<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>An It-Slave in the digital saltmine &#187; OpenBSD</title>
	<atom:link href="http://www.it-slav.net/blogs/category/openbsd/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.it-slav.net/blogs</link>
	<description>Another Blog from a Geek that has no life</description>
	<lastBuildDate>Fri, 02 Jul 2010 07:33:08 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>OpenBSD 4.7 is out</title>
		<link>http://www.it-slav.net/blogs/2010/05/26/openbsd-4-7-is-out/</link>
		<comments>http://www.it-slav.net/blogs/2010/05/26/openbsd-4-7-is-out/#comments</comments>
		<pubDate>Wed, 26 May 2010 16:51:36 +0000</pubDate>
		<dc:creator>peter</dc:creator>
				<category><![CDATA[Cool things]]></category>
		<category><![CDATA[Hints]]></category>
		<category><![CDATA[OpenBSD]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[sysadmin]]></category>

		<guid isPermaLink="false">http://www.it-slav.net/blogs/?p=1819</guid>
		<description><![CDATA[This is old news but still important.

- OpenBSD 4.7 RELEASED -------------------------------------------------

May 19, 2010.

We are pleased to announce the official release of OpenBSD 4.7.
This is our 27th release on CD-ROM (and 28th via FTP).  We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous [...]]]></description>
			<content:encoded><![CDATA[<p>This is old news but still important.</p>
<pre wrap="">
- OpenBSD 4.7 RELEASED -------------------------------------------------

May 19, 2010.

We are pleased to announce the official release of OpenBSD 4.7.
This is our 27th release on CD-ROM (and 28th via FTP).  We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 4.7 provides significant improvements,
including new features, in nearly all areas of the system:

 - New/extended platforms:
    o OpenBSD/alpha
      o Added support for the DS15/DS25/ES45.
    o OpenBSD/loongson
      New platform for systems based on the Loongson 2E and 2F MIPS-compatible
      processors. Supported machines include:
      o Lemote Fuloong 2F mini-PC
      o Lemote Lynloong all-in-one-PC
      o Lemote Yeeloong netbook (8.9&quot; and 10.1&quot; models)
      o EMTEC Gdium Liberty 1000 netbook
    o OpenBSD/sgi
      o Added support for multi-node SGI Origin systems, in M mode.
      o Added support for the SGI Origin 350, Onyx 350, Onyx 4 and
        Tezro systems.
      o Added SMP support on the SGI Octane.
      o Support for many more onboard devices on Octane and Origin systems.
    o OpenBSD/socppc
      o Added support for the RouterBOARD RB600A.
    o OpenBSD/sparc64
      o Preliminary support for running OpenBSD in a guest domain on top of
        an OpenBSD control domain on sun4v machines.

 - Improved hardware support, including:
    o Revamped SCSI midlayer and improved driver support.
    o UDF 2.5 and 2.6 (HDDVD and Blu-ray) disks support.
    o Added mpath(4), a driver that steals paths to scsi devices if they could
      be available via multiple paths and then made available via mpath(4).
    o New aibs(4) driver for ASUSTeK AI Booster hardware monitoring.
    o New uthum(4) driver for the TEMPerHUM USB temperature and humidity
      sensors.
    o New utrh(4) driver for USBRH temperature and humidity sensors.
    o New uyurex(4) driver for the Maywa-denki &amp; KAYAC YUREX twitch/jiggle of
      knee sensor.
    o New urndis(4) driver for remote NDIS Ethernet over USB devices (phones).
    o New xf86-video-wsudl(4) Xorg driver for USB DisplayLink devices
      supported by udl(4).
    o New mpii(4) driver for LSI Logic Fusion MPT Message Passing Interface II
      based SAS 2 controllers.
    o New athn(4) driver for Atheros IEEE 802.11a/g/n wireless network devices.
    o New alc(4) driver for Atheros AR8131/AR8132 10/100/Gigabit Ethernet
      devices.
    o New lisa(4) driver for STMicroelectronics LIS331DL MEMS motion sensors.
    o New gcu(4) driver for Intel EP80579 Global Configuration Unit.
    o New lom(4) driver for LOMLite and LOMLite2 as found on many of Sun's
      UltraSPARC-IIi servers.
    o New vsw(4) driver for virtual switches on sun4v machines.
    o New vds(4) driver for virtual disk servers on sun4v machines.
    o Support for EP80579 integrated Ethernet and ICH9 M V has been added
      to em(4).
    o Support for 82599 and SFP+ 82598 devices has been added to ix(4).
    o Support for the Sun GigabitEthernet SBus Adapter 1.0/1.1 has been
      added to ti(4).
    o Support for SBus variants of the QLogic Fibre Channel host adapters
      has been added to isp(4).
    o Support for SBus variants of the Sun Gigabit Ethernet has been added
      to gem(4).
    o Support for Intel WiFi Link 1000 and Intel Centrino
      Advanced-N 6200/Ultimate-N 6300 has been added to iwn(4).
    o Support for Ralink RT3572 based 802.11n devices has been added to run(4).
    o Support for VIA Tremor 5.1 and M-Audio Revolution 5.1 cards has been
      added to envy(4).
    o New uhts(4) driver for USB HID touchscreens.
    o Improved touchscreen support in the xf86-input-ws(4) Xorg driver and
      improved calibration using the new device properties from Xinput.
    o Support for ON CAT6095 and ON CAT34TS02 temperature sensors added
      to sdtemp(4).
    o Several improvements and bug fixes to existing Ethernet drivers,
      including em(4), re(4), ti(4) and vge(4).
    o Support for the PIC PCI-X controller added to the SGI xbridge(4) driver.
    o Support for the onboard Fast Ethernet interface found on SGI Octane
      and many SGI Origin family systems, iec(4).
    o Support for more SGI input and video devices on Octane and Origin
      systems, with iockbc(4), impact(4), and odyssey(4).
    o Improved PCI resource allocation; more hardware left unconfigured by
      the machine's firmware (including hotplugged hardware) should work now.
    o Support for recording/full-duplex added to mavb(4).
    o Improved support for USB audio devices in uaudio(4).
    o Improved support for bwi(4) devices on strict-alignment architectures
      like armish.
    o Eliminate usage of SCSI tagged queueing mechanisms other than simple
      queuing, thus avoiding incorrect implementations on various disk devices.
    o Eliminate spurious dhclient(8) error messages when the specified
      interface does not exist.
    o Eliminate spurious softraid(4) error messages for removable devices
      without media.

 - New tools:
    o newfs_ext2fs(8) for creating ext2 filesystems.
    o mkuboot(8) for creating U-Boot boot loader images.
    o midicat(1) MIDI server allowing MIDI programs to communicate
    o POSIX-compliant fuser(1) to identify process IDs holding a file open

 - Filesystem midlayer improvements:
    o Dynamic Buffer Cache now supported to a max size set with sysctl
      kern.bufcachepercent
    o Dynamic VFS name cache rewrite, now uses Red/Black trees instead of
      linked lists.
    o Numerous NFS client stability fixes.
    o Fix FAT32 mounting.
    o Fix cd9660 directory handling to eliminate looping and random
      truncation of directory entries.
    o Fix various internal locking problems with cd9660, udf, msdosfs
      and ffs file systems.

 - pf(4) improvements:
    o nat-to, rdr-to, binat-to options replace the nat, rdr and binat
      translation rules.
      changes for more info.
    o The route-to, reply-to, dup-to and fastroute options in pf.conf
      move to filteropts.
    o pf(4) can now translate packets between different routing domains.
    o Added -S and -L options to pfctl(8) to store and load pf state table
      from a file.
    o Added support for IPv4 and IPv6 divert sockets.

 - OpenBGPD, OpenOSPFD and other routing daemon improvements:
    o Update capability code in bgpd(8) to follow RFC 5492.
    o BGP MPLS VPN (RFC 4364) support added to the bgpd RIB.
    o In bgpd(8), implement the RFC4486 BGP Cease Notification
      Message subcodes.
    o It is now possible to enable/disable specific BGP capabilities.
    o Update bgpctl(8) irrfilter to support IPv6 and 4-byte AS numbers.
    o Minimal router-dead-time of 1 second and sub-second hello intervals
      added to ospfd(8). Additionally it is now possible to specify
      sub-second SPF timers for faster route fail-over.
    o ospf6d(8) is now installed by default. The RIB can be synced with
      the kernel routing table now. Support for AS-ext LSA has been added.
      This is still work-in-progress but testing is highly appreciated.
    o ldpd -- the MPLS label distribution protocol daemon -- is now
      installed by default. A custom kernel with option MPLS is needed
      to use it.

 - Generic network stack improvements:
    o brconfig is now integrated into ifconfig(8)
    o Added vether(4), a virtual Ethernet device.
    o Two bugs in IPsec/HMAC-SHA2 were fixed, resulting in an incompatibility
      with the HMAC-SHA-256/384/512 hash algorithms with previous versions
      of OpenBSD and other IPsec implementations sharing the bugs.
    o In dhcpd(8), echo back the Relay Agent Information option if present,
      and add support for the ipsec-tunnel hardware type.
    o Make dhcrelay(8) pick up the routing domain from the specified interface
      and use that rdomain for relaying the packets to the server.
    o Added support in dhcrelay(8) for RFC3046 &quot;DHCP-over-ipsec&quot;.
    o Make the tcpdump(8) BGP OPEN capability parser RFC 5492 compliant.
    o Added an exec command to route(8) to run a process and its children
      in a specified routing domain.
    o ifconfig(8) now deals with more than 64 alias addresses.
    o Various fixes to mbuf defragmenting and mbuf chain copying
      improve reliability.

 - Assorted improvements:
    o malloc(3) now has an S flag to turn on the options that help debugging
      and improve security.
    o Updated terminfo(3) database and ncurses(3) library.
    o Added support for lazy binding in ld.so(1) on hppa.
    o Added POSIX silent check option (-C) to sort(1).
    o Added POSIX extended regular expression support to sed(1) (-E option).
    o Added GNU-compatible macro prefix option (-P) to m4(1).
    o Make it possible to specify a port in resolv.conf(5).
    o Improved FILE locking support in stdio(3).
    o Added SO_SNDTIMEO and SO_RCVTIMEO support in pthreads(3).
    o cdio(1) no longer prints bogus information if no TOC is found on
      the disk.
    o New -v flag causes cdio(1) to print profile and feature information.
    o whois(1) no longer attempts to keep the memory of 6Bone alive.
    o Added per-application MIDI-controlled volume knob to aucat(1)
    o Added MMC and MTC support to aucat(1) making possible MIDI-to-audio
      synchronization.
    o Added mio_open(3) interface to access hardware and software MIDI ports
    o Many memory leaks found by parfait and eliminated.
    o Make handling of floppy disk disklabels more reliable by properly
      initializing starting label.

 - Install/Upgrade process changes:
    o Take more care to ensure all filesystems are umount'ed when restarting
      an install or upgrade.
    o If no possible root disk is found, keep checking until one appears.
    o The default ftp directory for -stable is now the release directory
      instead of the snapshot directory.
    o Selection of TZ during installs is no longer confused by
      trailing slashes.
    o If /etc/X11 is found during upgrades, add the X sets to the list
      of default sets to install.

 - OpenSSH 5.5:
    o New features:
      o SSH protocol 1 is disabled by default.
      o Remove the libsectok/OpenSC-based smartcard code and add support
        for PKCS#11 tokens.
      o Add support for certificate authentication of users and hosts
        using a new, minimal OpenSSH certificate format (not X.509).
      o Added a 'netcat mode' to ssh(1).
      o Add the ability to revoke keys in sshd(8) and ssh(1).
      o Rewrite the ssh(1) multiplexing support to support non-blocking
        operation of the mux master.
      o Add a 'read-only' mode to sftp-server(8) that disables open in
        write mode and all other fs-modifying protocol methods. (bz#430)
      o Allow setting an explicit umask on the sftp-server(8) commandline
        to override whatever default the user has. (bz#1229)
      o Many improvements to the sftp(1) client.
      o New RSA keys will be generated with a public exponent of 65537
        instead of the previous value 35.
      o Passphrase-protected SSH protocol 2 private keys are now protected
        with AES-128 instead of 3DES.
    o The following significant bugs have been fixed in this release:
      o Fixed a minor information leak of environment variables specified in
        authorized_keys if an attacker happens to know the public key in use.
      o When using ChrootDirectory, make sure we test for the existence of
        the user's shell inside the chroot and not outside. (bz#1679)
      o Cache user and group name lookups in sftp-server using
        user_from_[ug]id(3) to improve performance on hosts where these
        operations are slow. (bz#1495)
      o Fix problem that prevented passphrase reading from being interrupted
        in some circumstances. (bz#1590)
      o Ignore and log any Protocol 1 keys where the claimed size is not
        equal to the actual size.
      o Make HostBased authentication work with a ProxyCommand. (bz#1569)
      o Avoid run-time failures when specifying hostkeys via a relative path
        by prepending the current working directory in these cases. (bz#1290)
      o Do not prompt for a passphrase if we fail to open a keyfile, and log
        the reason why the open failed to debug. (bz#1693)
      o Document that the PubkeyAuthentication directive is allowed in a
        sshd_config(5) Match block. (bz#1577)
      o When converting keys, truncate key comments at 72 chars as per
        RFC4716. (bz#1630)
      o Do not allow logins if /etc/nologin exists but is not readable by
        the user logging in.
      o Output a debug log if sshd(8) can't open an existing
        authorized_keys. (bz#1694)
      o Quell tc[gs]etattr(3) warnings when forcing a tty (ssh -tt), since
        we usually don't actually have a tty to read/set. (bz#1686)
      o Prevent sftp(1) from crashing when given a &quot;-&quot; without a command;
        also, allow whitespace to follow a &quot;-&quot;. (bz#1691)
      o After sshd(8) receives a SIGHUP, ignore subsequent HUPs while
        sshd(8) re-execs itself; prevents two HUPs in quick succession
        from resulting in sshd(8) dying. (bz#1692)
      o Clarify in sshd_config(5) that StrictModes does not apply to
        ChrootDirectory; permissions and ownership are always checked
        when chrooting. (bz#1532)
      o Set close-on-exec on various descriptors so they don't get leaked
        to child processes. (bz#1643)
      o Fix very rare race condition in x11/agent channel allocation
      o Fix incorrect exit status when multiplexing and channel ID 0 is
        recycled. (bz#1570)
      o Fail with an error when an attempt is made to connect to a server
        with ForceCommand=internal-sftp with a shell session. (bz#1606)
      o Warn but do not fail if stat(2)ing the subsystem binary
        fails. (bz#1599)
      o Change &quot;Connecting to host...&quot; message to &quot;Connected to host.&quot; and
        delay it until after the sftp protocol connection has been
        established. (bz#1588)
      o Use the HostKeyAlias rather than the hostname specified on the
        commandline when prompting for passwords. (bz#1039)
      o Correct off-by-one in percent_expand(). (bz#1607)
      o Fix passing of empty options from scp(1) and sftp(1) to the
        underlying ssh(1); also add support for the stop option &quot;--&quot;.
      o Fix an incorrect magic number and typo in PROTOCOL. (bz#1688)
      o Don't escape backslashes when displaying the SSH2 banner. (bz#1533)
      o Don't unnecessarily dup() the in and out fds for
        sftp-server(8). (bz#1566)
      o Force use of the correct hash function for random-art signature
        display. (bz#1611)
      o Do not fall back to adding keys without constraints when the agent
        refuses the constrained add request. (bz#1612)
      o Fix a race condition in ssh-agent(1) that could result in a wedged
        or spinning agent. (bz#1633)
      o Flush stdio before exec() to ensure that everything has made it out
        before the streams go away. (bz#1596)
      o Set FD_CLOEXEC on in/out sockets in sshd(8). (bz#1706)

 - Over 5,800 ports, major robustness and speed improvements in package tools.
 - Many pre-built packages for each architecture:
    o i386: 5951
    o sparc64: 5745
    o alpha: 5641
    o sh: 768
    o amd64: 5879
    o powerpc: 5785
    o sparc: 4053
    o arm: 3711
    o hppa: 5500
    o vax: 1785
    o mips64: 3690
    o mips64el: 4316

 - Some highlights:
    o Gnome 2.28.2.
    o KDE 3.5.10.
    o Xfce 4.6.1.
    o MySQL 5.1.42.
    o PostgreSQL 8.4.2.
    o Postfix 2.6.5.
    o OpenLDAP 2.3.43.
    o Mozilla Firefox 3.0.18 and 3.5.8.
    o Mozilla Thunderbird 2.0.0.23.
    o OpenOffice.org 3.1.1.
    o Emacs 21.4 and 22.3
    o Vim 7.2.267.
    o PHP 5.2.12.
    o Python 2.4.6, 2.5.4 and 2.6.3.
    o Ruby 1.8.6.369.

 - As usual, steady improvements in manual pages and other documentation.

 - The system includes the following major components from outside suppliers:
    o Xenocara (based on X.Org 7.4 with xserver 1.6.5 + patches,
      freetype 2.3.9, fontconfig 2.6.0, Mesa 7.4.2, xterm 250 and more)
    o Gcc 2.95.3 (+ patches) and 3.3.5 (+ patches)
    o Perl 5.10.1 (+ patches)
    o Our improved and secured version of Apache 1.3, with SSL/TLS
      and DSO support
    o OpenSSL 0.9.8k (+ patches)
    o Groff 1.15
    o Sendmail 8.14.3, with libmilter
    o Bind 9.4.2-P2 (+ patches)
    o Lynx 2.8.6rel.5 with HTTPS and IPv6 support (+ patches)
    o Sudo 1.7.2
    o Ncurses 5.7
    o Latest KAME IPv6
    o Heimdal 0.7.2 (+ patches)
    o Arla 0.35.7
    o Binutils 2.15 (+ patches)
    o Gdb 6.3 (+ patches)

If you'd like to see a list of what has changed between OpenBSD 4.6
and 4.7, look at

        <a href="http://www.openbsd.org/plus47.html" class="moz-txt-link-freetext">http://www.OpenBSD.org/plus47.html</a>

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.

------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each CD release.  As usual, between the
creation of the OpenBSD 4.7 FTP/CD-ROM binaries and the actual 4.7
release date, our team found and fixed some new reliability problems
(note: most are minor and in subsystems that are not enabled by
default).  Our continued research into security means we will find
new security problems -- and we always provide patches as soon as
possible.  Therefore, we advise regular visits to

        <a href="http://www.openbsd.org/security.html" class="moz-txt-link-freetext">http://www.OpenBSD.org/security.html</a>
and
	<a href="http://www.openbsd.org/errata.html" class="moz-txt-link-freetext">http://www.OpenBSD.org/errata.html</a>

Security patch announcements are sent to the <a href="mailto:security-announce@OpenBSD.org" class="moz-txt-link-abbreviated">security-announce@OpenBSD.org</a>
mailing list.  For information on OpenBSD mailing lists, please see:

	<a href="http://www.openbsd.org/mail.html" class="moz-txt-link-freetext">http://www.OpenBSD.org/mail.html</a>

------------------------------------------------------------------------
- CD-ROM SALES ---------------------------------------------------------

OpenBSD 4.7 is also available on CD-ROM.  The 3-CD set costs $50 CDN and
is available via mail order and from a number of contacts around the
world.  The set includes a colourful booklet which carefully explains the
installation of OpenBSD.  A new set of cute little stickers is also
included (sorry, but our FTP mirror sites do not support STP, the Sticker
Transfer Protocol).  As an added bonus, the second CD contains an audio
track, a song entitled &quot;I'm still here&quot;.  MP3 and OGG versions of
the audio track can be found on the first CD.

Lyrics (and an explanation) for the songs may be found at:

    <a href="http://www.openbsd.org/lyrics.html#47" class="moz-txt-link-freetext">http://www.OpenBSD.org/lyrics.html#47</a>

Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 4.7 CD-ROMs are bootable on the following four platforms:

  o i386
  o amd64
  o macppc
  o sparc64

(Other platforms must boot from floppy, network, or other method).

For more information on ordering CD-ROMs, see:

        <a href="http://www.openbsd.org/orders.html" class="moz-txt-link-freetext">http://www.OpenBSD.org/orders.html</a>

The above web page lists a number of places where OpenBSD CD-ROMs
can be purchased from.  For our default mail order, go directly to:

        <a href="https://https.openbsd.org/cgi-bin/order" class="moz-txt-link-freetext">https://https.OpenBSD.org/cgi-bin/order</a>

All of our developers strongly urge you to buy a CD-ROM and support
our future efforts.  Additionally, donations to the project are
highly appreciated, as described in more detail at:

        <a href="http://www.openbsd.org/goals.html#funding" class="moz-txt-link-freetext">http://www.OpenBSD.org/goals.html#funding</a>

------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (<a href="http://www.openbsdfoundation.org/" class="moz-txt-link-freetext">http://www.openbsdfoundation.org</a>) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense writeoff, so this is certainly a consideration for
some organizations or businesses.  There may also be exposure benefits
since the Foundation may be interested in participating in press releases.
In turn, the Foundation then uses these contributions to assist OpenBSD's
infrastructure needs.  Contact the foundation directors at
<a href="mailto:directors@openbsdfoundation.org" class="moz-txt-link-abbreviated">directors@openbsdfoundation.org</a> for more information.

------------------------------------------------------------------------
- T-SHIRT SALES --------------------------------------------------------

The OpenBSD distribution companies also sell t-shirts and polo shirts.
And our users like them too.  We have a variety of shirts available,
with the new and old designs, from our web ordering system at, as
described above.

The OpenBSD 4.7 t-shirts are available now.  We also sell our older
shirts, as well as a selection of OpenSSH t-shirts.

------------------------------------------------------------------------
- FTP INSTALLS ---------------------------------------------------------

If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via FTP.  Typically you need a single small piece of boot
media (e.g., a boot floppy) and then the rest of the files can be
installed from a number of locations, including directly off the
Internet.  Follow this simple set of instructions to ensure that
you find all of the documentation you will need while performing
an install via FTP.  With the CD-ROMs, the necessary documentation
is easier to find.

1) Read either of the following two files for a list of ftp
   mirrors which provide OpenBSD, then choose one near you:

        <a href="http://www.openbsd.org/ftp.html" class="moz-txt-link-freetext">http://www.OpenBSD.org/ftp.html</a>
        <a href="ftp://ftp.openbsd.org/pub/OpenBSD/4.7/ftplist" class="moz-txt-link-freetext">ftp://ftp.OpenBSD.org/pub/OpenBSD/4.7/ftplist</a>

   As of May 19, 2010, the following ftp mirror sites have the 4.7 release:

	<a href="ftp://ftp.eu.openbsd.org/pub/OpenBSD/4.7/" class="moz-txt-link-freetext">ftp://ftp.eu.openbsd.org/pub/OpenBSD/4.7/</a>	Stockholm, Sweden
	<a href="ftp://ftp.bytemine.net/pub/OpenBSD/4.7/" class="moz-txt-link-freetext">ftp://ftp.bytemine.net/pub/OpenBSD/4.7/</a>         Oldenburg, Germany
	<a href="ftp://mirror.aarnet.edu.au/pub/OpenBSD/4.7/" class="moz-txt-link-freetext">ftp://mirror.aarnet.edu.au/pub/OpenBSD/4.7/</a>     Brisbane, Australia
	<a href="ftp://ftp.wu-wien.ac.at/pub/OpenBSD/4.7/" class="moz-txt-link-freetext">ftp://ftp.wu-wien.ac.at/pub/OpenBSD/4.7/</a>        Vienna, Austria
	<a href="ftp://ftp.usa.openbsd.org/pub/OpenBSD/4.7/" class="moz-txt-link-freetext">ftp://ftp.usa.openbsd.org/pub/OpenBSD/4.7/</a>	CO, USA
	<a href="ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.7/" class="moz-txt-link-freetext">ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.7/</a>	CA, USA
	<a href="ftp://obsd.cec.mtu.edu/pub/OpenBSD/4.7/" class="moz-txt-link-freetext">ftp://obsd.cec.mtu.edu/pub/OpenBSD/4.7/</a>         Michigan, USA

	The release is also available at the master site:

	<a href="ftp://ftp.openbsd.org/pub/OpenBSD/4.7/" class="moz-txt-link-freetext">ftp://ftp.openbsd.org/pub/OpenBSD/4.7/</a>	        Alberta, Canada

	However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that ftp mirror site and go into the directory
   pub/OpenBSD/4.7/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     armish/          mvme68k/         sparc64/
        Changelogs/      ftplist          mvme88k/         src.tar.gz
        HARDWARE         hp300/           packages/        sys.tar.gz
        PACKAGES         hppa/            ports.tar.gz     tools/
        PORTS            i386/            root.mail        vax/
        README           landisk/         sgi/             xenocara.tar.gz
        alpha/           mac68k/          socppc/          zaurus/
        amd64/           macppc/          sparc/

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        HARDWARE        - list of hardware we support
        PORTS           - description of our &quot;ports&quot; tree
        PACKAGES        - description of pre-compiled packages
        root.mail       - a copy of root's mail at initial login.
			  (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, i386.  This is a list of what you will see:

	INSTALL.i386    cd47.iso        floppyB47.fs    pxeboot*
	INSTALL.linux   cdboot*         floppyC47.fs    xbase47.tgz
	MD5             cdbr*           game47.tgz      xetc47.tgz
	base47.tgz      cdemu47.iso     index.txt       xfont47.tgz
	bsd*            comp47.tgz      install47.iso   xserv47.tgz
	bsd.mp*         etc47.tgz       man47.tgz       xshare47.tgz
	bsd.rd*         floppy47.fs     misc47.tgz

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386
   and the appropriate floppy*.fs or install47.iso files.  Consult the
   INSTALL.i386 file if you don't know which of the floppy images
   you need (or simply fetch all of them).

   If you use the install47.iso file (roughly 200MB in size), then you
   do not need the various *.tgz files since they are contained on that
   one-step ISO-format install CD.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.i386.  INSTALL.i386 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

        <a href="http://www.openbsd.org/errata.html" class="moz-txt-link-freetext">http://www.OpenBSD.org/errata.html</a>

   This is the page where we talk about the mistakes we made while
   creating the 4.7 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

Note: If you end up needing to write a raw floppy using Windows,
      you can use &quot;fdimage.exe&quot; located in the pub/OpenBSD/4.7/tools
      directory to do so.

------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.4.  Most of our architectures ship with X.Org, including
amd64, sparc, sparc64 and macppc.  During installation, you can install
X.Org quite easily.  Be sure to try out xdm(1) and see how we have
customized it for OpenBSD.

------------------------------------------------------------------------
- PORTS TREE -----------------------------------------------------------

The OpenBSD ports tree contains automated instructions for building
third party software.  The software has been verified to build and
run on the various OpenBSD architectures.  The 4.7 ports collection,
including many of the distribution files, is included on the 3-CD
set.  Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD.  Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).

------------------------------------------------------------------------
- BINARY PACKAGES WE PROVIDE -------------------------------------------

A large number of binary packages are provided.  Please see the PACKAGES
file (<a href="ftp://ftp.openbsd.org/pub/OpenBSD/4.7/PACKAGES" class="moz-txt-link-freetext">ftp://ftp.OpenBSD.org/pub/OpenBSD/4.7/PACKAGES</a>) for more details.

------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------

The CD-ROMs contain source code for all the subsystems explained
above, and the README (<a href="ftp://ftp.openbsd.org/pub/OpenBSD/4.7/README" class="moz-txt-link-freetext">ftp://ftp.OpenBSD.org/pub/OpenBSD/4.7/README</a>)
file explains how to deal with these source files.  For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/4.7/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------

Ports tree and package building by Jasper Lievisse Adriaanse, Michael Erdely,
Simon Bertrang, Stuart Henderson, Antoine Jacoutot, Robert Nagy,
Nikolay Sturm, and Christian Weisgerber.  System builds by Theo de Raadt,
Mark Kettenis, and Miod Vallat.  X11 builds by Todd Fries and Miod Vallat.
ISO-9660 filesystem layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who pre-ordered the 4.7 CD-ROM or bought our previous
CD-ROMs.  Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

    Alexander Bluhm, Alexander Hall, Alexander von Gernler,
    Alexander Yurchenko, Alexandre Ratchov, Alexey Vatchenko,
    Anders Magnusson, Andreas Gunnarsson, Anil Madhavapeddy,
    Antoine Jacoutot, Ariane van der Steldt, Artur Grabowski,
    Austin Hook, Benoit Lecocq, Bernd Ahlers, Bob Beck, Bret Lambert,
    Can Erkin Acar, Chad Loder, Charles Longeau, Chris Kuethe,
    Christian Weisgerber, Claudio Jeker, Dale Rahn, Damien Bergamini,
    Damien Miller, Dariusz Swiderski, Darren Tucker,
    David Gwynne,  David Hill, David Krause, Edd Barrett, Eric Faurot,
    Esben Norby,  Fabien Romano, Federico G. Schwindt, Felix Kronlage,
    Gilles Chehade, Giovanni Bechis, Gordon Willem Klok,
    Henning Brauer, Ian Darwin, Igor Sobrado, Ingo Schwarze,
    Jacek Masiulaniec, Jacob Meuser, Jakob Schlyter, Janne Johansson,
    Jared Yanovich, Jason Dixon, Jason George, Jason McIntyre,
    Jason Meltzer, Jasper Lievisse Adriaanse, Jim Razmus II, Joel Sing,
    Joerg Goltermann, Johan Mson Lindman, Jolan Luff, Jonathan Armani,
    Jonathan Gray, Jordan Hargrave, Joshua Stein, Kenneth R Westerback,
    Kevin Lo, Kevin Steves, Kjell Wooding, Kurt Miller, Landry Breuil,
    Laurent Fanis, Marc Espie, Marco Peereboom, Marco Pfatschbacher,
    Marco S Hyman, Marcus Glocker, Marek Vasut, Mark Kettenis,
    Mark Uemura, Markus Friedl, Martin Reindl, Martynas Venckus,
    Mathieu Sauve-Frankel, Mats O Jansson, Matthias Kilian,
    Matthieu Herrb, Michael Erdely, Michael Knudsen, Michele Marchetto,
    Mike Larkin, Miod Vallat, Moritz Grimm, Moritz Jodeit,
    Nicholas Marriott, Nick Holland, Nikolay Sturm, Okan Demirmen,
    Oleg Safiullin, Otto Moerbeek, Owain Ainsworth, Paul de Weerd,
    Paul Irofti, Peter Hessler, Peter Stromberg, Peter Valchev,
    Philip Guenther, Pierre-Emmanuel Andre, Pierre-Yves Ritschard,
    Rainer Giedat, Reyk Floeter, Robert Nagy, Rui Reis,
    Ryan Thomas McBride, Simon Bertrang, Simon Perreault, Stefan Kempf,
    Stefan Sperling, Stephan A. Rickauer, Steven Mestdagh,
    Stuart Henderson, Takuya Asada, Ted Unangst, Theo de Raadt,
    Thordur I Bjornsson, Tobias Stoeckmann, Tobias Weingartner,
    Todd C. Miller, Todd Fries, Will Maier, William Yodlowsky,
    Xavier Santolaria, Yasuoka Masahiko, Yojiro Uo
</pre>
]]></content:encoded>
			<wfw:commentRss>http://www.it-slav.net/blogs/2010/05/26/openbsd-4-7-is-out/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OpenBSD 4.6 Released</title>
		<link>http://www.it-slav.net/blogs/2009/10/18/openbsd-4-6-released/</link>
		<comments>http://www.it-slav.net/blogs/2009/10/18/openbsd-4-6-released/#comments</comments>
		<pubDate>Sun, 18 Oct 2009 16:36:41 +0000</pubDate>
		<dc:creator>peter</dc:creator>
				<category><![CDATA[Hints]]></category>
		<category><![CDATA[OpenBSD]]></category>
		<category><![CDATA[english]]></category>
		<category><![CDATA[sysadmin]]></category>

		<guid isPermaLink="false">http://www.it-slav.net/blogs/?p=1417</guid>
		<description><![CDATA[

Many people have received their 4.6 CDs in the mail by now, and we
really don't want them to be without the full package repository.

------------------------------------------------------------------------
- OpenBSD 4.6 RELEASED -------------------------------------------------

Oct 18, 2009.

We are pleased to announce the official release of OpenBSD 4.6.
This is our 26th release on CD-ROM (and 27th via FTP).  We remain
proud of OpenBSD's [...]]]></description>
			<content:encoded><![CDATA[<div lang="x-western" class="moz-text-plain" wrap="true" graphical-quote="true" style="font-family: -moz-fixed; font-size: 12px;">
<pre wrap="">
Many people have received their 4.6 CDs in the mail by now, and we
really don't want them to be without the full package repository.

------------------------------------------------------------------------
- OpenBSD 4.6 RELEASED -------------------------------------------------

Oct 18, 2009.

We are pleased to announce the official release of OpenBSD 4.6.
This is our 26th release on CD-ROM (and 27th via FTP).  We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 4.6 provides significant improvements,
including new features, in nearly all areas of the system:

- New/extended platforms:
    o mvme88k
      o MVME141 and MVME165 boards are now supported.
    o sgi
      o SGI Octane, SGI Origin 200 and SGI Fuel systems are now supported.
      o Several bugs in interrupt handling have been fixed, resulting
        in significantly improved system response.
    o sparc
      o The bootblock load address has been moved so that larger kernels
        can be loaded.
    o sparc64
      o Acceleration support has been added for many of the PCI frame buffer
        drivers, such as the Sun PGX, PGX64 and XVR-100, and Tech Source
        Raptor GFX graphics cards.
</pre>
<pre wrap=""><span id="more-1417"></span>

- Improved hardware support, including:
    o Several new/improved drivers for sensors, including:
      o The ips(4) driver now has sensor support, complementing the bio support.
      o The acpithinkpad(4) driver now has temperature and fan sensor support.
      o New endrun(4) driver for the EndRun Technologies timedelta sensor.
      o The fins(4) driver now has support for F71806, F71862 and F71882 ICs.
      o The acpitz(4) driver now shows correct decimals for temperature.
    o Added radeonfb(4) to sparc64, an accelerated framebuffer for
      Sun XVR-100 boards.
    o Added support for RTL8103E and RTL8168DP devices in the re(4) driver.
    o Added support for BCM5709/BCM5716 devices in the bnx(4) driver.
    o Added support for ICH10 variants of em(4).
    o Added support for VIA VX855 chipset in the viapm(4) and pciide(4) drivers.
    o Added support for Intel SCH IDE to pciide(4).
    o Added support for the Broadcom HT-1100 chipset in the piixpm(4) driver.
    o Added support for 82574L based devices in the em(4) driver.
    o Added support for VIA CX800 south bridge to the viapm(4) driver.
    o A number of network drivers including bge(4), bnx(4), hme(4), iwn(4),
      ix(4), msk(4), sis(4), sk(4), vr(4) and wpi(4) now make use of the
      MCLGETI(9) allocator in order to reduce memory usage and increase
      performance when under load or attack.
    o Added support in em(4) for the newer 82575 chips.
    o zyd(4) now supports devices with Airoha AL2230S radios.
    o zyd(4) now works on big-endian machines.
    o urtw(4) now supports RTL8187B based devices.
    o New otus(4) driver for Atheros AR9001U USB 802.11a/b/g/Draft-N
      wireless devices.
    o New berkwdt(4) driver for Berkshire Products PCI watchdog timers.
    o New udl(4) driver for USB video devices.
    o Support for a variety of newer models in bge(4).
    o Initial version of vsw(4), a driver for the virtual network switch
      found on sun4v sparc64 systems.
    o Implemented machfb(4), an accelerated driver for the sparc64 PGX/PGX64
      framebuffers.
    o New vcc(4) and vcctty(4) drivers for the &quot;Virtual Console Concentrator&quot;
      found on the control domain of sun4v systems.
    o Implemented 64-bit FIFO modes for ciss(4) devices.
    o Enabled hardware VLAN tagging and stripping on ix(4).
    o Added basic support for Envy24HT chips to the envy(4) driver.
    o Many improvements and updates to the isp(4) driver.
    o Added support for 88E8057-based Yukon 2 Ultra 2-devices in msk(4).
    o The ips(4) driver now works reliably.
    o Added raptor(4), an accelerated framebuffer driver for the Tech Source
      Raptor GFX cards on the sparc64 platform.
    o Enabled schsio(4) on i386 and amd64 and added watchdog timer support.
    o New acpivideo(4) driver for ACPI display switching and brightness control.
    o Added support for the IBM ServeRAID-8k in the aac(4) driver.
    o Added support for the BCM5825 and 5860/61/62 Broadcom CryptoNetX
      IPSec/SSL Security processor in the ubsec(4) driver.
    o Added support for AES-CBC with BCM5823-based ubsec(4) devices.
    o Firmware for bnx(4) has been updated.
    o Added support to fxp(4) for the 82552 MAC found on some ICH7 chipsets.
    o Added support to umsm(4) for Truinstall enabled modems like the
      Sierra 881U.
    o Added support to pciide(4) for ICH10 SATA devices not operating in
      AHCI mode.
    o dc(4) now reads the MAC address from the eeprom rather than CIS.
    o em(4) now correctly handles MAC addresses for dual-port 8257[56] cards.
    o IPv6 receive TCP/UDP checksum offloading has been enabled for jme(4).
    o IPv6 receive TCP/UDP checksum offloading has been enabled in bge(4) for
      the 5755 and later chips.
    o iwi(4) now associates with APs that refuse non-short slot-time capable
      STAs.
    o IP, TCP and UDP checksum offloading has been enabled in vr(4) for
      VT6105M-based devices.
    o VGA BIOS repost support has been added for amd64 and i386 platforms.

- New tools:
    o Added smtpd(8), a new privilege-separated SMTP daemon.
    o Imported the tmux(1) terminal multiplexer, replacing window(1).

- New functionality:
    o httpd(8) can now serve files larger than 2GB in size.
    o Mice with many buttons are now supported by wsmoused(8).
    o New &quot;nfsserver&quot; and &quot;nfsclient&quot; views have been added to systat(1).
    o Automatic partition allocation has been added to disklabel(8), with a
      variety of smart heuristics.
    o An undo command has been added to disklabel(8), which reverts the
      label back to its previous state.
    o When running in auto-mode, sysmerge(8) will now install binary files
      from X sets automatically.
    o sysmerge(8) now creates a report summary file in the work directory.
    o httpd(8) now drops privileges to www/www rather than nobody/nogroup
      if the User/Group entries are not present within the configuration file.
    o ELF based platforms now generate ELF core dumps and gdb(1) is now able
      to read ELF core dumps.
    o Additional diff options have been added to opencvs(1).
    o When sendbug(1) is run as root, the pcidump(8) and acpidump(8) output
      is included.
    o Support for audible ping(8) and ping6(8) has been added.
    o ftpd(8) now logs both the remote IP and remote hostname when receiving
      a new connection.
    o relayd(8) now allows both UDP and TCP redirections.
    o SSL sessions are now maintained by relayd(8) for each checked host,
      resulting in subsequent checks being lighter and faster on the server.
    o Added support to relayd(8) for client-side TCP connections from relays.
    o Added support to relayd(8) for specifying a CA file to verify SSL server
      certificates when connecting as a client from relays.

- pf(4) improvements:
    o Enabled pf(4) by default in the rc.conf(8).
    o Removed pf(4) scrub rules, and only do one kind of packet reassembly.
      Rulesets with scrub rules need to be modified because of this.
    o Regular rules can now have per-rule scrub options.
    o Added new &quot;match&quot; keyword which only applies rule options but does
      not change the current pass/block state.
    o Make all pf(4) operations transactional to improve atomicity of reloads.
    o Stricter pf(4) checking for ICMP and ICMPv6 packets.
    o Various improvements to pfsync(4) to lower sync traffic bandwidth and
      optionally allow active-active firewall setups.
    o Fix pf(4) scrub max-mss for IPv6 traffic.

- softraid(4) improvements:
    o Rebuild support has been added and RAID 1 volumes can now be rebuilt.
    o Boot time assembly has been significantly improved, with volume and
      chunk ordering now being respected. Duplicated chunks and version
      mismatches are also handled gracefully.
    o Volumes with missing members are now brought online.

- OpenBGPD, OpenOSPFD and other routing daemon improvements:
    o In bgpd(8), rework most of the RDE to allow multiple RIBs.
      It is possible to filter per-RIB and attach neighbors to a specific RIB.
    o Added an option to bgpd(8) to change the &quot;connect-retry&quot; timer.
    o Allow bgpd.conf(5) and bgpctl(8) to contain 32-bit ASN numbers written in
      ASPLAIN format.
    o Fix bgpd(8) to correctly encode MP unreachable NLRI so IPv6 prefixes get
      removed correctly.
    o Changed the behaviour of &quot;redistribute default&quot; for ospfd(8) and ripd(8).
      A default route has to be present in the FIB to be correctly advertised.
    o Make ospfd(8) and ripd(8) track reject and blackhole routes and allow
      them to be redistributed even if pointing to 127.0.0.1.
    o Allow an alternate control socket to be specified for ospfd(8).
    o ospfd(8) can now be bound to an alternate routing domain.
    o Fix ospfd(8) route metric for &quot;redistribute default&quot;.
    o Initial version of ldpctl(8) and ldpd(8), a label distribution protocol
      daemon for mpls.
    o Make dvmrpd(8) RDE aware of multicast group members per interface.
    o Added support for pruning in dvmrpd(8).

- Generic Network-Stack improvements:
    o Support for virtual routing and firewalling with the addition of routing
      domains.
    o Added support for ifconfig(8) to bind an interface to a routing domain.
    o Added support to ping(8), traceroute(8), arp(8), nc(1) and telnet(1) to
      specify which routing domain to use.
    o Allow ifconfig(8) to turn off IPv6 completely for an interface and
      make rtsold(8) turn on inet6 on the interface.
    o Routes track the interface link state.
    o route(8) flush accepts &quot;-iface&quot; or &quot;-priority&quot; to only flush routes
      matching these conditions.
    o Multiple dhclients can now coexist without causing mayhem.
    o Make wireless interfaces have an interface priority of 4 by default.
      Makes them less preferred than wired interfaces.
    o Do not accept IPv4 ICMP redirects by default.
    o Added the MAC address to the log entries in dhclient(8).
    o Make systat(1) show interface description names in the interface view,
      and add new NFS server and client views.
    o Make tun(4) emulate link state depending on the open and close of the
      device fd.
    o Use pf state-table information to speed up decision on whether a packet
      is to be delivered locally or forwarded.
    o More routing socket checks added to make userland applications more
      resilient to kernel changes.

- Install/Upgrade process changes:
    o The installer has almost been rewritten, primarily with a focus on
      simplifying the installation process.
    o Automatic disk layout can now be used during installation, allowing for
      simple single-disk installs.
    o VLAN support is now available in some installation media.
    o A standard user account can now be created during the install process.

- OpenSSH 5.3:
    o Do not limit home directory paths to 256 characters.
    o Several minor documentation and correctness fixes.

- Over 5,800 ports, minor robustness improvements in package tools.
    o Many pre-built packages for each architecture:
      i386:   5606    sparc64:  5413    alpha: 5346    sh:     1261
      amd64:  5544    powerpc:  5427    sparc: 3711    mips64: 3443
      arm:    5291    hppa:     4790    vax:   1785

- As usual, steady improvements in manual pages and other documentation.

- The system includes the following major components from outside
  suppliers:
      o Xenocara (based on X.Org 7.4 + patches, freetype 2.3.9,
        fontconfig 2.6.0, Mesa 7.4.2, xterm 243 and more)
      o Gcc 2.95.3 (+ patches) and 3.3.5 (+ patches)
      o Perl 5.10.0 (+ patches)
      o Our improved and secured version of Apache 1.3, with SSL/TLS
        and DSO support
      o OpenSSL 0.9.8k (+ patches)
      o Groff 1.15
      o Sendmail 8.14.3, with libmilter
      o Bind 9.4.2-P2 (+ patches)
      o Lynx 2.8.6rel.5 with HTTPS and IPv6 support (+ patches)
      o Sudo 1.7.2
      o Ncurses 5.2
      o Latest KAME IPv6
      o Heimdal 0.7.2 (+ patches)
      o Arla 0.35.7
      o Binutils 2.15 (+ patches)
      o Gdb 6.3 (+ patches)

If you'd like to see a list of what has changed between OpenBSD 4.5
and 4.6, look at

        <a class="moz-txt-link-freetext" href="http://www.openbsd.org/plus46.html">http://www.OpenBSD.org/plus46.html</a>

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.

------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each CD release.  As usual, between the
creation of the OpenBSD 4.6 FTP/CD-ROM binaries and the actual 4.6
release date, our team found and fixed some new reliability problems
(note: most are minor and in subsystems that are not enabled by
default).  Our continued research into security means we will find
new security problems -- and we always provide patches as soon as
possible.  Therefore, we advise regular visits to

        <a class="moz-txt-link-freetext" href="http://www.openbsd.org/security.html">http://www.OpenBSD.org/security.html</a>
and
	<a class="moz-txt-link-freetext" href="http://www.openbsd.org/errata.html">http://www.OpenBSD.org/errata.html</a>

Security patch announcements are sent to the <a class="moz-txt-link-abbreviated" href="mailto:security-announce@OpenBSD.org">security-announce@OpenBSD.org</a>
mailing list.  For information on OpenBSD mailing lists, please see:

	<a class="moz-txt-link-freetext" href="http://www.openbsd.org/mail.html">http://www.OpenBSD.org/mail.html</a>

------------------------------------------------------------------------
- CD-ROM SALES ---------------------------------------------------------

OpenBSD 4.6 is also available on CD-ROM.  The 3-CD set costs $50 CDN and
is available via mail order and from a number of contacts around the
world.  The set includes a colourful booklet which carefully explains the
installation of OpenBSD.  A new set of cute little stickers is also
included (sorry, but our FTP mirror sites do not support STP, the Sticker
Transfer Protocol).  As an added bonus, the second CD contains an audio
track, a song entitled &quot;Planet of the Users&quot;.  MP3 and OGG versions of
the audio track can be found on the first CD.

Lyrics (and an explanation) for the songs may be found at:

    <a class="moz-txt-link-freetext" href="http://www.openbsd.org/lyrics.html#46">http://www.OpenBSD.org/lyrics.html#46</a>

Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 4.6 CD-ROMs are bootable on the following four platforms:

  o i386
  o amd64
  o macppc
  o sparc64

(Other platforms must boot from floppy, network, or other method).

For more information on ordering CD-ROMs, see:

        <a class="moz-txt-link-freetext" href="http://www.openbsd.org/orders.html">http://www.OpenBSD.org/orders.html</a>

The above web page lists a number of places where OpenBSD CD-ROMs
can be purchased from.  For our default mail order, go directly to:

        <a class="moz-txt-link-freetext" href="https://https.openbsd.org/cgi-bin/order">https://https.OpenBSD.org/cgi-bin/order</a>

All of our developers strongly urge you to buy a CD-ROM and support
our future efforts.  Additionally, donations to the project are
highly appreciated, as described in more detail at:

        <a class="moz-txt-link-freetext" href="http://www.openbsd.org/goals.html#funding">http://www.OpenBSD.org/goals.html#funding</a>

------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (<a class="moz-txt-link-freetext" href="http://www.openbsdfoundation.org/">http://www.openbsdfoundation.org</a>) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense writeoff, so this is certainly a consideration for
some organizations or businesses.  There may also be exposure benefits
since the Foundation may be interested in participating in press releases.
In turn, the Foundation then uses these contributions to assist OpenBSD's
infrastructure needs.  Contact the foundation directors at
<a class="moz-txt-link-abbreviated" href="mailto:directors@openbsdfoundation.org">directors@openbsdfoundation.org</a> for more information.

------------------------------------------------------------------------
- T-SHIRT SALES --------------------------------------------------------

The OpenBSD distribution companies also sell tshirts and polo shirts.
And our users like them too.  We have a variety of shirts available,
with the new and old designs, from our web ordering system at, as
described above.

The OpenBSD 4.6 t-shirts are available now.  We also sell our older
shirts, as well as a selection of OpenSSH t-shirts.

------------------------------------------------------------------------
- FTP INSTALLS ---------------------------------------------------------

If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via FTP.  Typically you need a single small piece of boot
media (e.g., a boot floppy) and then the rest of the files can be
installed from a number of locations, including directly off the
Internet.  Follow this simple set of instructions to ensure that
you find all of the documentation you will need while performing
an install via FTP.  With the CD-ROMs, the necessary documentation
is easier to find.

1) Read either of the following two files for a list of ftp
   mirrors which provide OpenBSD, then choose one near you:

        <a class="moz-txt-link-freetext" href="http://www.openbsd.org/ftp.html">http://www.OpenBSD.org/ftp.html</a>
        <a class="moz-txt-link-freetext" href="ftp://ftp.openbsd.org/pub/OpenBSD/4.6/ftplist">ftp://ftp.OpenBSD.org/pub/OpenBSD/4.6/ftplist</a>

   As of Oct 1, 2009, the following ftp mirror sites have the 4.6 release:

	<a class="moz-txt-link-freetext" href="ftp://ftp.stacken.kth.se/pub/OpenBSD/4.6/">ftp://ftp.stacken.kth.se/pub/OpenBSD/4.6/</a>	Sweden
	<a class="moz-txt-link-freetext" href="ftp://ftp2.usa.openbsd.org/pub/OpenBSD/4.6/">ftp://ftp2.usa.openbsd.org/pub/OpenBSD/4.6/</a>	NYC, USA
	<a class="moz-txt-link-freetext" href="ftp://ftp3.usa.openbsd.org/pub/OpenBSD/4.6/">ftp://ftp3.usa.openbsd.org/pub/OpenBSD/4.6/</a>	CO, USA
	<a class="moz-txt-link-freetext" href="ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.6/">ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.6/</a>	CA, USA
	<a class="moz-txt-link-freetext" href="ftp://rt.fm/pub/OpenBSD/4.6/">ftp://rt.fm/pub/OpenBSD/4.6/</a>			IL, USA

	The release is also available at the master site:

	<a class="moz-txt-link-freetext" href="ftp://ftp.openbsd.org/pub/OpenBSD/4.6/">ftp://ftp.openbsd.org/pub/OpenBSD/4.6/</a>	Alberta, Canada

	However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that ftp mirror site and go into the directory
   pub/OpenBSD/4.6/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT     armish/          mvme68k/         sparc64/
        Changelogs/      ftplist          mvme88k/         src.tar.gz
        HARDWARE         hp300/           packages/        sys.tar.gz
        PACKAGES         hppa/            ports.tar.gz     tools/
        PORTS            i386/            root.mail        vax/
        README           landisk/         sgi/             xenocara.tar.gz
        alpha/           mac68k/          socppc/          zaurus/
        amd64/           macppc/          sparc/

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        HARDWARE        - list of hardware we support
        PORTS           - description of our &quot;ports&quot; tree
        PACKAGES        - description of pre-compiled packages
        root.mail       - a copy of root's mail at initial login.
			  (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, i386.  This is a list of what you will see:

	INSTALL.i386    cd46.iso        floppyB46.fs    pxeboot*
	INSTALL.linux   cdboot*         floppyC46.fs    xbase46.tgz
	MD5             cdbr*           game46.tgz      xetc46.tgz
	base46.tgz      cdemu46.iso     index.txt       xfont46.tgz
	bsd*            comp46.tgz      install46.iso   xserv46.tgz
	bsd.mp*         etc46.tgz       man46.tgz       xshare46.tgz
	bsd.rd*         floppy46.fs     misc46.tgz

   If you are new to OpenBSD, fetch <span class="moz-txt-underscore"><span class="moz-txt-tag">_</span>at least<span class="moz-txt-tag">_</span></span> the file INSTALL.i386
   and the appropriate floppy*.fs or install46.iso files.  Consult the
   INSTALL.i386 file if you don't know which of the floppy images
   you need (or simply fetch all of them).

   If you use the install46.iso file (roughly 200MB in size), then you
   do not need the various *.tgz files since they are contained on that
   one-step ISO-format install CD.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.i386.  INSTALL.i386 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

        <a class="moz-txt-link-freetext" href="http://www.openbsd.org/errata.html">http://www.OpenBSD.org/errata.html</a>

   This is the page where we talk about the mistakes we made while
   creating the 4.6 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

Note: If you end up needing to write a raw floppy using Windows,
      you can use &quot;fdimage.exe&quot; located in the pub/OpenBSD/4.6/tools
      directory to do so.

------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.4.  Most of our architectures ship with X.Org, including
amd64, sparc, sparc64 and macppc.  During installation, you can install
X.Org quite easily.  Be sure to try out xdm(1) and see how we have
customized it for OpenBSD.

------------------------------------------------------------------------
- PORTS TREE -----------------------------------------------------------

The OpenBSD ports tree contains automated instructions for building
third party software.  The software has been verified to build and
run on the various OpenBSD architectures.  The 4.6 ports collection,
including many of the distribution files, is included on the 3-CD
set.  Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD.  Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).

------------------------------------------------------------------------
- BINARY PACKAGES WE PROVIDE -------------------------------------------

A large number of binary packages are provided.  Please see the PACKAGES
file (<a class="moz-txt-link-freetext" href="ftp://ftp.openbsd.org/pub/OpenBSD/4.6/PACKAGES">ftp://ftp.OpenBSD.org/pub/OpenBSD/4.6/PACKAGES</a>) for more details.

------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------

The CD-ROMs contain source code for all the subsystems explained
above, and the README (<a class="moz-txt-link-freetext" href="ftp://ftp.openbsd.org/pub/OpenBSD/4.6/README">ftp://ftp.OpenBSD.org/pub/OpenBSD/4.6/README</a>)
file explains how to deal with these source files.  For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/4.6/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------

OpenBSD 4.6 includes artwork and CD artistic layout by Ty Semaka,
who also arranged an audio track on the OpenBSD 4.6 CD set.  Ports
tree and package building by Jasper Lievisse Adriaanse, Michael Erdely,
Simon Bertrang, Stuart Henderson, Antoine Jacoutot, Robert Nagy,
Nikolay Sturm, and Christian Weisgerber.  System builds by Theo de Raadt,
Mark Kettenis, and Miod Vallat.  X11 builds by Todd Fries and Miod Vallat.
ISO-9660 filesystem layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who pre-ordered the 4.6 CD-ROM or bought our previous
CD-ROMs.  Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

    Alexander Bluhm, Alexander Hall, Alexander von Gernler,
    Alexander Yurchenko, Alexandre Ratchov, Alexey Vatchenko,
    Anders Magnusson, Andreas Gunnarsson, Anil Madhavapeddy,
    Antoine Jacoutot, Ariane van der Steldt, Artur Grabowski,
    Austin Hook, Benoit Lecocq, Bernd Ahlers, Bob Beck, Bret Lambert,
    Can Erkin Acar, Chad Loder, Charles Longeau, Chris Cappuccio,
    Chris Kuethe, Christian Weisgerber, Claudio Jeker,
    Constantine A. Murenin, Dale Rahn, Damien Bergamini, Damien Miller,
    Darren Tucker, David Gwynne, David Hill, David Krause, Eric Faurot,
    Esben Norby, Federico G. Schwindt, Felix Kronlage, Gilles Chehade,
    Giovanni Bechis, Gordon Willem Klok, Hans-Joerg Hoexer,
    Henning Brauer, Ian Darwin, Igor Sobrado, Ingo Schwarze,
    Jacek Masiulaniec, Jacob Meuser, Jakob Schlyter, Janne Johansson,
    Jared Yanovich, Jason Dixon, Jason George, Jason McIntyre,
    Jason Meltzer, Jasper Lievisse Adriaanse, Jim Razmus II, Joel Sing,
    Joerg Goltermann, Johan Mson Lindman, Jolan Luff, Jonathan Gray,
    Jordan Hargrave, Joris Vink, joshua stein, Kenneth R Westerback,
    Kevin Lo, Kevin Steves, Kjell Wooding, Kurt Miller, Landry Breuil,
    Laurent Fanis, Marc Espie, Marco Peereboom, Marco Pfatschbacher,
    Marco S Hyman, Marcus Glocker, Mark Kettenis, Mark Uemura,
    Markus Friedl, Martin Reindl, Martynas Venckus,
    Mathieu Sauve-Frankel, Mats O Jansson, Matthias Kilian,
    Matthieu Herrb, Michael Erdely, Michael Knudsen, Michele Marchetto,
    Mike Larkin, Miod Vallat, Moritz Grimm, Moritz Jodeit,
    Nicholas Marriott, Nick Holland, Nikolay Sturm, Okan Demirmen,
    Oleg Safiullin, Otto Moerbeek, Owain Ainsworth, Paul de Weerd,
    Paul Irofti, Peter Hessler, Peter Stromberg, Peter Valchev,
    Philip Guenther, Pierre-Emmanuel Andre, Pierre-Yves Ritschard,
    Rainer Giedat, Ray Lai, Reyk Floeter, Robert Nagy, Rui Reis,
    Ryan Thomas McBride, Simon Bertrang, Stefan Kempf, Steven Mestdagh,
    Stuart Henderson, Ted Unangst, Theo de Raadt, Thordur I. Bjornsson,
    Tobias Stoeckmann, Tobias Weingartner, Todd C. Miller, Todd Fries,
    Will Maier, William Yodlowsky, Xavier Santolaria, Yojiro Uo
</pre>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.it-slav.net/blogs/2009/10/18/openbsd-4-6-released/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Geeks on steroids or Slackathon</title>
		<link>http://www.it-slav.net/blogs/2009/08/15/geeks-on-steroids-or-slackathon/</link>
		<comments>http://www.it-slav.net/blogs/2009/08/15/geeks-on-steroids-or-slackathon/#comments</comments>
		<pubDate>Sat, 15 Aug 2009 19:13:53 +0000</pubDate>
		<dc:creator>peter</dc:creator>
				<category><![CDATA[Cool things]]></category>
		<category><![CDATA[Geek stuff]]></category>
		<category><![CDATA[OpenBSD]]></category>
		<category><![CDATA[english]]></category>

		<guid isPermaLink="false">http://www.it-slav.net/blogs/?p=1186</guid>
		<description><![CDATA[I just came back from this year&#8217;s Slackathon. It was interesting to meet some of the people on the OpenBSD mailing lists.
I have to admit that most of the presentations were too deep into the kernel for my knowledge, but I liked the conferences anyhow.
The Slackathon was the end of a Hackathon mostly funded by [...]]]></description>
			<content:encoded><![CDATA[<p>I just came back from this year&#8217;s Slackathon. It was interesting to meet some of the people on the OpenBSD mailing lists.</p>
<p>I have to admit that most of the presentations were too deep into the kernel for my knowledge, but I liked the conferences anyhow.</p>
<p>The Slackathon was the end of a <a title="Hackathon Stockholm 2009" href="http://www.openbsd.org/images/hackathons/f2k9.gif">Hackathon</a> mostly funded by NIC.SE, so many of the OpenBSD core developers were there, including Theo de Raadt; see the pic below.</p>
<p><img class="aligncenter size-full wp-image-1191" title="theoderaadt" src="http://www.it-slav.net/blogs/wp-content/uploads/2009/08/theoderaadt.jpg" alt="theoderaadt" width="692" height="922" /></p>
]]></content:encoded>
			<wfw:commentRss>http://www.it-slav.net/blogs/2009/08/15/geeks-on-steroids-or-slackathon/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Slackathon 2009, OpenBSD conference August 15th, Stockholm</title>
		<link>http://www.it-slav.net/blogs/2009/08/14/slackathon-2009-openbsd-conferance-august-15th-stockholm/</link>
		<comments>http://www.it-slav.net/blogs/2009/08/14/slackathon-2009-openbsd-conferance-august-15th-stockholm/#comments</comments>
		<pubDate>Fri, 14 Aug 2009 18:19:33 +0000</pubDate>
		<dc:creator>peter</dc:creator>
				<category><![CDATA[Cool things]]></category>
		<category><![CDATA[Geek stuff]]></category>
		<category><![CDATA[Hints]]></category>
		<category><![CDATA[Links]]></category>
		<category><![CDATA[OpenBSD]]></category>

		<guid isPermaLink="false">http://www.it-slav.net/blogs/?p=1176</guid>
		<description><![CDATA[I&#8217;ll attend this year&#8217;s Slackathon in Stockholm. I hope I will see you there.
Welcome to this year&#8217;s Slackathon!
It will be held August 15th, at the Stockholm University, though not in
the same conference room as the previous years, since it couldn&#8217;t hold
all visitors anymore!
As previous years, the website is slowly getting into shape, and
probably won&#8217;t hold [...]]]></description>
			<content:encoded><![CDATA[<p>I&#8217;ll attend this year&#8217;s Slackathon in Stockholm. I hope I will see you there.</p>
<blockquote><p>Welcome to this year&#8217;s Slackathon!</p>
<p>It will be held August 15th, at the Stockholm University, though not in the same conference room as the previous years, since it couldn&#8217;t hold all visitors anymore!</p>
<p>As previous years, the website is slowly getting into shape, and probably won&#8217;t hold the complete &#8220;truth&#8221; until afterwards, since we update it as we get more correct info. Be sure to check the web more frequently as we get closer to the event.</p>
<p>The url is <a class="moz-txt-link-freetext" href="http://www.slackathon.se:2009/">http://www.slackathon.se:2009/</a></p>
<p>The description still points to the old location, but I&#8217;ll spank some sense into the web slaves so they make a better &#8220;how-to-get-here&#8221; that actually shows you are going to &#8220;Hörsal B3&#8221; and not the old conference room. We&#8217;ll put some blowfishes up to point people that come from the subway station in the right direction.</p>
<p>This year, there will be even more OpenBSD developers attending, since the Slackathon 2009 is right after the f2k9 Filesystem Hackathon which I am hosting at my work using a grant from the IIS foundation (the guys and gals running the .SE top level domain)</p>
<p>Also note, that since there doesn&#8217;t seem to be an OpenCon this year, the Slackathon probably is the only major OpenBSD-only conference held, so even if it collides with HAR2009 and the Stockholm &#8220;midnight run&#8221;, you don&#8217;t want to miss it!</p>
<p>Get them begging skills warmed up and draw donations from friends, employers, parents or other rich entities that you think should donate to OpenBSD and OpenSSH! It would also be nice if you help spread the word around on various forums and communities.</p>
<p>As with previous years there will be no entrance fee and dinner will be served for free to everyone, but I&#8217;d still need you to pre-announce if you want it so I can make the correct amount of food, and also if you want the vegan version.</p>
<p>For all of you who don&#8217;t live nearby, we can probably find you a couch to sleep on here, just send a heads-up and we&#8217;ll dig up a few &#8220;volunteers&#8221; to share their living quarters with you.</p>
<p>Hope to see you all there!</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.it-slav.net/blogs/2009/08/14/slackathon-2009-openbsd-conferance-august-15th-stockholm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OpenBSD 4.5 is out</title>
		<link>http://www.it-slav.net/blogs/2009/05/02/openbsd-45-is-out/</link>
		<comments>http://www.it-slav.net/blogs/2009/05/02/openbsd-45-is-out/#comments</comments>
		<pubDate>Sat, 02 May 2009 08:46:08 +0000</pubDate>
		<dc:creator>peter</dc:creator>
				<category><![CDATA[Hints]]></category>
		<category><![CDATA[Links]]></category>
		<category><![CDATA[OpenBSD]]></category>
		<category><![CDATA[english]]></category>

		<guid isPermaLink="false">http://www.it-slav.net/blogs/?p=1034</guid>
		<description><![CDATA[May 1, 2009.

We are pleased to announce the official release of OpenBSD 4.5.
This is our 25th release on CD-ROM (and 26th via FTP).  We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.

As in our previous releases, 4.5 provides significant improvements,
including new features, in nearly all [...]]]></description>
			<content:encoded><![CDATA[<blockquote><pre>May 1, 2009.

We are pleased to announce the official release of OpenBSD 4.5.
This is our 25th release on CD-ROM (and 26th via FTP).  We remain
proud of OpenBSD's record of more than ten years with only two remote
holes in the default install.
<span id="more-1034"></span>
As in our previous releases, 4.5 provides significant improvements,
including new features, in nearly all areas of the system:

- New/extended platforms:
    o Initial ports to the xscale based gumstix platform and the ARM
      based OpenMoko
    o OpenBSD/sparc64
      o New vdsk(4) and vnet(4) drivers provide support for virtual
        I/O between logical domains on Sun's CoolThreads servers,
        including UltraSPARC T2+ machines.
      o Workstations and laptops with UltraSPARC IIe CPUs can now scale
        down the CPU frequency to save power.

- Improved hardware support, including:
    o Several new/improved drivers for sensors, including:
      o The cac(4) driver now has bio and sensor support.
      o The mpi(4) driver now has bio and sensor support.
      o New gpiodcf(4) driver for DCF77/HBG timedelta sensors
        through GPIO pins.
      o New schsio(4) driver for SMSC SCH311x LPC Super I/O devices.
      o The it(4) driver now supports IT8720F chips.
      o The it(4) driver now supports FAN4 and FAN5 sensors for
        IT8716F/IT8718F/IT8720F/IT8726F chips.
      o The owtemp(4) driver now supports Maxim/Dallas DS18B20 and
        DS1822 temperature sensors.
      o The km(4) driver now supports AMD Family 11h
        processors (Turion X2 Ultra et al).
      o The lm(4) driver now supports W83627DHG attachment on the ICC bus.
      o The lmenv(4) driver now has better support for the fan sensors
        on lm81, adm9240 and ds1780 chips.
      o The sdtemp(4) driver now supports ST STTS424 chips.
    o The em(4) driver now supports ICH9 IGP M and IGP M AMT chips.
    o The sdmmc(4) driver now supports SDHC cards.
    o The msk(4) driver now supports Yukon-2 FE+ (88E8040, 88E8042) based
      devices.
    o The iwn(4) driver now supports Intel WiFi Link 5100/5300 devices.
    o The wpi(4) and iwn(4) drivers now support hardware CCMP cryptography.
    o The ath(4) driver now has WPA-PSK support.
    o age(4), a driver for Attansic L1 gigabit Ethernet devices was added.
    o ale(4), a driver for Atheros AR81xx (aka Attansic L1E) Ethernet
      devices was added.
    o mos(4), a driver for Moschip MCS7730/7830 10/100 USB Ethernet
      devices was added.
    o jme(4), a driver for JMicron JMC250/JMC260 10/100 and Gigabit
      Ethernet devices was added.
    o run(4), a driver for Ralink USB IEEE 802.11a/b/g/Draft-N devices
      was added.
    o auacer(4), a driver for Acer Labs M5455 audio devices was added.
    o ifb(4), a driver for Sun Expert3D, Expert3D-Lite, XVR-500, XVR-600
      and XVR-1200 framebuffers (accelerated).
    o wildcatfb(4), an X driver for Sun Expert3D, Expert3D-Lite, XVR-500,
      XVR-600 and XVR-1200 framebuffers (unaccelerated).
    o sunffb(4), an accelerated X driver for Sun Creator, Creator 3D and
      Elite 3D framebuffers.
    o vdsk(4), a driver for virtual disks of sun4v logical domains.
    o vnet(4), a driver for virtual network adapters of sun4v logical domains.
    o vrng(4), a driver for the random number generator on Sun
      UltraSPARC T2/T2+ CPUs.
    o The vcons(4) driver is now interrupt driven.
    o ips(4), a driver for IBM SATA/SCSI ServeRAID controllers was added.
    o udfu(4), a driver for device firmware upgrade (DFU) was added.
    o Many improvements were made to the acpi(4) subsystem.
    o The umsm(4) driver supports several new EVDO/UMTS devices.
    o The mfi(4) driver now supports the next generation of
      MegaRAID SAS controllers.
    o New vsbic(4) driver for the MVME327A SCSI and floppy controller
      on mvme88k machines.
    o The re(4) driver, now supports 8168D/8111D-based devices.
    o The ehci(4) driver now supports isochronous transfers.
    o S/PDIF output support has been added to the ac97(4), auich(4),
      auvia(4) and azalia(4) drivers.
    o azalia(4) mixer has been clarified and simplified, support for 20-bit
      and 24-bit encodings has been added.
    o The gbe(4) frame buffer driver now supports acceleration.

- New tools:
    o ypldap(8), a YP server using LDAP as a backend.
    o xcompmgr(1) was added to xenocara.

- New functionality:
    o The libc resolver(3) may now be forced to perform lookups by TCP
      only using a new resolv.conf(5) option. The nameserver declaration
      in resolv.conf(5) has also been extended to allow specification
      of non-default nameserver ports.
    o apropos(1) has two new options (-S and -s) to allow searching by
      machine architecture and manual section.
    o aucat(1) now has audio server capability. Audio devices can be
      shared between multiple applications. Applications can run natively
      on fixed sample rate devices or on devices with unusual encodings.
      Multi-channel audio devices can be split into smaller independent
      subdevices.
    o aucat(1) now has a deviceless mode, in which it can be used as a
      general purpose audio file format conversion utility (to mix,
      demultiplex, resample or reencode files).
    o ifconfig(8) can now list channels supported by an IEEE 802.11 device.
    o New views were added to systat(8): malloc, bucket and pool. Improvements
      were made to existing views.
    o vnconfig(8) can now create devices with arbitrary geometry with the
      new -t option.
    o FFS filesystems are now supported on most devices, e.g. CD's, that have
      sector sizes other than 512 bytes.
    o Disklabels are now correctly placed and found on most devices,
      e.g. CD's, that have sector sizes other than 512 bytes.

- Assorted improvements and code cleanup:
    o malloc(3) has gained new attack mitigation measures; critical
      bookkeeping structures are protected at runtime using mprotect(2)
      and allocated at random addresses where possible.
    o A new version of the gdtoa code has been integrated, bringing
      better C99 support to printf(3) and friends.
    o Vastly improved C99 support in libm, including complex math support.

- Install/Upgrade process changes:
    o crunchgen(1) and crunchide(1) have been merged into crunchgen(8),
      which is now built and installed by default.
    o mksuncd(1) now lives in base and is installed by default.
    o CD-ROM installs are now supported on SGI.
    o Accept initial root passwords containing backslash characters.
    o Install now allows multiple interfaces to be configured with dhcp(8).
    o Upgrades now use the minimal protocols(5) and services(5) files
      provided on the install media.
    o The install media no longer contain a disktab(5) file.
    o Serial console speed is correctly determined on macppc.

- OpenSSH 5.2:
    o New features:
      o Added an option to ssh(1) to force logging to syslog rather
        than stderr.
      o The sshd_config(5) ForceCommand directive now accepts commandline
        arguments for the internal-sftp server.
      o The ssh(1) ~C escape commandline now supports runtime creation of
        dynamic port forwards.
      o Support the SOCKS4A protocol in ssh(1) dynamic forwards.
      o Support remote port forwarding with a listen port of '0'.
      o sshd(8) now supports setting PermitEmptyPasswords and
        AllowAgentForwarding in Match blocks.
    o The following significant bugs have been fixed in this release:
      o Repair a ssh(1) crash introduced in openssh-5.1 when the
        client is sent a zero-length banner.
      o The eow@openssh.com and no-more-sessions@openssh.com protocol
        extensions are now only sent to peers that identify
        themselves as OpenSSH.
      o Avoid printing "Non-public channel" warnings in sshd(8), since ssh(1)
        has sent incorrect channel numbers since ~2004; make ssh(1) send the
        correct channel number for SSH2_MSG_CHANNEL_SUCCESS and
        SSH2_MSG_CHANNEL_FAILURE.
      o Avoid double-free in ssh(1) ~C escape -L handler.
      o Correct fail-on-error behaviour in sftp(1) batchmode for remote
        stat operations.
      o Avoid hang in ssh(1) when attempting to connect to a server that
        has MaxSessions set to zero.

- Over 5,500 ports, minor robustness improvements in package tools.
    o Many pre-built packages for each architecture:
      i386:   5379    sparc64:  5174    alpha: 5132    sh:     1543
      amd64:  5312    powerpc:  5162    sparc: 2651    mips64: 3278
      arm:    4120    hppa:     4689    vax:   1718
    o Highlights include:
      o Gnome 2.24.3.
      o GNUstep 1.18.0.
      o KDE 3.5.10.
      o Mozilla Firefox 3.0.6.
      o Mozilla Thunderbird 2.0.0.19.
      o MySQL 5.0.77.
      o OpenOffice.org 2.4.2 and 3.0.1.
      o PostgreSQL 8.3.6.
      o Xfce 4.4.3.
      o OpenArena 0.8.1 (only for amd64, i386 and macppc)

- As usual, steady improvements in manual pages and other documentation.

- The system includes the following major components from outside
  suppliers:
      o Xenocara (based on X.Org 7.4 + patches, freetype 2.3.7,
        fontconfig 2.4.2, Mesa 7.2, xterm 239 and more)
      o Gcc 2.95.3 (+ patches) and 3.3.5 (+ patches)
      o Perl 5.10.0 (+ patches)
      o Our improved and secured version of Apache 1.3, with SSL/TLS
        and DSO support
      o OpenSSL 0.9.8j (+ patches)
      o Groff 1.15
      o Sendmail 8.14.3, with libmilter
      o Bind 9.4.2-P2 (+ patches)
      o Lynx 2.8.5rel.4 with HTTPS and IPv6 support (+ patches)
      o Sudo 1.7
      o Ncurses 5.2
      o Latest KAME IPv6
      o Heimdal 0.7.2 (+ patches)
      o Arla 0.35.7
      o Binutils 2.15 (+ patches)
      o Gdb 6.3 (+ patches)

If you'd like to see a list of what has changed between OpenBSD 4.4
and 4.5, look at

        <a class="moz-txt-link-freetext" href="http://www.openbsd.org/plus45.html">http://www.OpenBSD.org/plus45.html</a>

Even though the list is a summary of the most important changes
made to OpenBSD, it still is a very very long list.

------------------------------------------------------------------------
- SECURITY AND ERRATA --------------------------------------------------

We provide patches for known security threats and other important
issues discovered after each CD release.  As usual, between the
creation of the OpenBSD 4.5 FTP/CD-ROM binaries and the actual 4.5
release date, our team found and fixed some new reliability problems
(note: most are minor and in subsystems that are not enabled by
default).  Our continued research into security means we will find
new security problems -- and we always provide patches as soon as
possible.  Therefore, we advise regular visits to

        <a class="moz-txt-link-freetext" href="http://www.openbsd.org/security.html">http://www.OpenBSD.org/security.html</a>
and
	<a class="moz-txt-link-freetext" href="http://www.openbsd.org/errata.html">http://www.OpenBSD.org/errata.html</a>

Security patch announcements are sent to the <a class="moz-txt-link-abbreviated" href="mailto:security-announce@OpenBSD.org">security-announce@OpenBSD.org</a>
mailing list.  For information on OpenBSD mailing lists, please see:

	<a class="moz-txt-link-freetext" href="http://www.openbsd.org/mail.html">http://www.OpenBSD.org/mail.html</a>

------------------------------------------------------------------------
- CD-ROM SALES ---------------------------------------------------------

OpenBSD 4.5 is also available on CD-ROM.  The 3-CD set costs $50 CDN and
is available via mail order and from a number of contacts around the
world.  The set includes a colourful booklet which carefully explains the
installation of OpenBSD.  A new set of cute little stickers is also
included (sorry, but our FTP mirror sites do not support STP, the Sticker
Transfer Protocol).  As an added bonus, the second CD contains an audio
track, a song entitled "Games".  MP3 and OGG versions of the audio track
can be found on the first CD.

Lyrics (and an explanation) for the songs may be found at:

    <a class="moz-txt-link-freetext" href="http://www.openbsd.org/lyrics.html#45">http://www.OpenBSD.org/lyrics.html#45</a>

Profits from CD sales are the primary income source for the OpenBSD
project -- in essence selling these CD-ROM units ensures that OpenBSD
will continue to make another release six months from now.

The OpenBSD 4.5 CD-ROMs are bootable on the following four platforms:

  o i386
  o amd64
  o macppc
  o sparc64

(Other platforms must boot from floppy, network, or other method).

For more information on ordering CD-ROMs, see:

        <a class="moz-txt-link-freetext" href="http://www.openbsd.org/orders.html">http://www.OpenBSD.org/orders.html</a>

The above web page lists a number of places where OpenBSD CD-ROMs
can be purchased from.  For our default mail order, go directly to:

        <a class="moz-txt-link-freetext" href="https://https.openbsd.org/cgi-bin/order">https://https.OpenBSD.org/cgi-bin/order</a>

All of our developers strongly urge you to buy a CD-ROM and support
our future efforts.  Additionally, donations to the project are
highly appreciated, as described in more detail at:

        <a class="moz-txt-link-freetext" href="http://www.openbsd.org/goals.html#funding">http://www.OpenBSD.org/goals.html#funding</a>

------------------------------------------------------------------------
- OPENBSD FOUNDATION ---------------------------------------------------

For those unable to make their contributions as straightforward gifts,
the OpenBSD Foundation (<a class="moz-txt-link-freetext" href="http://www.openbsdfoundation.org/">http://www.openbsdfoundation.org</a>) is a Canadian
not-for-profit corporation that can accept larger contributions and
issue receipts.  In some situations, their receipt may qualify as a
business expense writeoff, so this is certainly a consideration for
some organizations or businesses.  There may also be exposure benefits
since the Foundation may be interested in participating in press releases.
In turn, the Foundation then uses these contributions to assist OpenBSD's
infrastructure needs.  Contact the foundation directors at
<a class="moz-txt-link-abbreviated" href="mailto:directors@openbsdfoundation.org">directors@openbsdfoundation.org</a> for more information.

------------------------------------------------------------------------
- T-SHIRT SALES --------------------------------------------------------

The OpenBSD distribution companies also sell tshirts and polo shirts.
And our users like them too.  We have a variety of shirts available,
with the new and old designs, from our web ordering system at, as
described above.

The OpenBSD 4.5 t-shirts are available now.  We also sell our older
shirts, as well as a selection of OpenSSH t-shirts.

------------------------------------------------------------------------
- FTP INSTALLS ---------------------------------------------------------

If you choose not to buy an OpenBSD CD-ROM, OpenBSD can be easily
installed via FTP.  Typically you need a single small piece of boot
media (e.g., a boot floppy) and then the rest of the files can be
installed from a number of locations, including directly off the
Internet.  Follow this simple set of instructions to ensure that
you find all of the documentation you will need while performing
an install via FTP.  With the CD-ROMs, the necessary documentation
is easier to find.

1) Read either of the following two files for a list of ftp
   mirrors which provide OpenBSD, then choose one near you:

        <a class="moz-txt-link-freetext" href="http://www.openbsd.org/ftp.html">http://www.OpenBSD.org/ftp.html</a>
        <a class="moz-txt-link-freetext" href="ftp://ftp.openbsd.org/pub/OpenBSD/4.5/ftplist">ftp://ftp.OpenBSD.org/pub/OpenBSD/4.5/ftplist</a>

   As of May 1, 2009, the following ftp mirror sites have the 4.5 release:

	<a class="moz-txt-link-freetext" href="ftp://ftp.stacken.kth.se/pub/OpenBSD/4.5/">ftp://ftp.stacken.kth.se/pub/OpenBSD/4.5/</a>	Sweden
	<a class="moz-txt-link-freetext" href="ftp://ftp2.usa.openbsd.org/pub/OpenBSD/4.5/">ftp://ftp2.usa.openbsd.org/pub/OpenBSD/4.5/</a>	NYC, USA
	<a class="moz-txt-link-freetext" href="ftp://ftp3.usa.openbsd.org/pub/OpenBSD/4.5/">ftp://ftp3.usa.openbsd.org/pub/OpenBSD/4.5/</a>	CO, USA
	<a class="moz-txt-link-freetext" href="ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.5/">ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.5/</a>	CA, USA
	<a class="moz-txt-link-freetext" href="ftp://rt.fm/pub/OpenBSD/4.5/">ftp://rt.fm/pub/OpenBSD/4.5/</a>			IL, USA

	The release is also available at the master site:

	<a class="moz-txt-link-freetext" href="ftp://ftp.openbsd.org/pub/OpenBSD/4.5/">ftp://ftp.openbsd.org/pub/OpenBSD/4.5/</a>	Alberta, Canada

	However it is strongly suggested you use a mirror.

   Other mirror sites may take a day or two to update.

2) Connect to that ftp mirror site and go into the directory
   pub/OpenBSD/4.5/ which contains these files and directories.
   This is a list of what you will see:

        ANNOUNCEMENT   amd64/         macppc/        sys.tar.gz
        Changelogs/    armish/        mvme68k/       tools/
        HARDWARE       ftplist        packages/      vax/
        PACKAGES       hp300/         ports.tar.gz   xenocara.tar.gz
        PORTS          hppa/          root.mail      zaurus/
        README         i386/          sparc/
        SIZES          landisk/       sparc64/
        alpha/         mac68k/        src.tar.gz

   It is quite likely that you will want at LEAST the following
   files which apply to all the architectures OpenBSD supports.

        README          - generic README
        HARDWARE        - list of hardware we support
        PORTS           - description of our "ports" tree
        PACKAGES        - description of pre-compiled packages
        root.mail       - a copy of root's mail at initial login.
			  (This is really worthwhile reading).

3) Read the README file.  It is short, and a quick read will make
   sure you understand what else you need to fetch.

4) Next, go into the directory that applies to your architecture,
   for example, i386.  This is a list of what you will see:

	INSTALL.i386    cd45.iso        floppyB45.fs    pxeboot*
	INSTALL.linux   cdboot*         floppyC45.fs    xbase45.tgz
	MD5             cdbr*           game45.tgz      xetc45.tgz
	base45.tgz      cdemu45.iso     index.txt       xfont45.tgz
	bsd*            comp45.tgz      install45.iso   xserv45.tgz
	bsd.mp*         etc45.tgz       man45.tgz       xshare45.tgz
	bsd.rd*         floppy45.fs     misc45.tgz

   If you are new to OpenBSD, fetch _at least_ the file INSTALL.i386
   and the appropriate floppy*.fs or install45.iso files.  Consult the
   INSTALL.i386 file if you don't know which of the floppy images
   you need (or simply fetch all of them).

   If you use the install45.iso file (roughly 200MB in size), then you
   do not need the various *.tgz files since they are contained on that
   one-step ISO-format install CD.

5) If you are an expert, follow the instructions in the file called
   README; otherwise, use the more complete instructions in the
   file called INSTALL.i386.  INSTALL.i386 may tell you that you
   need to fetch other files.

6) Just in case, take a peek at:

        <a class="moz-txt-link-freetext" href="http://www.openbsd.org/errata.html">http://www.OpenBSD.org/errata.html</a>

   This is the page where we talk about the mistakes we made while
   creating the 4.5 release, or the significant bugs we fixed
   post-release which we think our users should have fixes for.
   Patches and workarounds are clearly described there.

Note: If you end up needing to write a raw floppy using Windows,
      you can use "fdimage.exe" located in the pub/OpenBSD/4.5/tools
      directory to do so.

------------------------------------------------------------------------
- X.ORG FOR MOST ARCHITECTURES -----------------------------------------

X.Org has been integrated more closely into the system.  This release
contains X.Org 7.4.  Most of our architectures ship with X.Org, including
amd64, sparc, sparc64 and macppc.  During installation, you can install
X.Org quite easily.  Be sure to try out xdm(1) and see how we have
customized it for OpenBSD.

------------------------------------------------------------------------
- PORTS TREE -----------------------------------------------------------

The OpenBSD ports tree contains automated instructions for building
third party software.  The software has been verified to build and
run on the various OpenBSD architectures.  The 4.5 ports collection,
including many of the distribution files, is included on the 3-CD
set.  Please see the PORTS file for more information.

Note: some of the most popular ports, e.g., the Apache web server
and several X applications, come standard with OpenBSD.  Also, many
popular ports have been pre-compiled for those who do not desire
to build their own binaries (see BINARY PACKAGES, below).

------------------------------------------------------------------------
- BINARY PACKAGES WE PROVIDE -------------------------------------------

A large number of binary packages are provided.  Please see the PACKAGES
file (<a class="moz-txt-link-freetext" href="ftp://ftp.openbsd.org/pub/OpenBSD/4.5/PACKAGES">ftp://ftp.OpenBSD.org/pub/OpenBSD/4.5/PACKAGES</a>) for more details.

------------------------------------------------------------------------
- SYSTEM SOURCE CODE ---------------------------------------------------

The CD-ROMs contain source code for all the subsystems explained
above, and the README (<a class="moz-txt-link-freetext" href="ftp://ftp.openbsd.org/pub/OpenBSD/4.5/README">ftp://ftp.OpenBSD.org/pub/OpenBSD/4.5/README</a>)
file explains how to deal with these source files.  For those who
are doing an FTP install, the source code for all four subsystems
can be found in the pub/OpenBSD/4.5/ directory:

        xenocara.tar.gz     ports.tar.gz   src.tar.gz     sys.tar.gz

------------------------------------------------------------------------
- THANKS ---------------------------------------------------------------

OpenBSD 4.5 includes artwork and CD artistic layout by Ty Semaka,
who also arranged an audio track on the OpenBSD 4.5 CD set.  Ports
tree and package building by Jasper Lievisse Adriaanse, Michael Erdely,
Simon Bertrang, Stuart Henderson, Antoine Jacoutot, Robert Nagy,
Nikolay Sturm, and Christian Weisgerber.  System builds by Theo de Raadt,
Mark Kettenis, and Miod Vallat.  X11 builds by Todd Fries and Miod Vallat.
ISO-9660 filesystem layout by Theo de Raadt.

We would like to thank all of the people who sent in bug reports, bug
fixes, donation cheques, and hardware that we use.  We would also like
to thank those who pre-ordered the 4.5 CD-ROM or bought our previous
CD-ROMs.  Those who did not support us financially have still helped
us with our goal of improving the quality of the software.

Our developers are:

    Alexander Bluhm, Alexander Schrijver, Alexander Yurchenko,
    Alexander von Gernler, Alexandre Ratchov, Alexey Vatchenko,
    Anders Magnusson, Andreas Gunnarsson, Anil Madhavapeddy,
    Antoine Jacoutot, Ariane van der Steldt, Artur Grabowski,
    Austin Hook, Bernd Ahlers, Bob Beck, Bret Lambert, Can Erkin Acar,
    Chad Loder, Charles Longeau, Chris Kuethe, Christian Weisgerber,
    Claudio Jeker, Constantine A. Murenin, Dale Rahn, Damien Bergamini,
    Damien Miller, Darren Tucker, David Gwynne, David Hill,
    David Krause, Eric Faurot, Esben Norby, Federico G. Schwindt,
    Felix Kronlage, Gilles Chehade, Giovanni Bechis, Gordon Willem Klok,
    Hans-Joerg Hoexer, Henning Brauer, Ian Darwin, Igor Sobrado,
    Jacek Masiulaniec, Jacob Meuser, Jakob Schlyter, Janne Johansson,
    Jared Yanovich, Jason Dixon, Jason George, Jason McIntyre,
    Jasper Lievisse Adriaanse, Joel Sing, Joerg Goltermann, Jolan Luff,
    Jonathan Gray, Jordan Hargrave, Joris Vink, Joshua Stein,
    Kenneth R Westerback, Kevin Lo, Kevin Steves, Kjell Wooding,
    Kurt Miller, Landry Breuil, Laurent Fanis, Marc Balmer, Marc Espie,
    Marco Peereboom, Marco Pfatschbacher, Marco S Hyman, Marcus Glocker,
    Mark Kettenis, Mark Uemura, Markus Friedl, Martin Reindl,
    Martynas Venckus, Mathieu Sauve-Frankel, Mats O Jansson,
    Matthias Kilian, Matthieu Herrb, Michael Erdely, Michael Knudsen,
    Michele Marchetto, Mike Belopuhov, Mike Larkin, Miod Vallat,
    Moritz Jodeit, Nick Holland, Nikolay Sturm, Okan Demirmen,
    Oleg Safiullin, Otto Moerbeek, Owain Ainsworth, Paul Irofti,
    Paul de Weerd, Pedro Martelletto, Peter Hessler, Peter Stromberg,
    Peter Valchev, Philip Guenther, Pierre-Emmanuel Andre,
    Pierre-Yves Ritschard, Rainer Giedat, Ray Lai, Reyk Floeter,
    Robert Nagy, Rui Reis, Ryan Thomas McBride, Simon Bertrang,
    Stefan Kempf, Stefan Sperling, Steven Mestdagh, Stuart Henderson,
    Ted Unangst, Theo de Raadt, Thordur I. Bjornsson, Tobias Stoeckmann,
    Tobias Weingartner, Todd C. Miller, Todd Fries, Will Maier,
    Xavier Santolaria, Yojiro Uo</pre>
</blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.it-slav.net/blogs/2009/05/02/openbsd-45-is-out/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Monitor an IPsec VPN tunnel on OpenBSD with Nagios or op5 Monitor</title>
		<link>http://www.it-slav.net/blogs/2009/04/27/monitor-an-ipsec-vpn-tunnel-on-openbsd-with-nagios-or-op5-monitor/</link>
		<comments>http://www.it-slav.net/blogs/2009/04/27/monitor-an-ipsec-vpn-tunnel-on-openbsd-with-nagios-or-op5-monitor/#comments</comments>
		<pubDate>Mon, 27 Apr 2009 06:48:31 +0000</pubDate>
		<dc:creator>peter</dc:creator>
				<category><![CDATA[Cool things]]></category>
		<category><![CDATA[Nagios]]></category>
		<category><![CDATA[OpenBSD]]></category>
		<category><![CDATA[english]]></category>
		<category><![CDATA[op5 Monitor]]></category>
		<category><![CDATA[sysadmin]]></category>
		<category><![CDATA[ipsec]]></category>
		<category><![CDATA[vpn]]></category>

		<guid isPermaLink="false">http://www.it-slav.net/blogs/?p=1006</guid>
		<description><![CDATA[Background
This article describes how to monitor an IPsec tunnel running on OpenBSD. I could not find an existing plugin, so I created my own.
The prerequisites for this article are:

A working Nagios or op5 Monitor setup
An IPsec VPN tunnel running on OpenBSD
A working NRPE agent on the OpenBSD box


&#160;
Theory
The way of getting the status [...]]]></description>
			<content:encoded><![CDATA[<h2>Background</h2>
<p>This article describes how to monitor an IPsec tunnel running on OpenBSD. I could not find an existing plugin, so I created my own.</p>
<p>The prerequisites for this article are:</p>
<ul>
<li>A working <a href="http://www.nagios.org" target="_blank">Nagios</a> or <a href="http://www.op5.com/op5/products/monitor" target="_blank">op5 Monitor</a> setup</li>
<li>An <a href="http://www.openbsd.org/cgi-bin/man.cgi?query=ipsec&amp;apropos=0&amp;sektion=0&amp;manpath=OpenBSD+Current&amp;arch=i386&amp;format=html" target="_blank">IPsec VPN tunnel</a> running on <a href="http://www.openbsd.org" target="_blank">OpenBSD</a></li>
<li>A working NRPE agent on the OpenBSD box</li>
</ul>
<p><span id="more-1006"></span></p>
<p>&nbsp;</p>
<h2>Theory</h2>
<p>The way to get the status of IPsec on OpenBSD is by running:</p>
<pre>
ipsecctl -s s</pre>
<pre>
esp tunnel from x.x.x.x to y.y.y.y spi 0xe58a63d3 auth hmac-md5 enc 3des-cbc \
        authkey 0xabcdfghijklmnopqrstuvxyz \
        enckey 0xabcdfghijklmnopqrstuvxyz
esp tunnel from y.y.y.y to x.x.x.x spi 0x555f1f13 auth hmac-md5 enc 3des-cbc \
        authkey 0xabcdfghijklmnopqrstuvxyz \
        enckey 0xabcdfghijklmnopqrstuvxyz</pre>
<p>This shows that the IPsec tunnel between x.x.x.x and y.y.y.y is up.</p>
<p><em>Depending on the OpenBSD version, the output will be different.</em></p>
<p>&nbsp;</p>
<h2>Plugin</h2>
<p>I put the plugin in /opt/plugins/custom on my OpenBSD box.</p>
<pre>
#!/bin/sh
#
# Copyright (C) 2009 Peter Andersson, peter@it-slav.net
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
#
# Very simple plugin that checks if an IPsec VPN is up between two IP addresses
# Tested on OpenBSD 4.0
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see &lt;http://www.gnu.org/licenses/&gt;.
#
# Example use of this script:
# ./check_ipsecctl 10.1.1.1 10.2.1.1 &quot;VPN HQ&quot;
# OK: VPN HQ is up
#
# ./check_ipsecctl 10.1.1.1 10.2.1.1 &quot;VPN HQ&quot;
# CRITICAL: VPN HQ is down (No IP-SEC VPN from 10.1.1.1 to 10.2.1.1  No IP-SEC VPN from 10.2.1.1 to 10.1.1.1)
#
#
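IPSECCTL=&quot;/sbin/ipsecctl -s sa&quot;
STATUS=0

# Without all three arguments the grep patterns below are meaningless,
# so report UNKNOWN (exit code 3) instead of a false OK or CRITICAL
if [ $# -ne 3 ]; then
        echo &quot;UNKNOWN: usage: $0 ip1 ip2 description&quot;
        exit 3
fi

# grep -F matches the addresses literally (a dot is not a wildcard) and the
# trailing space stops 10.2.1.1 from also matching 10.2.1.10.
# Any non-zero grep status (no match or an error) counts as tunnel down.
$IPSECCTL | grep -F &quot;from $1 to $2 &quot; &gt;/dev/null
if [ $? -ne 0 ]; then
        STATUS=2;
        OUTPUT1=&quot;No IP-SEC VPN from $1 to $2 &quot;
fi

$IPSECCTL | grep -F &quot;from $2 to $1 &quot; &gt;/dev/null
if [ $? -ne 0 ]; then
        STATUS=2;
        OUTPUT2=&quot;No IP-SEC VPN from $2 to $1&quot;
fi

if [ $STATUS -eq 0 ]; then
        echo &quot;OK: $3 is up&quot;
        exit $STATUS
else
        echo &quot;CRITICAL: $3 is down ($OUTPUT1 $OUTPUT2)&quot;
        exit $STATUS
fi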
</pre>
<h2>Nrpe config</h2>
<p>Nagios runs check_ipsecctl via NRPE. It must run as a privileged user, so I use sudo. In /etc/nrpe.cfg:</p>
<pre>
command[vpn_johan]=sudo /opt/plugins/custom/check_ipsecctl x.x.x.x y.y.y.y &quot;VPN Johan&quot;
</pre>
<p>x.x.x.x and y.y.y.y are the IP addresses where the VPN tunnel terminates.</p>
<p>&nbsp;</p>
<h2>Sudo</h2>
<p>Use sudoedit /etc/sudoers to modify the sudo config file:</p>
<pre>
nagios  ALL=(root) NOPASSWD: /opt/plugins/custom/check_ipsecctl
</pre>
<p>&nbsp;</p>
<p>&nbsp;</p>
<h2>Nagios or op5 Monitor configuration</h2>
<p>The VPN connection can be treated as a service running on the OpenBSD box, but in my opinion, the VPN should be treated as a host, using the plugin above to check that the host is alive, and the hosts at the other end of the VPN connection should have the VPN tunnel as parent. The advantage is that if the VPN tunnel is down, the hosts and services behind it are unreachable, which is the correct behavior.</p>
<p>&nbsp;</p>
<p>hosts.cfg</p>
<pre>
# host template 'default-hosttemplate-nrpe'
define host{
    name                           default-hosttemplate-nrpe
    check_command                  check_nrpe
    max_check_attempts             5
    obsess_over_host               0
    check_freshness                0
    active_checks_enabled          1
    passive_checks_enabled         1
    event_handler_enabled          1
    flap_detection_enabled         1
    flap_detection_options         n
    process_perf_data              1
    retain_status_information      1
    retain_nonstatus_information   1
    notification_interval          0
    notification_period            24x7
    notification_options           d,u,r,f
    notifications_enabled          1
    stalking_options               n
    register                       0
    }
# host 'vpn-johan'
define host{
    use                            default-hosttemplate-nrpe
    host_name                      vpn-johan
    alias                          vpn johan
    address                        10.1.1.1
    parents                        internet
    check_command                  check_nrpe!vpn_johan
    contact_groups                 it-slav_msn,it-slav_mail,call_it-slav
    }
</pre>
<p>10.1.1.1 is the IP address of my OpenBSD box. The reason for using a template is that I&#8217;m using the web-based config tool that comes with op5 Monitor.</p>
<h2>The result</h2>
<p><img height="293" width="264" class="aligncenter size-full wp-image-1020" title="vpn-op5monitor" src="http://www.it-slav.net/blogs/wp-content/uploads/2009/04/vpn-op5monitor.png" alt="vpn-op5monitor" /></p>
<h2>Links</h2>
<ul>
<li><a href="http://www.nagios.org" target="_blank">Nagios</a></li>
<li><a href="http://www.op5.com/op5/products/monitor" target="_blank">op5 Monitor</a>, a Nagios-based, fully supported monitoring solution</li>
<li><a href="http://www.openbsd.org" target="_blank">OpenBSD</a>, a FREE, multi-platform 4.4BSD-based UNIX-like operating system.</li>
<li><a href="http://www.ietf.org/proceedings/37/charters/ipsec-charter.html" target="_blank">IPsec</a>, a suite of protocols for securing Internet Protocol communications by authenticating and encrypting each IP packet of a data stream.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.it-slav.net/blogs/2009/04/27/monitor-an-ipsec-vpn-tunnel-on-openbsd-with-nagios-or-op5-monitor/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Ssh blocker OpenBSD</title>
		<link>http://www.it-slav.net/blogs/2009/02/09/ssh-blocker-openbsd/</link>
		<comments>http://www.it-slav.net/blogs/2009/02/09/ssh-blocker-openbsd/#comments</comments>
		<pubDate>Mon, 09 Feb 2009 19:36:53 +0000</pubDate>
		<dc:creator>peter</dc:creator>
				<category><![CDATA[Geek stuff]]></category>
		<category><![CDATA[OpenBSD]]></category>
		<category><![CDATA[bash]]></category>
		<category><![CDATA[english]]></category>
		<category><![CDATA[it-slav.net]]></category>
		<category><![CDATA[sysadmin]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[packetfilter]]></category>

		<guid isPermaLink="false">http://www.it-slav.net/blogs/?p=183</guid>
		<description><![CDATA[My firewall gets a lot of failed SSH logins.
This is a typical log message in /var/log/authlog
Feb  9 20:15:49 pedro sshd[30934]: Failed password for root from 67.205.85.119 port 35603 ssh2
Feb  9 20:15:49 pedro sshd[2656]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb  9 20:15:51 pedro sshd[15299]: Failed password for root from 67.205.85.119 port 35753 ssh2
Feb  9 20:15:51 pedro [...]]]></description>
			<content:encoded><![CDATA[<p>My firewall gets a lot of failed SSH logins.</p>
<p>This is a typical log message in /var/log/authlog</p>
<pre>Feb  9 20:15:49 pedro sshd[30934]: Failed password for root from 67.205.85.119 port 35603 ssh2
Feb  9 20:15:49 pedro sshd[2656]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb  9 20:15:51 pedro sshd[15299]: Failed password for root from 67.205.85.119 port 35753 ssh2
Feb  9 20:15:51 pedro sshd[15791]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb  9 20:15:53 pedro sshd[9043]: Failed password for root from 67.205.85.119 port 35882 ssh2
Feb  9 20:15:53 pedro sshd[31484]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb  9 20:15:54 pedro sshd[27717]: Failed password for root from 67.205.85.119 port 36030 ssh2
Feb  9 20:15:55 pedro sshd[30185]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb  9 20:15:56 pedro sshd[27718]: Failed password for root from 67.205.85.119 port 36164 ssh2
Feb  9 20:15:56 pedro sshd[28005]: Received disconnect from 67.205.85.119: 11: Bye Bye
Feb  9 20:15:58 pedro sshd[30648]: Failed password for root from 67.205.85.119 port 36314 ssh2
Feb  9 20:15:58 pedro sshd[21087]: Received disconnect from 67.205.85.119: 11: Bye Bye
</pre>
<p>Of course this is a script kiddie that tries to break into my firewall just because it answers on port 22, and it is annoying. One way to make it a little harder to break in is to let the packet filter drop all packets that come from an IP address that did this.</p>
<p>This is one way of doing it.</p>
<p><span id="more-183"></span></p>
<p><br class="spacer_" /></p>
<h3>Create a pf blacklist in /etc/pf.conf</h3>
<p>&#8211;snip&#8211;</p>
<pre>table &lt;ssh_blacklist&gt; persist file "/var/pf/ssh_blacklist"
...</pre>
<pre>block in quick log on $ext_if from &lt;ssh_blacklist&gt; to any</pre>
<p>&#8211;snip&#8211;</p>
<p><br class="spacer_" /></p>
<h3>Create a script that detects failed ssh breakin attempts and updates the blacklist</h3>
<pre>root@pedro:/var/log# cat /root/scripts/blockbadssh.sh
#!/bin/sh
logger "Check for bad ssh behavior"
PATH=/bin:/usr/bin
BL=/var/pf/ssh_blacklist
TEMPFILE=$(mktemp /tmp/bl_XXXXXX) || exit 1
TEMPFILE2=$(mktemp /tmp/bl2_XXXXXX) || exit 1

#cp $BL $TEMPFILE
# Collect the source address of every failed login; the awk field number
# depends on the message type
grep "Invalid user" /var/log/authlog | awk '{print $10}' | sort | uniq &gt; $TEMPFILE2
grep "Failed password for invalid" /var/log/authlog | awk '{print $13}' | sort | uniq  &gt;&gt; $TEMPFILE2
grep "Failed password for root" /var/log/authlog | awk '{print $11}' | sort | uniq  &gt;&gt; $TEMPFILE2

sort $TEMPFILE2 |uniq &gt; $TEMPFILE
#echo "Now TEMPFILE is"
#cat $TEMPFILE

#cat $BL &gt;&gt; $TEMPFILE
# Log each address that is not already in the blacklist
for i in `cat $TEMPFILE`
do
  # -x -F: compare whole lines literally, so 1.2.3.4 does not match 11.2.3.45
  if ! grep -qxF "$i" $BL
  then
    logger "Added $i to ssh-blacklist"
    echo "Added $i to ssh-blacklist"
  fi
done

# Merge old and new entries, then load the result into the pf table
cat $BL &gt;&gt; $TEMPFILE
sort $TEMPFILE | uniq &gt; $BL

rm $TEMPFILE
rm $TEMPFILE2

/sbin/pfctl -t ssh_blacklist -Treplace -f $BL 2&gt;&amp;1 | grep -v "no changes"
</pre>
<h3>Make it run every minute</h3>
<pre>root@pedro:/var/log# crontab -l </pre>
<pre>*     *       *       *       *       /root/scripts/blockbadssh.sh
</pre>
<p>I know this is a dirty way of doing it, and it is a good idea to have another pf rule that accepts traffic from well-known hosts so you do not get blocked because you failed a login.</p>
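<p>Added example, not part of the original post or script: the address extraction step rewritten so that it does not depend on awk field positions, with an allowlist for the well-known hosts mentioned above. The function names, the allowlist file and the sample log lines are assumptions made for the illustration, and the MIN threshold goes beyond the original, which lists an address after a single failure.</p>

```shell
#!/bin/sh
# Added example, not the original blockbadssh.sh.

# offenders MIN: read sshd log lines on stdin and print, sorted, every IPv4
# address with at least MIN failed-login lines (default 1, which is what the
# original script does).
offenders() {
    awk -v min="${1:-1}" '
    function is_ipv4(a,    p, i) {
        if (split(a, p, ".") != 4) return 0
        for (i = 1; i <= 4; i++)
            if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
        return 1
    }
    # Same three message types the original script greps for.
    /sshd\[[0-9]+\]: (Invalid user |Failed password for (invalid user |root ))/ {
        # The user name is free text sent by the client and may contain
        # spaces, so read the address backwards from the end of the line:
        # "... from ADDR [port N] [ssh2]".
        n = NF
        if ($n == "ssh2") n--
        if (n > 2 && $(n - 1) == "port") n -= 2
        if (n < 2 || $(n - 1) != "from" || !is_ipv4($n)) next
        count[$n]++
    }
    END { for (a in count) if (count[a] >= min) print a }
    ' | sort
}

# drop_allowlisted FILE: remove from stdin every address listed in FILE
# (one per line), so a known-good host is never written to the blacklist.
drop_allowlisted() {
    awk 'FILENAME == ARGV[1] { allow[$1]; next } !($1 in allow)' "$1" -
}

# Constructed sample log (documentation address ranges, not real hosts).
sample_authlog() {
    cat <<'EOF'
Feb  9 20:15:49 pedro sshd[30934]: Failed password for root from 203.0.113.7 port 35603 ssh2
Feb  9 20:15:51 pedro sshd[15299]: Failed password for root from 203.0.113.7 port 35753 ssh2
Feb  9 20:15:53 pedro sshd[9043]: Failed password for invalid user admin from 203.0.113.7 port 35882 ssh2
Feb  9 20:15:55 pedro sshd[9044]: Invalid user test from 198.51.100.23
Feb  9 20:16:01 pedro sshd[9050]: Invalid user x from 192.0.2.10 from 198.51.100.23
Feb  9 20:16:05 pedro sshd[9052]: Failed password for peter from 192.0.2.99 port 50000 ssh2
Feb  9 20:16:06 pedro sshd[9053]: Received disconnect from 203.0.113.7: 11: Bye Bye
Feb  9 20:16:07 pedro sshd[9054]: Accepted publickey for peter from 192.0.2.99 port 50001 ssh2
EOF
}

# Stand-alone run: addresses with 3 or more failed-login lines in the sample.
sample_authlog | offenders 3
```

<p>In the cron script the pipeline would read /var/log/authlog instead of the sample, and its output would replace the contents of $TEMPFILE.</p>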
]]></content:encoded>
			<wfw:commentRss>http://www.it-slav.net/blogs/2009/02/09/ssh-blocker-openbsd/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Spamfighting</title>
		<link>http://www.it-slav.net/blogs/2008/11/02/spamfighting/</link>
		<comments>http://www.it-slav.net/blogs/2008/11/02/spamfighting/#comments</comments>
		<pubDate>Sun, 02 Nov 2008 09:38:50 +0000</pubDate>
		<dc:creator>peter</dc:creator>
				<category><![CDATA[Geek stuff]]></category>
		<category><![CDATA[OpenBSD]]></category>
		<category><![CDATA[graph]]></category>
		<category><![CDATA[spam]]></category>
		<category><![CDATA[sysadmin]]></category>

		<guid isPermaLink="false">http://www.it-slav.net/blogs/?p=70</guid>
		<description><![CDATA[I do not like spam.
This is a growing problem and there are many technologies to fight it.
As I&#8217;m the sysadmin of my mailserver it makes it possible to use many approaches. The best way is to find out if it is a spam before it is accepted at the SMTP server. I&#8217;m using a [...]]]></description>
			<content:encoded><![CDATA[<p><strong>I do not like spam.</strong></p>
<p>This is a growing problem and there are many technologies to fight it.</p>
<p>As I&#8217;m the sysadmin of my mail server, I can use many approaches. The best way is to find out whether a mail is spam before it is accepted at the SMTP server. I&#8217;m using a <a href="http://flakshack.com/anti-spam/wiki/index.php?page=FairlySecureAntiSpamWiki" target="_blank">Fairly-Secure Anti-SPAM Gateway Using OpenBSD, Postfix, Greylisting, Amavisd-new, SpamAssassin, Razor and DCC</a> and it is very effective.</p>
<ul>
<li>The first filter is to check if the receiver of the mail is valid. It might seem like an obvious first filter, but in many cases the host that receives mail from the internet only forwards it to an inner mail server, and suddenly invalid mails with a probably incorrect <strong>from</strong> address are the receiving organization&#8217;s problem. With this approach a valid mail with a misspelled <strong>to</strong> address will bounce back to the sender. If it is a spam mail, it will be the sending host&#8217;s problem to handle. I graph this and it can be found <a title="Graph Rejected mails it-slav.net" href="http://www.it-slav.net/~spamreport/mailrejected-year.png" target="_blank">here</a>. A qualified guess is that more or less all of them are spam.</li>
<li>The second step is a little more complex: the mail is scanned before it is accepted. If my spam scanner finds that the mail is spam, it tells the sending mail server that it-slav.net thinks this mail is spam and that it is not accepted. If nothing suspicious is found, the mail server accepts the mail and it is sent on to my mail server. The number of scanned mails in which spam is found is graphed and can be found <a title="Graph spam mails It-Slav.Net" href="http://www.it-slav.net/~spamreport/mailspam-year.png" target="_blank">here</a>.</li>
<li>A third technology I have used is <a href="http://en.wikipedia.org/wiki/Greylisting" target="_blank">greylisting</a>. It is very effective, but the technologies described above are good enough for me so I&#8217;m not using it now. It puts a little more burden on the sending host, and the first time a host sends a mail to a new host it will take some extra time.</li>
<li>A promising technology is <a title="SPF homepage" href="http://www.openspf.org/" target="_blank">SPF</a>. The idea is to guarantee that a mail comes from the place where it claims to come from; a good <a href="http://en.wikipedia.org/wiki/Sender_Policy_Framework" target="_blank">description</a> can be found at <a href="http://www.wikipedia.org/" target="_blank">wikipedia</a>. SpamAssassin uses SPF. If you want to prevent your domain from being used as the sender of spam, add some extra lines to your DNS record.</li>
<li>To annoy spam senders, a good idea could be to start a <a title="tarpit" href="http://en.wikipedia.org/wiki/Tarpit_(networking)" target="_blank">tarpit</a>. Send all spam senders to your tarpit and enjoy when they use their resources for nothing. It is <a title="spamd" href="http://www.openbsd.org/cgi-bin/man.cgi?query=spamd&amp;apropos=0&amp;sektion=0&amp;manpath=OpenBSD+Current&amp;arch=i386&amp;format=html" target="_blank">included</a> in <a href="http://www.openbsd.org">OpenBSD</a> in combination with greylisting.</li>
</ul>
<p>Graphs</p>
<ul>
<li><a href="http://www.it-slav.net/~spamreport/mailrejected-year.png" target="_blank">Rejected</a></li>
<li><a href="http://www.it-slav.net/~spamreport/mailspam-year.png" target="_blank">Spam</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.it-slav.net/blogs/2008/11/02/spamfighting/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>OpenBSD 4.4 is out</title>
		<link>http://www.it-slav.net/blogs/2008/11/01/40/</link>
		<comments>http://www.it-slav.net/blogs/2008/11/01/40/#comments</comments>
		<pubDate>Sat, 01 Nov 2008 08:27:30 +0000</pubDate>
		<dc:creator>peter</dc:creator>
				<category><![CDATA[Geek stuff]]></category>
		<category><![CDATA[OpenBSD]]></category>

		<guid isPermaLink="false">http://www.it-slav.net/blogs/?p=40</guid>
		<description><![CDATA[In my opinion the only install and forget OS is released in a new version.
Their slogan &#8220;Only two remote holes in the default install, in more than 10 years!&#8221;
tells what it is all about.
Every release has a song, very often with an ironic touch.
Take a look at the OpenBSD 4.4 changes, download and install.
Buy a [...]]]></description>
			<content:encoded><![CDATA[<p>In my opinion the only install and forget OS is released in a new version.<br />
Their slogan &#8220;Only two remote holes in the default install, in more than 10 years!&#8221;<br />
tells what it is all about.<br />
Every release has a <a title="OpenBSD Lyrics" href="http://www.openbsd.org/lyrics.html" target="_blank">song</a>, very often with an ironic touch.<br />
Take a look at the <a title="OpenBSD 4.4 Changes" href="http://www.openbsd.org/plus44.html" target="_blank">OpenBSD 4.4 changes</a>, download and install.</p>
<p>Buy a CD set or a T-shirt to support this excellent project.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.it-slav.net/blogs/2008/11/01/40/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
