Released March 29, 2016. Copyright 1997-2016, Theo de Raadt. ISBN 978-0-9881561-7-3. 5.9 Songs: "Doctor W^X", "Systemagic (Anniversary Edition)"

All applicable copyrights and credits are in the src.tar.gz, sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the files fetched via
This is a partial list of new features and systems included in OpenBSD 5.9. For a comprehensive list, see the changelog leading to 5.9.
lookup yp in resolv.conf(5).
SOCK_DNS socket(2) flag that makes an SS_DNS tagged socket conceptually different from a plain socket.
mode subcommand.
default-lease-time, max-lease-time and bootp-lease-time options.
-y IEEE802_11_RADIO and -v options.
-g flag is used.
-b flag that specifies the size of the EFI System partition to create.
-v flag that causes a verbose display of both MBR and GPT information.
-B and -b flags being removed. The associated fields in the disklabel were also removed. These functions are now all performed by installboot(8).
kevent structures are now dumped.
PermitRootLogin=prohibit-password/without-password that could, depending on compile-time configuration, permit password authentication to root while preventing other forms of authentication.
SECURITY extension.
diffie-hellman-group-exchange to 2048 bits.
blowfish-cbc, cast128-cbc, all arcfour variants and the rijndael-cbc aliases for AES.
draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt.
AddKeysToAgent client option which can be set to yes, no, ask, or confirm, and defaults to no. When enabled, a private key that is used during authentication will be added to ssh-agent(1) if it is running (with confirmation enabled if set to confirm).
authorized_keys option restrict that includes all current and future key restrictions (no-*-forwarding, etc.). Also add permissive versions of the existing restrictions, e.g. no-pty -> pty. This simplifies the task of setting up restricted keys and ensures they are maximally-restricted, regardless of any permissions we might implement in the future.
ssh-keygen -lf ~/.ssh/authorized_keys. (bz#1319)
none as an argument for sshd_config(5) Foreground and ChrootDirectory. Useful inside Match blocks to override a global default. (bz#2486)
-f -") for ssh-keygen -L.
ssh-keyscan -c ... flag to allow fetching certificates instead of plain keys.
cvs.openbsd.org.) in hostname canonicalisation - treat them as already canonical and trailing '.' before matching ssh_config(5).
first_kex_follows option during the initial key exchange.
SSH2_MSG_UNIMPLEMENTED replies to unexpected messages during key exchange. (bz#2949)
ConnectionAttempts=0, which does not make sense and would cause ssh to print an uninitialised stack variable. (bz#2500)
Match blocks. (bz#2489)
PubkeyAcceptedKeyTypes +... inside a Match block.
-i options before checking whether or not the identity file exists. Avoids confusion for cases where the shell doesn't expand (e.g. -i ~/file vs. -i~/file). (bz#2481)
Match exec in a config file, which could cause some commands to fail in certain environments. (bz#2471)
ChrootDirectory is active. (bz#2485)
PubkeyAcceptedKeyTypes in ssh -G config dump.
TunnelForwarding device flags if they are already what is needed; makes it possible to use tun(4)/tap(4) networking as a non-root user if device permissions and interface flags are pre-established.
RekeyLimits could be exceeded by one packet. (bz#2521)
fatal() for PKCS11 tokens that present empty key IDs. (bz#1773)
RekeyLimits larger than 4GB. (bz#2521)
known_hosts file edits when known_hosts doesn't exist.
%i in ControlPath to UID. (bz#2449)
openssh_RSA_verify. (bz#2460)
ssh -G ...) of HostKeyAlgorithms=+...
HostkeyAlgorithms=+...
ClientHello messages that do not include TLS extensions, resulting in such handshakes being aborted.
ECDH_compute_key that can lead to silent truncation of the result key without error. A coding error could cause software to use much shorter keys than intended.
DTLS_BAD_VER. Pre-DTLSv1 implementations are no longer supported.
engine command and parameters are removed from openssl(1). Previous releases removed dynamic and built-in engine support already.
Certplus CA root certificate to the default cert.pem file.
sizeof(RC4_CHUNK).
AEAD construction introduced in RFC 7539, which is different from that already used in TLS with EVP_aead_chacha20_poly1305(3).
COMODO RSA Certification Authority and QuoVadis root certificates to cert.pem.
C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority" (serial 3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be) root certificate from cert.pem.
s_time command now performs a proper shutdown which allows a full TLS connection to be benchmarked more accurately. A new -no_shutdown flag makes s_time adopt the previous behavior so that comparisons can still be made with OpenSSL's version.
SSLEAY_CONF backwards compatibility environment variable in openssl(1).
CVE-2015-3194: NULL pointer dereference in client side certificate validation.
CVE-2015-3195: memory leak in PKCS7, not reachable from TLS/SSL.
CVE-2015-3193: carry propagating bug in the x86_64 Montgomery squaring procedure.
CVE-2015-3196: double free race condition of the identity hint data.
cmake builds.
pkgconfig files to correctly report the release version number, not the individual library ABI version numbers.
libtls API is changed from the 2.2.x series: libtls no longer implicitly closes the passed-in sockets. The caller is responsible for closing them in this case.
OPENSSL_cpu_caps is provided that does not allow software to inadvertently modify cpu capability flags. OPENSSL_ia32cap and OPENSSL_ia32cap_loc are removed.
out_len argument of AEAD changed from ssize_t to size_t.
libtls for client and server operations; it is included in the libressl-portable distribution as an example of how to use the libtls library. This is intended to be a simpler and more robust replacement for openssl s_client and openssl s_server for day-to-day operations.
unsigned long to time_t. LibreSSL now checks if the host OS supports 64-bit time_t.
libtls.
libtls, tls_peer_cert_notbefore(3) and tls_peer_cert_notafter(3).
EVP_CHECK_DES_KEY code (non-functional since initial commit in 2004).
probable_prime_dh_safe().
LIBRESSL_VERSION_NUMBER to match that of OPENSSL_VERSION_NUMBER.
AES_decrypt.
SSL_OP_SINGLE_DH_USE flag.
      Many pre-built packages for each architecture:
Some highlights:
Following this are the instructions which you would have on a piece of paper if you had purchased a CDROM set instead of doing an alternate form of install. The instructions for doing an HTTP (or other style of) install are very similar; the CDROM instructions are left intact so that you can see how much easier it would have been if you had purchased a CDROM instead.
Please refer to the following files on the three CDROMs or mirror site for extensive details on how to install OpenBSD 5.9 on your machine:
Quick installer information for people familiar with OpenBSD, and the use of the "disklabel -E" command. If you are at all confused when installing OpenBSD, read the relevant INSTALL.* file as listed above!
If you already have an OpenBSD 5.8 system, and do not want to reinstall, upgrade instructions and advice can be found in the Upgrade Guide.
src.tar.gz contains a source archive starting at /usr/src.
This file contains everything you need except for the kernel sources, which are
in a separate archive.  To extract:
# mkdir -p /usr/src
# cd /usr/src
# tar xvfz /tmp/src.tar.gz
sys.tar.gz contains a source archive starting at /usr/src/sys.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
# mkdir -p /usr/src/sys
# cd /usr/src
# tar xvfz /tmp/sys.tar.gz
Both of these trees are a regular CVS checkout. Using these trees it is possible to get a head-start on using the anoncvs servers as described here. Using these files results in a much faster initial CVS update than you could expect from a fresh checkout of the full OpenBSD source tree.
A ports tree archive is also provided. To extract:
# cd /usr
# tar xvfz /tmp/ports.tar.gz
Go read the ports page if you know nothing about ports at this point. This text is not a manual of how to use ports. Rather, it is a set of notes meant to kickstart the user on the OpenBSD ports system.
The ports/ directory represents a CVS (see the manpage for cvs(1) if you aren't familiar with CVS) checkout of our ports. As with our complete source tree, our ports tree is available via AnonCVS. So, in order to keep up to date with the -stable branch, you must make the ports/ tree available on a read-write medium and update the tree with a command like:
# cd /usr/ports
# cvs -d [email protected]:/cvs update -Pd -rOPENBSD_5_9
[Of course, you must replace the server name here with a nearby anoncvs server.]
Note that most ports are available as packages on our mirrors. Updated ports for the 5.9 release will be made available if problems arise.
If you're interested in seeing a port added, would like to help out, or just would like to know more, the mailing list ports@openbsd.org is a good place to know.