Released March 29, 2016 Copyright 1997-2016, Theo de Raadt. ISBN 978-0-9881561-7-3 5.9 Songs: "Doctor W^X", "Systemagic (Anniversary Edition)"
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via |
This is a partial list of new features and systems included in OpenBSD 5.9. For a comprehensive list, see the changelog leading to 5.9.
lookup yp
in
resolv.conf(5).
SOCK_DNS
socket(2) flag that makes an SS_DNS
tagged socket
conceptually different from a plain socket.
mode
subcommand.
default-lease-time
,
max-lease-time
and bootp-lease-time
options.
-y IEEE802_11_RADIO
and -v
options.
-g
flag is used.
-b
flag that specifies the size of the EFI System
partition to create.
-v
flag that causes a verbose display of both MBR
and GPT information.
-B
and
-b
flags being removed.
The associated fields in the disklabel were also removed.
These functions are now all performed by
installboot(8).
kevent
structures are now dumped.
PermitRootLogin=prohibit-password/without-password
that could,
depending on compile-time configuration, permit password authentication
to root while preventing other forms of authentication.
SECURITY
extension.
diffie-hellman-group-exchange
to 2048 bits.
blowfish-cbc
, cast128-cbc
,
all arcfour
variants and the rijndael-cbc
aliases
for AES.
draft-rsa-dsa-sha2-256-03.txt
and
draft-ssh-ext-info-04.txt
.
AddKeysToAgent
client option which can be set to
yes
, no
, ask
, or confirm
, and
defaults to no
. When enabled, a private key that is used
during authentication will be added to
ssh-agent(1)
if it is running (with confirmation enabled if set to confirm
).
authorized_keys
option restrict
that
includes all current and future key restrictions
(no-*-forwarding
, etc.).
Also add permissive versions of the existing restrictions, e.g.
no-pty
-> pty
. This simplifies the task of setting up
restricted keys and ensures they are maximally-restricted,
regardless of any permissions we might implement in the future.
ssh-keygen -lf ~/.ssh/authorized_keys
. (bz#1319)
none
as an argument for
sshd_config(5)
Foreground
and ChrootDirectory
. Useful inside
Match
blocks to override a global default. (bz#2486)
-f -
") for ssh-keygen -L
.
ssh-keyscan -c ...
flag to allow fetching certificates
instead of plain keys.
cvs.openbsd.org.
) in
hostname canonicalisation - treat them as already canonical and
trailing '.
' before matching
ssh_config(5).
first_kex_follows
option during the
initial key exchange.
SSH2_MSG_UNIMPLEMENTED
replies to
unexpected messages during key exchange. (bz#2949)
ConnectionAttempts=0
, which does not
make sense and would cause ssh to print an uninitialised stack
variable. (bz#2500)
Match
blocks. (bz#2489)
PubkeyAcceptedKeyTypes +...
inside a Match
block.
-i
options
before checking whether or not the identity file exists. Avoids
confusion for cases where shell doesn't expand (e.g.
-i ~/file
vs. -i~/file
). (bz#2481)
Match exec
in a config file, which could cause some commands to fail in certain
environments. (bz#2471)
ChrootDirectory
is active. (bz#2485)
PubkeyAcceptedKeyTypes
in ssh -G
config dump.
TunnelForwarding
device flags if they are
already what is needed; makes it possible to use
tun(4)/
tap(4)
networking as non-root user if device permissions and interface flags
are pre-established.
RekeyLimits
could be exceeded by one packet. (bz#2521)
fatal()
for PKCS11 tokens that present empty key IDs.
(bz#1773)
RekeyLimits
larger than 4GB. (bz#2521)
known_hosts
file edits when known_hosts
doesn't exist.
%i
in ControlPath
to UID. (bz#2449)
openssh_RSA_verify
. (bz#2460)
ssh -G ...
) of HostKeyAlgorithms=+...
HostkeyAlgorithms=+...
ClientHello
messages
that do not include TLS extensions, resulting in such handshakes being
aborted.
ECDH_compute_key
that can lead to silent
truncation of the result key without error. A coding error could cause
software to use much shorter keys than intended.
DTLS_BAD_VER
. Pre-DTLSv1 implementations
are no longer supported.
engine
command and parameters are removed from
openssl(1).
Previous releases removed dynamic and built-in engine support already.
Certplus CA
root certificate to the default
cert.pem
file.
sizeof(RC4_CHUNK)
.
AEAD
construction introduced in RFC 7539, which is different
than that already used in TLS with
EVP_aead_chacha20_poly1305(3).
COMODO RSA Certification Authority
and
QuoVadis
root certificates to cert.pem
.
C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority
"
(serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be)
root certificate from cert.pem
.
s_time
command now performs a proper shutdown which allows a
full TLS connection to be benchmarked more accurately. A new
-no_shutdown
flag
makes s_time
adopt the previous behavior so that comparisons
can still be made with OpenSSL's version.
SSLEAY_CONF
backwards compatibility
environment variable in
openssl(1).
CVE-2015-3194
—NULL pointer dereference in client
side certificate validation.
CVE-2015-3195
—memory leak in PKCS7, not reachable
from TLS/SSL.
CVE-2015-3193
—carry propagating bug in the x86_64
Montgomery squaring procedure.
CVE-2015-3196
—double free race condition of the
identify hint data.
cmake
builds.
pkgconfig
files to correctly report the release
version number, not the individual library ABI version numbers.
libtls
API is changed from the 2.2.x series:
libtls
no longer implicitly closes the passed in sockets.
The caller is responsible for closing them in this case.
OPENSSL_cpu_caps
is provided that does not
allow software to inadvertently modify cpu capability flags.
OPENSSL_ia32cap
and OPENSSL_ia32cap_loc
are removed.
out_len
argument of AEAD
changed from
ssize_t
to size_t
.
libtls
for client and server operations; it is
included in the libressl-portable distribution as an example of how
to use the libtls
library. This is intended to be a simpler
and more robust replacement for openssl s_client
and
openssl s_server
for day-to-day operations.
unsigned long
to
time_t
. LibreSSL now checks if the host OS supports 64-bit
time_t
.
libtls
.
libtls
,
tls_peer_cert_notbefore(3)
and
tls_peer_cert_notafter(3).
EVP_CHECK_DES_KEY
code
(non-functional since initial commit in 2004).
probable_prime_dh_safe()
.
LIBRESSL_VERSION_NUMBER
to match that of
OPENSSL_VERSION_NUMBER
.
AES_decrypt
.
SSL_OP_SINGLE_DH_USE
flag.
Many pre-built packages for each architecture:
Some highlights:
Following this are the instructions which you would have on a piece of paper if you had purchased a CDROM set instead of doing an alternate form of install. The instructions for doing an HTTP (or other style of) install are very similar; the CDROM instructions are left intact so that you can see how much easier it would have been if you had purchased a CDROM instead.
Please refer to the following files on the three CDROMs or mirror site for extensive details on how to install OpenBSD 5.9 on your machine:
Quick installer information for people familiar with OpenBSD, and the use of the "disklabel -E" command. If you are at all confused when installing OpenBSD, read the relevant INSTALL.* file as listed above!
If you already have an OpenBSD 5.8 system, and do not want to reinstall, upgrade instructions and advice can be found in the Upgrade Guide.
src.tar.gz
contains a source archive starting at /usr/src
.
This file contains everything you need except for the kernel sources, which are
in a separate archive. To extract:
# mkdir -p /usr/src # cd /usr/src # tar xvfz /tmp/src.tar.gz
sys.tar.gz
contains a source archive starting at /usr/src/sys
.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
# mkdir -p /usr/src/sys # cd /usr/src # tar xvfz /tmp/sys.tar.gz
Both of these trees are a regular CVS checkout. Using these trees it is possible to get a head-start on using the anoncvs servers as described here. Using these files results in a much faster initial CVS update than you could expect from a fresh checkout of the full OpenBSD source tree.
A ports tree archive is also provided. To extract:
# cd /usr # tar xvfz /tmp/ports.tar.gz
Go read the ports page if you know nothing about ports at this point. This text is not a manual of how to use ports. Rather, it is a set of notes meant to kickstart the user on the OpenBSD ports system.
The ports/ directory represents a CVS (see the manpage for cvs(1) if you aren't familiar with CVS) checkout of our ports. As with our complete source tree, our ports tree is available via AnonCVS. So, in order to keep up to date with the -stable branch, you must make the ports/ tree available on a read-write medium and update the tree with a command like:
# cd /usr/ports # cvs -d [email protected]:/cvs update -Pd -rOPENBSD_5_9
[Of course, you must replace the server name here with a nearby anoncvs server.]
Note that most ports are available as packages on our mirrors. Updated ports for the 5.9 release will be made available if problems arise.
If you're interested in seeing a port added, would like to help out, or just would like to know more, the mailing list [email protected] is a good place to know.