OpenBSD 7.6 released: security improvements, new hardware support, and more!

OpenBSD is a free, multi-platform 4.4BSD-based UNIX-like operating system. The 57th release, OpenBSD 7.6, comes with new features, various improvements, bug fixes, and tweaks.

Security improvements

• Added -fret-clean option to the compiler, defaulting to off. This new option causes the caller to clean the return address off the stack after a call completes. The -fret-clean option was then enabled on amd64 for libc, libcrypto, ld.so, kernel, and all the ssh tools.
• Expose branch target identification (BTI) to userland and make LLVM generate code with BTI instructions.
• Enabled PAC in addition to BTI on arm64 such that JIT code matches the default branch protection provided by our base compiler.
• Limit NFS connections to originate from a reserved port, but permit null requests (aka server pings) from non-reserved ports in nfs.
• Made local ports bound during connect(2) unique per laddr rather than globally unique.
• Enforced the pinsyscalls(2) rules on non-static/ld.so/libc.so text segments.
• Added pledge and unveil to rpcinfo(8).
• Added AUDIO_GETDEV ioctl to “audio” pledge(2).

Changes were made to the pf(4) firewall

• Added display of pf(4) fragment reassembly counters to pfctl(8) and systat(1).
• Fixed pfsync(4) TCP-state not being updated for destination connection peer and reduced excessive pfsync traffic.
• Allow users to define tables inside an anchor in the same way they can define global tables in pf.conf(5). Previously this required a separate pfctl -a foo -t bar invocation.

New features in the network stack

• Made PPP interfaces to run in an rdomain(4) and install a default route in the same routing domain.
• Introduced rport(4) for point-to-point layer 3 connectivity between routing domains. Similar to pair(4) but more efficient as it does not add Ethernet headers.
• Implemented IPv6 forwarding IPsec only (sysctl net.inet6.ip6.forwarding = 2), the equivalent to net.inet.ip.forwarding = 2 for IPv4.
• Added BIOCSETFNR to bpf(4), like BIOCSETF without resetting the buffer or stats.
• Implemented SO_ACCEPTCONN in getsockopt(2) which can be used to check if listen(2) was called and the socket is accepting connections.

Various new userland features

• Added scandirat(3) from FreeBSD.
• Added elf_aux_info(3), designed to let userland peek at AT_HWCAP and AT_HWCAP2, using an interface from FreeBSD.
• Added missing function wcsnlen(3) to find length of a wide string (i.e. wcslen(3) with a max len argument).
• Imported libva 2.22.0, an implementation for VA-API (video acceleration API). VA-API provides access to graphics hardware acceleration capabilities for video processing.
• Added the option "-u name" to env(1) to remove a variable from the environment.

OpenBSD 7.6 is available for download here. See here for a complete list of changes and additions.