Movatterモバイル変換

177 captures

01 Oct 2017 - 30 Jun 2025

Sep	OCT	Nov
	12
2016	2017	2018

success

fail

About this capture

COLLECTED BY

Organization:Alexa Crawls

Starting in 1996,Alexa Internet has been donating their crawl data to the Internet Archive. Flowing in every day, these data are added to theWayback Machine after an embargo period.

Collection:Alexa Crawls

Starting in 1996,Alexa Internet has been donating their crawl data to the Internet Archive. Flowing in every day, these data are added to theWayback Machine after an embargo period.

TIMESTAMPS

• See the information onthe FTP page for a list of mirror machines.
• Go to the directory on one of the mirror sites.
• Have a look atthe 6.2 errata page for a list of bugs and workarounds.
• See adetailed log of changes between the 6.1 and 6.2 releases.

• signify(1) pubkeys for this release:
  

  base: RWRVWzAMgtyg7g27STK1h1xA6RIwtjex6Vr5Y9q5SC5q5+b0GN4lLhfufw:   RWSbA8C2TPUQLi48EqHtg7Rx7KGDt6E/2d8OeJinGZPbpoqGRxA0N2oWpkg:  RWRvEq+UPCq0VGI9ar7VMy+HYKDrOb4WS5JLhdUBiX3qvJgPQjyZSTxI

  All applicable copyrights and credits are in the src.tar.gz,sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in thefiles fetched via ports.tar.gz.

• Improved hardware support, including:
  • arm: Newrkgrf(4) driver for the Rockchip RK3399/RK3288 register file.
  • arm: Newrkclock(4) driver for Rockchip RK3399/RK3288 clocks.
  • arm: Newrkpinctrl(4) driver for controlling Rockchip RK3399/RK3288 pins.
  • arm: Newrkgpio(4) driver for GPIO on Rockchip SoCs.
  • arm: Newrktemp(4) driver for Rockchip RK3399 temperature sensors.
  • arm: Newrkiic(4) driver for Rockchip RK3399 I2C controllers.
  • arm: Newrkpmic(4) driver for the RK808 Power Management IC.
  • arm: Newdwmmc(4) driver for Synopsis DesignWare SD/MMC controllers.
  • arm: Newdwdog(4) driver for the Synopsys DesignWare watchdog timer.
  • arm: Newdwxe(4) driver for the Synopsys DesignWare Ethernet controller.
  • arm: Newsxitwi(4) driver for the two-wire bus on Allwinner SoCs.
  • arm: Newaxppmic(4) driver for the AXP209 I2C PMIC.
  • arm: Newbcmaux(4) driver for clocks and interrupts on the auxilliary UART on BCM2835 devices.
  • arm: Newmvmpic(4) driver for an interrupt controller on Marvell ARMADA 38x.
  • arm: Newmvpxa(4) driver for the SD Host Controller on Marvell ARMADA 38x.
  • arm: Newmvpinctrl(4) driver to configure pins on Marvell ARMADA 38x.
  • arm: Newmvneta(4) driver the Ethernet controller on Marvell ARMADA 38x.
  • arm: Newamdisplay(4) &nxphdmi(4) drivers for the Texas Instruments AM335x LCD controller.
  • octeon: Newoctcib(4) driver for the interrupt bus widget on CN70xx/CN71xx.
  • octeon: Newoctcit(4) driver for the central interrupt unit version 3 on CN72xx/CN73xx/CN77xx/CN78xx.
  • octeon: Newoctsctl(4) driver for the OCTEON SATA controller bridge.
  • octeon: Newoctxctl(4) driver for the OCTEON USB3 controller bridge.
  • octeon: Rhino Labs Inc. SDNA Shasta, and Ubiquiti Networks EdgeRouter 4 and 6 are now supported.
  • Newhvs(4) driver for Hyper-V storage.
  • Newpcxrtc(4) driver for the NXP PCF8563 Real Time Clock.
  • Newurng(4) driver for USB random number generator devices.
  • Intel 8265 and 3168 support was added to theiwm(4) driver.
  • RTL8192CE support was added to thertwn(4) driver.
  • RT5360 support was added to theral(4) driver.
  • RTS525A support was added to thertsx(4) driver.
  • Theacpibat(4) driver now supports _BIX entries from ACPI 4.0.
  • ACPI hibernate support was added to thenvme(4) driver.
  • Substantially improved ACPI hibernate performance in theahci(4) driver.
  • Theinteldrm(4) driver was updated to code based on Linux 4.4.70 - it now supports Skylake, Kaby Lake, and Cherryview devices and has better support for Broadwell and Valleyview devices.
  • Thepuc(4) driver now supports ASIX AX99100 devices.
  • Xen platform support and thexbf(4) driver in particular have been substantially improved.
  • Thenvme(4) driver now reports correct last sector address to SCSI, allowing a valid GPT to be created.
  • Repairioapic(4) misconfigurations.

• vmm(4)/vmd(8) improvements:
  • vmctl(8) supports paused VM migration and memory snapshotting using send and receive commands.
  • VPID/ASID reuse/rollover invmm(4).
  • SGABIOS imported as an option ROM payload in SeaBIOS (for VGA to serial console redirection).
  • vmd(8) resets the guest VM RTC (real time clock) on host resume from suspend/hibernate (OpenBSD guests only).
  • Allow guest VMs access to AVX/AVX2 host CPU features.
  • Support for AMD SVM/RVI hosts.
  • Allow larger guest VM memory sizes (up to MAXDSIZ sized guests - e.g. 32GB on amd64 hosts).
  • Better handling of guest VM MONITOR/MWAIT and HLT instructions.
  • Various device emulation improvements invmd(8).
  • Increase thevirtio(4) queue size provided byvmd(8) from 64 to 128 entries, to increase performance.
  • Many fixes tovmctl(8) andvmd(8) error handling.

• IEEE 802.11 wireless stack improvements:
  • MiRA 802.11n TX rate scaling now supports devices with unequal numbers of Tx and Rx streams. Fixes 11n mode for someathn(8) devices.
  • Theiwn(8) andiwm(8) drivers will now start scanning for a new access point if they no longer receive beacons from the current AP.
  • Prefer the 5GHz band over the 2GHz band during access point selection.
  • Improved debug output indmesg(8) when a wireless interface is put into debug mode withifconfig(8).

• Generic network stack improvements:
  • Incoming and forwarded IP packets are now processed without KERNEL_LOCK, resulting in better performances and reduced latency.
  • The kernel no longer handles IPv6 Stateless Address Autoconfiguration (RFC 4862), allowing cleanup and simplification of the IPv6 network stack.
  • The kernel sends IPv6 router solicitations for link local addresses with a link local source address.
  • FQ-CoDel algorithm has been implemented for use withpf(4) queueing.
  • Improved IPv6 checks for IPsec policies and made them consistentwith IPv4.
  • Refactored local IP delivery to process IPsec packets in a flow and avoid enqueueing a second time.
  • pf(4)now inspects AH packets and matches on the inner protocol.This makes IPv4 authentication headers work like IPv6.
  • The length of extension header chains in pf(4) is limited.This prevents spending excessive CPU time on crafted packets.
  • Block IPv6 packets inpf(4) that have a hop-by-hop options header or a destination options header.Such packets can be passed by adding "allow-opts" to the rule. This makes IPv6 option handling consistent with IPv4.
  • If the IPv4 ID gets reused too fast, pf(4) fragment reassemblyuses a smarter strategy to drop packets.
  • Enabled the use of per-CPU caches in the network packet allocators.

• Installer improvements:
  • The installer now uses the Allotment Routing Table (ART).
  • A unique kernel is now created by the installer to boot from after install/upgrade.
  • On release installs of architectures supported by syspatch, "syspatch -c" is now added to rc.firsttime.
  • Backwards compatibility code to support the 'rtsol' keyword inhostname.if(5) has been removed.
  • Theinstall.site andupgrade.site scripts are now executed at the end of the install/upgrade process.
  • More detailed information is shown to identify disks.
  • The IPv6 default router selection has been fixed.
  • On the amd64 platform, AES-NI is used if present.

• Routing daemons and other userland network improvements:
  • A new daemon,slaacd(8) handles IPv6 Stateless Address Autoconfiguration (RFC 4862).
  • rtadvd(8) now supports "Reducing Energy Consumption of Router Advertisements" (RFC 7772).
  • rtadvd(8) has been fixed to quickly handle IPv6 prefix changes on the system.
  • ipsecctl(8)can now show SA bundles and the "bundle" keyword allows them to be explicitly created. This avoids confusion as they were previously used implicitly.
  • nc(1) now has a-W recvlimit option to terminate netcat after receiving the specified number of packets. This allows for a UDP request to be sent, a reply to be received and the result checked on the command line.
  • nc(1) now has a-Z option, allowing the peer certificate and chain to be saved to a file in PEM format.
  • A new-T tlscompat option was added tonc(1), which enables the use of all TLS protocols and libtls "compat" ciphers.
  • Various races have been fixed inrelayd(8),expecially in HTTP chunked mode.
  • ndp(8) now shows the relevant NDP information when run in a non-default routing domain.
  • ifstated(8) now copes with interface departures/arrivals.
  • bgpd(8) can now be started multiple times in differentrouting domains, this provides virtual router functionality.

• Security improvements:
  • A new functionfreezero(3)to easily clear and free memory holding sensitive data has been added.
  • Double free detection has been improved when the Fmalloc(3) option is used. The existing S option now includes F.
  • TheTIOCSTItty ioctl has been removed. The I/O-loops in the last two consumerscsh(1) andmail(1)were rewritten to cope with the removal.
  • Trapsleds, a new mitigation that significantly reduces the amount of nops in the instruction stream, replacing them with trap instructions or jump-over-trap sequences, thereby requiring greater accuracy for targetting potential gadgets.
  • Kernel Address Randomized Link (KARL), a new "link-kit" allows the .o files of the kernel to be relinked in a random order, creating a unique kernel for each boot. /bsd is now non-readable to users, to try to keep the secret.
  • Like with libc previously,rc(8) re-links libcrypto on startup, placing the objects in a random order.
  • In addition to libcrypto, to deter code reuse exploits,rc(8) re-linksld.so on startup, placing the objects in a random order.
  • If process accounting is activated withaccton(8),the daily mail shows pledge violations and program crashes.lastcomm(1)uses the flags P and T for such processes.
  • pflogd(8) uses thefork+exec model.
  • tcpdump(8) uses thefork+exec model.
  • ifstated(8) usespledge(2).
  • snmpd(8) andsnmpctl(8) now usepledge(2).
  • Tighter pledge forat(1).
  • Fixed and simplified pledge logic fornc(1).
  • More application ofrecallocarray(3) in userland, and tracked sizes tofree(9) in the kernel.
  • Achieve higher levels of paranoia regarding structure packing, and clear many kernel objects before passing to userland.
  • Disable some optimizations inclang(1)due to incompatibility with security.
  • For instance, cope withclang(1)'s assumption that static or const objects placed in unknown sections (such as .openbsd.randomdata) are surely always 0, and therefore such memory accesses can be optimized away.
  • In kernel, randomly bias down the top-of-stack per kthread.

• dhcpd(8)/dhcrelay(8) improvements:
  • Add support for echo-client-id statement todhcpd.conf(5).
  • Take greater care to process all data read, and only data read, from thebpf(4) socket.
  • Use /dev/bpf instead of /dev/bpf0.
  • Handle DHCPINFORM messages from clients behind a DHCP relay.
  • Fix handling ofcarp(4) interfaces indhcrelay(8).
  • Don't stopdhcrelay(8) logging to stderr when it is started with the -d option.

• dhclient(8) improvements:
  • Log messages reworked and clarified, in particular by prefixingthe name of the relevant network interface.
  • Treat SSID as 0 to 32 bytes of binary data, not a string.
  • Use RTM_PROPOSAL to take control of an interface rather than flipping interface down and up in the hope that otherdhclient(8) instances notice.
  • Reduce file operations needed by -L option by opening file at startup and using it throughout process lifetime.
  • Improveresolv.conf(5) handling by reducing writes and more reliably determining which interface has the current default route.
  • Take greater care to process all data read, and only data read, from thebpf(4) socket.
  • Improve the determination of the link state of an interface.
  • Decline inappropriate lease offers as soon as they are deemed inappropriate.
  • Drop support for the timestamp formats used in lease files created more than four years ago.
  • Accept an offer from the server that sent the first copy of the offer, not the server that sent the last copy.
  • Don't delete addresses and routes when exiting.
  • Ensure IPv6 packets are not read from sockets.
  • Don't silently ignore obsolete keywords indhclient.conf(5).
  • Reduce memory footprint by shrinking oversized static buffers.
  • Eliminate repeated socket opens by opening the required sockets during startup.
  • Fix construction of unicast UDP packets, broken in 5.6.
  • Improve determination of when a renewed lease requires interface configuration changes.
  • Don't exit when addresses are manually added or deleted from an interface.
  • Don't support option 33, classfull IP addresses.
  • Fix configuration of default routes supplied by classless route options.
  • Considerdhclient.conf(5) contents when determining what MTU value to configure.
  • Considerdhclient.conf(5) contents when creating the content ofresolv.conf(5).
  • Delete direct routes when routes are flushed.
  • Don't label routes with "DHCLIENT nnnn".
  • Don't delete addresses or routes that will be immediately added back.
  • Delete addresses and routes only when a renewal request is NAK'ed.
  • Don't wait forever for requested information on the default route.
  • Don't exit when an attempt to send a packet fails.
  • Don't log a packet send when the send fails.
  • Remove the -u option, broken since 2013 without complaints.
  • Use /dev/bpf instead of /dev/bpf0.

• Assorted improvements:
  • Thei386 andamd64 platforms have switched to usingclang(1) as the base system compiler.
  • Improved UTF-8 line editing support forksh(1)Emacs and Vi input mode.
  • The HISTFILE ofksh(1) now uses a plain text format. Support for theHISTCONTROL environment variable was added.
  • The performance of the memory deallocator used byksh(1) has been fixed.
  • Theemacs-usemetaksh(1) flag is no longer needed and is now deprecated.
  • Newfutex(2) syscall.
  • New pthreadmutex andcondition variable implementations improving latency of threaded applications.
  • New POSIXxlocale implementation written from scratch, complete in the sense that all POSIX *locale(3) and *_l(3) functions are included, but in OpenBSD, we of course only really care aboutLC_CTYPE and we only support ASCII and UTF-8.
  • Automatic hibernation and suspend byapmd when battery is low.
  • Newctfdump(1) andctfconv(1) tools to manipulate CTF (Compact C Type Format).
  • The error handling insyslogd(8)has been improved.Even if internal errors occur, the daemon tries to keepunaffected subsystems active.So as many messages as possible are logged.They can be filtered by severity and facility "syslog".
  • syslogd(8) can now suppress "last message repeated" which isuseful for remote logging.
  • syslogd(8) can listen on multiple TLS sockets.
  • syslogd(8) closes the *.514 UDP sockets when they are notneeded.
  • Truncate log messages at 8192 bytes everywhere.
  • newsyslog(8) now skips and logs invalid config lines.
  • Nested mount points are umounted in correct order.
  • Fix creation ofsoftraid(4) CONCAT volumes.
  • Includesoftraid(4) volume and backing disk information in i/o error messages.
  • Makevioscsi(4) a normalscsi(4) device by eliminating its use of the obsolete XS_NO_CCB mechanism.
  • Remove last vestiges of now unused XS_NO_CCB mechanism.
  • Userspace can now get the address of the thread control block without a system call on OCTEON II and later.
  • FPU is enabled on OCTEON III.
  • GENERIC kernels now include a .SUNW_ctf section containing CTF data.
  • Newddb(4)kill command, send an uncatchable SIGABRT to a process.
  • Newddb(4)pprint command, using CTF information to "pretty print" global symbols.
  • Newddb(4)show struct command, using CTF information to display the content of in memory C structures.
  • x86:ddb(4) uses CTF data to display the correct number of function arguments in backtraces.
  • Power off all codecs inazalia(4) to avoid static noise in speakers and headphones on reboot.
  • Fix i386 boot regression seen on very old 486DX CPUs.
  • Newwitness(4) tool for debugging lock order issues in the kernel. The tool is not built in by default, and only amd64, hppa and i386 are supported.
  • Modernize some bizzare tty behaviours of getty(8).
  • Some subtle changes to pledge(2) to satisfy requirements observed in real life.
  • Prefer use of waitpid(2) rather than wait(3) where possible, to avoid problems with pre-existing children.
  • Rewrite swaths of machine-dependent system call stub code in ld.so(1) in a more portable fashion.
  • Per-CPU caches implemented in pools.
  • Mutex,condition-variable,thread-specific data,pthread_once(3),andpthread_exit(3)routines moved to libc from libpthread for ease of libraryuse and compatibility with other OSes.
  • Addedgetptmfd(3),fdopenpty(3), andfdforkpty(3)to simplify privilege separation and use of pledge(2).
  • Improved computational complexity in various cases ofstrstr(3),qsort(3),andglob(3).
  • Added support forEV_RECEIPT andEV_DISPATCH tokqueue(2).
  • Addedfktrace(2).

• OpenSMTPD 6.0.0
  • Fix an off-by-one in the config parser that made 65535 an invalid port.
  • Fix a fd leak in the session congestion mechanism.
  • Fix a possible crash when relaying with smtps.
  • Remove support for the "listen secure" syntax (expicitely define two listeners for tls and smtps instead).
  • Remove experimental support for filters.
  • Assorted code and documentation cleanups and improvements.

• OpenSSH 7.6
  • Security:
    • sftp-server(8): in read-only mode, sftp-server was incorrectly permitting creation of zero-length files.
  • New/changed features:
    • Add RemoteCommand option to specify a command in thessh(1)config file instead of giving it on the client's commandline.The feature allows to automate tasks using ssh config.
    • sshd(8): add ExposeAuthInfo option that enables writing details of the authentication methods used (including public keys where applicable) to a file that is exposed via a $SSH_USER_AUTH environment variable in the subsequent session.
    • ssh(1): add support for reverse dynamic forwarding. In this mode, ssh will act as a SOCKS4/5 proxy and forward connections to destinations requested by the remote SOCKS client. This mode is requested using extended syntax for the -R and RemoteForward options and, because it is implemented solely at the client, does not require the server be updated to be supported.
    • sshd(8): allow LogLevel directive in sshd_config Match blocks.
    • ssh-keygen(1): allow inclusion of arbitrary string or flag certificate extensions and critical options.
    • ssh-keygen(1): allow ssh-keygen to use a key held in ssh-agent as a CA when signing certificates.
    • ssh(1)/sshd(8): allow IPQoS=none in ssh/sshd to not set an explicit ToS/DSCP value and just use the operating system default.
    • ssh-add(1): added -q option to make ssh-add quiet on success.
    • ssh(1): expand the StrictHostKeyChecking option with two new settings. The first "accept-new" will automatically accept hitherto-unseen keys but will refuse connections for changed or invalid hostkeys. This is a safer subset of the current behaviour of StrictHostKeyChecking=no. The second setting "off", is a synonym for the current behaviour of StrictHostKeyChecking=no: accept new host keys, and continue connection for hosts with incorrect hostkeys. A future release will change the meaning of StrictHostKeyChecking=no to the behaviour of "accept-new".
    • ssh(1): add SyslogFacility option to ssh(1) matching the equivalent option in sshd(8).
  • The following significant bugs have been fixed in this release:
    • ssh(1): use HostKeyAlias if specified instead of hostname for matching host certificate principal names.
    • sftp(1): implement sorting for globbed ls.
    • ssh(1): add a user@host prefix to client's "Permission denied" messages, useful in particular when using "stacked" connections (e.g. ssh -J) where it's not clear which host is denying.
    • ssh(1): accept unknown EXT_INFO extension values that contain \0 characters. These are legal, but would previously cause fatal connection errors if received.
    • ssh(1)/sshd(8): repair compression statistics printed at connection exit.
    • sftp(1): print '?' instead of incorrect link count (that the protocol doesn't provide) for remote listings.
    • ssh(1): return failure rather than fatal() for more cases during session multiplexing negotiations. Causes the session to fall back to a non-mux connection if they occur.
    • ssh(1): mention that the server may send debug messages to explain public key authentication problems under some circumstances.
    • Translate OpenSSL error codes to better report incorrect passphrase errors when loading private keys.
    • sshd(8): adjust compatibility patterns for WinSCP to correctly identify versions that implement only the legacy DH group exchange scheme.
    • ssh(1): print the "Killed by signal 1" message only at LogLevel verbose so that it is not shown at the default level; prevents it from appearing during ssh -J and equivalent ProxyCommand configs.
    • ssh-keygen(1): when generating all hostkeys (ssh-keygen -A), clobber existing keys if they exist but are zero length. zero-length keys could previously be made if ssh-keygen failed or was interrupted part way through generating them.
    • ssh(1): fix pledge(2) violation in the escape sequence "~&" used to place the current session in the background.
    • ssh-keyscan(1): avoid double-close() on file descriptors.
    • sshd(8): avoid reliance on shared use of pointers shared between monitor and child sshd processes.
    • sshd_config(8): document available AuthenticationMethods.
    • ssh(1): avoid truncation in some login prompts.
    • ssh(1): make "--" before the hostname terminate argument processing after the hostname too.
    • ssh-keygen(1): switch from aes256-cbc to aes256-ctr for encrypting new-style private keys. Fixes problems related to private key handling for no-OpenSSL builds.
    • ssh(1): warn and do not attempt to use keys when the public and private halves do not match.
    • sftp(1): don't print verbose error message when ssh disconnects from under sftp.
    • sshd(8): fix keepalive scheduling problem: activity on a forwarded port from preventing the keepalive from being sent.
    • sshd(8): when started without root privileges, don't require the privilege separation user or path to exist. Makes running the regression tests easier without touching the filesystem.
    • Make integrity.sh regression tests more robust against timeouts.
    • ssh(1)/sshd(8): correctness fix for channels implementation: accept channel IDs greater than 0x7FFFFFFF.

• LibreSSL 2.6.3
  • Added support for providing CRLs to libtls - once a CRL is provided viatls_config_set_crl_file(3) ortls_config_set_crl_mem(3), CRL checking is enabled and required for the full certificate chain.
  • Reworked TLS certificate name verification code to more strictly follow RFC 6125.
  • Cleaned up and simplified server key exchange EC point handling.
  • Removed inconsistent IPv6 handling from BIO_get_accept_socket(), simplified BIO_get_host_ip() and BIO_accept().
  • Added definitions for three OIDs used in EV certificates.
  • Relaxed SNI validation to allow non-RFC-compliant clients using literal IP addresses with SNI to connect to a libtls-based TLS server.
  • Added tls_peer_cert_chain_pem() to libtls, useful in private certificate validation callbacks such as those in relayd.
  • Converted explicit clear/free sequences to usefreezero(3).
  • Fixed theopenssl(1) ca command so that it generates certificates with RFC 5280-conformant time.
  • AddedASN1_TIME_set_tm(3) to set an ASN.1 time from a struct tm *.
  • AddedSSL{,_CTX}_set_{min,max}_proto_version(3) functions.
  • Imported HKDF (HMAC Key Derivation Function) from BoringSSL.
  • Provided atls_unload_file(3) function that frees the memory returned from atls_load_file(3) call, ensuring that the contents become inaccessible.
  • Implemented reference counting for libtls tls_config, allowingtls_config_free(3) to be called as soon as it has been passed to the finaltls_configure(3) call, simplifying lifetime tracking for the application.
  • Dropped cipher suites using DSS authentication.
  • Removed support for DSS/DSA from libssl.
  • Distinguish between self-issued certificates and self-signed certificates. The certificate verification code has special cases for self-signed certificates and without this change, self-issued certificates (which it seems are common place with openvpn/easyrsa) were also being included in this category.
  • Added a new TLS extension handling framework and converted all TLS extensions to use it.
  • Improved and added many new manpages. UpdatedSSL_{CTX_,}check_private_key(3) manpages with additional cautions regarding their use.
  • Cleaned up and simplified EC key/curve configuration handling.
  • Addedtls_config_set_ecdhecurves(3) to libtls, which allows the names of the elliptical curves that may be used during client and server key exchange to be specified.
  • Converted more code paths to use CBB/CBS.
  • Removed NPN support - NPN was never standardised and the last draft expired in October 2012.
  • Removed SSL_OP_CRYPTOPRO_TLSEXT_BUG workaround for old/broken CryptoPro clients.
  • Removed support for the TLS padding extension, which was added as a workaround for an old bug in F5's TLS termination.
  • Added ability to clamp notafter values in certificates for systems with 32-bit time_t. This is necessary to conform to RFC 5280 4.1.2.5.
  • Removed the original (pre-IETF) chacha20-poly1305 cipher suites.
  • Reclassified ECDHE-RSA-DES-CBC3-SHA from HIGH to MEDIUM.
  • Provide a useful error with libtls if there are no OCSP URLs in a peer certificate.
  • Keep track of which keypair is in use by a TLS context, fixing a bug where a TLS server with SNI would only return the OCSP staple for the default keypair.
  • Iftls_config_parse_protocols(3) is called with a NULL pointer it now returns the default protocols.

• mandoc 1.14.3
  • Fullmandoc.db(5) databases are now enabled by default, allowing semantic searching withapropos(1) without any local configuration changes.
  • Full integration of the formermdoclint(1) utility intomandoc(1)-Wall, new-Wstyle and-Wopenbsd message levels, and many new messages, for example about typos in.Sh lines, unknown.Xr targets, and links to self.
  • Additional steps unifying themdoc(7),man(7), androff(7) parsers: use one common data type andohash_init(3) for all requests and macros and support creation of syntax tree nodes in the roff(7) parser, allowing support for many new low-level roff(7) features. Only about 25 ports still needUSE_GROFF now.
  • Many improvements totbl(7) parsing and formatting, including automatic line wrapping inside table columns.
  • Many improvements toeqn(7) parsing and formatting, including better font selection, recognition of well-known mathematical function names, and writing of<mn> and<mo> HTML tags.
  • Intelligible rendering of mathematical symbols in-Tascii output.
  • Several parsing and rendering improvements for themdoc(7).Lk macro.
  • Some CSS improvements in HTML output, in particular for themdoc(7).Bl macro.

• Ports and packages:

  A massive amount of clang-related fixes happened between 6.1 and 6.2.

  Many pre-built packages for each architecture:

  aarch64: 7942 alpha: XXXX amd64: 9728

  arm: XXXX hppa: XXXX i386: 9685

  mips64: XXXX mips64el: XXXX powerpc: XXXX

  sparc64: XXXX

  Some highlights:

  AFL 2.51b CMake 3.9.3 Chromium 61.0.3163.100 Emacs 21.4 and 25.3 GCC 4.9.4 GHC 7.10.3 Gimp 2.8.22 GNOME 3.24.2 Go 1.9 Groff 1.22.3 JDK 8u144 KDE 3.5.10 and 4.14.3 (plus KDE4 core updates) LLVM/Clang 5.0.0 LibreOffice 5.2.7.2 Lua 5.1.5, 5.2.4, and 5.3.4 MariaDB 10.0.32 Mozilla Firefox 52.4.0esr and 56.0.0 Mozilla Thunderbird 52.2.1

  Mutt 1.9.1 and NeoMutt 20170912 Node.js 6.11.2 Ocaml 4.03.0 OpenLDAP 2.3.43 and 2.4.45 PHP 5.6.31 and 7.0.23 Postfix 3.2.2 and 3.3-20170910 PostgreSQL 9.6.5 Python 2.7.14 and 3.6.2 R 3.4.1 Ruby 1.8.7.374, 2.1.9, 2.2.8, 2.3.5 and 2.4.2 Rust 1.20.0 Sendmail 8.16.0.21 SQLite3 3.20.1 Sudo 1.8.21.2 Tcl/Tk 8.5.19 and 8.6.6 TeX Live 2016 Vim 8.0.0987 Xfce 4.12

• As usual, steady improvements in manual pages and other documentation.

• The system includes the following major components from outside suppliers:
  • Xenocara (based on X.Org 7.7 with xserver 1.18.4 + patches, freetype 2.8.0, fontconfig 2.12.4, Mesa 13.0.6, xterm 330, xkeyboard-config 2.20 and more)
  • LLVM/Clang 4.0.0 (+ patches)
  • GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
  • Perl 5.24.2 (+ patches)
  • NSD 4.1.17
  • Unbound 1.6.6
  • Ncurses 5.7
  • Binutils 2.17 (+ patches)
  • Gdb 6.3 (+ patches)
  • Awk Aug 10, 2011 version
  • Expat 2.2.4

• .../OpenBSD/6.2/alpha/INSTALL.alpha
• .../OpenBSD/6.2/amd64/INSTALL.amd64
• .../OpenBSD/6.2/arm64/INSTALL.arm64
• .../OpenBSD/6.2/armv7/INSTALL.armv7
• .../OpenBSD/6.2/hppa/INSTALL.hppa
• .../OpenBSD/6.2/i386/INSTALL.i386
• .../OpenBSD/6.2/landisk/INSTALL.landisk
• .../OpenBSD/6.2/loongson/INSTALL.loongson
• .../OpenBSD/6.2/luna88k/INSTALL.luna88k
• .../OpenBSD/6.2/macppc/INSTALL.macppc
• .../OpenBSD/6.2/octeon/INSTALL.octeon
• .../OpenBSD/6.2/sgi/INSTALL.sgi
• .../OpenBSD/6.2/sparc64/INSTALL.sparc64

Quick installer information for people familiar with OpenBSD, and the use ofthe "disklabel -E" command.If you are at all confused when installing OpenBSD, read the relevantINSTALL.* file as listed above!

• Writefloppy62.fs orfloppyB62.fs (depending on your machine)to a diskette and enterboot dva0.Refer to INSTALL.alpha for more details.

• Make sure you use a properly formatted floppy with NO BAD BLOCKS or your installwill most likely fail.

• If your machine can boot from CD, you can writeinstall62.iso orcd62.iso to a CD and boot from it.You may need to adjust your BIOS options first.

• If your machine can boot from USB, you can writeinstall62.fs orminiroot62.fs to a USB stick and boot from it.

• If you can't boot from a CD, floppy disk, or USB,you can install across the network using PXE as described in the includedINSTALL.amd64 document.

• If you are planning to dual boot OpenBSD with another OS, you will need toread INSTALL.amd64.

• Writeminiroot62.fs to a disk and boot from it after connectingto the serial console. Refer to INSTALL.arm64 for more details.

• Write a system specific miniroot to an SD card and boot from it after connectingto the serial console. Refer to INSTALL.armv7 for more details.

• Boot over the network by following the instructions in INSTALL.hppa or thehppa platform page.

• If your machine can boot from CD, you can writeinstall62.iso orcd62.iso to a CD and boot from it.You may need to adjust your BIOS options first.

• If your machine can boot from USB, you can writeinstall62.fs orminiroot62.fs to a USB stick and boot from it.

• If you can't boot from a CD, floppy disk, or USB,you can install across the network using PXE as described inthe included INSTALL.i386 document.

• If you are planning on dual booting OpenBSD with another OS, you will need toread INSTALL.i386.

• Writeminiroot62.fs to the start of the CFor disk, and boot normally.

• Writeminiroot62.fs to a USB stick and boot bsd.rd from itor boot bsd.rd via tftp.Refer to the instructions in INSTALL.loongson for more details.

• Copy `boot' and `bsd.rd' to a Mach or UniOS partition, and boot the bootloaderfrom the PROM, and then bsd.rd from the bootloader.Refer to the instructions in INSTALL.luna88k for more details.

• Burn the image from a mirror site to a CDROM, and power on your machinewhile holding down theC key until the display turns on andshowsOpenBSD/macppc boot.

• Alternatively, at the Open Firmware prompt, enterboot cd:,ofwboot/6.2/macppc/bsd.rd

• After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.Refer to the instructions in INSTALL.octeon for more details.

• To install, burn cd62.iso on a CD-R, put it in the CD drive of yourmachine and selectInstall System Software from the System Maintenancemenu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically fromCD-ROM, and need a proper invocation from the PROM prompt.Refer to the instructions in INSTALL.sgi for more details.

• If your machine doesn't have a CD drive, you can setup a DHCP/tftp networkserver, and boot using "bootp()/bsd.rd.IP##" using the kernel matching yoursystem type. Refer to the instructions in INSTALL.sgi for more details.

• Burn the image from a mirror site to a CDROM, boot from it, and typeboot cdrom.

• If this doesn't work, or if you don't have a CDROM drive, you can writefloppy62.fs orfloppyB62.fs(depending on your machine) to a floppy and boot it withbootfloppy. Refer to INSTALL.sparc64 for details.

• Make sure you use a properly formatted floppy with NO BAD BLOCKS or your installwill most likely fail.

• You can also writeminiroot62.fs to the swap partition onthe disk and boot withboot disk:b.

• If nothing works, you can boot over the network as described in INSTALL.sparc64.

#mkdir -p /usr/src#cd /usr/src#tar xvfz /tmp/src.tar.gz

#mkdir -p /usr/src/sys#cd /usr/src#tar xvfz /tmp/sys.tar.gz

#cd /usr#tar xvfz /tmp/ports.tar.gz

Theports/ directory represents a CVS checkout of our ports.As with our complete source tree, our ports tree is available viaAnonCVS.So, in order to keep up to date with the-stable branch, you must maketheports/ tree available on a read-write medium and update the treewith a command like:

#cd /usr/ports#cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_2

Note that most ports are available as packages on our mirrors. Updatedports for the 6.2 release will be made available if problems arise.

If you're interested in seeing a port added, would like to help out, or justwould like to know more, the mailing listports@openbsd.org is a good place to know.