<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.os.openbsd.announce">
    <title>gmane.os.openbsd.announce</title>
    <link>http://blog.gmane.org/gmane.os.openbsd.announce</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.announce/162"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.announce/161"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.announce/160"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.announce/159"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.announce/158"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.announce/157"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.announce/156"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.announce/155"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.announce/154"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.announce/153"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.announce/152"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.announce/151"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.announce/150"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.announce/149"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.announce/148"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.os.openbsd.announce/147"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.announce/162">
    <title>OpenBSD 5.1 released May 1, 2012</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.announce/162</link>
    <description>&lt;pre&gt;
- OpenBSD 5.1 RELEASED -------------------------------------------------

May 1, 2012.

We are pleased to announce the official release of OpenBSD 5.1.
This is our 31st release on CD-ROM (and 31st via FTP).  We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 5.1 provides significant improvements,
including new features, in nearly all areas of the system:

 - Improved hardware support, including:
   o umsm(4) supports additional mobile broadband devices.
   o Non-GigE ale(4) devices can now establish link to a GigE link partner.
   o Support for Intel 82580 has been added to em(4).
   o Support for MegaRAID 9240 has been added to mfi(4).
   o Support for Nuvoton NCT6776F has been added to lm(4).
   o Support for Centrino Advanced-N 6205 has been added to iwn(4).
   o Support for SiS 1182/1183 SATA has been added to pciide(4).
   o Support for Synaptics touch pads through the synaptics(4) X.Org
     input driver is now enabled by default.
   o Support for Intel Sandy Bridge integrated graphics cards has been
     added to the intel(4) X.Org driver.
   o Assembler implementation of the AES-GCM mode for new Intel and
     future AMD CPUs has been added.
   o usb(4) probes bus after resume, improves functionality for some laptops. 

 - Generic network stack improvements:
   o RFC4638 MTU negotiation for pppoe(4).
   o npppdctl(8) replaced with npppctl(8), written from scratch.
     Includes support for IPv6 as tunnel source address.
   o Improve performance (throughput and loss rate) for PPTP, pppd(8)
     or L2TP(/IPsec) on unstable latency networks (eg mobile).
   o Improved IPv6 fragment handling.
   o Many robustness improvements for IEEE 802.11 (particularly hostap).
   o Improved vlan priority support, including mapping to interface queues.
   o Initial rdomains support for IPv6.
   o Robustness improvements for carp(4).
   o Various IPv6 and rdomain related improvements for carp(4). 

 - Routing daemons and other userland network improvements:
   o fstat(8) now displays routing table ID and socket-splicing information
     and ps can display routing table ID.
   o traceroute(8) and traceroute6(8) can look up ASNs for each hop.
   o snmpd(8) adds a MIB to show statistics for carp(4) interfaces.
   o bgpctl(8) parses and displays MRT routing table dumps.
   o ntpd(8) supports multiple rdomains.
   o When ospfd(8) detects route socket overflow, it now delays before
     it reloads the fib.
   o Improved and more consistent ToS support in various network
     tools (tcpbench(8), nc(8), ping(8), traceroute(8)).
   o Initial import of login_yubikey(8) for logging in using yubikeys.

 - pf(4) improvements:
   o One-shot rule support for pf(4), for use with proxies via anchors.
   o NAT64 support in PF using the af-to keyword.
   o Much improved IPv6 fragment handling.
   o Various enhancements with ICMP and especially ICMPv6 states
   o Improved IPv6 Neighbor Discovery and Multicast Listener Discovery handling.
   o pfctl(8) now prints port numbers instead of service names by default.
   o Netflow v9 and ipfix support for pflow(4).
   o Many pfsync(4) fixes and improvements including jumbo frames and
     automatically requesting a bulk update after a physical interface
     comes online. 

 - Assorted improvements:
   o Improved locale support.
   o Support for MSG_NOSIGNAL.
   o KERN_PROC_CWD sysctl(3) for fetching the path to a process's
     working directory.
   o Improved fnmatch(3), glob(3), and regcomp(3) implementations
     to resist DoS attacks.
   o Lots of HISTORY and AUTHORS information added to manpages.
   o Improved checking of file-offset wraparound.
   o pwrite(2)/pwritev(2) now correctly ignore O_APPEND.
   o Improved conformance of header files with standards.
   o Improved cancelation support in both user-threads (libpthread)
     and rthreads.
   o Improved correctness of execing, coredumping, signal delivery,
     alternate signal stacks, blocking socket accepts(), mutexes
     and condition variables, per-thread errno, symbol binding,
     and ktracing when rthreads are in use.
   o Architecture-independent kernel support for thread-control-block
     handling for rthreads.
   o Small improvements to Linux compat (only available on i386).
   o Multiple bugs have been fixed in the Intel 10Gb driver ix(4).
   o softraid(4) now supports a concatenating discipline.
   o On amd64, i386, and sparc64, the root filesystem can reside in
     a softraid(4) volume. The kernel needs to be booted from a
     non-softraid partition.
   o On amd64, the system can be booted from a softraid(4) RAID1 volume.
   o aucat(1) adds a "device number" component in sndio(7) device
     names, allowing a single aucat instance to handle all audio
     and MIDI services.
   o Built-in sndiod(1) sound daemon now uses default rate 48kHz and
     the default block size 10ms. These settings ensure video players
     and programs using MTC are smooth by default.
   o Many updates to smtpd(8): a new scheduler_backend API introduced,
     more MIME 1.0 support added, new filter callbacks for network events,
     improved DNS error reporting and envelope handling, and the
     purge/ directory is now cleared via a privilege-separated child.
   o tmux(1) is extended to support a larger history, minimizes redundant
     log messages and does some code reordering for more local and less
     global variables. Support is added for the ESC[s and ESC[u
     save/restore cursor-position key sequences. $HOME (or ~) may now
     be used as default-path in tmux.conf.
   o Enhanced cwm(1) event support, added {r,}cycleingroup to cycle
     through clients belonging to the same group as the active client,
     simplified color initialization.
   o The mg(1) emacs-like editor: now uses absolute filenames while
     pushing and popping off the stack. In dired mode: corrected
     cursor movements and added missing keybindings. 

 - OpenSSH 6.0:
    o New features:
      - ssh-keygen(1): add optional checkpoints for moduli screening.
      - ssh-add(1): new -k option to load plain keys (skipping
        certificates).
      - sshd(8): add wildcard support to PermitOpen, allowing things
        like "PermitOpen localhost:*". (bz#1857)
      - ssh(1): support for cancelling local and remote port forwards
        via the multiplex socket. Use "ssh -O cancel -L xx:xx:xx -R
        yy:yy:yy user@host" to request the cancellation of the
        specified forwardings.
      - support cancellation of local/dynamic forwardings from ~C commandline.
    o The following significant bugs have been fixed in this release:
      - ssh(1): ensure that $DISPLAY contains only valid characters
        before using it to extract xauth data so that it can't be
        used to play local shell metacharacter games.
      - ssh(1): unbreak remote port forwarding with dynamic allocated
        listen ports.
      - scp(1): suppress adding '--' to remote commandlines when the
        first argument does not start with '-'. Saves breakage on
        some difficult-to-upgrade embedded/router platforms.
      - ssh(1) and sshd(8): fix typo in IPQoS parsing: there is
        no "AF14" class, but there is an "AF21" class.
      - ssh(1) and sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT
        during rekeying.
      - ssh(1): skip attempting to create ~/.ssh when -F is passed.
      - sshd(8): unbreak stdio forwarding when ControlPersist is
        in use. (bz#1943)
      - sshd(8): send tty break to pty master instead of (probably
        already closed) slave side. (bz#1859)
      - sftp(1): silence error spam for "ls */foo" in directory
        with files. (bz#1683)
      - Fixed a number of memory and file descriptor leaks. 

 - Over 7,000 ports, major performance and stability improvements in
   the package build process
   o Downloading of distfiles is simpler, can resume interrupted
     download, discover file moves, and expire old files. Distfiles
     mirror sites now use the new and improved method.
   o Dependency handling during ports build and package creation is
     at least twice as fast, twenty times as fast in pathological
     cases. This also affects user scripts such as out-of-date
   o More checks are done during package builds, for increased
     user friendliness
   o The long term process of documenting the infrastructure
     is now 100% done.
   o The distributed ports builder (dpb) can now clean up old
     dependencies, thus helping package builds be more reproducible.
     This found tens of hidden build dependencies in the ports tree already.
   o The semantics of pkg_add -a have been nailed down and a few minor
     bugs have been fixed.
   o The arch-dependent issues are better classified, leading to
     better builds on old architectures in some complicated cases.
     In particular, dpb explicitly purges from memory info about
     packages it cannot build and stuff that depends on it,
     leading to better life on sparc and vax which have very small
     data-size limits.
   o dpb recognizes full builds and trims some duplicate package builds 

 - Many pre-built packages for each architecture:
    o i386: 7229                      o sparc64: 6599
    o alpha: 5943                     o sh: 2459
    o amd64: 7181                     o powerpc: 6852
    o sparc: 4152                     o arm: 5536
    o hppa: 6159                      o vax: 2199
    o mips64: 5785                    o mips64el: 5807

 - Some highlights:
    o Gnome 3.2.1                     o KDE 3.5.10
    o Xfce 4.8.3                      o MySQL 5.1.60
    o PostgreSQL 9.1.2                o Postfix 2.8.8
    o OpenLDAP 2.3.43 and 2.4.26      o GHC 7.0.4
    o Mozilla Firefox 3.5.19, 3.6.25 and 9.0.1
    o Mozilla Thunderbird 9.0.1       o LibreOffice 3.4.5.2
    o Emacs 21.4, 22.3 and 23.4       o Vim 7.3.154
    o PHP 5.2.17 and 5.3.10           o Python 2.5.4, 2.7.1 and 3.2.2
    o Ruby 1.8.7.357 and 1.9.3.0      o Tcl 8.5.11
    o Jdk 1.7                         o Mono 2.10.6
    o Chromium 16.0.912.77            o Groff 1.21 

 - As usual, steady improvements in manual pages and other documentation.
    o Base system and Xenocara manuals are now installed as source code,
      making grep(1) more useful in /usr/share/man/ and /usr/X11R6/man/.
    o If both formatted and source versions of manuals are installed,
      man(1) automatically displays the newer version of each page.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.6 with xserver 1.11.4 + patches,
      freetype 2.4.8, fontconfig 2.8.0, Mesa 7.10.3, xterm 276,
      xkeyboard-config 2.5 and more)
    o Gcc 4.2.1 (+patches), 3.3.5 (+ patches) and 2.95.3 (+ patches)
    o Perl 5.12.2 (+ patches)
    o Our improved and secured version of Apache 1.3, with SSL/TLS
      and DSO support
    o OpenSSL 1.0.0f (+ patches)
    o Sendmail 8.14.5, with libmilter
    o Bind 9.4.2-P2 (+ patches)
    o Lynx 2.8.7rel.2 with HTTPS and IPv6 support (+ patches)
    o Sudo 1.7.2p8
    o Ncurses 5.7
    o Heimdal 0.7.2 (+ patches)
    o Arla 0.35.7
    o Binutils 2.15 (+ patches)
    o Gdb 6.3 (+ patches) 
    o Less 444 (+ patches)
    o Awk Aug 10, 2011 version 

If you'd like to see a list of what has changed between OpenBSD 5.0
and 5.1, look at

        http://www.OpenBSD.org/plus51.html

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.

------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each CD release.  As usual, between the
creation of the OpenBSD 5.1 FTP/CD-ROM binaries and the actual 5.1
release date, our team found and fixed some new reliability problems
(note: most are minor and in subsystems that are not enabled by
default).  Our continued research into security means we will find
new security problems -- and we always provide patches as soon as
possible.  Therefore, we advise regular visits to

        http://www.OpenBSD.org/security.html
and
        http://www.OpenBSD.org/errata.html

Security patch announcements are sent to the security-announce@OpenBSD.org
mailing list.  For information on OpenBSD mailing lists, please see:

        http://www.OpenBSD.org/mail.html

------------------------------------------------------------------------
- CD-ROM SALES ---------------------------------------------------------

OpenBSD 5.1 is also available on CD-ROM.  The 3-CD set costs $50 CDN and
is available via mail order and from a number of contacts around the
world.  The set includes a colourful booklet which carefully explains the
installation of OpenBSD.  A new set of cute little stickers is also
included (sorry, but our FTP mirror sites do not support STP, the Sticker
Transfer Protocol).  As an added bonus, the second CD contains an audio
track, a song entitled "Bug Busters".  MP3 and OGG versions of
the audio track can be found on the first CD.

Lyrics (and an explanation) for the songs may be found at:

    http://www.OpenBSD.org/lyrics.html#51

Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 5.1 CD-ROMs are bootable on the following four platforms:

  o i386
  o amd64
  o macppc
  o sparc64

(Other platforms must boot from floppy, network, or other method).

For more information on ordering CD-ROMs, see:

        http://www.OpenBSD.org/orders.html

The above web page lists a number of places where OpenBSD CD-ROMs
can be purchased from.  For our default mail order, go directly to:

        https://https.OpenBSD.org/cgi-bin/order

All of our developers strongly urge you to buy a CD-ROM and support
our future efforts.  Additionally, donations to the project are
highly appreciated, as described in more detail at:

        http://www.OpenBSD.org/goals.html#funding

------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.  There may also be exposure benefits
since the Foundation may be interested in participating in press releases.
In turn, the Foundation then uses these contributions to assist OpenBSD's
infrastructure needs.  Contact the foundation directors at
directors@openbsdfoundation.org for more information.

------------------------------------------------------------------------
- T-SHIRT SALES --------------------------------------------------------

The OpenBSD distribution companies also sell tshirts and polo shirts.
And our users like them, too.  We have a variety of shirts available,
with the new and old designs, from our web ordering system at, as
described above.

-----------------------------------------------------------------------
- FTP INSTALLS ---------------------------------------------------------

If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via FTP or HTTP downloads.  Typically you need a single
small piece of boot media (e.g., a boot floppy) and then the rest
of the files can be installed from a number of locations, including
directly off the Internet.  Follow this simple set of instructions
to ensure that you find all of the documentation you will need
while performing an install via FTP or HTTP.  With the CD-ROMs,
the necessary documentation is easier to find.

1) Read either of the following two files for a list of ftp/http
   mirrors which provide OpenBSD, then choose one near you:

        http://www.OpenBSD.org/ftp.html
        ftp://ftp.OpenBSD.org/pub/OpenBSD/5.1/ftplist

   As of Nov 1, 2011, the following ftp mirror sites have the 5.1 release:

        ftp://ftp.eu.openbsd.org/pub/OpenBSD/5.1/       Stockholm, Sweden
        ftp://ftp.bytemine.net/pub/OpenBSD/5.1/         Oldenburg, Germany
        ftp://ftp.ch.openbsd.org/pub/OpenBSD/5.1/       Zurich, Switzerland
        ftp://ftp.fr.openbsd.org/pub/OpenBSD/5.1/       Paris, France
        ftp://ftp5.eu.openbsd.org/pub/OpenBSD/5.1/      Vienna, Austria
        ftp://mirror.aarnet.edu.au/pub/OpenBSD/5.1/     Brisbane, Australia
        ftp://ftp.usa.openbsd.org/pub/OpenBSD/5.1/      CO, USA
        ftp://ftp5.usa.openbsd.org/pub/OpenBSD/5.1/     CA, USA
        ftp://obsd.cec.mtu.edu/pub/OpenBSD/5.1/         Michigan, USA

        The release is also available at the master site:

        ftp://ftp.openbsd.org/pub/OpenBSD/5.1/          Alberta, Canada

        However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that ftp mirror site and go into the directory
   pub/OpenBSD/5.1/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     armish/          mvme68k/         sparc64/
        Changelogs/      ftplist          mvme88k/         src.tar.gz
        HARDWARE         hp300/           packages/        sys.tar.gz
        PACKAGES         hppa/            ports.tar.gz     tools/
        PORTS            i386/            root.mail        vax/
        README           landisk/         sgi/             xenocara.tar.gz
        alpha/           mac68k/          socppc/          zaurus/
        amd64/           macppc/          sparc/

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        HARDWARE        - list of hardware we support
        PORTS           - description of our "ports" tree
        PACKAGES        - description of pre-compiled packages
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, i386.  This is a list of what you will see:

        INSTALL.i386    cd51.iso        floppyB51.fs    pxeboot*
        INSTALL.linux   cdboot*         floppyC51.fs    xbase51.tgz
        MD5             cdbr*           game51.tgz      xetc51.tgz
        base51.tgz      cdemu51.iso     index.txt       xfont51.tgz
        bsd*            comp51.tgz      install51.iso   xserv51.tgz
        bsd.mp*         etc51.tgz       man51.tgz       xshare51.tgz
        bsd.rd*         floppy51.fs     misc51.tgz

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386
   and the appropriate floppy*.fs or install51.iso files.  Consult the
   INSTALL.i386 file if you don't know which of the floppy images
   you need (or simply fetch all of them).

   If you use the install51.iso file (roughly 250MB in size), then you
   do not need the various *.tgz files since they are contained on that
   one-step ISO-format install CD.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.i386.  INSTALL.i386 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

        http://www.OpenBSD.org/errata.html

   This is the page where we talk about the mistakes we made while
   creating the 5.1 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

Note: If you end up needing to write a raw floppy using Windows,
      you can use "fdimage.exe" located in the pub/OpenBSD/5.1/tools
      directory to do so.

------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.6.  Most of our architectures ship with X.Org, including
amd64, sparc, sparc64 and macppc.  During installation, you can install
X.Org quite easily.  Be sure to try out xdm(1) and see how we have
customized it for OpenBSD.

------------------------------------------------------------------------
- PORTS TREE -----------------------------------------------------------

The OpenBSD ports tree contains automated instructions for building
third party software.  The software has been verified to build and
run on the various OpenBSD architectures.  The 5.1 ports collection,
including many of the distribution files, is included on the 3-CD
set.  Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD.  Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).

------------------------------------------------------------------------
- BINARY PACKAGES WE PROVIDE -------------------------------------------

A large number of binary packages are provided.  Please see the PACKAGES
file (ftp://ftp.OpenBSD.org/pub/OpenBSD/5.1/PACKAGES) for more details.

------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------

The CD-ROMs contain source code for all the subsystems explained
above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/5.1/README)
file explains how to deal with these source files.  For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/5.1/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------

Ports tree and package building by Jasper Lievisse Adriaanse,
Landry Breuil, Michael Erdely, Stuart Henderson, Peter Hessler,
Paul Irofti, Antoine Jacoutot, Robert Nagy, and Christian Weisgerber.
System builds by Theo de Raadt, Mark Kettenis, and Miod Vallat.
X11 builds by Todd Fries and Miod Vallat.  ISO-9660 filesystem
layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who pre-ordered the 5.1 CD-ROM or bought our previous
CD-ROMs.  Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

    Alexander Bluhm, Alexander Hall, Alexander Schrijver,
    Alexander Yurchenko, Alexandr Shadchin, Alexandre Ratchov,
    Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot,
    Ariane van der Steldt, Austin Hook, Benoit Lecocq, Bernd Ahlers,
    Bob Beck, Bret Lambert, Bryan Steele, Camiel Dobbelaar,
    Can Erkin Acar, Charles Longeau, Chris Kuethe, Christian Weisgerber,
    Christiano F. Haesbaert, Claudio Jeker, Dale Rahn, Damien Bergamini,
    Damien Miller, Darren Tucker, David Coppa, David Gwynne, David Hill,
    David Krause, Edd Barrett, Eric Faurot, Federico G. Schwindt,
    Felix Kronlage, Gilles Chehade, Giovanni Bechis, Gleydson Soares,
    Henning Brauer, Ian Darwin, Igor Sobrado, Ingo Schwarze,
    Jacek Masiulaniec, Jakob Schlyter, Janne Johansson, Jason George,
    Jason McIntyre, Jason Meltzer, Jasper Lievisse Adriaanse,
    Jeremy Evans, Jim Razmus II, Joel Knight, Joel Sing, Joerg Zinke,
    Jolan Luff, Jonathan Armani, Jonathan Gray, Jonathan Matthew,
    Jordan Hargrave, Joshua Elsasser, Joshua Stein, Kenji Aoyama,
    Kenneth R Westerback, Kevin Lo, Kevin Steves, Kurt Miller,
    Landry Breuil, Laurent Fanis, Luke Tymowski, Marc Espie,
    Marco Pfatschbacher, Marcus Glocker, Mark Kettenis, Mark Lumsden,
    Mark Uemura, Markus Friedl, Martin Pieuchot, Martynas Venckus,
    Mats O Jansson, Matthew Dempsky, Matthias Kilian, Matthieu Herrb,
    Michael Erdely, Mike Belopuhov, Mike Larkin, Miod Vallat,
    Nayden Markatchev, Nicholas Marriott, Nick Holland, Nigel Taylor,
    Nikolay Sturm, Okan Demirmen, Otto Moerbeek, Owain Ainsworth,
    Pascal Stumpf, Paul de Weerd, Paul Irofti, Peter Hessler,
    Peter Valchev, Philip Guenther, Pierre-Emmanuel Andre,
    Pierre-Yves Ritschard, Remi Pointel, Reyk Floeter, Robert Nagy,
    Ryan Freeman, Ryan Thomas McBride, Sasano, Sebastian Benoit,
    Sebastian Reitenbach, Simon Bertrang, Simon Perreault,
    Stefan Sperling, Stephan A. Rickauer, Steven Mestdagh,
    Stuart Cassoff, Stuart Henderson, Takuya Asada, Ted Unangst,
    Theo de Raadt, Thordur I Bjornsson, Tobias Stoeckmann,
    Tobias Weingartner, Todd C. Miller, Todd Fries, Uwe Stuehler,
    Will Maier, William Yodlowsky, Yasuoka Masahiko, Yojiro Uo


&lt;/pre&gt;</description>
    <dc:creator>Bob Beck</dc:creator>
    <dc:date>2012-05-01T14:46:17</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.announce/161">
    <title>Announce: OpenSSH 6.0 released</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.announce/161</link>
    <description>&lt;pre&gt;
OpenSSH 6.0 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed
code or patches, reported bugs, tested snapshots or donated to the
project. More information on donations may be found at:
http://www.openssh.com/donations.html

Changes since OpenSSH 5.9
=========================

This is primarily a bugfix release.

Features:

 * ssh-keygen(1): Add optional checkpoints for moduli screening
 * ssh-add(1): new -k option to load plain keys (skipping certificates)
 * sshd(8): Add wildcard support to PermitOpen, allowing things like
   "PermitOpen localhost:*".  bz #1857
 * ssh(1): support for cancelling local and remote port forwards via the
   multiplex socket. Use "ssh -O cancel -L xx:xx:xx -R yy:yy:yy user@host"
   to request the cancellation of the specified forwardings
 * support cancellation of local/dynamic forwardings from ~C commandline

Bugfixes:

 * ssh(1): ensure that $DISPLAY contains only valid characters before
   using it to extract xauth data so that it can't be used to play local
   shell metacharacter games.
 * ssh(1): unbreak remote portforwarding with dynamic allocated listen ports
 * scp(1): suppress adding '--' to remote commandlines when the first
   argument does not start with '-'. saves breakage on some
   difficult-to-upgrade embedded/router platforms
 * ssh(1)/sshd(8): fix typo in IPQoS parsing: there is no "AF14" class,
   but there is an "AF21" class
 * ssh(1)/sshd(8): do not permit SSH2_MSG_SERVICE_REQUEST/ACCEPT during
   rekeying
 * ssh(1): skip attempting to create ~/.ssh when -F is passed
 * sshd(8): unbreak stdio forwarding when ControlPersist is in use; bz#1943
 * sshd(1): send tty break to pty master instead of (probably already
   closed) slave side; bz#1859
 * sftp(1): silence error spam for "ls */foo" in directory with files;
   bz#1683
 * Fixed a number of memory and file descriptor leaks

Portable OpenSSH:

 * Add a new privilege separation sandbox implementation for Linux's
   new seccomp sandbox, automatically enabled on platforms that support
   it. (Note: privilege separation sandboxing is still experimental)
 * Fix compilation problems on FreeBSD, where libutil contained openpty()
   but not login().
 * ssh-keygen(1): don't fail in -A on platforms that don't support ECC
 * Add optional support for LDNS, a BSD licensed DNS resolver library
   which supports DNSSEC
 * Relax OpenSSL version check to allow running OpenSSH binaries on
   systems with OpenSSL libraries with a newer "fix" or "patch" level
   than the binaries were originally compiled on (previous check only
   allowed movement within "patch" releases). bz#1991
 * Fix builds using contributed Redhat spec file. bz#1992

Checksums:
==========

 - SHA1 (openssh-6.0.tar.gz) = 5d30aba0423c44e89924bb44c5d2153635506a9f
 - SHA1 (openssh-6.0p1.tar.gz) = f691e53ef83417031a2854b8b1b661c9c08e4422

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh@openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.


&lt;/pre&gt;</description>
    <dc:creator>Damien Miller</dc:creator>
    <dc:date>2012-04-22T00:53:19</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.announce/160">
    <title>pre-orders activate for OpenBSD 5.1</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.announce/160</link>
    <description>&lt;pre&gt;It is that time again.  I have just activated pre-orders for CDs,
tshirts, and posters for the 5.1 release -- due May 1.

    http://openbsd.org/orders.html
    
At the same time, I am making available the song that will come out
with the release (hmm, it is still moving out to the ftp mirrors at
the moment, but that is ok).  The song and details of it are linked
from:

    http://openbsd.org/lyrics.html

And there is something else.  Five years ago we made available an
Audio CD that contained 5 years of songs.  Well, we have made a new
audio CD since enough new songs have been made.  It is not very
expensive, so please consider buying this as well when you place any
order.  It has some rather nice liner notes.  Had some great fun
coming up with the cover for that CD:

   http://openbsd.org/images/cdaudio2.gif 
    
I'd also like to remind you that Michael Lucas' new "SSH Mastery" book
is also now available, in case anyone was waiting for the 5.1 release
to place one order.

    http://openbsd.org/books.html#book9

Please consider purchasing these items and/or making a donation, since
this is a very important revenue source which keeps the project going.


&lt;/pre&gt;</description>
    <dc:creator>Theo de Raadt</dc:creator>
    <dc:date>2012-03-14T02:47:24</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.announce/159">
    <title>Welcome to the announce list!</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.announce/159</link>
    <description>&lt;pre&gt;Welcome to the announce mailing list!
Your password at OpenBSD Mailing List Server is

vdkwVk

To leave this mailing list, send the following command in the body
of a message to majordomo&amp;lt; at &amp;gt;openbsd.org:

approve vdkwVk unsubscribe announce gooa-announce&amp;lt; at &amp;gt;lo.gmane.org

This command will work even if your address changes.  For that reason,
among others, it is important that you keep a copy of this message.

To post a message to the mailing list, send it to
  announce&amp;lt; at &amp;gt;openbsd.org

If you need help or have questions about the mailing list, please
contact the people who manage the list by sending a message to
  owner-announce&amp;lt; at &amp;gt;openbsd.org

You can manage your subscription by visiting the following WWW location:
  &amp;lt;http://lists.openbsd.org/cgi-bin/mj_wwwusr/domain=openbsd.org/gooa-announce%40lo.gmane.org&amp;gt;


&lt;/pre&gt;</description>
    <dc:creator>owner-announce&lt; at &gt;openbsd.org</dc:creator>
    <dc:date>2011-12-09T09:05:17</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.announce/158">
    <title>E5BD-612D-C2A8 : REMINDER from announce</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.announce/158</link>
    <description>&lt;pre&gt;__ 
Some time ago, a confirmation token was sent to you because of the
following request:

  "subscribe announce gooa-announce&amp;lt; at &amp;gt;lo.gmane.org (Gmane Admin)"

It was sent for the following reason(s):

  The subscribe_policy rule says that the "subscribe" command
  must be confirmed by the person affected by the command.
  

This request has neither been accepted nor rejected.  If you want this
action to be taken, please do one of the following:

1. If you have web browsing capability, visit
   &amp;lt;http://lists.openbsd.org/cgi-bin/mj_confirm/domain=openbsd.org?t=E5BD-612D-C2A8&amp;gt;
   and follow the instructions there.

2. Reply to majordomo&amp;lt; at &amp;gt;openbsd.org
   with one of the following two commands in the body of the message:

    accept
    reject

   (The number E5BD-612D-C2A8 must be in the Subject header)

3. Reply to majordomo&amp;lt; at &amp;gt;openbsd.org
   with one of the following two commands in the body of the message:

    accept E5BD-612D-C2A8
    reject E5BD-612D-C2A8

If you do not respond within 3 days, this token will expire.

If you would like to communicate with a person, 
send mail to owner-announce&amp;lt; at &amp;gt;openbsd.org.

&lt;/pre&gt;</description>
    <dc:creator>owner-announce&lt; at &gt;openbsd.org</dc:creator>
    <dc:date>2011-12-07T06:20:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.announce/157">
    <title>E5BD-612D-C2A8 : CONFIRM from announce (subscribe)</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.announce/157</link>
    <description>&lt;pre&gt;__ 
The following request

  "subscribe announce gooa-announce&amp;lt; at &amp;gt;lo.gmane.org (Gmane Admin)"

was sent to OpenBSD Mailing List Server 
by gooa-announce&amp;lt; at &amp;gt;lo.gmane.org (Gmane Admin).

To accept or reject this request, please do one of the following:

1. If you have web browsing capability, visit
   &amp;lt;http://lists.openbsd.org/cgi-bin/mj_confirm/domain=openbsd.org?t=E5BD-612D-C2A8&amp;gt;
   and follow the instructions there.

2. Reply to majordomo&amp;lt; at &amp;gt;openbsd.org 
   with one of the following two commands in the body of the message:

    accept
    reject

   (The number E5BD-612D-C2A8 must be in the Subject header)

3. Reply to majordomo&amp;lt; at &amp;gt;openbsd.org 
   with one of the following two commands in the body of the message:
   
    accept E5BD-612D-C2A8
    reject E5BD-612D-C2A8

Your confirmation is required for the following reason(s):

  The subscribe_policy rule says that the "subscribe" command 
  must be confirmed by the person affected by the command.
  

If you do not respond within 4 days, a reminder will be sent.

If you do not respond within 7 days, this token will expire,
and the request will not be completed.

If you would like to communicate with a person, 
send mail to owner-announce&amp;lt; at &amp;gt;openbsd.org.

&lt;/pre&gt;</description>
    <dc:creator>owner-announce&lt; at &gt;openbsd.org</dc:creator>
    <dc:date>2011-12-03T00:39:49</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.announce/156">
    <title>OpenBSD 4.8 released Nov 1, 2010</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.announce/156</link>
    <description>&lt;pre&gt;------------------------------------------------------------------------
- OpenBSD 4.8 RELEASED -------------------------------------------------

Nov 1, 2010.

We are pleased to announce the official release of OpenBSD 4.8.
This is our 28th release on CD-ROM (and 29th via FTP).  We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 4.8 provides significant improvements,
including new features, in nearly all areas of the system:

 - New/extended platforms:
    o i386 and amd64:
       - ACPI-based suspend/resume works on most machines with
         Intel/ATI video. Machines using NVidia graphics will not
         resume the graphics.  cardbus(4) and pcmcia(4) will still
         have some problems, too.

 - Improved hardware support, including:
    o New acpisony(4) driver for Sony ACPI control.
    o New itherm(4) driver for Intel 3400 temperature sensor.
    o New se(4) driver for SiS 190 10/100/Gigabit Ethernet devices.
    o New uguru(4) driver for ABIT temperature, voltage and fan sensors.
    o New owctr(4) driver for 1-Wire counter devices.
    o New pgs(4) driver for Programmers Switch found on some macppc machines.
    o Support for 82576 fiber and 82577/82578 (PCH) based devices has been
      added to em(4).
    o Support for 24-bit encodings and USB 2.0 playback has been added to
      uaudio(4).
    o Support for Winbond/Nuvoton W83627DHG-P has been added to wbsio(4).
    o Support for RTL8168E has been added to re(4).
    o Support for 800x480 has been added to udl(4).
    o Support for M-audio Audiophile 192k has been added to envy(4).
    o Support for Intel Core i3/i5 internal graphics (Ironlake) has been
      added to inteldrm(4) and agp(4).
    o The ss(4) and uscanner(4) drivers have been removed.
    o Improved robustness of several SCSI/SAS/RAID HBA drivers, including
      mpi(4), mpii(4) and ciss(4). 

 - New tools:
    o iked(8), an Internet Key Exchange version 2 (IKEv2) daemon.
    o ldapd(8), a Lightweight Directory Access Protocol (LDAP) daemon.

 - Filesystem midlayer improvements:
    o Fix internal locking in (still experimental!) NTFS.

 - OpenBGPD, OpenOSPFD and other routing daemon improvements:
    o bgpd(8) control sockets are now specified in the config file.
      This removes the -s and -r arguments to bgpd.
    o Extended the BGP MPLS VPN support to allow Layer-3 MPLS VPNs to be
      terminated on OpenBSD with the help of mpe(4), ldpd(8), and bgpd(8).
    o bgpd(8) supports multiple FIBs and it is possible to assign them
      to RIBs for redistribution.
    o bgpd now supports to use neighbor-as in AS filter statements and
      added two new filters -- max-as-seq and max-as-len -- to limit the
      length of a sequence of a single AS or the total length of an AS path.
    o Added softreconfig support in bgpd for peers changing the RIB.
    o Fixed multiprotocol MRT dumps and added 4-byte AS-Number support in bgpd(8).
    o Added support for ping6 and traceroute6 in bgplg(8) and bgplgsh(8)
    o ospfd(8) has better LSA pruning and config reload support.
    o ospf6d(8) now supports LSAs larger than the link MTU, has improved
      interoperability with other OSPFv3 implementations, can redistribute
      the default route, and will correctly handle IPv6 prefixes advertised
      by neighbours on the same link but not configured on the router itself.
    o Various improvements in ldpd(8) including correct penultimate hop
      popping, better session handling, and an improved config file parser.

 - Generic network stack improvements:
    o ifconfig(8) and route(8)  get better Multiprotocol Label
      Switching support.
    o traceroute(8) now supports extended ICMP headers which allows
      printing of MPLS labels.
    o Support for RFC 4941 privacy extensions for stateless address
      autoconfiguration has been added to inet6(4) and can be enabled
      via ifconfig(8).
    o ifconfig(8) now supports random selection of MAC addresses.
    o tcpdump(8) now decodes Multicast Listener Discovery version 2
      and Internet Key Exchange version 2 traffic.
    o enc(4) and ipsec(4) are now aware of routing domains.
    o dhcpd(8) and dhclient(8) are now capable of running in different
      routing domains.
    o Added MPLS support and a simple keepalive mechanism to gre(4).
    o Added MPLS support to gif(4).
    o Support for 802.1ad-style QinQ nested VLANs with the addition
      of svlan(4) (service VLAN) interfaces.
    o Added a RTM_DESYNC routing message as indicator that route messages
      got dropped because of insufficient buffer space. ospfd(8) uses
      this message to keep the internal view of the routing table in sync.

 - SCSI improvements:
    o better cd(4) detaching.
    o better st(4) sense data and buf handling.
    o eliminate excessive delays when starting DVD playing.
    o ask only for minimal (i.e. 18 bytes) sense data, fixing usb devices.
    o migrate to using bufq.
    o always try READ CAPACITY 16 on devices claiming to be SCSI-3.
    o many performance and reliability improvements as a result of
      new SCSI midlayer:
      - introduce round-robin scheduling of resources for
        outstanding device commands to prevent a single device
        from monopolising the bus.
      - significant reduction in memory consumption used for
        tracking devices attached to buses.
      - eliminate many unnecessary splbio/splx calls in SCSI drivers.
      - eliminate many use after free's exposed by new SCSI midlayer.
      - eliminate scsi_scsi_cmd(), simplifying calling inside SCSI midlayer.
      - eliminate struct scsi_device.
      - eliminate many uninitialized data references and invalid
        scsi_done() calls exposed by new SCSI midlayer.
      - eliminate use of EAGAIN.
      - eliminate almost all uses of NO_CCB and XS_NO_CCB. 

 - Assorted improvements:
    o mbtowc(3) multi-byte/wide-character conversion functions have been added
      to the C library, and setlocale(3) now supports the en_US.UTF-8 locale.
    o posix_madvise(2), posix_memalign(3), strndup(3), and strnlen(3) have been
      added to the C library.
    o The event(3) library was updated to version 1.4.14b.
    o The pthreads(3) library now implements the
      pthread_rwlock_timed{rd,wr}lock interfaces.
    o AES-NI support has been integrated into the OpenSSL crypto(3) library.
    o MIDI control in non-server mode was added to aucat(1), including seeking
      within .wav files
    o A new record-what-you-hear feature was added to aucat(1).
    o The minimum extra latency of the aucat(1) server was lowered to a single
      block, improving usability of low-latency programs without stability
      compromise.
    o disklabel(8) now supports unique disk identifiers.
    o ftp(1) now handles redirection to relative URLs in the Location: header
      of HTTP responses.
    o lint(1) now recognizes the C99 data types _Bool and _Complex and some
      related gcc extensions.
    o make(1) now allows variables in SysV modifiers, and implements the :QL
      (quote list) modifier.
    o man(1) now allows to combine the -s option with -m or -M.
    o Improved directory editing in mg(1).
    o newfs(8) has been tweaked to better support large file systems.
    o od(1) now supports the POSIX -A option to select an input address base.
    o sendbug(1) now includes the output of usbdevs -v into the template.
    o smtpd(8) now supports the SIZE and ENHANCEDSTATUSCODES extensions and
      the "plain" backend for maps, and performance was improved when
      handling large amounts of mail.
    o wsconsctl(8) now handles more than one keyboard, mouse and display.
    o Many memory leaks have been fixed in various userland utilities.
    o amd64, i386, hppa, sparc64, socppc and macppc platforms were switched
      over to gcc4. 
    o newfs(8) now makes FFS2 the default for partitions larger
      than INT_MAX blocks.
    o dhcpd(8) now includes the server id in NAK messages, as
      required by some relays.
    o disklabel(8) now aligns the start and end of FFS partitions on
      bsize boundaries where it can, to improve performance on
      4096-byte block devices.
    o by default, read and write caching is now turned on for
      non-USB scsi disks.
    o getdirentries(2) now checks to ensure that it doesn't wrap
      or truncate directory information on architectures where LONG
      is a different size from LONG LONG.
    o disklabel(8) now ensures correct physical bounds and disk size
      are used when building a disklabel from saved ascii disklabel.
    o it is again possible to build a bsd.rd that has DDB.
    o pms(4) now works much better with various trackpads and over
      suspend/resume cycles.
    o fdisk(8) now aligns the OpenBSD partition on a power of 2
      block boundary to improve performance on 4096-byte block devices.
    o nfsd(8) now logs start up errors to the system log as well
      as the console.
    o nfsd(8) now errors out if given an invalid number of servers to run. 

 - Install/Upgrade process changes:
    o If the system time is off by more than 120 seconds, ask if the user
      wants to set it accordingly.
    o disklabel(8) now allows to customize auto allocated labels using
      the -R option.
    o Default network install method changed from FTP to HTTP.
    o Automatically set /etc/pkg.conf `installfrom' entry to the public
      mirror used while installing or upgrading.
    o sysmerge(8) now automatically installs missing users and groups.

 - OpenSSH 5.5:
    o New features:
      - Added a ControlPersist option to ssh_config(5).
      - Hostbased authentication may now use certificate host keys.
      - ssh-keygen(1) now supports signing certificate using a CA key
        that has been stored in a PKCS#11 token.
      - ssh(1) will now log the hostname and address that we connected to
        at LogLevel=verbose after authentication is successful to mitigate
        "phishing" attacks.
      - Expand %h to the hostname in ssh_config Hostname options.
      - Allow ssh-keygen(1) to import and export PEM and PKCS#8 keys.
      - sshd(8) will now queue debug messages for bad ownership or permissions
        on the user's keyfiles encountered during authentication.
      - ssh(1) connection multiplexing now supports remote forwarding with
        dynamic port allocation and can report the allocated port back to
        the user.
      - sshd(8) now supports indirection in matching of principal names
        listed in certificates. sshd(8) now has a new AuthorizedPrincipalsFile
        option.
      - Additional sshd_config(5) options are now valid inside Match blocks:
          o AuthorizedKeysFile
          o AuthorizedPrincipalsFile
          o HostbasedUsesNameFromPacketOnly
          o PermitTunnel
    o The following significant bugs have been fixed in this release:
      - The PKCS#11 code now retries a lookup for a private key if there is
        no matching key with CKA_SIGN attribute enabled (bz#1736).
      - Unbreak strdelim() skipping past quoted strings.
      - sftp(1): fix swapped args in upload_dir_internal() (bz#1797).
      - Fix a longstanding problem where if you suspend scp(1) at the
        password/passphrase prompt the terminal mode is not restored.
      - Fix a PKCS#11 crash on some smartcards by validating the length
        returned for C_GetAttributValue (bz#1773).
      - sftp(1): fix ls in working directories that contain globbing
        characters in their pathnames (bz#1655).
      - Print warning for missing home directory when ChrootDirectory=none.
        (bz#1564).
      - sftp(1): fix a memory leak in do_realpath() error path (bz#1771).
      - ssh-keygen(1): Standardise error messages when attempting to open
        private key files to include "progname: filename: error reason"
        (bz#1783).
      - Replace verbose and overflow-prone Linebuf code with
        read_keyfile_line() (bz#1565).
      - Include the user name on "subsystem request for ..." log messages.
      - ssh(1) and sshd(8): remove hardcoded limit of 100 permitopen clauses
        and port forwards per direction (bz#1327).
      - sshd(8): ignore stderr output from subsystems to avoid hangs if a
        subsystem or shell initialisation writes to stderr (bz#1750).
      - Skip the initial check for access with an empty password when
        PermitEmptyPasswords=no (bz#1638).
      - sshd(8): fix logspam when key options (from="..." especially) deny
        non-matching keys (bz#1765).
      - ssh-keygen(1): display a more helpful error message when $HOME is
        inaccessible while trying to create .ssh directory (bz#1740).
      - ssh(1): fix hang when terminating a mux slave using ~ (bz#1758).
      - ssh-keygen(1): refuse to generate keys longer than
        OPENSSL_[RD]SA_MAX_MODULUS_BITS (bz#1516).
      - Suppress spurious tty warning when using -O and stdin is not
        a tty (bz#1746).
      - Kill channel when pty allocation requests fail (bz#1698).

 - Mandoc 1.10.5:
    o The mandoc(1) utility is now used to build all manuals in the base
      system and in Xenocara from mdoc(7) and man(7) sources.
    o New integrated roff preprocessor with minimal support for conditional
      requests, nested roff requests, string definitions, roff registers,
      also parsing and ignoring macro definitions.
    o Improved support for manual pages generated by pod2man(1).
    o Many parser improvements, in particular mdoc(7) support for word
      keeps, synopsis mode in arbitrary sections, graceful handling of
      badly nested blocks, and improved parsing of column displays.
    o New PostScript and PDF output frontends.
    o Many ASCII and HTML output formatting improvements, for example
      proper synopsis indentation and improved end-of-sentence detection.
    o Considerably improved syntax checking and error reporting.

 - Over 5,800 ports, major robustness and speed improvements in package tools.
 - Many pre-built packages for each architecture:
    o i386: 6218                      o sparc64: 5950
    o alpha: 5827                     o sh: 1100
    o amd64: 6166                     o powerpc: 5996
    o sparc: 4130                     o arm: 5628
    o hppa: 5632                      o vax: 1528
    o mips64: 3632                    o mips64el: 4486

 - Some highlights:
    o Gnome 2.30.2                    o KDE 3.5.10
    o Xfce 4.6.2                      o MySQL 5.1.48
    o PostgreSQL 8.4.4                o Postfix 2.7.1
    o OpenLDAP 2.3.43                 o Mozilla Firefox 3.6.8 and 3.5.11
    o Mozilla Thunderbird 3.1.1       o OpenOffice.org 3.2.1
    o Emacs 21.4 and 22.3             o Vim 7.2.444
    o PHP 5.2.13                      o Python 2.4.6, 2.5.4 and 2.6.5
    o Ruby 1.8.6.369                  o Mono 2.6.4

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.5 with xserver 1.8 + patches, freetype 2.3.12, fontconfig 2.8.0, Mesa 7.8.2, xterm 258 and more)
    o Gcc 2.95.3 (+ patches), 3.3.5 (+ patches) and 4.2.1 (+patches)
      (depends on the architecture)
    o Perl 5.10.1 (+ patches)
    o Our improved and secured version of Apache 1.3, with SSL/TLS and DSO support
    o OpenSSL 0.9.8k (+ patches)
    o Groff 1.15
    o Sendmail 8.14.3, with libmilter
    o Bind 9.4.2-P2 (+ patches)
    o Lynx 2.8.6rel.5 with HTTPS and IPv6 support (+ patches)
    o Sudo 1.7.2
    o Ncurses 5.7
    o Latest KAME IPv6
    o Heimdal 0.7.2 (+ patches)
    o Arla 0.35.7
    o Binutils 2.15 (+ patches)
    o Gdb 6.3 (+ patches) 

If you'd like to see a list of what has changed between OpenBSD 4.7
and 4.8, look at

        http://www.OpenBSD.org/plus48.html

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.

------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each CD release.  As usual, between the
creation of the OpenBSD 4.8 FTP/CD-ROM binaries and the actual 4.8
release date, our team found and fixed some new reliability problems
(note: most are minor and in subsystems that are not enabled by
default).  Our continued research into security means we will find
new security problems -- and we always provide patches as soon as
possible.  Therefore, we advise regular visits to

        http://www.OpenBSD.org/security.html
and
http://www.OpenBSD.org/errata.html

Security patch announcements are sent to the security-announce&amp;lt; at &amp;gt;OpenBSD.org
mailing list.  For information on OpenBSD mailing lists, please see:

http://www.OpenBSD.org/mail.html

------------------------------------------------------------------------
- CD-ROM SALES ---------------------------------------------------------

OpenBSD 4.8 is also available on CD-ROM.  The 3-CD set costs $50 CDN and
is available via mail order and from a number of contacts around the
world.  The set includes a colourful booklet which carefully explains the
installation of OpenBSD.  A new set of cute little stickers is also
included (sorry, but our FTP mirror sites do not support STP, the Sticker
Transfer Protocol).  As an added bonus, the second CD contains an audio
track, a song entitled "El Puffiachi".  MP3 and OGG versions of
the audio track can be found on the first CD.

Lyrics (and an explanation) for the songs may be found at:

    http://www.OpenBSD.org/lyrics.html#48

Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 4.8 CD-ROMs are bootable on the following four platforms:

  o i386
  o amd64
  o macppc
  o sparc64

(Other platforms must boot from floppy, network, or other method).

For more information on ordering CD-ROMs, see:

        http://www.OpenBSD.org/orders.html

The above web page lists a number of places where OpenBSD CD-ROMs
can be purchased from.  For our default mail order, go directly to:

        https://https.OpenBSD.org/cgi-bin/order

All of our developers strongly urge you to buy a CD-ROM and support
our future efforts.  Additionally, donations to the project are
highly appreciated, as described in more detail at:

        http://www.OpenBSD.org/goals.html#funding

------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense writeoff, so this is certainly a consideration for
some organizations or businesses.  There may also be exposure benefits
since the Foundation may be interested in participating in press releases.
In turn, the Foundation then uses these contributions to assist OpenBSD's
infrastructure needs.  Contact the foundation directors at
directors&amp;lt; at &amp;gt;openbsdfoundation.org for more information.

------------------------------------------------------------------------
- T-SHIRT SALES --------------------------------------------------------

The OpenBSD distribution companies also sell tshirts and polo shirts.
And our users like them too.  We have a variety of shirts available,
with the new and old designs, from our web ordering system at, as
described above.

There is no specific new OpenBSD shirt for this release -- we decided
to skip a release.  However, we also sell our older shirts, as well as
a selection of OpenSSH t-shirts.

------------------------------------------------------------------------
- FTP INSTALLS ---------------------------------------------------------

If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via FTP.  Typically you need a single small piece of boot
media (e.g., a boot floppy) and then the rest of the files can be
installed from a number of locations, including directly off the
Internet.  Follow this simple set of instructions to ensure that
you find all of the documentation you will need while performing
an install via FTP.  With the CD-ROMs, the necessary documentation
is easier to find.

1) Read either of the following two files for a list of ftp
   mirrors which provide OpenBSD, then choose one near you:

        http://www.OpenBSD.org/ftp.html
        ftp://ftp.OpenBSD.org/pub/OpenBSD/4.8/ftplist

   As of Nov 1, 2010, the following ftp mirror sites have the 4.8 release:

ftp://ftp.eu.openbsd.org/pub/OpenBSD/4.8/       Stockholm, Sweden
ftp://ftp.bytemine.net/pub/OpenBSD/4.8/         Oldenburg, Germany
ftp://mirror.aarnet.edu.au/pub/OpenBSD/4.8/     Brisbane, Australia
ftp://ftp.wu-wien.ac.at/pub/OpenBSD/4.8/        Vienna, Austria
ftp://ftp.usa.openbsd.org/pub/OpenBSD/4.8/      CO, USA
ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.8/     CA, USA
ftp://obsd.cec.mtu.edu/pub/OpenBSD/4.8/         Michigan, USA

The release is also available at the master site:

ftp://ftp.openbsd.org/pub/OpenBSD/4.8/        Alberta, Canada

However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that ftp mirror site and go into the directory
   pub/OpenBSD/4.8/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     armish/          mvme68k/         sparc64/
        Changelogs/      ftplist          mvme88k/         src.tar.gz
        HARDWARE         hp300/           packages/        sys.tar.gz
        PACKAGES         hppa/            ports.tar.gz     tools/
        PORTS            i386/            root.mail        vax/
        README           landisk/         sgi/             xenocara.tar.gz
        alpha/           mac68k/          socppc/          zaurus/
        amd64/           macppc/          sparc/

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        HARDWARE        - list of hardware we support
        PORTS           - description of our "ports" tree
        PACKAGES        - description of pre-compiled packages
        root.mail       - a copy of root's mail at initial login.
  (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, i386.  This is a list of what you will see:

INSTALL.i386    cd48.iso        floppyB48.fs    pxeboot*
INSTALL.linux   cdboot*         floppyC48.fs    xbase48.tgz
MD5             cdbr*           game48.tgz      xetc48.tgz
base48.tgz      cdemu48.iso     index.txt       xfont48.tgz
bsd*            comp48.tgz      install48.iso   xserv48.tgz
bsd.mp*         etc48.tgz       man48.tgz       xshare48.tgz
bsd.rd*         floppy48.fs     misc48.tgz

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386
   and the appropriate floppy*.fs or install48.iso files.  Consult the
   INSTALL.i386 file if you don't know which of the floppy images
   you need (or simply fetch all of them).

   If you use the install48.iso file (roughly 200MB in size), then you
   do not need the various *.tgz files since they are contained on that
   one-step ISO-format install CD.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.i386.  INSTALL.i386 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

        http://www.OpenBSD.org/errata.html

   This is the page where we talk about the mistakes we made while
   creating the 4.8 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

Note: If you end up needing to write a raw floppy using Windows,
      you can use "fdimage.exe" located in the pub/OpenBSD/4.8/tools
      directory to do so.

------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.4.  Most of our architectures ship with X.Org, including
amd64, sparc, sparc64 and macppc.  During installation, you can install
X.Org quite easily.  Be sure to try out xdm(1) and see how we have
customized it for OpenBSD.

------------------------------------------------------------------------
- PORTS TREE -----------------------------------------------------------

The OpenBSD ports tree contains automated instructions for building
third party software.  The software has been verified to build and
run on the various OpenBSD architectures.  The 4.8 ports collection,
including many of the distribution files, is included on the 3-CD
set.  Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD.  Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).

------------------------------------------------------------------------
- BINARY PACKAGES WE PROVIDE -------------------------------------------

A large number of binary packages are provided.  Please see the PACKAGES
file (ftp://ftp.OpenBSD.org/pub/OpenBSD/4.8/PACKAGES) for more details.

------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------

The CD-ROMs contain source code for all the subsystems explained
above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/4.8/README)
file explains how to deal with these source files.  For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/4.8/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------

Ports tree and package building by Jasper Lievisse Adriaanse,
Landry Breuil, Michael Erdely, Stuart Henderson, Peter Hessler,
Paul Irofti, Antoine Jacoutot, Robert Nagy, and Christian Weisgerber.
System builds by Theo de Raadt, Mark Kettenis, and Miod Vallat.
X11 builds by Todd Fries and Miod Vallat.  ISO-9660 filesystem
layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who pre-ordered the 4.8 CD-ROM or bought our previous
CD-ROMs.  Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

    Alexander Bluhm, Alexander Hall, Alexander von Gernler,
    Alexander Yurchenko, Alexandre Ratchov, Alexey Vatchenko,
    Anders Magnusson, Andreas Gunnarsson, Anil Madhavapeddy,
    Antoine Jacoutot, Ariane van der Steldt, Artur Grabowski,
    Austin Hook, Benoit Lecocq, Bernd Ahlers, Bob Beck, Bret Lambert,
    Can Erkin Acar, Chad Loder, Charles Longeau, Chris Kuethe,
    Christian Weisgerber, Claudio Jeker, Dale Rahn, Damien Bergamini,
    Damien Miller, Dariusz Swiderski, Darren Tucker,
    David Gwynne, David Hill, David Krause, Edd Barrett, Eric Faurot,
    Esben Norby, Fabien Romano, Federico G. Schwindt, Felix Kronlage,
    Gilles Chehade, Giovanni Bechis, Gordon Willem Klok,
    Henning Brauer, Ian Darwin, Igor Sobrado, Ingo Schwarze,
    Jacek Masiulaniec, Jacob Meuser, Jakob Schlyter, Janne Johansson,
    Jared Yanovich, Jason Dixon, Jason George, Jason McIntyre,
    Jason Meltzer, Jasper Lievisse Adriaanse, Jim Razmus II, Joel Sing,
    Joerg Goltermann, Johan Mson Lindman, Jolan Luff, Jonathan Armani,
    Jonathan Gray, Jordan Hargrave, Joshua Stein, Kenneth R Westerback,
    Kevin Lo, Kevin Steves, Kjell Wooding, Kurt Miller, Landry Breuil,
    Laurent Fanis, Marc Espie, Marco Peereboom, Marco Pfatschbacher,
    Marco S Hyman, Marcus Glocker, Marek Vasut, Mark Kettenis,
    Mark Uemura, Markus Friedl, Martin Reindl, Martynas Venckus,
    Mathieu Sauve-Frankel, Mats O Jansson, Matthias Kilian,
    Matthieu Herrb, Michael Erdely, Michael Knudsen, Michele Marchetto,
    Mike Larkin, Miod Vallat, Moritz Grimm, Moritz Jodeit,
    Nicholas Marriott, Nick Holland, Nikolay Sturm, Okan Demirmen,
    Oleg Safiullin, Otto Moerbeek, Owain Ainsworth, Paul de Weerd,
    Paul Irofti, Peter Hessler, Peter Stromberg, Peter Valchev,
    Philip Guenther, Pierre-Emmanuel Andre, Pierre-Yves Ritschard,
    Rainer Giedat, Reyk Floeter, Robert Nagy, Rui Reis,
    Ryan Thomas McBride, Simon Bertrang, Simon Perreault, Stefan Kempf,
    Stefan Sperling, Stephan A. Rickauer, Steven Mestdagh,
    Stuart Henderson, Takuya Asada, Ted Unangst, Theo de Raadt,
    Thordur I Bjornsson, Tobias Stoeckmann, Tobias Weingartner,
    Todd C. Miller, Todd Fries, Will Maier, William Yodlowsky,
    Xavier Santolaria, Yasuoka Masahiko, Yojiro Uo


&lt;/pre&gt;</description>
    <dc:creator>Theo de Raadt</dc:creator>
    <dc:date>2010-11-01T15:03:09</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.announce/155">
    <title>MeetBSD California 2010 in ONE WEEK!</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.announce/155</link>
    <description>&lt;pre&gt;Come discuss all the BSD flavors with your peers next week at MeetBSD
California! It's on Friday and Saturday, November 5th &amp;amp; 6th at
Hacker Dojo, in Mountain View, California, USA.

We have an interactive Unconference on the first day. This means that
the attendees will get to decide the topics in real time.
For the second day, a more traditional format of speakers and
works-in-progress will be followed. It's highly hackable, informative,
and fun.

Of course, a legendary BSD-party featuring special guests, activities,
and entertainment will occur Saturday evening at the Dojo ;)

Thanks to our generous sponsors, the cost is only $25 USD which includes
snacks, lunches, and admission to the after-party.


If you are planning on attending, please reserve your space now:
http://www.meetbsd.com


See you there!

--
MeetBSD California '11


&lt;/pre&gt;</description>
    <dc:creator>Matt Olander</dc:creator>
    <dc:date>2010-10-29T18:57:56</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.announce/154">
    <title>OpenBSD mailing list downtime</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.announce/154</link>
    <description>&lt;pre&gt;The OpenBSD mail list server will be down on Oct 9th from 6am to
6pm MDT for machine room maintenance.

This also affects ftp.usa.openbsd.org (aka ftp3.usa.openbsd.org and
anoncvs3.usa.openbsd.org) which resides in the same machine room.

 - todd


&lt;/pre&gt;</description>
    <dc:creator>Todd C. Miller</dc:creator>
    <dc:date>2010-09-21T21:46:03</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.announce/153">
    <title>OpenBSD 4.7 Released, May 19 2010</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.announce/153</link>
    <description>&lt;pre&gt;
------------------------------------------------------------------------
- OpenBSD 4.7 RELEASED -------------------------------------------------

May 19, 2010.

We are pleased to announce the official release of OpenBSD 4.7.
This is our 27th release on CD-ROM (and 28th via FTP).  We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 4.7 provides significant improvements,
including new features, in nearly all areas of the system:

 - New/extended platforms:
    o OpenBSD/alpha
      o Added support for the DS15/DS25/ES45.
    o OpenBSD/loongson
      New platform for systems based on the Loongson 2E and 2F MIPS-compatible
      processors. Supported machines include:
      o Lemote Fuloong 2F mini-PC
      o Lemote Lynloong all-in-one-PC
      o Lemote Yeeloong netbook (8.9" and 10.1" models)
      o EMTEC Gdium Liberty 1000 netbook
    o OpenBSD/sgi
      o Added support for multi-node SGI Origin systems, in M mode.
      o Added support for the SGI Origin 350, Onyx 350, Onyx 4 and
        Tezro systems.
      o Added SMP support on the SGI Octane.
      o Support for many more onboard devices on Octane and Origin systems.
    o OpenBSD/socppc
      o Added support for the RouterBOARD RB600A.
    o OpenBSD/sparc64
      o Preliminary support for running OpenBSD in a guest domain on top of
        an OpenBSD control domain on sun4v machines.

 - Improved hardware support, including:
    o Revamped SCSI midlayer and improved driver support.
    o UDF 2.5 and 2.6 (HDDVD and Blu-ray) disks support.
    o Added mpath(4), a driver that steals paths to scsi devices if they could
      be available via multiple paths and then made available via mpath(4).
    o New aibs(4) driver for ASUSTeK AI Booster hardware monitoring.
    o New uthum(4) driver for the TEMPerHUM USB temperature and humidity
      sensors.
    o New utrh(4) driver for USBRH temperature and humidity sensors.
    o New uyurex(4) driver for the Maywa-denki &amp;amp; KAYAC YUREX twitch/jiggle of
      knee sensor.
    o New urndis(4) driver for remote NDIS Ethernet over USB devices (phones).
    o New xf86-video-wsudl(4) Xorg driver for USB DisplayLink devices
      supported by udl(4).
    o New mpii(4) driver for LSI Logic Fusion MPT Message Passing Interface II
      based SAS 2 controllers.
    o New athn(4) driver for Atheros IEEE 802.11a/g/n wireless network devices.
    o New alc(4) driver for Atheros AR8131/AR8132 10/100/Gigabit Ethernet
      devices.
    o New lisa(4) driver for STMicroelectronics LIS331DL MEMS motion sensors.
    o New gcu(4) driver for Intel EP80579 Global Configuration Unit.
    o New lom(4) driver for LOMLite and LOMLite2 as found on many of Sun's
      UltraSPARC-IIi servers.
    o New vsw(4) driver for virtual switches on sun4v machines.
    o New vds(4) driver for virtual disk servers on sun4v machines.
    o Support for EP80579 integrated Ethernet and ICH9 M V has been added
      to em(4).
    o Support for 82599 and SFP+ 82598 devices has been added to ix(4).
    o Support for the Sun GigabitEthernet SBus Adapter 1.0/1.1 has been
      added to ti(4).
    o Support for SBus variants of the QLogic Fibre Channel host adapters
      has been added to isp(4).
    o Support for SBus variants of the Sun Gigabit Ethernet has been added
      to gem(4).
    o Support for Intel WiFi Link 1000 and Intel Centrino
      Advanced-N 6200/Ultimate-N 6300 has been added to iwn(4).
    o Support for Ralink RT3572 based 802.11n devices has been added to run(4).
    o Support for VIA Tremor 5.1 and M-Audio Revolution 5.1 cards has been
      added to envy(4).
    o New uhts(4) driver for USB HID touchscreens.
    o Improved touchscreen support in the xf86-input-ws(4) Xorg driver and
      improved calibration using the new device properties from Xinput.
    o Support for ON CAT6095 and ON CAT34TS02 temperature sensors added
      to sdtemp(4).
    o Several improvements and bug fixes to existing Ethernet drivers,
      including em(4), re(4), ti(4) and vge(4).
    o Support for the PIC PCI-X controller added to the SGI xbridge(4) driver.
    o Support for the onboard Fast Ethernet interface found on SGI Octane
      and many SGI Origin family systems, iec(4).
    o Support for more SGI input and video devices on Octane and Origin
      systems, with iockbc(4), impact(4), and odyssey(4).
    o Improved PCI resource allocation; more hardware left unconfigured by
      the machine's firmware (including hotplugged hardware) should work now.
    o Support for recording/full-duplex added to mavb(4).
    o Improved support for USB audio devices in uaudio(4).
    o Improved support for bwi(4) devices on strict-alignment architectures
      like armish.
    o Eliminate usage of SCSI tagged queueing mechanisms other than simple
      queuing, thus avoiding incorrect implementations on various disk devices.
    o Eliminate spurious dhclient(8) error messages when the specified
      interface does not exist.
    o Eliminate spurious softraid(4) error messages for removable devices
      without media.

 - New tools:
    o newfs_ext2fs(8) for creating ext2 filesystems.
    o mkuboot(8) for creating U-Boot boot loader images.
    o midicat(1) MIDI server allowing MIDI programs to communicate
    o POSIX-compliant fuser(1) to identify process IDs holding a file open

 - Filesystem midlayer improvements:
    o Dynamic Buffer Cache now supported to a max size set with sysctl
      kern.bufcachepercent
    o Dynamic VFS name cache rewrite, now uses Red/Black trees instead of
      linked lists.
    o Numerous NFS client stability fixes.
    o Fix FAT32 mounting.
    o Fix cd9660 directory handling to eliminate looping and random
      truncation of directory entries.
    o Fix various internal locking problems with cd9660, udf, msdosfs
      and ffs file systems.

 - pf(4) improvements:
    o nat-to, rdr-to, binat-to options replace the nat, rdr and binat
      translation rules.
      changes for more info.
    o The route-to, reply-to, dup-to and fastroute options in pf.conf
      move to filteropts.
    o pf(4) can now translate packets between different routing domains.
    o Added -S and -L options to pfctl(8) to store and load pf state table
      from a file.
    o Added support for IPv4 and IPv6 divert sockets.

 - OpenBGPD, OpenOSPFD and other routing daemon improvements:
    o Update capability code in bgpd(8) to follow RFC 5492.
    o BGP MPLS VPN (RFC 4364) support added to the bgpd RIB.
    o In bgpd(8), implement the RFC4486 BGP Cease Notification
      Message subcodes.
    o It is now possible to enable/disable specific BGP capabilities.
    o Update bgpctl(8) irrfilter to support IPv6 and 4-byte AS numbers.
    o Minimal router-dead-time of 1 second and sub-second hello intervals
      added to ospfd(8). Additionally it is now possible to specify
      sub-second SPF timers for faster route fail-over.
    o ospf6d(8) is now installed by default. The RIB can be synced with
      the kernel routing table now. Support for AS-ext LSA has been added.
      This is still work-in-progress but testing is highly appreciated.
    o ldpd -- the MPLS label distribution protocol daemon -- is now
      installed by default. A custom kernel with option MPLS is needed
      to use it.

 - Generic network stack improvements:
    o brconfig is now integrated into ifconfig(8)
    o Added vether(4), a virtual Ethernet device.
    o Two bugs in IPsec/HMAC-SHA2 were fixed, resulting in an incompatibility
      with the HMAC-SHA-256/384/512 hash algorithms with previous versions
      of OpenBSD and other IPsec implementations sharing the bugs.
    o In dhcpd(8), echo back the Relay Agent Information option if present,
      and add support for the ipsec-tunnel hardware type.
    o Make dhcrelay(8) pick up the routing domain from the specified interface
      and use that rdomain for relaying the packets to the server.
    o Added support in dhcrelay(8) for RFC3046 "DHCP-over-ipsec".
    o Make the tcpdump(8) BGP OPEN capability parser RFC 5492 compliant.
    o Added an exec command to route(8) to run a process and its children
      in a specified routing domain.
    o ifconfig(8) now deals with more than 64 alias addresses.
    o Various fixes to mbuf defragmenting and mbuf chain copying
      improve reliability.

 - Assorted improvements:
    o malloc(3) now has an S flag to turn on the options that help debugging
      and improve security.
    o Updated terminfo(3) database and ncurses(3) library.
    o Added support for lazy binding in ld.so(1) on hppa.
    o Added POSIX silent check option (-C) to sort(1).
    o Added POSIX extended regular expression support to sed(1) (-E option).
    o Added GNU-compatible macro prefix option (-P) to m4(1).
    o Make it possible to specify a port in resolv.conf(5).
    o Improved FILE locking support in stdio(3).
    o Added SO_SNDTIMEO and SO_RCVTIMEO support in pthreads(3).
    o cdio(1) no longer prints bogus information if no TOC is found on
      the disk.
    o New -v flag causes cdio(1) to print profile and feature information.
    o whois(1) no longer attempts to keep the memory of 6Bone alive.
    o Added per-application MIDI-controlled volume knob to aucat(1)
    o Added MMC and MTC support to aucat(1) making possible MIDI-to-audio
      synchronization.
    o Added mio_open(3) interface to access hardware and software MIDI ports
    o Many memory leaks found by parfait and eliminated.
    o Make handling of floppy disk disklabels more reliable by properly
      initializing starting label.

 - Install/Upgrade process changes:
    o Take more care to ensure all filesystems are umount'ed when restarting
      an install or upgrade.
    o If no possible root disk is found, keep checking until one appears.
    o The default ftp directory for -stable is now the release directory
      instead of the snapshot directory.
    o Selection of TZ during installs is no longer confused by
      trailing slashes.
    o If /etc/X11 is found during upgrades, add the X sets to the list
      of default sets to install.

 - OpenSSH 5.5:
    o New features:
      o SSH protocol 1 is disabled by default.
      o Remove the libsectok/OpenSC-based smartcard code and add support
        for PKCS#11 tokens.
      o Add support for certificate authentication of users and hosts
        using a new, minimal OpenSSH certificate format (not X.509).
      o Added a 'netcat mode' to ssh(1).
      o Add the ability to revoke keys in sshd(8) and ssh(1).
      o Rewrite the ssh(1) multiplexing support to support non-blocking
        operation of the mux master.
      o Add a 'read-only' mode to sftp-server(8) that disables open in
        write mode and all other fs-modifying protocol methods. (bz#430)
      o Allow setting an explicit umask on the sftp-server(8) commandline
        to override whatever default the user has. (bz#1229)
      o Many improvements to the sftp(1) client.
      o New RSA keys will be generated with a public exponent of 65537
        instead of the previous value 35.
      o Passphrase-protected SSH protocol 2 private keys are now protected
        with AES-128 instead of 3DES.
    o The following significant bugs have been fixed in this release:
      o Fixed a minor information leak of environment variables specified in
        authorized_keys if an attacker happens to know the public key in use.
      o When using ChrootDirectory, make sure we test for the existence of
        the user's shell inside the chroot and not outside. (bz#1679)
      o Cache user and group name lookups in sftp-server using
        user_from_[ug]id(3) to improve performance on hosts where these
        operations are slow. (bz#1495)
      o Fix problem that prevented passphrase reading from being interrupted
        in some circumstances. (bz#1590)
      o Ignore and log any Protocol 1 keys where the claimed size is not
        equal to the actual size.
      o Make HostBased authentication work with a ProxyCommand. (bz#1569)
      o Avoid run-time failures when specifying hostkeys via a relative path
        by prepending the current working directory in these cases. (bz#1290)
      o Do not prompt for a passphrase if we fail to open a keyfile, and log
        the reason why the open failed to debug. (bz#1693)
      o Document that the PubkeyAuthentication directive is allowed in a
        sshd_config(5) Match block. (bz#1577)
      o When converting keys, truncate key comments at 72 chars as per
        RFC4716. (bz#1630)
      o Do not allow logins if /etc/nologin exists but is not readable by
        the user logging in.
      o Output a debug log if sshd(8) can't open an existing
        authorized_keys. (bz#1694)
      o Quell tc[gs]etattr(3) warnings when forcing a tty (ssh -tt), since
        we usually don't actually have a tty to read/set. (bz#1686)
      o Prevent sftp(1) from crashing when given a "-" without a command;
        also, allow whitespace to follow a "-". (bz#1691)
      o After sshd(8) receives a SIGHUP, ignore subsequent HUPs while
        sshd(8) re-execs itself; prevents two HUPs in quick succession
        from resulting in sshd(8) dying. (bz#1692)
      o Clarify in sshd_config(5) that StrictModes does not apply to
        ChrootDirectory; permissions and ownership are always checked
        when chrooting. (bz#1532)
      o Set close-on-exec on various descriptors so they don't get leaked
        to child processes. (bz#1643)
      o Fix very rare race condition in x11/agent channel allocation
      o Fix incorrect exit status when multiplexing and channel ID 0 is
        recycled. (bz#1570)
      o Fail with an error when an attempt is made to connect to a server
        with ForceCommand=internal-sftp with a shell session. (bz#1606)
      o Warn but do not fail if stat(2)ing the subsystem binary
        fails. (bz#1599)
      o Change "Connecting to host..." message to "Connected to host." and
        delay it until after the sftp protocol connection has been
        established. (bz#1588)
      o Use the HostKeyAlias rather than the hostname specified on the
        commandline when prompting for passwords. (bz#1039)
      o Correct off-by-one in percent_expand(). (bz#1607)
      o Fix passing of empty options from scp(1) and sftp(1) to the
        underlying ssh(1); also add support for the stop option "--".
      o Fix an incorrect magic number and typo in PROTOCOL. (bz#1688)
      o Don't escape backslashes when displaying the SSH2 banner. (bz#1533)
      o Don't unnecessarily dup() the in and out fds for
        sftp-server(8). (bz#1566)
      o Force use of the correct hash function for random-art signature
        display. (bz#1611)
      o Do not fall back to adding keys without constraints when the agent
        refuses the constrained add request. (bz#1612)
      o Fix a race condition in ssh-agent(1) that could result in a wedged
        or spinning agent. (bz#1633)
      o Flush stdio before exec() to ensure that everything has made it out
        before the streams go away. (bz#1596)
      o Set FD_CLOEXEC on in/out sockets in sshd(8). (bz#1706)

 - Over 5,800 ports, major robustness and speed improvements in package tools.
 - Many pre-built packages for each architecture:
    o i386: 5951
    o sparc64: 5745
    o alpha: 5641
    o sh: 768
    o amd64: 5879
    o powerpc: 5785
    o sparc: 4053
    o arm: 3711
    o hppa: 5500
    o vax: 1785
    o mips64: 3690
    o mips64el: 4316

 - Some highlights:
    o Gnome 2.28.2.
    o KDE 3.5.10.
    o Xfce 4.6.1.
    o MySQL 5.1.42.
    o PostgreSQL 8.4.2.
    o Postfix 2.6.5.
    o OpenLDAP 2.3.43.
    o Mozilla Firefox 3.0.18 and 3.5.8.
    o Mozilla Thunderbird 2.0.0.23.
    o OpenOffice.org 3.1.1.
    o Emacs 21.4 and 22.3
    o Vim 7.2.267.
    o PHP 5.2.12.
    o Python 2.4.6, 2.5.4 and 2.6.3.
    o Ruby 1.8.6.369.

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.4 with xserver 1.6.5 + patches,
      freetype 2.3.9, fontconfig 2.6.0, Mesa 7.4.2, xterm 250 and more)
    o Gcc 2.95.3 (+ patches) and 3.3.5 (+ patches)
    o Perl 5.10.1 (+ patches)
    o Our improved and secured version of Apache 1.3, with SSL/TLS
      and DSO support
    o OpenSSL 0.9.8k (+ patches)
    o Groff 1.15
    o Sendmail 8.14.3, with libmilter
    o Bind 9.4.2-P2 (+ patches)
    o Lynx 2.8.6rel.5 with HTTPS and IPv6 support (+ patches)
    o Sudo 1.7.2
    o Ncurses 5.7
    o Latest KAME IPv6
    o Heimdal 0.7.2 (+ patches)
    o Arla 0.35.7
    o Binutils 2.15 (+ patches)
    o Gdb 6.3 (+ patches)

If you'd like to see a list of what has changed between OpenBSD 4.6
and 4.7, look at

        http://www.OpenBSD.org/plus47.html

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.

------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each CD release.  As usual, between the
creation of the OpenBSD 4.7 FTP/CD-ROM binaries and the actual 4.7
release date, our team found and fixed some new reliability problems
(note: most are minor and in subsystems that are not enabled by
default).  Our continued research into security means we will find
new security problems -- and we always provide patches as soon as
possible.  Therefore, we advise regular visits to

        http://www.OpenBSD.org/security.html
and
        http://www.OpenBSD.org/errata.html

Security patch announcements are sent to the security-announce&amp;lt; at &amp;gt;OpenBSD.org
mailing list.  For information on OpenBSD mailing lists, please see:

        http://www.OpenBSD.org/mail.html

------------------------------------------------------------------------
- CD-ROM SALES ---------------------------------------------------------

OpenBSD 4.7 is also available on CD-ROM.  The 3-CD set costs $50 CDN and
is available via mail order and from a number of contacts around the
world.  The set includes a colourful booklet which carefully explains the
installation of OpenBSD.  A new set of cute little stickers is also
included (sorry, but our FTP mirror sites do not support STP, the Sticker
Transfer Protocol).  As an added bonus, the second CD contains an audio
track, a song entitled "I'm still here".  MP3 and OGG versions of
the audio track can be found on the first CD.

Lyrics (and an explanation) for the songs may be found at:

    http://www.OpenBSD.org/lyrics.html#47

Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 4.7 CD-ROMs are bootable on the following four platforms:

  o i386
  o amd64
  o macppc
  o sparc64

(Other platforms must boot from floppy, network, or other method).

For more information on ordering CD-ROMs, see:

        http://www.OpenBSD.org/orders.html

The above web page lists a number of places where OpenBSD CD-ROMs
can be purchased from.  For our default mail order, go directly to:

        https://https.OpenBSD.org/cgi-bin/order

All of our developers strongly urge you to buy a CD-ROM and support
our future efforts.  Additionally, donations to the project are
highly appreciated, as described in more detail at:

        http://www.OpenBSD.org/goals.html#funding

------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense writeoff, so this is certainly a consideration for
some organizations or businesses.  There may also be exposure benefits
since the Foundation may be interested in participating in press releases.
In turn, the Foundation then uses these contributions to assist OpenBSD's
infrastructure needs.  Contact the foundation directors at
directors&amp;lt; at &amp;gt;openbsdfoundation.org for more information.

------------------------------------------------------------------------
- T-SHIRT SALES --------------------------------------------------------

The OpenBSD distribution companies also sell tshirts and polo shirts.
And our users like them too.  We have a variety of shirts available,
with the new and old designs, from our web ordering system at, as
described above.

The OpenBSD 4.7 t-shirts are available now.  We also sell our older
shirts, as well as a selection of OpenSSH t-shirts.

------------------------------------------------------------------------
- FTP INSTALLS ---------------------------------------------------------

If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via FTP.  Typically you need a single small piece of boot
media (e.g., a boot floppy) and then the rest of the files can be
installed from a number of locations, including directly off the
Internet.  Follow this simple set of instructions to ensure that
you find all of the documentation you will need while performing
an install via FTP.  With the CD-ROMs, the necessary documentation
is easier to find.

1) Read either of the following two files for a list of ftp
   mirrors which provide OpenBSD, then choose one near you:

        http://www.OpenBSD.org/ftp.html
        ftp://ftp.OpenBSD.org/pub/OpenBSD/4.7/ftplist

   As of May 19, 2010, the following ftp mirror sites have the 4.7 release:

    ftp://ftp.eu.openbsd.org/pub/OpenBSD/4.7/       Stockholm, Sweden
    ftp://ftp.bytemine.net/pub/OpenBSD/4.7/         Oldenburg, Germany
    ftp://mirror.aarnet.edu.au/pub/OpenBSD/4.7/     Brisbane, Australia
    ftp://ftp.wu-wien.ac.at/pub/OpenBSD/4.7/        Vienna, Austria
    ftp://ftp.usa.openbsd.org/pub/OpenBSD/4.7/      CO, USA
    ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.7/     CA, USA
    ftp://obsd.cec.mtu.edu/pub/OpenBSD/4.7/         Michigan, USA

   The release is also available at the master site:

    ftp://ftp.openbsd.org/pub/OpenBSD/4.7/          Alberta, Canada

   However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that ftp mirror site and go into the directory
   pub/OpenBSD/4.7/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     armish/          mvme68k/         sparc64/
        Changelogs/      ftplist          mvme88k/         src.tar.gz
        HARDWARE         hp300/           packages/        sys.tar.gz
        PACKAGES         hppa/            ports.tar.gz     tools/
        PORTS            i386/            root.mail        vax/
        README           landisk/         sgi/             xenocara.tar.gz
        alpha/           mac68k/          socppc/          zaurus/
        amd64/           macppc/          sparc/

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        HARDWARE        - list of hardware we support
        PORTS           - description of our "ports" tree
        PACKAGES        - description of pre-compiled packages
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, i386.  This is a list of what you will see:

        INSTALL.i386    cd47.iso        floppyB47.fs    pxeboot*
        INSTALL.linux   cdboot*         floppyC47.fs    xbase47.tgz
        MD5             cdbr*           game47.tgz      xetc47.tgz
        base47.tgz      cdemu47.iso     index.txt       xfont47.tgz
        bsd*            comp47.tgz      install47.iso   xserv47.tgz
        bsd.mp*         etc47.tgz       man47.tgz       xshare47.tgz
        bsd.rd*         floppy47.fs     misc47.tgz

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386
   and the appropriate floppy*.fs or install47.iso files.  Consult the
   INSTALL.i386 file if you don't know which of the floppy images
   you need (or simply fetch all of them).

   If you use the install47.iso file (roughly 200MB in size), then you
   do not need the various *.tgz files since they are contained on that
   one-step ISO-format install CD.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.i386.  INSTALL.i386 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

        http://www.OpenBSD.org/errata.html

   This is the page where we talk about the mistakes we made while
   creating the 4.7 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

Note: If you end up needing to write a raw floppy using Windows,
      you can use "fdimage.exe" located in the pub/OpenBSD/4.7/tools
      directory to do so.

------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.4.  Most of our architectures ship with X.Org, including
amd64, sparc, sparc64 and macppc.  During installation, you can install
X.Org quite easily.  Be sure to try out xdm(1) and see how we have
customized it for OpenBSD.

------------------------------------------------------------------------
- PORTS TREE -----------------------------------------------------------

The OpenBSD ports tree contains automated instructions for building
third party software.  The software has been verified to build and
run on the various OpenBSD architectures.  The 4.7 ports collection,
including many of the distribution files, is included on the 3-CD
set.  Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD.  Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).

------------------------------------------------------------------------
- BINARY PACKAGES WE PROVIDE -------------------------------------------

A large number of binary packages are provided.  Please see the PACKAGES
file (ftp://ftp.OpenBSD.org/pub/OpenBSD/4.7/PACKAGES) for more details.

------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------

The CD-ROMs contain source code for all the subsystems explained
above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/4.7/README)
file explains how to deal with these source files.  For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/4.7/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------

Ports tree and package building by Jasper Lievisse Adriaanse, Michael Erdely,
Simon Bertrang, Stuart Henderson, Antoine Jacoutot, Robert Nagy,
Nikolay Sturm, and Christian Weisgerber.  System builds by Theo de Raadt,
Mark Kettenis, and Miod Vallat.  X11 builds by Todd Fries and Miod Vallat.
ISO-9660 filesystem layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who pre-ordered the 4.7 CD-ROM or bought our previous
CD-ROMs.  Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

    Alexander Bluhm, Alexander Hall, Alexander von Gernler,
    Alexander Yurchenko, Alexandre Ratchov, Alexey Vatchenko,
    Anders Magnusson, Andreas Gunnarsson, Anil Madhavapeddy,
    Antoine Jacoutot, Ariane van der Steldt, Artur Grabowski,
    Austin Hook, Benoit Lecocq, Bernd Ahlers, Bob Beck, Bret Lambert,
    Can Erkin Acar, Chad Loder, Charles Longeau, Chris Kuethe,
    Christian Weisgerber, Claudio Jeker, Dale Rahn, Damien Bergamini,
    Damien Miller, Dariusz Swiderski, Darren Tucker,
    David Gwynne,  David Hill, David Krause, Edd Barrett, Eric Faurot,
    Esben Norby,  Fabien Romano, Federico G. Schwindt, Felix Kronlage,
    Gilles Chehade, Giovanni Bechis, Gordon Willem Klok, 
    Henning Brauer, Ian Darwin, Igor Sobrado, Ingo Schwarze,
    Jacek Masiulaniec, Jacob Meuser, Jakob Schlyter, Janne Johansson,
    Jared Yanovich, Jason Dixon, Jason George, Jason McIntyre,
    Jason Meltzer, Jasper Lievisse Adriaanse, Jim Razmus II, Joel Sing,
    Joerg Goltermann, Johan Mson Lindman, Jolan Luff, Jonathan Armani,
    Jonathan Gray, Jordan Hargrave, Joshua Stein, Kenneth R Westerback,
    Kevin Lo, Kevin Steves, Kjell Wooding, Kurt Miller, Landry Breuil,
    Laurent Fanis, Marc Espie, Marco Peereboom, Marco Pfatschbacher,
    Marco S Hyman, Marcus Glocker, Marek Vasut, Mark Kettenis,
    Mark Uemura, Markus Friedl, Martin Reindl, Martynas Venckus,
    Mathieu Sauve-Frankel, Mats O Jansson, Matthias Kilian,
    Matthieu Herrb, Michael Erdely, Michael Knudsen, Michele Marchetto,
    Mike Larkin, Miod Vallat, Moritz Grimm, Moritz Jodeit,
    Nicholas Marriott, Nick Holland, Nikolay Sturm, Okan Demirmen,
    Oleg Safiullin, Otto Moerbeek, Owain Ainsworth, Paul de Weerd,
    Paul Irofti, Peter Hessler, Peter Stromberg, Peter Valchev,
    Philip Guenther, Pierre-Emmanuel Andre, Pierre-Yves Ritschard,
    Rainer Giedat, Reyk Floeter, Robert Nagy, Rui Reis,
    Ryan Thomas McBride, Simon Bertrang, Simon Perreault, Stefan Kempf,
    Stefan Sperling, Stephan A. Rickauer, Steven Mestdagh,
    Stuart Henderson, Takuya Asada, Ted Unangst, Theo de Raadt,
    Thordur I Bjornsson, Tobias Stoeckmann, Tobias Weingartner,
    Todd C. Miller, Todd Fries, Will Maier, William Yodlowsky,
    Xavier Santolaria, Yasuoka Masahiko, Yojiro Uo


&lt;/pre&gt;</description>
    <dc:creator>Bob Beck</dc:creator>
    <dc:date>2010-05-19T12:48:35</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.announce/152">
    <title>OpenSSH 5.5 released</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.announce/152</link>
    <description>&lt;pre&gt;
OpenSSH 5.5 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed code
or patches, reported bugs, tested snapshots or donated to the project.
More information on donations may be found at:
http://www.openssh.com/donations.html

This is a bugfix release.

Changes since OpenSSH 5.4
=========================

 * Unbreak sshd_config's AuthorizedKeysFile option for $HOME-relative paths

 * Fix compilation failures on platforms that lack dlopen()

 * Include a language tag when sending a protocol 2 disconnection message.

 * Make logging of certificates used for user authentication more clear and
   consistent between CAs specified using TrustedUserCAKeys and
   authorized_keys

Portable OpenSSH:

 * Allow contrib/ssh-copy-id to fail gracefully when there are no keys in
   the ssh-agent. bz#1723

 * Explicitly link libX11 into contrib/gnome-ssh-askpass2. bz#1725

 * Allow ChrootDirectory to work in SELinux platforms. bz#1726

 * Add configure.ac stanza for Haiku OS. bz#1741

 * Enable utmpx support on FreeBSD where possible. bz#1732

 * Use pkg-config to determine libedit linker flags where possible. bz#1744

Checksums:
==========

 - SHA1 (openssh-5.5.tar.gz) = 59864a048b09ad1b6e65a74d5d385d8189ab8c74
 - SHA1 (openssh-5.5p1.tar.gz) = 361c6335e74809b26ea096b34062ba8ff6c97cd6

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh&amp;lt; at &amp;gt;openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.


&lt;/pre&gt;</description>
    <dc:creator>Damien Miller</dc:creator>
    <dc:date>2010-04-16T01:06:13</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.announce/151">
    <title>Mailing list and anoncvs/anonftp server downtime</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.announce/151</link>
    <description>&lt;pre&gt;The OpenBSD mailing lists will be down on Saturday April 10 from
6am MDT to 6pm MDT while the machine room the server is located in
undergoes scheduled maintenance.

This also applies to ftp.usa.openbsd.org (aka ftp3.usa.openbsd.org
and anoncvs3.usa.openbsd.org), which is located in the same machine
room.

 - todd


&lt;/pre&gt;</description>
    <dc:creator>Todd C. Miller</dc:creator>
    <dc:date>2010-03-22T20:32:26</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.announce/150">
    <title>Announce: OpenSSH 5.4 released</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.announce/150</link>
    <description>&lt;pre&gt;
OpenSSH 5.4 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

Once again, we would like to thank the OpenSSH community for their
continued support of the project, especially those who contributed code
or patches, reported bugs, tested snapshots or donated to the project.
More information on donations may be found at:
http://www.openssh.com/donations.html

This is a major feature and bugfix release.

Changes since OpenSSH 5.3
=========================

Features:

 * After a transition period of about 10 years, this release disables
   SSH protocol 1 by default. Clients and servers that need to use the
   legacy protocol must explicitly enable it in ssh_config / sshd_config
   or on the command-line.

 * Remove the libsectok/OpenSC-based smartcard code and add support for
   PKCS#11 tokens. This support is automatically enabled on all
   platforms that support dlopen(3) and was inspired by patches written
   by Alon Bar-Lev. Details in the ssh(1) and ssh-add(1) manpages.

 * Add support for certificate authentication of users and hosts using a
   new, minimal OpenSSH certificate format (not X.509). Certificates
   contain a public key, identity information and some validity
   constraints and are signed with a standard SSH public key using
   ssh-keygen(1). CA keys may be marked as trusted in authorized_keys
   or via a TrustedUserCAKeys option in sshd_config(5) (for user
   authentication), or in known_hosts (for host authentication).

   Documentation for certificate support may be found in ssh-keygen(1),
   sshd(8) and ssh(1) and a description of the protocol extensions in
   PROTOCOL.certkeys.

 * Added a 'netcat mode' to ssh(1): "ssh -W host:port ..." This connects
   stdio on the client to a single port forward on the server. This
   allows, for example, using ssh as a ProxyCommand to route connections
   via intermediate servers. bz#1618

 * Add the ability to revoke keys in sshd(8) and ssh(1). User keys may
   be revoked using a new sshd_config(5) option "RevokedKeys". Host keys
   are revoked through known_hosts (details in the sshd(8) man page).
   Revoked keys cannot be used for user or host authentication and will
   trigger a warning if used.

 * Rewrite the ssh(1) multiplexing support to support non-blocking
   operation of the mux master, improve the resilience of the master to
   malformed messages sent to it by the slave and add support for
   requesting port-forwardings via the multiplex protocol. The new
   stdio-to-local forward mode ("ssh -W host:port ...") is also
   supported. The revised multiplexing protocol is documented in the
   file PROTOCOL.mux in the source distribution.

 * Add a 'read-only' mode to sftp-server(8) that disables open in write
   mode and all other fs-modifying protocol methods. bz#430

 * Allow setting an explicit umask on the sftp-server(8) commandline to
   override whatever default the user has. bz#1229

 * Many improvements to the sftp(1) client, many of which were
   implemented by Carlos Silva through the Google Summer of Code
   program:
   - Support the "-h" (human-readable units) flag for ls
   - Implement tab-completion of commands, local and remote filenames
   - Support most of scp(1)'s commandline arguments in sftp(1), as a
     first step towards making sftp(1) a drop-in replacement for scp(1).
     Note that the rarely-used "-P sftp_server_path" option has been
     moved to "-D sftp_server_path" to make way for "-P port" to match
     scp(1).
   - Add recursive transfer support for get/put and on the commandline

 * New RSA keys will be generated with a public exponent of RSA_F4 ==
   (2**16)+1 == 65537 instead of the previous value 35.

 * Passphrase-protected SSH protocol 2 private keys are now protected
   with AES-128 instead of 3DES. This applied to newly-generated keys
   as well as keys that are reencrypted (e.g. by changing their
   passphrase).

Bugfixes:

 * Hold authentication debug messages until after successful
   authentication. Fixes a minor information leak of environment
   variables specified in authorized_keys if an attacker happens to
   know the public key in use.
 * When using ChrootDirectory, make sure we test for the existence of
   the user's shell inside the chroot and not outside (bz#1679)
 * Cache user and group name lookups in sftp-server using
   user_from_[ug]id(3) to improve performance on hosts where these
   operations are slow (e.g. NIS or LDAP). bz#1495
 * Fix problem that prevented passphrase reading from being interrupted
   in some circumstances; bz#1590
 * Ignore and log any Protocol 1 keys where the claimed size is not
   equal to the actual size.
 * Make HostBased authentication work with a ProxyCommand. bz#1569
 * Avoid run-time failures when specifying hostkeys via a relative
   path by prepending the current working directory in these cases.
   bz#1290
 * Do not prompt for a passphrase if we fail to open a keyfile, and log
   the reason why the open failed to debug. bz#1693
 * Document that the PubkeyAuthentication directive is allowed in a
   sshd_config(5) Match block. bz#1577
 * When converting keys, truncate key comments at 72 chars as per
   RFC4716. bz#1630
 * Do not allow logins if /etc/nologin exists but is not readable by the
   user logging in.
 * Output a debug log if sshd(8) can't open an existing authorized_keys.
   bz#1694
 * Quell tc[gs]etattr warnings when forcing a tty (ssh -tt), since we
   usually don't actually have a tty to read/set; bz#1686
 * Prevent sftp from crashing when given a "-" without a command.
   Also, allow whitespace to follow a "-". bz#1691
 * After sshd receives a SIGHUP, ignore subsequent HUPs while sshd
   re-execs itself. Prevents two HUPs in quick succession from resulting
   in sshd dying. bz#1692
 * Clarify in sshd_config(5) that StrictModes does not apply to
   ChrootDirectory. Permissions and ownership are always checked when
   chrooting. bz#1532
 * Set close-on-exec on various descriptors so they don't get leaked to
   child processes. bz#1643
 * Fix very rare race condition in x11/agent channel allocation: don't
   read after the end of the select read/write fdset and make sure a
   reused FD is not touched before the pre-handlers are called.
 * Fix incorrect exit status when multiplexing and channel ID 0 is
   recycled. bz#1570
 * Fail with an error when an attempt is made to connect to a server
   with ForceCommand=internal-sftp with a shell session (i.e. not a
   subsystem session). Avoids stuck client when attempting to ssh to
   such a service. bz#1606
 * Warn but do not fail if stat()ing the subsystem binary fails. This
   helps with chrootdirectory+forcecommand=sftp-server and restricted
   shells. bz#1599
 * Change "Connecting to host..." message to "Connected to host."
   and delay it until after the sftp protocol connection has been
   established. Avoids confusing sequence of messages when the
   underlying ssh connection experiences problems. bz#1588
 * Use the HostKeyAlias rather than the hostname specified on the
   commandline when prompting for passwords. bz#1039
 * Correct off-by-one in percent_expand(): we would fatal() when trying
   to expand EXPAND_MAX_KEYS, allowing only EXPAND_MAX_KEYS-1 to
   actually work. Note that nothing in OpenSSH actually uses close to
   this limit at present. bz#1607
 * Fix passing of empty options from scp(1) and sftp(1) to the
   underlying ssh(1). Also add support for the stop option "--".
 * Fix an incorrect magic number and typo in PROTOCOL; bz#1688
 * Don't escape backslashes when displaying the SSH2 banner. bz#1533
 * Don't unnecessarily dup() the in and out fds for sftp-server. bz#1566
 * Force use of the correct hash function for random-art signature
   display as it was inheriting the wrong one when bubblebabble
   signatures were activated. bz#1611
 * Do not fall back to adding keys without constraints (ssh-add -c /
   -t ...) when the agent refuses the constrained add request. bz#1612
 * Fix a race condition in ssh-agent that could result in a wedged or
   spinning agent. bz#1633
 * Flush stdio before exec() to ensure that everything (motd
   in particular) has made it out before the streams go away. bz#1596
 * Set FD_CLOEXEC on in/out sockets in sshd(8). bz#1706

Portable OpenSSH Bugfixes:

 * Use system's kerberos principal name on AIX if it's available.
   bz#1583
 * Disable OOM-killing of the listening sshd on Linux. bz#1470
 * Use pkg-config for opensc config if it's available. bz#1160
 * Unbreak Redhat spec to allow building without askpass. bz#1677
 * If PidFile is set in sshd_config, use it in SMF init file. bz#1628
 * Print error and usage() when ssh-rand-helper is passed command-
   line arguments as none are supported. bz#1568
 * Add missing setsockopt() to set IPV6_V6ONLY for local forwarding
   with GatewayPorts=yes. bz#1648
 * Make GNOME 2 askpass dialog desktop-modal. bz#1645
 * If SELinux is enabled set the security context to "sftpd_t" before
   running the internal sftp server. bz#1637
 * Correctly check libselinux for necessary SELinux functions; bz#1713
 * Unbreak builds on Redhat using the supplied openssh.spec; bz#1731
 * Fix incorrect privilege dropping order on AIX that prevented
   chroot operation; bz#1567
 * Call aix_setauthdb/aix_restoredb at the correct times on AIX to
   prevent authentication failure; bz#1710

Checksums:
==========

 - SHA1 (openssh-5.4.tar.gz) = 1776832d902f7b4c7863afd41a5ec7a14efe95d6
 - SHA1 (openssh-5.4p1.tar.gz) = 2a3042372f08afb1415ceaec8178213276a36302

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh&amp;lt; at &amp;gt;openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.


&lt;/pre&gt;</description>
    <dc:creator>Damien Miller</dc:creator>
    <dc:date>2010-03-08T02:06:07</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.announce/149">
    <title>4.6-stable ports</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.announce/149</link>
    <description>&lt;pre&gt;We are happy to announce that 4.6-stable ports will soon be receiving 
security updates and fixes.

Please note that this also marks the end of updates to 4.5-stable 
ports, as we are supporting the presently-available release only.


&lt;/pre&gt;</description>
    <dc:creator>William Yodlowsky</dc:creator>
    <dc:date>2009-10-22T03:05:37</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.announce/148">
    <title>OpenBSD 4.6 release, Oct 18</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.announce/148</link>
    <description>&lt;pre&gt;Many people have received their 4.6 CDs in the mail by now, and we
really don't want them to be without the full package repository.

------------------------------------------------------------------------
- OpenBSD 4.6 RELEASED -------------------------------------------------

Oct 18, 2009.

We are pleased to announce the official release of OpenBSD 4.6.
This is our 26th release on CD-ROM (and 27th via FTP).  We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 4.6 provides significant improvements,
including new features, in nearly all areas of the system:

- New/extended platforms:
    o mvme88k
      o MVME141 and MVME165 boards are now supported.
    o sgi
      o SGI Octane, SGI Origin 200 and SGI Fuel systems are now supported.
      o Several bugs in interrupt handling have been fixed, resulting
        in significantly improved system response.
    o sparc
      o The bootblock load address has been moved so that larger kernels
        can be loaded.
    o sparc64
      o Acceleration support has been added for many of the PCI frame buffer
        drivers, such as the Sun PGX, PGX64 and XVR-100, and Tech Source
        Raptor GFX graphics cards.

- Improved hardware support, including:
    o Several new/improved drivers for sensors, including:
      o The ips(4) driver now has sensor support, complementing the bio support.
      o The acpithinkpad(4) driver now has temperature and fan sensor support.
      o New endrun(4) driver for the EndRun Technologies timedelta sensor.
      o The fins(4) driver now has support for F71806, F71862 and F71882 ICs.
      o The acpitz(4) driver now shows correct decimals for temperature.
    o Added radeonfb(4) to sparc64, an accelerated framebuffer for
      Sun XVR-100 boards.
    o Added support for RTL8103E and RTL8168DP devices in the re(4) driver.
    o Added support for BCM5709/BCM5716 devices in the bnx(4) driver.
    o Added support for ICH10 variants of em(4).
    o Added support for VIA VX855 chipset in the viapm(4) and pciide(4) drivers.
    o Added support for Intel SCH IDE to pciide(4).
    o Added support for the Broadcom HT-1100 chipset in the piixpm(4) driver.
    o Added support for 82574L based devices in the em(4) driver.
    o Added support for VIA CX800 south bridge to the viapm(4) driver.
    o A number of network drivers including bge(4), bnx(4), hme(4), iwn(4),
      ix(4), msk(4), sis(4), sk(4), vr(4) and wpi(4) now make use of the
      MCLGETI(9) allocator in order to reduce memory usage and increase
      performance when under load or attack.
    o Added support in em(4) for the newer 82575 chips.
    o zyd(4) now supports devices with Airoha AL2230S radios.
    o zyd(4) now works on big-endian machines.
    o urtw(4) now supports RTL8187B based devices.
    o New otus(4) driver for Atheros AR9001U USB 802.11a/b/g/Draft-N
      wireless devices.
    o New berkwdt(4) driver for Berkshire Products PCI watchdog timers.
    o New udl(4) driver for USB video devices.
    o Support for a variety of newer models in bge(4).
    o Initial version of vsw(4), a driver for the virtual network switch
      found on sun4v sparc64 systems.
    o Implemented machfb(4), an accelerated driver for the sparc64 PGX/PGX64
      framebuffers.
    o New vcc(4) and vcctty(4) drivers for the "Virtual Console Concentrator"
      found on the control domain of sun4v systems.
    o Implemented 64-bit FIFO modes for ciss(4) devices.
    o Enabled hardware VLAN tagging and stripping on ix(4).
    o Added basic support for Envy24HT chips to the envy(4) driver.
    o Many improvements and updates to the isp(4) driver.
    o Added support for 88E8057-based Yukon 2 Ultra 2-devices in msk(4).
    o The ips(4) driver now works reliably.
    o Added raptor(4), an accelerated framebuffer driver for the Tech Source
      Raptor GFX cards on the sparc64 platform.
    o Enabled schsio(4) on i386 and amd64 and added watchdog timer support.
    o New acpivideo(4) driver for ACPI display switching and brightness control.
    o Added support for the IBM ServeRAID-8k in the aac(4) driver.
    o Added support for the BCM5825 and 5860/61/62 Broadcom CryptoNetX
      IPSec/SSL Security processor in the ubsec(4) driver.
    o Added support for AES-CBC with BCM5823-based ubsec(4) devices.
    o Firmware for bnx(4) has been updated.
    o Added support to fxp(4) for the 82552 MAC found on some ICH7 chipsets.
    o Added support to umsm(4) for Truinstall enabled modems like the
      Sierra 881U.
    o Added support to pciide(4) for ICH10 SATA devices not operating in
      AHCI mode.
    o dc(4) now reads the MAC address from the eeprom rather than CIS.
    o em(4) now correctly handles MAC addresses for dual-port 8257[56] cards.
    o IPv6 receive TCP/UDP checksum offloading has been enabled for jme(4).
    o IPv6 receive TCP/UDP checksum offloading has been enabled in bge(4) for
      the 5755 and later chips.
    o iwi(4) now associates with APs that refuse non-short slot-time capable
      STAs.
    o IP, TCP and UDP checksum offloading has been enabled in vr(4) for
      VT6105M-based devices.
    o VGA BIOS repost support has been added for amd64 and i386 platforms.

- New tools:
    o Added smtpd(8), a new privilege-separated SMTP daemon.
    o Imported the tmux(1) terminal multiplexer, replacing window(1).

- New functionality:
    o httpd(8) can now serve files larger than 2GB in size.
    o Mice with many buttons are now supported by wsmoused(8).
    o New "nfsserver" and "nfsclient" views have been added to systat(1).
    o Automatic partition allocation has been added to disklabel(8), with a
      variety of smart heuristics.
    o An undo command has been added to disklabel(8), which reverts the
      label back to its previous state.
    o When running in auto-mode, sysmerge(8) will now install binary files
      from X sets automatically.
    o sysmerge(8) now creates a report summary file in the work directory.
    o httpd(8) now drops privileges to www/www rather than nobody/nogroup
      if the User/Group entries are not present within the configuration file.
    o ELF based platforms now generate ELF core dumps and gdb(1) is now able
      to read ELF core dumps.
    o Additional diff options have been added to opencvs(1).
    o When sendbug(1) is run as root, the pcidump(8) and acpidump(8) output
      is included.
    o Support for audible ping(8) and ping6(8) has been added.
    o ftpd(8) now logs both the remote IP and remote hostname when receiving
      a new connection.
    o relayd(8) now allows both UDP and TCP redirections.
    o SSL sessions are now maintained by relayd(8) for each checked host,
      resulting in subsequent checks being lighter and faster on the server.
    o Added support to relayd(8) for client-side TCP connections from relays.
    o Added support to relayd(8) for specifying a CA file to verify SSL server
      certificates when connecting as a client from relays.

- pf(4) improvements:
    o Enabled pf(4) by default in the rc.conf(8).
    o Removed pf(4) scrub rules, and only do one kind of packet reassembly.
      Rulesets with scrub rules need to be modified because of this.
    o Regular rules can now have per-rule scrub options.
    o Added new "match" keyword which only applies rule options but does
      not change the current pass/block state.
    o Make all pf(4) operations transactional to improve atomicity of reloads.
    o Stricter pf(4) checking for ICMP and ICMPv6 packets.
    o Various improvements to pfsync(4) to lower sync traffic bandwidth and
      optionally allow active-active firewall setups.
    o Fix pf(4) scrub max-mss for IPv6 traffic.

- softraid(4) improvements:
    o Rebuild support has been added and RAID 1 volumes can now be rebuilt.
    o Boot time assembly has been significantly improved, with volume and
      chunk ordering now being respected. Duplicated chunks and version
      mismatches are also handled gracefully.
    o Volumes with missing members are now brought online.

- OpenBGPD, OpenOSPFD and other routing daemon improvements:
    o In bgpd(8), rework most of the RDE to allow multiple RIBs.
      It is possible to filter per-RIB and attach neighbors to a specific RIB.
    o Added an option to bgpd(8) to change the "connect-retry" timer.
    o Allow bgpd.conf(5) and bgpctl(8) to contain 32-bit ASN numbers written in
      ASPLAIN format.
    o Fix bgpd(8) to correctly encode MP unreachable NLRI so IPv6 prefixes get
      removed correctly.
    o Changed the behaviour of "redistribute default" for ospfd(8) and ripd(8).
      A default route has to be present in the FIB to be correctly advertised.
    o Make ospfd(8) and ripd(8) track reject and blackhole routes and allow
      them to be redistributed even if pointing to 127.0.0.1.
    o Allow an alternate control socket to be specified for ospfd(8).
    o ospfd(8) can now be bound to an alternate routing domain.
    o Fix ospfd(8) route metric for "redistribute default".
    o Initial version of ldpctl(8) and ldpd(8), a label distribution protocol
      daemon for mpls.
    o Make dvmrpd(8) RDE aware of multicast group members per interface.
    o Added support for pruning in dvmrpd(8).

- Generic Network-Stack improvements:
    o Support for virtual routing and firewalling with the addition of routing
      domains.
    o Added support for ifconfig(8) to bind an interface to a routing domain.
    o Added support to ping(8), traceroute(8), arp(8), nc(1) and telnet(1) to
      specify which routing domain to use.
    o Allow ifconfig(8) to turn off IPv6 completely for an interface and
      make rtsold(8) turn on inet6 on the interface.
    o Routes track the interface link state.
    o route(8) flush accepts "-iface" or "-priority" to only flush routes
      matching these conditions.
    o Multiple dhclients can now coexist without causing mayhem.
    o Make wireless interfaces have an interface priority of 4 by default.
      Makes them less preferred than wired interfaces.
    o Do not accept IPv4 ICMP redirects by default.
    o Added the MAC address to the log entries in dhclient(8). 
    o Make systat(1) show interface description names in the interface view,
      and add new NFS server and client views.
    o Make tun(4) emulate link state depending on the open and close of the
      device fd.
    o Use pf state-table information to speed up decision on whether a packet
      is to be delivered locally or forwarded.
    o More routing socket checks added to make userland applications more
      resilient to kernel changes.

- Install/Upgrade process changes:
    o The installer has almost been rewritten, primarily with a focus on
      simplifying the installation process.
    o Automatic disk layout can now be used during installation, allowing for
      simple single-disk installs.
    o VLAN support is now available in some installation media.
    o A standard user account can now be created during the install process.

- OpenSSH 5.3:
    o Do not limit home directory paths to 256 characters.
    o Several minor documentation and correctness fixes.

- Over 5,800 ports, minor robustness improvements in package tools.
    o Many pre-built packages for each architecture:
      i386:   5606    sparc64:  5413    alpha: 5346    sh:     1261
      amd64:  5544    powerpc:  5427    sparc: 3711    mips64: 3443
      arm:    5291    hppa:     4790    vax:   1785

- As usual, steady improvements in manual pages and other documentation.

- The system includes the following major components from outside
  suppliers:
      o Xenocara (based on X.Org 7.4 + patches, freetype 2.3.9,
        fontconfig 2.6.0, Mesa 7.4.2, xterm 243 and more)
      o Gcc 2.95.3 (+ patches) and 3.3.5 (+ patches)
      o Perl 5.10.0 (+ patches)
      o Our improved and secured version of Apache 1.3, with SSL/TLS
        and DSO support
      o OpenSSL 0.9.8k (+ patches)
      o Groff 1.15
      o Sendmail 8.14.3, with libmilter
      o Bind 9.4.2-P2 (+ patches)
      o Lynx 2.8.6rel.5 with HTTPS and IPv6 support (+ patches)
      o Sudo 1.7.2
      o Ncurses 5.2
      o Latest KAME IPv6
      o Heimdal 0.7.2 (+ patches)
      o Arla 0.35.7
      o Binutils 2.15 (+ patches)
      o Gdb 6.3 (+ patches)

If you'd like to see a list of what has changed between OpenBSD 4.5
and 4.6, look at

        http://www.OpenBSD.org/plus46.html

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.

------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each CD release.  As usual, between the
creation of the OpenBSD 4.6 FTP/CD-ROM binaries and the actual 4.6
release date, our team found and fixed some new reliability problems
(note: most are minor and in subsystems that are not enabled by
default).  Our continued research into security means we will find
new security problems -- and we always provide patches as soon as
possible.  Therefore, we advise regular visits to

        http://www.OpenBSD.org/security.html
and
        http://www.OpenBSD.org/errata.html

Security patch announcements are sent to the security-announce&amp;lt; at &amp;gt;OpenBSD.org
mailing list.  For information on OpenBSD mailing lists, please see:

        http://www.OpenBSD.org/mail.html

------------------------------------------------------------------------
- CD-ROM SALES ---------------------------------------------------------

OpenBSD 4.6 is also available on CD-ROM.  The 3-CD set costs $50 CDN and
is available via mail order and from a number of contacts around the
world.  The set includes a colourful booklet which carefully explains the
installation of OpenBSD.  A new set of cute little stickers is also
included (sorry, but our FTP mirror sites do not support STP, the Sticker
Transfer Protocol).  As an added bonus, the second CD contains an audio
track, a song entitled "Planet of the Users".  MP3 and OGG versions of
the audio track can be found on the first CD.

Lyrics (and an explanation) for the songs may be found at:

    http://www.OpenBSD.org/lyrics.html#46

Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 4.6 CD-ROMs are bootable on the following four platforms:

  o i386
  o amd64
  o macppc
  o sparc64

(Other platforms must boot from floppy, network, or other method).

For more information on ordering CD-ROMs, see:

        http://www.OpenBSD.org/orders.html

The above web page lists a number of places where OpenBSD CD-ROMs
can be purchased from.  For our default mail order, go directly to:

        https://https.OpenBSD.org/cgi-bin/order

All of our developers strongly urge you to buy a CD-ROM and support
our future efforts.  Additionally, donations to the project are
highly appreciated, as described in more detail at:

        http://www.OpenBSD.org/goals.html#funding

------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (http://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense writeoff, so this is certainly a consideration for
some organizations or businesses.  There may also be exposure benefits
since the Foundation may be interested in participating in press releases.
In turn, the Foundation then uses these contributions to assist OpenBSD's
infrastructure needs.  Contact the foundation directors at
directors&amp;lt; at &amp;gt;openbsdfoundation.org for more information.

------------------------------------------------------------------------
- T-SHIRT SALES --------------------------------------------------------

The OpenBSD distribution companies also sell t-shirts and polo shirts.
And our users like them too.  We have a variety of shirts available,
with the new and old designs, from our web ordering system at, as
described above.

The OpenBSD 4.6 t-shirts are available now.  We also sell our older
shirts, as well as a selection of OpenSSH t-shirts.

------------------------------------------------------------------------
- FTP INSTALLS ---------------------------------------------------------

If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via FTP.  Typically you need a single small piece of boot
media (e.g., a boot floppy) and then the rest of the files can be
installed from a number of locations, including directly off the
Internet.  Follow this simple set of instructions to ensure that
you find all of the documentation you will need while performing
an install via FTP.  With the CD-ROMs, the necessary documentation
is easier to find.

1) Read either of the following two files for a list of ftp
   mirrors which provide OpenBSD, then choose one near you:

        http://www.OpenBSD.org/ftp.html
        ftp://ftp.OpenBSD.org/pub/OpenBSD/4.6/ftplist

   As of Oct 1, 2009, the following ftp mirror sites have the 4.6 release:

        ftp://ftp.stacken.kth.se/pub/OpenBSD/4.6/      Sweden
        ftp://ftp2.usa.openbsd.org/pub/OpenBSD/4.6/    NYC, USA
        ftp://ftp3.usa.openbsd.org/pub/OpenBSD/4.6/    CO, USA
        ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.6/    CA, USA
        ftp://rt.fm/pub/OpenBSD/4.6/                   IL, USA

   The release is also available at the master site:

        ftp://ftp.openbsd.org/pub/OpenBSD/4.6/         Alberta, Canada

   However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that ftp mirror site and go into the directory
   pub/OpenBSD/4.6/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     armish/          mvme68k/         sparc64/
        Changelogs/      ftplist          mvme88k/         src.tar.gz
        HARDWARE         hp300/           packages/        sys.tar.gz
        PACKAGES         hppa/            ports.tar.gz     tools/
        PORTS            i386/            root.mail        vax/
        README           landisk/         sgi/             xenocara.tar.gz
        alpha/           mac68k/          socppc/          zaurus/
        amd64/           macppc/          sparc/

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        HARDWARE        - list of hardware we support
        PORTS           - description of our "ports" tree
        PACKAGES        - description of pre-compiled packages
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, i386.  This is a list of what you will see:

        INSTALL.i386    cd46.iso        floppyB46.fs    pxeboot*
        INSTALL.linux   cdboot*         floppyC46.fs    xbase46.tgz
        MD5             cdbr*           game46.tgz      xetc46.tgz
        base46.tgz      cdemu46.iso     index.txt       xfont46.tgz
        bsd*            comp46.tgz      install46.iso   xserv46.tgz
        bsd.mp*         etc46.tgz       man46.tgz       xshare46.tgz
        bsd.rd*         floppy46.fs     misc46.tgz

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386
   and the appropriate floppy*.fs or install46.iso files.  Consult the
   INSTALL.i386 file if you don't know which of the floppy images
   you need (or simply fetch all of them).

   If you use the install46.iso file (roughly 200MB in size), then you
   do not need the various *.tgz files since they are contained on that
   one-step ISO-format install CD.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.i386.  INSTALL.i386 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

        http://www.OpenBSD.org/errata.html

   This is the page where we talk about the mistakes we made while
   creating the 4.6 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

Note: If you end up needing to write a raw floppy using Windows,
      you can use "fdimage.exe" located in the pub/OpenBSD/4.6/tools
      directory to do so.

------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.4.  Most of our architectures ship with X.Org, including
amd64, sparc, sparc64 and macppc.  During installation, you can install
X.Org quite easily.  Be sure to try out xdm(1) and see how we have
customized it for OpenBSD.

------------------------------------------------------------------------
- PORTS TREE -----------------------------------------------------------

The OpenBSD ports tree contains automated instructions for building
third party software.  The software has been verified to build and
run on the various OpenBSD architectures.  The 4.6 ports collection,
including many of the distribution files, is included on the 3-CD
set.  Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD.  Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).

------------------------------------------------------------------------
- BINARY PACKAGES WE PROVIDE -------------------------------------------

A large number of binary packages are provided.  Please see the PACKAGES
file (ftp://ftp.OpenBSD.org/pub/OpenBSD/4.6/PACKAGES) for more details.

------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------

The CD-ROMs contain source code for all the subsystems explained
above, and the README (ftp://ftp.OpenBSD.org/pub/OpenBSD/4.6/README)
file explains how to deal with these source files.  For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/4.6/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------

OpenBSD 4.6 includes artwork and CD artistic layout by Ty Semaka,
who also arranged an audio track on the OpenBSD 4.6 CD set.  Ports
tree and package building by Jasper Lievisse Adriaanse, Michael Erdely,
Simon Bertrang, Stuart Henderson, Antoine Jacoutot, Robert Nagy,
Nikolay Sturm, and Christian Weisgerber.  System builds by Theo de Raadt,
Mark Kettenis, and Miod Vallat.  X11 builds by Todd Fries and Miod Vallat.
ISO-9660 filesystem layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who pre-ordered the 4.6 CD-ROM or bought our previous
CD-ROMs.  Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

    Alexander Bluhm, Alexander Hall, Alexander von Gernler,
    Alexander Yurchenko, Alexandre Ratchov, Alexey Vatchenko,
    Anders Magnusson, Andreas Gunnarsson, Anil Madhavapeddy,
    Antoine Jacoutot, Ariane van der Steldt, Artur Grabowski,
    Austin Hook, Benoit Lecocq, Bernd Ahlers, Bob Beck, Bret Lambert,
    Can Erkin Acar, Chad Loder, Charles Longeau, Chris Cappuccio,
    Chris Kuethe, Christian Weisgerber, Claudio Jeker,
    Constantine A. Murenin, Dale Rahn, Damien Bergamini, Damien Miller,
    Darren Tucker, David Gwynne, David Hill, David Krause, Eric Faurot,
    Esben Norby, Federico G. Schwindt, Felix Kronlage, Gilles Chehade,
    Giovanni Bechis, Gordon Willem Klok, Hans-Joerg Hoexer,
    Henning Brauer, Ian Darwin, Igor Sobrado, Ingo Schwarze,
    Jacek Masiulaniec, Jacob Meuser, Jakob Schlyter, Janne Johansson,
    Jared Yanovich, Jason Dixon, Jason George, Jason McIntyre,
    Jason Meltzer, Jasper Lievisse Adriaanse, Jim Razmus II, Joel Sing,
    Joerg Goltermann, Johan Mson Lindman, Jolan Luff, Jonathan Gray,
    Jordan Hargrave, Joris Vink, joshua stein, Kenneth R Westerback,
    Kevin Lo, Kevin Steves, Kjell Wooding, Kurt Miller, Landry Breuil,
    Laurent Fanis, Marc Espie, Marco Peereboom, Marco Pfatschbacher,
    Marco S Hyman, Marcus Glocker, Mark Kettenis, Mark Uemura,
    Markus Friedl, Martin Reindl, Martynas Venckus,
    Mathieu Sauve-Frankel, Mats O Jansson, Matthias Kilian,
    Matthieu Herrb, Michael Erdely, Michael Knudsen, Michele Marchetto,
    Mike Larkin, Miod Vallat, Moritz Grimm, Moritz Jodeit,
    Nicholas Marriott, Nick Holland, Nikolay Sturm, Okan Demirmen,
    Oleg Safiullin, Otto Moerbeek, Owain Ainsworth, Paul de Weerd,
    Paul Irofti, Peter Hessler, Peter Stromberg, Peter Valchev,
    Philip Guenther, Pierre-Emmanuel Andre, Pierre-Yves Ritschard,
    Rainer Giedat, Ray Lai, Reyk Floeter, Robert Nagy, Rui Reis,
    Ryan Thomas McBride, Simon Bertrang, Stefan Kempf, Steven Mestdagh,
    Stuart Henderson, Ted Unangst, Theo de Raadt, Thordur I. Bjornsson,
    Tobias Stoeckmann, Tobias Weingartner, Todd C. Miller, Todd Fries,
    Will Maier, William Yodlowsky, Xavier Santolaria, Yojiro Uo


&lt;/pre&gt;</description>
    <dc:creator>Theo de Raadt</dc:creator>
    <dc:date>2009-10-18T15:38:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.os.openbsd.announce/147">
    <title>Announce: OpenSSH 5.3 released</title>
    <link>http://comments.gmane.org/gmane.os.openbsd.announce/147</link>
    <description>&lt;pre&gt;OpenSSH 5.3 has just been released. It will be available from the
mirrors listed at http://www.openssh.com/ shortly.

OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0
implementation and includes sftp client and server support.

This release marks the 10th anniversary of the OpenSSH project.
We would like to thank the OpenSSH community for their support,
especially those who will continue to contribute code or patches,
report bugs, test snapshots or donate to the project during the
next 10 years.  More information on donations may be found at:
http://www.openssh.com/donations.html

This is a bugfix release, no new features have been added.

Changes since OpenSSH 5.2
=========================

General Bugfixes:

 * Do not limit home directory paths to 256 characters. bz#1615

 * Several minor documentation and correctness fixes.

Portable OpenSSH Bugfixes:

 * This release removes support for very old versions of Cygwin and
   for Windows 95/98/ME

 * Move the deletion of PAM credentials on logout to after the session
   close. bz#1534

 * Make PrintLastLog work on AIX. bz#1595

 * Avoid compile errors on FreeBSD from conflicts in glob.h. bz#1634

 * Delay dropping of root privileges on AIX so chroot and pam_open_session
   work correctly. bz#1249 and bz#1567

 * Increase client IO buffer on Cygwin to 64K, realising a significant
   performance improvement.
 
 * Roll back bz#1241 (better handling for expired passwords on Tru64).
   The change broke password logins on some configurations.

 * Accept ENOSYS as a fallback error when attempting atomic
   rename(). bz#1535

 * Fix passing of variables to recursive make(1) invocations on Solaris.
   bz#1505

 * Skip the tcgetattr call on the pty master on Solaris, since it never
   succeeds and can hang if large amounts of data are sent to the slave
   (eg a copy-paste). bz#1528 

 * Fix detection of krb5-config. bz#1639

 * Fix test for server-assigned remote forwarding port for non-root users.
   bz#1578

 * Fix detection of libresolv on OSX 10.6.

Checksums:
==========

 - SHA1 (openssh-5.3.tar.gz) = f1b9a280565e916c1f84fd4d944313ec926242a2
 - SHA1 (openssh-5.3p1.tar.gz) = d411fde2584ef6022187f565360b2c63a05602b5

Reporting Bugs:
===============

- Please read http://www.openssh.com/report.html
  Security bugs should be reported directly to openssh&amp;lt; at &amp;gt;openssh.com

OpenSSH is brought to you by Markus Friedl, Niels Provos, Theo de Raadt,
Kevin Steves, Damien Miller, Darren Tucker, Jason McIntyre, Tim Rice and
Ben Lindstrom.



&lt;/pre&gt;</description>
    <dc:creator>Damien Miller</dc:creator>
    <dc:date>2009-10-01T13:46:18</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.os.openbsd.announce">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.os.openbsd.announce</link>
  </textinput>
</rdf:RDF>

