A long list of recent LibreSSL commits by Theo Buehler (tb@) culminated in bumps to library versions:

CVSROOT:	/cvs
Module name:	src
Changes by:	tb@cvs.openbsd.org	2022/01/14 02:15:08

Modified files:
	lib/libcrypto  : shlib_version 
	lib/libssl     : shlib_version 
	lib/libtls     : shlib_version 

Log message:
bump libcrypto, libssl, libtls majors after struct visibility changes
and Symbol addition and removal in libcrypto.

Undeadly reached out to Theo asking whether he would share with readers an explanation of the changes. He kindly responded:

Today's commits were nothing super exciting, just a lot of work, most of it boring and mechanical…

Johathan Gray (jsg@) has updated DRM to Linux 5.15.14 (with support for several additional chips):

CVSROOT:	/cvs
Module name:	src
Changes by:	jsg@cvs.openbsd.org	2022/01/13 23:53:17

Modified files:
	sys/dev/fdt    : rkdrm.c rkvop.c 
	sys/dev/ic     : anxdp.c 
	sys/dev/pci/drm: dma-resv.c drm_agpsupport.c drm_atomic.c 
[…]
Log message:
update drm to linux 5.15.14

new hardware support includes

Intel
ehl/Elkhart Lake (embedded)
jsl/Jasper Lake (atom)
rkl/Rocket Lake (desktop)

AMD
van gogh APU (gfx1033)
yellow carp / rembrandt APU (gfx1035?)
Ryzen 6000 APU
navy flounder / navi 22 (gfx1031)
RX 6700, RX 6700 XT, RX 6700M, RX 6800M, RX 6850M XT
dimgrey cavefish / navi 23 (gfx1032)
Pro W6600, Pro W6600M, RX 6600, RX 6600 XT, RX 6600M,
RX 6600S, RX 6650M, RX 6650M XT, RX 6700S, RX 6800S
beige goby / navi 24 (gfx1034)
RX 6500 XT, RX 6400, RX 6500M, RX 6300M

Thanks to the OpenBSD Foundation for sponsoring this work
niklas@ for helping with ttm and amdgpu and patrick@ for adapting
rockchip drm.

Make sure to test the new DRM code on your machines (old and new) as this will be part of the 7.1 release in a few months.

Damien Miller (djm@) just noted on social media that he has committed (starting here) changes which allow control over ssh-agent(1) key-forwarding based on destination host and forwarding path.

A detailed description is available on the OpenSSH site.

After much preparatory work in base and ports, clang(1) has been upgraded to version 13.0.0 (on the relevant platforms).

Patrick Wildt (patrick@) made the commits.

Interesting developments (in -current) since OpenBSD 7.0 include:

• Wireless drivers iwm(4) and iwx(4) now support 40MHz channels - see commits. On tech@, Stefan Sperling (stsp@) has requested testing of a diff to add such support to iwn(4).
• A realpath(1) utility was added, largely for the benefit of porters.
• scp(1) has swapped back to using the SFTP protocol by default. See earlier report.
• The implementations of poll(2), select(2), ppoll(2), and pselect(2) were changed to be based on kqueue(2).
• httpd(8) has gained support for custom error pages.
• Syscall kevent(2) has been unlocked.
• Port net/vpnc-scripts has gained support for resolvd(8).
• Sysctl hw.perfpolicy is now set to auto by default at startup. See the commit message for the details.
• igc(4), a driver for Intel 2.5Gb Ethernet controllers, has been added.
• Mouse tracking is now disabled by default in xterm(1). Setting X resource allowMouseOps to true reinstates the earlier behaviour.

The OpenBSD project has released OpenBSD 7.0, the project's 51^st release. As usual, the release page offers highlights, installation and upgrade instructions, as well as links to other resources such as the detailed changelog.

Notable improvements include, but are not limited to:

• Support has been added for a new hardware platform, riscv64, for 64-bit RISC-V systems. [See earlier reports.]
• /etc/bsd.re-config(5) was introduced, providing a mechanism to make config(8)-modified GENERIC kernels compatible with KARL.
• Hibernate time has been reduced. [See earlier report.]
• The timeout(1) utility was imported from NetBSD. [See earlier report.]
• openrsync(1) now has include and exclude options. [See earlier report.]
• doas(1) will now retry up to 3 times on password authentication failure.
• ucc(4), a driver for USB HID Consumer Control keyboards, was added. This exposes volume, audio, and application launch keys.
• xterm(1) is now unveiled. [See earlier report.]
• printf(3) and friends now log an error and abort when confronted with format %n.
• iked(8) now has client-side support for DNS configuration. [See earlier report.]
• traceroute(8) speed has been boosted through asynchronous handling of probe packets and DNS. [See earlier report.]
• dhcpleased(8) and resolvd(8) are both enabled by default and provide the standard mechanism for configuring IPv4 addresses by DHCP. [See previous reports.] The combination also makes nameserver information gathered via slaacd usable in dynamic configurations. dhclient(8) remains available for special cases. A "nameserver" command was added to route(8), allowing sending DNS nameserver prooposals to resolvd(8) over the routing socket.
• In LibreSSL 3.4.1, support has been added for the OpenSSL 1.1.1 TLSv3 APIs. The "new" X.509 validator is enabled, allowing verification of modern certificate chains.
• In OpenSSH 8.8, the RSA/SHA1 signature type [not RSA ("ssh-rsa") keys - see previous report] is disabled by default. scp(1) supports optional use of the SFTP protocol. [Since our previous report, the default has reverted to using the original scp/rcp protocol by default.]

Those upgrading from the 6.9 release (or earlier) should consult the Upgrade Guide.

While your install sets download or when your packages update, please take the time to look at and use one or more of the recommended ways to support the project, such as making a donation. Corporate entities may prefer to send money to The OpenBSD Foundation, a Canadian non-profit corporation. You can also get merchandise and help OpenBSD visibility. Also, don't forget to listen to the release song (mp3 or ogg) and check out the lyrics.

Thanks to the developers for all the excellent work that has gone into this great new release!

In the run-up to the OpenBSD 7.0 release, we note several recent interesting things previously unreported:

• The 7.0 release song is available.
• The loongson hardware platform has been retired. The upcoming OpenBSD 7.0 will be the last release to support this platform.
• On tech@, Stefan Sperling (stsp@) has requested testing of a patch adding initial 40Mhz channel support for iwm(4).
• Mark Kettenis (kettenis@) added support for Apple M1 to U-Boot -- also see Bryan Steele's mastodon link.
• Brian Callahan (bcallah@ when wearing his OpenBSD hat) has been interviewed by the good folks at at BSD Now.

As a result of a licence change by Realtek, that company's wireless firmware images are now included in the tree. The following commit by Kevin Lo (kevlo@) explains the details:

Did you just run syspatch(8) and see it fail?

Here's the reason: one of the two root certificates behind the (excellent) Let's Encrypt CA service has expired. A bug in (the "legacy" verifier of) LibreSSL also contributed.

The syspatches (for OpenBSD 6.8, 032, for OpenBSD 6.9, 018) mitigate the unfortunate situation.

However, your syspatch may fail if your local mirror uses a Let's Encrypt certificate. Patch-22! In that case, the best advice may be to try a mirror that does not use a Let's Encrypt certificate just to get past this speed bump.