------------------------------------------------------------------------
- OpenBSD 7.9 RELEASED -------------------------------------------------
May 19, 2026.
We are pleased to announce the official release of OpenBSD 7.9.
This is our 60th release. We remain proud of OpenBSD's record of
more than thirty years with only two remote holes in the default
install.
As in our previous releases, 7.9 provides significant improvements,
including new features, in nearly all areas of the system:
- Platform-specific improvements:
o arm64:
- Enabled ice(4) on arm64.
- Added support for the RK3588 and RK3576 SoCs with new or
additions to existing drivers.
- Added support for the Genesys Logic GL9755 SDHC controller
(which includes the SDHC controller on some of the Apple
Silicon laptops) to sdmmc(4).
o amd64:
- Added SMU support to amdpmc(4). The SMU is a microcontroller
buried deep in the bowels of AMD SoCs and needs to be tickled
in order to reach the lowest power states in suspend.
- Disabled Panel Self Refresh (PSR) in amdgpu to avoid a
potential hang on a ThinkPad X13 gen 6.
- Increased MAXCPUs on amd64 to 255.
- On amd64, we now zero the DM PTE/PDE pages before use. This
fixes a bug on machines with more than 512GB RAM.
- Mitigated floating point state leakage observed on AMD
Zen/Zen+ (Zen 1).
o luna88k:
- Switched luna88k compiler to gcc4.
- Switched luna88k to PIE (Position Independent Executables) by
default.
o riscv64:
Systems with a SpacemiT K1 SoC gained support with the following
(and more) changes:
- Added smtclock(4), a driver for the clock/reset controller on
the SpacemiT K1 SoC.
- Added many more drivers to support the SpacemiT K1 SoC.
- Implemented support for the Zicbom (Cache-Block Management)
and Svpbmt (Page-Based Memory Types) extensions.
- Added the SpacemiT K1 device trees onto the riscv64 miniroot
making them accessible during installation.
- Made "Instruction access fault" (EXCP_FAULT_FETCH) traps
being treated as PROT_EXEC. This fixes random SIGSEGV on the
SpacemiT X60 cores.
- Added SpacemiT K1 support to dwpcie(4).
o Other architectures:
- Fixed various errors on big-endian systems in ice(4) to make
it work on sparc64.
- Changed powerpc64 memory barriers to "sync".
- Reworked and improved TLB shootdown on alpha.
- Hoisted mips64 CPU accounting to get multiple softnet threads
on MP systems.
- Made sure to initialize all FPU registers on sparc64 to all 1
(or -NaN), and not only the lower 32 registers.
- Fixed parking mutex on sun4u sparc64 cpus.
o More platform-specific changes can be found in the hardware
support section below.
- Various kernel improvements:
o Introduced a mechanism to manage CPU cores with different speeds
in the scheduler. The sysctl(8) variable "hw.blockcpu" takes a
sequence of 4 letters: S (for SMT), P (regular performance CPU), E
(efficient CPU, generally 80% to 50% as fast), and L (lethargic
CPU) which are even slower. Set this to select CPUs to kick out of
the scheduler (SL by default). Currently works on amd64 and arm64.
o Replaced the cas spinlock in kernel mutexes with a "parking" lock.
o Stopped forcing the page daemon to sleep when there are
outstanding paging requests.
o Implemented a ddb(4) stop command that sends a SIGSTOP to the
specified pid.
o Made ddb(4) output visible when entering ddb from X on amdgpu.
o Added infrastructure to allow future support of up to 52
partitions per disk.
o Made changes to avoid memory allocation from within the
swapencrypt path of the pagedaemon by pre-allocating 32
swapclusters up-front.
o Changed the strategy by which the pagedaemon creates free memory
by overshooting the creation of inactive and free pages, in order
to defragment memory.
o Refuse to load a binary without a PT_LOAD exec segment.
- Suspend/Hibernate Support:
o Implemented delayed hibernation:
In order to prevent running out of battery while suspended, this
feature wakes up a suspended system after a configurable time to
then immediately perform a hibernation. The machdep.hibernatedelay
sysctl(2) is used to configure the number of seconds after which
the system will wake up from suspend and hibernate itself.
- SMP Improvements:
o Unlocked socket splicing.
o Unlocked icmp6_sysctl().
o Unlocked the IGMP slow timeout.
o Enabled parallel fault handling on amd64 and arm64.
o Made bse(4) interrupts mp-safe.
o Protected the IGMP and MLD6 fast timers with an rwlock.
- Direct Rendering Manager and graphics drivers:
o Updated drm(4) to Linux 6.18.22.
- VMM/VMD and virtualization improvements:
o Adopted PCI-based semantics for reading unsupported or invalid
registers by returning all 1's. Newer Linux kernels have started
using 128-bit feature spaces.
o Added sysctl(8) machdep.vmmode to indicate status as a host or
guest (and SEV mode).
o Added vmboot, a tiny kernel that allows sysupgrade(8) to work for
vmd(8) VMs.
o Allowed cd(4)/vioscsi(4) on a VM to use confidential computing
methods, e.g. AMD SEV.
o Fixed a segfault in vmd(8) during vmmci timeout firing.
o Enabled 32-bit direct kernel launch for both amd64 and i386 in
vmd(8).
o Fixed a race in vmd(8) vm pause barrier usage.
o Fixed a race in vmm(4) vm termination path.
o Added emulation of AMD SysCfg MSR in vmm(4).
o Made OpenBSD work on Apple Virtualization.
o Only expose pvclock(4) in vmm(4) if tsc frequency is known.
o Reduced vmd(8) lowmem area in the memory map to help Linux guest
reboot issues.
o Prevented vmd(8) pause deadlock when vcpu doesn't halt.
o Fixed timer emulation-related OpenBSD-i386 VM hangs when using the
i8254 hardware timecounter with vmm(4).
o Made vio(4) recover from missed RX interrupts.
o Fixed vmd(8) vionet reset race leading to broken networking.
- Various new userland features:
o Dynamically determine the possible partition names to show in the
disklabel(8) editor a(dd) command help message.
o Allow the disklabel(8) 'd'elete editor command to zero out
FS_UNUSED partitions despite current value of d_npartitions.
o Added display of the close-on-fork flag as 'f' in R/W column to
fstat(1).
o Added support for the XDG_RUNTIME_DIR environment variable in
login(1) and xenodm(1) via login_cap(3). Set it by default,
pointing to /tmp/run/user/${uid} which gets created if needed.
- More bugfixes and tweaks in userland:
o Made libsndio restart the audio(4) device upon underrun.
o Enable fall-back audio devices by default in sndiod(8).
o Simplified the Unix socket binding code in sndiod(8).
o Simplified cookie handling in libsndio.
o Enabled recording and monitoring at the same time in sndiod(8).
o In the LLVM compiler, fixed x86 frame lowering for -msave-args.
o Made pthread_set_name_np(3) succeed with long thread names instead
of silently failing.
o Handle calls to libc's freeaddrinfo(3) function with a NULL
argument, instead of crashing, and improve the manpage.
o Made pcidump(8) print PCI bridge windows when they are "open".
o Fixed an editline(3) bug that truncates completion candidates when
the input wraps to a new line.
o Added file(1) support for PSF2 fonts detection.
o Added file(1) support for Web Open Font Format (WOFF) detection.
o Fixed mg(1) replace-regexp issues.
o Improved handling of strdup(3) failures in mg(1).
o Improved the "No changes need to be saved" check in mg(1).
o Dropped the initialization of curses when ksh(1) is not started
interactively. This avoids opening and parsing of the terminfo(3)
file.
o Added echo(1) -e to process escape sequences and support for
multiple groups of dash args like ksh's echo.
o Increased the length of arguments that can be given to pkill(1).
This allows matching of commands with longer command line
arguments.
o Made the -0 option override -E in xargs(1).
o Set metaSendsEscape by default in xterm(1).
o Fixed leap year detection in newsyslog(8).
o Fixed less(1) crash on reading an invalid tags file.
o Fixed a memory leak on sensorsd(8) configuration reload.
- Improved hardware support and driver bugfixes, including:
o Tweaked PCI device power management such that drivers can change
their own power state. Let xhci(4) power itself down such that its
companion USB4 controller can go to sleep in its DVACT_POWERDOWN
implementation.
o Added nhi(4), a driver for USB4 controllers.
o Added an audio(9) driver interface to expose the hardware's
display name.
o Changed envy(4) and uaudio(4) devices to return the product name
as the display name.
o Handle uaudio(4) devices with a single clock exposed in multiple
domains.
o Fixed unintended truncation of uaudio(4) device names when
printing them in libsndio applications.
o Improved acpi(4) handling of PCI bridges.
o Implemented "StorageD3Enable" support in acpi(4).
o Stopped acpi(4) from calling the PCI function when an AML node has
neither _ADR nor _HID, and avoid a panic on the ThinkPad X40.
o Added iasuskbd(4) support for special keys on the ASUS I2C laptop
keyboards.
o Added sgmsi(4), a driver for the MSI controller implementation on
Sophgo SG2042 SoCs.
o Added cdpcie(4), a driver for the Cadence PCIe controller,
supporting the variant found on the Sophgo SG2042 SoC.
o Added dwpcie(4) Qualcomm SC7280 support.
o Added qcuart(4), a driver for Qualcomm GENI UART serial consoles.
o Added smtgpio(4), a driver for the GPIO controller found on
SpacemiT K1 SoCs.
o Added rkusbdpphy(4), a driver for the USB DP Combo PHY on Rockchip
SoCs.
o Added support for blocking reads to fuse(4).
o Added basic implementation of the low-level FUSE API sufficient to
compile and run lowntfs-3g.
o Allowed uhidev(4) to attach to and work with devices that don't
have an input interrupt endpoint.
o Added the ispi(4) driver for Intel LPSS SPI controller.
o Added an Apple variant to the "de" keyboard encoding for wskbd(4).
o Added acpihid(4), a driver for the Generic Buttons Device defined
by the ACPI specification.
o Made viogpu(4) viogpu_wsmmap() return a physical address via
bus_dmamem_mmap(9).
o Added support for "Apple Inc. Virtual USB Digitizer", to expose
the touchpad on Apple Virtualization.
o Added support for the PSP found on the AMD EPYC 9005 to psp(4).
o Added support for the AlphaSmart Dana to uvisor(4) as a PALM4
device.
o Added support for more line speeds to uplcom(4).
o Added support for the RK3528 SoC to the dwmshc(4) eMMC controller
driver.
o In wscons(4) disallowed loading if mapchar emulops require a
question mark character that is missing.
- New or improved network hardware support:
o Fixed memory leaks in bnxt(4).
o In umb(4), made uplink and downlink speeds visible through
kstat(4).
o Added support for Quectel EC200A LTE modems to umsm(4).
o Added rge(4) support for RTL8126 chip revision 0x64a00000.
o Turned on SoftLRO by default on bnxt(4) and ice(4).
o Fixed the ice(4) "too many data commands" error on TSO packets.
o Increased the urndis(4) buffer size to 16k.
o Fixed an issue where dwqe(4), e.g. on a veb(4), doesn't recover
when the link is down but packets are bridged.
o Made the output of bse(4) mp-safe.
o Enabled 64-bit DMA transfers on aq(4), em(4), rge(4), re(4),
iavf(4), ix(4), ixv(4), ixl(4), igc(4), ice(4) and iwx(4).
o Added support for BCM575xx devices (also known as Thor or P5) to
bnxt(4).
o Added smte(4), a driver for the ethernet interfaces of the
SpacemiT K1 SoC.
- IEEE 802.11 wireless stack improvements and bugfixes:
o Fixed association to access points which have all 802.11b rates
disabled.
o Updated ieee80211_classify() to RFC8325 to prioritize interactive
SSH sessions correctly, and rate-limit high-prio QoS packets.
o Initialized TIDs 4-7 to improve QoS behaviour during Tx
aggregation.
o Added basic 802.11ax support.
o Added support for a 160 MHz window at 5 GHz and enabled it on
iwx(4).
- Added or improved wireless network drivers:
o Improved chances of qwx(4) receiving the initial WPA handshake
message.
o Reinitialized the qwx(4) HAL state when resuming from suspend.
o Enabled iwx(4) on i386.
o Added PMF (Protected Management Frames) support to iwm(4), iwx(4),
and qwx(4), and add support for 802.11 AKM SHA256-PSK to
ifconfig(8) and enable it by default if the driver supports PMF.
o Fixed iwx(4) issues related to roaming and PMF and firmware crypto
keys.
o Set the assoc ID field in iwx(4) firmware commands correctly.
o Added support for BZ devices with WiFi 6e radio to iwx(4).
o Made iwx(4) not load incomplete firmware images and report a
proper error instead.
o Fixed iwn(4) setting of DMA base addresses of Tx rings 17 and
beyond.
o Added powersave support to iwx(4) and enable by default.
o Added support for 160 MHz channel width to iwx(4).
o Increased the VHT frame aggregation size limit from 64k to 1024k
on iwx(4).
o Aligned iwx(4) antenna patterns and STBC with iwlwifi.
- Installer, upgrade, bootloader, and pkg-tools improvements:
o Allow installboot(8) to finish, even if efi(4) can't be accessed.
o Made sysupgrade fail if df /usr says the filesystem is over 90%
full, rather than potentially completely breaking the system.
o Scan both dmesg.boot and dmesg(8) output for devices with
fw_update(8).
o On amd64, added support for loading files (kernels) from the EFI
system partition. This means one can put the OpenBSD boot loader
and bsd.rd on the EFI boot partition and run the installer that
way. This already works on arm64.
o Improved keydisk partition detection in the installer.
o Added aggr(4) support to arm64 RAMDISK and i386/amd64 RAMDISK_CD.
o Increased the auto-allocated partition size of /usr/obj in
disklabel(8).
o Floppy install users on i386/amd64 may find fw_update(8) for some
drivers will not work because pci strings in the kernel have
become too large.
- Security improvements:
o Stop allowing root to bypass the effects of bpf(4) BIOCLOCK.
BIOCLOCK is intended to remove the ability to reconfigure a BPF
descriptor, but root processes were not subject to this revocation
of privileges. No software relied on root being able to
reconfigure a BPF descriptor, so this exemption was been removed.
o Retired the pledge(2) 'tmppath' promise. The use of unveil /tmp
rwc, unveil / r or similar together with pledge "rpath wpath
cpath" replaces all use cases of 'tmppath' in a safer way.
o Introduced the __pledge_open(2) system call, allowing libc to open
a small set of tightly controlled internal files even when
pledge(2) and unveil(2) would otherwise disallow direct access.
File descriptors obtained this way are restricted to read-only use
and cannot be used with write(2), chmod(2), chflags(2), chown(2),
ftruncate(2), or fdpassing. This lets libc handle required
devices, pledge-dependent files, and zoneinfo data without
preserving the old pledge_namei() shortcut that allowed non-libc
code to open the same special files.
o In pledged processes, made /etc/localtime and /usr/share/zoneinfo
scans much stricter.
o In dig(1), fixed pledge/unveil issues relating to manual opening
of /etc/resolv.conf.
o Fixed unveil(2) to handle a filesystem that is mounted on a mount
point that is itself the root of another filesystem.
o Start fork(2)'ed children without a pgrp set (i.e. NULL) and
update the pgrp pointer late to fix a potential race.
o Do not expose p_addr kernel address through sysctl(2) unless root.
o For sysctl({CTL_KERN, KERN_TTY, KERN_TTY_INFO), only export the
t_session kernel address pointer if the caller is root.
- New features in the network stack:
o Made the Virtual Ethernet Bridge veb(4) a VLAN-aware bridge.
Ports in veb(4) now have a PVID (port VLAN identifier) used to
determine which VLAN untagged packets get associated with, and a
bitmap of allowed VIDs (VLAN IDs) that say what VLANs tagged
traffic can interact with. Ports can be configured as "access"
ports by only configuring a pvid but with no entries in the vid
map, or as a "trunk" by disabling the pvid and adding entries to
the vid map, or a "hybrid" port by configuring both a pvid and
entries in the vid map. To maintain compatibility with existing
(simple) setups, veb defaults to using pvid 1 on ports added to
the bridge.
o Added a LOCKED flag to veb(4) ports that are added to a bridge(4).
This makes sure that the source MAC address of frames received by
these ports has an entry in the fib/address cache pointing at the
same interface.
o In IPFIX/Netflow v10, added a NAT template with post-NAT source
and destination IP address and ports, allowing use of pflow to
track internal to external translations.
o Enabled IPv6 autoconf (SLAAC) by default.
- Further changes and bugfixes in the network stack:
o Implemented "checksum offload" between rport(4) pairs. This allows
the kernel to skip ip/tcp/udp checksum calculation for packets
between rdomains.
o Implemented IFCAP_TSO in rport(4). This allows the stack to pass
large tcp frames between rdomains.
o In rport(4), made changes to use multiple txqs to spread traffic
handling over softnet threads.
o Fixed a panic when autodial (link1) on pppoe(4) tries to run.
o Allowed bpf(4) in tun_dev_read to see VLAN tags when
IFCAP_VLAN_HWTAGGING is enabled.
o Added XOR and MOD operations to bpf(4).
o Made tpmr(4) work with ether_offload_ifcap like veb(4) and
bridge(4).
o Added Private VLAN support to veb(4) as per RFC 5517.
o Allowed VLAN tags (and therefore VLAN interfaces) on top of
vports.
o Made use of per-CPU refs in the input path instead of doing one
refcnt per port to improve performance on tpmr(4), veb(4) and
aggr(4).
o Removed lacp support from trunk(4), now better supported by
aggr(4).
o Introduced a global interface queue limit. Limit all multiqueue
network interfaces to common IF_MAX_VECTORS. Currently it is set
to 8. One global limit helps to find an optimal value, stops
wasting interrupt vectors, and clarifies what the actual hardware
or driver limitations are.
o Updated codel implementation to comply with RFCs 8289 and 8290.
o Improved vio(4) feature negotiation for Large Receive Offload/TCP
Segmentation Offload.
o Prevented false ELOOP error in socket splicing with SO_SPLICE.
o Made the network stack ignore TCP SACK packets with invalid
sequence numbers to prevent potential kernel crash.
- The following changes were made to the pf(4) firewall:
o Introduced source and state limiters in pf(4). See the Source
Limiters section in pf.conf(5).
o Extended pf(4) limiters so an administrator can specify the action
the rule executes when limit is reached.
o In pfctl(8), changed default limiter action from no-match to
block.
o Have pf(4) state and source limiter state cleanup assert on the
right lock.
o Fixed pfctl(8) with -nvf ... option to provide output which
matches pfctl grammar for rules that use source/state limiters.
o Print both nat-to and rdr-to in pfctl(8) show rules.
- Routing daemons, network services and other userland network programs
saw the following improvements:
o Do not log an error when dhcp6leased(8) cannot add a route because
it already exists.
o In dhcpleased(8), do not pass pointers over process privilege
boundaries via imsg, only data.
o Do not log an error when slaacd(8) cannot add a route because it
already exists.
o Fixed a buffer overflow reachable via rogue router advertisements
in slaacd(8).
o Prevented potential slaacd(8) crash if an attacker on the same
layer 2 network sends rogue router advertisements.
o Changed ospf6d(8) rc.d script to disallow reload, since ospf6d
does not support it.
o Fixed smtpd(8) dying if a malformed imsg is sent on the local
socket.
o Improved the logging of filter processing in smtpd(8).
o Changed the default "tagged" operation for ifconfig(8) to add VLAN
IDs rather than replace them.
o Allowed the ifconfig(8) and brconfig(8) "tagged" operation to
accept multiple VIDs and/or ranges of VIDs.
o Added support for non-default config file paths to unbound(8) rc.d
script.
o In unwind(8), allow one to configure forced resolvers outside of
preference blocks.
o Added a "no banner" option to suppress the Server header in
httpd(8).
o Restored httpd(8) server_http_time() use of GMT.
o Made httpd(8) error out on presence of Content-Length and
Transfer-Encoding headers for GET, HEAD and other methods that
should have no body.
o Made relayd(8) and httpd(8) use the same internal log functions as
bgpd(8) (and several other daemons).
o Restored relayd(8) relay_http_time() use of GMT.
o Added relayd(8) support for PROXY protocol in TCP relays.
o Set a User-Agent in HTTP health checks sent by relayd(8).
o Fixed a race condition in relayd(8) that could cause a crash
during configuration reload.
o Made relayd(8) support TLS with multiple listeners.
o Fixed ftp(1) http_time() to use GMT, not UTC, per RFC 9110.
o Report success in ftp(1) when a file is fully retrieved.
o Made tcpdump(8) show the 802.11 QoS TID with -v.
o Added printing of NetBIOS and DNS servers in IPCP to tcpdump(8).
o Extended tcpdump(8) for printing of DHCPv6 information.
o Made sure that internal counters do not go out of bounds if the -n
or -A traceroute(8) options are specified more than once.
o Raised rad(8) lifetimes for the router, DNS and NAT64 to 60
minutes and lower the prefix valid lifetime to 60 minutes. It does
not make sense for one piece of information to time out before
another when these are transmitted in one router advertisement
packet.
o Fixed a hang in rad(8) and slaacd(8) when they receive an RA from
the local network with an ND option of length zero.
- acme-client(1) saw several changes:
o Made acme-client(1) only display port numbers in Host headers when
the port is not 443.
o Added support for IP Address certificates in acme-client(1).
o Made changes to use ASN1_STRING_* accessor functions instead of
reaching into ASN1_STRING objects directly.
- In bgpd(8):
o Rewrote the Adj-RIB-Out handling to be more memory efficient and
faster. For large IXP route server deployments a reduction in
memory usage of more than 50% should be feasible.
o Process UPDATE messages in two phases: first update Adj-RIB-In,
Loc-RIB, and FIB, then process all the Adj-RIB-Out tables. This
significantly reduces the latency since updating all the
Adj-RIB-Out tables could take a fair amount of time.
o Introduced CH hash tables - a scalable hash map implementation
that boosts performance through improved cache locality.
o Introduce new metrics that track the amount of time spent in
various parts of the main event loop of the route decision engine.
o Fixed various non-critical things uncovered by Coverity scanner.
o Improved outbound filter performance by storing the rules in an
array and also deduplicate equal filters across peers. This and
the filter_set change reduce the initial sync duration of large
route servers by more than 25%.
o Improved performance of filter_sets processing in the RDE process
by moving to a linear array of set objects to reduce cache misses.
o Added better logging for attribute parse errors which cause a
session reset via UPDATE ATTRLIST error notification.
o Introduced various additional memory metrics which are part of the
'show rib memory' command. Some values are also tracked
per-neighbor and visible via 'show neighbor'.
o Fixed logic error when handling per-peer and per-group MRT message
dump configurations.
- In rpki-client(8):
o The Canonical Cache Representation underwent a breaking change
after the adoption of draft-ietf-sidrops-rpki-ccr as a SIDROPS
working group item. Apart from several CMS-related cosmetics, it
now uses an IANA-assigned content type. As a result, rpki-client
9.7 cannot parse rpki-client 9.6's .ccr files and vice versa.
o Support for Ghostbusters Record objects (RFC 6493) has been
removed. Nobody showed interest in deploying this and there are
other, widely supported ways of exchanging operational contact
information such as RDAP. RFC 6493 is undergoing a status review
to be marked as historic:
status-change-rpki-ghostbusters-record-to-historic
o Prepare the code base for the opaque ASN1_STRING structure in
OpenSSL 4.
o Fixed two reliability issues: one where a malicious RPKI
Certification Authority can trigger a crash, one where a malicious
Trust Anchor can provoke memory exhaustion. Thanks to Xie Yifan
for reporting.
o Various refactoring for improved compatibility with various
libcrypto implementations and in CA/BGPsec certificate handling.
o Fixed an accounting issue in HTTP gzip compression detection.
o Added a warning in extra verbose mode (-vv) about standards
non-compliant Issuer and Subject ASN.1 string encodings.
o Added a check for canonical encoding of ASPA eContent in alignment
with draft-ietf-sidrops-aspa-profile-22.
o Ensure that a repository timeout correctly stops repository
processing. Thanks to Fedor Vompe from Deutsche Telekom for
reporting.
o Fixed a defect in Canonical Cache Representation
ROAIPAddressFamily sort order. As a result, rpki-client 9.8 cannot
parse rpki-client 9.7's .ccr files and vice versa. Thanks to Bart
Bakker from RIPE NCC for reporting.
o Fixed an issue in the parser for the locally configured
constraints. Thanks to Daniel Anderson.
o A malicious RRDP Publication Server can cause a NULL dereference.
Thanks to Daniel Anderson for reporting.
o A malicious RPKI Publication Server can cause an incorrect error
exit. Thanks to Yuheng Zhang, Qi Wang, Jianjun Chen from Tsinghua
University, and Teatime Lab for reporting.
- tmux(1) improvements and bug fixes:
o Fixed the logic of the no-detached case for detach-on-destroy
option.
o Support case-insensitive search in tmux(1) modes in the same way
as copy mode (like emacs, so all-lowercase means case
insensitive).
o Added -l flag to tmux(1) command-prompt to disable splitting into
multiple prompts.
o Allowed show-messages to work without a client.
o Added seconds to tmux(1) clock mode.
o Made tmux(1) clock mode seconds synchronized to the second.
o Added support for synchronized output mode (DECSET 2026).
o Added a focus-follows-mouse option.
o Reduced request timeout to 500 milliseconds to match the extended
escape time and discard palette requests if receiving a reply for
a different index.
o Added an -e flag to tmux(1) command-prompt to close if empty.
o Fixed window-size=latest not resizing on switch-client in session
groups.
o Made tmux respond to DECRQM 2026.
o Break out the sorting code into a common file so formats and modes
use the same code and add -O for sorting to the list commands.
o Added sorting (-O flag) and a custom format (-F) to list-keys.
o Fixed several memory leaks.
o Allow copy mode to work for readonly clients, except for copy
commands.
o Avoid a crash by checking for NULL before dereferencing.
o Make -c (shell command) work with new-session -A.
o Draw message as one format, allowing prompts and messages to
occupy only a portion of the status bar, overlaying the normal
status content rather than replacing the entire line.
o Add a short built-in help text for each mode accessible with C-h.
o Add extkeys feature to tmux(1) itself so nested tmux works.
o Add -C flag to tmux(1) command-prompt to match display-message -C.
- LibreSSL version 4.3.0:
o Portable changes
- Rework portable assembly handling with LIBRESSL_USE_ASSEMBLY
- Add SHA assembly for elf-aarch64
- Add definition of ssize_t to cms.h for Windows
- Fix posix_open() implementation so it properly signals
failure
- Fix SIGALRM handler for openssl speed on Windows
o Internal improvements
- Remove the unused sequence number from X509_REVOKED.
- Replace a call to atoi(3) with strtonum(3) in nc(1) and
replace a misleading use of ntohs(3) with htons(3).
- openssl(1) speed now uses HMAC-SHA256 for its hmac benchmark.
- Reimplemented only use of ASN1_PRINTABLE_type() in openssl(1)
ca. The API will be removed in an upcoming release.
- Add curve NID to EC_POINT objects so the library has a clue
on which curve a given EC_POINT is supposed to live.
- Use curve NID to check for compatibility between group and
points in various EC API. This isn't 100% failsafe but good
enough for sane uses.
- Require SSE in order to use gcm_{gmult,ghash}_4bit_mmx(). On
rare i386 machines supporting MMX but not SSE this could
result in an illegal instruction.
- Cleaned up asn1t.h to make it somewhat readable and more
robust by using C99 initializers in particular.
- Further assembly macro improvements for -portable.
- Add fast path for well-known DH primes in DH_check(3)
(including those from RFC 7919). Some projects still fiddle
with this in 2025.
- Rewrite ec_point_cmp() for readability and robustness.
- Improve EVP_{Open,Seal}Init(3) internals. This is legacy API
that cannot be removed since one scripting language still
exposes it.
- ASN1_BIT_STRING_set_bit(3) now trims trailing zero bits
itself rather than relying on i2c_ASN1_BIT_STRING(3) to do
that when encoding.
- Fix and add workarounds to libtls to improve const
correctness and to avoid warnings when compiling with OpenSSL
4.
- Prefix EC_KEY methods with ec_key_ to avoid problems in some
static links.
- Remove mac_packet, a leftover from accepting SSLv2
ClientHellos.
- Remove ssl_server_legacy_first_packet().
- In addition to what was done in LibreSSL 4.0 for the version
handling, disable TLSv1.1 and lower also on the method level.
- Remove workaround for SSL 3.0/TLS 1.0 CBC vulnerability.
- Refactor ocsp_find_signer_sk() to avoid neglecting the
ASN.1's semantics by directly reaching into deeply nested
OCSP structures.
o Compatibility changes
- Expose X509_VERIFY_PARAM_set_hostflags(3) as a public symbol.
- Provide SSL_SESSION_dup(3).
- BIGNUMs now use the C99 types uint64_t/uint32_t for the word
width. Fixes long-standing issues with 32-bit longs on 64-bit
Windows.
- Many unused BN_* macros with incomprehensible names were
removed: BN_LONG, BN_BITS{,4}, BN_MASK2{,l,h,h1}, BN_TBIT,
BN_DEC_CONV, BN_{DEC,HEX}_FMT{1,2}, ...
- openssl(1) cms no longer accepts the unsupported -compress
and -uncompress switches.
- Added PKCS7_NO_DUAL_CONTENT flag/behavior. This is incorrect
legacy behavior but some language bindings decided to rely on
it in 2025.
- Remove STABLE_FLAGS_MALLOC but keep STABLE_NO_MASK because
there is still one user...
- Fix ASN1_ADB_END macro to have compatible signature with
OpenSSL. The adb_cb() argument is currently ignored.
- Unexport ASN1_LONG_UNDEF.
o New features
- Support for MLKEM768_X25519 keyshare in TLS.
- Added ML-KEM benchmarks to openssl(1) speed.
- Added support for starttls protocol sieve.
- Add support for RSASSA-PSS with pubkey OID RSASSA-PSS to
libssl.
o Bug fixes
- Ensure the group selected by a TLSv1.3 server for a
HelloRetryRequest is not one for which the client has already
sent a key share.
- Plug memory leak in CMS_EncryptedData_encrypt(3).
- Plug possible memory leak and double free in nref_nos().
- Removed always zero test results for some no longer available
legacy primitives in openssl(1) speed.
- List SHA-3 digests in openssl(1) help output.
- Fix encoding of bit strings with trailing zeroes on which
ASN1_STRING_FLAG_BITS_LEFT is not set.
- Add missing NULL pointer check to PKCS12_item_decrypt_d2i(3).
- Avoid type confusion leading to 1-byte read at address
0x00-0xff in PKCS#12 parsing.
- Fix type confusion in timestamp response parsing for v2
signing certs.
- Fix EVP_SealInit(3) to return 0 on error, not -1.
- Replace incorrect strncmp(3) with strcmp(3) in CRL
distribution point config parsing.
- openssl x509 -text writes its output to the file specified by
-out like all other openssl(1) subcommands.
- Stop Delta CRL processing in the verifier if the cRLNumber is
missing. This is flagged on deserialization, but nothing
checks that flag. This can lead to a NULL dereference if the
verification has enabled Delta CRL checking by setting
X509_V_FLAG_USE_DELTAS.
- Fix NULL dereference that can be triggered with malformed
OAEP parameter encoding for CMS decryption.
- Add missing length checks before BIO_new_mem_buf(3) in
libtls.
- Improve libtls error reporting consistency, avoid reporting
unrelated errnos.
- Fix SAN dNSName constraints: instead of substring matching,
match exactly and allow zero or more components in front of
the candidate.
o Reliability fix
- Fix off-by-one error in the X.509 verifier depth checking.
This can lead to a 4-byte overwrite on heap allocated memory
for clients talking to a malicious server or for servers that
have client certificate verification enabled. In addition,
the maximum depth must be set to the maximum allowed value of
32.
o Testing and proactive security
- Port Wycheproof tests to testvectors_v1 and improve coverage
and correctness. Add tests for ML-KEM in particular.
- OpenSSH 10.3:
o Security fixes:
- ssh(1): validation of shell metacharacters in user names
supplied on the command-line was performed too late to
prevent some situations where they could be expanded from
%-tokens in ssh_config. For certain configurations, such as
those that use a "%u" token in a "Match exec" block, an
attacker who can control the user name passed to ssh(1) could
potentially execute arbitrary shell commands. Reported by
Florian Kohnhäuser. We continue to recommend against directly
exposing ssh(1) and other tools' command-lines to untrusted
input. Mitigations such as this cannot be absolute given the
variety of shells and user configurations in use.
- sshd(8): when matching an authorized_keys principals=""
option against a list of principals in a certificate, an
incorrect algorithm was used that could allow inappropriate
matching in cases where a principal name in the certificate
contains a comma character. Exploitation of the condition
requires an authorized_keys principals="" option that lists
more than one principal *and* a CA that will issue a
certificate that encodes more than one of these principal
names separated by a comma (typical CAs strongly constrain
which principal names they will place in a certificate). This
condition only applies to user- trusted CA keys in
authorized_keys, the main certificate authentication path
(TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected.
Reported by Vladimir Tokarev.
- scp(1): when downloading files as root in legacy (-O) mode
and without the -p (preserve modes) flag set, scp did not
clear setuid/setgid bits from downloaded files as one might
typically expect. This bug dates back to the original
Berkeley rcp program. Reported by Christos Papakonstantinou
of Cantina and Spearbit.
- sshd(8): fix incomplete application of
PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with
regard to ECDSA keys. Previously if one of these directives
contains any ECDSA algorithm name (say
"ecdsa-sha2-nistp384"), then any other ECDSA algorithm would
be accepted in its place regardless of whether it was listed
or not. Reported by Christos Papakonstantinou of Cantina and
Spearbit.
- ssh(1): connection multiplexing confirmation (requested using
"ControlMaster ask/autoask") was not being tested for proxy
mode multiplexing sessions (i.e. "ssh -O proxy ...").
Reported by Michalis Vasileiadis.
o Potentially incompatible changes:
- ssh(1), sshd(8): remove bug compatibility for implementations
that don't support rekeying. If such an implementation tries
to interoperate with OpenSSH, it will now eventually fail
when the transport needs rekeying.
- sshd(8): prior to this release, a certificate that had an
empty principals section would be treated as matching any
principal (i.e. as a wildcard) when used via authorized_keys
principals="" option. This was intentional, but created a
surprising and potentially risky situation if a CA
accidentally issued a certificate with an empty principals
section: instead of being useless as one might expect, it
could be used to authenticate as any user who trusted the CA
via authorized_keys. [Note that this condition did not apply
to CAs trusted via the sshd_config(5) TrustedUserCAKeys
option.] This release treats an empty principals section as
never matching any principal, and also fixes interpretation
of wildcard characters in certificate principals. Now they
are consistently implemented for host certificates and not
supported for user certificates.
- ssh(1): the -J and equivalent -oProxyJump="..." options now
validate user and host names for ProxyJump/-J options passed
via the command-line (no such validation is performed for
this option in configuration files). This prevents shell
injection in situations where these were directly exposed to
adversarial input, which would have been a terrible idea to
begin with. Reported by rabbit.
o New features:
- ssh(1), sshd(8): support IANA-assigned codepoints for SSH
agent forwarding, as per draft-ietf-sshm-ssh-agent. Support
for the new names is advertised via the EXT_INFO message. If
a server offers support for the new names, then they are used
preferentially. Support for the pre-standardisation
"@openssh.com" extensions for agent forwarding remains
supported.
- ssh-agent(1): implement support for draft-ietf-sshm-ssh-agent
"query" extension.
- ssh-add(1): support querying the protocol extensions via the
agent "query" extension with a new -Q flag.
- ssh(1): support multiple files in ssh_config and sshd_config
RevokedHostKeys directive. bz3918
- ssh(1): add a ~I escape option that shows information about
the current SSH connection.
- ssh(1): add an "ssh -Oconninfo user@host" multiplexing
command that shows connection information, similar to the ~I
escapechar.
- ssh(1): add an ssh -O channels user@host multiplexing command
to get a running mux process to show information about what
channels are currently open.
- sshd(8): add invaliduser penalty to PerSourcePenalties, which
is applied to login attempts for usernames that do not match
real accounts. Defaults to 5s to match 'authfail' but allows
administrators to block such attempts for longer if desired.
- sshd(8): add a GSSAPIDelegateCredentials option for the
server, controlling whether it accepts delegated credentials
offered by the client. This option mirrors the same option in
ssh_config.
- ssh(1), sshd(8): support the VA DSCP codepoint in the IPQoS
directive.
- sshd(8): convert PerSourcePenalties to using floating point
time, allowing penalties to be less than a second. This is
useful if you need to penalise things you expect to occur at
>=1 QPS.
- ssh-keygen(1): support writing ED25519 keys in PKCS8 format.
- Support the ed25519 signature scheme via libcrypto.
o Bugfixes:
- sshd(8): make IPQoS first-match-wins in sshd_config, like
other configuration directives. bz3924
- sshd(8): fix potential crash when MaxStartups is set to a
single argument (i.e. not using the MaxStartups x:y:z form)
with a value below 10. bz3941
- sshd(8): fix a potential hang during key exchange if needed
DH group values were missing from /etc/moduli.
- ssh-agent(1): fix return values from extensions to be correct
with respect to draft-ietf-sshm-ssh-agent: extension requests
should indicate failure using SSH_AGENT_EXTENSION_FAILURE
rather than the generic SSH_AGENT_FAILURE error code. This
allows the client to discern between "the request failed" and
"the agent doesn't support this extension".
- ssh(1): use fmprintf for showing challenge-response name and
info to preserve UTF-8 characters where appropriate.
- scp(1): when uploading a directory using SFTP (e.g. during a
recursive transfer), don't clobber the remote directory
permissions unless either we created the directory during the
transfer or the -p flag was set. bz3925
- All: implement missing pieces of FIDO/webauthn signature
support, mostly related to certificate handling and enable
acceptance of this signature format by default. bz3748
- sshd_config(5): make it clear that DenyUsers/DenyGroups
overrides AllowUsers/AllowGroups. Previously we specified the
order in which the directives are processed but it was
ambiguous as to what happened if both matched.
- ssh(1): don't try to match certificates held in an agent to
private keys. This matching is done to support certificates
that were loaded without their private key material, but is
unnecessary for agent-hosted certificates, which always have
private key material available in the agent. Worse, this
matching would mess up the request sent to the agent in such
a way as to break usage of these keys when the key usage was
restricted in the agent. bz3752
- sftp(1): if editline has been switched to vi mode (i.e. via
"bind -v" in .editrc), set up a keybinding so that command
mode can be entered.
- ssh(1), sshd(8): improve performance of keying the sntrup761
key agreement algorithm.
- ssh(1), sshd(8): enforce maximum packet/block limit during
pre-authentication phase.
- sftp(1): don't misuse the sftp limits extension's
open-handles field. This value is supposed to be the number
of handles a server will allow to be opened and not a number
of outstanding read/write requests that can be sent during an
upload/download.
- sshd(8): don't crash at connection time if the main
sshd_config lacks any subsystem directive but one is defined
in a Match block. bz3906
- sshd_config(5): add a warning next to the ForceCommand
directive that forcing a command doesn't automatically
disable forwarding.
- sshd_config(5): add a warning that TOKENS are replaced
without filtering or escaping and that it's the
administrator's responsibility to ensure they are used safely
in context.
- scp(1): correctly quote filenames in verbose output for
local->local copies. bz3900
- sshd(8): don't mess up the PerSourceNetBlockSize IPv6 mask if
sscanf didn't decode it.
- ssh-add(1): when loading FIDO2 resident keys, set the comment
to the FIDO application string. This matches the behaviour of
ssh-keygen -K.
- sshd(8): don't strnvis() log messages that are going to be
logged by sshd-auth via its parent sshd-session process, as
the parent will also run them through strnvis(). Prevents
double-escaping of non-printing characters in some log
messages. bz3896
- ssh-agent(1): escape SSH_AUTH_SOCK paths that are sent to the
shell as setenv commands. Unbreaks ssh-agent for home
directory paths that contain whitespace. bz3884
- All: Remove unnecessary checks for ECDSA public key validity.
- sshd(8): activate UnusedConnectionTimeout only after the last
channel has closed. Previously UnusedConnectionTimeout could
fire early after a ChannelTimeout. This was not a problem for
the OpenSSH client because it terminates once all channels
have closed but could cause problems for other clients (e.g.
API clients) that do things differently. bz3827
- All: fix PKCS#11 key PIN entry problems introduced in
openssh-10.1/10.2. bz3879
- scp(1): when using the SFTP protocol for transfers, fix
implicit destination path selection when source path ends
with "..". bz3871
- sftp(1): when tab-completing a filename, ensure that the
completed string does not end up mid-way through a multibyte
character, as this will cause a fatal() later on.
- ssh-keygen(1): fix crash at exit (visible via ssh-keygen -D)
when multiple keys loaded.
- scp(1)/sftp(1): correctly display bandwidths greater than 2
GBps in the progress meter.
- Ports and packages:
o Pre-built packages are available for the following architectures on
the day of release:
- aarch64 (arm64): 12883
- amd64: 13044
- i386: 10631
- mips64: 9309
- powerpc64: 9507
- sparc64: 10079
o Packages for the following architectures will be made available as
their builds complete:
- arm
- powerpc
- riscv64
- Some highlights:
o Asterisk 16.30.1, 18.26.4, o Mutt 2.3.1 and NeoMutt 20260406
20.19.0 and 22.9.0 o Node.js 22.22.2
o Audacity 3.7.7 o OCaml 4.14.2
o CMake 4.2.3 o OpenLDAP 2.6.13
o Chromium 147.0.7727.101 o PHP 8.2.30, 8.3.30, 8.4.20 and
o Emacs 30.2 8.5.5
o FFmpeg 8.0.1 o Postfix 3.5.25 and 3.11.1
o GCC 15.2.0 o PostgreSQL 18.3
o GHC 9.10.3 o Python 2.7.18 and 3.13.13
o GNOME 49 o Qt 5.15.18 (+ kde patches) and
o Go 1.26.2 6.10.2
o JDK 11.0.30, 17.0.18, 21.0.10, o R 4.5.2
25.0.2 o Ruby 3.3.11, 3.4.9 and 4.0.2
o KDE Applications 25.12.3 o Rust 1.94.1
o KDE Frameworks 6.23.0 o SQLite 3.51.3
o KDE Plasma 6.6.4 o Shotcut 26.2.26
o Krita 5.2.16 o Sudo 1.9.17p2
o LLVM/Clang 19.1.7, 20.1.8 o Suricata 7.0.7
21.1.8 o Tcl/Tk 8.5.19. 8.6.17 and 9.0.3
o LibreOffice 26.2.2.2 o TeX Live 2025
o Lua 5.1.5, 5.2.4, 5.3.6 and o Vim 9.2.0357 and Neovim 0.12.1
5.4.8 o Vulkan 1.4.341.0
o MariaDB 11.4.10 o Wayland 1.24.0 with compositors
o Mono 6.14.1 Labwc, Mango, Niri, Sway and
o Mozilla Firefox 150.0 and Wayfire
ESR 140.10.0 o Xfce 4.20.0
o Mozilla Thunderbird 140.10.0
- As usual, steady improvements in manual pages and other documentation.
- The system includes the following major components from outside suppliers:
o Xenocara (based on X.Org 7.7 with xserver 21.1.21 + patches,
freetype 2.14.2, fontconfig 2.17.1, Mesa 25.0.7, xterm 406,
xkeyboard-config 2.20, fonttosfnt 1.2.4, and more)
o LLVM/Clang 19.1.7 (+ patches)
o GCC 4.2.1 (+ patches)
o Perl 5.42.2 (+ patches)
o pkgconf 2.4.3
o NSD 4.14.2
o Unbound 1.24.2
o Ncurses 6.4
o Binutils 2.17 (+ patches)
o Gdb 6.3 (+ patches)
o Awk 20250116
o Expat 2.7.5
o zlib 1.3.2 (+ patches)
------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------
We provide patches for known security threats and other important
issues discovered after each release. Our continued research into
security means we will find new security problems -- and we always
provide patches as soon as possible. Therefore, we advise regular
visits to
https://www.OpenBSD.org/security.html
and
https://www.OpenBSD.org/errata.html
------------------------------------------------------------------------
- MAILING LISTS AND FAQ ------------------------------------------------
Mailing lists are an important means of communication among users and
developers of OpenBSD. For information on OpenBSD mailing lists, please
see:
https://www.OpenBSD.org/mail.html
You are also encouraged to read the Frequently Asked Questions (FAQ) at:
https://www.OpenBSD.org/faq/
------------------------------------------------------------------------
- DONATIONS ------------------------------------------------------------
The OpenBSD Project is a volunteer-driven software group funded by
donations. Besides OpenBSD itself, we also develop important software
like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet
filter, the quality work of our ports development process, and many
others. This ecosystem is all handled under the same funding umbrella.
We hope our quality software will result in contributions that maintain
our build/development infrastructure, pay our electrical/internet costs,
and allow us to continue operating very productive developer hackathon
events.
All of our developers strongly urge you to donate and support our future
efforts. Donations to the project are highly appreciated, and are
described in more detail at:
https://www.OpenBSD.org/donations.html
------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------
For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts. In some situations, their receipt may qualify as a
business expense write-off, so this is certainly a consideration for
some organizations or businesses.
There may also be exposure benefits since the Foundation may be
interested in participating in press releases. In turn, the Foundation
then uses these contributions to assist OpenBSD's infrastructure needs.
Contact the foundation directors at [email protected] for
more information.
------------------------------------------------------------------------
- RELEASE SONG ---------------------------------------------------------
OpenBSD 7.9 comes with the song "Diamond in the Rough". An explanation
of the song may be found at:
https://www.OpenBSD.org/lyrics.html#79
------------------------------------------------------------------------
- HTTPS INSTALLS -------------------------------------------------------
OpenBSD can be easily installed via HTTPS downloads. Typically you need
a single small piece of boot media (e.g., a USB flash drive) and then
the rest of the files can be installed from a number of locations,
including directly off the Internet. Follow this simple set of
instructions to ensure that you find all of the documentation you will
need while performing an install via HTTPS.
1) Read either of the following two files for a list of HTTPS mirrors
which provide OpenBSD, then choose one near you:
https://www.OpenBSD.org/ftp.html
https://ftp.openbsd.org/pub/OpenBSD/ftplist
As of May 19, 2026, the following HTTPS mirror sites have the
7.9 release:
https://cdn.openbsd.org/pub/OpenBSD/7.9/ Global
https://ftp.eu.openbsd.org/pub/OpenBSD/7.9/ Stockholm, Sweden
https://ftp.hostserver.de/pub/OpenBSD/7.9/ Frankfurt, Germany
https://ftp.bytemine.net/pub/OpenBSD/7.9/ Oldenburg, Germany
https://ftp.fr.openbsd.org/pub/OpenBSD/7.9/ Paris, France
https://mirror.aarnet.edu.au/pub/OpenBSD/7.9/ Brisbane, Australia
https://ftp.usa.openbsd.org/pub/OpenBSD/7.9/ CO, USA
https://ftp5.usa.openbsd.org/pub/OpenBSD/7.9/ CA, USA
https://mirror.esc7.net/pub/OpenBSD/7.9/ TX, USA
https://openbsd.cs.toronto.edu/pub/OpenBSD/7.9/ Toronto, Canada
https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.9/ Global
https://fastly.cdn.openbsd.org/pub/OpenBSD/7.9/ Global
The release is also available at the master site:
https://ftp.openbsd.org/pub/OpenBSD/7.9/ Alberta, Canada
However it is strongly suggested you use a mirror.
Other mirror sites may take a day or two to update.
2) Connect to that HTTPS mirror site and go into the directory
pub/OpenBSD/7.9/ which contains these files and directories.
This is a list of what you will see:
ANNOUNCEMENT armv7/ octeon/ root.mail
README hppa/ openbsd-79-base.pub sparc64/
SHA256 i386/ packages/ src.tar.gz
SHA256.sig landisk/ packages-stable/ sys.tar.gz
alpha/ loongson/ ports.tar.gz xenocara.tar.gz
amd64/ luna88k/ powerpc64/
arm64/ macppc/ riscv64/
It is quite likely that you will want at LEAST the following
files which apply to all the architectures OpenBSD supports.
README - generic README
root.mail - a copy of root's mail at initial login.
(This is really worthwhile reading).
3) Read the README file. It is short, and a quick read will make
sure you understand what else you need to fetch.
4) Next, go into the directory that applies to your architecture,
for example, amd64. This is a list of what you will see:
BOOTIA32.EFI* bsd* floppy79.img pxeboot*
BOOTX64.EFI* bsd.mp* game79.tgz xbase79.tgz
BUILDINFO bsd.rd* index.txt xfont79.tgz
INSTALL.amd64 cd79.iso install79.img xserv79.tgz
SHA256 cdboot* install79.iso xshare79.tgz
SHA256.sig cdbr* man79.tgz
base79.tgz comp79.tgz miniroot79.img
If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64
and install79.iso. The install79.iso file (roughly 762MB in size)
is a one-step ISO-format install CD image which contains the various
*.tgz files so you do not need to fetch them separately.
If you prefer to use a USB flash drive, fetch install79.img and
follow the instructions in INSTALL.amd64.
5) If you are an expert, follow the instructions in the file called
README; otherwise, use the more complete instructions in the
file called INSTALL.amd64. INSTALL.amd64 may tell you that you
need to fetch other files.
6) Just in case, take a peek at:
https://www.OpenBSD.org/errata.html
This is the page where we talk about the mistakes we made while
creating the 7.9 release, or the significant bugs we fixed
post-release which we think our users should have fixes for.
Patches and workarounds are clearly described there.
------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------
X.Org has been integrated more closely into the system. This release
contains X.Org 7.7. Most of our architectures ship with X.Org, including
amd64, sparc64 and macppc. During installation, you can install X.Org
quite easily using xenodm(1), our simplified X11 display manager forked
from xdm(1).
------------------------------------------------------------------------
- PACKAGES AND PORTS ---------------------------------------------------
Many third party software applications have been ported to OpenBSD and
can be installed as pre-compiled binary packages on the various OpenBSD
architectures. Please see https://www.openbsd.org/faq/faq15.html for
more information on working with packages and ports.
Note: a few popular ports, e.g., NSD, Unbound, and several X
applications, come standard with OpenBSD and do not need to be installed
separately.
------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------
The source code for all four subsystems can be found in the
pub/OpenBSD/7.9/ directory:
xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz
The README (https://ftp.OpenBSD.org/pub/OpenBSD/7.9/README) file
explains how to deal with these source files.
------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------
Ports tree and package building by Jeremie Courreges-Anglas,
Visa Hankala, Stuart Henderson, Peter Hessler, George Koehler,
Kurt Mosiejczuk, and Christian Weisgerber. Base and X system builds by
Kenji Aoyama, Theo de Raadt, and Miod Vallat. Release art by
Lyra Henderson.
We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use. We would also like
to thank those who bought our previous CD sets. Those who did not
support us financially have still helped us with our goal of improving
the quality of the software.
Our developers are:
Aaron Bieber, Adam Wolk, Aisha Tammy, Alexander Bluhm,
Alexander Hall, Alexandr Nedvedicky, Alexandr Shadchin,
Alexandre Ratchov, Andrew Hewus Fresh, Anil Madhavapeddy,
Anthony J. Bentley, Antoine Jacoutot, Anton Lindqvist, Asou Masato,
Ayaka Koshibe, Benoit Lecocq, Bjorn Ketelaars, Bob Beck,
Brandon Mercer, Brent Cook, Brian Callahan, Bryan Steele,
Can Erkin Acar, Caspar Schutijser, Charlene Wendling,
Charles Longeau, Chris Cappuccio, Christian Ludwig,
Christian Weisgerber, Christopher Zimmermann, Claudio Jeker,
Dale Rahn, Damien Miller, Daniel Dickman, Daniel Jakots,
Darren Tucker, Dave Voutila, David Coppa, David Gwynne, David Hill,
David Leadbeater, Denis Fondras, Edd Barrett, Eric Faurot,
Florian Obser, Florian Riehm, Frederic Cambus, George Koehler,
Gerhard Roth, Giannis Tsaraias, Gilles Chehade, Giovanni Bechis,
Gleydson Soares, Gonzalo L. Rodriguez, Greg Steuck,
Hans-Joerg Hoexer, Helg Bredow, Henning Brauer, Ian Darwin,
Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze,
Inoguchi Kinichiro, James Hastings, James Turner, Jan Klemkow,
Jason McIntyre, Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas,
Jeremy Evans, Job Snijders, Joel Sing, Joerg Jung,
Johannes Thyssen Tishman, Jonathan Armani, Jonathan Gray,
Jonathan Matthew, Jordan Hargrave, Josh Rickmar, Joshua Sing,
Joshua Stein, Juan Francisco Cantero Hurtado, Kazuya Goda,
Kenji Aoyama, Kenjiro Nakayama, Kenneth R Westerback,
Kent R. Spillner, Kevin Lo, Kirill A. Korinsky, Kirill Bychkov,
Klemens Nanni, Kurt Miller, Kurt Mosiejczuk, Landry Breuil,
Lawrence Teo, Lucas Gabriel Vuotto, Lucas Raab, Marcus Glocker,
Mark Kettenis, Mark Lumsden, Markus Friedl, Martijn van Duren,
Martin Natano, Martin Reindl, Martynas Venckus, Matthew Dempsky,
Matthias Kilian, Matthieu Herrb, Michael Mikonos, Mike Belopuhov,
Mike Larkin, Miod Vallat, Moritz Buhl, Nam Nguyen,
Nayden Markatchev, Nicholas Marriott, Nigel Taylor, Okan Demirmen,
Omar Polo, Ori Bernstein, Otto Moerbeek, Paco Esteban,
Pamela Mosiejczuk, Pascal Stumpf, Patrick Wildt, Paul Irofti,
Pavel Korovin, Peter Hessler, Philip Guenther,
Pierre-Emmanuel Andre, Pratik Vyas, Rafael Sadowski,
Rafael Zalamena, Raphael Graf, Remi Locherer, Remi Pointel,
Renato Westphal, Renaud Allard, Ricardo Mestre, Richard Procter,
Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha,
Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie,
Solene Rapenne, Stefan Fritsch, Stefan Hagen, Stefan Kempf,
Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson,
Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler,
Theo de Raadt, Thomas Frohwein, Tim van der Molen, Tobias Heider,
Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove,
Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov,
Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Volker Schlecht,
Yasuoka Masahiko, Yojiro Uo
