OpenBSD -current Changelog

This selection is intended to include all important and all user-visible changes. For a complete record of all changes, please see the "source-changes" mailing list, called "OpenBSD CVS" in the archives, or use CVS.

For changes in other releases, click below:
2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.6, 2.7, 2.8, 2.9, 3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 3.6,
3.7, 3.8, 3.9, 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 5.0, 5.1, 5.2, 5.3,
5.4, 5.5, 5.6, 5.7, 5.8, 5.9, 6.0, 6.1, 6.2, 6.3, 6.4, 6.5, 6.6, 6.7, 6.8, 6.9, 7.0,
7.1, 7.2, 7.3, 7.4, 7.5, 7.6. 7.7,

Changes made between OpenBSD 7.6 and -current

• Released OpenSSH 10.0.
• Fixed a RRDP repo stall because of bad internal state in rpki-client.8.
• Allowed 8 DMA segments per frame on ice(4), providing a good throughput increase.
• Disabled lazy cr3 switching on i386 as the implementation was incompatible with the locking to make the pmap mpsafe.
• Changed rc(8)to only run sysctl(8) -f if the sysctl.conf file exists and is non-zero length.
• Fixed cpu idle percentage in top(1) on macppc
• Fixed a (mostly) hypothetical race in pinsyscalls(2) by making it return an error if called in a multi-threaded process.
• Make IPv6 link-local scope identifiers in "HTTP Server?" answers work in the installer.
• Made installboot(8) only set BootOrder if our boot option isn't already part of it. This means sysupgrade (or reinstalls) will no longer set OpenBSD as the default OS if users change the boot order by some other means. Fresh installs will still make OpenBSD the default OS.
• Replaced the rc(8) shell parser with sysctl(8)'s new -f to apply /etc/sysctl.conf
• Added [-f file] to sysctl(8) to apply sysctl.conf in one go.
• Enabled MSI-X interrupts for ice(4) tx queues.
• Started clearing the OACTIVE flag on tx queues when ixl(4) is reset.
• Started clearing the OACTIVE flag on tx queues when ice(4) is reset.
• Added a counter for non-functional CAs to rpki-client(8).
• Fixed a potential buffer overflow from oversized USB chunks.
• Added minimal gbr validation and printing fixes to rpki-client(8).
• Made tmux(1) only align panes and windows, not sessions.
• Made bgpctl(8) properly escape ASCII control characters in JSON rather than erroring.
• Removed ssh(1)'s ability to enable DSA support.
• Started using acpipci(4) on hypervisors. If the hypervisor cpuid bit is set, use acpipci to attach PCI busses. As virtualization is not that old, we can assume that in VMs we don't need the quirk for old, broken ACPI. This solves problems with PCI BAR access and recent seabios versions on qemu.
• Restricted ice(4) firmware to features actually supported by the driver. Avoids traffic stalls due to firmware trying to use multiple queues, which the driver does not handle yet.
• Ported ice(4) code for loading DDP firmware packages from FreeBSD. Loading firmware is a prerequisite for performance features such as checksum offload and TSO. These features are not yet implemented by our version of this driver and will be added during the next release cycle.
• Added support setting the new variable PASSWDSKIP in /etc/daily.local to prevent security(8) from complaining about specific accounts that have no password. This is typically used for services like anoncvs and gotd.
• Updated libexpat to 2.7.1.
• Fixed scope of the sa_mpls sockaddr variable.
• Changed to only opening bulk usb(4) pipes once for the lifetime of the device.
• Allowed ice(4) to work when phy type does not map to a known media type.
• Add support for QCA2066 to qwx(4).
• Added ice(4) to the fw_update(8) driver list.
• Started passing "ControlMaster no" to ssh(1) when invoked by scp(1) and sftp(1). This explicitly disables persistent session *creation* by scp and sftp. It will not prevent them from using an existing session if one has already been created.
• Reset Tx/Rx ring software state when an ice(4) interface is put down.
• Fixed a crash with ifp->if_linkstatetask NULL pointer during ice(4) attachment.
• Updated tzinfo(5) to 2025bgtz from https://github.com/JodaOrg/global-tz.
• Enable mtxhci(4) on armv7 and arm64.
• Added mtxhci(4), a driver for the xHCI USB controller found on MediaTek SoCs.
• Made ksh(1) use timespeccmp() and st_mtim intead of comparing st_mtime to fix comparison of files with modification times that differ by less than a second.
• Added a digit to vsz and rss to accomodate larger procs with ps(1).
• Made tmux(1) correctly skip wide characters in hyperlinks.
• Made test(1) use timespeccmp() and st_mtim intead of comparing st_mtime to fix comparison of files with modification times that differ by less than a second.
• Started ignoring sub-nodes of non-functional nodes in the ACPI tree walk to fix doubel and triple attachments of the same PCIe root bridges.
• Made ifconfig(8) scan display wpa3.
• Allowed using a different dmesg for fw_update(8) driver detection.
• Fixed mouse_hyperlink format in tmux(1) copy mode.
• Added S-Up and S-Down to move windows in tmux(1) tree mode.
• Prevented a theoretical ssh(1) NULL deref in throughlocal_sftp.
• Fixed ssh(1) NULL dereference for Match conditions missing arguments, e.g. "Match user".
• Started using shared net lock when calling shutdown(2) on internet socket.
• Updated libXau to 1.0.12
• Updated libexpat to version 2.7.0.
• Implement busdma(9) bounce buffering for raw memory.
• Removed the sshd(8) assumption that the sshd_config(5) and any configs included from it can fit in a (possibly enlarged) socket buffer.
• Adjusted the alignment when df prints inode columns. This makes 'df -hi' on systems with large partitions easier on the eyes.
• Provided an accelerated SHA-512 assembly implementation for aarch64.
• Fixed the problem that skips the various checks for packets for broadcast mistakenly introduced by the revision 1.103 imported from NetBSD 24 years ago.
• Reworked how processes are stopped because of a signal. Now multithreaded processes can be reliably stopped and continued. This should fix problems seen in golang, mpv and in our regress tests.
• Updated to libfreetype 2.13.3.
• Made security(8) use GMT rather than the local timezone when checking for changes in device nodes and setuid files. Avoids false positives when changing timezones.
• Fixed a uvideo(4) crash on close of anisochronous endpoint's webcam.
• Provided an accelerated SHA-256 assembly implementation for aarch64 making use of the ARM CE found on many arm64 CPUs.
• Fixed incorrect ICMP error translation in af-to NAT.
• Prevented incorrect warnings indicating that a system won't boot after bootblocks have been installed but EFI variables haven't been set.
• Cache route per softnet thread with netstack.
• Updated to xserver 21.1.16.
• Fixed RunTimeToEmpty on some EATON models in upd(4).
• Add %-token and environment variable expansion to SetEnv in ssh_config(5).
• Fixed ssh(1) PerSourcePenalty incorrectly using "crash" penalty when LoginGraceTime was exceeded.
• Fixed TCP checksum for IPv6 packets with extension headers.
• Moved to 7.7-beta.
• Added USB 3.0 speed support to xhci(4) and uvideo(4).
• Allow ssh_config(5) %-token and environment variable expansion in User, with the exception of %r and %C which are self-referential.
• Forced update of backlight level on init following 6.12 drm update.
• Fixed moduser use-after-free when locking/unlocking an account.
• Support colorformat from uvideo(4) device.
• Added options to interactive sdiff(1) merge for choosing both sides of a diff.
• Fixed connector initialization in intel_dp_add_mst_connector(), avoiding NULL deref on certain docks.
• Introduced calendar(1) RECIPIENT_EMAIL.
• Prevented use of comma in hostnames in ssh(1).
• Updated unbound to 1.22.0.
• Abstracted bgpd(8) internal time into monotime and increased resolution to microseconds.
• Added installboot -c option that sets up the machine to boot from the specified disk.
• Added use of Toeplitz hash for UDP and IPv6 TCP output, giving an improvement in traffic distribution over the queues and 20% performance increase with UDP send on v4/v6 and TCP send on v6 without pf.
• Pushed KERNEL_LOCK() inside __realpath(2).
• Made wakeup of parent process in dowait6 reliable even without kernel lock.
• Used ps_mtx to lock the child process that is being checked by dowait6.
• Introduced ps_trapped, a pointer to the struct proc that is stopped in the debugger trap.
• Added support for reading eeprom pages for aq(4) cards with SFP slots.
• Fixed userland console output display on some Alder Lake machines after 6.12 drm update.
• On amd64, with ACPI >= 5, assume UEFI and default to GPT.
• Added tunneldf support to sec(4).
• Added kern.audio.kbdcontrol sysctl(2) variable, allowing the volume keys on multimedia keyboards to be handled as regular keys if set to 0.
• Added "Match version" support to ssh_config(5), allowing matching on the local version of OpenSSH.
• Added support for "Match sessiontype" to ssh_config(5), allowing matching on the type of session requested.
• Added mtrng(4), a driver supporting the 32-bit random number generator on MediaTek SoCs.
• Use socket lock for inpcb notify.
• Changes to the per-process unveil datastructures can be raced by either pledge() [removing all path promises] or unveil() [adding new paths], against namei() inspecting in other thread system calls, use SINGLE_UNWIND.
• Implemented support for SVE (Scalable Vector Extension) on arm64.
• Introduced a pckbc@acpi attachment for use instead of pckbc@isa when interruption configuration will not be handled correctly, unbreaking keyboards including some from various ChromeBooks.
• Cache CRLs in issuer cache (libcrypto).
• Reworked the "Default IPv6 router?" question in the installer to behave like the others.
• Respect checksum offloading in dhcrelay(8) and dhcrelay6(8).
• Respect checksum offloading for incoming UDP in dhcpd(8).
• Prevented installation of path MTU routes for IPsec transport mode SAs.
• Updated drm to linux 6.12.12.
• Limited net.bpf.maxbufsize sysctl(8) to a value that malloc(9) can handle.
• Fixed race in inpcb mutex to socket lock conversion.
• Restricted scanned channels appropriately when qwx(4) runs in a fixed phy mode.
• Updated awk(1) to the Jan 14, 2025 version.
• Enabled reception and redistribution of EVPN NLRI to allow bgpd(8) to act as an EVPN route-reflector.
• Limited RX queue of loopback interfaces with 8192 packets, preventing unlimited queues from reaching mbuf limits and making network unusable on some architectures.
• Added RSS/multiqueue support for AQC11x models ("aq2").
• Enabled PAC on hardware that uses the new QARMA3 cipher.
• Forced 32-bit accesses when reading 8-bit or 16-bit registers, allowing use of xhci(4) on a Cadence xHCI controller as seen on the Radxa Orion O6.
• Optimized pmap teardown by skipping TLB flushes, giving ~5% performance boost for kernel build on arm64.
• Improved bgpd(8) default multiproto capability announcement selection.
• Made wsmouse(4) and wstpad filterops mp-safe.
• Added missing pieces to run the lower fault handler in parallel (off by default).
• Made radiusd(8) reserve NAS-{Identifier,IP-Address,IPV6-Address} of Access-Request to delete the records before Accounting-Start with Acct-On or Acct-Off.
• Fall back to parsing the DBG2 table on arm64 if there's no SPCR table or usable serial console, allowing the user to use the port as serial console by entering "set tty com0" on the bootloader prompt.
• Made virtio(4) 1.x the default if the hypervisor offers both 0.9 and 1.x.
• Added mtintc(4) a driver supporting interrupt controllers found on MediaTek SoCs.
• Added L = Leaked to the flags list in the header of bgpctl(8) show rib.
• Unlocked open(2) and openat(2).
• Made iscsid send out all the values for session and connection params for each login stage, keeping control of what is selected, making it possible to connect to a lio target.
• Changed bgpd(8) reject as-set from default no to yes.
• Updated to perl-5.40.1.
• Added wg(4) logging of IP addresses of remote endpoints.
• Made process_continue take a process as argument and prevented a possible panic in setrunnable.
• Provided a readable assembly implementation for MD5 on amd64.
• When syslogd8 acting as logserver with TLS (-S) and client-certificates are used for authentication (-K), use the CN from the client's certificate as hostname.
• Fixed inpcb leak in divert attach.
• Made btrace(8) support additional interval/profile units (hz, us, ms, s).
• Fixed out-of-band data in socket splicing.
• Make single_thread_check() always return when deep is true and not suspend the curproc.
• Implemented iscsid(8) handling of HeaderDigest and DataDigest params.
• Completely removed SB_MTXLOCK.
• Fixed riscv64 sigcode copying.
• Used `ws_mtx' mutex(9) to make wsmux(4) filterops mp-safe.
• Unlocked wskbd(4) kqueue filterops.
• Pushed the KERNEL_LOCK() down to namei(9) in stat(2), lstat(2) & fstatat(2)
• Made mandoc "-T html" output translate ".%R RFC <number>" to a hyperlink to rfc-editor.org.
• Implemented a new pmap_populate() interface on arm64 and riscv64 to help pmap_enter(9) succeed when there's enough free physical memory but we can't allocate KVA to map that memory.
• Unveiled privileged child's write/create to mountdtab file, drop exec.
• Included ARIN's RPKI Trust Anchor Locator in rpki-client(8).
• Synced video(4) V4L2 with Linux-6.13-rc7.
• Added pkg-config(1) support for relocatable .pc files.
• Let pppoe(4) data packets go through if_vinput instead of the pppoeinq, improving throughput and possibly reducing packet loss.
• Unlocked sysctl_malloc().
• Enabled multiqueue for vio(4).
• Made uvideo(4) bypass unknown pixelformat to consumer rather than rejecting unknown driver formats.
• Extended bgpd(8) nexthop encoding support (RFC8950) for the RIB.
• Stopped zeroing free pages to reduce time needed to suspend when there are many.
• Made security(8) ignore quota(1) files and all subdirectories of /var/mail when checking the ownership and mode of mailboxes.
• Added 'socket' refcnt type to dt(4).
• Began adding bgpd(8) RFC 8950 support (IPv4 routes with IPv6 nexthop).
• Adjusted bgpd.conf(5) config of announce statement to allow for RFC 8654 extended message support.
• Increased the default count of /dev/videoX from 2 to 4.
• Added LED support for ikbd(4) keyboards.
• Added ifconfig(8) vxlan "[-]endpoint" command.
• Unlocked fstat(2).
• Unlocked accept(2) for tcp sockets.
• Updated to fontconfig 2.15.0.
• Fixed uaudio(4) devices that don't support sample rate changes.
• Streamlined the BIRD output in rpki-client(8) and removed the -T option, structuring BIRD outputs similar to bgpd(8) output.
• Released rpki-client 9.4.
• Reworked rwlocks to reduce pressure on the scheduler and SCHED_LOCK.
• Made nfsd(8) default to UDP when using only -n.
• Deprecated rpki-client(8) -T.
• Replaced BIRD v1 output with BIRD v3 output in rpki-client(8).
• Introduced reference counts on struct mount.
• Improved lldp output of tcpdump(8).
• Added a tmux(1) option allowing users to override the width of individual Unicode codepoints.
• Added uvideo(4) support for devices which report bulk and isochronous endpoints.
• Abandoned hibernate or resume when an i/o or memory allocation fails.
• Ensured uvideo(4) fills v4l2_capability correctly (allowing some V4L consumers to use bus_info to identify the desired webcam when attempting to switch devices).
• Adjusted rDNS lifetime to RFC 8106 default (minimum) value in rad(8).
• Implemented zoneversion edns option (RFC 9660) in dig(1).
• Run TCP output in parallel.
• Prevented a possible crash in qemu where the clang -fzero-call-used-regs feature is used with retguard.
• Set pltime to 0 in dhcp6leased when upstream interface goes down so clients form and prefer new addresses.
• Added preservation of fdisk info to libexec/security daily script.
• Limited hibernate writes to within the area of the swap partition allocated by uvm_hibswap() for hibernation.
• Added support for the 'AttribRawProcessBytes' attribute, which makes the HP Omnibook X 14 boot in ACPI mode.
• Made tcp_mss() MP safe so it can be called with socket lock.
• Updated to util-macros 1.20.2.
• Updated to xprop 1.2.8.
• Updated to xlogo 1.0.7.
• Updated to xkbevd 1.1.6.
• Updated to xcompmgr 1.1.10.
• Updated to oclock 1.0.6.
• Made uvideo forward error bits to the consumer, fixing the integrated cameras on ThinkPad T14 Gen 5, ThinkPad X1 nano 2 and Lenovo x13.
• Based offsets for ISOCHRONOUS IN frames on a fixed packet size, ensuring accuracy even with shorter frames.
• Updated to xserver 21.1.15.
• Used per-sockbuf mutex(9) to protect `'so_rcv' buffer of tcp(4) sockets.
• Implemented regulator-based signal voltage switch support in dwmmc(4), fixing bootup on the MNT Reform2 with the RK3588 module.
• Scheduled future rpki-client(8) rejection of ultra long-lived TA certificates (02-02-2026/03-03-2027).
• Let LLDP packets fall through to being handled on the port interfaces for aggr(4).
• Unlocked sysctl_video()
• Added an AF_FRAME socket domain and an IFT_ETHER protocol family under it, allowing userland to use sockets to send and receive Ethernet frames.
• Made `video_filtops' mp-safe.
• Unlocked KERN_GLOBAL_PTRACE.
• Unlocked KERN_WXABORT.
• Implemented Notification Message Support for BGP Graceful Restart (RFC 8538) in bgpd(8).
• Cached the Adj-RIB-Out for bgpd(8) sessions that have not been down for more than INTERVAL_SESSION_DOWN (3600) seconds.
• Corrected behavior of sed(1) c command to match POSIX.
• Added bgpd(8) support for extended messages (RFC 8654), extending the maximum message size of BGP from 4096 to 65535.
• Added ratelimits to logging of connections dropped by sshd(8) PerSourcePenalties.
• Allowed glob(3) patterns for sshd_config(5) AuthorizedKeysFile and AuthorizedPrincipalsFile directives.
• Provided a SHA-1 assembly implementation for amd64 using SHA-NI, providing a 2-2.5x performance gain on some Intel CPUs and many AMD CPUs.
• Made qcpon(4) query hardware for the button state to detect release even if the press event is missed, and to signal wakeup when the button is pressed.
• Fixed ssh-keygen(1) -l output when the file contains CR characters.
• Provided a replacement assembly implementation for SHA-1 on amd64.
• Prevent integer overflow in x11 port handling in ssh(1) in cases of admin or user misconfiguration.
• Unlocked gre_sysctl().
• Unlocked virtio.
• Added support for FIDO tokens that return no attestation data, e.g. recent WinHello.
• In rpki-client(8), when AS0 TALs are provided, by default omit VRPs derived from them.
• Prefer AES-GCM to AES-CTR.
• Made pkg_add run ldconfig(8) after each updateset if the list of shared libraries was changed.
• Added PercentLoad sensor to upd.4, reporting the % of the available UPS power drawn by output outlets.
• Added uvideo(4) support for Jabra PanaCast 20.
• Added support for read/write of xmm/ymm registers to lldb(1).
• Added a missed abort of transfer pipe in uvideo(4).
• Fixed argument of "Compression" directive in ssh(1) -G config dump.
• Fixed a powerpc64 bug where a pte could be put into an incorrect pteg, leading to a crash.
• Made lock changes to reduce lock contention in __thrsleep and __thrwakeup syscalls. go performance particularly benefits from this.
• Added copy-mode-position-style and copy-mode-selection-style options to tmux(1).
• Add ptrace(2) commands used to read/write the XSAVE area of a traced process.
• Enabled rx/tx checksum offloading on iavf(4).
• Fixed xbf(4) and xnf(4) not attaching on XCP-ng 8.3/Xen 4.17.
• Let bpf(4) pick the first attached dlt when attaching to an interface instead of the lowest numbered.
• Started accounting for in-flight pages being written to disk when the page daemon is computing page shortage.
• Added scmi(4) mailbox transport and perf protocol for cpu frequency management on Snapdragon X Elite.
• Added dwmmc(4) support for the "post-power-on-delay-ms" in the MMC power sequencing.
• Added RK3399 support to rkusbphy(4).
• Added unwind(8) block list wildcard support using domains starting with '.'.
• Disabled small builtin EC curves.
• Implemented rkpmic(4) power down if the PMIC is marked as the system power controller in the device tree.
• Started flushing the interrupt status register in ahci(4) attach.
• Ensured the correct address family propagates during IP deliver.
• Allowed the user to provide an alternative perfpolicy when on battery, extending the semantics of hw.perfpolicy to provide two buttons to specify desired behavior.
• Developed a new imsg API and applied it across the tree.
• Taught ddb(4) how to disassemble endbr64.
• Provided tun(4) network offloads between the kernel and userland and introduced a new TUNSCAP ioctl .
• Added qccpucp(4), a driver for the CPUSS Control Processor (CPUCP) mailbox controller.
• Provided a SHA-256 assembly implementation for amd64 using SHA-NI, providing a 3-5x performance gain on some Intel CPUs and many AMD CPUs.
• Removed sha512-x86_64.pl.
• Provided a replacement assembly implementation for SHA-512 on amd64.
• Added a tmux(1) no-detach-on-destroy client option, useful for control mode clients.
• Added tmux(1) scrollbar style parameters width and pad.
• Updated to xterm 395.
• Moved the hppa stack 1GB higher.
• Enabled ixv(4) on RAMDISK_CD.
• Started taking into account how long the ntpd(8) DNS probe takes before deciding to punt.
• Fixed simplefb(4) colours for BPP16 and BPP24.
• Added support for BPP16 16-bit color EFI framebuffer format as offered by u-boot.
• Updated libexpat to 2.6.4.
• Added tmux(1) scrollbar mouse support.
• Allowed pfctl(8) specification of interface and queue bandwidths greater than ~4Gbit.
• Updated to libXcursor 1.2.3.
• Updated to xwud 1.0.7.
• Updated to xrandr 1.5.3.
• Updated to xmag 1.0.8.
• Updated to xkbprint 1.0.7.
• Updated to xcmsdb 1.0.7.
• Updated to xclipboard 1.1.5.
• Updated to xbacklight 1.2.4.
• Updated to fonttosnft 1.2.4.
• Updated to bdftopcf 1.1.2.
• Added tmux(1) option to control the input buffer size.
• Locked send socket buffer for fstat syscall.
• Fixed a bug where getty(8) dx flag was supposed to set decctlq, but was setting ixany instead.
• Added fw_update(8) -l flag to list drivers or files.
• Made qcpas send APM_POWER_CHANGE events on AC/battery life changes, allowing upowerd to react.
• Used a mutex to make psp(4) MP safe.
• Provided a replacement assembly implementation for SHA-256 on amd64.
• Changed luna88k disklabel labeloffset to 0.
• Made CPU frequencies human-readable with systat(1) sensors -h.
• Implemented an interrupt depth counter for sparc64.
• Added support for MA devices to iwx(4).
• Changed to only install a second copy of the bootloader if the EFI System Partition is at least 1MB to avoid filling up the tiny ESPs we used to create a few releases ago.
• Added ice(4), a driver for Intel E810 devices.
• Added a helper to check if memory has been freed for a given request to improve speed of the page daemon loop.
• Optimized page daemon active and inactive list traversals when looking only for low pages.
• Added multi-line strings support to the bt(5) script parser.
• Made radiusd(8) log the username when rejecting by ipcp.
• Added an ssh-agent(1) "websafe-allow" option to override the default allow-list of FIDO application IDs.
• Added wsconscfg(8) -g option to get the index of the current virtual terminal.
• Added TLS support to tcpbench(1).
• Implemented CSI s and CSI u to save and restore cursor position in wscons(4).
• Prevented a race where a mapped object is being truncated while we are spinning to unwire it.
• Implemented psp(4) shutdown command and ioctl(2) PSP_IOC_SHUTDOWN, which will be used by vmd(8) to reset psp(4) on startup.
• Replaced rwlock with iterator in UDP input multicast loop, preventing a potential kernel crash.
• Correctly honored the count optional argument of the ddb(4) break command, ensuring execution does not stop until the breakpoint is hit at least that many times.
• Added tmux(1) support for a scrollbar at the side of each pane using new options pane-scrollbars, pane-scrollbars-positions and pane-scrollbars-styles.
• Unlocked ptsignal, psignal and prsignal.
• Updated to libXi 1.8.2.
• Updated to libXfont2 2.0.7.
• Updated to xserver 21.1.14.
• Added support for CSI b control sequence (repeat last printed character) to the wscons(4) vt100 emulation.
• Removed the ability to specify root/dump/swap on st(4).
• Ignored extra groups that don't fit in the buffer passed to getgrouplist(3), reading only the maximum of sixteen.
• Made getgrouplist(3) always return the total number of groups found.
• Implemented aplsmc(4) support for the new CHLS key used to control the battery charge level in newer SMC firmware.
• Added iked "natt" option that forces negotiation of nat-t (and udpencap).
• Allowed fw_update(8) to download firmware without root.
• Moved dt(4) to using a ringbuffer per CPU.
• Improved rpki-client(8) detection of gaps in ManifestIssuance.
• Updated APNIC trust anchor constraints for rpki.
• Added ixv(4), a driver for virtual functions of Intel 82598EB, 82559 and X540.
• Made macppc ofwboot sync instruction cache before entering kernel, preventing a potential boot failure.
• Implemented the AMD SEV psp(4) download firmware command to load new firmware onto the chip and made the AMD SEV automatically load psp(4) firmware during vmd(8) startup.
• Made installboot(8) install a copy of the UEFI bootloader in /efi/openbsd on the EFI system partition, allowing creation of boot options for the firmware boot manager other OSes will leave alone.
• Made tcpdump(8) print pppoe tags as hex dumps.
• Prevented newsyslog(8) running through time checks when an entry is definitely oversized.
• Moved hfsc to keep time using nanoseconds.
• Included cdXX.iso in MDEXT on arm64.
• Fixed xkb buffer overflow.
• Added support for client certificates to relayd(8).
• Set AP power state, fixing the SMC initialization on the M1 MacBook with the latest system firmware.
• Unlocked KERN_ALLOWKMEM.
• Unlocked timeout_sysctl().
• Allowed control characters prefixed with C-v to be entered at the tmux.1 command prompt.
• Added support for performing a sysupgrade.8 from a path.
• Promoted mlkem768x25519-sha256 to be the default key exchange.
• Mapped ucom unit number to cuaU number using the same scheme MAKEDEV uses, fixing problems with ucom units > 10.
• Stopped amd64 leak of kernel stack guard pages.
• Made ssh-agent(1) drop all keys when it receives SIGUSR1.
• Reduced kernel lock contention when tearing down file-backed regions.
• Corrected reporting of print screen key in raw mode.
• Changed sdhc bus power behavior to no longer perform a power-off voltage switch request when the card is already operating at the requested voltage.
• Started enforcing that elliptic curve parameters correspond to a built-in curve.
• Moved to send only a single reset during attach for ihidev(4) devices, preventing issues with some devices like the built-in keyboard on the Thinkpad T14s Gen 6.
• Reworked cert signature security level so it handles RSA-PSS and EdDSA certificates correctly and the handshake with such can progress a bit further. Of note, we check that the certs are actually suitable for use in TLS per RFC 8446 contrary to what OpenSSL does.
• Added pinctrl(4) support.
• Required control-escape character sequences passed to ssh(1) via the '-e ^x' commandline to be exactly two characters long to avoid a possible OOB read.
• Altered ssh(1) _ssh_order_hostkeyalgs() to consider ECDSA curve type when arranging the hostkey algorithms. Code is unused in OpenSSH but others are using it.
• Allowed "-" as output file for ssh-keygen(1) module screening.
• Updated libdrm to 2.4.123
• Moved the a.out specific defines and macros, but the MID_xxx values, from <sys/exec.h> to <a.out.h>.
• Moved to indicating that a process has stopped by setting PS_STOPPED flag.
• Stopped using the ssh(1) ObscureKeystrokeTiming mitigations if there has been traffic on a X11 forwarding channel recently. Should fix performance regressions with X11 Forwarding.
• Split the user authentication code from the sshd-session binary into a separate sshd-auth binary. This will be executed by sshd-session to complete the user authentication phase of the protocol only. Splitting this code into a separate binary ensures that the crucial pre-authentication attack surface has an entirely disjoint address space from the code used for the rest of the connection.
• Added sshd-auth to the binaries that relink at boot.
• Made fw_update(8) -a mean all when downloading or installing, not just deleting.
• Introduced a new build class to be used by the build user in login.conf(5).
• Added firmware keys to the signify key bundles. sysupgrade(8) will now extract the firmware key also, allowing fw_update fetch the most up-to-date firmware before upgrading.
• Allowed use of MSI with the QEMU default pc-i440fx machine.
• Neutered the tun/tap ioctls that try and modify interface flags.
• Made acme-client(1) always print account URI on first creation of an account key.
• Changed ps(1) print the session id (PID of the session leader) instead of a pointer.
• Added a tmux(1) sixel_support format variable which is 1 if SIXEL is supported (always 0 on OpenBSD).
• Made it possible to configure tcp md5 and ipsec on rtr in bgpd(8).
• Added the ablity for bus_dmamem_alloc(9) to recognize the BUS_DMA_64BIT flag and allocate memory for DMA without any 4GB restrictions on amd64.
• Made acme-client(1) -v show the account URI from the Location header sent by the server in response to the newAccount API call.
• Updated unbound to 1.21.1.
• Provided a mechanism for getting required keys to sysupgrade(8) older machines, providing a new set of keybundles signed by older keys to allow sysupgrade to securely and automatically download the required key.
• Added tmux(1) prompt-cursor-colour and prompt-cursor-style to set the style of the cursor in the command prompt and remove the emulated cursor.
• Added tmux(1) initial-repeat-time option to allow the first repeat time to be increased and later reduced.
• Added support for AX88772D to axen(4).
• Fixed the bnxt(4) rx refill timeout to only refill rings that are currently empty, preventing possible corruption and crashes.
• Turned off finite field (a.k.a modp) Diffie-Hellman key exchange in sshd(8) by default.
• Made scaling available for normal wsmouse.4 mice, not just touchpads.
• Allowed boot loader to run as AMD SEV guest on QEMU with EFI.
• Allowed kernel boot on QEMU with AMD SEV.
• Added copy-mode-position-format to configure the tmux(1) position indicator.
• Added -y flag to disable tmux(1) confirmation prompts in modes.
• Reworked tmux(1) copy mode commands ("send-keys -X") to parse the arguments so that flags may be detected propertly rather than just looking for strings ("-O" and so on). Also added -C and -P flags to the copy commands. -C prevents the commands from sending the text to the clipboard and -P prevents them from adding the text as a paste buffer.
• Increased psp(4) timeouts, allowing the EPYC 9124 time to attach.
• Added printing of number of queues and interrupt and ethernet address details to mcx(4).
• Increased rx mbuf size with lro in vio(4), helping tcp splice performance.
• Improved the heuristic for detecting i2c devices (making type-A ports on the vivobook work in acpi mode).
• Added MSYSTEM to tmux(1) default update-environment.
• Improved responsiveness in OOM situations and made free target checks coherent.
• Adjusted the ptrace interface to properly support single-threaded continue.
• Added a way to make the preview larger in tmux(1) tree mode.
• Fixed tmux(1) problems with pasted text being interpreted as extended keys.
• Made tmux(1) only use default-shell for popups, returning to /bin/sh for run-shell, if-shell and #().
• Fixed grey color in tmux(1).
• Added an ipi for executing INVEPT to flush EPT on remote cpus, a first step toward allowing guest memory not to be wired by UVM.
• Corrected an indexing error that could leave stale data in the wsconsctl(8).
• Added sysupgrade(8) -R #.# to try to use a specific release version rather than the immediate +0.1.
• Reintroduced support for "Match criteria=argument" to ssh(1) for those using the unintentional syntax.