OpenBSD is a free, multi-platform 4.4BSD-based UNIX-like operating system. The 57th release, OpenBSD 7.6, comes with new features, various improvements, bug fixes, and tweaks.
Security improvements
- Added
-fret-clean
option to the compiler, defaulting to off. This new option causes the caller to clean the return address off the stack after a call completes. The-fret-clean
option was then enabled on amd64 for libc, libcrypto, ld.so, kernel, and all the ssh tools. - Expose branch target identification (BTI) to userland and make LLVM generate code with BTI instructions.
- Enabled PAC in addition to BTI on arm64 such that JIT code matches the default branch protection provided by our base compiler.
- Limit NFS connections to originate from a reserved port, but permit null requests (aka server pings) from non-reserved ports in nfs.
- Made local ports bound during
connect(2)
unique per laddr rather than globally unique. - Enforced the
pinsyscalls(2)
rules on non-static/ld.so/libc.so text segments. - Added
pledge
andunveil
torpcinfo(8)
. - Added
AUDIO_GETDEV
ioctl to “audio”pledge(2)
.
Changes were made to the pf(4)
firewall
- Added display of
pf(4)
fragment reassembly counters topfctl(8)
andsystat(1)
. - Fixed
pfsync(4)
TCP-state not being updated for destination connection peer and reduced excessivepfsync
traffic. - Allow users to define tables inside an anchor in the same way they can define global tables in
pf.conf(5)
. Previously this required a separatepfctl -a foo -t bar
invocation.
New features in the network stack
- Made PPP interfaces to run in an
rdomain(4)
and install a default route in the same routing domain. - Introduced
rport(4)
for point-to-point layer 3 connectivity between routing domains. Similar topair(4)
but more efficient as it does not add Ethernet headers. - Implemented IPv6 forwarding IPsec only (
sysctl net.inet6.ip6.forwarding = 2
), the equivalent tonet.inet.ip.forwarding = 2
for IPv4. - Added
BIOCSETFNR
tobpf(4)
, likeBIOCSETF
without resetting the buffer or stats. - Implemented
SO_ACCEPTCONN
ingetsockopt(2)
which can be used to check iflisten(2)
was called and the socket is accepting connections.
Various new userland features
- Added
scandirat(3)
from FreeBSD. - Added
elf_aux_info(3)
, designed to let userland peek atAT_HWCAP
andAT_HWCAP2
, using an interface from FreeBSD. - Added missing function
wcsnlen(3)
to find length of a wide string (i.e.wcslen(3)
with a max len argument). - Imported libva 2.22.0, an implementation for VA-API (video acceleration API). VA-API provides access to graphics hardware acceleration capabilities for video processing.
- Added the option
"-u name"
toenv(1)
to remove a variable from the environment.
OpenBSD 7.6 is available for download here. See here for a complete list of changes and additions.