67.html

<!doctype html>
<html lang=en id=release>
<meta charset=utf-8>

<title>OpenBSD 6.7</title>
<meta name="description" content="OpenBSD 6.7">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="openbsd.css">
<link rel="canonical" href="https://www.openbsd.org/67.html">

<h2 id=OpenBSD>
<a href="index.html">
<i>Open</i><b>BSD</b></a>
6.7
</h2>

<table>
<tr>
<td>
<a href="images/CoralFever.gif">
<img width="227" height="343" src="images/CoralFever-s.gif" alt="Coral Fever"></a>
<td>
Released May 19, 2020<br>
Copyright 1997-2020, Theo de Raadt.<br>
<br>
<br>
Artwork by Jonni Phillips.
<br>
<ul>
<li>See the information on <a href="ftp.html">the FTP page</a> for
    a list of mirror machines.
<li>Go to the <code class=reldir>pub/OpenBSD/6.7/</code> directory on
    one of the mirror sites.
<li>Have a look at <a href="errata67.html">the 6.7 errata page</a> for a list
    of bugs and workarounds.
<li>See a <a href="plus67.html">detailed log of changes</a> between the
    6.6 and 6.7 releases.
<p>
<li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
    pubkeys for this release:<p>

<table class=signify>
<tr><td>
openbsd-67-base.pub:
<td>
<a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/openbsd-67-base.pub">
RWRmkIA877Io3oCILSZoJGhAswifJbFK4r18ICoia+3c0PfwANueolNj</a>
<tr><td>
openbsd-67-fw.pub:
<td>
RWSOSlsdN/fgAY1SvEyFdbTkouV2cIsUBXdJhEIhRscq8TT3bz9iOYRL
<tr><td>
openbsd-67-pkg.pub:
<td>
RWTR60UGd2MbnaRg+upZbbBYO00ZhHJehXy7tH2ORHvCjGcDH2pZpsxv
<tr><td>
openbsd-67-syspatch.pub:
<td>
RWTLqtfkjXfBADZEVkBDwSU0EAhy45nb5ovn1xHtQmD3DcqUWe+CouTL
</table>
</ul>
<p>
All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via <code>ports.tar.gz</code>.
</table>

<hr>

<section id=new>
<h3>What's New</h3>
<p>
This is a partial list of new features and systems included in OpenBSD 6.7.
For a comprehensive list, see the <a href="plus67.html">changelog</a> leading
to 6.7.

<ul>

<li>General improvements and bugfixes:
  <ul>
    <li>Reduced the minimum allowed number of chunks in a CONCAT
	volume from 2 to 1, increasing the number of volumes which can be
	created on a single disk with <a
	href="https://man.openbsd.org/bioctl">bioctl(8)</a> from 7 to 15. This
	can be used to create more partitions than previously.
    <li>Rewrote the <a href="https://man.openbsd.org/cron">cron(8)</a>
	flag-parsing code to be getopt-like, allowing tight formations like
	-ns and flag repetition. Renamed the "options" field in <a
	href="https://man.openbsd.org/crontab.5">crontab(5)</a> to "flags".
    <li>Added <a
	href="https://man.openbsd.org/man5/crontab.5">crontab(5)</a> -s flag
	to the command field, indicating that only a single instance of the
	job should run concurrently.
    <li>Added <a href="https://man.openbsd.org/cron">cron(8)</a>
	support for random time values using the ~ operator.
    <li>Allowed <a href="https://man.openbsd.org/cwm">cwm(1)</a>
	configuration of window size based on percentage of the master window
	during horizontal and vertical tiling actions.
    <li>Allowed use of window-htile and window-vtile with the "empty"
	group clients in <a href="https://man.openbsd.org/cwm">cwm(1)</a>.
    <li>Switched powerpc to a machine-independent mplock implementation,
	allowing use of <a href="https://man.openbsd.org/witness">
	witness(4)</a>.
    <li>Added <a href="https://man.openbsd.org/acpi">acpi(4)</a>
	support for the _CCA method, indicating whether DMA is cache-coherent.
    <li>Switched the default compiler on powerpc to clang.
    <li>Bumped <a href="https://man.openbsd.org/nvme">nvme(4)</a> max
	physio() i/o size to 128K.
    <li>Improved <a href="https://man.openbsd.org/apmd">apmd(8)</a>
	support for automatic suspend/hibernate (-z/-Z).  The daemon now
	reacts to power changes messages sent by the battery driver.
	Those messages are ignored for 60 seconds after a resume, so
	that the user can take control before the machine goes back to
	sleep.
    <li>Prevented a kernel hang when no unlocked ffs_softdep worklist
	items could be processed.
    <li>Stopped counting pages mapped as PROT_NONE against the
	RLIMIT_DATA limit, helping code which reserves large chunks of address
	space but populates it sparsely.
    <li>Added the $REQUEST_SCHEME variable to <a
	href="https://man.openbsd.org/httpd.conf">httpd.conf(5)</a>, allowing
	preservation of the original connection type (http or https) for
	redirect locations
    <li>Implemented "strip" option in <a
	href="https://man.openbsd.org/httpd.conf">httpd.conf(5)</a> for
	fastcgi to be able to have multiple chroots under /var/www for FastCGI
	servers.
    <li>Changed <a href="https://man.openbsd.org/httpd">httpd(8)</a>
	to send a 408 response when a timeout happens while headers are being
	received, but close the connection if no request is received.
    <li>Updated en_US.UTF-8.src to Unicode 12.1.
    <li>Added a new __tmpfd system call which creates a new, unnamed file in
	/tmp, intended for shm/fd passing, but in programs that may otherwise
	lack filesystem access (due to restrictions imposed by
	<a href="https://man.openbsd.org/unveil.2">unveil(2)</a> or
	<a href="https://man.openbsd.org/pledge.2">pledge(2)</a>).
    <li>Imported <a href="https://man.openbsd.org/dt">dt(4)</a>, a
	driver and framework for Dynamic Profiling, and an accompanying bug
	tracer that speaks the <a href="https://man.openbsd.org/dt">dt(5)</a>
	language.
    <li>Added a human-readable mode (-h) to <a
	href="https://man.openbsd.org/systat">systat(1)</a>.
    <li>Implemented scrolling in <a
	href="https://man.openbsd.org/top">top(1)</a> using the 9 and 0 keys.
    <li>Added <a
	href="https://man.openbsd.org/timeout_set_flags">timeout_set_flags(9)</a>
	and TIMEOUT_INITIALIZER_FLAGS(9) to the timeout API, allowing the
	caller to initialize timeouts with arbitrary flags.
    <li>Introduced TIMEOUT_SCHEDULED flag and tos_scheduled statistic
	to <a href="https://man.openbsd.org/timeout.9">timeout(9)</a>.
    <li>Switched to tickless backend in <a
	href="https://man.openbsd.org/timeout.9">timeout(9)</a>, adding new
	interface <a
	href="https://man.openbsd.org/timeout_add_ts">timeout_add_ts(9)</a> to
	avoid backwardly compatible behavior.
    <li>Added the system clock interface <a
	href="https://man.openbsd.org/nanoboottime">nanoboottime(9)</a>,
	returning the UTC time at which the system booted in seconds and
	nanoseconds.
    <li>Introduced efficient page freeing in reverse order from uvm,
	greatly improving cases of massive page freeing.
    <li>Added uvm_objfree to uvm to efficiently free all pages from a
	uvm object, used in the buffer cache for considerable speedup when
	freeing pages.
    <li>Modified buffer cache to use individual uvm_objs per buffer to
	speed page lookups.
    <li>Speed up <a href="https://man.openbsd.org/sort">sort(1)</a> by
	not performing a top-level sort when -c is used with a -k field.
    <li>Modified -z mode verification in <a
	href="https://man.openbsd.org/signify">signify(1)</a> to save the
	header and output it, so signify -zV >saved.tgz will keep the
	signature for later checks.
    <li>Enabled DNSSEC validation in <a
	href="https://man.openbsd.org/unbound">unbound(8)</a> by default.
    <li><a href="https://man.openbsd.org/ntpd">ntpd(8)</a> now does
	constraint validation against 9.9.9.9 and 2620:fe::fe by default.
    <li>Fixed <a href="https://man.openbsd.org/arp.4">arp(4)</a>
	issues created by <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>
	modifying existing routes.
    <li>Fixed <a href="https://man.openbsd.org/resolv.conf.5">resolv.conf(5)</a>
	handling by <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>
	when an interface loses link.
    <li>Restored previous <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>
	behaviour of rejecting leases that lack a subnet mask.
    <li>Enabled <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>
	to configure <a href="https://man.openbsd.org/carp.4">carp(4)</a>
	interfaces.
    <li>Fixed <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>
	releasing leases without a server identifier.
    <li>Improved <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>
	NAK handling in various corner cases.
    <li>Fixed <a href="https://man.openbsd.org/dhclient.8">dhclient(8)</a>
	endlessly sending REQUEST messages when an ACK is never received.
    <li>Prevented
	<a href="https://man.openbsd.org/dhcpd.8">dhcpd(8)</a>
	from referencing freed memory when releasing a lease with
	an unusually long uid.
    <li>Corrected parsing of classless static default route "0/0" in
	<a href="https://man.openbsd.org/dhcpd.conf.5">dhcpd.conf(5)</a>.
    <li>Increased to 15 the number of
	<a href="https://man.openbsd.org/softraid.4">softraid(4)</a>
	CONCAT volumes that can be created on a single disk.
    <li>Fixed
	<a href="https://man.openbsd.org/softraid.4">softraid(4)</a>
	CRYPTO volumes on 4K-sector disks.
  </ul>

<!-- FFS2 -->
<li>The FFS2 filesystem, which uses 64bit timestamps and block numbers
	is now the default for new installs on nearly all architectures:
  <ul>
    <li>Enabled ffs2 in sgi bootblocks and ramdisks.
    <li>Made ffs2 the default filesystem type on installs except for landisk, luna88k and sgi.
    <li>Changed the sparc64 bootblocks to be able to read from ffs1, ffs2 and softraid, and enabled the ffs2 option for both floppies.
    <li>Enabled FFS2 on the landisk ramdisk.
    <li>Taught i386 boot(8), cdboot(8) and pxeboot(8) about ffs2.
    <li>Taught macppc boot(8) about ffs2.
    <li>Taught sparc64 boot(8) about ffs2.
    <li>Allowed hppa <a href="https://man.openbsd.org/man8/hppa/boot.8">boot(8)</a>  to read from an ffs2 filesystem.
    <li>Allowed alpha boot(8) to read from an ffs2 filesystem and adapted its custom installboot to deal with ffs2. Also fixed the partition read code to deal with offsets greater than 2G.
    <li>Adapted <a href="https://man.openbsd.org/biosboot">biosboot(8)</a> so that it can read <a href="https://man.openbsd.org/boot.8">boot(8)</a> from an ffs2 filesystem.
    <li>Allowed amd64 <a href="https://man.openbsd.org/man8/amd64/boot.8">boot(8)</a> to read from an ffs2 filesystem. Enabled ffs2 for floppy.
    <li>Allowed loongson boot(8) to read from an ffs2 filesystem.
    <li>Allowed arm64 and armv7 efiboot(8) to read from an ffs2 filesystem.
  </ul>

<li>SMP-Improvements:
  <ul>
    <li>
    <a href="https://man.openbsd.org/__thrsleep">__thrsleep(2)</a>,
    <a href="https://man.openbsd.org/__thrwakeup">__thrwakeup(2)</a>,
    <a href="https://man.openbsd.org/close">close(2)</a>,
    <a href="https://man.openbsd.org/closefrom">closefrom(2)</a>,
    <a href="https://man.openbsd.org/dup">dup(2)</a>,
    <a href="https://man.openbsd.org/dup2">dup2(2)</a>,
    <a href="https://man.openbsd.org/dup3">dup3(2)</a>,
    <a href="https://man.openbsd.org/flock">flock(2)</a>,
    <a href="https://man.openbsd.org/fcntl">fcntl(2)</a>,
    <a href="https://man.openbsd.org/kqueue">kqueue(2)</a>,
    <a href="https://man.openbsd.org/pipe">pipe(2)</a>,
    <a href="https://man.openbsd.org/pipe2">pipe2(2)</a> and
    <a href="https://man.openbsd.org/nanosleep">nanosleep(2)</a>
    are run without KERNEL_LOCK.
    <li>The generic part of <a href="https://man.openbsd.org/ioctl">ioctl(2)</a>
    is run without KERNEL_LOCK.
    <li>Reworked AMD smt/core/package detection, helping prevent cores being
    misidentified as threads.
    <li>Avoided false positives in
    <a href="https://man.openbsd.org/witness">witness(4)</a> when detecting
    lock order reversals by using separate rwlock initializations for
    userland and kernel maps.
    <li>Allowed sleeping inside kqueue event filters.
    <li>Made <a href="https://man.openbsd.org/vmx">vmx(4)</a> transmit MP-safe.
  </ul>

<li>Improved hardware support, including:
  <ul>
    <li>Improvements in the <a href="https://man.openbsd.org/em">em(4)</a> driver.
    <li>Added <a href="https://man.openbsd.org/dsxrtc">dsxrtc(4)</a>,
	a driver for the Maxim DS3231/DS3232 I2C RTC.
    <li>Added <a href="https://man.openbsd.org/ure">ure(4)</a> support
	for Lenovo OneLine Plus Dock Ethernet.
    <li>Improved <a href="https://man.openbsd.org/ucom">ucom(4)</a> to
	fix firmware upload on some microcontroller boards using DTR and RTS
	as signaling lines to reset the device and enter the bootloader.
    <li>Added a PCI attachment driver for <a
	href="https://man.openbsd.org/com">com(4)</a> to support memory-mapped
	PCI devices which are part of a Low Power Subsystem (LPSS).
    <li>Implemented microsecond resolution using <a
	href="https://man.openbsd.org/microuptime">microuptime(9)</a> to avoid
	a hard hang when starting X on Intel Cherry Trail Atom processors.
    <li>Added support for X553 controllers to <a
	href="https://man.openbsd.org/ix">ix(4)</a>.
    <li>Added <a href="https://man.openbsd.org/usb">usb(4)</a> device
	support for an AMD hub on the APU2 and a Synaptics vendor id and two
	fingerprint readers.
    <li>Prevented buffer overflows with <a
	href="https://man.openbsd.org/uthum">uthum(4)</a> by not assuming the
	report length given by the hardware is necessarily smaller than the
	length of the on-stack buffer.
    <li>Added <a href="https://man.openbsd.org/rge">rge(4)</a>, a driver
	for the Realtek 8125 PCI Express 2.5Gb Ethernet devices.
    <li>Fixed cursor issues and suspend/resume on <a
	href="https://man.openbsd.org/amdgpu">amdgpu(4)</a> and
	<a href="https://man.openbsd.org/radeondrm">radeondrm(4)</a>.
    <li>Fixed support for additional I2C busses in <a
	href="https://man.openbsd.org/piixpm">piixpm(4)</a> for older SB800
	SMBus controllers. Prevented sensors from attaching four times on old
	AMD machines.
    <li>Invalidated the <a
	href="https://man.openbsd.org/knote">knote(9)</a> list of <a
	href="https://man.openbsd.org/uhid">uhid(4)</a> after device detach,
	preventing a crash that can happen when kqueue still holds references
	to knotes pointing to the device.
    <li>Prevented a use-after-free causing crashes with <a
	href="https://man.openbsd.org/uhidev">uhidev(4)</a> devices.

    <li>Prevented <a href="https://man.openbsd.org/mcx">mcx(4)</a>
	interface lockups due to completion queue overflow.
    <li>Fixed brightness keys on various laptops with AMD graphics.
    <li>Fixed brightness controls on machines where the
	initial brightness values are returned out of range.
    <li>Set the default brightness level on attachment for <a
	href="https://man.openbsd.org/pwmbl">pwmbl(4)</a>.
    <li>Fixed <a
	href="https://man.openbsd.org/acpivout">acpivout(4)</a> screen
	brightness adjustment through function keys, better supporting
	machines using exponential brightness scaling.
    <li>Changed <a
	href="https://man.openbsd.org/acpivout">acpivout(4)</a> to increment
	and decrement screen brightness based only on brightness level changes
	of 5% or higher.
    <li>Fixed Etron EJ168 USB 3.0 Host Controllers via USB 2 devices.
    <li>Added support for the SIERRA MC7700 to <a
	href="https://man.openbsd.org/umsm">umsm(4)</a> UMTS and LTE modem device.
    <li>Fixed RAID volume WWIDs for <a
	href="https://man.openbsd.org/mpii">mpii(4)</a> LSI controllers on
	sparc64, allowing <a
	href="https://man.openbsd.org/autoconf">autoconf(9)</a> to identify
	the volume as the root device and boot off hardware RAID.
    <li>Populated logical disk port WWNs with their RAID volume's WWID
	in <a href="https://man.openbsd.org/mpii">mpii(4)</a>.
    <li>Added <a href="https://man.openbsd.org/fido">fido(4)</a>, an
	HID driver for FIDO/U2F security keys.
    <li>Added parsing of DDR4 and LPDDDR3/4 SPD memories to <a
	href="https://man.openbsd.org/spdmem">spdmem(4)</a>.
    <li>Added support to <a
	href="https://man.openbsd.org/lm">lm(4)</a> for NCT6775F, NCT5104D,
	NCT6779D and NCT679[1235]D sensors.
    <li>Updated <a href="https://man.openbsd.org/piixpm">piixpm(4)</a>
	to support newer AMD chips like Hudson-2 and KERNCZ and implemented
	multi-bus support for SB800, Hudson-2 and KERNCZ.
    <li>Extended the expected SPD types to include DDR4 and low-power DDR3/DDR4.
    <li>Enabled full use of jumbo frames on <a
	href="https://man.openbsd.org/bnx">bnx(4)</a> devices.
    <li>Fixed <a href="https://man.openbsd.org/scsi">scsi(8)</a>
	softraid crypto volumes on 4K-sector disks.
    <li>Faked disk info to match expected boot disk when EFI
	bootloader has been received via TFTP, fixing a hang during HP
	Elitebook UEFI boot.
    <li>Implemented a hexdump command in the bootloader, helping to
	inspect the memory layout created by the firmware and useful for UEFI
	debugging.
    <li>Improved <a href="https://man.openbsd.org/ksmn">ksmn(4)</a>
	temperature conversion precision.
    <li>Added a quirk to handle Apollo Lake, Gemini Lake and 100
	Series Intel SD/MMC <a href="https://man.openbsd.org/sdhc">sdhc(4)</a>
	controllers which should not have voltages set to 0V.
    <li>Prevented a local user from causing the system to hang by
	reading specific registers when Intel Gen8/Gen9 graphics hardware is
	in a low power state.
    <li>Prevented writes to memory allowed by the Intel Gen9 graphics hardware.
    <li>Added support for buttons 2 and 3 to <a
	href="https://man.openbsd.org/imt">imt(4)</a>.
    <li>Added <a href="https://man.openbsd.org/ogx">ogx(4)</a>, a
	driver for the OCTEON III network processor.
    <li>Fixed endian swapping in <a
	href="https://man.openbsd.org/xhci">xhci(4)</a>, allowing it to work
	again on octeon and other big endian architectures.
    <li>Implemented the "parallel boot" feature on compatible sparc64 firmware.
    <li>Introduced <a href="https://man.openbsd.org/iwx">iwx(4)</a>, a
	driver for Intel AX200 WiFi devices.
    <li>Added <a href="https://man.openbsd.org/iwm">iwm(4)</a> support
	for Intel 9260 and 9560 wifi devices.
    <li>Updated firmware for all devices supported by the
	<a href="https://man.openbsd.org/iwm">iwm(4)</a> driver.
    <li>Fixed <a href="https://man.openbsd.org/iwm">iwm(4)</a> support
	for Intel 3168 wifi devices.
    <li>Added support for the tp-link tl-wn823n to the <a
	href="https://man.openbsd.org/urtwn">urtwn(4)</a> driver.
    <li>The <a href="https://man.openbsd.org/athn">athn(4)</a> driver
	now offloads CCMP (WPA2) encryption and decryption to hardware.
    <li>Prevented an overflow due to <a
	href="https://man.openbsd.org/xen">xen(4)</a> failing to release the
	interrupt source when unmasking the interrupt.
    <li>Fixed <a href="https://man.openbsd.org/usb.4">usb(4)</a>
	handling USB 2.0 devices on various USB 3.0 controllers.
    <li>Fixed <a href="https://man.openbsd.org/usb.4">usb(4)</a>
	handling of controllers that STALL to indicate a short read.
    <li>Fixed <a href="https://man.openbsd.org/xhci.4">xhci(4)</a>
	handling of i/o's that are exact multiples of the max packet size.
    <li>Bumped <a href="https://man.openbsd.org/nvme.4">nvme(4)</a>
	maximum physio i/o size to 128K.
    <li>Fixed probing of modern <a href="https://man.openbsd.org/scsi.4">scsi(4)</a>
	devices to ignore the SYNC and WIDE flags used by parallel SCSI.
  </ul>

<li>Removed hardware support
  <ul>
	<li>Removed the rtfps(4) driver, a multiplexing serial communications interface for IBM RT PC boards 
	<li>Removed the dpt(4) driver for DPT EATA SCSI RAID.
	<li>Removed gpr(4), a driver for GemPlus GPR400 PCMCIA smartcard readers.
	<li>Removed mesh(4), a driver for old world Apple Power Macintosh SCSI cards.
  </ul>

<li>Improvements in audio drivers and the
	<a href="https://man.openbsd.org/sndio">sndio(7)</a> framework:
  <ul>
    <li>Introduced the <a
	href="https://man.openbsd.org/sioctl_open">sioctl_open(3)</a>
	API to manipulate audio controls exposed by <a
	href="https://man.openbsd.org/sndiod">sndiod(8)</a>.
    <li>Modified <a
	href="https://man.openbsd.org/sndiod">sndiod(8)</a> to
	use and expose hardware volume controls if available.
    <li>Modified all ports manipulating audio controls to use <a
	href="https://man.openbsd.org/sndio">sndio(7)</a> instead of the
	kernel <a href="https://man.openbsd.org/OpenBSD-6.6/mixer">mixer(4)</a> interface.
    <li>Introduced the <a
	href="https://man.openbsd.org/sndioctl">sndioctl(1)</a> utility to
	manipulate audio controls exposed by <a
	href="https://man.openbsd.org/sndiod">sndiod(8)</a>.
    <li>Exposed the first 4 <a
	href="https://man.openbsd.org/audio">audio(4)</a> devices
	and the first 8 <a
	href="https://man.openbsd.org/midi">midi(4)</a> devices through <a
	href="https://man.openbsd.org/sndiod">sndiod(8)</a> by default.
    <li>Disabled access for regular users to /dev/audio* and
	/dev/rmidi*, for improved security.
    <li>Modified <a
	href="https://man.openbsd.org/mixerctl">mixerctl(1)</a> to use
	/dev/audioctl* instead of /dev/mixer*.
    <li>Removed /dev/mixer*
    <li>Fixed support for <a
	href="https://man.openbsd.org/uaudio">uaudio(4)</a>
	devices with different recording and playback rate sets.
    <li>Fixed volume control of many <a
	href="https://man.openbsd.org/uaudio">uaudio(4)</a>
	devices.
    <li>Fixed channel duplication (-j option) in <a
	href="https://man.openbsd.org/sndiod">sndiod(8)</a>.
    <li>Allowed <a href="https://man.openbsd.org/rc.d">rc.d(8)</a>
	script to reload <a
	href="https://man.openbsd.org/sndiod">sndiod(8)</a>.
    <li>Added an <a
	href="https://man.openbsd.org/azalia">azalia(4)</a> quirk for the
	ALC285 on the X1C7 to avoid a clicking noise on the headphone output.
    <li>Disabled MSI for the AMD Hudson2 <a
	href="https://man.openbsd.org/azalia">azalia(4)</a> HDA to fix random lock ups.
  </ul>

<li>A large number of drivers were written to improve <a href="https://www.openbsd.org/arm64.html">arm64</a>
and <a href="https://www.openbsd.org/armv7.html">armv7</a> hardware support, including:
  <ul>
    <li>Better hardware support for the i.MX8MM platform.
    <li>Support for the Raspberry Pi 4 on arm64.
    <li>Better support for the Raspberry Pi 3 on arm64.
    <li>Proper support for the Raspberry Pi 2 and 3 on armv7.
    <li>Better support for Rockchip based systems, especially the Pinebook Pro.
    <li>Switched USB to use non-coherent buffers for data transfers, dramatically improving performance on some ARM SoCs where the USB controller is not coherent with the caches.
    <li>Allowed switching to framebuffer "glass" console on armv7 in the bootloader, mirroring previous changes to arm64.
    <li>Corrected cache flush operations on arm64 which were being incorrectly treated as write operations. This fixes a bug where cache flushing caused Firefox to abort.
    <li>Added the capability for armv7 boot from another block device than the one from which efiboot was loaded.
    <br><br>
    Specifically the following device drivers were added or fixed:
    <li>Added <a href="https://man.openbsd.org/bcmbsc">bcmbsc(4)</a>, a driver for the Broadcom Serial Control (BSC) controller.
    <li>Added <a href="https://man.openbsd.org/bcmgpio">bcmgpio(4)</a>, a driver for the Broadcom BCM283x GPIO controller.
    <li>Added <a href="https://man.openbsd.org/bcmsdhost">bcmsdhost(4)</a>, a driver for the Broadcom "sdhost" SD controller found on the Raspberry Pi.
    <li>Added <a href="https://man.openbsd.org/bcmdmac">bcmdmac(4)</a>, a driver for the DMA controller found on BCM283x SoCs.
    <li>Added support for the additional <a href="https://man.openbsd.org/sdhc">sdhc(4)</a> controller found on the Raspberry Pi.
    <li>Added quirks for the <a href="https://man.openbsd.org/sdhc">sdhc(4)</a> controller on the Raspberry Pi, providing microSD card or WiFi support depending on the firmware configuration.
    <li>Added support for hardware with <a href="https://man.openbsd.org/sdhc">sdhc(4)</a> controllers on busses only supporting 32-bit access.
    <li>Added <a href="https://man.openbsd.org/bcmirng">bcmirng(4)</a>, a driver for the RNG200 random number generator found on the Raspberry Pi 4.
    <li>Added <a href="https://man.openbsd.org/bcmclock">bcmclock(4)</a>, a driver for the BCM283X CPRMAN clock controller.
    <li>Added <a href="https://man.openbsd.org/bcmmbox">bcmmbox(4)</a>, a driver for the VideoCore messagebox interface on BCM283X.
    <li>Added <a href="https://man.openbsd.org/bcmpcie">bcmpcie(4)</a>, a driver for the PCIe controller found on the Raspberry Pi 4.
    <li>Added <a href="https://man.openbsd.org/bse">bse(4)</a>, a driver for the Broadcom GENET v5 network interface found on the Raspberry Pi 4.
    <li>Added <a href="https://man.openbsd.org/brgphy">brgphy(4)</a> support for the Broadcom BCM54210E.
    <li>Added support for the Armada 3720 CPU clock to <a href="https://man.openbsd.org/mvclock">mvclock(4)</a>.
    <li>Fixed address filter in <a href="https://man.openbsd.org/mvneta">mvneta(4)</a>.
    <li>Added <a href="https://man.openbsd.org/omcm">omcm(4)</a>, <a href="https://man.openbsd.org/omclock">omclock(4)</a> and <a href="https://man.openbsd.org/omsysc">omsysc(4)</a> drivers that support the new bus structure used in current mainline Linux device trees.
    <li>Added <a href="https://man.openbsd.org/omrng">omrng(4)</a>, a driver for the random number generator found on TI OMAP SoCs.
    <li>Fixed the MAC address on Pandaboard-ES by increasing <a href="https://man.openbsd.org/smsc">smsc(4)</a> buffer size used to fetch device tree properties.
    <li>Added support for additional Allwinner A80 clocks and resets in <a href="https://man.openbsd.org/sxiccmu">sxiccmu(4)</a>.
    <li>Fixed <a href="https://man.openbsd.org/amlpciephy">amlpciephy(4)</a> USB3 support when USB has not been initialized by U-Boot.
    <li>Added clock support for i.MX8MM.
    <li>Fixed CPU frequency scaling support on the Librem5 Devkit.
    <li>Added <a href="https://man.openbsd.org/imxpwm">imxpwm(4)</a>, a driver for the PWM controller found on various NXP i.MX SoCs.
    <li>Added support for reading the i.MX8MM temperature sensors to <a href="https://man.openbsd.org/imxtmu">imxtmu(4)</a>.
    <li>Added <a href="https://man.openbsd.org/bdpmic">bdpmic(4)</a>, a driver for the ROHM BD71837 and BD71847 Power Management IC.
    <li>Allowed <a href="https://man.openbsd.org/ipmi">ipmi(4)</a> to attach using mmio.
    <li>Added <a href="https://man.openbsd.org/rkrng">rkrng(4)</a>, a driver for the random number generator found on various Rockchip SoCs.
    <li>Added glass console support to <a href="https://man.openbsd.org/rkdrm">rkdrm(4)</a> in Rockchip SoCs, including kernel modesetting support.
    <li>Added <a href="https://man.openbsd.org/rkdrm">rkdrm(4)</a>, a driver providing kernel mode setting (KMS) functionality for the graphics hardware integrated on Rockchip SoCs.
    <li>Added <a href="https://man.openbsd.org/rkdwhdmi">rkdwhdmi(4)</a>, a driver for the HDMI transmitter found on the Rockchip RK3399 SoC.
    <li>Added <a href="https://man.openbsd.org/rkanxdp">rkanxdp(4)</a>, a driver for the Analogix Display Port controller on the RK3399.
    <li>Added <a href="https://man.openbsd.org/rkvop">rkvop(4)</a>, a driver for the RK3399's Video Output Processors.
    <li>Added <a href="https://man.openbsd.org/rkpwm">rkpwm(4)</a>, a driver for the RK3399's PWM controller.
    <li>Added <a href="https://man.openbsd.org/rkemmcphy">rkemmcphy(4)</a>, a driver for the RK3399's eMMC PHY.
    <li>Added support for gen2 negotiation to <a href="https://man.openbsd.org/rkpcie">rkpcie(4)</a> and enabled gen2 link state training when the dtb is configured with max-link-speed = 2.
    <li>Enabled backlight control use on the Pinebook Pro via <a href="https://man.openbsd.org/wsconsctl">wsconsctl(8)</a>.
    <li>Fixed the Pinebook Pro's trackpad by ensuring only hid_input items are accepted when walking the HID descriptor.
    <li>Fixed <a href="https://man.openbsd.org/pwmbl">pwmbl(4)</a> attachment on the Pinebook Pro.
    <li>Added <a href="https://man.openbsd.org/simplepanel">simplepanel(4)</a>, a driver for simple display panels such as the one found on the Pinebook Pro.
    <li>Recognized BCM4345 rev 9 as shipped with the Pinebook Pro as an AMPAK AP6256 module in <a href="https://man.openbsd.org/bwfm">bwfm(4)</a>.
    <li>Improved <a href="https://man.openbsd.org/bwfm">bwfm(4)</a> on the Pinebook Pro by acking SDIO interrupts earlier on <a href="https://man.openbsd.org/dwmmc">dwmmc(4)</a>.
    <li>Added <a href="https://man.openbsd.org/amltemp">amltemp(4)</a>, a driver for the temperature sensors on various Amlogic SoCs.
    <li>Added <a href="https://man.openbsd.org/pwmfan">pwmfan(4)</a>, a driver for PWM-regulated fans.
    <li>Enabled <a href="https://man.openbsd.org/umt">umt(4)</a> (USB HID multitouch touchpad devices) on arm64.
  </ul>

<li>IEEE 802.11 wireless stack improvements and bugfixes:
  <ul>
    <li>Stop connecting to any available unencrypted wifi networks when an
	interface is marked up. This behavior must now be explicitly enabled
	with <code><a href="https://man.openbsd.org/ifconfig">ifconfig(8)</a> join
	""</code>.
    <li>A background scan is now triggered when root runs the <a
	href="https://man.openbsd.org/ifconfig">ifconfig(8)</a> scan command.
	This updates the list of cached APs displayed by the scan command and
	forces a search for a better AP to roam to.
    <li>Add <code>nwflag nomimo</code> which can be set with <a
	href="https://man.openbsd.org/ifconfig">ifconfig(8)</a> to work
	around packet loss in 11n mode if the wireless network device has
	unused antenna connectors.
    <li>Increased the net80211 node cache size to allow more APs to be viewed during scans.
    <li>Fixed the <a
	href="https://man.openbsd.org/ifconfig">ifconfig(8)</a> "media:" line
	displayed during and after a background scan in 11n mode.
    <li>Made background scans less frequent if they keep choosing the same AP.
    <li>Fix kernel crashes in net80211 hostap mode due to mbuf corruption
	which occurred if a relatively long SSID was configured.
    <li>Added support for active scanning to <a
	href="https://man.openbsd.org/bwfm">bwfm(4)</a>.
    <li>Fix <a href="https://man.openbsd.org/bwfm">bwfm(4)</a> behavior which
	could trigger the ifq pressure drop mechanism under moderate load.
    <li>Improved error handling for <a
	href="https://man.openbsd.org/bwfm">bwfm(4)</a> connection attempts.
    <li>Improved automatic switching between wifi networks by lowering the priority
	of networks in the <a
	href="https://man.openbsd.org/ifconfig">ifconfig(8)</a> join list which
	fail to connect.
    <li>Avoid repeated switching between APs in areas where APs
	are tuned for low transmit range.
    <li>Raised net80211's "beacon miss" threshold to avoid frequent
	reconnects under conditions which cause loss of beacons.
    <li>Reduced stalls on packet loss in 11n mode by improving net80211 handling
	of the Rx block ack sequence number window and queue.
    <li>Fixed a bug where outstanding frames on the <a
	href="https://man.openbsd.org/iwn">iwn(4)</a> aggregation queue
	interfered with roaming to another AP.
    <li>Fixed a race condition in <a
	href="https://man.openbsd.org/iwm">iwm(4)</a> Rx interrupt handling.
    <li>Implemented a workaround for missing Tx completion interrupts
	in <a href="https://man.openbsd.org/iwm">iwm(4)</a> which could lead
	to failures when roaming to another AP.
    <li>Re-enabled firmware-based Tx retries at lower rates for <a
	href="https://man.openbsd.org/iwm">iwm(4)</a>, reducing packet loss.
    <li>Fixed automatic Tx rate control issues in <a
	href="https://man.openbsd.org/iwm">iwn(4)</a>, and <a
	href="https://man.openbsd.org/iwm">iwm(4)</a>.
    <li>Fixed a use-after-free that caused a kernel crash during <a
	href="https://man.openbsd.org/zyd">zyd(4)</a> device detach.
  </ul>

<li>Generic network stack improvements and bugfixes:
  <ul>

    <li>Fixed a panic when using <a href="https://man.openbsd.org/pppac">
	pppac(4)</a> without <a href="https://man.openbsd.org/pipex">pipex(4)</a>.
    <li>Fixed a "route contains no arp information" bug where a kernel routing
	table entry was incorrectly deleted upon insertion of a new entry.
    <li>Stopped processing packets under non-exclusive netlock, preventing
	concurrency in the socket layer.
    <li>Prevented data corruption on UDP receive socket buffers by grabbing the
	exclusive NET_LOCK() in the softnet thread.
    <li>Fixed a kernel crash due to unlimited recursion caused by
	local outbound UDP broadcast/multicast packets sent by a spliced
	socket.
    <li>Added IPv6 support to <a href="https://man.openbsd.org/umb">umb(4)</a>.
    <li>Added support for very old firmware umsm devices with <a
	href="https://man.openbsd.org/umsm">umsm(4)</a> rather than <a
	href="https://man.openbsd.org/umb">umb(4)</a>.
    <li>Added <a href="https://man.openbsd.org/pppac">pppac(4)</a>
	code for a dedicated PPP Access Concentrator interface and switched <a
	href="https://man.openbsd.org/npppd.conf">npppd.conf(5)</a> to use <a
	href="https://man.openbsd.org/pppac">pppac(4)</a> instead of <a
	href="https://man.openbsd.org/tun">tun(4)</a>.
    <li>Added a check when IP forwarding is disabled to ensure packet
	destination address matches interface address.
    <li>Fixed kernel crash in pf_ioctl with WITH_PF_LOCK and NET_TASKQ > 1.
    <li>Ensured proper kernel stack alignment on mips64, fixing a
	panic on octeon related to <a
	href="https://man.openbsd.org/pppoe">pppoe(4)</a>.
    <li>Added <a href="https://man.openbsd.org/rge">rge(4)</a>, a new
	driver for Realtek 8125 PCI Express 2.5Gb ethernet devices.
    <li>Repaired the "set delay" option for <a
	href="https://man.openbsd.org/pf">pf(4)</a> to function as specified
	in <a href="https://man.openbsd.org/pf.conf">pf.conf(5)</a>.
    <li>Prevented non-root users from using <a
	href="https://man.openbsd.org/ioctl">ioctl(2)</a> to alter the address
	of a network interface.
    <li>Prevented non-root users from setting the parameters of <a
	href="https://man.openbsd.org/pppoe">pppoe(4)</a> interfaces.
    <li>Removed mobileip(4).
    <li>Stopped checking whether the IPv6 source address of a neighbor
	advertisement is from a neighbor's address, not required in accordance
	with RFC 4861.

  </ul>

<li>Installer improvements:
  <ul>
    <li>Simplified <a
	href="https://man.openbsd.org/sysupgrade">sysupgrade(8)</a> directory
	check and creation (/home/_syspatch). It can now be a symlink.
    <li>Printed the URL when <a
	href="https://man.openbsd.org/sysupgrade">sysupgrade(8)</a> fetches
	new sets.
    <li>Added an opportunistic run of <a
	href="https://man.openbsd.org/fw_update">fw_update(1)</a> to <a
	href="https://man.openbsd.org/sysupgrade">sysupgrade(8)</a> before
	rebooting to run the upgrade.
  </ul>

<li>Security improvements:
  <ul>
    <li><a href="https://man.openbsd.org/unveil.2">unveil(2)</a> is
      now used in 82 userland programs to redact filesystem access.
    <li>Used <a href="https://man.openbsd.org/unveil">unveil(2)</a> to
	reduce filesystem access in <a
	href="https://man.openbsd.org/vmstat">vmstat(8)</a>, <a
	href="https://man.openbsd.org/iostat">iostat(8)</a> and <a
	href="https://man.openbsd.org/systat">systat(1)</a>.

<!-- dig -->

    <li>Extracted <a href="https://man.openbsd.org/dig">dig(1)</a>, <a
	href="https://man.openbsd.org/host">host(1)</a> and <a
	href="https://man.openbsd.org/nslookup">nslookup(1)</a> from the
	bind(8) source code and cleaned up the source code by removing not
	needed features and auditing it. The kernel API accessible to these
	programs is now restricted through <a
	href="https://man.openbsd.org/pledge">pledge(2)</a>.
    <li>System calls may now only be performed from selected code regions:
	the main program, <a href="https://man.openbsd.org/ld.so">ld.so(1)</a>,
	libc.so and the signal trampoline. A new system call
	<a href="https://man.openbsd.org/msyscall">msyscall(2)</a> indicates
	the libc range, and activates the locking.  This change hardens
	against some attack methods.
    <li>Prevented stack trace saving from inspecting untrusted data on
	amd64, arm64 and i386.
    <li>Used lfence in place of stac/clac on pre-SMAP CPUs to protect
	against Load-Value-Injection attacks against the kernel.
    <li>Prevented a panic due to missing <a
	href="https://man.openbsd.org/sysctl">sysctl(2)</a> input validation.
    <li>Injected failure to fetch entropy with an rdrand() timeout as
	an entropic event, along with an additional rdtsc measuring the vmexit
	latency.
    <li>Enforced that <a href="https://man.openbsd.org/ksh">ksh(1)</a>
	TMOUT is an integer literal to prevent command execution from the
	environment at shell initialization time.
    <li>Ensured the first 2MB page of the amd64 kernel is correctly
	mapped read-only in the direct map.
    <li>Addressed an armv7/arm64 speculative execution issue by changing the
	system call ABI to skip two instructions and inserting a barrier
	after each system call.
    <li>Fixed arm64 speculative execution of instructions after ERET,
	which had led to spectre-like effects on some processors.
    <li>Tightened permissions for USB device nodes.
    <li>Ensured that <a
	href="https://man.openbsd.org/ld.so">ld.so(1)</a> removed the
	LD_LIBRARY_PATH environment variable for set-user-ID and set-group-ID
	executables in low memory conditions.
    <li>Added support for RSA-PSS to <a
	href="https://man.openbsd.org/crypto">crypto(3)</a>.
    <li>Added retguard for octeon/mips64.

    <li>The following security bugs were addressed:
      <ul>
	<li>Reset the login class each time through the loop when using -L
	    (loop) mode with <a href="https://man.openbsd.org/su">su(1)</a>. Fixes
	    CVE-2019-19519.
	<li>Fixed insufficient username validation performed by libc's
	    authentication privilege separation layer and added additional
	    validation points, further validating in <a
	    href="https://man.openbsd.org/login">login(1)</a> and <a
	    href="https://man.openbsd.org/su">su(1)</a>.
	<li>Prevented escalation to the auth group in <a
	    href="https://man.openbsd.org/xlock">xlock(1)</a> through path-related
	    environment variables and disabled mesa and opengl functionality.
      </ul>
  </ul>

<li>Routing daemons and other userland network improvements:
  <ul>
<!-- bgpd -->
    <li>Add initial support for JSON output in
	<a href="https://man.openbsd.org/bgpctl">bgpctl(8)</a>.
    <li>Allow setting both IPv4 and IPv6 local-addresses at the same time in
	<a href="https://man.openbsd.org/bgpd.conf">bgpd.conf(5)</a> group
	blocks.  Introduced <code>no local-address</code> to reset a previously
	set local address.
    <li>Properly aggregate duplicate <a href="https://man.openbsd.org/bgpd">
	bgpd(8)</a> roa table prefix/source-as combinations into a single entry
	with the longest maxlen length.
    <li>Implemented <a
	href="https://man.openbsd.org/bgpd.conf">bgpd.conf(5)</a>
	<code>max-prefix NUM out</code> to limit the number of announced
	prefixes, avoiding leaks of full tables to upstreams and peers.
    <li>Extended <a href="https://man.openbsd.org/bgpctl">bgpctl(8)</a>
	<code>show neighbor</code> to include the received and set prefix
	count, as well as the max-prefix out limit if set.
    <li>Improved reporting of notifications to include the suberror cause.
    <li>Also report the last received error cause in
	<a href="https://man.openbsd.org/bgpctl">bgpctl(8)</a> <code>show
	neighbor</code> output.
    <li>Fix softreconfig out handling to also work for neighbors using
	<code>export default-route</code>.
    <li>Mark stale prefixes in the Adj-RIB-Out so that graceful reload
	operates properly.
<!-- OSPF -->
    <li>Allowed configuration of the <a
	href="https://man.openbsd.org/ospfd">ospfd(8)</a> interface setting
	"type p2p" to be configured globally or per area.
    <li>Added point-to-point <a
	href="https://man.openbsd.org/ospf6d">ospf6d(8)</a> support for
	broadcast interfaces.
<!-- other daemons -->
    <li>Validated authentication lengths in <a
	href="https://man.openbsd.org/ripd">ripd(8)</a> before use to prevent
	crashes.
    <li>Fixed empty response packages sent out by <a
	href="https://man.openbsd.org/ripd">ripd(8)</a> when entries are
	skipped due to split-horizon simple.
    <li>Reduced temporary address valid lifetime to 2 days in <a
	href="https://man.openbsd.org/slaacd">slaacd(8)</a>.
    <li>Made <a href="https://man.openbsd.org/slaacd">slaacd(8)</a>
	honor the rdomain in which it runs when configuring the default route.
    <li>Withdrew all proposals on <a
	href="https://man.openbsd.org/slaacd">slaacd(8)</a> startup to prevent
	indefinite retention of nameservers on interfaces no longer flagged
	for autoconf.
    <li>Modified <a href="https://man.openbsd.org/ldpd">ldpd(8)</a> to
	lookup the adjacency by LSR id as well as source IP address, as the
	remote peer may change its LSR id.

<!-- other programs -->
    <li>Added support for printing RFC 2332 NBMA Next Hop Resolution Protocol
	(NHRP) to <a href="https://man.openbsd.org/tcpdump">tcpdump(8)</a>.
    <li>Added <a href="https://man.openbsd.org/tcpdump">tcpdump(8)</a>
	support for printing RFC 8300 Network Service Header (NSH).
    <li>Added <a href="https://man.openbsd.org/tcpdump">tcpdump(8)</a>
	support for VXLAN-GPE.
    <li>Fixed a <a href="https://man.openbsd.org/tcpdump">tcpdump(8)</a>
	crash when printing the contents of a malformed packet where the
	packet length was smaller than the size of the usbpcap header.

    <li>Rewrote dhcpv6 parsing in <a
	href="https://man.openbsd.org/tcpdump">tcpdump(8)</a> to match the
	RFC, correctly handling dhcpv6 messages.
    <li>Accept netmask for IPv6 in <a
	href="https://man.openbsd.org/ifconfig">ifconfig(8)</a> instead of
	ignoring it and using only the prefixlen argument.

    <li>Fixed <a href="https://man.openbsd.org/snmp">snmp(1)</a> agent
	address parsing to allow IPv6 addresses to be used based on format,
	allow those without brackets to skip the port if it results in a
	nonsensical address (allowing use of ::1), and try to connect to the
	address immediately.
    <li>Implemented a df subcommand for <a
	href="https://man.openbsd.org/snmp">snmp(1)</a> which outputs disk and
	memory information in a <a href="https://man.openbsd.org/df">df(1)</a>
	format.
    <li>Implemented a -Cs option in <a
	href="https://man.openbsd.org/snmp">snmp(1)</a> for snmp walk and
	bulkwalk, allowing subsections of a tree to be skipped.
    <li>Introduced option filter-pf-addresses to <a
	href="https://man.openbsd.org/snmpd.conf">snmpd.conf(5)</a>, allowing
	the OPENBSD-PF-MIB::pfTblAddrTable tree to be filtered out when many
	prefixes are stored in pf tables, reducing CPU usage during bulk
	walks.

    <li>Added retries and timeouts for test packets to <a
	href="https://man.openbsd.org/radiusctl">radiusctl(8)</a>.


    <li>Corrected http auth combined with proxy auth in <a
	href="https://man.openbsd.org/ftp">ftp(1)</a>.
    <li>Corrected <a href="https://man.openbsd.org/ftp">ftp(1)</a>
	access to an https server with user/password through the "http_proxy"
	environment variable.
    <li>Prevented <a href="https://man.openbsd.org/ftp">ftp(1)</a>
	from following remote redirects to local files.
    <li>Implemented HTTP/1.1 in <a href="https://man.openbsd.org/ftp">ftp(1)</a>.
    <li>Added new -N name option to <a
	href="https://man.openbsd.org/ftp">ftp(1)</a>, allowing calling
	scripts to change the progname and produce better error messages.

    <li>Allowed <a href="https://man.openbsd.org/pfctl">pfctl(8)</a>
	to recursively flush rules and tables.
    <li>In <a href="https://man.openbsd.org/pf">pf(4)</a>, ensured
	rdr-to with loopback destination will work even when IP forwarding is
	disabled.

<!-- rpki-client -->

    <li>Enabled <a
	href="https://man.openbsd.org/rpki-client">rpki-client(8)</a>, a free,
	easy-to-use implementation of the Resource Public Key Infrastructure
	(RPKI) for Relying Parties (RP) to facilitate validation of the Route
	Origin of a BGP announcement. The program queries the RPKI repository
	system and outputs Validated ROA Payloads in the configuration format
	of OpenBGPD, BIRD, and also as CSV or JSON objects for consumption by
	other routing stacks.
    <li>Modified root's <a
	href="https://man.openbsd.org/crontab">crontab(1)</a> to run <a
	href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> and
	reload <a href="https://man.openbsd.org/bgpd">bgpd(8)</a>
	configuration, enabling RPKI ROA filtering.
    <li>Stopped hardcoding the cache directory in <a
	href="https://man.openbsd.org/rpki-client">rpki-client(8)</a>. Cache
	and output directory will use defaults for root users and must be
	specified by non-root users.
    <li>Made <a
	href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> use
	the existing cache and not exit if rsync(1) exits non-zero.
    <li>Fixed <a
	href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> -j
	option, which had not been producing any output.
    <li>Rewrote the time validity check for mtfs in <a
	href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> to
	correctly account for the timezone.
    <li>Added <a
	href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> output
	formats for the BIRD routing daemon and CSV.
    <li>For BIRD <a
	href="https://man.openbsd.org/rpki-client">rpki-client(8)</a> can
	generate three different output formats with the option
	<code>-B</code>: v1 with IPv4 and IPv6 routes, and v2.
  </ul>

<li><a href="https://man.openbsd.org/unwind">unwind(8)</a> improvements:
  <ul>
    <li>Implemented <a
	href="https://man.openbsd.org/unwindctl">unwindctl(8)</a> status
	memory to show cache memory usage.
    <li>Allowed forcing specific domains to be resolved by specific
	resolvers in <a
	href="https://man.openbsd.org/unwind.conf">unwind.conf(5)</a>,
	handling typical split-horizon setups.
    <li>Measured performance of resolving strategies in <a
	href="https://man.openbsd.org/unwind">unwind(8)</a>, sorting them and
        choosing the next best strategy when one fails.
        Performance data decays over time.
    <li>Switched captive portal detection from HTTP probing to DNS probing in <a
	href="https://man.openbsd.org/unwind">unwind(8)</a>.
    <li>Implemented DNS proposals in <a
	href="https://man.openbsd.org/unwind">unwind(8)</a> to learn
	nameservers from network autoconfiguration daemons.
    <li>Added opportunistic DoT support to <a
	href="https://man.openbsd.org/unwind">unwind(8)</a>.
    <li>Added an ASR resolver type to <a
	href="https://man.openbsd.org/unwind">unwind(8)</a>, using the libc
        asynchronous resolver directly with DHCP-provided nameservers to work
        around broken middle boxes.
  </ul>

<li><a href="https://man.openbsd.org/ipsec">ipsec(4)</a> improvements and
    bugfixes:
  <ul>
    <li>Added support for automatically moving traffic between
	rdomains on <a href="https://man.openbsd.org/ipsec">ipsec(4)</a>
	encryption or decryption, reducing the attack surface for network
	sidechannel attacks.
    <li>Added <a href="https://man.openbsd.org/iked">iked(8)</a>
	support for switching rdomain on <a
	href="https://man.openbsd.org/ipsec">ipsec(4)</a>
	encryption/decryption, configurable per policy with the new
	'rdomain' option in <a
	href="https://man.openbsd.org/iked.conf">iked.conf(5)</a>.
    <li>Changed the default ipsec level set by <a
	href="https://man.openbsd.org/iked">iked(8)</a> and <a
	href="https://man.openbsd.org/isakmpd">isakmpd(8)</a> to
	IPSEC_LEVEL_REQUIRE. Unencrypted packets matching incoming
	ipsec flows are no longer accepted by default.
    <li>Added curve25519, ecp256, ecp384, ecp521, modp3072 and modp4096 to
	the default Diffie-Hellman group configuration for IKE SAs in
	<a href="https://man.openbsd.org/iked">iked(8)</a>.
    <li>Removed support for the insecure EC2N Diffie-Hellman groups in <a
	href="https://man.openbsd.org/iked">iked(8)</a>.
    <li>Changed the default authentication method in <a
	href="https://man.openbsd.org/iked">iked(8)</a> to
	generic signature authentication (RFC 7427).
    <li>Added ESN configuration options for ikesa in <a
	href="https://man.openbsd.org/iked.conf">iked.conf(5)</a>.
    <li>Added transport mode for child SAs to <a
	href="https://man.openbsd.org/iked">iked(8)</a>.
    <li>Added active probing for lost connection in <a
	href="https://man.openbsd.org/iked">iked(8)</a> resulting in a
	faster connection reset.
    <li>Added a -p command line option to <a
	href="https://man.openbsd.org/iked">iked(8)</a> allow configuration
	of a non-standard UDP encapsulation port.
    <li>Added support for multiple X.509 extensions and multiple
	subjectAltName fields in certificates used with <a
	href="https://man.openbsd.org/iked">iked(8)</a>.
    <li>Added support for certificates with uppercase subjectAltNames
	in <a href="https://man.openbsd.org/iked">iked(8)</a>.
    <li>Removed automatically installed <a
	href="https://man.openbsd.org/ipsec">ipsec(4)</a> flow blocking
	unencrypted IPv6 traffic in <a
	href="https://man.openbsd.org/iked">iked(8)</a>.
    <li>Reduced size of IKE_AUTH message by eliminating duplicate traffic
	selectors in <a href="https://man.openbsd.org/iked">iked(8)</a>.
    <li>Added an <a
	href="https://man.openbsd.org/ikectl">ikectl(8)</a> "show sa"
	command to print information about the state of negotiated IKE SAs,
	their child SAs and the resulting IPsec flows.
    <li>Added an <a
	href="https://man.openbsd.org/ikectl">ikectl(8)</a> "reset id"
	command to reset all SAs from policies with matching destination IDs.
    <li>Added support for UDP encapsulation in manual SAs set up with <a
	href="https://man.openbsd.org/ipsec.conf">ipsec.conf(5)</a>.
    <li>Fixed an <a href="https://man.openbsd.org/iked">iked(8)</a>
	bug that lead to connection loss after simultaneous rekeying.
    <li>Fixed an <a href="https://man.openbsd.org/iked">iked(8)</a>
	public key leak in the CA process for ASN-DN IDs.
    <li>Fixed  a bug that lead to a lost EAP ID after rekeying in <a
	href="https://man.openbsd.org/iked">iked(8)</a>.
    <li>Fixed EAP user database corruption resulting from use of the <a
	href="https://man.openbsd.org/ikectl">ikectl(8)</a> reload command.
    <li>Corrected <a href="https://man.openbsd.org/iked">iked(8)</a>
	calculation of IPv6 address leases from small address pools.
    <li>Fixed several bugs that could lead to <a
	href="https://man.openbsd.org/iked">iked(8)</a> selecting a false policy
	for incoming requests, resulting in a failed handshake.
    <li>Fixed a bug that broke PSK authentication against Strongswan.
    <li>Enabled UDP-encapsulation in Child SAs if <a
	href="https://man.openbsd.org/iked">iked(8)</a> was started with -t.
    <li>Fixed <a href="https://man.openbsd.org/isakmpd">isakmpd(8)</a>
	IKE pcap file creation.
  </ul>

<li><a href="https://man.openbsd.org/tmux">tmux(1)</a> improvements and bug fixes:
  <ul>
    <li>Indicated the marked pane in <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> choose mode in
	reverse, and added keys to set (m) and clear it (M), and to jump to
	the starting pane (H).
    <li>Allowed <a href="https://man.openbsd.org/tmux">tmux(1)</a>
	main-pane-width and height to be specified as percentages.
    <li>Added a -f filter argument to the <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> list commands like
	choose-tree.
    <li>Added an -s flag to <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> copy-mode to specify a
	different pane for the source content.
    <li>Added a -T flag to <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> resize-pane to trim
	lines below the cursor.
    <li>Added support for <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> overlay popup boxes,
	created with the display-popup command.
    <li>Added a <a href="https://man.openbsd.org/tmux">tmux(1)</a> -d
	flag to run-shell to wait for delay before running the command (or
	delay with no command).
    <li>Added a <a href="https://man.openbsd.org/tmux">tmux(1)</a>
	copy-mode -H flag to hide the position marker in the top right.
    <li>Added <a href="https://man.openbsd.org/tmux">tmux(1)</a> C-g
	to cancel command prompt with <a
	href="https://man.openbsd.org/vi">vi(1)</a> keys as well as emacs, and
	q in command mode.
    <li>Modified <a href="https://man.openbsd.org/tmux">tmux(1)</a> -S
	server socket to be created with umask 177 rather than 117.
    <li>Introduced a <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> selection_active
	format for when the selection is present but not moving with the
	cursor.
    <li>Added -a to the list-keys command in <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> to also list keys
	without notes with -N.
    <li>Added <a href="https://man.openbsd.org/tmux">tmux(1)</a> support
	for adding a note to a key binding with bind-key -N and using this to
	add descriptions to the default key binding. Using list-keys -N shows
	key bindings with notes. Changed the default ? binding to show a
	readable summary of keys.
    <li>Added -Z to the default <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> switch-client command
	in tree mode.
    <li>Prevented read-only <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> clients from limiting
	the size of other clients.
    <li>Added support for regex searches in <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> copy mode.
    <li>Modified <a href="https://man.openbsd.org/tmux">tmux(1)</a>
	source-file to allow reading from stdin.
    <li>Added a <a href="https://man.openbsd.org/tmux">tmux(1)</a> p
	format modifier for padding to width.
    <li>Added -f for full size to join-pane in <a
	href="https://man.openbsd.org/tmux">tmux(1)</a>.
    <li>Changed <a href="https://man.openbsd.org/tmux">tmux(1)</a>
	new-session -A to attach to the best existing session when a session
	name is not specified, rather than creating a new session.
    <li>Added an option to <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> to set the key sent by
	backspace for systems using ^H.
    <li>Added -F flag to <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> send-keys to expand
	formats in search-backward and forward copy mode commands.
    <li>Added support for percentage sizes to <a
	href="https://man.openbsd.org/tmux">tmux(1)</a> resize-pane ("-x 10%")
	and changed split-window and join-pane -l to accept similar
	percentages, deprecating the -p option.
  </ul>

<li>VMM/VMD improvements
  <ul>
    <li>Added <a href="https://man.openbsd.org/vmm">vmm(4)</a> IOCTL
	handler to set the access protections of the ept.
    <li>Added a check in <a
	href="https://man.openbsd.org/vmm">vmm(4)</a> for <a
	href="https://man.openbsd.org/pvclock">pvclock(4)</a> struct crossing
	of page boundaries, which could potentially corrupt host memory.
    <li>Tightened rdmsr on svm in <a href="https://man.openbsd.org/vmm">vmm(4)</a>.
    <li>Fixed an issue where a <a
	href="https://man.openbsd.org/vmm">vmm(4)</a> guest could write to
	host memory by passing bogus addresses in <a
	href="https://man.openbsd.org/pvclock">pvclock(4)</a>.
    <li>Run <a href="https://man.openbsd.org/cu">cu(1)</a> in
	restricted mode using -r in <a
	href="https://man.openbsd.org/vmctl">vmctl(8)</a> and <a
	href="https://man.openbsd.org/ldomctl">ldomctl(8)</a>.
    <li>Started virtual machines defined in <a
	href="https://man.openbsd.org/vm.conf">vm.conf(5)</a> in a staggered
	fashion, helping prevent overload of the host and improper tsc
	calibration in guests.
    <li>Provided proper concurrency control when pausing a vm in <a
	href="https://man.openbsd.org/vmd">vmd(8)</a>.
    <li>Fixed a panic when tearing down vms with <a
	href="https://man.openbsd.org/vmm">vmm(4)</a>.
  </ul>


<li>ldom/sparc64 virtualization improvements
  <ul>
    <li>Added support for devaliases for vnet in <a
	href="https://man.openbsd.org/ldom.conf">ldom.conf(5)</a>.
    <li>Implemented <a
	href="https://man.openbsd.org/ldomctl">ldomctl(8)</a> "panic -c" to
	panic a guest domain (and enter <a
	href="https://man.openbsd.org/ddb">ddb(4)</a>).
    <li>Implemented "start -c" in <a
	href="https://man.openbsd.org/ldomctl">ldomctl(8)</a> to automatically
	connect to the console.
    <li>Introduced a -n option to <a
	href="https://man.openbsd.org/ldomctl">ldomctl(8)</a> to validate the
	configuration file and exit.
    <li>Added a create-vdisk command to <a
	href="https://man.openbsd.org/ldomctl">ldomctl(8)</a> analogous to
	amd64's <a href="https://man.openbsd.org/vmctl">vmctl(8)</a> create.
    <li>Added the "console" command to <a
	href="https://man.openbsd.org/ldomctl">ldomctl(8)</a> which executes
	<a href="https://man.openbsd.org/cu">cu(1)</a> on the domain's
	console.
    <li>Printed guest domain <a
	href="https://man.openbsd.org/vcctty">vcctty(4)</a> devices in status
	output in <a href="https://man.openbsd.org/ldomctl">ldomctl(8)</a>.
    <li>Added list-io command to <a
	href="https://man.openbsd.org/ldomctl">ldomctl(8)</a>, listing the
	available PCIe devices to be used with the iodevice parameter in <a
	href="https://man.openbsd.org/ldom.conf">ldom.conf(5)</a>.
  </ul>

<li>OpenSMTPD 6.7.0
  <ul>
    <li>New Features
      <ul>
	<li>Allowed use of the <a
	    href="https://man.openbsd.org/smtpd">smtpd(8)</a> session username in
	    built-in filters when available.
	<li>Introduced a bypass keyword to <a
	    href="https://man.openbsd.org/smtpd">smtpd(8)</a> so that built-in
	    filters can bypass processing when a condition is met.
	<li>Allowed use of 'auth' as an origin in <a
	    href="https://man.openbsd.org/smtpd.conf">smtpd.conf(5)</a>.
	<li>Allowed use of mail-from and rctp-to as for and from parameters
	    in <a href="https://man.openbsd.org/smtpd.conf">smtpd.conf(5)</a>.
      </ul>

    <li>Bug fixes
      <ul>
	<li>Ensured legacy <a href="https://man.openbsd.org/ssl">ssl(8)</a>
	    session ID is persistent during a client TLS session, fixing an issue
	    using TLSv1.3 with smtp.mail.yahoo.com.
	<li>Fixed security vulnerabilities in <a
	    href="https://man.openbsd.org/smtpd">smtpd(8)</a>. Corrected an
	    out-of-bounds read in smtpd allowing an attacker to inject arbitrary
	    commands into the envelope file to be executed as root, and ensured
	    privilege revocation in <a
	    href="https://man.openbsd.org/smtpctl">smtpctl(8)</a> to prevent
	    arbitrary commands from being run with the _smtpq group.
	<li>Allowed <a
	    href="https://man.openbsd.org/mail.local">mail.local(8)</a> to be run
	    as non-root, opening a pipe to <a
	    href="https://man.openbsd.org/lockspool">lockspool(1)</a> for file
	    locking.
	<li>Fixed a security vulnerability in <a
	    href="https://man.openbsd.org/smtpd">smtpd(8)</a> which could lead to
	    a privilege escalation on mbox deliveries and unprivileged code
	    execution on lmtp deliveries.
	<li>Added support for CIDR in a: spf atoms in <a
	    href="https://man.openbsd.org/smtpd">smtpd(8)</a>.
	<li>Fixed a possible crash in <a
	    href="https://man.openbsd.org/smtpd">smtpd(8)</a> when combining "from
	    rdns" with nested virtual aliases under a particular configuration.
      </ul>

    <li>Experimental Features
      <ul>
	<li>Introduced smtp-out event reporting.
	<li>Improved filtering protocol.
      </ul>
  </ul>

<li>LibreSSL 3.1.1
  <ul>
    <li>New Features
    <ul>
	<li>Completed initial TLS 1.3 implementation with a completely new state
	    machine and record layer. TLS 1.3 is now enabled by default for the
	    client side, with the server side to be enabled in a future release.
	    Note that the OpenSSL TLS 1.3 API is not yet visible/available.
	<li>Improved cipher suite handling to automatically include TLSv1.3
            cipher suites when they are not explicitly referred to in the
            cipher string.
	<li>Provided TLSv1.3 cipher suite aliases to match the names used
	    in RFC 8446.
	<li>Added cms subcommand to openssl(1).
	<li>Added -addext option to openssl(1) req subcommand.
	<li>Added -groups option to openssl(1) s_server subcommand.
	<li>Added TLSv1.3 extension types to openssl(1) -tlsextdebug.
    </ul>

    <li>API and Documentation Enhancements
    <ul>
	<li>Added RSA-PSS and RSA-OAEP methods from OpenSSL 1.1.1.
	<li>Ported Cryptographic Message Syntax (CMS) implementation from OpenSSL
	    1.1.1 and enabled by default.
    </ul>

    <li>Compatibility Changes
    <ul>
	<li>Improved compatibility by backporting functionality and documentation
	    from OpenSSL 1.1.1.
	<li>Adjusted EVP_chacha20()'s behavior to match OpenSSL's semantics.
    </ul>

    <li>Testing and Proactive Security
    <ul>
	<li>Added many new additional crypto test vectors.
	<li>Fix to disallow setting the AES-GCM IV length to zero.
    </ul>

    <li>Internal Improvements
      <ul>
	<li>Many more code cleanups, fixes, and improvements to memory handling
	    and protocol parsing.
      </ul>

    <li>Portable Improvements
    <ul>
	<li>Default CA bundle location is now configurable in portable builds.
	<li>Improved portable builds to support for use of static MSVC runtimes.
	<li>Fixed portable builds to avoid exporting a sleep() symbol.
    </ul>

    <li>Bug Fixes
    <ul>
	<li>Fixed printing the serialNumber with X509_print_ex() fall back to
	    the colon separated hex bytes in case greater than int value.
    </ul>
  </ul>

<li>OpenSSH 8.3
  <ul>
    <li>Potentially incompatible changes.
      <ul>
	<li><a href="https://man.openbsd.org/sftp">sftp(1)</a>:
	    reject an argument of "-1" in the same way as ssh(1) and
	    scp(1) do instead of accepting and silently ignoring it.
	<li>Removed ssh-rsa (SHA1) from the list of allowed CA signature algorithms.
	<li>Removed diffie-hellman-group14-sha1 from the default <a
	    href="https://man.openbsd.org/ssh">ssh(1)</a> key exchange.
	<li><a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>:
	    the command-line options related to the generation
	    and screening of safe prime numbers used by the
	    diffie-hellman-group-exchange-* key exchange algorithms have
	    changed. Most options have been folded under the -O flag.
	<li><a href="https://man.openbsd.org/sshd.8">sshd(8)</a>:
	    the sshd listener process title visible to ps(1) has
	    changed to include information about the number of connections that
	    are currently attempting authentication and the limits configured
	    by MaxStartups.
	<li><a href="https://man.openbsd.org/ssh-sk-helper.8">ssh-sk-helper(8)</a>:
	    this is a new binary. It is used by the FIDO/U2F
	    support to provide address-space isolation for token middleware
	    libraries (including the internal one). It needs to be installed
	    in the expected path under /usr/libexec.
	</ul>
    <li>New Features
      <ul>
	<li>Allowed use of the IgnoreRhosts directive anywhere in an <a
	    href="https://man.openbsd.org/sshd_config">sshd_config(5)</a> file,
	    not just before Match blocks, and made it a tri-state option.
	<li>Added TOKEN percent expansion (i.e. userid, hostnames etc.) to <a
	    href="https://man.openbsd.org/ssh">ssh(1)</a> LocalForward and
	    RemoteForward when used for Unix domain socket forwarding.
	<li>all: allow loading public keys from the unencrypted envelope of a
	    private key file if no corresponding public key file is present.
	<li>Gave <a
	    href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> the
	    ability to dump the contents of a binary key revocation list with
	    <code>ssh-keygen -lQf /path</code>.
	<li>Added <a href="https://man.openbsd.org/ssh">ssh(1)</a> -Q key-sig
	    option for all key and signature types, teaching ssh -Q to accept <a
	    href="https://man.openbsd.org/ssh_config">ssh_config(5)</a> and <a
	    href="https://man.openbsd.org/sshd_config">sshd_config(5)</a>
	    algorithm keywords as an alias for the corresponding query.
	<li>Updated to libfido2 780ad3c25.
	<li>Added an <a
	    href="https://man.openbsd.org/sshd_config">sshd_config(5)</a>
	    "Include" directive to allow inclusion of files.
	<li>Renamed <a href="https://man.openbsd.org/ssh-add">ssh-add(1)</a>
	    -O to -K to load resident keys from a FIDO authenticator.
	<li>Added the ability to download FIDO2 resident keys from a token
	    via the <a href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>
	    -K option and save public/private keys into the current directory.
	<li>Implemented support for generating FIDO2 resident keys. "ssh-add
	    -O" will load resident keys from a FIDO2 token and add them to an
	    ssh-agent. Removed the -x option currently used for the
	    FIDO/U2F-specific key flags, now under -O.
	<li>Removed single letter flags for moduli generation in <a
	    href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> and moved
	    all moduli generation options to under the -O flag. Breaks existing
	    ssh-keygen commandline syntax for moduli-related operations.
	<li>Allowed forwarding of a different agent socket to a specified
	    path in <a href="https://man.openbsd.org/ssh">ssh(1)</a>.
	<li>Allowed <a href="https://man.openbsd.org/ssh">ssh(1)</a> security
	    keys to act as host keys as well as user keys.
	<li>Used ssh-sk-helper for all security key signing operations and
	    security key enrollment. Most <a
	    href="https://man.openbsd.org/ssh">ssh(1)</a> tools no longer need to
	    link against libfido2 or interact with /dev/uhid* directly.
	<li>Added "no-touch-required" options to <a
	    href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> and <a
	    href="https://man.openbsd.org/sshd">sshd(8)</a> to disable touch
	    requirement for authorized_keys and certificates.
	<li>Added an <a
	    href="https://man.openbsd.org/sshd_config">sshd_config(5)</a>
	    PubkeyAuthOptions directive allowing specification of whether <a
	    href="https://man.openbsd.org/sshd">sshd(8)</a> should check whether
	    user presence was tested before a security key was made.
        <li>Added direct support for U2F/FIDO2 security keys in <a
	    href="https://man.openbsd.org/ssh">ssh(1)</a>.
        <li>Added initial infrastructure for U2F/FIDO support in <a
	    href="https://man.openbsd.org/ssh">ssh(1)</a>.
	<li>Notified the user via TTY or $SSH_ASKPASS when <a
	    href="https://man.openbsd.org/ssh">ssh(1)</a> security keys must be
	    tapped/touched in order to perform a signature operation.
	<li>Enabled ed25519 support in <a
	    href="https://man.openbsd.org/ssh">ssh(1)</a>.
      </ul>
    <li>Bugfixes
      <ul>
	<li>Detected and prevented simple <a
	    href="https://man.openbsd.org/ssh">ssh(1)</a> configuration loops when
	    using ProxyJump.
	<li>Fixed PIN entry bugs on FIDO in <a
	    href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a>.
	<li>Fixed <a
	    href="https://man.openbsd.org/ssh-keygen">ssh-keygen(1)</a> not
	    displaying the authenticator touch prompt.
	<li>Prevented a timeout in <a
	    href="https://man.openbsd.org/ssh">ssh(1)</a> when the server doesn't
	    immediately send a banner, such as with multiplexers like sslh.
	<li>Adjusted on-wire signature encoding for ecdsh-sk <a
	    href="https://man.openbsd.org/ssh">ssh(1)</a> keys to better match
	    ec25519-sk keys.
	<li>Fixed a potential NULL dereference for revoked hostkeys in <a
	    href="https://man.openbsd.org/ssh">ssh(1)</a>.
	<li>ssh(1): fix IdentitiesOnly=yes to also apply to keys loaded from
	    a PKCS11Provider
	<li>ssh-keygen(1): avoid NULL dereference when trying to convert an
	    invalid RFC4716 private key.
	<li>scp(2): when performing remote-to-remote copies using "scp -3",
	    start the second ssh(1) channel with BatchMode=yes enabled to
	    avoid confusing and non-deterministic ordering of prompts.
 	<li>ssh(1): fix incorrect error message for "too many known hosts
	    files."
	<li>ssh(1): make failures when establishing "Tunnel" forwarding
	    terminate the connection when ExitOnForwardFailure is enabled
	<li>ssh-keygen(1): fix printing of fingerprints on private keys and add
	    a regression test for same.
	<li>sshd(8): document order of checking AuthorizedKeysFile (first) and
	    AuthorizedKeysCommand (subsequently, if the file doesn't match)
	<li>sshd(8): document that /etc/hosts.equiv and /etc/shosts.equiv are
	    not considered for HostbasedAuthentication when the target user is
	    root
	<li>ssh(1), ssh-keygen(1): fix NULL dereference in private certificate
	    key parsing (oss-fuzz #20074).
	<li>ssh(1), sshd(8): more consistency between sets of %TOKENS are
	    accepted in various configuration options.
	<li>ssh(1), ssh-keygen(1): improve error messages for some common
	    PKCS#11 C_Login failure cases
	<li>ssh(1), sshd(8): make error messages for problems during SSH banner
	    exchange consistent with other SSH transport-layer error messages
	    and ensure they include the relevant IP addresses
	<li>various: fix a number of spelling errors in comments and debug/error
	    messages
 	<li>ssh-keygen(1), ssh-add(1): when downloading FIDO2 resident keys
	    from a token, don't prompt for a PIN until the token has told us
	    that it needs one. Avoids double-prompting on devices that
	    implement on-device authentication.
 	<li>sshd(8), ssh-keygen(1): no-touch-required FIDO certificate option
	    should be an extension, not a critical option.
 	<li>ssh(1), ssh-keygen(1), ssh-add(1): offer a better error message
	    when trying to use a FIDO key function and SecurityKeyProvider is
	    empty.
	<li>ssh-add(1), ssh-agent(8): ensure that a key lifetime fits within
	    the values allowed by the wire format (u32). Prevents integer
	    wraparound of the timeout values
	</ul>
  </ul>

<li>Mandoc 1.14.6
  <ul>
    <li>Introduced a new <a
	href="https://man.openbsd.org/mdoc">mdoc(7)</a> macro .Tg ("tag") to
	explicitly mark a place as defining a term, and improved automatic
	tagging in various ways.
    <li>Print the manpath when the <a
	href="https://man.openbsd.org/man.1#w">man(1) -w</a> option
	is given without an argument, for compatibility with the man-1.6
	and man-db implementations.
    <li>Deleted support for the <a
	href="https://man.openbsd.org/OpenBSD-6.6/man.conf.5#_whatdb"
	>_whatdb</a> configuration directive from
	<a href="https://man.openbsd.org/man.conf.5">man.conf(5)</a>
	five years after it was declared obsolete; use <a
	href="https://man.openbsd.org/man.conf.5#manpath">manpath</a> instead.
    <li>Added a Content-Security-Policy HTTP header to <a
	href="https://man.openbsd.org/man.cgi.8">man.cgi(8)</a>
	that allows only CSS.
    <li>Provide a STYLE message when <a
	href="https://man.openbsd.org/mandoc.1">mandoc(1)</a> knows the
	filename and the extension disagrees with the section number
	given in the .Dt or .TH macro.
    <li>When the <a href="https://man.openbsd.org/mdoc.7">mdoc(7)</a> .Dd
	macro lacks an argument, use the empty string, and always
	concatenate all arguments, no matter their number.
	The same change was applied to groff.
  </ul>

<li>Ports and packages:
<p>The package system provides an easy way to install 3rd party software. New features include:
  <ul>
    <li>Provide debug package information that can be installed
	alongside packages and used to provide better bug reports.
    <li>Added DEBUG_PKG_CACHE functionality to <a
	href="https://man.openbsd.org/pkg_add">pkg_add(1)</a>, fetching debug
	patches when packages are installed.
    <li>Added a -d option to <a
	href="https://man.openbsd.org/pkg_add">pkg_add(1)</a> to add debug
	packages if present alongside intended updates or additions.
    <li>Added support for "alpha" suffixes in <a
	href="https://man.openbsd.org/packages-specs">packages-specs(7)</a>,
	removing the need for workarounds in certain ports distfiles.
  </ul>

  <p>Many pre-built packages for each architecture:
  <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
  <ul style="column-count: 3">
    <li>aarch64:     10848
    <li>amd64:       11268
    <li>arm:          8596
    <li>i386:        10715
    <li>mips64:       9281
    <li>mips64el:     6503
    <li>powerpc:      9890
    <li>sparc64:      9850
  </ul>

<li>As usual, steady improvements in manual pages and other documentation.

<li>The system includes the following major components from outside suppliers:
  <ul>
    <li>Xenocara (based on X.Org 7.7 with xserver 1.20.8 + patches,
        freetype 2.10.1, fontconfig 2.12.4, Mesa 19.2.8, xterm 351,
        xkeyboard-config 2.20 and more)
    <li>LLVM/Clang 8.0.1 (+ patches)
    <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    <li>Perl 5.30.2 (+ patches)
    <li>NSD 4.2.4
    <li>Unbound 1.10.0
    <li>Ncurses 5.7
    <li>Binutils 2.17 (+ patches)
    <li>Gdb 6.3 (+ patches)
    <li>Awk Dec 20, 2012 version
    <li>Expat 2.2.8
  </ul>
</ul>
</section>

<hr>

<section id=install>
<h3>How to install</h3>
<p>
Please refer to the following files on the mirror site for
extensive details on how to install OpenBSD 6.7 on your machine:

<ul>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/alpha/INSTALL.alpha">
	.../OpenBSD/6.7/alpha/INSTALL.alpha</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/amd64/INSTALL.amd64">
	.../OpenBSD/6.7/amd64/INSTALL.amd64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/arm64/INSTALL.arm64">
	.../OpenBSD/6.7/arm64/INSTALL.arm64</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/armv7/INSTALL.armv7">
	.../OpenBSD/6.7/armv7/INSTALL.armv7</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/hppa/INSTALL.hppa">
	.../OpenBSD/6.7/hppa/INSTALL.hppa</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/i386/INSTALL.i386">
	.../OpenBSD/6.7/i386/INSTALL.i386</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/landisk/INSTALL.landisk">
	.../OpenBSD/6.7/landisk/INSTALL.landisk</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/loongson/INSTALL.loongson">
	.../OpenBSD/6.7/loongson/INSTALL.loongson</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/luna88k/INSTALL.luna88k">
	.../OpenBSD/6.7/luna88k/INSTALL.luna88k</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/macppc/INSTALL.macppc">
	.../OpenBSD/6.7/macppc/INSTALL.macppc</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/octeon/INSTALL.octeon">
	.../OpenBSD/6.7/octeon/INSTALL.octeon</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/sgi/INSTALL.sgi">
	.../OpenBSD/6.7/sgi/INSTALL.sgi</a>
<li><a href="https://ftp.openbsd.org/pub/OpenBSD/6.7/sparc64/INSTALL.sparc64">
	.../OpenBSD/6.7/sparc64/INSTALL.sparc64</a>
</ul>
</section>

<hr>

<section id=quickinstall>
<p>
Quick installer information for people familiar with OpenBSD, and the use of
the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
If you are at all confused when installing OpenBSD, read the relevant
INSTALL.* file as listed above!

<h3>OpenBSD/alpha:</h3>

<p>
If your machine can boot from CD, you can write <i>install67.iso</i> or
<i>cd67.iso</i> to a CD and boot from it.
Refer to INSTALL.alpha for more details.

<h3>OpenBSD/amd64:</h3>

<p>
If your machine can boot from CD, you can write <i>install67.iso</i> or
<i>cd67.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.

<p>
If your machine can boot from USB, you can write <i>install67.fs</i> or
<i>miniroot67.fs</i> to a USB stick and boot from it.

<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in the included
INSTALL.amd64 document.

<p>
If you are planning to dual boot OpenBSD with another OS, you will need to
read INSTALL.amd64.

<h3>OpenBSD/arm64:</h3>

<p>
Write <i>miniroot67.fs</i> to a disk and boot from it after connecting
to the serial console.  Refer to INSTALL.arm64 for more details.

<h3>OpenBSD/armv7:</h3>

<p>
Write a system specific miniroot to an SD card and boot from it after connecting
to the serial console.  Refer to INSTALL.armv7 for more details.

<h3>OpenBSD/hppa:</h3>

<p>
Boot over the network by following the instructions in INSTALL.hppa or the
<a href="hppa.html#install">hppa platform page</a>.

<h3>OpenBSD/i386:</h3>

<p>
If your machine can boot from CD, you can write <i>install67.iso</i> or
<i>cd67.iso</i> to a CD and boot from it.
You may need to adjust your BIOS options first.

<p>
If your machine can boot from USB, you can write <i>install67.fs</i> or
<i>miniroot67.fs</i> to a USB stick and boot from it.

<p>
If you can't boot from a CD, floppy disk, or USB,
you can install across the network using PXE as described in
the included INSTALL.i386 document.

<p>
If you are planning on dual booting OpenBSD with another OS, you will need to
read INSTALL.i386.

<h3>OpenBSD/landisk:</h3>

<p>
Write <i>miniroot67.fs</i> to the start of the CF
or disk, and boot normally.

<h3>OpenBSD/loongson:</h3>

<p>
Write <i>miniroot67.fs</i> to a USB stick and boot bsd.rd from it
or boot bsd.rd via tftp.
Refer to the instructions in INSTALL.loongson for more details.

<h3>OpenBSD/luna88k:</h3>

<p>
Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
from the PROM, and then bsd.rd from the bootloader.
Refer to the instructions in INSTALL.luna88k for more details.

<h3>OpenBSD/macppc:</h3>

<p>
Burn the image from a mirror site to a CDROM, and power on your machine
while holding down the <i>C</i> key until the display turns on and
shows <i>OpenBSD/macppc boot</i>.

<p>
Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
/6.7/macppc/bsd.rd</i>

<h3>OpenBSD/octeon:</h3>

<p>
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
Refer to the instructions in INSTALL.octeon for more details.

<h3>OpenBSD/sgi:</h3>

<p>
To install, burn cd67.iso on a CD-R, put it in the CD drive of your
machine and select <i>Install System Software</i> from the System Maintenance
menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from
CD-ROM, and need a proper invocation from the PROM prompt.
Refer to the instructions in INSTALL.sgi for more details.

<p>
If your machine doesn't have a CD drive, you can setup a DHCP/tftp network
server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your
system type. Refer to the instructions in INSTALL.sgi for more details.

<h3>OpenBSD/sparc64:</h3>

<p>
Burn the image from a mirror site to a CDROM, boot from it, and type
<i>boot cdrom</i>.

<p>
If this doesn't work, or if you don't have a CDROM drive, you can write
<i>floppy67.fs</i> or <i>floppyB67.fs</i>
(depending on your machine) to a floppy and boot it with <i>boot
floppy</i>. Refer to INSTALL.sparc64 for details.

<p>
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
will most likely fail.

<p>
You can also write <i>miniroot67.fs</i> to the swap partition on
the disk and boot with <i>boot disk:b</i>.

<p>
If nothing works, you can boot over the network as described in INSTALL.sparc64.
</section>

<hr>

<section id=upgrade>
<h3>How to upgrade</h3>
<p>
If you already have an OpenBSD 6.6 system, and do not want to reinstall,
upgrade instructions and advice can be found in the
<a href="faq/upgrade67.html">Upgrade Guide</a>.
</section>

<hr>

<section id=sourcecode>
<h3>Notes about the source code</h3>
<p>
<code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/src.tar.gz</kbd>
</pre></blockquote>
<p>
<code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
<blockquote><pre>
# <kbd>mkdir -p /usr/src/sys</kbd>
# <kbd>cd /usr/src</kbd>
# <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
</pre></blockquote>
<p>
Both of these trees are a regular CVS checkout.  Using these trees it
is possible to get a head-start on using the anoncvs servers as
described <a href="anoncvs.html">here</a>.
Using these files
results in a much faster initial CVS update than you could expect from
a fresh checkout of the full OpenBSD source tree.
</section>

<hr>

<section id=ports>
<h3>Ports Tree</h3>
<p>
A ports tree archive is also provided.  To extract:
<blockquote><pre>
# <kbd>cd /usr</kbd>
# <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
</pre></blockquote>
<p>
Go read the <a href="faq/ports/index.html">ports</a> page
if you know nothing about ports
at this point.  This text is not a manual of how to use ports.
Rather, it is a set of notes meant to kickstart the user on the
OpenBSD ports system.
<p>
The <i>ports/</i> directory represents a CVS checkout of our ports.
As with our complete source tree, our ports tree is available via
<a href="anoncvs.html">AnonCVS</a>.
So, in order to keep up to date with the -stable branch, you must make
the <i>ports/</i> tree available on a read-write medium and update the tree
with a command like:
<blockquote><pre>
# <kbd>cd /usr/ports</kbd>
# <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_7</kbd>
</pre></blockquote>
<p>
[Of course, you must replace the server name here with a nearby anoncvs
server.]
<p>
Note that most ports are available as packages on our mirrors. Updated
ports for the 6.7 release will be made available if problems arise.
<p>
If you're interested in seeing a port added, would like to help out, or just
would like to know more, the mailing list
<a href="mail.html">ports@openbsd.org</a> is a good place to know.
</section>