Tux Machines

Do you waddle the waddle?

Other Sites

LinuxGizmos.com

Renesas Releases Dual-Band Wi-Fi 6 and Bluetooth LE MCUs on Cortex-M33 Architecture

The MCUs are based on an Arm Cortex-M33 CPU running at 160 MHz and equipped with 704 KB of SRAM. This configuration enables them to operate as standalone processors for cost-sensitive IoT endpoints while still supporting use as wireless co-processors when paired with other RA-series microcontrollers.

Muzi Unveils Launches Modular BASE Board System for Meshtastic Mesh Networking

The Base Uno and Base Duo share a common architecture built around Nordic’s nRF52840 microcontroller, a device frequently used in Meshtastic hardware for its low power consumption and integrated Bluetooth Low Energy support.

Tor Project blog

New Release: Tails 7.3.1

For more details, read our changelog.

9to5Linux

Grml 2025.12 Linux Distro Is Out Based on Debian Forky and Linux Kernel 6.17

Powered by Linux kernel 6.17 and based on Debian Testing/Forky repositories as of December 11th, 2025, the Grml 2025.12 (codename Postwurfsendung) release updates the grml-live build system for creating Grml (based) Linux live systems with a new TOR class, support for the grml-desktop package, and Debian Bookworm as the minimum host OS.

KDE Frameworks 6.21 Adds Support for Nim Code Files to the Breeze Icon Theme

KDE Frameworks 6.21 updates file transfer notifications to fall back to file-based progress display when size-based progress display isn’t available, adds support for Nim code files to the Breeze icon theme, and adds a new icon to the Fifteen Puzzle widget, along with a symbolic icon when placed on a panel.

Kali Linux 2025.4 Ethical Hacking Distro Released with KDE Plasma 6.5, GNOME 49

Coming almost three months after Kali Linux 2025.3, the Kali Linux 2025.4 release updates the GNOME and KDE Plasma desktop offerings to the latest GNOME 49 and KDE Plasma 6.5 releases, in addition to Xfce 4.20, which remains the default desktop environment.

pearOS Is Back, Now Based on Arch Linux and Featuring the KDE Plasma Desktop

French developer David Tavares initially created Pear OS back in 2011, based on Ubuntu and featuring the GNOME 3 desktop environment. The initial release, Pear OS 3, was based on Ubuntu 11.10 (Oneiric Ocelot) operating system and shipped with Linux kernel 3.0.

System76 Launches First Stable Release of COSMIC Desktop and Pop!_OS 24.04 LTS

Based on the Ubuntu 24.04 LTS (Noble Numbat) operating system series, Pop!_OS 24.04 LTS ships with the brand-new COSMIC desktop environment written in the Rust programming language, designed and developed by System76 for all GNU/Linux distributions.

NVIDIA 580.119.02 Linux Graphics Driver Released with Various Bug Fixes

NVIDIA 580.119.02 is here to fix a bug that caused display corruption on LG Ultragear monitors when using certain modes, a bug that caused corruption in the X-Plane video game on workstation NVIDIA GPUs, and a regression from NVIDIA 580.65.06 that caused mode timings like 1920×1080@75 to no longer be available.

KDE Gear 25.12 Software Suite Released with Many Improvements for KDE Apps

KDE Gear 25.12 improves the Dolphin file manager so that trashed temporary folders no longer end up in your home trash bin, along with support for hiding files and folders from the Dolphin context menu, and updates the Itinerary travel assistant with more extractors for railway companies, events, and more.

Tails 7.3.1 Anonymous Linux OS Released with Tor Browser 15.0.3 and Tor 0.4.8.21

Coming a month after Tails 7.2, the Tails 7.3.1 release updates the default web browser to the latest Tor Browser 15.0.3, a major update based on Mozilla Firefox 140 ESR that introduces exciting features like support for vertical tabs and tab groups, as well as a new unified search button in the address bar.

Raspberry Pi Imager 2.0.2 Adds Support for Multiple SSH Keys, Direct I/O Bypass

You would think that Raspberry Pi Imager 2.0.2 is a small update that fixes some bugs and other issues discovered in the initial Raspberry Pi Imager 2.0 release, but, in fact, it’s a huge release adding lots of new features like direct I/O bypass to reduce memory pressure during writes.

OpenBSD 7.2 released (UPDATEDx3)

posted by Roy Schestowitz on Oct 20, 2022,
updated Oct 29, 2022

------------------------------------------------------------------------
- OpenBSD 7.2 RELEASED -------------------------------------------------


October 20, 2022.


We are pleased to announce the official release of OpenBSD 7.2.
This is our 53rd release.  We remain proud of OpenBSD's record of more
than twenty years with only two remote holes in the default install.


As in our previous releases, 7.2 provides significant improvements,
including new features, in nearly all areas of the system:


 - New/extended platforms:
    o Added support for Ampere Altra
    o Added support for Apple M2
    o Added support for Lenovo ThinkPad x13s and other machines using
      the Qualcomm Snapdragon 8cx Gen 3 (SC8280XP) SoC.


 - Various kernel improvements:
    o Allowed bsd.rd and bsd/bsd.mp to boot on Oracle Cloud amd64
      instances.
    o Added support for switching from glass console to serial console
      on arm64 systems that default to glass console.
    o pf(4) automatically allows IGMP and ICMP6 MLD packets with the
      router alert option. Special allow-opts rules are no longer needed
      for multicast discovery.
    o Fixed a pf(4) NULL dereference panic triggered by relayd(8).
    o Implement "show all routes" to print routing tables in ddb(4).
    o Added a method (ESC D) to enter ddb(4) on serial drivers that do
      not have a true BREAK mechanism.
    o Added "show all routes" and the ability to show individual routes
      (e.g. "show route 0xfffffd807e9b0000") to ddb(4).
    o Added a "show swap" command to ddb(4) to help debugging.
    o Count dropped network packets due to low memory in netstat(1).
    o Simplified machine command handling in ddb(4).
    o Changed to a simpler formula to calculate a default kern.maxthread
      value: 2*NPROCESS.
    o Enabled kstat(4), a device that exports kernel statistics that can
      be read by kstat(1).
    o Added CPU frequency sensors for each core on CPUs that have
      MPERF/APERF support.
    o Merged the UVM swap-backed and object-backed inactive page lists.
    o Fixed rwlock(9) implementation to be fair to writers. Previously,
      readers could grab the lock even if writers were waiting first.
    o Made the CPU frequency scaling duration relative to the load when
      in automatic mode on battery.
    o Fixed luna88k MULTIPROCESSOR kernels booting with CPU modules
      installed in arbitrary slots.
    o Added a missing kqueue(2) wakeup, found by a Go testcase hang.
    o Bumped the maximum number of supported CPUs to 256 on arm64.
    o Ensure uvm_swap_io() can succeed, even in out of memory
      situations, by reserving a second segment for the page daemon.
    o Ensured progress in the swapper by pre-allocating pages in a
      DMA-reachable region.
    o Made the page daemon consider pmemrange regions when trying to
      free pages from the inactive list. Previously the page daemon
      could use a lot of CPU without freeing a page because the global
      limits were satisfied.
    o Ensured that uvm_swap_get() will always sleep rather than
      returning an error. Previously an error could be returned to the
      fault handler which would result in processes dying when a system
      was under a lot of memory pressure.
    o Added support for using non-standard UARTs (such as the Synopsys
      DesignWare UART) as an early console.
    o Remove NexGen CPU identification code as the kernel cannot run on
      these CPUs anyway.
    o Remove Rise CPU identification code.
    o Dropped detection code for 386sx/386dx CPUs. OpenBSD/i386 hasn't
      actually supported running on either for some time.
    o Dropped detection code for Cyrix CPUs older than the Cyrix M2.
    o Implemented the fundamentals for suspend/resume on arm64.
    o Simplified TSC synchronization testing on amd64.
    o Corrected sparc64 ofwboot to default to the softraid(4) volume on
      the boot device to make root on softraid work out of the box on
      sparc64 and be more consistent with softraid boot on other
      architectures.
    o Removed the obsolete kern.nselcoll sysctl(2).
    o Changed mips64, octeon, and loongson to trigger deferred clock
      interrupts from splx(9). This isolates the clock interrupt
      schedule from the MD clock interrupt code.
    o Fixed a potential kernel panic when an msdos partition is out of
      space by fixing instances where msdosfs passed a NULL proc pointer
      to detrunc().
    o Add a delay_init() function that helps on i386 and amd64
      architectures in setting up delay_func for different timers and
      switching between them depending on their quality properties. This
      improves how timers backing delay(9) are managed.


 - SMP Improvements
    o Make route timer MP safe and use rttimer pool.
    o Use kernel lock to protect parts of ARP, ND6 and PPPoE that are
      not MP safe. Lookup of existing ARP entries is MP safe and can run
      in parallel.
    o Start up to 4 softnet tasks to run IP input and forwarding in
      parallel on multiple cores.
    o Run IPv4 packet reassembly in parallel.
    o Run IPv6 hop-by-hop options processing in parallel.
    o Add a mutex to rate limiting functions to make them MP safe.
    o Introduce mutex and reference counter for internet protocol
      control block.
    o Protect UDP, raw IP, and divert packet input routines with a
      per-socket mutex.
    o Protect recv(2) system call for UDP and raw IP packets with a
      per-socket mutex and shared netlock. Allows to receive packets
      while forwarding in parallel.
    o Protect multicast deliver loop for UDP and raw IP sockets with
      rwlock.
    o Only grab netlock in IGMP and MLD timer when necessary.
    o TCP slow timer runs without netlock.
    o Rework rwlock so that a writer will get the lock eventually.
      Readers cannot share the lock forever. This prevents starvation of
      the writer.
    o Run interface media ioctl with shared netlock so packets can be
      processed while running ifconfig(8).
    o btrace(8) can be used to debug reference counting.
    o Use MP safe refcount for interface addresses.
    o Unlocked kbind(2).
    o Unlocked the pledge(2) system call.
    o Made UNIX domain sockets locking per-socket rather than coarse
      locking of the entire domain sockets layer.


 - Direct Rendering Manager and graphics drivers
    o Updated drm(4) to Linux 5.15.69
    o inteldrm(4): support for Alder Lake, Raptor Lake
    o Reimplemented the TTM page allocation code using bus_dma(9) APIs
      to make sure DMA addresses are translated properly on
      architectures with an IOMMU. This fixed amdgpu(4) and radeondrm(4)
      on powerpc64, sparc64, and arm64 machines with SMMU.
    o Implemented support for framebuffers that don't start on a page
      boundary (like those on the 2021 14" and 16" MacBook Pro).
    o Added handling for framebuffers where the first pixel isn't
      page-aligned to wsfb(4).
    o Fixed Xorg(1) when using the luna88k 1bpp framebuffer hardware.


 - VMM/VMD improvements
    o Improved error handling and logging in vmd(8)
    o Unify all internal structures and interfaces between vmd(8),
      vmctl(8) and vmm(4) to use bytes for memory and disk sizes.
    o Fix rebooting a received VM in vmd(8).
    o Have vmd(8) provide a copy of bios at 4g boundary. SeaBIOS and
      newer Linux kernels expect it there.
    o In vmd(8), fix off by one in VM memory range check.
    o In vmd(8), add support for MMIO assist. In vmm(4), send all port
      I/O emulation to userland.
    o Have vmd(8) compute i8254 read-back command latch from singular
      timestamp.
    o Improve the command line parsing in vmctl(8).
    o Let vmm(4) allow reading MSR_TSC on Intel hosts.
    o In vmm(4), reference count VMs and VCPUs.
    o In vmm(4), zero virtual addresses of VCPU state pages after
      freeing.
    o Fix `vmctl send` on Intel hosts by load the vmcs before reading
      VCPU registers in vmm(4).
    o Fix `vmctl receive` on Intel hosts by adding an additional fault
      type in vmm(4).
    o Add additional dt(4) tracepoints in various vmm(4) codepaths.
    o Add snmpd(8) AgentX support based around VM-MIB (RFC7666).


 - Various new userland features:
    o Replaced rc.d(8) $rcexec variable with an rc_exec function. This
      will require a mechanical change from ${rcexec} to rc_exec in rc.d
      scripts. Kept compatibility to give people a chance to fix their
      custom scripts.
    o Introduced a new daemon_execdir variable to rc.d(8) for changing
      to a specified directory before running rc_exec.
    o Added ts(1), a timestamp utility.
    o Add a new configtest action to rc.d(8) and rcctl(8) to check
      configuration syntax of a daemon.
    o Added forest (-f) mode to ps(1).


 - Various bugfixes and tweaks in userland:
    o Fixed openrsync(1) on sparc64 by eliminating a redundant second
      conversion of the int value from little to host endian.
    o Added connection timeout functionality to openrsync(1) via the
      --contimeout option.
    o Set the default openrsync(1) connection timeout that
      rpki-client(8) uses to 15 seconds.
    o Made use of the fact that repositories are unique objects in
      pkg_add(1) and annotated the quirks repository as cached, allowing
      for a large speed increase.
    o Enabled pkg_add(1) caching by default.
    o Changed the tied algorithm in pkg_add(1) to prevent O(n^2)
      behavior when packages contain several hundred copies of the same
      file.
    o Added a "processing" message for when pkg_add(1) is transferring
      data to inform the user that pkg_add is still working.
    o Added missing uuid_dec_le() to init_gp() so fdisk(8) -A works on
      big-endian architectures.
    o Aligned fdisk(8) logic with that used in the kernel to allow the
      protective EFI GPT partition to be in MBR partitions 0-3, not just
      0.
    o Prevented use of "-u" when fdisk(8) is operating on GPT formatted
      disks.
    o Stopped telling fdisk(8) that macppc HAS_MBR.
    o Made fdisk(8) reject input of excessive length.
    o Fixed an fdisk(8) regression to allow editing an MBR of all
      zeroes.
    o Changed fdisk(8) to restrict user actions if neither GPT nor MBR
      structures can be found on the disk.
    o Made fdisk(8) print a warning when an MBR partition starts or
      extends past the end of the device.
    o Made fdisk(8) print a warning when a GPT partition start or end is
      outside the usable LBA area of the device.
    o Made fdisk(8) display "Microsoft basic data" instead of "FAT12"
      for GPT_UUID_MSDOS partitions.
    o Made fdisk(8) print GPT attributes in verbose output.
    o Made fdisk(8) use the correct GPT bootable attribute bit.
    o Made fdisk(8) not spoof GPT partitions with the attribute
      REQUIRED.
    o Made fdisk(8) ensure GPT headers, table entries and usable area
      don't overlap each other.
    o Installed useful btrace(8) scripts in /usr/share/btrace.
    o Made btrace(8) execute the END probe upon receiving a SIGTERM
      signal.
    o Moved the wait for autoconf interfaces from rc(8) to netstart(8)
      to fix tunnel interfaces that depend on working autoconf
      interfaces.
    o Made netstart(8) create virtual interfaces up front if specified
      on the command line.
    o Changed rc.subr(8) to copy the message to stdout when using
      logger(1) to avoid needing to check syslog when running in debug
      mode.
    o Fixed kbd(8) so it doesn't fail silently when executed by a
      regular user.
    o In the sndio library, added the function sio_flush(3) to stop
      playback immediately. Altered sndiod(8) to wait until the buffer
      is drained before closing the device.
    o Made xterm(1) use a much safer FD-passing idiom for updating
      utmp(5).
    o Prevented a crash in vi(1) when cursor key support is disabled.
    o Updated vi(1) to apply expandtab to the output of a ! command.
    o Made mg(1) automatically delete trailing whitespace on RET in
      c-mode and auto-indent-mode.
    o Made grep(1) provide full context when using match count (-m)
    o Added the --null flag to grep(1) which makes grep print an ASCII
      NUL byte after the file name to make the output unambiguous.
    o Fixed multiple memory leaks in awk(1).
    o Changed compress(1) to print a more accurate message when -v is
      used with -k.
    o Fixed gzip(1) byte counts with 32-bit integers.
    o Fixed the growth check in compress(1) and gzip(1) in cases of
      small files or files with sufficiently random data.
    o Made timeout(1) -s accept HUP like kill(1) and GNU timeout(1) do.
    o Updated capitals and countries in the game quiz(6).
    o Set default sleep value of ico(1) to 10ms.
    o Fixed a bug in cron(8) where it could exit silently if ppoll(2)
      exited. Now it will log to syslog(3) instead of stderr.
    o Added llvm-profdata(1) to base so that ports can benefit from
      profiled builds.
    o Changed rc(8) to only attempt to set the yp(8) domainname if it
      has not been set yet.
    o Raised the "staff" login class data-size-cur on arm64 to be the
      same as that for amd64 in login.conf(5) (1536M).
    o Fixed patch(1) locate-hunk in empty files.
    o Fixed patch(1) in the case of reversing a patch that creates a
      file.
    o Added seconds to the uptime display of top(1).
    o Made putenv(3) return an error if the string starts with the '='
      character. This matches the behavior on FreeBSD and NetBSD.
    o Fixed overflow of the number of errors in renice(8) by setting
      error instead of incrementing it.
    o Removed the "-c" compatibility option from vnconfig(8).
    o Stopped vnconfig(8) from printing the device name on failure.
    o Print a message when ld.so(1) fails inside execve(2) to clarify
      the failure mode when a dynamic executable is run while /usr isn't
      mounted.
    o Improved bioctl(8) RAID level parsing to check numeric levels
      before checking single character levels. This allows recognition
      of RAID 10 as a valid but unsupported level.
    o Fixed installboot(8) messaging when verbose (-v) and dry-run (-n)
      modes are combined with softraid(4).
    o Sped up wc(1) word counting.


 - Improved hardware support and driver bugfixes, including:
    o New aplaudio(4) driver for Apple audio subsystem.
    o New aplmca(4) driver for Apple MCA controller.
    o New aplsart(4) driver for Apple SART address filter.
    o New alpdc, apldchidev, apldckbd, apldcms, and aplrtk drivers for
      keyboard and trackpad on Apple M2 laptops.
    o New qcgpio(4) driver for Qualcomm Snapdragon GPIO controller.
    o New qciic(4) driver for Qualcomm Snapdragon GENI I2C controller.
    o New sfgpio(4) driver for SiFive GPIO controller.
    o New stfclock(4) driver for StarFive JH7100 clock controller.
    o New stfpinctrl(4) driver for StarFive JH7100 pin configuration.
    o New stftemp driver for StarFive JH7100 temperature sensor.
    o New sxirintc(4) driver for Allwinner wakeup interrupt controller.
    o New gpiorestart driver for system reset via GPIO pin.
    o Added support for more power sensors to ipmi(4).
    o Added support for the ehci(4) controller on Marvell 3720 boards.
    o Extended ksmn(4) to show CCD temperatures if available.
    o Fixed missing interrupts for trackpads on some machines after
      resume by making sure amdgpio(4) restores pin configuration on
      resume.
    o Added FIFO support and allow baud rate changes to pluart(4).
    o Added support for the Synopsys DesignWare UART found on the Ryzen
      Embedded V1000 SoCs to com(4).
    o Added xhci(4) support for the dual role controllers integrated on
      the Qualcomm Snapdragon 8cx gen 3 SoC.
    o Added support for using the power button to wake up from suspend
      to axppmic(4).
    o Modified pms(4) to discard relative movement packets outside of
      the [-127, 127] range to prevent cursor jumps when using the
      trackpoint on some Lenovo laptops.
    o Allowed spdmem(4) to attach to gdiumiic(4).
    o Make spdmem(4) attach on 2F-based loongson systems.
    o Added power button support to aplsmc(4).
    o Changed the mfii(4) RAID controller driver to allow the firmware
      more time to transition out of the UNDEFINED state.
    o Added Wacom One S (CTL-472) support to uwacom(4).


 - New or improved network hardware support:
    o Increased rx buffer size on uaq(4) to 62kB.
    o Repaired rge(4) hardware VLAN tagging.
    o Provide statistics via kstats for mvneta(4).
    o Enabled aq(4) on arm64.
    o Implemented and enabled IPv4, TCP, and UDP checksum offloading for
      igc(4).
    o Fixed a panic triggered by ifconfig bnxt0 down by changing bnxt(4)
      devices to not run rx and tx interrupt handlers when the interface
      is not running.
    o Introduced Large Receive Offloading of TCP segment offloading in
      ix(4). Also added a tso option to ifconfig(8) to enable and
      disable this feature.


 - Added or improved wireless network drivers:
    o Made device matching in iwx(4) more similar to Linux iwlwifi in
      order to recognize more devices.
    o Added support for AX210/AX211 devices to iwx(4).
    o Fixed iwx(4) setting of HT/VHT bits in rate flags of the Tx
      command that could cause a firmware panic.
    o Added handling of 9k devices which do not support antenna B to
      iwm(4).
    o Fixed bwfm(4) ifconfig media display on devices with sta_info
      command version 3.
    o Fixed a bwfm(4) crash during USB detach.
    o Fixed detection of the Rx data rate on rtl8192eu urtwn(4) devices.
    o Fixed integer overflows in the iwm(4) and iwx(4) firmware file
      parsers.


 - IEEE 802.11 wireless stack improvements and bugfixes:
    o Make sure drivers initialize all of ieee80211_rxinfo struct.


 - Installer, upgrade and bootloader improvements:
    o Fixed the watchdog in the installer so that it is reset after each
      download and each set installation.
    o Ensured that running sysupgrade(8) on -stable will move to the
      next release, not -current.
    o Added the -b option to sysupgrade(8) to set an alternative base
      directory to which the installation files will be downloaded.
    o Increased the disklabel(8) auto partitioner's maximum size for
      /usr to 30G.
    o Altered installer behavior so the vlan(4) question won't be asked
      unless another network interface exists.
    o Added support for wildcards in fw_update(8) patterns.
    o Added support for booting from RAID 1C softraid(4) volumes on
      amd64, sparc64 and arm64.
    o Added NFS client support to the luna88k RAMDISK kernel.
    o Made the EFI bootloader provide the extra parameters necessary to
      use non-standard UARTs on the AMD Ryzen Embedded V1000 SoCs as
      console.
    o Switched bootloaders to the extended BOOTARG_CONSDEV struct.
    o Added UFS2 support to landisk boot blocks.


 - Security improvements:
    o Implemented privilege separation in xlock(1).
    o Added privilege separation to snmpd(8).
    o The TZ environment variable no longer supports absolute paths, to
      fit better into the pledge(2) bypass model.
    o AF_UNIX socket bind(2) and connect(2) now follow unveil(2)
      configuration.
    o New ypconnect(2) system call creates a socket based upon the IP
      address encoded directly in a locked ypbinding file, thereby
      removing a horrible hack to support YP lookups in programs using
      strong pledge(2) rules.
    o Processes that pledge("vminfo") may now use the read-only
      swapctl(2) operations SWAP_NSWAP and SWAP_STATS providing
      information on swap devices.
    o Randomized the rekey interval of arc4random(3).
    o Reduce the attack surface by introducing a 'local bind' mode to
      ypldap(8). In this mode ypldap binds its RPC sockets to loopback,
      so YP services are only available to the host it's running on.
      ypldap writes the YP binding file in /var/yp/binding itself and
      replaces ypbind(8) and ypserv(8). This also implies that
      portmap(8) doesn't need to be running anymore when local bind mode
      is used.
    o Changed the /sbin daemons dhcpleased(8), mountd(8), nfsd(8),
      pflogd(8), resolvd(8), slaacd(8), and unwind(8) to be dynamically
      linked to allow them to benefit from all the additional
      mitigations that dynamically linked executables gain. NFS mounting
      of /usr must now use statically configured IP addresses.


 - Changes in the network stack:
    o Added the recvmmsg(2) system call that allows receiving multiple
      msghdrs at once, and the sendmmsg syscall that allows sending
      multiple msghdrs at once.
    o Relaxed address availability check for multicast(4) binds so
      processes listening for the same multicast address do not need to
      be the same UID.
    o Introduced dedicated link entries for snapshots to pfsync(4).
    o Changed pf(4) handling of IGMP and ICMP6 MLD packets to allow
      multicast control packets to work by default.
    o Made pf(4) more paranoid about IGMP/MLD messages.
    o Fixed a logic bug in pf_find_state() that could cause pf(4) to
      incorrectly block a packet.
    o Fixed pf(4) syncookies during fast TCP port reuse.
    o Fixed a bug in pf(4) where a pool defined like "172.16.0.0/16"
      would count as a pool size of one address. Also fixed random
      selection of source address to be uniform across the whole pool.
    o Fixed a kernel panic in pf(4) if IP options with an ICMP payload
      were truncated. Such packets will now be dropped instead.
    o Allow forwarding to and from IPs in the 240/4 range.
    o Corrected the Virtual Ethernet Bridge veb(4) to avoid calling
      if_enqueue from an smr critical section.
    o Reworked the kroute rttimer code to fix icmp_pmtu_timeout crashes.
    o Fixed an interrupt storm upon suspend on Amlogic arm64 boards.
    o Fixed a race between pflow_output_process() and
      pflow_clone_destroy() in pflow(4).
    o Added a missing input validation step to pipex(4) MPPE keylenbits.


 - Routing daemons and other userland network improvements:
    o IPsec support was improved:
       - Made iked(8) ignore any CERT payload after the first rather
         than failing the exchange when more than one CERT payload is
         received.
       - Added iked(8) support for sending certificate chains with
         intermediate CAs in multiple CERT payloads.
       - Added an OpenIKED Vendor ID payload in the iked(8) initial
         handshake to make it easier to handle interoperability
         problems with older versions in the future.
       - Added iked(8) connection statistics for successful and failed
         connections, error types, and other events that can be
         printed with "ikectl show stats".
    o In bgpd(8),
       - Implement max-communities filter to limit the number of
         allowed communities, ext-communities and large-communities.
       - Fix insertion of additional non-transitive extended
         communities when sending out prefixes.
       - Relax IP address limitation by allowing prefixes in 240/4.
       - Implement RFC 9234 - Route Leak Prevention and Detection
         Using Roles in UPDATE and OPEN Messages.
       - Full support for RFC 7911 - Advertisement of Multiple Paths
         in BGP (ADD-PATH).
       - Improve FIB code, handle IPv6 scoped addresses properly.
       - Add bgplgd(8), a FastCGI server providing a REST API to
         execute bgpctl(8) commands.
       - Bugfix: bgpd(8) could fail to invalidate nexthops and
         incorrectly leave them in the FIB or Adj-RIB-Out.
       - Speedup bgpctl show rib 10/8 or-longer and show rib 10/8
         or-shorter
       - Switch various static hash tables to RB trees improving
         performance on large systems
       - Export per neighbor pending update and withdraw statistics
       - Fix race between a neighbor session reset and its update
         message backlog
       - Improve handling of nexthop reachability state changes
       - Made sure only one bgpd(8) roa softreconfig runner is run at
         any time.
    o rpki-client(8) saw some changes:
       - Allowed more than one CRL URI in certificates.
       - Do not apply timezone offsets when converting X509 times.
         X509 times are in UTC and comparing them to times in
         different timezones would cause validity problems.
       - Add support for an operator-configurable skiplist facility.
         Operators can specify a list of FQDNs which should not be
         contacted when synchronizing the local cache to the network.
       - Emit a warning when a RRDP session serial number decreases.
       - DER decoding functions were refactored to leverage ASN.1
         templates.
       - Add support to validate & inspect .sig files containing RPKI
         Signed Checklists in filemode (-f).
         (draft-ietf-sidrops-rpki-rsc-08)
       - Print various statistics after the completion of the main
         process.
       - Add support to decode & print TAL (RFC 8630) details in
         filemode (-f).
       - Emit objects in Concatenated JSON format when filemode (-f)
         and the JSON output flag (-j) are combined.
       - Add support for validating Autonomous System Provider
         Authorization (ASPA) objects conforming to
         draft-ietf-sidrops-aspa-profile-10. Validated ASPA payloads
         are visible in JSON and filemode (-f) output.
       - Set rsync(1) connection I/O idle timeout to 15 seconds.
       - Unify the maximum idle I/O and connect timeouts for rsync(1)
         & HTTPS.
       - rpki-client(8) now performs stricter EE certificate
         validation:
          o Disallow AS Resources extensions in ROA EE certificates.
          o Disallow Subject Information Access (SIA) extensions in
            RPKI Signed Checklist (RSC) EE certs.
          o Check the resources in ROAs and RSCs against EE certs.
       - Improve readability and add various information being printed
         in verbose mode.
       - Extend filemode (-f) output and print X.509 certificates in
         PEM format when increased verbosity (-vv) is specified.
       - Shorten the RRDP I/O idle timeout.
       - Introduce a deadline timer that aborts all repository
         synchronization after seven eights of timeout (-s). With this
         rpki-client has improved chances to complete and produce an
         output even when a CA is excessively slow.
       - Abort a currently running RRDP request process when the
         per-repository timeout is reached.
       - Permit multiple AccessDescription entries in SIA X.509
         extensions. While fetching from secondary locations is not
         yet supported, rpki-client will not treat occurrence as a
         fatal error.
       - Resolve a potential for a race condition in non-atomic RRDP
         deltas.
       - Fix some memory leaks.
       - Improve compliance with the HTTP protocol specification.
    o In snmpd(8),
       - Allow object names to be used in addition to OIDs in
         snmpd.conf(5).
       - Better type hinting for debug logging.
       - Introduce a blocklist feature, which removes subtrees from
         view.
       - Reintroduce AgentX master support.
       - Move non-SNMP related metrics to their own AgentX based
         backend.
       - The snmpe process is now pledged stdio recvfd inet unix.
       - Imported snmpd_metrics(8). This allows those who need to use
         net-snmpd the ability to access base snmpd(8) metrics.
    o In ldapd(8), match password schemas case sensitive.
    o In ospfd(8), relax the limitations on what is an acceptable
      unicast IP. There are no more experiments in IPv4 and so there is
      less reason for network daemons to deny formerly experimental IP
      space. Multicast IPs (224/4) and loopback (127/8) are still
      disallowed.
    o Added check to acme-client(1) to ensure the challenge token is
      turned into a filename that is base64url encoded.
    o Added RFC 9234 "BGP Role" support to tcpdump(8)
    o Have tcpdump(8) print ASnumbers in 'asplain' format instead of the
      old 'asdot' format.
    o Fixed a crash in libpcap when it would walk off the end of the
      array performing frees.
    o Made -X connect SOCKS work with IPv6 addresses in nc(1).
    o Introduced a blocklist backend and keyword to snmpd(8), this
      deprecates filter-pf-addresses.
    o Changed dhclient(8) to defer to dhcpleased(8) by doing execve
      ifconfig and providing syslog warnings about deprecated options.
    o Implemented dig(1) support for SVCB and HTTPS record types.
    o Made resolvd(8) write /etc/resolv.conf in a more atomic manner.
    o Added a slowcgi(8) -t flag to change the request timeout.
    o Corrected handling of an abnormal FastCGI termination in httpd(8).
    o Made newer MIME type definitions take precedence over existing
      ones in httpd(8).
    o Moved the relayd(8) daemon(3) call to just before forking the
      children so the parent disassociates from its controlling terminal
      and shell, but not from its children.
    o Changed ftp(1) to use non-blocking connect(2) with ppoll(2) and
      timeout instead of alarm(3). This allows failing over to another
      IP address for hosts that have more than one.


 - tmux(1) improvements and bug fixes:
    o Added an ACL list for multiple users attaching to the tmux(1)
      socket.
    o Ensured cursor remains on selected item on menu.
    o Added support for OSC 8 hyperlinks.
    o Added support for hyperlinks with capture-pane -e and a
      mouse_hyperlink format.
    o Added an "all" state to allow-passthrough to work even in
      invisible panes.
    o Fixed a crash when searching for .* with extremely long lines.
    o Added vi(1) Home/End bindings.
    o Added a Nobr terminfo capability to tell tmux(1) the terminal does
      not use bright colors for bold.
    o Added a notification when a paste buffer is deleted.
    o Fixed window size reporting.


 - LibreSSL version 3.6.0
    o New features
       - EVP API for HKDF ported from OpenSSL and subsequently cleaned
         up.
       - The security level API
         (SSL_{,CTX}_{get,set}_security_level()) is now available.
         Callbacks and ex_data are not supported. Sane software will
         not be using this.
       - Experimental support for the BoringSSL QUIC API.
       - Add initial support for TS ESSCertIDv2 verification.
       - LibreSSL now uses the Baillie-PSW primality test instead of
         Miller-Rabin.
    o Compatibility changes
       - The ASN.1 time parser has been refactored and rewritten using
         CBS. It has been made stricter in that it now enforces the
         rules from RFC 5280.
       - ASN1_AFLG_BROKEN was removed.
       - Error check tls_session_secret_cb() like OpenSSL.
       - Added ASN1_INTEGER_{get,set}_{u,}int64()
       - Move leaf certificate checks to the last thing after chain
         validation.
       - Added -s option to openssl(1) ciphers that only shows the
         ciphers supported by the specified protocol.
       - Use TLS_client_method(3) instead of TLSv1_client_method(3) in
         the openssl(1) ciphers command.
       - Validate the protocols in SSL{_CTX,}_set_alpn_protos().
       - Made TS and PKCS12 opaque.
       - Per RFC 7292, safeContentsBag is a SEQUENCE OF, not a SET OF.
       - Align PKCS12_key_gen_uni() with OpenSSL
       - Various PKCS12 and TS accessors were added. In particular,
         the TS_RESP_CTX_set_time_cb() function was added back.
       - Allow a NULL header in PEM_write{,_bio}()
       - Allow empty attribute sets in CSRs.
       - Adjust signatures of BIO_ctrl functions.
       - Provide additional defines for EVP AEAD.
       - Provide OPENSSL_cleanup().
       - Make BIO_info_cb() identical to bio_info_cb().
    o Bug fixes
       - Avoid use of uninitialized in BN_mod_exp_recp().
       - Fix X509_get_extension_flags() by ensuring that
         EXFLAG_INVALID is set on X509_get_purpose() failure.
       - Fix HMAC() with NULL key.
       - Add ERR_load_{COMP,CT,KDF}_strings() to
         ERR_load_crypto_strings().
       - Avoid strict aliasing violations in BN_nist_mod_*().
       - Do not return X509_V_ERR_UNSPECIFIED from X509_check_ca(). No
         return value of X509_check_ca() indicates failure.
         Application code should therefore issue a checked call to
         X509_check_purpose() before calling X509_check_ca().
       - Rewrite and fix X509v3_asid_subset() to avoid segfaults on
         some valid input.
       - Call the ASN1_OP_D2I_PRE callback after ASN1_item_ex_new().
       - Fix d2i_ASN1_OBJECT to advance the *der_in pointer correctly.
       - Avoid use of uninitialized in ASN1_STRING_to_UTF8().
       - Do not pass uninitialized pointer to ASN1_STRING_to_UTF8().
       - Do not refuse valid IPv6 addresses in nc(1)'s HTTP CONNECT
         proxy.
       - Do not reject primes in trial divisions.
       - Error out on negative shifts in BN_{r,l}shift() instead of
         accessing arrays out of bounds.
       - Fix URI name constraints, allow for URIs with no host part.
       - Fix the legacy verifier callback behaviour for untrusted
         certs.
       - Correct serfver-side handling of TLSv1.3 key updates.
       - Plug leak in PKCS12_setup_mac().
       - Plug leak in X509V3_add1_i2d().
       - Only print X.509 versions we know about.
       - Avoid signed integer overflow due to unary negation
       - Initialize readbytes in BIO_gets().
       - Plug memory leak in CMS_add_simple_smimecap().
       - Plug memory leak in X509_REQ_print_ex().
       - Check HMAC() return value to avoid a later use of
         uninitialized.
       - Avoid potential NULL dereference in ssl_set_pkey().
       - Check return values in ssl_print_tmp_key().
       - Switch loop bounds from size_t to int in check_hosts().
       - Avoid division by zero if no connection was made in s_time.c.
       - Check sk_SSL_CIPHER_push() return value
       - Avoid out-of-bounds read in ssl_cipher_process_rulestr().
       - Use LONG_MAX as the limit for ciphers with long based APIs.
    o Internal improvements
       - Avoid expensive RFC 3779 checks during cert verification.
       - The templated ASN.1 decoder has been cleaned up, refactored,
         modernized with parts rewritten using CBB and CBS.
       - The ASN.1 time parser has been rewritten.
       - Rewrite and fix ASN1_STRING_to_UTF8().
       - Use asn1_abs_set_unused_bits() rather than inlining it.
       - Simplify ec_asn1_group2curve().
       - First pass at a clean up of ASN1_item_sign_ctx()
       - ssl_txt.c was cleaned up.
       - Internal function arguments and struct member have been
         changed to size_t.
       - Lots of missing error checks of EVP API were added.
       - Clean up and clarify BN_kronecker().
       - Simplify ASN1_INTEGER_cmp()
       - Rewrite ASN1_INTEGER_{get,set}() using CBS and CBB and reuse
         the ASN1_INTEGER functions for ASN1_ENUMERATED.
       - Use ASN1_INTEGER to parse and build {Z,}LONG_it
       - Refactored and cleaned up group (elliptic curve) handling in
         t1_lib.c.
       - Simplify certificate list handling code in the legacy server.
       - Make CBB_finish() fail if *out_data is not NULL.
       - Remove tls_buffer_set_data() and remove/revise callers.
       - Rewrite SSL{_CTX,}_set_alpn_protos() using CBS.
       - Simplify tlsext_supported_groups_server_parse().
       - Remove redundant length checks in tlsext parse functions.
       - Simplify tls13_server_encrypted_extensions_recv().
       - Add read and write support to tls_buffer.
       - Convert TLS transcript from BUF_MEM to tls_buffer.
       - Clear key on exit in PKCS12_gen_mac().
       - Minor fixes in PKCS12_parse().
       - Provide and use a primitive clear function for BIGNUM_it.
       - Use ASN1_INTEGER to encode/decode BIGNUM_it.
       - Add stack frames to AES-NI x86_64 assembly.
       - Use named initialisers for BIGNUMs.
       - Tidy up some of BN_nist_mod_*.
       - Expand BLOCK_CIPHER_* and related macros.
       - Avoid shadowing the cbs function parameter in
         tlsext_alpn_server_parse()
       - Deduplicate peer certificate chain processing code.
       - Make it possible to signal an error from an i2c_* function.
       - Rewrite i2c_ASN1_INTEGER() using CBB/CBS.
       - Remove UINT32_MAX limitation on ChaCha() and
         CRYPTO_chacha_20().
       - Remove bogus length checks from EVP_aead_chacha20_poly1305().
       - Reworked DSA_size() and ECDSA_size().
       - Stop using CBIGNUM_it internal to libcrypto.
       - Provide c2i_ASN1_ENUMERATED_cbs() and call it from
         asn1_c2i_primitive().
       - Ensure ASN.1 types are appropriately encoded.
       - Avoid recycling ASN1_STRINGs when decoding ASN.1.
       - Tidy up asn1_c2i_primitive() slightly.
       - Mechanically expand IMPLEMENT_BLOCK_CIPHER, IMPLEMENT_CFBR,
         BLOCK_CIPHER and the looney M_do_cipher macros.
       - Use correct length for EVP CFB mode ciphers.
       - Provide a version of ssl_msg_callback() that takes a CBS.
       - Use CBS to parse TLS alerts in the legacy stack.
       - Increment the input and output position for EVP AES CFB1.
       - Ensure there is no trailing data for a CCS received by the
         TLSv1.3 stack.
       - Use CBS when procesing a CCS message in the legacy stack.
       - Be stricter with middlebox compatibility mode in the TLSv1.3
         server.


 - OpenSSH 9.1
    o Security
       - ssh-keyscan(1): fix a one-byte overflow in SSH banner
         processing
       - ssh-keygen(1): fix double free() in error path of
         signing/verify code
       - ssh-keysign(8): fix double-free in error path introduced in
         OpenSSH 8.9.
    o Potentially-incompatible changes
       - ssh(1), sshd(8): SetEnv directives in ssh_config and
         sshd_config are now first-match-wins to match other
         directives. Previously if an environment variable was
         multiply specified the last set value would have been used.
       - ssh-keygen(8): ssh-keygen -A (generate all default host key
         types) will no longer generate DSA keys, as these are
         insecure and have not been used by default for some years.
       - ssh(1), sshd(8): add a RequiredRSASize directive to set a
         minimum RSA key length. Keys below this length will be
         ignored for user authentication and for host authentication
         in sshd(8).
         ssh(1) will terminate a connection if the server offers an
         RSA key that falls below this limit, as the SSH protocol does
         not include the ability to retry a failed key exchange
       - sftp-server(8): add a users-groups-by-id@openssh.com
         extension request that allows the client to obtain user/group
         names that correspond to a set of uids/gids.
       - sftp(1): use users-groups-by-id@openssh.com sftp-server
         extension (when available) to fill in user/group names for
         directory listings.
       - sftp-server(8): support the home-directory extension request
         defined in draft-ietf-secsh-filexfer-extensions-00. This
         overlaps a bit with the existing "expand-path@openssh.com",
         but some other clients support it.
       - ssh-keygen(1), sshd(8): allow certificate validity intervals,
         sshsig verification times and authorized_keys expiry-time
         options to accept dates in the UTC time zone in addition to
         the default of interpreting them in the system time zone.
         YYYYMMDD and YYMMDDHHMM[SS] dates/times will be interpreted
         as UTC if suffixed with a 'Z' character.
         Also allow certificate validity intervals to be specified in
         raw seconds-since-epoch as hex value, e.g. -V
         0x1234:0x4567890. This is intended for use by regress tests
         and other tools that call ssh-keygen as part of a CA
         workflow.
       - sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
         /usr/libexec/sftp-server -el debug3.
       - ssh-keygen(1): allow the existing -U (use agent) flag to work
         with -Y sign operations, where it will be interpreted to
         require that the private keys is hosted in an agent.
    o Bugfixes
       - ssh-keygen(1): implement the "verify-required" certificate
         option. This was already documented when support for
         user-verified FIDO keys was added, but the ssh-keygen(1) code
         was missing.
       - ssh-agent(1): hook up the restrict_websafe command-line flag;
         previously the flag was accepted but never actually used.
       - sftp(1): improve filename tab completions: never try to
         complete names to non-existent commands, and better match the
         completion type (local or remote filename) against the
         argument position being completed.
       - ssh-keygen(1), ssh(1), ssh-agent(1): several fixes to FIDO
         key handling, especially relating to keys that request
         user-verification. These should reduce the number of
         unnecessary PIN prompts for keys that support intrinsic user
         verification.
       - ssh-keygen(1): when enrolling a FIDO resident key, check if a
         credential with matching application and user ID strings
         already exists and, if so, prompt the user for confirmation
         before overwriting the credential.
       - sshd(8): improve logging of errors when opening
         authorized_keys files.
       - ssh(1): avoid multiplexing operations that could cause
         SIGPIPE from causing the client to exit early. bz3454
       - ssh_config(5), sshd_config(5): clarify that the RekeyLimit
         directive applies to both transmitted and received data.
       - ssh-keygen(1): avoid double fclose() in error path.
       - sshd(8): log an error if pipe() fails while accepting a
         connection.
       - ssh(1), ssh-keygen(1): fix possible NULL deref when built
         without FIDO support.
       - ssh-keyscan(1): add missing *-sk types to ssh-keyscan
         manpage.
       - sshd(8): ensure that authentication passwords are cleared
         from memory in error paths.
       - ssh(1), ssh-agent(1): avoid possibility of notifier code
         executing kill(-1).
       - ssh_config(5): note that the ProxyJump directive also accepts
         the same tokens as ProxyCommand.
       - scp(1): do not not ftruncate(3) files early when in sftp
         mode. The previous behaviour of unconditionally truncating
         the destination file would cause scp ~/foo localhost: and scp
         localhost:foo ~/ to delete all the contents of their
         destination.
       - ssh-keygen(1): improve error message when ssh-keygen -Y sign
         is unable to load a private key.
       - sftp(1), scp(1): when performing operations that glob(3) a
         remote path, ensure that the implicit working directory used
         to construct that path escapes glob(3) characters. This
         prevents glob characters from being processed in places they
         shouldn't, e.g. cd /tmp/a*/, get *.txt should have the get
         operation treat the path /tmp/a* literally and not attempt to
         expand it.
       - ssh(1), sshd(8): be stricter in which characters will be
         accepted in specifying a mask length; allow only 0-9.
       - ssh-keygen(1): avoid printing hash algorithm twice when
         dumping a KRL.
       - ssh(1), sshd(8): continue running local I/O for open channels
         during SSH transport rekeying. This should make ~-escapes
         work in the client (e.g. to exit) if the connection happened
         to have stalled during a rekey event.
       - ssh(1), sshd(8): avoid potential poll() spin during rekeying
       - Further hardening for sshbuf internals: disallow
         "reparenting" a hierarchical sshbuf and zero the entire
         buffer if reallocation fails.


 - mandoc 1.14.6 plus some new features and many bugfixes, including:
    o Significantly improved accessibility of mandoc(1) -T html and
      man.cgi(8) output by using semantically better HTML elements in
      several places and by adding ARIA and DPUB-ARIA roles and
      aria-label attributes to several HTML elements.
    o Got rid of archaic HTML table markup for header and footer lines
      in favor of flexbox CSS. Rendering now adapts to browser windows
      of arbitrary narrowness.
    o Prevented -T html output from turning breakable hyphens into
      underscores in URI fragment identifiers.
    o Improved the roff(7) escape sequence parser in several fundamental
      ways regarding output correctness and groff compatibility.
    o Corrected output that depends on the order of evaluation of
      roff(7) escape sequences by parsing them left-to-right rather than
      right-to-left.
    o Significantly improved -T lint diagnostics regarding syntax errors
      in roff(7) escape sequences and in their arguments.
    o Stopped emitting vertical space before the tbl(7) .TS (table
      start) macro for compatibility with the same change in groff. This
      implies .PP or .Pp macros may need to be inserted before .TS in
      some (but not all!) places in some manual pages using tbl(7).
    o Stopped skipping vertical space after the tbl(7) .TE (table end)
      macro of boxed tables for compatibility with the same change in
      groff. This implies .sp requests may need to be removed after .TE
      in some manual pages using tbl(7).
    o Corrected the calculation of the width of spanned tbl(7) columns.
    o Improved the handling of literal tab characters in filled text in
      multiple ways for compatibility with groff and Heirloom troff.
    o Plus bugfixes for two segfaults, two infinite loops, and several
      assertion failures.


 - Ports and packages:
    o Pre-built packages are available for the following architectures on
      the day of release:
       - aarch64 (arm64): 11261
       - amd64: 11451
       - i386: 10225
       - mips64: 8759
       - powerpc64: XXX
       - riscv64: 9808
       - sparc64: 9275
    o Packages for the following architectures will be made available as
      their builds complete:
       - arm
       - powerpc


 - Some highlights:


    o Asterisk 16.28.0, 18.14.0 and   o Mozilla Thunderbird 102.3.0
      19.6.0                          o Mutt 2.2.7 and NeoMutt 20220429
    o Audacity 2.4.2                  o Node.js 16.17.1
    o CMake 3.24.2                    o OCaml 4.12.1
    o Chromium 105.0.5195.125         o OpenLDAP 2.6.3
    o Emacs 28.2                      o PHP 7.4.30, 8.0.23 and 8.1.10
    o FFmpeg 4.4.2                    o Postfix 3.7.2
    o GCC 8.4.0 and 11.2.0            o PostgreSQL 14.5
    o GHC 9.2.4                       o Python 2.7.18, 3.9.14 and 3.10.7
    o GNOME 42.4                      o Qt 5.15.6 and 6.3.1
    o Go 1.19.1                       o R 4.2.1
    o JDK 8u342, 11.0.16 and 17.0.4   o Ruby 2.7.6, 3.0.4 and 3.1.2
    o KDE Applications 22.08.1        o Rust 1.63.0
    o KDE Frameworks 5.98.0           o SQLite 3.39.3
    o Krita 5.1.1                     o Shotcut 22.06.23
    o LLVM/Clang 13.0.0               o Sudo 1.9.11.2
    o LibreOffice 7.4.1.2             o Suricata 6.0.6
    o Lua 5.1.5, 5.2.4 and 5.3.6      o Tcl/Tk 8.5.19 and 8.6.12
    o MariaDB 10.9.3                  o TeX Live 2021
    o Mono 6.12.0.182                 o Vim 9.0.0192 and Neovim 0.7.2
    o Mozilla Firefox 105.0.1 and     o Xfce 4.16
      ESR 102.3.0


 - As usual, steady improvements in manual pages and other documentation.


 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.7 with xserver 21.1.4 + patches,
      freetype 2.12.1, fontconfig 2.13.94, Mesa 22.1.7, xterm 372,
      xkeyboard-config 2.20, fonttosfnt 1.2.2, and more)
    o LLVM/Clang 13.0.0 (+ patches)
    o GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
    o Perl 5.32.1 (+ patches)
    o NSD 4.6.0
    o Unbound 1.16.3
    o Ncurses 5.7
    o Binutils 2.17 (+ patches)
    o Gdb 6.3 (+ patches)
    o Awk September 12, 2022 version
    o Expat 2.4.9


------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------


We provide patches for known security threats and other important
issues discovered after each release.  Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible.  Therefore, we advise regular
visits to


        https://www.OpenBSD.org/security.html
and
        https://www.OpenBSD.org/errata.html


------------------------------------------------------------------------
- MAILING LISTS AND FAQ ------------------------------------------------


Mailing lists are an important means of communication among users and
developers of OpenBSD.  For information on OpenBSD mailing lists, please
see:


        https://www.OpenBSD.org/mail.html


You are also encouraged to read the Frequently Asked Questions (FAQ) at:


        https://www.OpenBSD.org/faq/


------------------------------------------------------------------------
- DONATIONS ------------------------------------------------------------


The OpenBSD Project is a volunteer-driven software group funded by
donations.  Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others.  This ecosystem is all handled under the same funding umbrella.


We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon
events.


All of our developers strongly urge you to donate and support our future
efforts.  Donations to the project are highly appreciated, and are
described in more detail at:


        https://www.OpenBSD.org/donations.html


------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------


For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.


There may also be exposure benefits since the Foundation may be
interested in participating in press releases.  In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at directors@openbsdfoundation.org for
more information.


------------------------------------------------------------------------
- HTTPS INSTALLS -------------------------------------------------------


OpenBSD can be easily installed via HTTPS downloads.  Typically you need
a single small piece of boot media (e.g., a USB flash drive) and then
the rest of the files can be installed from a number of locations,
including directly off the Internet.  Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTPS.


1) Read either of the following two files for a list of HTTPS mirrors
   which provide OpenBSD, then choose one near you:


        https://www.OpenBSD.org/ftp.html
        https://ftp.openbsd.org/pub/OpenBSD/ftplist


   As of October 20, 2022, the following HTTPS mirror sites have the
   7.2 release:


        https://cdn.openbsd.org/pub/OpenBSD/7.2/            Global
        https://ftp.eu.openbsd.org/pub/OpenBSD/7.2/         Stockholm, Sweden
        https://ftp.hostserver.de/pub/OpenBSD/7.2/          Frankfurt, Germany
        https://ftp.bytemine.net/pub/OpenBSD/7.2/           Oldenburg, Germany
        https://ftp.fr.openbsd.org/pub/OpenBSD/7.2/         Paris, France
        https://mirror.aarnet.edu.au/pub/OpenBSD/7.2/       Brisbane, Australia
        https://ftp.usa.openbsd.org/pub/OpenBSD/7.2/        CO, USA
        https://ftp5.usa.openbsd.org/pub/OpenBSD/7.2/       CA, USA
        https://mirror.esc7.net/pub/OpenBSD/7.2/            TX, USA
        https://openbsd.cs.toronto.edu/pub/OpenBSD/7.2/     Toronto, Canada
        https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.2/ Global
        https://fastly.cdn.openbsd.org/pub/OpenBSD/7.2/     Global


        The release is also available at the master site:


        https://ftp.openbsd.org/pub/OpenBSD/7.2/            Alberta, Canada


        However it is strongly suggested you use a mirror.


   Other mirror sites may take a day or two to update.


2) Connect to that HTTPS mirror site and go into the directory
   pub/OpenBSD/7.2/ which contains these files and directories.
   This is a list of what you will see:


        ANNOUNCEMENT     armv7/        octeon/             root.mail
        README           hppa/         openbsd-72-base.pub sparc64/
        SHA256           i386/         packages/           src.tar.gz
        SHA256.sig       landisk/      packages-stable/    sys.tar.gz
        alpha/           loongson/     ports.tar.gz        xenocara.tar.gz
        amd64/           luna88k/      powerpc64/
        arm64/           macppc/       riscv64/


   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.


        README          - generic README
        root.mail       - a copy of root's mail at initial login.
                          (This is really worthwhile reading).


3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.


4) Next, go into the directory that applies to your architecture,
   for example, amd64.  This is a list of what you will see:


        BOOTIA32.EFI*   bsd*            floppy72.img    pxeboot*
        BOOTX64.EFI*    bsd.mp*         game72.tgz      xbase72.tgz
        BUILDINFO       bsd.rd*         index.txt       xfont72.tgz
        INSTALL.amd64   cd72.iso        install72.img   xserv72.tgz
        SHA256          cdboot*         install72.iso   xshare72.tgz
        SHA256.sig      cdbr*           man72.tgz
        base72.tgz      comp72.tgz      miniroot72.img


   If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
   and install72.iso.  The install72.iso file (roughly 583MB in size)
   is a one-step ISO-format install CD image which contains the various
   *.tgz files so you do not need to fetch them separately.


   If you prefer to use a USB flash drive, fetch install72.img and
   follow the instructions in INSTALL.amd64.


5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.amd64.  INSTALL.amd64 may tell you that you
   need to fetch other files.


6) Just in case, take a peek at:


        https://www.OpenBSD.org/errata.html


   This is the page where we talk about the mistakes we made while
   creating the 7.2 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.


------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------


X.Org has been integrated more closely into the system.  This release
contains X.Org 7.7.  Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc.  During installation, you can install X.Org
quite easily using xenodm(1), our simplified X11 display manager forked
from xdm(1).


------------------------------------------------------------------------
- PACKAGES AND PORTS ---------------------------------------------------


Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures.  Please see https://www.openbsd.org/faq/faq15.html for
more information on working with packages and ports.


Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed
separately.


------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------


The source code for all four subsystems can be found in the
pub/OpenBSD/7.2/ directory:


        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz


The README (https://ftp.OpenBSD.org/pub/OpenBSD/7.2/README) file
explains how to deal with these source files.


------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------


Ports tree and package building by Jasper Lievisse Adriaanse,
Jeremie Courreges-Anglas, Visa Hankala, Stuart Henderson, Peter Hessler,
George Koehler, Kurt Mosiejczuk, and Christian Weisgerber.  Base and X
system builds by Kenji Aoyama, Theo de Raadt, and Miod Vallat.  Release
art contributed by Jon Chad.


We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who bought our previous CD sets.  Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.


Our developers are:


    Aaron Bieber, Adam Wolk, Alexander Bluhm, Alexander Hall,
    Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov,
    Andrew Fresh, Anil Madhavapeddy, Anthony J. Bentley,
    Antoine Jacoutot, Anton Lindqvist, Asou Masato, Ayaka Koshibe,
    Benoit Lecocq, Bjorn Ketelaars, Bob Beck, Brandon Mercer,
    Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar,
    Caspar Schutijser, Charlene Wendling, Charles Longeau,
    Chris Cappuccio, Christian Weisgerber, Christopher Zimmermann,
    Claudio Jeker, Dale Rahn, Damien Miller, Daniel Dickman,
    Daniel Jakots, Darren Tucker, Dave Voutila, David Coppa,
    David Gwynne, David Hill, Denis Fondras, Edd Barrett,
    Elias M. Mariani, Eric Faurot, Florian Obser, Florian Riehm,
    Frederic Cambus, George Koehler, Gerhard Roth, Giannis Tsaraias,
    Gilles Chehade, Giovanni Bechis, Gleydson Soares,
    Gonzalo L. Rodriguez, Greg Steuck, Helg Bredow, Henning Brauer,
    Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze,
    Inoguchi Kinichiro, James Hastings, James Turner, Jan Klemkow,
    Jason McIntyre, Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas,
    Jeremy Evans, Job Snijders, Joel Sing, Joerg Jung, Jonathan Armani,
    Jonathan Gray, Jonathan Matthew, Jordan Hargrave, Joris Vink,
    Joshua Stein, Juan Francisco Cantero Hurtado, Kazuya Goda,
    Kenji Aoyama, Kenneth R Westerback, Kent R. Spillner, Kevin Lo,
    Kirill Bychkov, Klemens Nanni, Kurt Miller, Kurt Mosiejczuk,
    Landry Breuil, Lawrence Teo, Lucas Raab, Marc Espie, Marcus Glocker,
    Mark Kettenis, Mark Lumsden, Markus Friedl, Martijn van Duren,
    Martin Natano, Martin Pieuchot, Martin Reindl, Martynas Venckus,
    Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Mikonos,
    Mike Belopuhov, Mike Larkin, Miod Vallat, Moritz Buhl, Nam Nguyen,
    Nayden Markatchev, Nicholas Marriott, Nigel Taylor, Okan Demirmen,
    Omar Polo, Ori Bernstein, Otto Moerbeek, Paco Esteban,
    Pamela Mosiejczuk, Pascal Stumpf, Patrick Wildt, Paul Irofti,
    Pavel Korovin, Peter Hessler, Philip Guenther,
    Pierre-Emmanuel Andre, Pratik Vyas, Rafael Sadowski,
    Rafael Zalamena, Raphael Graf, Remi Locherer, Remi Pointel,
    Renato Westphal, Ricardo Mestre, Richard Procter, Rob Pierce,
    Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha,
    Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
    Solene Rapenne, Stefan Fritsch, Stefan Hagen, Stefan Kempf,
    Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson,
    Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler,
    Theo de Raadt, Thomas Frohwein, Tim van der Molen, Tobias Heider,
    Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove,
    Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov,
    Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Yasuoka Masahiko,
    Yojiro Uo

Read on

UPDATE

Official page:

More today:

The Register today:

Very late:

Other Recent Tux Machines' Posts

GNU/Linux Gaming: Abxylute's $70 Retro Gaming Handheld, Steam Deck, and Steam Machines
5 stories
Linux Foundation and Microsoft OSI Are Openly Promoting a Giant Ponzi Scheme (They Get Paid to Do This, Hijacking the Linux Brand to Sell Pyramids and Scams)
Hijack the brand, associate it ("Linux") with fraudulent activities, based on fraudulent accounting practices
Canonical to distribute AMD ROCm AI/ML and HPC libraries in Ubuntu
Canonical is pleased to announce an expanded collaboration with AMD to package and maintain AMD ROCm™ software directly in Ubuntu
Are They Bluffing? [original]
I am not a lawyer (IANAL), but something doesn't seem right
What Freedom Means to Me [original]
Freedom is a 7-letter word which in English can mean all sorts of things
Tails 7.3.1 Launches After Security Issue Delays Release
Tails 7.3.1 replaces 7.3 after a last-minute security fix and updates Tor Browser
If You Value Software Freedom, Consider Downloading a Gemini Client (Browser) and Using Geminispace [original]
The Web has become really bad for many different reasons
Keep an Eye on GNU/Linux in Turkey [original]
Turkey has a population larger than any nation in Europe. If GNU/Linux gains even "just 1%" there, that can be a lot of people.
Which Gemini? [original]
In the context of technology or even FOSS alone, there are now many "Geminis"
Another Week Comes to an End, But It Has Been an Exceptionally Productive One [original]
Today we worked on improving the site by adding a few new tools for it
GNU/Linux in Spain as 2025 Ends [original]
Our guess is that Spain wishes and is capable of becoming self-sufficient for "tech"
Pop!_OS 24.04 LTS Released: A Letter From Our Founder
This year, System76 turned twenty
KDE Gear 25.12
"The Gear that Keeps on Gearing" Edition
Feeding 'John' [original]
squirrels are adorable
Not Everything and Everyone is for Sale [original]
The notion that I must chase money didn't appeal to me
Mozilla Thunderbird 146 Brings OpenPGP Keyserver Settings
Thunderbird 146 open-source email client introduces a new OpenPGP keyserver setting and delivers a range of fixes improving stability
Social Control Media Props Up Narcissists and Liars (Who Fake Their Alleged Popularity or Supposed Importance) [original]
It's the same in YouTube
 
Games: "Terminator 2D: NO FATE", "Clair Obscur: Expedition 33", and More
half a dozen GamingOnLinux stories
Today in Techrights
Some of the latest articles
Security Leftovers and Windows TCO
patches, incidents, and more
Free, Libre, and Open Source Software and Standards
FOSS and standards remnants
today's leftovers
BSD and more
Programming Leftovers
Development related picks
Hardware: Home Assistant, SBC, Purism, and More
some gadgets and such
Haiku R1/beta5 as a "Daily Driver" and Creating User-Friendly Installers Across Operating Systems
Some New regarding "Distributions and Operating Systems"
BSD and Linux Kernel Space / File Systems / Virtualization
ZFS and more
Linux Graphics: NVIDIA news and benchmarking NVENC video transcoding on the Pi
3 stories
today's howtos
Instructionals/Technical picks
Red Hat on Buzzwords and Paid-for 'Articles' About Oneself
Red Hat leftovers
Articles on the Duel Between GNU/Linux and Windows, Which Microsoft is Ditching (or Whose Users Get Abandoned)
Wallen and more
today's howtos
5 howtos
Open Hardware/Modding: Raspberry Pi, Pebble Index 01, and More
Hardware picks
Programmers and software developers lost the plot on naming their tools
There’s an odd tendency in modern software development; we’ve collectively decided that naming things after random nouns
Games: Kitten Space Agency, Project Zomboid, and More
8 stories from GamingOnLinux
Ubuntu’s New Telemetry Tool Will ‘Phone Home’ Monthly
Changes are afoot for Ubuntu’s opt-in telemetry service
Bazzite isn’t the best Linux gaming option anymore — this is
I’ve tried pretty much every major Linux distro out there
ShaRPiKeebo pocket Linux computer will start shipping soon (3 years after crowdfunding)
The keyboard is a QMK-compatible USB keyboard that can be used to interact with a Raspberry Pi
Problems with lax licenses, FSF President Ian Kelling, and more in the winter 2025 Bulletin
In the winter 2025 Free Software Foundation (FSF) Bulletin
Free and Open Source Software
This is free and open source software
Purism Liberty Phone Exists vs. Delayed T1 Phone
Purism has a solution available today
Setting up distributed compilations with sccache
There's a relatively new kid on the block, sccache
Record Traffic in Gemini Protocol [original]
Maybe owing to a large volume of pages, our capsule grew a lot and we serve about 30,000 requests per day (this week)
KDE Ni! OS
At this year’s Akademy (the yearly conference and gathering of KDE)
Solus 4.8 Released with Linux Kernel 6.17, GNOME 49, KDE Plasma 6.5, and More
The development team behind the Solus distribution announced today the release and general availability of Solus 4.8 as the latest ISO snapshot of this independent rolling-release distro featuring Budgie, GNOME, KDE Plasma, and Xfce editions.
Gamers Are Flocking Away From Microsoft and From Windows [original]
Give it another year (2026) and let's see is Steam Survey shows GNU/Linux at over 5%
Another Magnificent Milestone [original]
There are already many SSGs out there
GNU/Linux Reaches About 5% in Austria [original]
Germany is dumping Microsoft
Upcoming "black building test" [original]
(or Blackout Test)
Today in Techrights
Some of the latest articles
When a Bird Dies [original]
No, it wasn't a cat's fault
Security and Windows TCO Leftovers
mostly the former
GNU/Linux and BSD Leftovers
mostly GNU/Linux
Free, Libre, and Open Source Software Leftovers
FOSS stories
Open Hardware/Modding: Raspberry Pi, KiCad, and More
Hardware leftovers
Outreachy in GNOME and Rewriting Cartridges (GNOME)
GNOME picks
New Releases of Applications: TLP 1.9.0, VLC 3.0.22, PowerDNS DNSdist 2.0.2 , and Various GNU Projects (Coreutils, Gnuastro Etc.)
Software releases
Let’s Encrypt Turns Ten
Let’s Encrypt news and CAs
Raspberry Pi Imager 2.0.2 Improves Write Speeds And UI Stability
Raspberry Pi Imager 2.0.2 boosts performance with direct I/O bypass
Cinnamon 6.6 Desktop Environment Lands With Major Menu Redesign
Cinnamon 6.6 introduces a redesigned menu, smoother animations
Security Patches and News
Security leftovers
Free, Libre, and Open Source Software Leftovers
FOSS picks
Standards/Consortia: Creative Commons, ePub, and SWIM Protocol
3 more stories
Programming Leftovers
Development picks
GNU/Linux, BSD, and Hardware Leftovers
mostly GNU/Linux picks
Godot 4.6 Reaches Beta and Microsoft is Very Afraid of GNU/Linux Gaining Ground Among Gamers
gaming stories
IBM Red Hat and CentOS Leftovers, RPM 6.0.1 Released
IBM stuff
today's howtos
not so many so far today
Canonical/Ubuntu: AMD ROCm, Evince, and More
a handful of stories
Android Leftovers
The real reason why Android updates are so forgettable now
The Fairbuds XL were already good. We made them better
We have a new edition of our award-winning Fairbuds XL now on sale
Krita 5.2.14 bugfix release!
Today we're releasing Krita 5.2.14
7 reasons I never distro-hop: I just stick with Debian
While many Linux users like to try out new distros, especially those new to Linux
Want to save your old computer? Try one of these 9 Linux distros - for free
Here's how to save money, reduce e-waste
UP Squared Pro TWL AI Dev Kit Review – Intel N150 + Hailo-8L accelerator tested on Ubuntu 24.04
’ve been asked to review three Intel-based UP AI development kits running Ubuntu 24.04 Pro
The 7 Linux distros I recommend most for gaming in 2025 - including my favorite
Still think Linux isn't practical for gaming
Free and Open Source Software, howtos and Installations
This is free and open source software
Linux 6.18, Rust Inside Linux, and RISC-V CPU
Linux leftovers
Games: Factorio, Dungeons of DUSK, and More
GamingOnLinux stories
Graphics: Linux Graphics and Free Code
3 stories
KDE's End of Year Fundraiser 2025 and This Week in KDE Apps; Plasma Camera & Plasma Settings
KDE leftovers
Time to Support the Free Software Foundation, Maker of GNU, GPL, and GCC (Prerequisites for Linux) [original]
The year finishes in 20 days and the FSF is trying to raise another 200,000 dollars to pay for hosting of GNU and various other things
Android Leftovers
4 open source Android file managers that don't spy on you or show ads
Andy Wingo, Alx Sa, Govdirectory Get Awards From the Free Software Foundation (FSF)
latest winners
OpenTofu 1.11 Introduces Ephemerality for Safer Temporary Credentials
OpenTofu 1.11 introduces ephemeral resources
Two Ubuntu Flavours Won’t Be LTS Releases Next Year
Not all of Ubuntu’s flavours have applied for long-term support status in next year’s 26.04 release
Free and Open Source Software
This is free and open source software
Divine D. open source smartphone inches closer to launch, gains microSD Express, micro HDMI, and LoRa support
DawnDrums is hardly the first group to design a Linux-friendly phone
Here are Your Choices for an Open Source NAS Operating System
It also supports a lot of plugins which can heavily extend the features of the OS
Kubuntu 24.04, three dots later, it still keeps me on edge
When I first tested Kubuntu 24.04, I was rather dismayed
OpenSUSE vs. Manjaro: Which powerhouse Linux distro is best for you?
Looking for a Linux distribution that delivers more power and control
Europe is Talking About Software Freedom [original]
We've recently seen many politicians in Europe speaking about digital independence from the US
European Readers, Please Contact Your National Representatives (Delegates) at the EPO, Tell Them About Software Patents and EPO Corruption [original]
We've heard that our reporting is read by many and that it already has a positive impact
today's leftovers
GNU/Linux and more
LWN on Rust Inside Debian, Kernel Development, and Development Tools
7 latest articles
Today in Techrights
Some of the latest articles