Released Sep 1, 2016
Copyright 1997-2016, Theo de Raadt.
ISBN 978-0-9881561-8-0
6.0 Songs: "Another Smash of the Stack", "Black Hat", "Money", "Comfortably Dumb (the misc song)", "Mother", "Goodbye".

All applicable copyrights and credits are in the src.tar.gz,
sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
files fetched via
This is a partial list of new features and systems included in OpenBSD 6.0. For a comprehensive list, see the changelog leading to 6.0.
/usr/local is set to wxallowed during install
    -M and -m TTL flags to
        nc(1).
    AF_UNIX support to
        tcpbench(1).
    llprio option in
        ifconfig(8).
    /dev/bpf0 instead of looping
        through /dev/bpf* devices.  These programs include
        arp(8),
        dhclient(8),
        dhcpd(8),
        dhcrelay(8),
        hostapd(8),
        mopd(8),
        npppd(8),
        rarpd(8),
        rbootd(8), and
        tcpdump(8).
        The libpcap library
        has also been modified accordingly.
    W^X is now strictly enforced by default;
	a program can only violate it if the executable is marked with
	PT_OPENBSD_WXNEEDED and is located on a filesystem
	mounted with the wxallowed
	mount(8) option.
	Because there are still too many ports which violate W^X, the
	installer mounts the /usr/local filesystem with
	wxallowed.  This allows the base system to be more
	secure as long as /usr/local is a separate filesystem.
	If you use no W^X violating programs, consider manually
	revoking that option.
    -r to be started without root privileges.
    -s -p tcp shows the relevant information to tune
        the SYN cache with
        sysctl(8)
        net.inet.tcp.
    net.inet.tcp.rootonly and
	sysctl(8)
	net.inet.udp.rootonly.
    open() function will no longer
	interfere with the operation of
	fopen(3).
    PT_TLS sections are now supported in initially loaded object.
    pcap_free_datalinks()
        and pcap_offline_filter().
    setenv keyword for more powerful environment handling in
        doas.conf(5).
    -g and -p options to
        aucat(1)
        for time positioning.
    -F option to
        install(1)
        to fsync(2)
        the file before closing it.
    pollfd structures.
    get all and getdef all.
    -I (interactive) flag.
    -c and -k allow providing
        TLS client certificates for
        syslogd(8)
        on the sending side.
        With that, the receiving side can verify that log messages
        are authentic.
        Note that syslogd does not have this check feature yet.
    pkg_add python%3.4 to select the 3.4 branch,
	and use pkg_info -zm to get a fuzzy listing with branch
	selection suitable for pkg_add -l.
    chown promise that allows pledged programs to set
        setugid attributes,
        a stricter enforcement of the recvfd promise and
        chroot(2) is no longer
        allowed for pledged programs.
    -r option to the
            smtpd(8)
            enqueuer for compatibility with mailx.
        ProxyJump option and corresponding -J
          command-line flag to allow simplified indirection through one or
          more SSH bastions or "jump hosts".
      IdentityAgent option to allow specifying specific
          agent sockets instead of accepting one from the environment.
      ExitOnForwardFailure and ClearAllForwardings
          to be optionally overridden when using ssh -W.  (bz#2577)
      Include directive for
          ssh_config(5)
          files.
      LOG_CRIT.  (bz#2585)
      AuthenticationMethods="" in configurations and accept
          AuthenticationMethods=any for the default behaviour of not
          requiring multiple authentication.  (bz#2398)
      "POSSIBLE BREAK-IN ATTEMPT!"
          message when forward and reverse DNS don't match.  (bz#2585)
      ControlPersist background process stderr except in
          debug mode or when logging to syslog.  (bz#1988)
      LocalForward and RemoteForward entries
          to fix failures when both ExitOnForwardFailure and
          hostname canonicalisation are enabled.  (bz#2562)
      UseDNS: it affects ssh hostname
          processing for authorized_keys, not known_hosts.
          (bz#2554)
      ClientAliveInterval pings when a time-based
          RekeyLimit is set; previously keepalive packets were not
          being sent.  (bz#2252)
      MOD_MAXERROR to avoid unsynced time status when using
        ntp_adjtime.
    cert.pem has been reorganized and synced with Mozilla's
          certificate store.
      install_sw build target.
      libtls so that configuration
          errors are more visible.
      X509_*set_object functions to return 0 on allocation
          failure.
      BN_FLG_CONSTTIME is set.
      GENERALIZEDTIME formats are accepted for
          OCSP, as per RFC 6960.
      CVE-2016-2105—EVP_EncodeUpdate overflow.
      CVE-2016-2106—EVP_EncryptUpdate overflow.
      CVE-2016-2107—padding oracle in AES-NI CBC MAC check.
      CVE-2016-2108—memory corruption in the ASN.1 encoder.
      CVE-2016-2109—ASN.1 BIO excessive memory allocation.
      Ports and packages:
New proot(1) tool in the ports tree for building packages in a chroot.
Many pre-built packages for each architecture:
Some highlights:
Following this are the instructions which you would have on a piece of paper if you had purchased a CDROM set instead of doing an alternate form of install. The instructions for doing an HTTP (or other style of) install are very similar; the CDROM instructions are left intact so that you can see how much easier it would have been if you had purchased a CDROM instead.
Please refer to the following files on the three CDROMs or mirror site for extensive details on how to install OpenBSD 6.0 on your machine:
Quick installer information for people familiar with OpenBSD, and the use of the "disklabel -E" command. If you are at all confused when installing OpenBSD, read the relevant INSTALL.* file as listed above!
The OpenBSD/i386 release is on CD1. Boot from the CD to begin the install - you may need to adjust your BIOS options first.
If your machine can boot from USB, you can write install60.fs or miniroot60.fs to a USB stick and boot from it.
If you can't boot from a CD, floppy disk, or USB, you can install across the network using PXE as described in the included INSTALL.i386 document.
If you are planning on dual booting OpenBSD with another OS, you will need to read INSTALL.i386.
The OpenBSD/amd64 release is on CD2. Boot from the CD to begin the install - you may need to adjust your BIOS options first.
If your machine can boot from USB, you can write install60.fs or miniroot60.fs to a USB stick and boot from it.
If you can't boot from a CD, floppy disk, or USB, you can install across the network using PXE as described in the included INSTALL.amd64 document.
If you are planning to dual boot OpenBSD with another OS, you will need to read INSTALL.amd64.
Burn the image from a mirror site to a CDROM, and power on your machine while holding down the C key until the display turns on and shows OpenBSD/macppc boot.
Alternatively, at the Open Firmware prompt, enter boot cd:,ofwboot /6.0/macppc/bsd.rd
Put CD3 in your CDROM drive and type boot cdrom.
If this doesn't work, or if you don't have a CDROM drive, you can write CD3:6.0/sparc64/floppy60.fs or CD3:6.0/sparc64/floppyB60.fs (depending on your machine) to a floppy and boot it with boot floppy. Refer to INSTALL.sparc64 for details.
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
You can also write CD3:6.0/sparc64/miniroot60.fs to the swap partition on the disk and boot with boot disk:b.
If nothing works, you can boot over the network as described in INSTALL.sparc64.
Write 6.0/alpha/floppy60.fs or 6.0/alpha/floppyB60.fs (depending on your machine) to a diskette and enter boot dva0. Refer to INSTALL.alpha for more details.
Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install will most likely fail.
Write a system specific miniroot to an SD card and boot from it after connecting to the serial console. Refer to INSTALL.armv7 for more details.
Boot over the network by following the instructions in INSTALL.hppa or the hppa platform page.
Write miniroot60.fs to the start of the CF or disk, and boot normally.
Write miniroot60.fs to a USB stick and boot bsd.rd from it or boot bsd.rd via tftp. Refer to the instructions in INSTALL.loongson for more details.
Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader from the PROM, and then bsd.rd from the bootloader. Refer to the instructions in INSTALL.luna88k for more details.
After connecting a serial port, boot bsd.rd over the network via DHCP/tftp. Refer to the instructions in INSTALL.octeon for more details.
To install, burn cd60.iso on a CD-R, put it in the CD drive of your machine and select Install System Software from the System Maintenance menu. Indigo/Indy/Indigo2 (R4000) systems will not boot automatically from CD-ROM, and need a proper invocation from the PROM prompt. Refer to the instructions in INSTALL.sgi for more details.
If your machine doesn't have a CD drive, you can set up a DHCP/tftp network server, and boot using "bootp()/bsd.rd.IP##" using the kernel matching your system type. Refer to the instructions in INSTALL.sgi for more details.
After connecting a serial port, boot over the network via DHCP/tftp. Refer to the instructions in INSTALL.socppc for more details.
Using the Linux built-in graphical ipkg installer, install the openbsd60_arm.ipk package. Reboot, then run it. Read INSTALL.zaurus for a few important details.
If you already have an OpenBSD 5.9 system, and do not want to reinstall, upgrade instructions and advice can be found in the Upgrade Guide.
src.tar.gz contains a source archive starting at /usr/src.
This file contains everything you need except for the kernel sources,
which are in a separate archive.
To extract:
    # mkdir -p /usr/src
    # cd /usr/src
    # tar xvfz /tmp/src.tar.gz
sys.tar.gz contains a source archive starting at /usr/src/sys.
This file contains all the kernel sources you need to rebuild kernels.
To extract:
    # mkdir -p /usr/src/sys
    # cd /usr/src
    # tar xvfz /tmp/sys.tar.gz
Both of these trees are a regular CVS checkout. Using these trees it is possible to get a head-start on using the anoncvs servers as described here. Using these files results in a much faster initial CVS update than you could expect from a fresh checkout of the full OpenBSD source tree.
A ports tree archive is also provided. To extract:
    # cd /usr
    # tar xvfz /tmp/ports.tar.gz
Go read the ports page if you know nothing about ports at this point. This text is not a manual of how to use ports. Rather, it is a set of notes meant to kickstart the user on the OpenBSD ports system.
The ports/ directory represents a CVS checkout of our ports. As with our complete source tree, our ports tree is available via AnonCVS. So, in order to keep up to date with the -stable branch, you must make the ports/ tree available on a read-write medium and update the tree with a command like:
    # cd /usr/ports
    # cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_6_0
[Of course, you must replace the server name here with a nearby anoncvs server.]
Note that most ports are available as packages on our mirrors. Updated ports for the 6.0 release will be made available if problems arise.
If you're interested in seeing a port added, would like to help out, or just would like to know more, the mailing list ports@openbsd.org is a good place to start.