Software Update: OpenBSD 5.1

On Tuesday, the new semi-annual release of OpenBSD came out. On this page a comprehensive list of FTP and HTTP download locations can be found. OpenBSD descends from the original Berkeley Software Distribution and has the characteristic that the developers only want to use open source software. Furthermore, the OS is known for its excellent documentation and security. As usual with a new version of OpenBSD, there is also a new theme designed around the OS, accompanied by a real theme song and available on audio CD, as a poster and as a T-shirt. This time they chose Bug Busters as the title of the theme. Below is an extensive overview of the changes implemented in version 5.1.

Improved hardware support, including:

  • umsm(4) supports additional mobile broadband devices.
  • Non-GigE ale(4) devices can now establish link to a GigE link partner.
  • Support for Intel 82580 has been added to em(4).
  • Support for MegaRAID 9240 has been added to mfi(4).
  • Support for Nuvoton NCT6776F has been added to lm(4).
  • Support for Centrino Advanced-N 6205 has been added to iwn(4).
  • Support for SiS 1182/1183 SATA has been added to pciide(4).
  • Support for Synaptics touch pads through the synaptics(4) X.Org input driver is now enabled by default.
  • Support for Intel Sandy Bridge integrated graphics cards has been added to the intel(4) X.Org driver.
  • Assembler implementation of the AES-GCM mode for new Intel and future AMD CPUs has been added.
  • usb(4) probes bus after resume, improves functionality for some laptops.

Generic network stack improvements:

  • RFC4638 MTU negotiation for pppoe(4).
  • npppdctl(8) replaced with npppctl(8), written from scratch. Includes support for IPv6 as tunnel source address.
  • Improve performance (throughput and loss rate) for PPTP, pppd(8) or L2TP(/IPsec) on unstable latency networks (e.g. mobile).
  • Improved IPv6 fragment handling.
  • Many robustness improvements for IEEE 802.11 (particularly hostap).
  • Improved vlan priority support, including mapping to interface queues.
  • Initial rdomains support for IPv6.
  • Robustness improvements for carp(4).
  • Various IPv6 and rdomain related improvements for carp(4).

Routing daemons and other userland network improvements:

pf(4) improvements:

  • One-shot rule support for pf(4) for use with proxies via anchors.
  • NAT64 support in PF using the af-to keyword.
  • Much improved IPv6 fragment handling.
  • Various enhancements with ICMP and especially ICMPv6 states.
  • Improved IPv6 Neighbor Discovery and Multicast Listener Discovery handling.
  • pfctl(8) now prints port numbers instead of service names by default.
  • Netflow v9 and ipfix support for pflow(4).
  • Many pfsync(4) fixes and improvements, including jumbo frames and automatically requesting a bulk update after a physical interface comes online.

Assorted improvements:

  • Improved locale support.
  • Support for MSG_NOSIGNAL.
  • KERN_PROC_CWD sysctl(3) for fetching the path to a process’s working directory.
  • Improved fnmatch(3), glob(3) and regcomp(3) implementations to resist DoS attacks.
  • Lots of HISTORY and AUTHORS information added to manpages.
  • Improved checking for file offset wraparound.
  • pwrite(2)/pwritev(2) now correctly ignore O_APPEND.
  • Improved conformance of header files with standards.
  • Improved cancellation support in both user-threads (libpthread) and rthreads.
  • Improved correctness of execution, core dumping, signal delivery, alternate signal stacks, blocking socket accept(), mutexes and condition variables, per-thread errno, symbol binding, and ktracing when rthreads are in use.
  • Architecture-independent kernel support for thread-control-block handling for rthreads.
  • Small improvements to Linux compat (only available on i386).
  • Multiple bugs have been fixed in the Intel 10Gb driver ix(4).
  • softraid(4) now supports a concatenating discipline.
  • On amd64, i386, and sparc64, the root filesystem can reside in a softraid(4) volume. The kernel needs to be booted from a non-softraid partition.
  • On amd64, the system can be booted from a softraid(4) RAID1 volume.
  • aucat(1) adds a “device number” component in sndio(7) device names, allowing a single aucat instance to handle all audio and MIDI services.
  • Built-in sndiod(1) sound daemon now uses default rate 48kHz and the default block size 10ms. These settings ensure video players and programs using MTC are smooth by default.
  • Many updates to smtpd(8): a new scheduler_backend API introduced, more MIME 1.0 support added, new filter callbacks for network events, improved DNS error reporting and envelope handling, and the purge/ directory is now cleared via a privilege-separated child.
  • tmux(1) is extended to support a larger history, minimizes redundant log messages and does some code reordering for more local and less global variables. Support is added for the ESC[s and ESC[u save/restore cursor-position key sequences. $HOME (or ~) may now be used as default-path in tmux.conf.
  • Enhanced cwm(1) event support, added {r,}cycleingroup to cycle through clients belonging to the same group as the active client, simplified color initialization.
  • The mg(1) emacs-like editor now uses absolute filenames while pushing and popping off the stack. In dired mode: corrected cursor movements and added missing keybindings.

OpenSSH 6.0:

  • New features:
    • ssh-keygen(1): add optional checkpoints for moduli screening.
    • ssh-add(1): new -k option to load plain keys (skipping certificates).
    • sshd(8): add wildcard support to PermitOpen, allowing things like “PermitOpen localhost:*”. (bz#1857)
    • ssh(1): support for canceling local and remote port forwards via the multiplex socket. Use “ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host” to request the cancellation of the specified forwardings.
    • ssh(1): support cancellation of local/dynamic forwardings from ~C commandline.
  • The following significant bugs have been fixed in this release:
    • ssh(1): ensure that $DISPLAY contains only valid characters before using it to extract xauth data so that it can’t be used to play local shell metacharacter games.
    • ssh(1): unbreak remote port forwarding with dynamically allocated listen ports.
    • scp(1): suppress adding ‘--’ to remote commandlines when the first argument does not start with ‘-’. Saves breakage on some difficult-to-upgrade embedded/router platforms.
    • ssh(1) and sshd(8): fix typo in IPQoS parsing: there is no “AF14” class, but there is an “AF21” class.
    • ssh(1) and sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during rekeying.
    • ssh(1): skip attempting to create ~/.ssh when -F is passed.
    • sshd(8): unbreak stdio forwarding when ControlPersist is in use. (bz#1943)
    • sshd(8): send tty break to pty master instead of (probably already closed) slave side. (bz#1859)
    • sftp(1): silence error spam for “ls */foo” in directory with files. (bz#1683)
    • Fixed a number of memory and file descriptor leaks.

Over 7,000 ports, major performance and stability improvements in the package build process

  • Downloading of distfiles is simpler, can resume interrupted download, discover file moves, and expire old files. Distfiles mirror sites now use the new and improved method.
  • Dependency handling during ports build and package creation is at least twice as fast, twenty times as fast in pathological cases. This also affects user scripts such as out-of-date.
  • More checks are done during package builds, for increased user friendliness.
  • The long term process of documenting the infrastructure is now 100% done.
  • The distributed ports builder (dpb) can now clean up old dependencies, thus helping package builds be more reproducible. This found tens of hidden build dependencies in the ports tree already.
  • The semantics of pkg_add -a have been nailed down and a few minor bugs have been fixed.
  • The arch-dependent issues are better classified, leading to better builds on old architectures in some complicated cases. In particular, dpb explicitly purges from memory info about packages it cannot build and stuff that depends on it, leading to better life on sparc and vax which have very small data size limits.
  • dpb recognizes full builds and trims some duplicate package builds.

Many pre-built packages for each architecture:

  • i386: 7229
  • sparc64: 6599
  • alpha: 5943
  • sh: 2459
  • amd64: 7181
  • powerpc: 6852
  • sparc: 4152
  • arm: 5536
  • hppa: 6159
  • vax: 2199
  • mips64: 5785
  • mips64el: 5807

Some highlights:

  • GNOME 3.2.1 (fallback mode)
  • KDE 3.5.10
  • Xfce 4.8.3
  • MySQL 5.1.60
  • PostgreSQL 9.1.2
  • Postfix 2.8.8
  • OpenLDAP 2.3.43 and 2.4.26
  • Mozilla Firefox 3.5.19, 3.6.25 and 9.0.1
  • Mozilla Thunderbird 9.0.1
  • GHC 7.0.4
  • LibreOffice 3.4.5.2
  • Emacs 21.4, 22.3 and 23.4
  • Vim 7.3.154
  • PHP 5.2.17 and 5.3.10
  • Python 2.5.4, 2.7.1 and 3.2.2
  • Ruby 1.8.7.357 and 1.9.3.0
  • Tcl/Tk 8.5.11
  • Jdk 1.7
  • Mono 2.10.6
  • Chromium 16.0.912.77
  • Groff 1.21

Misc:

  • As usual, steady improvements in manual pages and other documentation.
  • Base system and Xenocara manuals are now installed as source code, making grep(1) more useful in /usr/share/man/ and /usr/X11R6/man/.
  • If both formatted and source versions of manuals are installed, man(1) automatically displays the newer version of each page.

The system includes the following major components from outside suppliers:

  • Xenocara (based on X.Org 7.6 with xserver 1.11.4 + patches, freetype 2.4.8, fontconfig 2.8.0, Mesa 7.10.3, xterm 276, xkeyboard-config 2.5 and more)
  • In the Xenocara Radeon driver: version 6.12.2 (the last known working version in “zaphod” mode) is renamed to radeonold; xf86-video-ati is updated to 6.14.3, supporting most Radeon cards.
  • Gcc 4.2.1 (+patches), 3.3.5 (+patches) and 2.95.3 (+patches)
  • Perl 5.12.2 (+patches)
  • Our improved and secured version of Apache 1.3, with SSL/TLS and DSO support
  • OpenSSL 1.0.0f (+patches)
  • Sendmail 8.14.5, with libmilter
  • Bind 9.4.2-P2 (+ patches)
  • Lynx 2.8.7rel.2 with HTTPS and IPv6 support (+ patches)
  • sudo 1.7.2p8
  • Ncurses 5.7
  • Heimdal 0.7.2 (+ patches)
  • Arla 0.35.7
  • Binutils 2.15 (+patches)
  • Gdb 6.3 (+patches)
  • Less 444 (+ patches)
  • Awk Aug 10, 2011 version

Version number 5.1
Release status Final
Operating systems BSD
Website OpenBSD
Download
License type Conditions (GNU/BSD/etc.)