OpenBSD 7.6 released: security improvements, new hardware support, and more!

OpenBSD is a free, multi-platform 4.4BSD-based UNIX-like operating system. The 57th release, OpenBSD 7.6, comes with new features, various improvements, bug fixes, and tweaks.

OpenBSD 7.6

Security improvements
  • Added -fret-clean option to the compiler, defaulting to off. This new option causes the caller to clean the return address off the stack after a call completes. The -fret-clean option was then enabled on amd64 for libc, libcrypto, ld.so, kernel, and all the ssh tools.
  • Expose branch target identification (BTI) to userland and make LLVM generate code with BTI instructions.
  • Enabled PAC in addition to BTI on arm64 such that JIT code matches the default branch protection provided by our base compiler.
  • Limit NFS connections to originate from a reserved port, but permit null requests (aka server pings) from non-reserved ports in nfs.
  • Made local ports bound during connect(2) unique per laddr rather than globally unique.
  • Enforced the pinsyscalls(2) rules on non-static/ld.so/libc.so text segments.
  • Added pledge and unveil to rpcinfo(8).
  • Added AUDIO_GETDEV ioctl to “audio” pledge(2).
Changes were made to the pf(4) firewall
  • Added display of pf(4) fragment reassembly counters to pfctl(8) and systat(1).
  • Fixed pfsync(4) TCP-state not being updated for destination connection peer and reduced excessive pfsync traffic.
  • Allow users to define tables inside an anchor in the same way they can define global tables in pf.conf(5). Previously this required a separate pfctl -a foo -t bar invocation.
New features in the network stack
  • Made PPP interfaces to run in an rdomain(4) and install a default route in the same routing domain.
  • Introduced rport(4) for point-to-point layer 3 connectivity between routing domains. Similar to pair(4) but more efficient as it does not add Ethernet headers.
  • Implemented IPv6 forwarding IPsec only (sysctl net.inet6.ip6.forwarding = 2), the equivalent to net.inet.ip.forwarding = 2 for IPv4.
  • Added BIOCSETFNR to bpf(4), like BIOCSETF without resetting the buffer or stats.
  • Implemented SO_ACCEPTCONN in getsockopt(2) which can be used to check if listen(2) was called and the socket is accepting connections.
Various new userland features
  • Added scandirat(3) from FreeBSD.
  • Added elf_aux_info(3), designed to let userland peek at AT_HWCAP and AT_HWCAP2, using an interface from FreeBSD.
  • Added missing function wcsnlen(3) to find length of a wide string (i.e. wcslen(3) with a max len argument).
  • Imported libva 2.22.0, an implementation for VA-API (video acceleration API). VA-API provides access to graphics hardware acceleration capabilities for video processing.
  • Added the option "-u name" to env(1) to remove a variable from the environment.

OpenBSD 7.6 is available for download here. See here for a complete list of changes and additions.

Don't miss