to allow selecting larger fonts when available at runtime in rasops(9).
  • OpenSMTPD 6.5.0
    • New Features
      • Added the new matching criteria "from rdns" to smtpd.conf(5) to allow matching of sessions based on the reverse DNS of the client.
      • Added regex(3) support to table lookups in smtpd.conf(5).
  • LibreSSL 2.9.1
    • API and Documentation Enhancements
      • CRYPTO_LOCK is now automatically initialized, with the legacy callbacks stubbed for compatibility.
      • Added the SM3 hash function from the Chinese standard GB/T 32905-2016.
      • Added the SM4 block cipher from the Chinese standard GB/T 32907-2016.
      • Added more OPENSSL_NO_* macros for compatibility with OpenSSL.
      • Partial port of the OpenSSL EC_KEY_METHOD API for use by OpenSSH.
      • Implemented further missing OpenSSL 1.1 API.
      • Added support for XChaCha20 and XChaCha20-Poly1305.
      • Added support for AES key wrap constructions via the EVP interface.
    • Compatibility Changes
      • Added pbkdf2 key derivation support to openssl(1) enc.
      • Changed the default digest type of openssl(1) enc to sha256.
      • Changed the default digest type of openssl(1) dgst to sha256.
      • Changed the default digest type of openssl(1) x509 -fingerprint to sha256.
      • Changed the default digest type of openssl(1) crl -fingerprint to sha256.
    • Testing and Proactive Security
      • Added extensive interoperability tests between LibreSSL and OpenSSL 1.0 and 1.1.
      • Added additional Wycheproof tests and related bug fixes.
    • Internal Improvements
      • Simplified sigalgs option processing and handshake signing algorithm selection.
      • Added the ability to use the RSA PSS algorithm for handshake signatures.
      • Added bn_rand_interval() and use it in code needing ranges of random bn values.
      • Added functionality to derive early, handshake, and application secrets as per RFC8446.
      • Added handshake state machine from RFC8446.
      • Removed some ASN.1 related code from libcrypto that had not been used since around 2000.
      • Unexported internal symbols and internalized more record layer structs.
      • Removed SHA224 based handshake signatures from consideration for use in a TLS 1.2 handshake.
    • Portable Improvements
      • Added support for assembly optimizations on 32-bit ARM ELF targets.
      • Added support for assembly optimizations on Mingw-w64 targets.
      • Improved Android compatibility.
    • Bug Fixes
      • Improved protection against timing side channels in ECDSA signature generation.
      • Coordinate blinding was added to some elliptic curves. This is the last bit of the work by Brumley et al. to protect against the Portsmash vulnerability.
      • Ensure transcript handshake is always freed with TLS 1.2.
  • OpenSSH 8.0
    • New Features
      • ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in PKCS#11 tokens.
      • ssh(1), sshd(8): Add experimental quantum-computing resistant key exchange method, based on a combination of Streamlined NTRU Prime 4591^761 and X25519.
      • ssh-keygen(1): Increase the default RSA key size to 3072 bits, following NIST Special Publication 800-57's guidance for a 128-bit equivalent symmetric security level.
      • ssh(1): Allow "PKCS11Provider=none" to override later instances of the PKCS11Provider directive in ssh_config; bz#2974
      • sshd(8): Add a log message for situations where a connection is dropped for attempting to run a command but a sshd_config ForceCommand=internal-sftp restriction is in effect; bz#2960
      • ssh(1): When prompting whether to record a new host key, accept the key fingerprint as a synonym for "yes". This allows the user to paste a fingerprint obtained out of band at the prompt and have the client do the comparison for you.
      • ssh-keygen(1): When signing multiple certificates on a single command-line invocation, allow automatically incrementing the certificate serial number.
      • scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp and sftp command-lines.
      • ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v" command-line flags to increase the verbosity of output; pass verbose flags through to subprocesses, such as ssh-pkcs11-helper started from ssh-agent.
      • ssh-add(1): Add a "-T" option to allow testing whether keys in an agent are usable by performing a signature and a verification.
      • sftp-server(8): Add a "lsetstat@openssh.com" protocol extension that replicates the functionality of the existing SSH2_FXP_SETSTAT operation but does not follow symlinks. bz#2067
      • sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they do not follow symlinks.
      • sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741
      • ssh(1): Add an ssh_config "Match final" predicate. It matches in the same pass as "Match canonical" but does not require hostname canonicalisation to be enabled. bz#2906
      • sftp(1): Support a prefix of '@' to suppress echo of sftp batch commands; bz#2926
      • ssh-keygen(1): When printing certificate contents using "ssh-keygen -Lf /path/certificate", include the algorithm that the CA used to sign the cert.
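The unveil(2) changes listed under "Security improvements" (a covering unveil is now found for relative paths above the working directory, and stat(2)/access(2) no longer silently succeed on unveiled path components) are easiest to see in a small sandboxed program. The following is an added example written for this page, not code from OpenBSD or its release notes. The function names sandbox_readonly and try_open are invented for illustration; on non-OpenBSD hosts the shim at the top turns unveil() and pledge() into no-ops so the file still builds, and the sandbox only actually takes effect when built on OpenBSD.

```c
/* Added example for this page (not OpenBSD code): a read-only unveil(2)/pledge(2)
 * sandbox that relies on the 6.5 behaviour of matching a covering unveil above
 * the working directory for relative path accesses. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef __OpenBSD__
/* Shim so the file builds on other systems for reading along; here unveil()
 * and pledge() are no-ops and NO sandbox is applied. */
static int unveil(const char *path, const char *permissions)
{
    (void)path; (void)permissions;
    return 0;
}
static int pledge(const char *promises, const char *execpromises)
{
    (void)promises; (void)execpromises;
    return 0;
}
#endif

/* Expose only `root` read-only, lock the unveil list, then drop to a pledge
 * that allows read-only file access. Returns 0 on success, -1 (errno set) otherwise. */
int sandbox_readonly(const char *root)
{
    if (unveil(root, "r") == -1)
        return -1;
    if (unveil(NULL, NULL) == -1)       /* no further unveil() calls allowed */
        return -1;
    return pledge("stdio rpath", NULL); /* rpath covers open(2) and chdir(2) for reading */
}

/* Open `path` read-only and close it again. Returns 0 on success, else errno. */
int try_open(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    if (sandbox_readonly("/") == -1) {
        perror("sandbox_readonly");
        return 1;
    }
    /* Move below the unveiled root and access a file through a relative path
     * that walks back up. With 6.5 the covering unveil("/", "r") above the
     * working directory is found and the open succeeds; earlier releases did
     * not find it for relative accesses, which is the change the release note describes. */
    if (chdir("/etc") == -1) {
        perror("chdir");
        return 1;
    }
    int rc = try_open("../etc/hosts");
    printf("open(\"../etc/hosts\") from /etc: %s\n", rc ? strerror(rc) : "ok");
    return rc ? 1 : 0;
}
```

Note that any attempt to open a file for writing in this program would have to be covered by the "wpath" promise first; pledge(2) is checked before the path lookup, so without that promise the process is killed for the pledge violation rather than receiving the EACCES that unveil(2) would return for a path unveiled with "r" only.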

The post OpenBSD 6.5 Released appeared first on GAMING NEWS.