------------------------------------------------------------------------
- OpenBSD 7.8 RELEASED -------------------------------------------------
October 22, 2025.
We are pleased to announce the official release of OpenBSD 7.8.
This is our 59th release. We remain proud of OpenBSD's record of
thirty years with only two remote holes in the default install.
As in our previous releases, 7.8 provides significant improvements,
including new features, in nearly all areas of the system:
- Platform-specific improvements:
o arm64:
- Added support for Raspberry Pi 5 (with console on serial
port).
- Implement acpicpu(4) for arm64.
- On Apple variants, enter DDB when exuart(4) detects a BREAK.
- On arm64 and riscv64, avoid multiple threads of a process
continuously faulting on a single page when pmap_enter(9) is
asked to enter a mapping that already exists.
- Make apm and hw.cpuspeed work on Snapdragon X Elite machines.
o amd64:
- Fix processing of GPIO events for pin numbers less than 256
with an _EVT method. Fixes power button on various ThinkPads
with AMD CPUs.
o Other architectures:
- Added a sparc64-specific _raw flavour to the softintr
routines for those drivers that need to be able to schedule
soft interrupts at actual hardware levels.
o More platform specific changes can be found in the hardware
support section below.
- Various kernel improvements:
o Set an upper limit on the value of sysctl(2) kern.seminfo.semopm
to avoid a possible kernel panic.
o On arm64, avoid decoding instructions when ELR isn't pointing into
the kernel part of the virtual address space and use fault()
instead of panic() to provide better error reports.
o Inherit PS_NOBTCFI at fork(2) so forked children do not get killed
by BTCFI safeguards.
o Inherit PS_PROFILE at fork(2). This lets child processes
disable/reenable profiling when they deem it appropriate.
o Implement the POSIX-2024 close-on-fork flag, but modified to be
reset on exec as preserving it across exec is not necessary for
its original purpose and has security and usability concerns.
o Improve handling of lock nesting by witness(4).
o Add MI high-level software interrupt dispatcher, providing a
common subsystem for the high-level allocation, scheduling, and
dispatching of soft interrupts.
o Remove the functionality of fs.posix.setuid sysctl.
o Use a FIFO queue for passing dead threads to the reaper, reducing
latency with large numbers of CPUs and jobs.
o Skip filesystem mount time update in BOOT kernels to enable crude
timekeeping across reboots without RTC and NTP.
o Move the kernel to using nanoseconds for the sleep time argument
instead of ticks. Userland functions don't change but precision is
no longer lost converting nanoseconds into ticks.
o Show SEV or SEV-ES guest mode in dmesg when running with AMD SEV.
o Support the GHCB protocol for IO and MMIO with SEV-ES. This makes
OpenBSD work with SEV-ES on kvm/qemu in 1-vCPU VMs.
o Add psp(4) ioctl(2) to encrypt and measure state for AMD SEV-ES.
o Add cpu_xcall(9), an API for CPU xcalls (crosscalls), allowing
dispatching of code to run on the specified CPU from an interrupt
context.
o Add dt(4) trace points to rwlock(9).
o Teach btrace(8) how to resolve addresses in callstacks to symbols.
o Improve the documentation of dt(4) and btrace(8).
o Improve compatibility of the FUSE filesystem with the Linux
libfuse implementation.
o Make it possible to run the upper part of the fault handler in
parallel.
o Improve mtx_enter() for machines with a huge number of CPUs.
- Suspend/Hibernate Support:
o Preallocate hibernate work area during boot to fix failures where
the needed region can't be late-allocated.
o Implement lid suspend/resume for lids that use a GPIO.
o Implement support for wakeup interrupts in amdgpio(4), making it
possible to resume laptops with AMD CPUs from S0ix suspend.
o Introduce a generic powerbutton_event() function that does
everything we expect from a power button event in a consistent
manner, ensuring all drivers now prevent shutdown within the first
10 seconds after resume.
o Implement a ddb.suspend sysctl that will force "S0ix" suspend and
skip suspend of inteldrm(4) and amdgpu(4) such that the display
remains on during suspend.
o Fix dead USB ports after suspend/resume on the ThinkPad Z13.
o Make amdgpu(4) S3 suspend more reliable.
o Double the size of the amd64 unhibernate chunk table for machines
with large amounts of memory.
- SMP Improvements:
o Up to 8 softnet threads are used to handle network input. The
number of threads is also limited by the number of CPUs.
o The TCP stack now runs in parallel on multiple CPUs. Up to 8
threads are used to process TCP traffic. Note that each connection
can only be handled by one CPU. Use multiple streams and a network
interface capable of multi-queue to distribute packets.
o IPv6 fragment reassembly is now running in parallel.
o IPv6 destination option and routing header parsing is now running
in parallel.
o System calls close(2) and listen(2) run without exclusive net
lock.
- Direct Rendering Manager and graphics drivers:
o Updated drm(4) to Linux 6.12.50.
o New qcdrm(4) driver for Qualcomm Snapdragon DRM subsystem.
o New qcdpc(4) driver for Qualcomm DisplayPort Controller.
- VMM/VMD improvements:
o On AMD processors, SEV-ES is supported for starting confidential
virtual machines. SEV-ES works with the vmm/vmd hypervisor and with
OpenBSD guests on KVM/qemu.
o Add option for vmd(8) to run guests in AMD SEV-ES mode and keyword
"seves" for vm.conf(5) to enable it.
o Allow SEV-ES enabled guests to run on vmm(4)/vmd(8).
o Make vmctl(8) show file path in error messages.
o Sanitize vmd(8)'s interprocess communication.
o Back vmm(4) guest memory with UVM aobjs, simplifying how guest
memory is represented and managed.
o Allow Linux guests to use kvm-clock in vmm(4).
o Remove vmd(8) send & receive functionality.
o Prevent vmd(8) guests from reading outside pci config space.
o Emulate PKRU XSAVE area and features in vmm(4).
- Various new userland features:
o Switched pkg-config(1) to the widely used C-based pkgconf 2.4.3
due to major performance issues with the unmaintained homegrown
Perl script.
o Import IIJ's iwatch as watch(1), a utility to periodically execute
a command and display its output.
o security(8) creates backups of GPT/MBR.
o fdisk(8) -R recovers/creates GPT/MBR from a file.
o fdisk(8) interactive editor supports one-line partition
addition/modification.
o Add [-w percent] and /etc/apm/warnlow hook to apmd(8).
o Introduced a new gprof profiling system using profil(2) system
call and removed the monstartup(3) interface.
o Add ibufq(3) API to support multithreaded use of ibufs.
- More bugfixes and tweaks in userland:
o As usual, many improvements and corrections in documentation were
made.
o fdisk(8) interactive editor displays verbose information if -v was
set.
o fdisk(8) displays GPT partitions in disk offset order with free
areas shown.
o fdisk(8) can create GPT partitions with any well-formed UUID as
the type.
o Only GPT partitions with recognized filesystems are included in
the default disklabel(5).
o Version 0 disklabel(5) is no longer supported.
o Fix a crash in vi(1) when executing commands.
o Fix vi(1) crash with expandtab and running external commands.
o Make vi(1) 'p' command paste in the correct place.
o Improve the flockfile(3) implementation by switching from external
locks to per FILE recursive mutexes.
o Do not log OTP secrets in login_yubikey(8).
o Change gmtime(3) to return time in UTC rather than GMT, as
required by our own manpage, POSIX, C standards, and other OSes.
o Make exit(), fclose(), fflush(), and freopen() comply with
POSIX-2008 requirements for setting the underlying file position
when flushing read-mode streams, and make an
fseek()-after-fflush() not change the underlying file position.
o Improve externs for KEYMAPE(); the extern declarations in .c files
resulted in the use of a wrongly sized anonymous struct.
o Make bioctl(8) properly indicate key disk for RAID 1C.
o Fix sign of %z output in zic(8), and add DST offset.
o Add -t and -V options from tzcode2013d to zdump(8).
o Fix an rm(1) bug where "mkdir exampledir; ln -s examplelink
exampledir; rm examplelink/" didn't remove exampledir like POSIX
requires.
o In ksh(1) VI mode, prevent display corruption when the command
line being edited starts with a UTF-8 continuation byte.
o Make mdoc(7) support the input syntax ".Lb libname [...]" with
multiple arguments in the SYNOPSIS.
o Make sndiod(8) use per-program level controls instead of
per-client.
o Stop tar(1) from exiting silently if the mtime didn't fit in the
ustar header when writing out the extended headers.
o Fix memleak in syslogd(8) when a client aborts a TLS connection,
and ensure that syslogd(8) runs TLS handshake callback.
o Support for embedded PNG bitmaps in Freetype (often used for fonts
with colour emoji).
- Improved hardware support and driver bugfixes, including:
o New acpiwmi(4) driver for Windows Management Instrumentation.
o New amdpmc(4) driver for AMD power management controller.
o New bcmmip driver for BCM2712 MSI controller.
o New bcmstbgpio(4) driver for Broadcom Set-top Box GPIO controller.
o New bcmstbintc(4) driver for Broadcom Set-top Box interrupt
controller.
o New bcmstbpinctrl(4) driver for Broadcom Set-top Box pin
multiplexing.
o New bcmstbrescal(4) driver for Broadcom Set-top Box reset
calibration controller.
o New bcmstbreset(4) driver for Broadcom Set-top Box reset
controller.
o New rpone(4) driver for Raspberry Pi RP1 peripheral controller.
o New rpiclock(4) driver for Raspberry Pi RP1 clock controller.
o New rpipwm(4) driver for Raspberry Pi RP1 PWM controller.
o New rpirtc(4) driver for Raspberry Pi real-time clock.
o New iasuskbd(4) driver for ASUS I2C HID keyboards.
o Add support for the SDHC controllers found on the Raspberry Pi 5.
o In virtio(4), allow the use of memory above 4G on amd64 for virtio
rings and descriptors.
o Add support for H.264 advanced video coding to uvideo(4).
o Prevent a kernel panic in wsdisplay(4) when asked to switch VTs
during resume.
o Avoid a use-after-free in psp(4).
o Do not attach YubiKeys as keyboards anymore in ukbd(4). This
disables the OTP functionality, but makes it easier to use the
FIDO function without the need to configure the YubiKeys correctly
first.
o Implement support for "vmmc-supply" in sdhc(4), needed to power on
the WiFi chip on the Raspberry Pi 5.
o Add RK3528 support to rkpinctrl(4).
o Add RK3528 support to rkclock(4).
o Add RK3528 support to rkusbphy(4).
o Fix and add time sensor to pvclock(4).
- New or improved network hardware support:
o Make the cad(4) Ethernet interface on the Raspberry Pi 5 work by
configuring the delays for RGMII PHYs correctly.
o Add support for the Realtek RTL8125D and RTL8127 chips to the
rge(4) driver and update microcode for RTL8125B.
o Add a software implementation of TCP Large Receive Offload to
ixl(4).
o Intel E810 network devices ice(4) are supported for 100 and 25
GBit in QSFP and SFP variants.
o Add support for the ifconfig transceiver command to ice(4).
o Add Rx checksum offload and TSO (TCP Segmentation Offload) support
to ice(4).
o Enable RSS in ice(4), and enable Tx/Rx across multiple queues.
o Use SoftLRO in ice(4), disabled by default.
o Add SoftLRO support to bnxt(4).
o Add support for TSO to iavf(4).
o Disable hvn(4) TCP checksum offload, broken on newer hyper-v
versions.
- Added or improved wireless network drivers:
o Add 802.11n/HT and roaming support to qwx(4).
o Fix TKIP crypto offload in qwx(4).
o Fix suspend/resume instability caused by qwx(4).
o Make WPA handshakes succeed more reliably with the bwfm(4) driver.
o Unbreak support for a subset of Intel AX210 devices by making
iwx(4) load the correct firmware image for them.
- Installer, upgrade, bootloader, and pkg-tools improvements:
o Add installer preference for disks bigger than 1G as default root
disk.
o Stop offering http/nfs for offline installation.
o Prevent installing a corrupted /bsd on relink errors.
o Prevent pkg_add(1) update from advising file removal appropriate
only when deleting packages.
- Security improvements:
o Permit setsockopt/getsockopt IPPROTO_IP/IP_TOS and
IPPROTO_IPV6/IPV6_TCLASS in pledge "stdio". Previously these were
restricted to "inet". However, setting TOS is low risk and this
way a lot more attack surface from inet can be removed.
o Allow low-risk getsockname() and getpeername() in stdio.
o Pledge fc-cache(1) and mkfontscale(1) and change ownership of the
fontconfig cache to the _fc-cache user to run unprivileged when
installing fonts.
o Add IPV6_RECVTCLASS to the authorized setsockopt operations for
IPPROTO_IPV6 in pledge, fixing recent chromium browser with IPv6.
o Add an MI mechanism for creating an (unmapped) guard page between
the PCB and the kernel stack and enable on 64-bit architectures
with 4k pages.
- New features in the network stack:
o Stop adding interfaces with blackhole and reject routes to the
egress group, even if a default route points at them.
o Some network drivers can use software LRO for TCP. If the
hardware does not support concatenating received TCP packets,
this can be done at the driver level. As the upper layers handle
fewer packets, performance improves. The feature is currently
disabled by default; activate it with ifconfig(8) tcplro. Software
LRO has been implemented for bnxt(4), ice(4) and ixl(4).
o New erspan(4) driver for ERSPAN Type II tunnel networks.
- Further changes and bugfixes in the network stack:
o The sysctl(8) knobs for divert(4) protocols have been consolidated.
o The ARP and ND6 lists use iterators to be MP safe. This also avoids
a race when timeouts handle multipath link-layer entries.
o TCP keepalive intervals have been fixed.
o Do not allow negative values for sysctl(2)
net.inet6.ip6.neighborgcthresh, which would disable the limit on
ND6 entries, and disallow setting negative values for
net.inet6.ip6.maxdynroutes, which previously allowed unlimited
redirect routes.
o Fix error handling in IPv6 multicast sysctl.
o Fix refcnt leak in veb(4).
o Use VLAN hardware tagging in veb(4).
o Use VLAN hardware tagging in bridge(4).
o Use checksum offload in veb(4) and bridge(4).
o Unbreak vport(4) to vport(4) communication on the same veb(4).
o Remove net.inet6.ip6.soiikey sysctl.
o Make lo(4) attach multiple interface queues, allowing local
network connections to use multiple softnets.
o Allow packets being sent out pppoe(4) interfaces to bypass queues
and go straight onto the underlying interface.
- The following changes were made to the pf(4) firewall:
o The check whether a TCP RST packet belongs to a connection was too
strict. Now resetting a TCP state also works if there were gaps in
the sequence number space due to lost packets.
o Repair "least-states" in pf(4) by decrementing the state counter
properly when the state is removed.
- Routing daemons and other userland network programs saw the following
improvements:
o Make getaddrinfo(3) convert numeric host addresses for all address
families, independent of them being listed in /etc/resolv.conf.
o Added lldpd(8), Link Layer Discovery Protocol (LLDP) daemon, and
lldp(8) control program.
o Added bpflogd(8), Berkeley Packet Filter logging daemon.
o Disallow nc(1) -T with = when arguments are not key=value pairs.
o Add SOCKS4A support to nc(1) proxy (-X) mode.
o Add ALPN TLS option, so you can specify -T alpn=value in nc(1).
o Make iked(8) load multiple certificates as a certificate chain
from a file.
o In relayd(8) add tighter checks on inter-process messages.
o Remove the currently useless "status memory" command in
unwindctl(8).
o Disable aggressive-nsec when "force" is in use in unwind.
o Repair the printing of IPv6 route commands with netstart(8) -n,
which was broken in 2022.
o Change dhcpd(8) to use the rdomain/rtable it was started in.
o Reduce the number of times that dhcpleased(8) uses
if_indextoname(3) to translate an interface index to an interface
name.
o In dhcp6leased(8), install a reject route for prefix delegation, to
prevent routing loops in case only parts of the delegated prefix
are configured on interfaces.
o Introduce a lower bound for the IPv6-Only preferred timelimit in
dhcpleased(8).
o Network statistics reporting using netstat(1) was changed:
- The output of netstat(1) for multicast route and divert
protocol statistics has been improved.
- Export TCP send congestion window for IPv6 also to allow its
display with netstat(1) -B.
- Harmonize netstat(1) ip4 and ip6 multicast counter output.
- Provide m_pool_alloc() failures in mbstat, making the count
visible in netstat(1) -m.
- Remove specific divert6 netstat counters, use divert instead.
o acme-client(1) saw several changes:
- Made acme-client(1) handle "processing" status by retrying.
- Remove http support from acme-client(1), using https for the
API server per RFC 8555.
- Allow port numbers in API URLs, letting acme-client(1) talk
to Let's Encrypt's pebble server.
- Implement draft-ietf-acme-profiles for acme-client(1).
- Adapt renewal calculation for shortlived certificates in
acme-client(1).
o In bgpd(8):
- In verbose mode log the NOTIFICATION data for UPDATE errors.
- Fix a busy loop error in the pfkey handling.
- Introduce monotime, an internal time API using microsecond
resolution.
- Fix accounting of the pending update counter.
- Use new ibufq interface instead of handrolling the same.
- Large refactoring of internal APIs to make the code easier to
share and cleaner.
o In rpki-client(8):
- The parser process now uses parallel threads for object
validation. The new -p option can be used to adjust the
number of threads.
- Support for Canonical Cache Representation has been added.
CCR is a new DER-encoded data interchange format to support
audit trail keeping, validated payload dissemination, and
analytics pipelines.
https://datatracker.ietf.org/doc/html/draft-spaghetti-sidrops-rpki-ccr
- Certificate parsing and validation has been completely
reworked. In particular, a more stringent set of compliance
checks based on RFC 6487, RFC 8209, and RFC 8608 is imposed
on end entity certificates.
- Filemode is now able to detect most file types without
recourse to the file name extension.
- Experimental support for P-256 Trust Anchor keys was added.
- Marshalling and unmarshalling of privsep messages was
improved.
- In verbose mode, warnings are emitted about uncompressed
HTTP/RRDP transfers larger than one megabyte. Publication
server operators are strongly encouraged to offer gzip
compressed HTTP content-encoding, see
draft-ietf-sidrops-publication-server-bcp, section 6.3.
- Emit all key identifiers (AKI and SKI) encoded in JSON as
bare hex strings without colons.
- Fixed numerous minor issues flagged by the Coverity static
analyzer.
- tmux(1) improvements and bug fixes:
o Allow tmux(1) bind -r and -N to change an existing key binding if
no command is specified.
o Add more features for boolean expressions in tmux(1) formats.
o Add an option variation-selector-always-wide to instruct tmux(1)
not to always interpret VS16 as a wide character and assume the
terminal does likewise.
o Add R format modifier to tmux(1) to repeat an argument.
o Add -E to run-shell to forward stderr as well as stdout in
tmux(1).
o Fix several memory leaks.
o Flush scrolling when wrapping so UTF-8 in last position draws
correctly.
o Treat Shift-Tab just like the up arrow in completion popup menu.
o Fix PageDown in menus.
o Replace invalid UTF-8 with the placeholder instead of ignoring
it.
o Add pane-border-lines value to use spaces for pane borders.
o Add a nicer default second and third status line.
o Add a tmux(1) set-default style attribute which replaces the
current default colours and attributes completely.
o Add S: to list tmux(1) sessions with modifiers for sorting.
o Add tmux(1) support for DECRQSS SP q (report cursor style), DECRQM
?12 (report cursor blink state) and DECRQM ?2004, ?1004, ?1006
(report mouse state).
o Introduce tmux(1) new window option: tiled-layout-max-columns,
which configures the maximum number of columns in the tiled
layout.
- LibreSSL version 4.2.0:
o Portable changes:
- Added explicit OpenBSD/ISC license to build system / scripts.
- Fixed compilation on more CPU targets by removing
architecture-specific definitions from header files.
- Fixed builds in deep paths by using relative paths for
linking.
- Fixed Windows builds with Clang and CMake.
- Fixed Windows error handling accepting connections with nc.
o Internal improvements:
- Cleaned up code implementing block cipher modes of operation.
Includes untangling a horrible #ifdef mess and removing a few
instances of undefined behavior.
- Removed assembly implementations of AES using bit slicing
(BS-AES) and vector permutation (VP-AES).
- Removed OPENSSL_SMALL_FOOTPRINT and OPENSSL_FIPSAPI.
- Implemented constant time EC field element operations to
allow elliptic curve operations without bignum arithmetic.
- Implemented an EC method using homogeneous projective
coordinates. This will allow exception-free elliptic curve
arithmetic in constant time in future releases.
- Started cleaning up the openssl speed implementation.
- The last SIGILL-based CPU capability detection was removed.
Instead, capabilities are now detected using a constructor on
library load, which improves the incomplete coverage by calls
to OPENSSL_init_crypto() on various entry points.
- Rework and simplify AES handling in EVP. In particular,
AES-NI is now handled in the AES internal code and no longer
requires the use of EVP.
- Added a public API for ML-KEM. This is not yet documented in
a manpage and may not be in its final form. This will be used
to support X25519MLKEM768 in libssl.
o Compatibility changes:
- Removed the -msie_hack option from the openssl(1) ca
subcommand.
- Removed parameters of the 239-bit prime curves from X9.62,
H.5.2: prime239v1, prime239v2, prime239v3.
- Increased default MAC salt length used by PKCS12_set_mac(3)
to 16 per recommendation of NIST SP 800-132.
- Encrypted PKCS#8 key files now use a default password-based
key derivation function that is acceptable in the present
millennium.
- const corrected EVP_PKEY_get{0,1}_{DH,DSA,EC_KEY,RSA}().
- X509_CRL_verify() now checks that the AlgorithmIdentifiers in
the signature and the tbsCertList are identical.
- Of the old *err() only PEMerr(), RSAerr(), and SSLerr()
remain.
- Removed BIO_s_log(), X509_PKEY_{new,free}(),
PEM_X509_INFO_read() and PEM_X509_INFO_write_bio().
- Re-expose the ASN.1 Boolean template items.
- opensslconf.h is now machine-independent.
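As an added example (not LibreSSL's code), the consistency check described above for X509_CRL_verify(), applied by a minimal DER walker to two constructed, unsigned CRLs: one whose tbsCertList.signature matches the outer signatureAlgorithm and one where they differ. The CRL builder, the empty issuer Name and the all-zero signature value are constructed sample data; only the structural check is shown, no signature is verified.

```python
"""Check that a DER CertificateList carries the same AlgorithmIdentifier in
tbsCertList.signature and in the outer signatureAlgorithm field."""


def der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content


def oid(dotted: str) -> bytes:
    """Encode an OBJECT IDENTIFIER: first two arcs as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += chunk
    return der(0x06, bytes(out))


SHA256_RSA = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption
SHA1_RSA = "1.2.840.113549.1.1.5"      # sha1WithRSAEncryption


def alg_id(oid_str: str) -> bytes:
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters NULL }"""
    return der(0x30, oid(oid_str) + der(0x05, b""))


def build_crl(tbs_alg: str, outer_alg: str) -> bytes:
    """Constructed, unsigned CRL; the two algorithm fields are set independently
    so that a mismatch can be demonstrated. Issuer and signature are dummies."""
    tbs = der(0x30,
              der(0x02, b"\x01")                 # version v2
              + alg_id(tbs_alg)                  # tbsCertList.signature
              + der(0x30, b"")                   # issuer Name (empty, sample only)
              + der(0x17, b"250101000000Z"))     # thisUpdate (UTCTime)
    signature = der(0x03, b"\x00" + b"\x00" * 8)  # BIT STRING, dummy value
    return der(0x30, tbs + alg_id(outer_alg) + signature)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content_start, content_end) for the TLV starting at pos.
    The whole TLV is buf[pos:content_end]."""
    if pos + 1 >= len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    end = start + length
    if end > len(buf):
        raise ValueError("truncated TLV content")
    return tag, start, end


def crl_signature_algorithms(crl: bytes):
    """Return the raw DER of (tbsCertList.signature, signatureAlgorithm)."""
    tag, s, e = read_tlv(crl, 0)
    if tag != 0x30 or e != len(crl):
        raise ValueError("not a DER CertificateList")
    tag, ts, te = read_tlv(crl, s)                  # tbsCertList
    if tag != 0x30:
        raise ValueError("tbsCertList is not a SEQUENCE")
    pos = ts
    tag, cs, ce = read_tlv(crl, pos)
    if tag == 0x02:                                 # optional version INTEGER
        pos = ce
        tag, cs, ce = read_tlv(crl, pos)
    if tag != 0x30:
        raise ValueError("tbsCertList.signature missing")
    tbs_alg = crl[pos:ce]
    tag, cs, ce = read_tlv(crl, te)                 # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm missing")
    return tbs_alg, crl[te:ce]


def crl_algorithms_consistent(crl: bytes) -> bool:
    """The check: both AlgorithmIdentifiers must be byte-for-byte identical."""
    tbs_alg, outer_alg = crl_signature_algorithms(crl)
    return tbs_alg == outer_alg
```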
o New features:
- Allow specifying ALPN in nc(1) via
-Talpn="http/1.1,http/1.0".
o Bug fixes:
- Avoid pointer arithmetic on NULL for memory BIOs.
- Fix leaks and use-after-frees in PKCS7 attribute handling.
- Ensure p and q in RSA private key have a minimum distance of
2^(bits/2 - 100) as specified in NIST SP 800-56B Revision 2.
o Security fixes:
- Fix out-of-bounds read and write, memory leaks and incorrect
error check for CMS enveloped data.
o Documentation:
- Rewrote most of the EC documentation from scratch to be at
least somewhat accurate and intelligible.
- Updated documentation for SMIME_{read,write}* to match
reality.
o Testing and proactive security:
- Added a testing framework that will help deduplicate lots of
ad-hoc code in the regression tests.
- Converted the Wycheproof testing framework to use
testvectors_v1. This in combination with a few new tests
significantly increases regress coverage.
- OpenSSH 10.2:
o Security fixes:
- ssh(1): disallow control characters in usernames passed via
the commandline or expanded using %-sequences from the
configuration file, and disallow \0 characters in ssh://
URIs.
If an ssh(1) commandline was constructed using usernames or
URIs obtained from an untrusted source, and if a ProxyCommand
that uses the %r expansion was configured, then it may be
possible for an attacker to inject shell expressions that may
be executed when the proxy command is started.
We strongly recommend against using untrusted inputs to
construct ssh(1) commandlines.
This change also relaxes the validity checks in one small
way: usernames supplied via the configuration file as
literals (i.e. that have no % expansion characters) are not
subject to these validity checks. This allows usernames that
contain arbitrary characters to be used, but only via
configuration files. This is done on the basis that ssh's
configuration is trusted.
This issue was reported by David Leadbeater.
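As an added example (not OpenSSH code), the validation rule described above applied by a caller that builds ssh(1) command lines from untrusted input: control characters are rejected in usernames from the command line or from %-expansion, literals from the trusted configuration are exempt, and NUL is rejected in ssh:// URIs. The functions, the treatment of every ASCII control byte as invalid, and the hardened ProxyCommand expansion are assumptions of this example; the exact character set OpenSSH checks is not stated here.

```python
"""Pre-flight checks for ssh(1) command lines built from untrusted data."""
import shlex
from urllib.parse import urlsplit


def has_control_chars(s: str) -> bool:
    # Assumption: any ASCII control byte (0x00-0x1f, 0x7f) counts as a control
    # character; the release notes do not spell out OpenSSH's exact set.
    return any(ord(c) < 0x20 or ord(c) == 0x7F for c in s)


def username_ok(name: str, origin: str) -> bool:
    """origin is 'commandline', 'expanded' (the result of a %r-style expansion)
    or 'config-literal'. Literal names from the trusted configuration file are
    exempt, mirroring the relaxation described above; the rest must be free of
    control characters."""
    if not name:
        return False
    if origin == "config-literal":
        return True
    if origin not in ("commandline", "expanded"):
        raise ValueError(f"unknown username origin: {origin!r}")
    return not has_control_chars(name)


def ssh_uri_ok(uri: str) -> bool:
    """Reject NUL anywhere in an ssh:// URI (the rule above), then apply a
    stricter constructed policy to the rest. The raw string is checked before
    parsing because urlsplit() silently drops tab, CR and LF characters."""
    if "\x00" in uri or has_control_chars(uri):
        return False
    try:
        parts = urlsplit(uri)
    except ValueError:
        return False
    if parts.scheme != "ssh" or not parts.hostname:
        return False
    if parts.username is not None and not username_ok(parts.username, "commandline"):
        return False
    return True


def expand_proxy_command(template: str, user: str, host: str) -> str:
    """Hypothetical hardened %r/%h expansion for a ProxyCommand string that a
    shell will execute: validate first, then shell-quote each substituted value.
    This is an added defensive variant, not OpenSSH's own expansion."""
    if not username_ok(user, "expanded") or has_control_chars(host):
        raise ValueError("refusing to expand: control characters in %r/%h value")
    return template.replace("%r", shlex.quote(user)).replace("%h", shlex.quote(host))


def build_ssh_argv(user: str, host: str, origin: str = "commandline") -> list:
    """Build an argv list (no shell involved) and refuse unacceptable names."""
    if not username_ok(user, origin):
        raise ValueError("refusing to build ssh command line: bad username")
    if has_control_chars(host):
        raise ValueError("refusing to build ssh command line: bad hostname")
    # -l keeps the username out of positional-argument parsing; -- ends options.
    return ["ssh", "-l", user, "--", host]
```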
o Potentially incompatible changes:
- ssh(1): add a warning when the connection negotiates a
non-post quantum safe key agreement algorithm.
This warning has been added due to the risk of "store now,
decrypt later" attacks. More details at the OpenSSH
Post-Quantum Cryptography page.
This warning may be controlled via a new WarnWeakCrypto
ssh_config option, defaulting to on. This option is likely to
control additional weak crypto warnings in the future.
- ssh(1), sshd(8): major changes to handling of DSCP
marking/IPQoS.
Both the client and the server have changed the default DSCP
(a.k.a IPQoS) values and the way these values are selected at
runtime.
Both endpoints now use Expedited Forwarding (EF) for interactive
traffic by default. This provides better prioritisation,
especially on wireless media (cf. RFC 8325). Non-interactive
traffic now uses the operating system default DSCP marking.
Both the interactive and non-interactive DSCP values may be
overridden via the IPQoS keyword in ssh_config(5) and
sshd_config(5).
The DSCP value selected may now change over the course of a
connection. ssh(1) and sshd(8) will automatically select
between the interactive and non-interactive IPQoS values
depending on the type of SSH channels open. E.g. if an sftp
session is using the connection, then the non-interactive
value will be used.
This is important now that the default interactive IPQoS is
EF (Expedited Forwarding), as many networks are configured to
allow only relatively small amounts of traffic of this class
and they will aggressively deprioritise the entire connection
if this is exceeded.
- ssh(1), sshd(8): deprecate support for IPv4 type-of-service
(TOS) keywords in the IPQoS configuration directive.
Type of Service (ToS) was deprecated in the late nineties and
replaced with the Differentiated Services architecture.
Diffserv has significant advantages for operators because
this mechanism offers more granularity.
OpenSSH switched its default IPQoS from ToS to DSCP values in
2018.
IPQoS configurations with 'lowdelay', 'reliability', or
'throughput' will be ignored and instead the system default
QoS settings apply. Additionally, a debug message is logged
about the deprecation with a suggestion to use DSCP.
- ssh-add(1): when adding certificates to an agent, set the
expiry to the certificate expiry time plus a short (5 min)
grace period.
This will cause the agent to automatically remove
certificates shortly after they expire. A new ssh-add -N
option disables this behaviour.
- All: remove experimental support for XMSS keys. This was
never enabled by default. We expect to implement a new
post-quantum signature scheme in the near future.
- ssh-agent(1), sshd(8): move agent listener sockets from /tmp
to under ~/.ssh/agent for both ssh-agent(1) and forwarded
sockets in sshd(8).
This ensures processes that have restricted filesystem access
that includes /tmp do not ambiently have the ability to use
keys in an agent.
Moving the default directory has the consequence that the OS
will no longer clean up stale agent sockets, so ssh-agent now
gains this ability.
To support $HOME on NFS, the socket path includes a truncated
hash of the hostname. ssh-agent will by default only clean up
sockets from the same hostname.
ssh-agent(1) gains some new flags: -U suppresses the
automatic cleanup of stale sockets when it starts; -u forces
a cleanup without keeping a running agent; -uu forces a
cleanup that ignores the hostname; -T makes ssh-agent put the
socket back in /tmp.
o New features:
- ssh(1), sshd(8): add SIGINFO handlers to log active channel
and session information.
- sshd(8): when refusing a certificate for user authentication,
log enough information to identify the certificate in
addition to the reason why it was being denied. Makes
debugging certificate authorisation problems a bit easier.
- ssh(1), ssh-agent(1): support ed25519 keys hosted on PKCS#11
tokens.
- ssh(1): add a ssh_config(5) RefuseConnection option that,
when encountered while processing an active section in a
configuration terminates ssh(1) with an error message that
contains the argument to the option.
This may be useful for expressing reminders or warnings in
config files, for example:
    Match host foo
        RefuseConnection "foo is deprecated, use splork instead"
- sshd(8): make the X11 display number check relative to
X11DisplayOffset. This allows people to use X11DisplayOffset
to configure much higher port ranges if they really want,
while not changing the default behaviour.
- unit tests: the unit test framework now includes some basic
benchmarking capabilities. Run with "make
UNITTEST_BENCHMARK=yes".
o Bugfixes:
- sshd(8): fix mistracking of MaxStartups process exits in some
situations. At worst, this could cause all MaxStartups slots
to fill and sshd to refuse new connections.
- ssh(1): fix delay on X client startup when
ObscureKeystrokeTiming is enabled.
- sshd(8): increase the maximum size of the supported
configuration from 256KB to 4MB, which ought to be enough for
anybody. Fail early and visibly when this limit is breached.
- sftp(1): during sftp uploads, avoid a condition where a
failed write could be ignored if a subsequent write
succeeded. This is unlikely but technically possible because
sftp servers are allowed to reorder requests.
- sshd(8): avoid a race condition when the sshd-auth process
exits that could cause a spurious error message to be logged.
- sshd(8): log at level INFO when PerSourcePenalties actually
blocks access to a source address range. Previously this was
logged at level VERBOSE, which hid enforcement actions under
default config settings.
- sshd(8): GssStrictAcceptor was missing from sshd -T output;
fixed.
- sshd(8): Make the MaxStartups and PerSourceNetBlockSize
options first-match-wins as advertised.
- ssh(1): fix an incorrect return value check in the local
forward cancellation path that would cause failed
cancellations not to be logged.
- sshd(8): make "Match !final" not trigger a second ssh_config
parsing pass (unless hostname canonicalisation or a separate
"Match final" does).
- ssh(1): better debug diagnostics when loading keys. Will now
list key fingerprint and algorithm (not just algorithm
number) as well as making it explicit which keys didn't load.
- All: fix a number of memory leaks found by LeakSanitizer,
Coverity and manual inspection.
- sshd(8): Output the current name for PermitRootLogin's
"prohibit-password" in sshd -T instead of its deprecated
alias "without-password".
- ssh(1): make writing known_hosts lines more atomic by writing
the entire line in one operation and using unbuffered stdio.
Usually writes to this file are serialised on the "Are you
sure you want to continue connecting?" prompt, but if host
key checking is disabled and connections were being made with
high concurrency then interleaved writes might have been
possible.
- Ports and packages:
o Pre-built packages are available for the following architectures on
the day of release:
- aarch64 (arm64): 12506
- amd64: 12651
- i386: 10457
- mips64: 8484
- powerpc64: 9698
o Packages for the following architectures will be made available as
their builds complete:
- arm
- powerpc
- riscv64
- sparc64
- Some highlights:
o Asterisk 16.30.1, 18.26.4, 20.15.2 and 22.5.2
o Audacity 3.7.5
o CMake 3.31.8
o Chromium 141.0.7390.54
o Emacs 30.2
o FFmpeg 6.1.3
o GCC 8.4.0 and 11.2.0
o GHC 9.8.3
o GNOME 48
o Go 1.25.1
o JDK 8u462, 11.0.28, 17.0.16, 21.0.8 and 25.0.0
o KDE Applications 25.08.1
o KDE Frameworks 6.18.0
o KDE Plasma 6.4.5
o Krita 5.2.13
o LLVM/Clang 19.1.7, 20.1.8 and 21.1.2
o LibreOffice 25.8.1.1
o Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.7
o MariaDB 11.4.7
o Mono 6.12.0.199
o Mozilla Firefox 143.0.3 and ESR 140.3.1
o Mozilla Thunderbird 143.3.1
o Mutt 2.2.15 and NeoMutt 2025905
o Node.js 22.20.0
o OCaml 4.14.2
o OpenLDAP 2.6.10
o PHP 8.2.29, 8.3.26 and 8.4.13
o Postfix 3.5.25 and 3.10.1
o PostgreSQL 17.6
o Python 2.7.18 and 3.12.11
o Qt 5.15.16 (+ kde patches) and 6.8.3
o R 4.5.1
o Ruby 3.2.9, 3.3.9 and 3.4.6
o Rust 1.90.0
o SQLite 3.50.4
o Shotcut 25.08.16
o Sudo 1.9.17p2
o Suricata 7.0.7
o Tcl/Tk 8.5.19 and 8.6.16
o TeX Live 2025
o Vim 9.1.1706 and Neovim 0.11.4
o Xfce 4.20.0
- As usual, steady improvements in manual pages and other documentation.
- The system includes the following major components from outside suppliers:
o Xenocara (based on X.Org 7.7 with xserver 21.1.18 + patches,
freetype 2.13.3, fontconfig 2.15.0, Mesa 25.0.7, xterm 399,
xkeyboard-config 2.20, fonttosfnt 1.2.4, and more)
o LLVM/Clang 19.1.7 (+ patches)
o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
o Perl 5.40.1 (+ patches)
o pkgconf 2.4.3
o NSD 4.13.0
o Unbound 1.24.0
o Ncurses 6.4
o Binutils 2.17 (+ patches)
o Gdb 6.3 (+ patches)
o Awk 20250116
o Expat 2.7.3
o zlib 1.3.1 (+ patches)
------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------
We provide patches for known security threats and other important
issues discovered after each release. Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible. Therefore, we advise regular
visits to
https://www.OpenBSD.org/security.html
and
https://www.OpenBSD.org/errata.html
------------------------------------------------------------------------
- MAILING LISTS AND FAQ ------------------------------------------------
Mailing lists are an important means of communication among users and
developers of OpenBSD. For information on OpenBSD mailing lists, please
see:
https://www.OpenBSD.org/mail.html
You are also encouraged to read the Frequently Asked Questions (FAQ) at:
https://www.OpenBSD.org/faq/
------------------------------------------------------------------------
- DONATIONS ------------------------------------------------------------
The OpenBSD Project is a volunteer-driven software group funded by
donations. Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others. This ecosystem is all handled under the same funding umbrella.
We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon
events.
All of our developers strongly urge you to donate and support our future
efforts. Donations to the project are highly appreciated, and are
described in more detail at:
https://www.OpenBSD.org/donations.html
------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------
For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts. In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.
There may also be exposure benefits since the Foundation may be
interested in participating in press releases. In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at directors@openbsdfoundation.org for
more information.
------------------------------------------------------------------------
- HTTPS INSTALLS -------------------------------------------------------
OpenBSD can be easily installed via HTTPS downloads. Typically you need
a single small piece of boot media (e.g., a USB flash drive) and then
the rest of the files can be installed from a number of locations,
including directly off the Internet. Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTPS.
1) Read either of the following two files for a list of HTTPS mirrors
which provide OpenBSD, then choose one near you:
https://www.OpenBSD.org/ftp.html
https://ftp.openbsd.org/pub/OpenBSD/ftplist
As of October 22, 2025, the following HTTPS mirror sites have the
7.8 release:
https://cdn.openbsd.org/pub/OpenBSD/7.8/ Global
https://ftp.eu.openbsd.org/pub/OpenBSD/7.8/ Stockholm, Sweden
https://ftp.hostserver.de/pub/OpenBSD/7.8/ Frankfurt, Germany
https://ftp.bytemine.net/pub/OpenBSD/7.8/ Oldenburg, Germany
https://ftp.fr.openbsd.org/pub/OpenBSD/7.8/ Paris, France
https://mirror.aarnet.edu.au/pub/OpenBSD/7.8/ Brisbane, Australia
https://ftp.usa.openbsd.org/pub/OpenBSD/7.8/ CO, USA
https://ftp5.usa.openbsd.org/pub/OpenBSD/7.8/ CA, USA
https://mirror.esc7.net/pub/OpenBSD/7.8/ TX, USA
https://openbsd.cs.toronto.edu/pub/OpenBSD/7.8/ Toronto, Canada
https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.8/ Global
https://fastly.cdn.openbsd.org/pub/OpenBSD/7.8/ Global
The release is also available at the master site:
https://ftp.openbsd.org/pub/OpenBSD/7.8/ Alberta, Canada
However it is strongly suggested you use a mirror.
Other mirror sites may take a day or two to update.
2) Connect to that HTTPS mirror site and go into the directory
pub/OpenBSD/7.8/ which contains these files and directories.
This is a list of what you will see:
ANNOUNCEMENT armv7/ octeon/ root.mail
README hppa/ openbsd-78-base.pub sparc64/
SHA256 i386/ packages/ src.tar.gz
SHA256.sig landisk/ packages-stable/ sys.tar.gz
alpha/ loongson/ ports.tar.gz xenocara.tar.gz
amd64/ luna88k/ powerpc64/
arm64/ macppc/ riscv64/
It is quite likely that you will want at LEAST the following
files which apply to all the architectures OpenBSD supports.
README - generic README
root.mail - a copy of root's mail at initial login.
(This is really worthwhile reading).
3) Read the README file. It is short, and a quick read will make
sure you understand what else you need to fetch.
4) Next, go into the directory that applies to your architecture,
for example, amd64. This is a list of what you will see:
BOOTIA32.EFI* bsd* floppy78.img pxeboot*
BOOTX64.EFI* bsd.mp* game78.tgz xbase78.tgz
BUILDINFO bsd.rd* index.txt xfont78.tgz
INSTALL.amd64 cd78.iso install78.img xserv78.tgz
SHA256 cdboot* install78.iso xshare78.tgz
SHA256.sig cdbr* man78.tgz
base78.tgz comp78.tgz miniroot78.img
If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
and install78.iso. The install78.iso file (roughly 774MB in size)
is a one-step ISO-format install CD image which contains the various
*.tgz files so you do not need to fetch them separately.
If you prefer to use a USB flash drive, fetch install78.img and
follow the instructions in INSTALL.amd64.
5) If you are an expert, follow the instructions in the file called
README; otherwise, use the more complete instructions in the
file called INSTALL.amd64. INSTALL.amd64 may tell you that you
need to fetch other files.
6) Just in case, take a peek at:
https://www.OpenBSD.org/errata.html
This is the page where we talk about the mistakes we made while
creating the 7.8 release, or the significant bugs we fixed
post-release which we think our users should have fixes for.
Patches and workarounds are clearly described there.
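The listing in step 4 includes SHA256 and SHA256.sig next to the install
images, and the release public key openbsd-78-base.pub sits one level up.
The following POSIX shell script is an added example, not part of this
announcement or of the OpenBSD project's own tooling: it builds mirror URLs
from the names above, checks a fetched file against the SHA256 list (which
uses OpenBSD's "SHA256 (name) = hex" line format), and, where signify(1) is
installed, verifies the signed list with the release key before trusting
any hash in it. The fixture in self_check() is constructed and never
touches the network; ftp(1), curl, sha256sum/sha256/shasum and signify are
real tools, while the function names are the script's own.

```shell
#!/bin/sh
# Added example, not from the OpenBSD announcement or the OpenBSD project:
# check files fetched from a mirror against the release's SHA256 list before
# booting from them. File and mirror names come from the announcement; the
# SHA256 list format ("SHA256 (name) = hex") and the signify(1) invocation
# are OpenBSD's real conventions. The fixture in self_check() is constructed.

set -u

RELEASE=7.8
MIRROR=${MIRROR:-https://cdn.openbsd.org/pub/OpenBSD/}

# URL of one release file; pass "" as arch for the top-level files
# (README, root.mail, openbsd-78-base.pub).
release_url() {
    arch=$1; file=$2
    if [ -n "$arch" ]; then
        printf '%s%s/%s/%s\n' "$MIRROR" "$RELEASE" "$arch" "$file"
    else
        printf '%s%s/%s\n' "$MIRROR" "$RELEASE" "$file"
    fi
}

# Download with ftp(1) on OpenBSD, curl elsewhere. Not called by self_check().
fetch_release_file() {
    arch=$1; file=$2; dest=$3
    if command -v ftp >/dev/null 2>&1; then
        ftp -o "$dest" "$(release_url "$arch" "$file")"
    else
        curl -fsSL -o "$dest" "$(release_url "$arch" "$file")"
    fi
}

# Hex SHA-256 digest: sha256sum on Linux, sha256(1) on OpenBSD, shasum elsewhere.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Compare one file with its entry in a SHA256 list.
# Returns 0 on match, 1 on mismatch, 2 when the list has no entry for it
# (an unlisted file is a failure, never a silent pass).
verify_sha256() {
    list=$1; file=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$1 == "SHA256" && $2 == ("(" n ")") { print $4; exit }' "$list")
    [ -n "$expected" ] || return 2
    actual=$(sha256_hex "$file")
    [ "$expected" = "$actual" ]
}

# The hash list only means something once its signature checks out:
# "signify -C" verifies SHA256.sig with the release public key and then
# checks the named files against the signed list in one step. Returns 2
# when signify(1) is not installed so "unverified" stays distinct from "bad".
verify_signed() {
    pubkey=$1; sigfile=$2; shift 2
    command -v signify >/dev/null 2>&1 || return 2
    signify -C -p "$pubkey" -x "$sigfile" "$@"
}

# Constructed fixture: a fake install78.iso and a matching SHA256 list in a
# temporary directory. Returns 0 only if a good file passes, a tampered
# file fails, and an unlisted file is reported as unlisted.
self_check() {
    dir=$(mktemp -d) || return 1
    printf 'constructed payload, not a real ISO\n' > "$dir/install78.iso"
    printf 'SHA256 (install78.iso) = %s\n' "$(sha256_hex "$dir/install78.iso")" > "$dir/SHA256"
    verify_sha256 "$dir/SHA256" "$dir/install78.iso" || { rm -rf "$dir"; return 1; }
    printf 'x' >> "$dir/install78.iso"                     # tamper with the image
    if verify_sha256 "$dir/SHA256" "$dir/install78.iso"; then rm -rf "$dir"; return 1; fi
    printf 'y' > "$dir/xbase78.tgz"                        # not in the list
    rc=0; verify_sha256 "$dir/SHA256" "$dir/xbase78.tgz" || rc=$?
    rm -rf "$dir"
    [ "$rc" -eq 2 ]
}

# Run directly as "sh verify.sh self-check" to exercise the fixture.
if [ "${1:-}" = "self-check" ]; then self_check && echo "self-check passed"; fi
```

In practice the order matters: verify the signature on SHA256.sig with the
key for this release first (on an existing OpenBSD system that key is
already in /etc/signify/, which is the copy to prefer over one downloaded
alongside the files), and only then compare the images against the list. A
hash list fetched over the same channel as the images detects corruption in
transit, but by itself it does not tell you the mirror's contents are the
project's.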
------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------
X.Org has been integrated more closely into the system. This release
contains X.Org 7.7. Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc. During installation, you can install X.Org
quite easily using xenodm(1), our simplified X11 display manager forked
from xdm(1).
------------------------------------------------------------------------
- PACKAGES AND PORTS ---------------------------------------------------
Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures. Please see https://www.openbsd.org/faq/faq15.html for
more information on working with packages and ports.
Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed
separately.
------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------
The source code for all four subsystems can be found in the
pub/OpenBSD/7.8/ directory:
xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz
The README (https://ftp.OpenBSD.org/pub/OpenBSD/7.8/README) file
explains how to deal with these source files.
------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------
Ports tree and package building by Jeremie Courreges-Anglas,
Visa Hankala, Stuart Henderson, Peter Hessler, George Koehler,
Kurt Mosiejczuk, and Christian Weisgerber. Base and X system builds by
Kenji Aoyama, Theo de Raadt, and Miod Vallat. Release art by Apsephion.
We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use. We would also like
to thank those who bought our previous CD sets. Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.
Our developers are:
Aaron Bieber, Adam Wolk, Aisha Tammy, Alexander Bluhm,
Alexander Hall, Alexandr Nedvedicky, Alexandr Shadchin,
Alexandre Ratchov, Andrew Hewus Fresh, Anil Madhavapeddy,
Anthony J. Bentley, Antoine Jacoutot, Anton Lindqvist, Asou Masato,
Ayaka Koshibe, Benoit Lecocq, Bjorn Ketelaars, Bob Beck,
Brandon Mercer, Brent Cook, Brian Callahan, Bryan Steele,
Can Erkin Acar, Caspar Schutijser, Charlene Wendling,
Charles Longeau, Chris Cappuccio, Christian Ludwig,
Christian Weisgerber, Christopher Zimmermann, Claudio Jeker,
Dale Rahn, Damien Miller, Daniel Dickman, Daniel Jakots,
Darren Tucker, Dave Voutila, David Coppa, David Gwynne, David Hill,
Denis Fondras, Edd Barrett, Eric Faurot, Florian Obser,
Florian Riehm, Frederic Cambus, George Koehler, Gerhard Roth,
Giannis Tsaraias, Gilles Chehade, Giovanni Bechis, Gleydson Soares,
Gonzalo L. Rodriguez, Greg Steuck, Hans-Joerg Hoexer, Helg Bredow,
Henning Brauer, Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer,
Ingo Schwarze, Inoguchi Kinichiro, James Hastings, James Turner,
Jan Klemkow, Jason McIntyre, Jasper Lievisse Adriaanse,
Jeremie Courreges-Anglas, Jeremy Evans, Job Snijders, Joel Sing,
Joerg Jung, Johannes Thyssen Tishman, Jonathan Armani,
Jonathan Gray, Jonathan Matthew, Jordan Hargrave, Josh Rickmar,
Joshua Sing, Joshua Stein, Juan Francisco Cantero Hurtado,
Kazuya Goda, Kenji Aoyama, Kenjiro Nakayama, Kenneth R Westerback,
Kent R. Spillner, Kevin Lo, Kirill A. Korinsky, Kirill Bychkov,
Klemens Nanni, Kurt Miller, Kurt Mosiejczuk, Landry Breuil,
Lawrence Teo, Lucas Gabriel Vuotto, Lucas Raab, Marcus Glocker,
Mark Kettenis, Mark Lumsden, Markus Friedl, Martijn van Duren,
Martin Natano, Martin Pieuchot, Martin Reindl, Martynas Venckus,
Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Mikonos,
Mike Belopuhov, Mike Larkin, Miod Vallat, Moritz Buhl, Nam Nguyen,
Nayden Markatchev, Nicholas Marriott, Nigel Taylor, Okan Demirmen,
Omar Polo, Ori Bernstein, Otto Moerbeek, Paco Esteban,
Pamela Mosiejczuk, Pascal Stumpf, Patrick Wildt, Paul Irofti,
Pavel Korovin, Peter Hessler, Philip Guenther,
Pierre-Emmanuel Andre, Pratik Vyas, Rafael Sadowski,
Rafael Zalamena, Raphael Graf, Remi Locherer, Remi Pointel,
Renato Westphal, Ricardo Mestre, Richard Procter, Rob Pierce,
Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha,
Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
Solene Rapenne, Stefan Fritsch, Stefan Hagen, Stefan Kempf,
Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson,
Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler,
Theo de Raadt, Thomas Frohwein, Tim van der Molen, Tobias Heider,
Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove,
Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov,
Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Volker Schlecht,
Yasuoka Masahiko, Yojiro Uo