Tux Machines

OpenBSD 7.2 released (UPDATEDx3)

posted by Roy Schestowitz on Oct 20, 2022,
updated Oct 29, 2022

------------------------------------------------------------------------
- OpenBSD 7.2 RELEASED -------------------------------------------------

October 20, 2022.
We are pleased to announce the official release of OpenBSD 7.2. This is our 53rd release. We remain proud of OpenBSD's record of more than twenty years with only two remote holes in the default install.
As in our previous releases, 7.2 provides significant improvements, including new features, in nearly all areas of the system:
- New/extended platforms:
    o Added support for Ampere Altra
    o Added support for Apple M2
    o Added support for Lenovo ThinkPad x13s and other machines using the Qualcomm Snapdragon 8cx Gen 3 (SC8280XP) SoC.
- Various kernel improvements:
    o Allowed bsd.rd and bsd/bsd.mp to boot on Oracle Cloud amd64 instances.
    o Added support for switching from glass console to serial console on arm64 systems that default to glass console.
    o pf(4) automatically allows IGMP and ICMP6 MLD packets with the router alert option. Special allow-opts rules are no longer needed for multicast discovery.
    o Fixed a pf(4) NULL dereference panic triggered by relayd(8).
    o Implement "show all routes" to print routing tables in ddb(4).
    o Added a method (ESC D) to enter ddb(4) on serial drivers that do not have a true BREAK mechanism.
    o Added "show all routes" and the ability to show individual routes (e.g. "show route 0xfffffd807e9b0000") to ddb(4).
    o Added a "show swap" command to ddb(4) to help debugging.
    o Count dropped network packets due to low memory in netstat(1).
    o Simplified machine command handling in ddb(4).
    o Changed to a simpler formula to calculate a default kern.maxthread value: 2*NPROCESS.
    o Enabled kstat(4), a device that exports kernel statistics that can be read by kstat(1).
    o Added CPU frequency sensors for each core on CPUs that have MPERF/APERF support.
    o Merged the UVM swap-backed and object-backed inactive page lists.
    o Fixed rwlock(9) implementation to be fair to writers. Previously, readers could grab the lock even if writers were waiting first.
    o Made the CPU frequency scaling duration relative to the load when in automatic mode on battery.
    o Fixed luna88k MULTIPROCESSOR kernels booting with CPU modules installed in arbitrary slots.
    o Added a missing kqueue(2) wakeup, found by a Go testcase hang.
    o Bumped the maximum number of supported CPUs to 256 on arm64.
    o Ensure uvm_swap_io() can succeed, even in out of memory situations, by reserving a second segment for the page daemon.
    o Ensured progress in the swapper by pre-allocating pages in a DMA-reachable region.
    o Made the page daemon consider pmemrange regions when trying to free pages from the inactive list. Previously the page daemon could use a lot of CPU without freeing a page because the global limits were satisfied.
    o Ensured that uvm_swap_get() will always sleep rather than returning an error. Previously an error could be returned to the fault handler which would result in processes dying when a system was under a lot of memory pressure.
    o Added support for using non-standard UARTs (such as the Synopsys DesignWare UART) as an early console.
    o Remove NexGen CPU identification code as the kernel cannot run on these CPUs anyway.
    o Remove Rise CPU identification code.
    o Dropped detection code for 386sx/386dx CPUs. OpenBSD/i386 hasn't actually supported running on either for some time.
    o Dropped detection code for Cyrix CPUs older than the Cyrix M2.
    o Implemented the fundamentals for suspend/resume on arm64.
    o Simplified TSC synchronization testing on amd64.
    o Corrected sparc64 ofwboot to default to the softraid(4) volume on the boot device to make root on softraid work out of the box on sparc64 and be more consistent with softraid boot on other architectures.
    o Removed the obsolete kern.nselcoll sysctl(2).
    o Changed mips64, octeon, and loongson to trigger deferred clock interrupts from splx(9). This isolates the clock interrupt schedule from the MD clock interrupt code.
    o Fixed a potential kernel panic when an msdos partition is out of space by fixing instances where msdosfs passed a NULL proc pointer to detrunc().
    o Add a delay_init() function that helps on i386 and amd64 architectures in setting up delay_func for different timers and switching between them depending on their quality properties. This improves how timers backing delay(9) are managed.
- SMP Improvements
    o Make route timer MP safe and use rttimer pool.
    o Use kernel lock to protect parts of ARP, ND6 and PPPoE that are not MP safe. Lookup of existing ARP entries is MP safe and can run in parallel.
    o Start up to 4 softnet tasks to run IP input and forwarding in parallel on multiple cores.
    o Run IPv4 packet reassembly in parallel.
    o Run IPv6 hop-by-hop options processing in parallel.
    o Add a mutex to rate limiting functions to make them MP safe.
    o Introduce mutex and reference counter for internet protocol control block.
    o Protect UDP, raw IP, and divert packet input routines with a per-socket mutex.
    o Protect recv(2) system call for UDP and raw IP packets with a per-socket mutex and shared netlock. Allows to receive packets while forwarding in parallel.
    o Protect multicast deliver loop for UDP and raw IP sockets with rwlock.
    o Only grab netlock in IGMP and MLD timer when necessary.
    o TCP slow timer runs without netlock.
    o Rework rwlock so that a writer will get the lock eventually. Readers cannot share the lock forever. This prevents starvation of the writer.
    o Run interface media ioctl with shared netlock so packets can be processed while running ifconfig(8).
    o btrace(8) can be used to debug reference counting.
    o Use MP safe refcount for interface addresses.
    o Unlocked kbind(2).
    o Unlocked the pledge(2) system call.
    o Made UNIX domain sockets locking per-socket rather than coarse locking of the entire domain sockets layer.
- Direct Rendering Manager and graphics drivers
    o Updated drm(4) to Linux 5.15.69
    o inteldrm(4): support for Alder Lake, Raptor Lake
    o Reimplemented the TTM page allocation code using bus_dma(9) APIs to make sure DMA addresses are translated properly on architectures with an IOMMU. This fixed amdgpu(4) and radeondrm(4) on powerpc64, sparc64, and arm64 machines with SMMU.
    o Implemented support for framebuffers that don't start on a page boundary (like those on the 2021 14" and 16" MacBook Pro).
    o Added handling for framebuffers where the first pixel isn't page-aligned to wsfb(4).
    o Fixed Xorg(1) when using the luna88k 1bpp framebuffer hardware.
- VMM/VMD improvements
    o Improved error handling and logging in vmd(8)
    o Unify all internal structures and interfaces between vmd(8), vmctl(8) and vmm(4) to use bytes for memory and disk sizes.
    o Fix rebooting a received VM in vmd(8).
    o Have vmd(8) provide a copy of bios at 4g boundary. SeaBIOS and newer Linux kernels expect it there.
    o In vmd(8), fix off by one in VM memory range check.
    o In vmd(8), add support for MMIO assist. In vmm(4), send all port I/O emulation to userland.
    o Have vmd(8) compute i8254 read-back command latch from singular timestamp.
    o Improve the command line parsing in vmctl(8).
    o Let vmm(4) allow reading MSR_TSC on Intel hosts.
    o In vmm(4), reference count VMs and VCPUs.
    o In vmm(4), zero virtual addresses of VCPU state pages after freeing.
    o Fix `vmctl send` on Intel hosts by loading the vmcs before reading VCPU registers in vmm(4).
    o Fix `vmctl receive` on Intel hosts by adding an additional fault type in vmm(4).
    o Add additional dt(4) tracepoints in various vmm(4) codepaths.
    o Add snmpd(8) AgentX support based around VM-MIB (RFC7666).
- Various new userland features:
    o Replaced rc.d(8) $rcexec variable with an rc_exec function. This will require a mechanical change from ${rcexec} to rc_exec in rc.d scripts. Kept compatibility to give people a chance to fix their custom scripts.
    o Introduced a new daemon_execdir variable to rc.d(8) for changing to a specified directory before running rc_exec.
    o Added ts(1), a timestamp utility.
    o Add a new configtest action to rc.d(8) and rcctl(8) to check configuration syntax of a daemon.
    o Added forest (-f) mode to ps(1).
- Various bugfixes and tweaks in userland:
    o Fixed openrsync(1) on sparc64 by eliminating a redundant second conversion of the int value from little to host endian.
    o Added connection timeout functionality to openrsync(1) via the --contimeout option.
    o Set the default openrsync(1) connection timeout that rpki-client(8) uses to 15 seconds.
    o Made use of the fact that repositories are unique objects in pkg_add(1) and annotated the quirks repository as cached, allowing for a large speed increase.
    o Enabled pkg_add(1) caching by default.
    o Changed the tied algorithm in pkg_add(1) to prevent O(n^2) behavior when packages contain several hundred copies of the same file.
    o Added a "processing" message for when pkg_add(1) is transferring data to inform the user that pkg_add is still working.
    o Added missing uuid_dec_le() to init_gp() so fdisk(8) -A works on big-endian architectures.
    o Aligned fdisk(8) logic with that used in the kernel to allow the protective EFI GPT partition to be in MBR partitions 0-3, not just 0.
    o Prevented use of "-u" when fdisk(8) is operating on GPT formatted disks.
    o Stopped telling fdisk(8) that macppc HAS_MBR.
    o Made fdisk(8) reject input of excessive length.
    o Fixed an fdisk(8) regression to allow editing an MBR of all zeroes.
    o Changed fdisk(8) to restrict user actions if neither GPT nor MBR structures can be found on the disk.
    o Made fdisk(8) print a warning when an MBR partition starts or extends past the end of the device.
    o Made fdisk(8) print a warning when a GPT partition start or end is outside the usable LBA area of the device.
    o Made fdisk(8) display "Microsoft basic data" instead of "FAT12" for GPT_UUID_MSDOS partitions.
    o Made fdisk(8) print GPT attributes in verbose output.
    o Made fdisk(8) use the correct GPT bootable attribute bit.
    o Made fdisk(8) not spoof GPT partitions with the attribute REQUIRED.
    o Made fdisk(8) ensure GPT headers, table entries and usable area don't overlap each other.
    o Installed useful btrace(8) scripts in /usr/share/btrace.
    o Made btrace(8) execute the END probe upon receiving a SIGTERM signal.
    o Moved the wait for autoconf interfaces from rc(8) to netstart(8) to fix tunnel interfaces that depend on working autoconf interfaces.
    o Made netstart(8) create virtual interfaces up front if specified on the command line.
    o Changed rc.subr(8) to copy the message to stdout when using logger(1) to avoid needing to check syslog when running in debug mode.
    o Fixed kbd(8) so it doesn't fail silently when executed by a regular user.
    o In the sndio library, added the function sio_flush(3) to stop playback immediately. Altered sndiod(8) to wait until the buffer is drained before closing the device.
    o Made xterm(1) use a much safer FD-passing idiom for updating utmp(5).
    o Prevented a crash in vi(1) when cursor key support is disabled.
    o Updated vi(1) to apply expandtab to the output of a ! command.
    o Made mg(1) automatically delete trailing whitespace on RET in c-mode and auto-indent-mode.
    o Made grep(1) provide full context when using match count (-m)
    o Added the --null flag to grep(1) which makes grep print an ASCII NUL byte after the file name to make the output unambiguous.
    o Fixed multiple memory leaks in awk(1).
    o Changed compress(1) to print a more accurate message when -v is used with -k.
    o Fixed gzip(1) byte counts with 32-bit integers.
    o Fixed the growth check in compress(1) and gzip(1) in cases of small files or files with sufficiently random data.
    o Made timeout(1) -s accept HUP like kill(1) and GNU timeout(1) do.
    o Updated capitals and countries in the game quiz(6).
    o Set default sleep value of ico(1) to 10ms.
    o Fixed a bug in cron(8) where it could exit silently if ppoll(2) exited. Now it will log to syslog(3) instead of stderr.
    o Added llvm-profdata(1) to base so that ports can benefit from profiled builds.
    o Changed rc(8) to only attempt to set the yp(8) domainname if it has not been set yet.
    o Raised the "staff" login class data-size-cur on arm64 to be the same as that for amd64 in login.conf(5) (1536M).
    o Fixed patch(1) locate-hunk in empty files.
    o Fixed patch(1) in the case of reversing a patch that creates a file.
    o Added seconds to the uptime display of top(1).
    o Made putenv(3) return an error if the string starts with the '=' character. This matches the behavior on FreeBSD and NetBSD.
    o Fixed overflow of the number of errors in renice(8) by setting error instead of incrementing it.
    o Removed the "-c" compatibility option from vnconfig(8).
    o Stopped vnconfig(8) from printing the device name on failure.
    o Print a message when ld.so(1) fails inside execve(2) to clarify the failure mode when a dynamic executable is run while /usr isn't mounted.
    o Improved bioctl(8) RAID level parsing to check numeric levels before checking single character levels. This allows recognition of RAID 10 as a valid but unsupported level.
    o Fixed installboot(8) messaging when verbose (-v) and dry-run (-n) modes are combined with softraid(4).
    o Sped up wc(1) word counting.
- Improved hardware support and driver bugfixes, including:
    o New aplaudio(4) driver for Apple audio subsystem.
    o New aplmca(4) driver for Apple MCA controller.
    o New aplsart(4) driver for Apple SART address filter.
    o New alpdc, apldchidev, apldckbd, apldcms, and aplrtk drivers for keyboard and trackpad on Apple M2 laptops.
    o New qcgpio(4) driver for Qualcomm Snapdragon GPIO controller.
    o New qciic(4) driver for Qualcomm Snapdragon GENI I2C controller.
    o New sfgpio(4) driver for SiFive GPIO controller.
    o New stfclock(4) driver for StarFive JH7100 clock controller.
    o New stfpinctrl(4) driver for StarFive JH7100 pin configuration.
    o New stftemp driver for StarFive JH7100 temperature sensor.
    o New sxirintc(4) driver for Allwinner wakeup interrupt controller.
    o New gpiorestart driver for system reset via GPIO pin.
    o Added support for more power sensors to ipmi(4).
    o Added support for the ehci(4) controller on Marvell 3720 boards.
    o Extended ksmn(4) to show CCD temperatures if available.
    o Fixed missing interrupts for trackpads on some machines after resume by making sure amdgpio(4) restores pin configuration on resume.
    o Added FIFO support and allow baud rate changes to pluart(4).
    o Added support for the Synopsys DesignWare UART found on the Ryzen Embedded V1000 SoCs to com(4).
    o Added xhci(4) support for the dual role controllers integrated on the Qualcomm Snapdragon 8cx gen 3 SoC.
    o Added support for using the power button to wake up from suspend to axppmic(4).
    o Modified pms(4) to discard relative movement packets outside of the [-127, 127] range to prevent cursor jumps when using the trackpoint on some Lenovo laptops.
    o Allowed spdmem(4) to attach to gdiumiic(4).
    o Make spdmem(4) attach on 2F-based loongson systems.
    o Added power button support to aplsmc(4).
    o Changed the mfii(4) RAID controller driver to allow the firmware more time to transition out of the UNDEFINED state.
    o Added Wacom One S (CTL-472) support to uwacom(4).
- New or improved network hardware support:
    o Increased rx buffer size on uaq(4) to 62kB.
    o Repaired rge(4) hardware VLAN tagging.
    o Provide statistics via kstats for mvneta(4).
    o Enabled aq(4) on arm64.
    o Implemented and enabled IPv4, TCP, and UDP checksum offloading for igc(4).
    o Fixed a panic triggered by ifconfig bnxt0 down by changing bnxt(4) devices to not run rx and tx interrupt handlers when the interface is not running.
    o Introduced Large Receive Offloading of TCP segment offloading in ix(4). Also added a tso option to ifconfig(8) to enable and disable this feature.
- Added or improved wireless network drivers:
    o Made device matching in iwx(4) more similar to Linux iwlwifi in order to recognize more devices.
    o Added support for AX210/AX211 devices to iwx(4).
    o Fixed iwx(4) setting of HT/VHT bits in rate flags of the Tx command that could cause a firmware panic.
    o Added handling of 9k devices which do not support antenna B to iwm(4).
    o Fixed bwfm(4) ifconfig media display on devices with sta_info command version 3.
    o Fixed a bwfm(4) crash during USB detach.
    o Fixed detection of the Rx data rate on rtl8192eu urtwn(4) devices.
    o Fixed integer overflows in the iwm(4) and iwx(4) firmware file parsers.
- IEEE 802.11 wireless stack improvements and bugfixes:
    o Make sure drivers initialize all of ieee80211_rxinfo struct.
- Installer, upgrade and bootloader improvements:
    o Fixed the watchdog in the installer so that it is reset after each download and each set installation.
    o Ensured that running sysupgrade(8) on -stable will move to the next release, not -current.
    o Added the -b option to sysupgrade(8) to set an alternative base directory to which the installation files will be downloaded.
    o Increased the disklabel(8) auto partitioner's maximum size for /usr to 30G.
    o Altered installer behavior so the vlan(4) question won't be asked unless another network interface exists.
    o Added support for wildcards in fw_update(8) patterns.
    o Added support for booting from RAID 1C softraid(4) volumes on amd64, sparc64 and arm64.
    o Added NFS client support to the luna88k RAMDISK kernel.
    o Made the EFI bootloader provide the extra parameters necessary to use non-standard UARTs on the AMD Ryzen Embedded V1000 SoCs as console.
    o Switched bootloaders to the extended BOOTARG_CONSDEV struct.
    o Added UFS2 support to landisk boot blocks.
- Security improvements:
    o Implemented privilege separation in xlock(1).
    o Added privilege separation to snmpd(8).
    o The TZ environment variable no longer supports absolute paths, to fit better into the pledge(2) bypass model.
    o AF_UNIX socket bind(2) and connect(2) now follow unveil(2) configuration.
    o New ypconnect(2) system call creates a socket based upon the IP address encoded directly in a locked ypbinding file, thereby removing a horrible hack to support YP lookups in programs using strong pledge(2) rules.
    o Processes that pledge("vminfo") may now use the read-only swapctl(2) operations SWAP_NSWAP and SWAP_STATS providing information on swap devices.
    o Randomized the rekey interval of arc4random(3).
    o Reduce the attack surface by introducing a 'local bind' mode to ypldap(8). In this mode ypldap binds its RPC sockets to loopback, so YP services are only available to the host it's running on. ypldap writes the YP binding file in /var/yp/binding itself and replaces ypbind(8) and ypserv(8). This also implies that portmap(8) doesn't need to be running anymore when local bind mode is used.
    o Changed the /sbin daemons dhcpleased(8), mountd(8), nfsd(8), pflogd(8), resolvd(8), slaacd(8), and unwind(8) to be dynamically linked to allow them to benefit from all the additional mitigations that dynamically linked executables gain. NFS mounting of /usr must now use statically configured IP addresses.
- Changes in the network stack:
    o Added the recvmmsg(2) system call that allows receiving multiple msghdrs at once, and the sendmmsg syscall that allows sending multiple msghdrs at once.
    o Relaxed address availability check for multicast(4) binds so processes listening for the same multicast address do not need to be the same UID.
    o Introduced dedicated link entries for snapshots to pfsync(4).
    o Changed pf(4) handling of IGMP and ICMP6 MLD packets to allow multicast control packets to work by default.
    o Made pf(4) more paranoid about IGMP/MLD messages.
    o Fixed a logic bug in pf_find_state() that could cause pf(4) to incorrectly block a packet.
    o Fixed pf(4) syncookies during fast TCP port reuse.
    o Fixed a bug in pf(4) where a pool defined like "172.16.0.0/16" would count as a pool size of one address. Also fixed random selection of source address to be uniform across the whole pool.
    o Fixed a kernel panic in pf(4) if IP options with an ICMP payload were truncated. Such packets will now be dropped instead.
    o Allow forwarding to and from IPs in the 240/4 range.
    o Corrected the Virtual Ethernet Bridge veb(4) to avoid calling if_enqueue from an smr critical section.
    o Reworked the kroute rttimer code to fix icmp_pmtu_timeout crashes.
    o Fixed an interrupt storm upon suspend on Amlogic arm64 boards.
    o Fixed a race between pflow_output_process() and pflow_clone_destroy() in pflow(4).
    o Added a missing input validation step to pipex(4) MPPE keylenbits.
- Routing daemons and other userland network improvements:
    o IPsec support was improved:
        - Made iked(8) ignore any CERT payload after the first rather than failing the exchange when more than one CERT payload is received.
        - Added iked(8) support for sending certificate chains with intermediate CAs in multiple CERT payloads.
        - Added an OpenIKED Vendor ID payload in the iked(8) initial handshake to make it easier to handle interoperability problems with older versions in the future.
        - Added iked(8) connection statistics for successful and failed connections, error types, and other events that can be printed with "ikectl show stats".
    o In bgpd(8),
        - Implement max-communities filter to limit the number of allowed communities, ext-communities and large-communities.
        - Fix insertion of additional non-transitive extended communities when sending out prefixes.
        - Relax IP address limitation by allowing prefixes in 240/4.
        - Implement RFC 9234 - Route Leak Prevention and Detection Using Roles in UPDATE and OPEN Messages.
        - Full support for RFC 7911 - Advertisement of Multiple Paths in BGP (ADD-PATH).
        - Improve FIB code, handle IPv6 scoped addresses properly.
        - Add bgplgd(8), a FastCGI server providing a REST API to execute bgpctl(8) commands.
        - Bugfix: bgpd(8) could fail to invalidate nexthops and incorrectly leave them in the FIB or Adj-RIB-Out.
        - Speedup bgpctl show rib 10/8 or-longer and show rib 10/8 or-shorter
        - Switch various static hash tables to RB trees improving performance on large systems
        - Export per neighbor pending update and withdraw statistics
        - Fix race between a neighbor session reset and its update message backlog
        - Improve handling of nexthop reachability state changes
        - Made sure only one bgpd(8) roa softreconfig runner is run at any time.
    o rpki-client(8) saw some changes:
        - Allowed more than one CRL URI in certificates.
        - Do not apply timezone offsets when converting X509 times. X509 times are in UTC and comparing them to times in different timezones would cause validity problems.
        - Add support for an operator-configurable skiplist facility. Operators can specify a list of FQDNs which should not be contacted when synchronizing the local cache to the network.
        - Emit a warning when a RRDP session serial number decreases.
        - DER decoding functions were refactored to leverage ASN.1 templates.
        - Add support to validate & inspect .sig files containing RPKI Signed Checklists in filemode (-f). (draft-ietf-sidrops-rpki-rsc-08)
        - Print various statistics after the completion of the main process.
        - Add support to decode & print TAL (RFC 8630) details in filemode (-f).
        - Emit objects in Concatenated JSON format when filemode (-f) and the JSON output flag (-j) are combined.
        - Add support for validating Autonomous System Provider Authorization (ASPA) objects conforming to draft-ietf-sidrops-aspa-profile-10. Validated ASPA payloads are visible in JSON and filemode (-f) output.
        - Set rsync(1) connection I/O idle timeout to 15 seconds.
        - Unify the maximum idle I/O and connect timeouts for rsync(1) & HTTPS.
        - rpki-client(8) now performs stricter EE certificate validation:
            o Disallow AS Resources extensions in ROA EE certificates.
            o Disallow Subject Information Access (SIA) extensions in RPKI Signed Checklist (RSC) EE certs.
            o Check the resources in ROAs and RSCs against EE certs.
        - Improve readability and add various information being printed in verbose mode.
        - Extend filemode (-f) output and print X.509 certificates in PEM format when increased verbosity (-vv) is specified.
        - Shorten the RRDP I/O idle timeout.
        - Introduce a deadline timer that aborts all repository synchronization after seven eighths of timeout (-s). With this rpki-client has improved chances to complete and produce an output even when a CA is excessively slow.
        - Abort a currently running RRDP request process when the per-repository timeout is reached.
        - Permit multiple AccessDescription entries in SIA X.509 extensions. While fetching from secondary locations is not yet supported, rpki-client will not treat occurrence as a fatal error.
        - Resolve a potential for a race condition in non-atomic RRDP deltas.
        - Fix some memory leaks.
        - Improve compliance with the HTTP protocol specification.
    o In snmpd(8),
        - Allow object names to be used in addition to OIDs in snmpd.conf(5).
        - Better type hinting for debug logging.
        - Introduce a blocklist feature, which removes subtrees from view.
        - Reintroduce AgentX master support.
        - Move non-SNMP related metrics to their own AgentX based backend.
        - The snmpe process is now pledged stdio recvfd inet unix.
        - Imported snmpd_metrics(8). This allows those who need to use net-snmpd the ability to access base snmpd(8) metrics.
    o In ldapd(8), match password schemas case sensitive.
    o In ospfd(8), relax the limitations on what is an acceptable unicast IP. There are no more experiments in IPv4 and so there is less reason for network daemons to deny formerly experimental IP space. Multicast IPs (224/4) and loopback (127/8) are still disallowed.
    o Added check to acme-client(1) to ensure the challenge token is turned into a filename that is base64url encoded.
    o Added RFC 9234 "BGP Role" support to tcpdump(8)
    o Have tcpdump(8) print ASnumbers in 'asplain' format instead of the old 'asdot' format.
    o Fixed a crash in libpcap when it would walk off the end of the array performing frees.
    o Made -X connect SOCKS work with IPv6 addresses in nc(1).
    o Introduced a blocklist backend and keyword to snmpd(8), this deprecates filter-pf-addresses.
    o Changed dhclient(8) to defer to dhcpleased(8) by doing execve ifconfig and providing syslog warnings about deprecated options.
    o Implemented dig(1) support for SVCB and HTTPS record types.
    o Made resolvd(8) write /etc/resolv.conf in a more atomic manner.
    o Added a slowcgi(8) -t flag to change the request timeout.
    o Corrected handling of an abnormal FastCGI termination in httpd(8).
    o Made newer MIME type definitions take precedence over existing ones in httpd(8).
    o Moved the relayd(8) daemon(3) call to just before forking the children so the parent disassociates from its controlling terminal and shell, but not from its children.
    o Changed ftp(1) to use non-blocking connect(2) with ppoll(2) and timeout instead of alarm(3). This allows failing over to another IP address for hosts that have more than one.
- tmux(1) improvements and bug fixes:
    o Added an ACL list for multiple users attaching to the tmux(1) socket.
    o Ensured cursor remains on selected item on menu.
    o Added support for OSC 8 hyperlinks.
    o Added support for hyperlinks with capture-pane -e and a mouse_hyperlink format.
    o Added an "all" state to allow-passthrough to work even in invisible panes.
    o Fixed a crash when searching for .* with extremely long lines.
    o Added vi(1) Home/End bindings.
    o Added a Nobr terminfo capability to tell tmux(1) the terminal does not use bright colors for bold.
    o Added a notification when a paste buffer is deleted.
    o Fixed window size reporting.
- LibreSSL version 3.6.0
  o New features
    - EVP API for HKDF ported from OpenSSL and subsequently cleaned up.
    - The security level API (SSL_{,CTX}_{get,set}_security_level()) is now available. Callbacks and ex_data are not supported. Sane software will not be using this.
    - Experimental support for the BoringSSL QUIC API.
    - Add initial support for TS ESSCertIDv2 verification.
    - LibreSSL now uses the Baillie-PSW primality test instead of Miller-Rabin.
  o Compatibility changes
    - The ASN.1 time parser has been refactored and rewritten using CBS. It has been made stricter in that it now enforces the rules from RFC 5280.
    - ASN1_AFLG_BROKEN was removed.
    - Error check tls_session_secret_cb() like OpenSSL.
    - Added ASN1_INTEGER_{get,set}_{u,}int64()
    - Move leaf certificate checks to the last thing after chain validation.
    - Added -s option to openssl(1) ciphers that only shows the ciphers supported by the specified protocol.
    - Use TLS_client_method(3) instead of TLSv1_client_method(3) in the openssl(1) ciphers command.
    - Validate the protocols in SSL{_CTX,}_set_alpn_protos().
    - Made TS and PKCS12 opaque.
    - Per RFC 7292, safeContentsBag is a SEQUENCE OF, not a SET OF.
    - Align PKCS12_key_gen_uni() with OpenSSL
    - Various PKCS12 and TS accessors were added. In particular, the TS_RESP_CTX_set_time_cb() function was added back.
    - Allow a NULL header in PEM_write{,_bio}()
    - Allow empty attribute sets in CSRs.
    - Adjust signatures of BIO_ctrl functions.
    - Provide additional defines for EVP AEAD.
    - Provide OPENSSL_cleanup().
    - Make BIO_info_cb() identical to bio_info_cb().
  o Bug fixes
    - Avoid use of uninitialized in BN_mod_exp_recp().
    - Fix X509_get_extension_flags() by ensuring that EXFLAG_INVALID is set on X509_get_purpose() failure.
    - Fix HMAC() with NULL key.
    - Add ERR_load_{COMP,CT,KDF}_strings() to ERR_load_crypto_strings().
    - Avoid strict aliasing violations in BN_nist_mod_*().
    - Do not return X509_V_ERR_UNSPECIFIED from X509_check_ca(). No return value of X509_check_ca() indicates failure. Application code should therefore issue a checked call to X509_check_purpose() before calling X509_check_ca().
    - Rewrite and fix X509v3_asid_subset() to avoid segfaults on some valid input.
    - Call the ASN1_OP_D2I_PRE callback after ASN1_item_ex_new().
    - Fix d2i_ASN1_OBJECT to advance the *der_in pointer correctly.
    - Avoid use of uninitialized in ASN1_STRING_to_UTF8().
    - Do not pass uninitialized pointer to ASN1_STRING_to_UTF8().
    - Do not refuse valid IPv6 addresses in nc(1)'s HTTP CONNECT proxy.
    - Do not reject primes in trial divisions.
    - Error out on negative shifts in BN_{r,l}shift() instead of accessing arrays out of bounds.
    - Fix URI name constraints, allow for URIs with no host part.
    - Fix the legacy verifier callback behaviour for untrusted certs.
    - Correct server-side handling of TLSv1.3 key updates.
    - Plug leak in PKCS12_setup_mac().
    - Plug leak in X509V3_add1_i2d().
    - Only print X.509 versions we know about.
    - Avoid signed integer overflow due to unary negation
    - Initialize readbytes in BIO_gets().
    - Plug memory leak in CMS_add_simple_smimecap().
    - Plug memory leak in X509_REQ_print_ex().
    - Check HMAC() return value to avoid a later use of uninitialized.
    - Avoid potential NULL dereference in ssl_set_pkey().
    - Check return values in ssl_print_tmp_key().
    - Switch loop bounds from size_t to int in check_hosts().
    - Avoid division by zero if no connection was made in s_time.c.
    - Check sk_SSL_CIPHER_push() return value
    - Avoid out-of-bounds read in ssl_cipher_process_rulestr().
    - Use LONG_MAX as the limit for ciphers with long based APIs.
  o Internal improvements
    - Avoid expensive RFC 3779 checks during cert verification.
    - The templated ASN.1 decoder has been cleaned up, refactored, modernized with parts rewritten using CBB and CBS.
    - The ASN.1 time parser has been rewritten.
    - Rewrite and fix ASN1_STRING_to_UTF8().
    - Use asn1_abs_set_unused_bits() rather than inlining it.
    - Simplify ec_asn1_group2curve().
    - First pass at a clean up of ASN1_item_sign_ctx()
    - ssl_txt.c was cleaned up.
    - Internal function arguments and struct member have been changed to size_t.
    - Lots of missing error checks of EVP API were added.
    - Clean up and clarify BN_kronecker().
    - Simplify ASN1_INTEGER_cmp()
    - Rewrite ASN1_INTEGER_{get,set}() using CBS and CBB and reuse the ASN1_INTEGER functions for ASN1_ENUMERATED.
    - Use ASN1_INTEGER to parse and build {Z,}LONG_it
    - Refactored and cleaned up group (elliptic curve) handling in t1_lib.c.
    - Simplify certificate list handling code in the legacy server.
    - Make CBB_finish() fail if *out_data is not NULL.
    - Remove tls_buffer_set_data() and remove/revise callers.
    - Rewrite SSL{_CTX,}_set_alpn_protos() using CBS.
    - Simplify tlsext_supported_groups_server_parse().
    - Remove redundant length checks in tlsext parse functions.
    - Simplify tls13_server_encrypted_extensions_recv().
    - Add read and write support to tls_buffer.
    - Convert TLS transcript from BUF_MEM to tls_buffer.
    - Clear key on exit in PKCS12_gen_mac().
    - Minor fixes in PKCS12_parse().
    - Provide and use a primitive clear function for BIGNUM_it.
    - Use ASN1_INTEGER to encode/decode BIGNUM_it.
    - Add stack frames to AES-NI x86_64 assembly.
    - Use named initialisers for BIGNUMs.
    - Tidy up some of BN_nist_mod_*.
    - Expand BLOCK_CIPHER_* and related macros.
    - Avoid shadowing the cbs function parameter in tlsext_alpn_server_parse()
    - Deduplicate peer certificate chain processing code.
    - Make it possible to signal an error from an i2c_* function.
    - Rewrite i2c_ASN1_INTEGER() using CBB/CBS.
    - Remove UINT32_MAX limitation on ChaCha() and CRYPTO_chacha_20().
    - Remove bogus length checks from EVP_aead_chacha20_poly1305().
    - Reworked DSA_size() and ECDSA_size().
    - Stop using CBIGNUM_it internal to libcrypto.
    - Provide c2i_ASN1_ENUMERATED_cbs() and call it from asn1_c2i_primitive().
    - Ensure ASN.1 types are appropriately encoded.
    - Avoid recycling ASN1_STRINGs when decoding ASN.1.
    - Tidy up asn1_c2i_primitive() slightly.
    - Mechanically expand IMPLEMENT_BLOCK_CIPHER, IMPLEMENT_CFBR, BLOCK_CIPHER and the looney M_do_cipher macros.
    - Use correct length for EVP CFB mode ciphers.
    - Provide a version of ssl_msg_callback() that takes a CBS.
    - Use CBS to parse TLS alerts in the legacy stack.
    - Increment the input and output position for EVP AES CFB1.
    - Ensure there is no trailing data for a CCS received by the TLSv1.3 stack.
    - Use CBS when processing a CCS message in the legacy stack.
    - Be stricter with middlebox compatibility mode in the TLSv1.3 server.
- OpenSSH 9.1
  o Security
    - ssh-keyscan(1): fix a one-byte overflow in SSH banner processing
    - ssh-keygen(1): fix double free() in error path of signing/verify code
    - ssh-keysign(8): fix double-free in error path introduced in OpenSSH 8.9.
  o Potentially-incompatible changes
    - ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config are now first-match-wins to match other directives. Previously if an environment variable was multiply specified the last set value would have been used.
    - ssh-keygen(8): ssh-keygen -A (generate all default host key types) will no longer generate DSA keys, as these are insecure and have not been used by default for some years.
    - ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum RSA key length. Keys below this length will be ignored for user authentication and for host authentication in sshd(8). ssh(1) will terminate a connection if the server offers an RSA key that falls below this limit, as the SSH protocol does not include the ability to retry a failed key exchange
    - sftp-server(8): add a users-groups-by-id@openssh.com extension request that allows the client to obtain user/group names that correspond to a set of uids/gids.
    - sftp(1): use users-groups-by-id@openssh.com sftp-server extension (when available) to fill in user/group names for directory listings.
    - sftp-server(8): support the home-directory extension request defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps a bit with the existing "expand-path@openssh.com", but some other clients support it.
    - ssh-keygen(1), sshd(8): allow certificate validity intervals, sshsig verification times and authorized_keys expiry-time options to accept dates in the UTC time zone in addition to the default of interpreting them in the system time zone. YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed with a 'Z' character. Also allow certificate validity intervals to be specified in raw seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This is intended for use by regress tests and other tools that call ssh-keygen as part of a CA workflow.
    - sftp(1): allow arguments to the sftp -D option, e.g. sftp -D /usr/libexec/sftp-server -el debug3.
    - ssh-keygen(1): allow the existing -U (use agent) flag to work with -Y sign operations, where it will be interpreted to require that the private key is hosted in an agent.
  o Bugfixes
    - ssh-keygen(1): implement the "verify-required" certificate option. This was already documented when support for user-verified FIDO keys was added, but the ssh-keygen(1) code was missing.
    - ssh-agent(1): hook up the restrict_websafe command-line flag; previously the flag was accepted but never actually used.
    - sftp(1): improve filename tab completions: never try to complete names to non-existent commands, and better match the completion type (local or remote filename) against the argument position being completed.
    - ssh-keygen(1), ssh(1), ssh-agent(1): several fixes to FIDO key handling, especially relating to keys that request user-verification. These should reduce the number of unnecessary PIN prompts for keys that support intrinsic user verification.
    - ssh-keygen(1): when enrolling a FIDO resident key, check if a credential with matching application and user ID strings already exists and, if so, prompt the user for confirmation before overwriting the credential.
    - sshd(8): improve logging of errors when opening authorized_keys files.
    - ssh(1): avoid multiplexing operations that could cause SIGPIPE from causing the client to exit early. bz3454
    - ssh_config(5), sshd_config(5): clarify that the RekeyLimit directive applies to both transmitted and received data.
    - ssh-keygen(1): avoid double fclose() in error path.
    - sshd(8): log an error if pipe() fails while accepting a connection.
    - ssh(1), ssh-keygen(1): fix possible NULL deref when built without FIDO support.
    - ssh-keyscan(1): add missing *-sk types to ssh-keyscan manpage.
    - sshd(8): ensure that authentication passwords are cleared from memory in error paths.
    - ssh(1), ssh-agent(1): avoid possibility of notifier code executing kill(-1).
    - ssh_config(5): note that the ProxyJump directive also accepts the same tokens as ProxyCommand.
    - scp(1): do not ftruncate(3) files early when in sftp mode. The previous behaviour of unconditionally truncating the destination file would cause scp ~/foo localhost: and scp localhost:foo ~/ to delete all the contents of their destination.
    - ssh-keygen(1): improve error message when ssh-keygen -Y sign is unable to load a private key.
    - sftp(1), scp(1): when performing operations that glob(3) a remote path, ensure that the implicit working directory used to construct that path escapes glob(3) characters. This prevents glob characters from being processed in places they shouldn't, e.g. cd /tmp/a*/, get *.txt should have the get operation treat the path /tmp/a* literally and not attempt to expand it.
    - ssh(1), sshd(8): be stricter in which characters will be accepted in specifying a mask length; allow only 0-9.
    - ssh-keygen(1): avoid printing hash algorithm twice when dumping a KRL.
    - ssh(1), sshd(8): continue running local I/O for open channels during SSH transport rekeying. This should make ~-escapes work in the client (e.g. to exit) if the connection happened to have stalled during a rekey event.
    - ssh(1), sshd(8): avoid potential poll() spin during rekeying
    - Further hardening for sshbuf internals: disallow "reparenting" a hierarchical sshbuf and zero the entire buffer if reallocation fails.
- mandoc 1.14.6 plus some new features and many bugfixes, including:
  o Significantly improved accessibility of mandoc(1) -T html and man.cgi(8) output by using semantically better HTML elements in several places and by adding ARIA and DPUB-ARIA roles and aria-label attributes to several HTML elements.
  o Got rid of archaic HTML table markup for header and footer lines in favor of flexbox CSS. Rendering now adapts to browser windows of arbitrary narrowness.
  o Prevented -T html output from turning breakable hyphens into underscores in URI fragment identifiers.
  o Improved the roff(7) escape sequence parser in several fundamental ways regarding output correctness and groff compatibility.
  o Corrected output that depends on the order of evaluation of roff(7) escape sequences by parsing them left-to-right rather than right-to-left.
  o Significantly improved -T lint diagnostics regarding syntax errors in roff(7) escape sequences and in their arguments.
  o Stopped emitting vertical space before the tbl(7) .TS (table start) macro for compatibility with the same change in groff. This implies .PP or .Pp macros may need to be inserted before .TS in some (but not all!) places in some manual pages using tbl(7).
  o Stopped skipping vertical space after the tbl(7) .TE (table end) macro of boxed tables for compatibility with the same change in groff. This implies .sp requests may need to be removed after .TE in some manual pages using tbl(7).
  o Corrected the calculation of the width of spanned tbl(7) columns.
  o Improved the handling of literal tab characters in filled text in multiple ways for compatibility with groff and Heirloom troff.
  o Plus bugfixes for two segfaults, two infinite loops, and several assertion failures.
- Ports and packages:
  o Pre-built packages are available for the following architectures on the day of release:
    - aarch64 (arm64): 11261
    - amd64: 11451
    - i386: 10225
    - mips64: 8759
    - powerpc64: XXX
    - riscv64: 9808
    - sparc64: 9275
  o Packages for the following architectures will be made available as their builds complete:
    - arm
    - powerpc
- Some highlights:
  o Asterisk 16.28.0, 18.14.0 and 19.6.0
  o Audacity 2.4.2
  o CMake 3.24.2
  o Chromium 105.0.5195.125
  o Emacs 28.2
  o FFmpeg 4.4.2
  o GCC 8.4.0 and 11.2.0
  o GHC 9.2.4
  o GNOME 42.4
  o Go 1.19.1
  o JDK 8u342, 11.0.16 and 17.0.4
  o KDE Applications 22.08.1
  o KDE Frameworks 5.98.0
  o Krita 5.1.1
  o LLVM/Clang 13.0.0
  o LibreOffice 7.4.1.2
  o Lua 5.1.5, 5.2.4 and 5.3.6
  o MariaDB 10.9.3
  o Mono 6.12.0.182
  o Mozilla Firefox 105.0.1 and ESR 102.3.0
  o Mozilla Thunderbird 102.3.0
  o Mutt 2.2.7 and NeoMutt 20220429
  o Node.js 16.17.1
  o OCaml 4.12.1
  o OpenLDAP 2.6.3
  o PHP 7.4.30, 8.0.23 and 8.1.10
  o Postfix 3.7.2
  o PostgreSQL 14.5
  o Python 2.7.18, 3.9.14 and 3.10.7
  o Qt 5.15.6 and 6.3.1
  o R 4.2.1
  o Ruby 2.7.6, 3.0.4 and 3.1.2
  o Rust 1.63.0
  o SQLite 3.39.3
  o Shotcut 22.06.23
  o Sudo 1.9.11.2
  o Suricata 6.0.6
  o Tcl/Tk 8.5.19 and 8.6.12
  o TeX Live 2021
  o Vim 9.0.0192 and Neovim 0.7.2
  o Xfce 4.16
- As usual, steady improvements in manual pages and other documentation.
- The system includes the following major components from outside suppliers:
  o Xenocara (based on X.Org 7.7 with xserver 21.1.4 + patches, freetype 2.12.1, fontconfig 2.13.94, Mesa 22.1.7, xterm 372, xkeyboard-config 2.20, fonttosfnt 1.2.2, and more)
  o LLVM/Clang 13.0.0 (+ patches)
  o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
  o Perl 5.32.1 (+ patches)
  o NSD 4.6.0
  o Unbound 1.16.3
  o Ncurses 5.7
  o Binutils 2.17 (+ patches)
  o Gdb 6.3 (+ patches)
  o Awk September 12, 2022 version
  o Expat 2.4.9
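For the RequiredRSASize directive listed under OpenSSH 9.1 above, the following added example (not part of the announcement or of OpenSSH) reports which plain ssh-rsa entries in an authorized_keys file fall below a chosen minimum and would therefore be ignored once the directive is set. The key blobs, hosts and comments are constructed, and the 3072-bit threshold is an assumed value.

```python
import base64
import struct


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length, then bytes)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated field body")
    return buf[off:off + length], off + length


def rsa_bits(b64_blob):
    """Modulus size in bits of an ssh-rsa public key blob, or None if not RSA."""
    blob = base64.b64decode(b64_blob, validate=True)
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        return None
    _exponent, off = _read_string(blob, off)
    modulus, _ = _read_string(blob, off)
    return int.from_bytes(modulus, "big").bit_length()


def audit(lines, minimum):
    """Return (line number, bits, comment) for each ssh-rsa key below minimum."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # Options may precede the key type and may contain spaces, so accept
        # an "ssh-rsa" token only if the next token decodes as an RSA blob.
        for i, token in enumerate(tokens[:-1]):
            if token != "ssh-rsa":
                continue
            try:
                bits = rsa_bits(tokens[i + 1])
            except ValueError:  # also covers binascii.Error from b64decode
                continue
            if bits is None:
                continue
            if bits < minimum:
                findings.append((lineno, bits, " ".join(tokens[i + 2:])))
            break
    return findings


def _wire(data):
    return struct.pack(">I", len(data)) + data


def _mpint(value):
    # bit_length // 8 + 1 bytes leaves the top bit clear, as mpint requires.
    return _wire(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def constructed_key(bits):
    """Constructed blob with a modulus of the given length (not a usable key)."""
    modulus = (1 << (bits - 1)) | 1
    blob = _wire(b"ssh-rsa") + _mpint(65537) + _mpint(modulus)
    return base64.b64encode(blob).decode()


# Constructed authorized_keys content; hosts and comments are placeholders.
SAMPLE = [
    "# constructed sample",
    "ssh-rsa " + constructed_key(1024) + " legacy@build-host",
    'command="echo ssh-rsa test",no-pty ssh-rsa '
    + constructed_key(2048) + " backup@example",
    "ssh-ed25519 AAAAplaceholder other@example",
    "ssh-rsa " + constructed_key(4096) + " admin@example",
]

if __name__ == "__main__":
    for lineno, bits, comment in audit(SAMPLE, 3072):
        print(f"line {lineno}: {bits}-bit RSA key ({comment}) is below the limit")
```

Running such a check before setting the directive shows which users would lose key authentication; certificate key types are not examined here.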
------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------
We provide patches for known security threats and other important issues discovered after each release. Our continued research into security means we will find new security problems -- and we always provide patches as soon as possible. Therefore, we advise regular visits to
https://www.OpenBSD.org/security.html and https://www.OpenBSD.org/errata.html
------------------------------------------------------------------------
- MAILING LISTS AND FAQ ------------------------------------------------
Mailing lists are an important means of communication among users and developers of OpenBSD. For information on OpenBSD mailing lists, please see:
https://www.OpenBSD.org/mail.html
You are also encouraged to read the Frequently Asked Questions (FAQ) at:
https://www.OpenBSD.org/faq/
------------------------------------------------------------------------
- DONATIONS ------------------------------------------------------------
The OpenBSD Project is a volunteer-driven software group funded by donations. Besides OpenBSD itself, we also develop important software like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet filter, the quality work of our ports development process, and many others. This ecosystem is all handled under the same funding umbrella.
We hope our quality software will result in contributions that maintain our build/development infrastructure, pay our electrical/internet costs, and allow us to continue operating very productive developer hackathon events.
All of our developers strongly urge you to donate and support our future efforts. Donations to the project are highly appreciated, and are described in more detail at:
https://www.OpenBSD.org/donations.html
------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------
For those unable to make their contributions as straightforward gifts, the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian not-for-profit corporation that can accept larger contributions and issue receipts. In some situations, their receipt may qualify as a business expense write-off, so this is certainly a consideration for some organizations or businesses.
There may also be exposure benefits since the Foundation may be interested in participating in press releases. In turn, the Foundation then uses these contributions to assist OpenBSD's infrastructure needs. Contact the foundation directors at directors@openbsdfoundation.org for more information.
------------------------------------------------------------------------
- HTTPS INSTALLS -------------------------------------------------------
OpenBSD can be easily installed via HTTPS downloads. Typically you need a single small piece of boot media (e.g., a USB flash drive) and then the rest of the files can be installed from a number of locations, including directly off the Internet. Follow this simple set of instructions to ensure that you find all of the documentation you will need while performing an install via HTTPS.
1) Read either of the following two files for a list of HTTPS mirrors which provide OpenBSD, then choose one near you:
https://www.OpenBSD.org/ftp.html
https://ftp.openbsd.org/pub/OpenBSD/ftplist
As of October 20, 2022, the following HTTPS mirror sites have the 7.2 release:
https://cdn.openbsd.org/pub/OpenBSD/7.2/             Global
https://ftp.eu.openbsd.org/pub/OpenBSD/7.2/          Stockholm, Sweden
https://ftp.hostserver.de/pub/OpenBSD/7.2/           Frankfurt, Germany
https://ftp.bytemine.net/pub/OpenBSD/7.2/            Oldenburg, Germany
https://ftp.fr.openbsd.org/pub/OpenBSD/7.2/          Paris, France
https://mirror.aarnet.edu.au/pub/OpenBSD/7.2/        Brisbane, Australia
https://ftp.usa.openbsd.org/pub/OpenBSD/7.2/         CO, USA
https://ftp5.usa.openbsd.org/pub/OpenBSD/7.2/        CA, USA
https://mirror.esc7.net/pub/OpenBSD/7.2/             TX, USA
https://openbsd.cs.toronto.edu/pub/OpenBSD/7.2/      Toronto, Canada
https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.2/  Global
https://fastly.cdn.openbsd.org/pub/OpenBSD/7.2/      Global
The release is also available at the master site:
https://ftp.openbsd.org/pub/OpenBSD/7.2/ Alberta, Canada
However it is strongly suggested you use a mirror.
Other mirror sites may take a day or two to update.
2) Connect to that HTTPS mirror site and go into the directory pub/OpenBSD/7.2/ which contains these files and directories. This is a list of what you will see:
ANNOUNCEMENT  armv7/     octeon/              root.mail
README        hppa/      openbsd-72-base.pub  sparc64/
SHA256        i386/      packages/            src.tar.gz
SHA256.sig    landisk/   packages-stable/     sys.tar.gz
alpha/        loongson/  ports.tar.gz         xenocara.tar.gz
amd64/        luna88k/   powerpc64/
arm64/        macppc/    riscv64/
It is quite likely that you will want at LEAST the following files which apply to all the architectures OpenBSD supports.
README    - generic README
root.mail - a copy of root's mail at initial login. (This is really worthwhile reading).
3) Read the README file. It is short, and a quick read will make sure you understand what else you need to fetch.
4) Next, go into the directory that applies to your architecture, for example, amd64. This is a list of what you will see:
BOOTIA32.EFI*  bsd*        floppy72.img    pxeboot*
BOOTX64.EFI*   bsd.mp*     game72.tgz      xbase72.tgz
BUILDINFO      bsd.rd*     index.txt       xfont72.tgz
INSTALL.amd64  cd72.iso    install72.img   xserv72.tgz
SHA256         cdboot*     install72.iso   xshare72.tgz
SHA256.sig     cdbr*       man72.tgz
base72.tgz     comp72.tgz  miniroot72.img
If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64 and install72.iso. The install72.iso file (roughly 583MB in size) is a one-step ISO-format install CD image which contains the various *.tgz files so you do not need to fetch them separately.
If you prefer to use a USB flash drive, fetch install72.img and follow the instructions in INSTALL.amd64.
5) If you are an expert, follow the instructions in the file called README; otherwise, use the more complete instructions in the file called INSTALL.amd64. INSTALL.amd64 may tell you that you need to fetch other files.
6) Just in case, take a peek at:
https://www.OpenBSD.org/errata.html
This is the page where we talk about the mistakes we made while creating the 7.2 release, or the significant bugs we fixed post-release which we think our users should have fixes for. Patches and workarounds are clearly described there.
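An added example (not part of the announcement) of checking the files fetched in steps 2 to 4 against the SHA256 list found in the same directory. It assumes the list uses BSD-style `SHA256 (name) = digest` lines; the file contents below are constructed stand-ins, and authenticating the list itself through SHA256.sig is left to signify(1).

```python
import hashlib
import hmac
import os
import re
import tempfile

# BSD-style checksum line, e.g. "SHA256 (install72.iso) = <64 hex digits>".
# Names containing "/" are rejected so a list entry cannot point outside
# the download directory.
_LINE = re.compile(r"^SHA256 \(([^()/]+)\) = ([0-9a-f]{64})$")


def parse_sha256_list(text):
    """Map file name -> expected digest for every well-formed line."""
    sums = {}
    for line in text.splitlines():
        match = _LINE.match(line.strip())
        if match:
            sums[match.group(1)] = match.group(2)
    return sums


def sha256_file(path):
    """Hash a file in 1 MiB chunks so large images are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_downloads(directory, sums, wanted):
    """Return {name: status}; anything other than "ok" means do not install."""
    status = {}
    for name in wanted:
        path = os.path.join(directory, name)
        if name not in sums:
            status[name] = "not in SHA256 list"
        elif not os.path.isfile(path):
            status[name] = "not downloaded"
        elif hmac.compare_digest(sha256_file(path), sums[name]):
            status[name] = "ok"
        else:
            status[name] = "MISMATCH"
    return status


def demo():
    """Run the check over constructed stand-ins for the amd64 files."""
    files = {
        "INSTALL.amd64": b"constructed install notes\n",
        "install72.iso": b"constructed image bytes\n",
    }
    listing = "".join(
        f"SHA256 ({name}) = {hashlib.sha256(data).hexdigest()}\n"
        for name, data in files.items()
    )
    with tempfile.TemporaryDirectory() as directory:
        for name, data in files.items():
            with open(os.path.join(directory, name), "wb") as handle:
                handle.write(data)
        # Simulate a corrupted download of the image.
        with open(os.path.join(directory, "install72.iso"), "ab") as handle:
            handle.write(b"extra")
        sums = parse_sha256_list(listing)
        return check_downloads(
            directory, sums, ["INSTALL.amd64", "install72.iso", "install72.img"]
        )


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A matching digest only shows the file agrees with the list; the list is trustworthy only after its signature in SHA256.sig has been verified against the release public key.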
------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------
X.Org has been integrated more closely into the system. This release contains X.Org 7.7. Most of our architectures ship with X.Org, including amd64, sparc64 and macppc. During installation, you can install X.Org quite easily using xenodm(1), our simplified X11 display manager forked from xdm(1).
------------------------------------------------------------------------
- PACKAGES AND PORTS ---------------------------------------------------
Many third party software applications have been ported to OpenBSD and can be installed as pre-compiled binary packages on the various OpenBSD architectures. Please see https://www.openbsd.org/faq/faq15.html for more information on working with packages and ports.
Note: a few popular ports, e.g., NSD, Unbound, and several X applications, come standard with OpenBSD and do not need to be installed separately.
------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------
The source code for all four subsystems can be found in the pub/OpenBSD/7.2/ directory:
xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz
The README (https://ftp.OpenBSD.org/pub/OpenBSD/7.2/README) file explains how to deal with these source files.
------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------
Ports tree and package building by Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Visa Hankala, Stuart Henderson, Peter Hessler, George Koehler, Kurt Mosiejczuk, and Christian Weisgerber. Base and X system builds by Kenji Aoyama, Theo de Raadt, and Miod Vallat. Release art contributed by Jon Chad.
We would like to thank all of the people who sent in bug reports, bug fixes, donation cheques, and hardware that we use. We would also like to thank those who bought our previous CD sets. Those who did not support us financially have still helped us with our goal of improving the quality of the software.
Our developers are:
Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall, Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov, Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot, Anton Lindqvist, Asou Masato, Ayaka Koshibe, Benoit Lecocq, Bjorn Ketelaars, Bob Beck, Brandon Mercer, Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar, Caspar Schutijser, Charlene Wendling, Charles Longeau, Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann, Claudio Jeker, Dale Rahn, Damien Miller, Daniel Dickman, Daniel Jakots, Darren Tucker, Dave Voutila, David Coppa, David Gwynne, David Hill, Denis Fondras, Edd Barrett, Elias M. Mariani, Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus, George Koehler, Gerhard Roth, Giannis Tsaraias, Gilles Chehade, Giovanni Bechis, Gleydson Soares, Gonzalo L. Rodriguez, Greg Steuck, Helg Bredow, Henning Brauer, Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze, Inoguchi Kinichiro, James Hastings, James Turner, Jan Klemkow, Jason McIntyre, Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans, Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani, Jonathan Gray, Jonathan Matthew, Jordan Hargrave, Joris Vink, Joshua Stein, Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama, Kenneth R Westerback, Kent R. 
Spillner, Kevin Lo, Kirill Bychkov, Klemens Nanni, Kurt Miller, Kurt Mosiejczuk, Landry Breuil, Lawrence Teo, Lucas Raab, Marc Espie, Marcus Glocker, Mark Kettenis, Mark Lumsden, Markus Friedl, Martijn van Duren, Martin Natano, Martin Pieuchot, Martin Reindl, Martynas Venckus, Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Mikonos, Mike Belopuhov, Mike Larkin, Miod Vallat, Moritz Buhl, Nam Nguyen, Nayden Markatchev, Nicholas Marriott, Nigel Taylor, Okan Demirmen, Omar Polo, Ori Bernstein, Otto Moerbeek, Paco Esteban, Pamela Mosiejczuk, Pascal Stumpf, Patrick Wildt, Paul Irofti, Pavel Korovin, Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas, Rafael Sadowski, Rafael Zalamena, Raphael Graf, Remi Locherer, Remi Pointel, Renato Westphal, Ricardo Mestre, Richard Procter, Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha, Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie, Solene Rapenne, Stefan Fritsch, Stefan Hagen, Stefan Kempf, Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler, Theo de Raadt, Thomas Frohwein, Tim van der Molen, Tobias Heider, Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove, Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov, Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Yasuoka Masahiko, Yojiro Uo

The Document Foundation announced today the general availability of LibreOffice 26.2.1 as the first maintenance update to the latest LibreOffice 26.2 office suite series with various bug fixes.
Today in Techrights
Some of the latest articles
Latest Steam Client Update Improves Support for Proton Games on Linux
Valve released a new stable Steam Client update today, which brings a few interesting new features related to their hardware surveys and Steam user reviews, as well as improvements for Proton games on Linux, and other changes.
Android Leftovers
I've used Tor browser for years, but now I'm using it on my Android phone - here's why
Reclaiming Freedom: Who Holds Veto Over Your Data Stack
Stallman understood that software freedom isn’t about ideology, but more about who has veto power over your work
HandBrake Released 1.11.0 with DNxHR & ProRes Encoders (Ubuntu PPA)
HandBrake, the popular free open-source video transcoder for Linux, Windows, and macOS, released a new 1.11.0 version today
Free and Open Source Software
This is free and open source software
Kdenlive 25.12.3 released
The last maintenance release of the 25.12 series is out with the usual batch of stability fixes and workflow improvements
Women in My Life [original]
On this planet we are compelled to coexist with some really monstrous men
Free, Libre, and Open Source Software Leftovers
FOSS news for today
Leftovers Regarding the Web and the Net
inc. Spartan
Programming Leftovers
Development blurbs
GNU/Linux Leftovers
and some Red Hat news
BSD: BSDCan Registration is Open and a Look at OpenBSD
BSD news
Free/Open Hardware, Linux Boards, and GNU/Linux Phone for EU
gadgets and more
Barry Kauler's Latest Updates on EasyOS and Other Projects
3 Barry Kauler updates
Applications: Resources 1.10.2, Concessio, HandBrake 1.11, and GoPlaying
Application-related news
today's howtos
mostly idroot for today
"Attestation" Mandated in US If American Politicians Get Their Way
Linux also
The New Digital Literacy
Once upon a time winning arguments was considered important
Videos and Shows About GNU/Linux From Recent Weeks
Various picks via Invidious
today's howtos
a handful of howtos
Most secure GNU/Linux distros and latest bulletin from DistroWatch
a couple of distro walkthroughs
Weekly GNU-like Mobile Linux Update and GNU/Linux on Small Devices
a weekly outline and new project
This Week in Plasma: Polish and Stability
This was another week of focusing on bug-fixing and UI polishing
Customizing your Linux desktop is a waste of time: Here's a better way to get what you want
Linux is famously customizable, and when you hear its perks discussed
Even after 10 years of using Linux, these 3 distros still scare me (and they’re not Arch)
Arch Linux has a reputation for being brutally hard to install and maintain
Free and Open Source Software
This is free and open source software
Review: Quick looks at three Linux distributions
This week though I found myself curious about small aspects of three separate projects and decided to share what I learned
Participation Required a Microsoft License — Until Citizens Pushed Back
Ironically, when the EU asked for feedback on new tech rules, it locked the process to dear old Microsoft. A fast, focused campaign forced officials to add an open format instead.
Today in Techrights
Some of the latest articles
Sloppyleft: Dealing With Plagiarism by Slop [original]
Article by Alexandre Oliva
9to5Linux Weekly Roundup: March 8th, 2026
The 282nd installment of the 9to5Linux Weekly Roundup is here for the week ending March 8th, 2026.