webdump_tests

openbsd_73.html (79983B)

---

 <!doctype html>
 <html lang=en id=release>
 <head>
 <meta charset=utf-8>
 
 <title>OpenBSD 7.3</title>
 <meta name="description" content="OpenBSD 7.3">
 <meta name="viewport" content="width=device-width, initial-scale=1">
 <link rel="stylesheet" type="text/css" href="openbsd.css">
 <link rel="canonical" href="https://www.openbsd.org/73.html">
 </head><body>
 <h2 id=OpenBSD>
 <a href="index.html">
 <i>Open</i><b>BSD</b></a>
 7.3
 </h2>
 
 <table>
 <tr>
 <td>
 <a href="images/DryGarden.png">
 <img width="227" height="303" src="images/DryGarden-s.gif" alt="Dry Garden"></a>
 <td>
 Released Apr 10, 2023. (54th OpenBSD release)<br>
 Copyright 1997-2023, Theo de Raadt.<br>
 <br>
 7.3 Song: "<a href="lyrics.html#73">The Wizard and the Fish</a>"<br>
 Artwork by George Mager.
 <br>
 <ul>
 <li>See the information on <a href="ftp.html">the FTP page</a> for
     a list of mirror machines.
 <li>Go to the <code class=reldir>pub/OpenBSD/7.3/</code> directory on
     one of the mirror sites.
 <li>Have a look at <a href="errata73.html">the 7.3 errata page</a> for a list
     of bugs and workarounds.
 <li>See a <a href="plus73.html">detailed log of changes</a> between the
     7.2 and 7.3 releases.
 <p>
 <li><a href="https://man.openbsd.org/signify.1">signify(1)</a>
     pubkeys for this release:<p>
 
 <table class=signify>
 <tr><td>
 openbsd-73-base.pub:
 <td>
 <a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/openbsd-73-base.pub">
 RWQS90bYzZ4XFms5z9OodrFABHMQnW6htU+4Tmp88NuQiTEezMm2cQ3K</a>
 <tr><td>
 openbsd-73-fw.pub:
 <td>
 RWRSJW95RokBEZUxBFvPCEdtQPg2WMExzMIcjnXzVpIwUpyZZmfXun5a
 <tr><td>
 openbsd-73-pkg.pub:
 <td>
 RWTJxSCZzSPKGp8unIp/yxG2lvCXJg5lFVvbOBQUvKEnGHFAO8RPg3mr
 <tr><td>
 openbsd-73-syspatch.pub:
 <td>
 RWShXqVD7hfbBpWb1B5EGr1DUX8kkjkTueCsa243lLNocuuVU+2eWMn5
 </table>
 </ul>
 <p>
 All applicable copyrights and credits are in the src.tar.gz,
 sys.tar.gz, xenocara.tar.gz, ports.tar.gz files, or in the
 files fetched via <code>ports.tar.gz</code>.
 </table>
 
 <hr>
 
 <section id=new>
 <h3>What's New</h3>
 <p>
 This is a partial list of new features and systems included in OpenBSD 7.3.
 For a comprehensive list, see the <a href="plus73.html">changelog</a> leading
 to 7.3.
 
 <ul>
 
 <li>Various kernel improvements:
   <ul>
 
 
   <li>Added <a href="https://man.openbsd.org/waitid.2">waitid(2)</a>,
 	wait for process state change.
   <li>Added <a href="https://man.openbsd.org/pinsyscall.2">pinsyscall(2)</a>,
 	specify the call stub for a specific system call.
   <li>Added <a href="https://man.openbsd.org/getthrname.2">getthrname(2)</a> and
 	<a href="https://man.openbsd.org/setthrname.2">setthrname(2)</a>,
 	get or set thread name.
   <li>Added WTRAPPED option for <a
 	href="https://man.openbsd.org/waitid.2">waitid(2)</a> to control
 	whether CLD_TRAPPED state changes, i.e., ptrace(2) on a process, are reported.
 
 <!-- kernel internals -->
   <li>Introduced <a
 	href="https://man.openbsd.org/clockintr.9">clockintr(9)</a>, a
 	machine-independent clock interrupt scheduler. Switched all
 	architectures to use the new subsystem.
   <li>Introduced a new kern.autoconf_serial <a
 	href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> that can be used
 	by userland to monitor state changes of the kernel device tree.
   <li>Fixed <a href="https://man.openbsd.org/pmap.9">pmap(9)</a> bugs
 	involving entering an executable mapping for a page before
 	synchronizing the data and instruction cache on arm64 and riscv64.
   <li>Removed copystr(9) from the public API.
   <li>Added <a
 	href="https://man.openbsd.org/getnsecruntime.9">getnsecruntime(9)</a>.
 	Offers fast access to the system runtime clock at the cost of precision.
 
   <li>Prevent detaching ("bioctl -d detach") of a boot volume on a RAID managed by <a
 	href="https://man.openbsd.org/bioctl.8">bioctl(8)</a>.
 
   <li>On arm64, avoid using 1GB mappings for the identity map in the
 	early kernel bootstrap phase and when booting the secondary CPUs. This
 	avoids accidentally mapping memory regions that should not be mapped
 	(i.e. secure memory) as all mapped memory can be accessed
 	speculatively.
   <li>On arm64, add a machdep.lidaction <a
 	href="https://man.openbsd.org/sysctl.8">sysctl(8)</a> for <a
 	href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a> Apple Silicon
 	laptops.<br>
   	The arm64 default for the machdep.lidaction is 1, making the
 	system suspend when the lid is closed. <a
 	href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a> provides support
 	for the lid position sensor.
   <li>Changed arm64 suspend idle loop from WFE to WFI, avoiding spurious
 	wakeups while other CPUs are still active.
   <li>Added new <a href="https://man.openbsd.org/dt.4">dt(4)</a> tracing ioctl
 	DTIOCARGS to get the type of probe arguments.
   </ul>
 
 <li>SMP Improvements
   <ul>
   <li>Unlocked <a href="https://man.openbsd.org/mmap.2">mmap(2)</a>, <a
 	href="https://man.openbsd.org/munmap.2">munmap(2)</a>, and <a
 	href="https://man.openbsd.org/mprotect.2">mprotect(2)</a>.
   <li>Unlocked <a href="https://man.openbsd.org/sched_yield.2">sched_yield(2)</a>.
   <li>Added support for per-CPU counters to
 	<a href="https://man.openbsd.org/evcount.9">evcount(9)</a>.
 	Useful for counting events that are prone to occur simultaneously
 	across multiple CPUs, like clock interrupts and IPIs.
   <li>Moved <a href="https://man.openbsd.org/pf.4">pf(4)</a> purge
 	tasks out from under the kernel lock.
   <li>Unlocked <a href="https://man.openbsd.org/ioctl.2">ioctl(2)</a>
 	SIOCGIFCONF, SIOCGIFGMEMB, SIOCGIFGATTR, and SIOCGIFGLIST.
   <li>Protected interface tables in <a
 	href="https://man.openbsd.org/pf.4">pf(4)</a> with PF_LOCK(), allowing
 	removal of NET_LOCK() protection from the <a
 	href="https://man.openbsd.org/ioctl.2">ioctl(2)</a> code path in pf.
   <li>Unlocked <a
 	href="https://man.openbsd.org/getsockopt.2">getsockopt(2)</a> and <a
 	href="https://man.openbsd.org/setsockopt.2">setsockopt(2)</a>.
   <li>Completed removing kernel lock from IPv6 read ioctls.
   <li>Unlocked <a href="https://man.openbsd.org/minherit.2">minherit(2)</a>.
   <li>Made <a href="https://man.openbsd.org/tun.4">tun(4)</a> and <a
 	href="https://man.openbsd.org/tap.4">tap(4)</a> event filters MP-safe.
   <li>Unlocked <a href="https://man.openbsd.org/utrace.2">utrace(2)</a>.
   <li>Stopped holding the vm_map lock while flushing pages in <a
 	href="https://man.openbsd.org/msync.2">msync(2)</a> and <a
 	href="https://man.openbsd.org/madvise.2">madvise(2)</a>. Prevents a
 	3-thread deadlock between <a
 	href="https://man.openbsd.org/msync.2">msync(2)</a>, page-fault and <a
 	href="https://man.openbsd.org/mmap.2">mmap(2)</a>.
   <li>Unlocked <a
 	href="https://man.openbsd.org/select.2">select(2)</a>, <a
 	href="https://man.openbsd.org/pselect.2">pselect(2)</a>, <a
 	href="https://man.openbsd.org/poll.2">poll(2)</a>, and <a
 	href="https://man.openbsd.org/ppoll.2">ppoll(2)</a>.
   </ul>
 
 <li>Direct Rendering Manager and graphics drivers
   <ul>
   <li>Updated <a href="https://man.openbsd.org/drm.4">drm(4)</a>
       to Linux 6.1.15
   <li><a href="https://man.openbsd.org/drm.4">amdgpu(4)</a>: Added
       support for Ryzen 7000 "Raphael", Ryzen 7020 series "Mendocino",
       Ryzen 7045 series "Dragon Range",
       Radeon RX 7900 XT/XTX "Navi 31",
       Radeon RX 7600M (XT), 7700S, and 7600S "Navi 33."
   <li>Fixed frame buffer corruption and additional bugs after wakeup
 	on Apple Silicon laptops and the Lenovo x13s.
   <li>Added support for the backlight connector property to <a
 	href="https://man.openbsd.org/amdgpu.4">amdgpu(4)</a> as in <a
 	href="https://man.openbsd.org/inteldrm.4">inteldrm(4)</a>, making <a
 	href="https://man.openbsd.org/xbacklight.1">xbacklight(1)</a> work
 	when using the Xorg modesetting driver.
   </ul>
 
 <li>VMM/VMD improvements
   <ul>
 	<li>Updated <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> to
 		permit SVM guests read access to MSR_HWCR and MSR_PSTATEDEF.
 		Guests can use these registers on AMD 17h and 19h hosts to
 		determine the TSC frequency without calibrating against a
 		second clock.
 	<li>Allocated reference for vm and vcpu SLISTs in <a
 		href="https://man.openbsd.org/vmm.4">vmm(4)</a>, keeping vmm from
 		triggering excessive wakeup calls while iterating through the list of
 		vms while servicing an <a
 		href="https://man.openbsd.org/ioctl.2">ioctl(2)</a>.
 	<li>Set <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> RAX guest
 		register state based on VMCB.
 	<li>Removed locking in <a
 		href="https://man.openbsd.org/vmm.4">vmm(4)</a> vmm_intr_pending,
 		reducing slowdowns due to requests for a lock held while the VM is
 		running.
 	<li>Increased speed of delivery of interrupts to a running vcpu in <a
 		href="https://man.openbsd.org/vmm.4">vmm(4)</a>.
 	<li>Made <a href="https://man.openbsd.org/vmm.4">vmm(4)</a> treat vcpu
 		lists as immutable, removing the need to reference count individual
 		vcpu objects and use a rwlock.
 	<li>Implemented zero-copy operations on virtqueues in <a
 		href="https://man.openbsd.org/vmd.8">vmd(8)</a>.
 	<li>Provided a detailed e820 memory map when booting <a
 		href="https://man.openbsd.org/vmd.8">vmd(8)</a> guests with SeaBIOS.
 		When a vm initializes memory ranges, we now track what each range
 		represents. This information can be used to supply the e820 memory map
 		to SeaBIOS via the fw_cfg interface allowing it to properly
 		communicate memory ranges to a guest operating system. With this
 		special cases in ports can be removed.
 	<li>Added thread names to vm processes in <a
 		href="https://man.openbsd.org/vmd.8">vmd(8)</a>, visible in <a 
                 href="https://man.openbsd.org/ps.1">ps(1)</a>.
 	<li>Hid the WAITPKG cpu feature from <a
 		href="https://man.openbsd.org/vmm.4">vmm(4)</a> guests, preventing
 		invalid instruction exceptions. Also added WAITPKG feature
 		identification to i386 and amd64.
 	<li>Changed <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> to
 		only open /dev/vmm once, having the parent process send the fd to the
 		vmm child process.
 	<li>Restricted <a href="https://man.openbsd.org/vmm.4">vmm(4)</a>
 		exposed cpuid extended feature flags.
 	<li>Adjusted <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> error
 		paths to avoid removal of configuration-defined (known) VMs on error.
 	<li>Stopped being paranoid about hypervisor correct PKU handling.<br>
 	    Added saving and restoring guest PKRU to <a
 		href="https://man.openbsd.org/vmm.4">vmm(4)</a>. Expose the PKU cpuid
 		bit to the guest if in use on the host.
 	<li>Made <a href="https://man.openbsd.org/vmd.8">vmd(8)</a> scan the
 		PCI bus to determine bootorder strings.
   </ul>
 
 <li>Various new userland features:
   <ul>
   <li>Added <a href="https://man.openbsd.org/kdump.1">kdump(1)</a>
 	argument support for msyscall, pledge, unveil, __realpath, ypconnect
 	and __tmpfd.
   <li>Added <a
 	href="https://man.openbsd.org/mimmutable.2">mimmutable(2)</a> and <a
 	href="https://man.openbsd.org/munmap.2">munmap(2)</a> reporting to <a
 	href="https://man.openbsd.org/kdump.1">kdump(1)</a>.
   <li>Added <a
 	href="https://man.openbsd.org/lastcomm.1">lastcomm(1)</a> reporting
 	for process kills due to <a
 	href="https://man.openbsd.org/execve.2">execve(2)</a> from non-pinned
 	syscall address.
   </ul>
 
 <li>Various bugfixes and tweaks in userland:
   <ul>
   <li>Allow TZ to contain absolute paths starting with /usr/share/zoneinfo.
 	All absolute paths were ignored in 7.2 to avoid
 	<a href="https://man.openbsd.org/unveil.2">unveil(2)</a> violations.
   <li>Made <a href="https://man.openbsd.org/ldomctl.8">ldomctl(8)</a>
 	accept more descriptive name-based paths in addition to number-based
 	paths in <a
 	href="https://man.openbsd.org/ldom.conf.5">ldom.conf(5)</a>.
   <li>Dropped support for $rc_exec in <a
 	href="https://man.openbsd.org/rc.subr.8">rc.subr(8)</a>. The rc_exec
 	function should be used instead.
   <li>Excluded /tmp/*.shm files from /tmp cleaning in <a
 	href="https://man.openbsd.org/daily.8">daily(8)</a>. Removing them
 	interferes with programs that use shared memory via <a
 	href="https://man.openbsd.org/shm_open.3">shm_open(3)</a>.
   <li>Added zap-to-char and zap-up-to-char to <a
 	href="https://man.openbsd.org/mg.1">mg(1)</a>. Bound zap-to-char to
 	M-z.
   <li>Fixed handling of escaped backslashes in <a
 	href="https://man.openbsd.org/vi.1">vi(1)</a> ex_range.
   <li>Added support to <a
 	href="https://man.openbsd.org/gunzip.1">gunzip(1)</a> for zip files
 	that contain a single member.
   <li>Fixed <a href="https://man.openbsd.org/ed.1">ed(1)</a> to print
 	bytes read/written and the ? prompt to stdout, not stderr.
   <li>Changed the vmstat view in <a
 	href="https://man.openbsd.org/systat.1">systat(1)</a> to measure
 	elapsed time with <a
 	href="https://man.openbsd.org/clock_gettime.2">clock_gettime(2)</a>
 	instead of statclock ticks.
   <li>Improved the periodic display in <a
 	href="https://man.openbsd.org/iostat.8">iostat(8)</a>.
   <li>Fixed an edge case in <a href="https://man.openbsd.org/top.1">top(1)</a>
 	where summary statistics for offline CPUs were displayed.
   <li>Added support for a personal <a
 	href="https://man.openbsd.org/units.1">units(1)</a> library by passing
 	-f multiple times.
   <li>Changed <a href="https://man.openbsd.org/df.1">df(1)</a> to
 	round up fractional percentages.
   <li>Fixed unbounded variable expansion in <a
 	href="https://man.openbsd.org/pkg-config.1">pkg-config(1)</a>.
   <li>Switched to use <a
 	href="https://man.openbsd.org/llvm-strip.1">llvm-strip(1)</a> on
 	architectures that use <a
 	href="https://man.openbsd.org/ld.lld.1">ld.lld(1)</a>.
 <!-- rc scripts -->
   <li>Made <a href="https://man.openbsd.org/rc.8">rc(8)</a> reorder
 	libraries in parallel to <a
 	href="https://man.openbsd.org/netstart.8">netstart(8)</a>, as this
 	does not depend on network access.
   <li>Made <a href="https://man.openbsd.org/rc.8">rc(8)</a> print the
 	name of each library before relinking as a signal to the operator that
 	boot has not stalled.
 <!-- audio -->
   <li>Added a -w flag to <a
 	href="https://man.openbsd.org/audioctl.8">audioctl(8)</a> for
 	displaying variables periodically.
   <li>Added short options for <a
 	href="https://man.openbsd.org/timeout.1">timeout(1)</a> --foreground
 	and --preserve-status.
   <li>Added signal as a full argument name for <a
 	href="https://man.openbsd.org/timeout.1">timeout(1)</a> -s.
   <li>Fixed .wav files generated by <a
 	href="https://man.openbsd.org/aucat.1">aucat(1)</a> by using extended
 	header format.
 <!-- disks ... -->
   <li>In <a
 	href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>, use the
 	size of the largest chunk of free space, not the total of all such
 	chunks, when checking for sufficient space to add a partition.
   <li>Extended <a
 	href="https://man.openbsd.org/disklabel.8">disklabel(8)</a> template
 	parsing to allow "[mount point] *" as the specification for putting
 	the maximum available free space into a partition. Extended
 	command line parsing to allow "T-" as the specification to read the
 	template from stdin.
   <li>Repaired <a
   href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
   to check for D_VENDOR flag in d_flags, not d_secpercyl.
   <li>Removed remnants of DEC standard 144 bad sector code from
   <a
   href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
   and
   <a
   href="https://man.openbsd.org/disktab.5">disktab(5)</a>.
   <li>Removed last references to d_drivedata field from <a
   href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
   <li>Enhanced <a
   href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
   auto allocation to use all possible free space.
   <li>Enhanced <a
   href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
   to ensure valid partition offsets and sizes after rounding.
   <li>Enhanced <a
   href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
   simple editor to allow '*' when the action is 'delete'.
   <li>Removed <a
   href="https://man.openbsd.org/disklabel.8">disklabel(8)</a>
   code related to defunct disk types 'hd' and 'svnd'.
   <li>Repaired <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
   to set the correct 'bootable' bit in GPT partitions.
   <li>Repaired <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
   to use GPT_UUID_NBSD_UFS for NetBSD GPT partition entries.
   <li>Added UEFI defined GPT partition type GPT_UUID_LEGACY_MBR to
   the partition types
   <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
   recognizes.
   <li>Enhanced <a href="https://man.openbsd.org/fdisk.8">fdisk(8)</a>
   to avoid spurious warnings when editing unused GPT partition.
   <li>Fixed <a href="https://man.openbsd.org/cdio.1">cdio(1)</a>
   error displays and plugged a leak in the error path.
   <li>Removed pointless :ob#0:pb#0:[tb=swap:] and
   :pb#N:ob#0: lines from various <a
   href="https://man.openbsd.org/disktab.5">disktab(5)</a>
   entries.
   </ul>
 
 <li>Improved hardware support and driver bugfixes, including:
   <ul>
     <li>Suspend/Resume improvements
     <ul>
       <li>Extended arm64 suspend/resume to include support for parking
 		CPUs in a WFE/WFI loop.
       <li>Put CPUs in the lowest P-state before the final suspend step,
 		needed for systems where we park CPUs in a low-power idle state
 		ourselves.
     </ul>
 
     <li>system-on-chip devices
     <ul>
 <!-- SoC -->
   <li>Added support for the Rockchip RK3566/RK3568 SoCs.
   <li>Added support for the Rockchip RK3568 processor.
 
   <li>Added support for the RK3568 PCIe controller to <a
 	href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a>.
   <li>Added <a
 	href="https://man.openbsd.org/qcdwusb.4">qcdwusb(4)</a>, a driver
 	controlling the interface logic for the Synopsys DesignWare USB 3.0
 	controller found on various Qualcomm Snapdragon SoCs.
   <li>Added support for the PCIe controller on the Qualcomm SC8280XP
 	to <a href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a>.
   <li>Added <a
 	href="https://man.openbsd.org/qcpmicgpio.4">qcpmicgpio(4)</a>, a
 	driver for the GPIO block inside the Qualcomm PMICs.
   <li>Added <a href="https://man.openbsd.org/qcpmic.4">qcpmic(4)</a>,
 	a driver for the SPMI-connected PMICs found on Qualcomm SoCs.
   <li>Added <a href="https://man.openbsd.org/qcspmi.4">qcspmi(4)</a>,
 	a driver for the SPMI PMIC Arbiter found on Qualcomm SoCs.
   <li>Added <a href="https://man.openbsd.org/qcpdc.4">qcpdc(4)</a>, a
 	driver for the Qualcomm Power Domain controller found on Qualcomm
 	SoCs.
   <li>Added <a href="https://man.openbsd.org/qcpwm.4">qcpwm(4)</a>, a
 	driver for the PWM found on Qualcomm SoCs.
   <li>Added <a href="https://man.openbsd.org/qcpon.4">qcpon(4)</a>, a
 	driver for the Qualcomm PMIC block that hosts the powerkey and reset
 	input.
   <li>In <a href="https://man.openbsd.org/rkgpio.4">rkgpio(4)</a>,
 	handled different register layouts in modern Rockchip SoCs as seen in
 	the RK356x and RK3588.
   <li>Added support for RK356x TSADC clocks to <a
 	href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>.
   <li>Added GMAC-related RK356x clocks to <a
 	href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>.
   <li>Added RK3588 support to <a
 	href="https://man.openbsd.org/rkclock.4">rkclock(4)</a> and <a
 	href="https://man.openbsd.org/rkpinctrl.4">rkpinctrl(4)</a>.
   <li>Added <a href="https://man.openbsd.org/mvortc.4">mvortc(4)</a>,
 	a driver for the RTC on the ARMADA 38x series.
   <li>Added <a href="https://man.openbsd.org/mvodog.4">mvodog(4)</a>,
 	a driver for the watchdog on the ARMADA 38x series.
   <li>Implemented <a
 	href="https://man.openbsd.org/rkpinctrl.4">rkpinctrl(4)</a> support
 	for explicit routing to use alternative pin muxings.
   <li>Added <a href="https://man.openbsd.org/ytphy.4">ytphy(4)</a>, a
 	driver for the MotorComm YT8511 PHY.
   <li>Made <a href="https://man.openbsd.org/rktemp.4">rktemp(4)</a>
 	work on RK356x with U-Boot.
   <li>Added initialization code for RK356x in <a
 	href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a> to prevent
 	kernel hangs.
   <li>Implemented setting the parent clock for RK356x in <a
 	href="https://man.openbsd.org/rkclock.4">rkclock(4)</a>.
   <li>Added <a href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a>
 	code to bring up the PCIe controller on the RK356x.
   <li>Added <a
 	href="https://man.openbsd.org/rkpciephy.4">rkpciephy(4)</a>, a driver
 	for the PCIe 3.0 PHY found on the RK356x.
   <li>Added <a
 	href="https://man.openbsd.org/rkcomphy.4">rkcomphy(4)</a>, a driver
 	for the "naneng" combo PHY found on the RK356x (and RK3588). Only
 	PCIe, SATA and USB3 support are implemented.
     </ul>
 
     <li>Improved support for Apple arm64 hardware
     <ul>
 <!-- Apple -->
   <li>Made <a
 	href="https://man.openbsd.org/aplhidev.4">aplhidev(4)</a> recognize M1
 	laptops with touchbars and translated Fn+(1-10,-,=) keys to F1-F12 on
 	these systems.
   <li>Added suspend/resume support to <a
 	href="https://man.openbsd.org/aplns.4">aplns(4)</a>.
   <li>Implemented wakeup interrupt support in <a
 	href="https://man.openbsd.org/aplintc.4">aplintc(4)</a>.
   <li>Added suspend/resume support to control the power domain to <a
 	href="https://man.openbsd.org/aplsart.4">aplsart(4)</a>.
   <li>Made the power button function as a wakeup button during suspend
 	in <a href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a>.
   <li>Added <a href="https://man.openbsd.org/aplpwm.4">aplpwm(4)</a>,
 	a driver for the PWM controller found on Apple Silicon.
   <li>Improve Apple support by increasing the <a
 	href="https://man.openbsd.org/apliic.4">apliic(4)</a> transfer
 	completion timeout to 100ms to accommodate USB Type-C PD chips.
   <li>Added <a href="https://man.openbsd.org/tipd.4">tipd(4)</a>, a
 	driver fixing USB hotplug of type-C connectors on Apple Silicon
 	hardware.
   <li>Improved <a
 	href="https://man.openbsd.org/aplpmu.4">aplpmu(4)</a> range check to
 	protect against overflow.
   <li>Added <a
 	href="https://man.openbsd.org/aplefuse.4">aplefuse(4)</a>, a driver
 	for the eFuses on Apple Silicon SoCs.
   <li>Enabled <a
 	href="https://man.openbsd.org/aplpcie.4">aplpcie(4)</a> power
 	management for PCI devices.
   <li>Disable the screen backlight with <a
 	href="https://man.openbsd.org/aplsmc.4">aplsmc(4)</a> on Apple Silicon
 	laptops when the lid is closed.
     </ul>
 
     <li>X13s support
     <ul>
 <!-- x13s -->
   <li>Worked around incomplete ACPI tables on the Lenovo x13s by
 	loading the alternate device tree binaries from disk.
   <li>Set console output to the framebuffer on Lenovo x13s machines.
   <li>Made the USB ports work after a suspend/resume cycle on the x13s.
     </ul>
 
     <li>Improved audio devices
     <ul>
 <!-- audio -->
   <li>Made <a
 	href="https://man.openbsd.org/aplaudio.4">aplaudio(4)</a> calculate
 	the bit clock based on numbers of channels, bytes/sample and sample
 	rate.
   <li>Set <a href="https://man.openbsd.org/sncodec.4">sncodec(4)</a>
 	and <a href="https://man.openbsd.org/tascodec.4">tascodec(4)</a>
 	default volume to -30dB instead of the hardware default of 0dB
 	(maximum).
   <li>Added <a
 	href="https://man.openbsd.org/sncodec.4">sncodec(4)</a>, a driver for
 	the TI SNO12776/TAS2764 digital amplifier.
     </ul>
 
     <li>Other changes
     <ul>
 <!-- various USB -->
   <li>Added support for the Wacom One M CTL-672 tablet to <a
 	href="https://man.openbsd.org/uwacom.4">uwacom(4)</a>.
   <li>Hooked up the same USB device drivers on riscv64 as done in the
 	arm64 architecture kernel.<br>Enabled access to <a
 	href="https://man.openbsd.org/usb.4">usb(4)</a>, <a
 	href="https://man.openbsd.org/ugen.4">ugen(4)</a>, <a
 	href="https://man.openbsd.org/ulpt.4">ulpt(4)</a>, <a
 	href="https://man.openbsd.org/ucom.4">ucom(4)</a> and <a
 	href="https://man.openbsd.org/ujoy.4">ujoy(4)</a>.
   <li>Added <a href="https://man.openbsd.org/uftdi.4">uftdi(4)</a>
 	support for FTDI FT232R.
   <li>Added <a href="https://man.openbsd.org/uhidpp.4">uhidpp(4)</a>
 	support for Bolt receivers and the Unified Battery feature often found
 	on newer Logitech HID++ hardware.
 
 <!-- RTC -->
   <li>Converted more RTC drivers to use todr_attach(). Quality of the
 	RTC is set such that "discrete" RTC chips are preferred over RTCs
 	integrated on a SoC.
   <li>Added support for the DS1339 RTC as found on the PiJuice.
   <li>Added <a href="https://man.openbsd.org/qcrtc.4">qcrtc(4)</a>, a
 	driver for the RTC found on Qualcomm PMICs.
   <li>Improved <a href="https://man.openbsd.org/qcrtc.4">qcrtc(4)</a>
 	RTC reliability.
 
 <!-- wscons -->
   <li>Added cursor back tab support to <a
 	href="https://man.openbsd.org/wscons.4">wscons(4)</a> VT100
 	emulation.<br>Added aixterm bright color sequences (SGR 90-97 and
 	100-107).
   <li>Added missing <a
 	href="https://man.openbsd.org/wscons.4">wscons(4)</a> bounds checks
 	when processing terminal escape sequences.
   <li>Replaced broken UTF-8 logic in <a
 	href="https://man.openbsd.org/wscons.4">wscons(4)</a> with a better
 	one borrowed from Citrus.
 
 <!-- other -->
   <li>Introduced <a
 	href="https://man.openbsd.org/pijuice.4">pijuice(4)</a>, an apm/sensor
 	driver for the PiJuice HAT UPS.
   <li>Added <a
 	href="https://man.openbsd.org/pwmleds.4">pwmleds(4)</a>, a driver for
 	PWM controlled LEDs.
   <li>Implemented <a
 	href="https://man.openbsd.org/dwpcie.4">dwpcie(4)</a> support for the
 	(optional) MSI controller of the Synopsys DesignWare PCIe host bridge.
   <li>Added <a
 	href="https://man.openbsd.org/icc.4">icc(4)</a> driver for
 	I2C Consumer Control devices.
   <li>Prevented a possible crash when a <a
 	href="https://man.openbsd.org/ugen.4">ugen(4)</a> device is detached.
   <li>Implemented wakeup interrupt handling in <a
 	href="https://man.openbsd.org/agintc.4">agintc(4)</a>.
   <li>Enabled <a
 	href="https://man.openbsd.org/pcagpio.4">pcagpio(4)</a> and <a
 	href="https://man.openbsd.org/pcamux.4">pcamux(4)</a>, making the SFP
 	port on the ClearFog Base (CN9130) work.
   <li>Adopted a workaround for a bug in the ARM generic timer on the
 	A64, disabling userland timecounter support on affected hardware
 	pending a similar libc workaround.
   <li>Made amd64 cpuid recognize protection keys for Protection Key Supervisor (PKS).
   <li>Implemented access to EFI variables ESRT through an <a
 	href="https://man.openbsd.org/ioctl.2">ioctl(2)</a> interface
 	compatible with what FreeBSD and NetBSD have.<br>
 	Created /dev/efi on amd64 and arm64.
   <li>Added <a href="https://man.openbsd.org/dwge.4">dwge(4)</a> support
 	for "enhanced descriptor" mode found on some variants of the Synopsys
 	DesignWare GMAC.
   <li>Removed the <a
 	href="https://man.openbsd.org/OpenBSD-7.2/elansc.4">elansc(4)</a>
 	driver for AMD Elan SC520 System Controller.
   <li>Made <a href="https://man.openbsd.org/ppb.4">ppb(4)</a> bus
 	range available after detaching, fixing unplugging and replugging
 	thunderbolt devices that were plugged in when the machine was booted.
   <li>Reworked the arm64 architecture cpu_init_secondary() function to
 	allow use for both initial powerup and wakeup from deeper sleep
 	states.
   <li>Added <a href="https://man.openbsd.org/ufshci.4">ufshci(4)</a>,
 	a driver for Universal Flash Storage (UFS) Host Controllers.
   <li>Added <a href="https://man.openbsd.org/scmi.4">scmi(4)</a>, a
 	driver for the ARM System Control and Management Interface.
   <li>Added support for the Shenzhen Tangcheng Technology TCS4525
 	voltage regulator to <a
 	href="https://man.openbsd.org/fanpwr.4">fanpwr(4)</a>.
   <li>Added <a href="https://man.openbsd.org/psci.4">psci(4)</a> (ARM
 	Power State Coordination Interface) support for available deep idle
 	states as advertised in device trees.
   <li>Added <a href="https://man.openbsd.org/eephy.4">eephy(4)</a>,
 	found on the Turris Omnia WAN port, to armv7.
   <li>Added polling to <a
 	href="https://man.openbsd.org/tipmic.4">tipmic(4)</a> driver when
 	starting from a cold boot, fixing a hang on boot.
   <li>Added a workaround for Intel Braswell/Cherry Trail mwait hang.
   <li>Added the Armada 380 temperature sensor to <a
 	href="https://man.openbsd.org/mvtemp.4">mvtemp(4)</a> and enabled the
 	driver on armv7.
     </ul>
   </ul>
 
 <li>New or improved network hardware support:
   <ul>
   <li>Enabled <a href="https://man.openbsd.org/em.4">em(4)</a> IPv4,
 	TCP and UDP checksum offloading and hardware VLAN tagging on devices
 	with 82575, 82576, i350 and i210 chipsets.
   <li>Improved <a href="https://man.openbsd.org/mcx.4">mcx(4)</a>
 	performance by using interrupt-based command completion.
   <li>Fixed a panic seen with <a
 	href="https://man.openbsd.org/rge.4">rge(4)</a> RTL8125 with MCLGETL.
   <li>Add <a href="https://man.openbsd.org/dwqe.4">dwqe(4)</a>, a
 	driver for the Synopsys DesignWare Ethernet QoS controller used on the
 	NXP i.MX8MP, the Rockchip RK35xx series and Intel Elkhart Lake.
   <li>Worked around an issue on the StarFive JH7100 SoC to make <a
 	href="https://man.openbsd.org/dwge.4">dwge(4)</a> Ethernet work
 	reliably on the StarFive VisionFive 1 board.
   <li>In <a href="https://man.openbsd.org/mvneta.4">mvneta(4)</a>,
 	passed MII flags depending on the phy mode specified in the device
 	tree, making the WAN port work on the Turris Omnia.
   </ul>
 
 <li>Added or improved wireless network drivers:
   <ul>
   <li>Increased the timeout for <a
 	href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> PCI devices to
 	avoid spurious firmware load failures, particularly on Apple M2 laptops.
   <li>Implemented alternative mailbox handling mechanism required by
 	newer <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a> firmware.
   <li>Fixed <a href="https://man.openbsd.org/bwfm.4">bwfm(4)</a>
 	issues with suspend/resume and possible firmware crashes on the M2
 	MacBook Air.
   <li>Prevented an <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>
 	firmware error when authentication to the AP times out.
   <li>Fixed a crash in <a
 	href="https://man.openbsd.org/iwx.4">iwx(4)</a> when connecting to WEP
 	networks via <a
 	href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> join.
   <li>Fixed an alignment issue in <a
 	href="https://man.openbsd.org/iwx.4">iwx(4)</a> Rx descriptors.
   <li>Avoided trying to remove keys while doing crypto in hardware if
 	the station is not active in <a
 	href="https://man.openbsd.org/iwx.4">iwx(4)</a> firmware, fixing a
 	firmware panic.
   <li>Prevented potential panics by disallowing the <a
 	href="https://man.openbsd.org/iwx.4">iwx(4)</a> init task from running
 	in parallel to wakeup code during resume.
   <li>Switched all <a href="https://man.openbsd.org/iwx.4">iwx(4)</a>
 	devices to -77 firmware images.
   <li>Upgraded firmware images for <a
 	href="https://man.openbsd.org/iwm.4">iwm(4)</a> 9260 and 9560 devices.
   <li>Made <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> get the
 	primary channel number from AP beacon info, preventing problems on
 	40/80Mhz channels if there is a mismatch.
   <li>Fixed <a href="https://man.openbsd.org/iwx.4">iwx(4)</a> session
 	protection event duration.
   </ul>
 
 <li>IEEE 802.11 wireless stack improvements and bugfixes:
   <ul>
   <li>Made net80211 drop beacons received on secondary HT/VHT
 	channels, preventing <a
 	href="https://man.openbsd.org/iwm.4">iwm(4)</a> firmware panics and
 	making association work with 11ac APs which transmit beacons on
 	channels other than their primary.
   <li>Made WEP encryption work on <a
 	href="https://man.openbsd.org/bwfm.4">bwfm(4)</a>.
   </ul>
 
 <li>Installer, upgrade and bootloader improvements:
   <ul>
   <li>Made installer answers <code>!</code> and <code>(S)hell</code> drop into a <a
 	href="https://man.openbsd.org/ksh.1">ksh(1)</a> environment rather
 	than the more limited <a href="https://man.openbsd.org/sh.1">sh(1)</a>.
   <li>Added support for configuring interfaces by lladdr (MAC).
   <li>Made the installer skip interface configuration questions when no interfaces are available.
   <li>Fixed resizing partitions on an auto-allocated disk that had a boot partition.
   <li>Stopped the installer from asking to initialize disks that have
 	<a href="https://man.openbsd.org/softraid.4">softraid(4)</a> chunks.
   <li>Made efiboot fdt support device trees with NOPs in them (like the kernel version).
   <li>Improved the default choice for the installer's install media
 	disk question to show the first disk that (a) is not the root disk and (b)
 	is not a disk with softraid chunks (hosting the root disk, for example).
   <li>Stopped offering WEP in the installer if not supported.
   <li>Fixed lock file error on installer exit/abort.
   <li>Made <a href="https://man.openbsd.org/installboot.8">installboot(8)</a> <code>-p</code>
 	support <a href="https://man.openbsd.org/softraid.4">softraid(4)</a>.
   <li>Made <a href="https://man.openbsd.org/installboot.8">installboot(8)</a> silently skip
 	<a href="https://man.openbsd.org/softraid.4">softraid(4)</a> keydisks.
   <li>Fixed passing explicit stages files to
 	<a href="https://man.openbsd.org/installboot.8">installboot(8)</a>.
 <!-- architecture specific -->
   <li>Added <a
 	href="https://man.openbsd.org/mount_nfs.8">mount_nfs(8)</a> to the
 	sparc64 installer, to fetch sets over NFS.
   <li>Copy the apple-boot firmware to EFI system partition, enabling
 	automatic bootloader updates on Apple Silicon computers.
   <li>Made the installer stop printing MD post installation instructions on upgrades.
   <li>Made it possible to set keyboard layout(s) in arm64's installer.
   <li>Added initial support in the installer for guided disk
 	encryption for amd64, i386, riscv64 and sparc64.
   <li>Added passing of boot device information from the bootloader to
 	the kernel on luna88k.
   <li>Switched luna88k boot loader to MI boot code.
   <li>Made the luna88k bootloader display a puffy boot logo.
   <li>Made <a href="https://man.openbsd.org/ls.1">ls(1)</a> work
 	correctly in the luna88k bootloader.
   <li>Made <a href="https://man.openbsd.org/time.1">time(1)</a> work
 	correctly in the luna88k bootloader.
   <li>Removed dangerous user-settable "addr" variable from MI
 	bootloader, only compiling tty-related code on platforms where it
 	makes sense for the bootloader to control it.
   <li>Added "machine poweroff" command on luna88k bootloader.
   <li>Switched alpha to machine-independent boot blocks.
   <li>Switched all architectures' ramdisks (except alpha's and luna88k's) to use
 	<a href="https://man.openbsd.org/installboot.8">installboot(8)</a> <code>-p</code>.
   <li>Fixed ofwboot OpenFirmware <code>map</code> call to unbreak boot on some machines.
   <li>Reduced ofwboot.net size after libz update to unbreak netboot on some machines.
   <li>Made riscv64 bootloader support boot from RAID 1C softraid volumes.
   <li>Made <a href="https://man.openbsd.org/installboot.8">installboot(8)</a> support
 	<a href="https://man.openbsd.org/softraid.4">softraid(4)</a> on riscv64.
   <li>Stopped creating defunct vax (ra, rx), hp300 (hd) and sparc (xy, xd)
   devices in /dev.
   </ul>
 
 <li>Security improvements:
   <ul>
   <li>Permissions (RWX, MAP_STACK, etc.) on address space regions can
 	be made <a href="https://man.openbsd.org/mimmutable.2">immutable</a>,
 	so that <a href="https://man.openbsd.org/mmap.2">mmap(2)</a>, <a
 	href="https://man.openbsd.org/mprotect.2">mprotect(2)</a> or <a
 	href="https://man.openbsd.org/munmap.2">munmap(2)</a> fail with EPERM.
 	Most of the program static address space is now automatically
 	immutable (main program, ld.so, main stack, load-time shared
 	libraries, and dlopen()'d libraries mapped without RTLD_NODELETE).
 	Programmers can request non-immutable static data using the
 	"openbsd.mutable" section, or manually bring immutability to (page
 	aligned heap objects) using <a
 	href="https://man.openbsd.org/mimmutable.2">mimmutable(2)</a>.
 	The main internal data of <a 
 	href="https://man.openbsd.org/malloc.3">malloc(3)</a>
 	is marked immutable.
   <li>Some architectures now have non-readable code ("xonly"), both from
 	the perspective of userland reading its own memory, or the kernel
 	trying to read memory in a system call. Many sloppy practices in
 	userland code had to be repaired to allow this. The linker
         (<a href="https://man.openbsd.org/ld.lld.1">ld.lld(1)</a> or
         <a href="https://man.openbsd.org/ld.bfd.1">ld.bfd(1)</a>) option
 	--execute-only is enabled by default. In order of development: arm64,
 	riscv64, hppa, amd64, powerpc64, powerpc (G5 only), octeon, and sparc64
 	(sun4u only; unfinished). 
   <li>These can still benefit from switching to --execute-only binaries if the
 	cpu generates different traps for instruction-fetch versus data-fetch.
 	The VM system will not allow memory to be read before it was executed
 	which is valuable together with library relinking. Architectures
 	switched over include loongson. 
   <li><a href="https://man.openbsd.org/ld.so.1">ld.so(1)</a> and crt0
 	register the location of the <a
 	href="https://man.openbsd.org/execve.2">execve(2)</a> stub with the
 	kernel using pinsyscall(2), after which the kernel only accepts an
 	execve call from that specific location.
   <li>Added <a href="https://man.openbsd.org/execve.2">execve(2)</a>
 	violations of <a
 	href="https://man.openbsd.org/pinsyscall.2">pinsyscall(2)</a> policy
 	to the daily mail, available by setting rc.conf.local(5)
 	accounting=YES.
   <li>Added retguard (consistency-check the return address on the
 	stack) to amd64 syscalls.
   <li>sshd random relinking at boot: Randomly relink and install <a
 	href="https://man.openbsd.org/sshd.8">sshd(8)</a>, resulting
 	in a sshd binary with unknown address layout after every reboot.
   <li>Add another mitigation against classic BROP on systems without
 	execute-only mmu hardware-enforcement. A range-checking wrapper in
 	front of <a href="https://man.openbsd.org/copyin.9">copyin(9)</a> and
 	<a href="https://man.openbsd.org/copyinstr.9">copyinstr(9)</a> ensures
 	the userland source address doesn't overlap the main program text and
 	other text segments, thereby making these address ranges unreadable to
 	the kernel. No programs have been discovered which require reading
 	their own text segments with a system call.
   <li>On arm64, introduce mitigation of the Spectre-BHB (Branch
 	History Injection) CPU vulnerability by using core-specific trampoline
 	vectors.
   <li>Enabled the arm64 Data Independent Timing (DIT) feature in both the kernel and
 	userland on CPUs that support it to mitigate timing side-channel
 	attacks.
   </ul>
 
 <li>Changes in the network stack:
   <ul>
 	<li>Made /dev/pf a clonable device to better track kernel resources
 		used by processes.
 	<li>Modified TCP receive buffer size auto-scaling to use the smoothed
 		RTT (SRTT) instead of the timestamp option, which improves performance
 		on high latency networks if the timestamp option isn't available.
 	<li>Relaxed the requirement for multicast support of interfaces for
 		configuring IPv6.  This allows non-multicast interfaces such as
 		point-to-point interfaces and the NBMA / point-to-multipoint
 		interfaces like mpe(4), mgre(4) and wg(4) to work with IPv6.
 	<li>Measure the TCP_KEEPALIVE timeout with <a
 		href="https://man.openbsd.org/getnsecruntime.9">getnsecruntime(9)</a>
 		instead of the system uptime.
 		Prevents TCP connections from needlessly failing en masse after
 		waking a system from suspend.
 	<li>Used stoeplitz (symmetric Toeplitz hash algorithm) to generate a
 		hash/flowid for <a href="https://man.openbsd.org/pf.4">pf(4)</a> state
 		keys.  With this change, pf will hash traffic the same way that
 		hardware using a stoeplitz key will hash incoming traffic on rings.
 		stoeplitz is also used by the TCP stack to generate a flow id, which
 		is used to pick which transmit ring is used on nics with multiple
 		queues, too. Using the same algorithm throughout the stack encourages
 		affinity of packets to rings and softnet threads the whole way
 		through.
 	<li>Prevented possible kernel crashes by dropping TCP packets with
 		destination port 0 in <a href="https://man.openbsd.org/pf.4">pf(4)</a>
 		and the stack.
 	<li>Fixed an endian swap bug causing problems with <a
 		href="https://man.openbsd.org/vlan.4">vlan(4)</a> on <a
 		href="https://man.openbsd.org/em.4">em(4)</a> sparc64 systems.
 	<li>Denied "pipex no" tunnel setting for <a
 		href="https://man.openbsd.org/pppx.4">pppx(4)</a> interfaces.
 	<li>Fixed <a href="https://man.openbsd.org/pfsync.4">pfsync(4)</a>
 		crashing on pf_state_key removal.
 	<li>Fixed a panic in <a
 		href="https://man.openbsd.org/pfsync.4">pfsync(4)</a> when there is
 		no data ready for bulk transfer.
 	<li>Turned off TCP Segmentation Offload (TSO) if interface is added
 		to layer 2 devices.
   	<li>Improved <a href="https://man.openbsd.org/vnet.4">vnet(4)</a>
 		to work better in busy conditions.
 	<li>Added a <a href="https://man.openbsd.org/bpf.4">bpf(4)</a> timeout
 		(BIOCSWTIMEOUT) between capturing a packet and making the buffer
 		readable, preventing, for example, <a
 		href="https://man.openbsd.org/pflogd.8">pflogd(8)</a> waking every
 		half second even if there is nothing to read. By default this buffer
 		is infinite and must be filled to become readable.
 	<li>Avoided enabling TSO on interfaces which are already attached to a bridge.
   </ul>
 
 <li>Routing daemons and other userland network improvements:
   <ul>
   <li>IPsec support was improved:
   <ul>
 	<li>Added <a href="https://man.openbsd.org/iked.8">iked(8)</a>
 		support for configuring multiple name servers.
 	<li>Synced proc.c from <a
 		href="https://man.openbsd.org/vmd.8">vmd(8)</a> to <a
 		href="https://man.openbsd.org/iked.8">iked(8)</a> to enable fork +
 		exec for all processes. This gives each process a fresh and unique
 		address space to further improve randomization of ASLR and stack
 		protector.
   </ul>
   <li>In <a href="https://man.openbsd.org/bgpd.8">bgpd(8)</a>, <a
 	href="https://man.openbsd.org/bgpctl.8">bgpctl(8)</a> and <a
 	href="https://man.openbsd.org/bgplgd.8">bgplgd(8)</a>:
   <ul> 
     <li>Improved performance by optimising the output filters.
     <li>Add Autonomous System Provider Authorization (ASPA) validation
 	based on draft-ietf-sidrops-aspa-verification-12
     <li>Introduce avs (ASPA validation state) filter and bgpctl
 	filter argument.
     <li>Add ASPA support for the RTR protocol based on
 	draft-ietf-sidrops-8210bis-10.
     <li>Improve open policy (RFC 9234) support and enable the capability
 	automatically if a role is specified for the peer.
     <li>Introduce a per-neighbor 'role' configuration option to specify
 	the session role used by ASPA verification and the open policy
 	capability. The 'announce policy' statement was simplified at
 	the same time.
     <li>Improve startup behaviour by introducing a small delay before
 	opening the connection to a new peer.
     <li>Support for aspa-set table config which can be provided by
 	<a
         href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a>.
     <li>Make it possible to filter the RIB by invalid and leaked prefixes
 	in bgpctl and bgplgd.
     <li>Add OpenMetrics output to bgpctl for various BGP statistics and
 	add /metrics endpoint to bgplgd.
     <li>Fix of incorrect length checks that allowed an out-of-bounds
 	read in bgpd.
   </ul>
   <li><a href="https://man.openbsd.org/rpki-client.8">rpki-client(8)</a> saw some changes:
   <ul>
     <li>Add a new '-H' command line option to create a shortlist of
 	repositories to synchronize to. For example, when invoking
 	"rpki-client -H rpki.ripe.net -H chloe.sobornost.net", the utility
 	will not connect to any other hosts other than the two specified
 	through the -H option.
     <li>Add support for validating Geofeed (RFC 9092) authenticators.  To
 	see an example download https://sobornost.net/geofeed.csv and run
 	"rpki-client -f geofeed.csv"
     <li>Add support for validating Trust Anchor Key (TAK) objects. TAK
 	objects can be used to produce new Trust Anchor Locators (TALs) signed
 	by and verified against the previous Trust Anchor. See
 	draft-ietf-sidrops-signed-tal for the full specification.
     <li>Log lines related to RRDP/HTTPS connection problems now include the
 	IP address of the problematic endpoint (in brackets).
     <li>Improve the error message when an invalid filename is encountered
 	in the rpkiManifest field in the Subject Access Information (SIA)
 	extension.
     <li>Emit a warning when unexpected X.509 extensions are encountered.
     <li>Restrict the ROA ipAddrBlocks field to only allow two
 	ROAIPAddressFamily structures (one per address family).	See
 	draft-ietf-sidrops-rfc6482bis.
     <li>Check the absence of the Path Length constraint in the Basic
 	Constraints extension.
     <li>Restrict the SIA extension to only allow the signedObject and
 	rpkiNotify accessMethods.
     <li>Check that the Signed Object access method is present in ROA, MFT,
 	ASPA, TAK, and GBR End-Entity certificates.
     <li>In addition to the 'rsync://' scheme, also permit other schemes
 	(such as 'https://') in the SIA signedObject access method.
     <li>Check that the KeyUsage extension is set to nothing but
 	digitalSignature on End-Entity certificates.
     <li>Check that the KeyUsage extension is set to nothing but keyCertSign
 	and CRLSign on CA certificates.
     <li>Check that the ExtendedKeyUsage extension is absent on CA
 	certificates.
     <li>Fix a bug in the handling of the port of http_proxy.
     <li>The '-r' command line option has been deprecated.
     <li>Filemode (-f) output is now presented as a text based table.
     <li>The 'expires' key in the JSON/CSV/OpenBGPD output formats is now
 	calculated with more accuracy. The calculation takes into account the
 	nextUpdate value of all intermediate CRLs in the signature path
 	towards the trust anchor, in addition to the expiry moment of the
 	leaf-CRL and CAs.
     <li>Handling of CRLs and Manifests in the face of inconsistent RRDP delta
 	publications has been improved. A copy of an alternative version of
 	the applicable CRL is kept in the staging area of the cache directory,
 	in order to increase the potential for establishing a complete
 	publication point, in cases where a single publication point update
 	was smeared across multiple RRDP delta files.
     <li>The OpenBGPD configuration output now includes validated Autonomous
 	System Provider Authorization (ASPA) payloads as an 'aspa-set {}'
 	configuration block.
     <li>When rpki-client is invoked with increased verbosity ('-v'), the
 	current RRDP Serial and Session ID are shown to aid debugging.
     <li>Self-signed X.509 certificates (such as Trust Anchor certificates)
 	now are considered invalid if they contain an X.509
 	AuthorityInfoAccess extension.
     <li>Signed Objects where the CMS signing-time attribute contains a
 	timestamp later then the X.509 certificate's notAfter timestamp are
 	considered invalid.
     <li>Manifests where the CMS signing-time attribute contains a timestamp
 	later then the Manifest eContent nextUpdate timestamp are considered
 	invalid.
     <li>Any objects whose CRL Distribution Points extension contains a
 	CRLIssuer, CRL Reasons, or nameRelativeToCRLIssuer field are
 	considered invalid in accordance with RFC 6487 section 4.8.6.
     <li>For every X.509 certificate the SHA-1 of the Subject Public Key is
 	calculated and compared to the Subject Key Identifier (SKI). If a
 	mismatch is found the certificate is not trusted.
     <li>Require the outside-TBS signature OID for every X.509 intermediate
 	CA certificate and CRL to be sha256WithRSAEncryption.
     <li>Require the RSA key pair modulus and public exponent parameters to
 	strictly conform to the RFC 7935 profile.
     <li>Ensure there is no trailing garbage present in Signed Objects beyond
 	the self-embedded length field.
     <li>Require RRDP Session IDs to strictly be version 4 UUIDs.
     <li>When decoding and validating an individual RPKI file using filemode
 	(rpki-client -f file), display the signature path towards the trust
 	anchor and the timestamp when the signature path will expire.
     <li>When decoding and validating an individual RPKI file using filemode
 	(rpki-client -f file), display the optional CMS signing-time,
 	non-optional X.509 notBefore timestamp and non-optional X.509
 	notAfter timestamp.
   </ul>
 
   <li>Updated zlib to 1.2.13.
 
   <li>Fixed a long-standing bug in a libreadline header that broke the
 	interactive Python command line interface.
 
   <li>Switched <a href="https://man.openbsd.org/tftpd.8">tftpd(8)</a> to
 	default to read-only unless -w is specified for write access (the
 	previous default).
   <li>Stopped printing the prompt for non-interactive usage of <a
 	href="https://man.openbsd.org/tftp.1">tftp(1)</a>.
   <li>Changed <a href="https://man.openbsd.org/rarpd.8">rarpd(8)</a> to
 	only unveil /tftpboot if -t is specified.
   <li>Added client certificate authentication and an optional SASL
 	EXTERNAL bind to <a
 	href="https://man.openbsd.org/ypldap.8">ypldap(8)</a>.
   <li>Adjusted ipv6 address width to align the display columns better
 	in the output of <a href="https://man.openbsd.org/ndp.8">ndp(8)</a>,
 	<a href="https://man.openbsd.org/route.8">route(8)</a> and <a
 	href="https://man.openbsd.org/netstat.1">netstat(1)</a> as already
 	available in <a
 	href="https://man.openbsd.org/systat.1">systat(1)</a>'s netstat.
   <li>Used <a href="https://man.openbsd.org/stravis.3">stravis(3)</a> to
 	sanitize redirect URIs from <a
 	href="https://man.openbsd.org/ftp.1">ftp(1)</a> fetch before printing.
 
   <li>Prevent an <a
 	href="https://man.openbsd.org/unwind.8">unwind(8)</a> crash when a TCP
 	query is larger than the length field indicated.
   <li>Preserve the original order of nameservers as configured via <a
 	href="https://man.openbsd.org/resolv.conf.5">resolv.conf(5)</a> in <a
 	href="https://man.openbsd.org/resolvd.8">resolvd(8)</a>.
   <li>Restrict the characters allowed in the hostname argument of <a
 	href="https://man.openbsd.org/getaddrinfo.3">getaddrinfo(3)</a> to the
 	set [A-z0-9-_.]. Additionally, two consecutive dots ('.') are not
 	allowed nor can the string start with - or '.'. This removes
 	characters like '$', '`', '\n' or '*' that can traverse the DNS
 	without problems but have special meaning as in a shell.
   <li>Fixed a number of out of bounds reads in DNS response parsing of
 	the async DNS resolver in libc.
   <li>Added <a
 	href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> -M (mac) to
 	find the mac address on an interface and print it.
   <li>Added support for configuring interfaces by lladdr to support
 	interface configurations bound to a specific hardware device. The "if"
 	part of the <a
 	href="https://man.openbsd.org/hostname.if.5">hostname.if(5)</a>
 	configuration file can now be a MAC address.
   <li>Limited display of wireguard peers by <a
 	href="https://man.openbsd.org/ifconfig.8">ifconfig(8)</a> to when
 	either a wireguard interface is specified or the flag "-A" is used.
   <li>Implemented the RFC 8781 PREF64 router advertisement option in
 	<a href="https://man.openbsd.org/rad.8">rad(8)</a> which is used to
 	communicate NAT64 prefixes to hosts.
   <li>Moved the documentation of flag mappings displayed by "route show" from the <a
 	href="https://man.openbsd.org/netstat.1">netstat(1)</a> manpage to <a
 	href="https://man.openbsd.org/route.8">route(8)</a>.
   <li>Improvements in <a href="https://man.openbsd.org/nc.1">nc(1)</a>:
   <ul>
     <li>Stop claiming connection success in UDP mode unless true.
     <li>Do not test the connection in non-interactive mode. The test
 	writes characters to the socket which can corrupt data that is
 	possibly piped into nc.
     <li>Some refactoring and code cleanup.
   </ul>
 
   <li>Improvements in 
 	<a href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>:
   <ul>
     <li>Added support for newlines inside the alternative names block in
 	<a href="https://man.openbsd.org/acme-client.conf.5">acme-client.conf(5)</a>.
     <li>Use proper data structures for retrieving subject alternative names in
 	certificates rather than printing them to a buffer and tokenizing and
 	parsing the undocumented string.
     <li>Simplified, corrected and modernized the use of libcrypto interfaces.
     <li>Plugged various memory leaks.
     <li>Use <a href="https://man.openbsd.org/ASN1_TIME_to_tm.3">ASN1_TIME_to_tm(3)</a>
 	instead of a poor man's hand-rolled version of it.
     <li>Use <a href="https://man.openbsd.org/acme-client.1">timegm(3)</a>
 	instead of <a href="https://man.openbsd.org/acme-client.1">mktime(3)</a>
 	to eliminate time-zone variation.
     <li>Encode Subject Alternative Name (SAN) entries before printing.
     <li>Prevent <a href="https://man.openbsd.org/acme-client.1">acme-client(1)</a>
 	from leaking an http get request when receiving a redirect without a
 	location header.
   </ul>
 
   <!-- smtpd -->
   <li>Prevented <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>
 	abort due to a connection from a local, scoped ipv6 address.
   <li>Fixed a potential NULL dereference in the unpriv child expanding
 	%{mda} in <a href="https://man.openbsd.org/smtpd.8">smtpd(8)</a>.
   <li>Corrected the order of arguments for calls to <a
 	href="https://man.openbsd.org/shutdown.2">shutdown(2)</a> on the route
 	socket of <a href="https://man.openbsd.org/slaacd.8">slaacd(8)</a>, <a
 	href="https://man.openbsd.org/dhcpleased.8">dhcpleased(8)</a> and <a
 	href="https://man.openbsd.org/unwind.8">unwind(8)</a>.
   <li>Made <a href="https://man.openbsd.org/route.8">route(8)</a>
 	sourceaddr print the used addresses for inet and inet6, or "default"
 	if no sourceaddr is set and the default algorithm is used.
   <li>Added -mpls option to the route(8) monitor command. It can be
 	used to restrict displayed route messages to the mpls address family.
   <li>Fixed <a href="https://man.openbsd.org/openrsync.1">rsync(1)</a>
 	handling of port numbers in rsync://host[:port]/module URLs.
   <li>Made <a href="https://man.openbsd.org/tcpdrop.8">tcpdrop(8)</a>
 	accept netstat-style address.port syntax.
   <li>Ensured <a href="https://man.openbsd.org/pfctl.8">pfctl(8)</a>
 		correctly adds addresses to the undefined/inactive table.
   <li>Switched <a href="https://man.openbsd.org/tftpd.8">tftpd(8)</a> to default
 	to read-only unless <code>-w</code> is specified for write access
 	(the previous default).
   <li>Changed <a href="https://man.openbsd.org/rarpd.8">rarpd(8)</a> to only unveil /tftpboot if -t is specified.
   <li>Fixed the DIOCIGETIFACES ioctl so all network interfaces and
 	interface groups are reported in <a
 	href="https://man.openbsd.org/pfctl.8">pfctl(8)</a>.
   </ul>
 
 <li><a href="https://man.openbsd.org/tmux.1">tmux(1)</a> improvements and bug fixes:
   <ul>
 	<li>Added scroll-top and scroll-bottom <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> commands to scroll so cursor is at the top or bottom respectively.
 	<li>Added a -T flag to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> capture-pane to capture up to the last used cell and not the full width of the pane.
 	<li>Preserved the marked pane when renumbering windows in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
 	<li>Added modified tab key sequences to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
 	<li>Changed <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> to only set the extended flag when searching, which allows send-keys to work.
 	<li>Added a -l flag to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> display-message to disable format expansion.
 	<li>Fixed a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> crash when there are no window buffers.
 	<li>Fixed <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> C-S-Tab without extended keys.
 	<li>Added <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> send-keys -K to handle keys directly as if typed.
 	<li>Made <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> tty-keys accept \007 as terminator to OSC 10 or 11.
 	<li>Made <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> recognize pasted texts wrapped in bracket paste sequences, rather than only forwarding to the program inside.
 	<li>Supported -1 without -N for list-keys in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
 	<li>Added a flag to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> display-menu to select the menu item chosen first.
 	<li>Added Backtab key support to <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>
 	<li>Disallowed multiple consecutive line separators in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> menu.
 	<li>Extended display-message to work for control clients in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
 	<li>Added -f to list-clients in <a href="https://man.openbsd.org/tmux.1">tmux(1)</a>.
 	<li>Added a <a href="https://man.openbsd.org/tmux.1">tmux(1)</a> L modifier like P, W, S to loop over clients.
   </ul>
 
 <li>LibreSSL version 3.7.2
   <ul>
   <li>New features
     <ul>
     <li>Added Ed25519 support both as a primitive and via OpenSSL's EVP interfaces.
     <li>X25519 is now also supported via EVP.
     <li>The OpenSSL 1.1 raw public and private key API is available with support for
         EVP_PKEY_ED25519, EVP_PKEY_HMAC and EVP_PKEY_X25519. Poly1305 is not
         currently supported via this interface.
     <li>Added EVP_CIPHER_meth_*() setter API.
     <li>Added various X.509 accessor functions.
     </ul>
 
   <li>Compatibility changes
     <ul>
     <li>BIO_read() and BIO_write() now behave more closely to OpenSSL 3 in
         various corner cases.
     </ul>
 
   <li>Bug fixes
     <ul>
     <li>Added EVP_chacha20_poly1305() to the list of all ciphers.
     <li>Fixed potential leaks of EVP_PKEY in various printing functions
     <li>Fixed potential leak in OBJ_NAME_add().
     <li>Avoid signed overflow in i2c_ASN1_BIT_STRING().
     <li>Cleaned up EVP_PKEY_ASN1_METHOD related tables and code.
     <li>Fixed long standing bugs BN_GF2m_poly2arr() and BN_GF2m_mod().
     <li>Fixed segfaults in BN_{dec,hex}2bn().
     <li>Fixed NULL dereference in x509_constraints_uri_host() reachable only
         in the process of generating certificates.
     <li>Fixed a variety of memory corruption issues in BIO chains coming
         from poor old and new API: BIO_push(), BIO_pop(), BIO_set_next().
     <li>Avoid potential divide by zero in BIO_dump_indent_cb()
     <li>Fixed a memory leak, a double free and various other issues in
         BIO_new_NDEF().
     <li>Fixed various crashes in the openssl(1) testing utility.
     <li>Do not check policies by default in the new X.509 verifier.
     <li>Avoid crash with ASN.1 BOOLEANS in openssl(1) asn1parse.
     <li>Added missing error checking in PKCS7.
     <li>Call CRYPTO_cleanup_all_ex_data() from OPENSSL_cleanup().
     </ul>
 
   <li>Documentation improvements
     <ul>
     <li>Numerous improvements and additions for ASN.1, BIO, BN, and X.509.
     <li>The BN documentation is now considered to be complete.
     <li>Marked BIO_s_log(3) BIO_nread0(3), BIO_nread(3), BIO_nwrite0(3), BIO_nwrite(3),
         BIO_dump_cb(3) and BIO_dump_indent_cb(3) as intentionally undocumented.
     <li>Documented various BIO_* interfaces.
     <li>Documented ED25519_keypair(3), ED25519_sign(3), and ED25519_verify(3).
     <li>Documented EVP_PKEY raw private/public key interfaces.
     <li>Documented ASN1_buf_print(3).
     <li>Documented DH_get0_*, DSA_get0_*, ECDSA_SIG_get0_* and RSA_get0_*.
     <li>Merged documentation of UI_null() from OpenSSL 1.1
     <li>Various spelling and other documentation improvements.
     </ul>
 
   <li>Internal improvements
     <ul>
     <li>Remove dependency on system timegm() and gmtime() by replacing
         traditional Julian date conversion with POSIX epoch-seconds date
         conversion from BoringSSL.
     <li>Removed old and unused BN code dealing with primes.
     <li>Started rewriting name constraints code using CBS.
     <li>Removed support for the HMAC PRIVATE KEY.
     <li>Reworked DSA signing and verifying internals.
     <li>Rewrote the TLSv1.2 key exporter.
     <li>Cleaned up and refactored various aspects of the legacy TLS stack.
     <li>Initial overhaul of the BIGNUM code:
       <ul>
       <li>Added a new framework that allows architecture-dependent
           replacement implementations for bignum primitives.
       <li>Imported various s2n-bignum's constant time assembly primitives
           and switched amd64 to them.
       <li>Lots of cleanup, simplification and bug fixes.
       </ul>
     <li>Changed Perl assembly generators to move constants into .rodata,
         allowing code to run with execute-only permissions.
     <li>Capped the number of iterations in DSA and ECDSA signing (avoiding
         infinite loops), added additional sanity checks to DSA.
     <li>ASN.1 parsing improvements.
     <li>Cleanup and improvements in EC code, including always clearing EC
         groups and points on free.
     <li>Various openssl(1) improvements.
     <li>Various nc(1) improvements.
     </ul>
 
   <li>Security fixes
     <ul>
     <li>A malicious certificate revocation list or timestamp response token
         would allow an attacker to read arbitrary memory.
     </ul>
   </ul>
 
 <li>OpenSSH 9.3 and OpenSSH 9.2<br>
 This release of OpenBSD includes the changes made to OpenSSH since release 9.1:
   <ul>
   <li>Security
     <ul>
     <li>ssh-add(1): when adding smartcard keys to ssh-agent(1) with the
       per-hop destination constraints (ssh-add -h ...) added in OpenSSH
       8.9, a logic error prevented the constraints from being
       communicated to the agent. This resulted in the keys being added
       without constraints. The common cases of non-smartcard keys and
       keys without destination constraints are unaffected. This problem
       was reported by Luci Stanescu.
     <li>ssh(1): Portable OpenSSH provides an implementation of the
       getrrsetbyname(3) function if the standard library does not
       provide it, for use by the VerifyHostKeyDNS feature. A
       specifically crafted DNS response could cause this function to
       perform an out-of-bounds read of adjacent stack data, but this
       condition does not appear to be exploitable beyond denial-of-service
       to the ssh(1) client.<br>
       The getrrsetbyname(3) replacement is only included if the system's
       standard library lacks this function and portable OpenSSH was not
       compiled with the ldns library (--with-ldns). getrrsetbyname(3) is
       only invoked if using VerifyHostKeyDNS to fetch SSHFP records. This
       problem was found by the Coverity static analyzer.
     <li>sshd(8): fix a pre-authentication double-free memory fault
       introduced in OpenSSH 9.1. This is not believed to be exploitable,
       and it occurs in the unprivileged pre-auth process that is
       subject to chroot(2) and is further sandboxed on most major
       platforms.
     <li>ssh(8): in OpenSSH releases after 8.7, the PermitRemoteOpen option
       would ignore its first argument unless it was one of the special
       keywords "any" or "none", causing the permission list to fail open
       if only one permission was specified. bz3515
     <li>ssh(1): if the CanonicalizeHostname and CanonicalizePermittedCNAMEs
       options were enabled, and the system/libc resolver did not check
       that names in DNS responses were valid, then use of these options
       could allow an attacker with control of DNS to include invalid
       characters (possibly including wildcards) in names added to
       known_hosts files when they were updated. These names would still
       have to match the CanonicalizePermittedCNAMEs allow-list, so
       practical exploitation appears unlikely.
       </ul>
   <li>Potentially-incompatible changes
       <ul>
     <li>ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
       controls whether the client-side ~C escape sequence that provides a
       command-line is available. Among other things, the ~C command-line
       could be used to add additional port-forwards at runtime.<br>
       This option defaults to "no", disabling the ~C command-line that
       was previously enabled by default. Turning off the command-line
       allows platforms that support sandboxing of the ssh(1) client
       (currently only OpenBSD) to use a stricter default sandbox policy.
       </ul>
   <li>New features
       <ul>
     <li>ssh-keygen(1), ssh-keyscan(1): accept -Ohashalg=sha1|sha256 when
       outputting SSHFP fingerprints to allow algorithm selection. bz3493
     <li>sshd(8): add a `sshd -G` option that parses and prints the
       effective configuration without attempting to load private keys
       and perform other checks. This allows usage of the option before
       keys have been generated and for configuration evaluation and
       verification by unprivileged users.
     <li>sshd(8): add support for channel inactivity timeouts via a new
       sshd_config(5) ChannelTimeout directive. This allows channels that
       have not seen traffic in a configurable interval to be
       automatically closed. Different timeouts may be applied to session,
       X11, agent and TCP forwarding channels.
     <li>sshd(8): add a sshd_config UnusedConnectionTimeout option to
       terminate client connections that have no open channels for a
       length of time. This complements the ChannelTimeout option above.
     <li>sshd(8): add a -V (version) option to sshd like the ssh client has.
     <li>ssh(1): add a "Host" line to the output of ssh -G showing the
       original hostname argument. bz3343
     <li>scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to
       allow control over some SFTP protocol parameters: the copy buffer
       length and the number of in-flight requests, both of which are used
       during upload/download. Previously these could be controlled in
       sftp(1) only. This makes them available in both SFTP protocol
       clients using the same option character sequence.
     <li>ssh-keyscan(1): allow scanning of complete CIDR address ranges,
       e.g.  "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then
       it will be expanded to all possible addresses in the range
       including the all-0s and all-1s addresses. bz#976
     <li>ssh(1): support dynamic remote port forwarding in escape
       command-line's -R processing. bz#3499
       </ul>
   <li>Bugfixes
       <ul>
     <li>scp(1), sftp(1): fix progressmeter corruption on wide displays;
       bz3534
     <li>ssh-add(1), ssh-keygen(1): use RSA/SHA256 when testing usability
       of private keys as some systems are starting to disable RSA/SHA1
       in libcrypto.
     <li>sftp-server(8): fix a memory leak. GHPR363
     <li>ssh(1), sshd(8), ssh-keyscan(1): remove vestigial protocol
       compatibility code and simplify what's left.
     <li>Fix a number of low-impact Coverity static analysis findings.
       These include several reported via bz2687
     <li>ssh_config(5), sshd_config(5): mention that some options are not
       first-match-wins.
     <li>Rework logging for the regression tests. Regression tests will now
       capture separate logs for each ssh and sshd invocation in a test.
     <li>ssh(1): make `ssh -Q CASignatureAlgorithms` work as the manpage
       says it should; bz3532.
     <li>ssh(1): ensure that there is a terminating newline when adding a
       new entry to known_hosts; bz3529
     <li>ssh(1): when restoring non-blocking mode to stdio fds, restore
       exactly the flags that ssh started with and don't just clobber them
       with zero, as this could also remove the append flag from the set.
       bz3523
     <li>ssh(1): avoid printf("%s", NULL) if using UserKnownHostsFile=none
       and a hostkey in one of the system known hosts file changes.
     <li>scp(1): switch scp from using pipes to a socket-pair for
       communication with its ssh sub-processes, matching how sftp(1)
       operates.
     <li>sshd(8): clear signal mask early in main(); sshd may have been
       started with one or more signals masked (sigprocmask(2) is not
       cleared on fork/exec) and this could interfere with various things,
       e.g. the login grace timer. Execution environments that fail to
       clear the signal mask before running sshd are clearly broken, but
       apparently they do exist.
     <li>ssh(1): warn if no host keys for hostbased auth can be loaded.
     <li>sshd(8): Add server debugging for hostbased auth that is queued and
       sent to the client after successful authentication, but also logged
       to assist in diagnosis of HostbasedAuthentication problems. bz3507
     <li>ssh(1): document use of the IdentityFile option as being usable to
       list public keys as well as private keys. GHPR352
     <li>sshd(8): check for and disallow MaxStartups values less than or
       equal to zero during config parsing, rather than failing later at
       runtime.  bz3489
     <li>ssh-keygen(1): fix parsing of hex cert expiry times specified on
       the command-line when acting as a CA.
     <li>scp(1): when scp(1) is using the SFTP protocol for transport (the
       default), better match scp/rcp's handling of globs that don't match
       the globbed characters but do match literally (e.g. trying to
       transfer a file named "foo.[1]"). Previously scp(1) in SFTP mode
       would not match these pathnames but legacy scp/rcp mode would.
       bz3488
     <li>ssh-agent(1): document the "-O no-restrict-websafe" command-line
       option.
     <li>ssh(1): honour user's umask(2) if it is more restrictive then the
       ssh default (022).
     </ul>
   </ul>
 
 <li>Ports and packages:
   <p>Many pre-built packages for each architecture:
   <!-- number of FTP packages minus SHA256, SHA256.sig, index.txt -->
   <ul style="column-count: 3">
     <li>aarch64:    11561
     <li>amd64:      11764
     <li>arm:        8653
     <li>i386:       10572
     <li>mips64:     8936
     <li>powerpc:    9893
     <li>powerpc64:  8474
     <li>riscv64:    10191
     <li>sparc64:    9325
   </ul>
 
   <p>Some highlights:
   <ul style="column-count: 3">
     <li>Asterisk 16.30.0, 18.17.0 and 20.2.0
     <li>Audacity 3.2.5
     <li>CMake 3.25.2
     <li>Chromium 111.0.5563.110
     <li>Emacs 28.2
     <li>FFmpeg 4.4.3
     <li>GCC 8.4.0 and 11.2.0
     <li>GHC 9.2.7
     <li>GNOME 43.3
     <li>Go 1.20.1
     <li>JDK 8u362, 11.0.18 and 17.0.6
     <li>KDE Applications 22.12.3
     <li>KDE Frameworks 5.103.0
     <li>Krita 5.1.5
     <li>LLVM/Clang 13.0.0
     <li>LibreOffice 7.5.1.2
     <li>Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.4
     <li>MariaDB 10.9.4
     <li>Mono 6.12.0.182
     <li>Mozilla Firefox 111.0 and ESR 102.9.0
     <li>Mozilla Thunderbird 102.9.0
     <li>Mutt 2.2.9 and NeoMutt 20220429
     <li>Node.js 18.15.0
     <li>OCaml 4.12.1
     <li>OpenLDAP 2.6.4
     <li>PHP 7.4.33, 8.0.28, 8.1.16 and 8.2.3
     <li>Postfix 3.5.17 and 3.7.3
     <li>PostgreSQL 15.2
     <li>Python 2.7.18, 3.9.16, 3.10.10 and 3.11.2
     <li>Qt 5.15.8 and 6.4.2
     <li>R 4.2.1
     <li>Ruby 3.0.5, 3.1.3 and 3.2.1
     <li>Rust 1.68.0
     <li>SQLite 2.8.17 and 3.41.0
     <li>Shotcut 22.12.21
     <li>Sudo 1.9.13.3
     <li>Suricata 6.0.10
     <li>Tcl/Tk 8.5.19 and 8.6.13
     <li>TeX Live 2022
     <li>Vim 9.0.1388 and Neovim 0.8.3
     <li>Xfce 4.18
   </ul>
   <p>
 
 <li>As usual, steady improvements in manual pages and other documentation.
 
 <li>The system includes the following major components from outside suppliers:
   <ul>
     <li>Xenocara (based on X.Org 7.7 with xserver 21.1.6 + patches,
         freetype 2.12.1, fontconfig 2.14, Mesa 22.3.4, xterm 378,
         xkeyboard-config 2.20, fonttosfnt 1.2.2 and more)
     <li>LLVM/Clang 13.0.0 (+ patches)
     <li>GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
     <li>Perl 5.36.0 (+ patches)
     <li>NSD 4.6.1
     <li>Unbound 1.17.0
     <li>Ncurses 5.7
     <li>Binutils 2.17 (+ patches)
     <li>Gdb 6.3 (+ patches)
     <li>Awk September 12, 2022
     <li>Expat 2.5.0
   </ul>
 
 </ul>
 </section>
 
 <hr>
 
 <section id=install>
 <h3>How to install</h3>
 <p>
 Please refer to the following files on the mirror site for
 extensive details on how to install OpenBSD 7.3 on your machine:
 
 <ul>
 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/alpha/INSTALL.alpha">
 	.../OpenBSD/7.3/alpha/INSTALL.alpha</a>
 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/amd64/INSTALL.amd64">
 	.../OpenBSD/7.3/amd64/INSTALL.amd64</a>
 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/arm64/INSTALL.arm64">
 	.../OpenBSD/7.3/arm64/INSTALL.arm64</a>
 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/armv7/INSTALL.armv7">
 	.../OpenBSD/7.3/armv7/INSTALL.armv7</a>
 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/hppa/INSTALL.hppa">
 	.../OpenBSD/7.3/hppa/INSTALL.hppa</a>
 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/i386/INSTALL.i386">
 	.../OpenBSD/7.3/i386/INSTALL.i386</a>
 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/landisk/INSTALL.landisk">
 	.../OpenBSD/7.3/landisk/INSTALL.landisk</a>
 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/loongson/INSTALL.loongson">
 	.../OpenBSD/7.3/loongson/INSTALL.loongson</a>
 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/luna88k/INSTALL.luna88k">
 	.../OpenBSD/7.3/luna88k/INSTALL.luna88k</a>
 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/macppc/INSTALL.macppc">
 	.../OpenBSD/7.3/macppc/INSTALL.macppc</a>
 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/octeon/INSTALL.octeon">
 	.../OpenBSD/7.3/octeon/INSTALL.octeon</a>
 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/powerpc64/INSTALL.powerpc64">
 	.../OpenBSD/7.3/powerpc64/INSTALL.powerpc64</a>
 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/riscv64/INSTALL.riscv64">
 	.../OpenBSD/7.3/riscv64/INSTALL.riscv64</a>
 <li><a href="https://ftp.openbsd.org/pub/OpenBSD/7.3/sparc64/INSTALL.sparc64">
 	.../OpenBSD/7.3/sparc64/INSTALL.sparc64</a>
 </ul>
 </section>
 
 <hr>
 
 <section id=quickinstall>
 <p>
 Quick installer information for people familiar with OpenBSD, and the use of
 the "<a href="https://man.openbsd.org/disklabel.8">disklabel</a> -E" command.
 If you are at all confused when installing OpenBSD, read the relevant
 INSTALL.* file as listed above!
 
 <h3>OpenBSD/alpha:</h3>
 
 <p>
 If your machine can boot from CD, you can write <i>install73.iso</i> or
 <i>cd73.iso</i> to a CD and boot from it.
 Refer to INSTALL.alpha for more details.
 
 <h3>OpenBSD/amd64:</h3>
 
 <p>
 If your machine can boot from CD, you can write <i>install73.iso</i> or
 <i>cd73.iso</i> to a CD and boot from it.
 You may need to adjust your BIOS options first.
 
 <p>
 If your machine can boot from USB, you can write <i>install73.img</i> or
 <i>miniroot73.img</i> to a USB stick and boot from it.
 
 <p>
 If you can't boot from a CD, floppy disk, or USB,
 you can install across the network using PXE as described in the included
 INSTALL.amd64 document.
 
 <p>
 If you are planning to dual boot OpenBSD with another OS, you will need to
 read INSTALL.amd64.
 
 <h3>OpenBSD/arm64:</h3>
 
 <p>
 Write <i>install73.img</i> or <i>miniroot73.img</i> to a disk and boot from it
 after connecting to the serial console.  Refer to INSTALL.arm64 for more
 details.
 
 <h3>OpenBSD/armv7:</h3>
 
 <p>
 Write a system specific miniroot to an SD card and boot from it after connecting
 to the serial console.  Refer to INSTALL.armv7 for more details.
 
 <h3>OpenBSD/hppa:</h3>
 
 <p>
 Boot over the network by following the instructions in INSTALL.hppa or the
 <a href="hppa.html#install">hppa platform page</a>.
 
 <h3>OpenBSD/i386:</h3>
 
 <p>
 If your machine can boot from CD, you can write <i>install73.iso</i> or
 <i>cd73.iso</i> to a CD and boot from it.
 You may need to adjust your BIOS options first.
 
 <p>
 If your machine can boot from USB, you can write <i>install73.img</i> or
 <i>miniroot73.img</i> to a USB stick and boot from it.
 
 <p>
 If you can't boot from a CD, floppy disk, or USB,
 you can install across the network using PXE as described in
 the included INSTALL.i386 document.
 
 <p>
 If you are planning on dual booting OpenBSD with another OS, you will need to
 read INSTALL.i386.
 
 <h3>OpenBSD/landisk:</h3>
 
 <p>
 Write <i>miniroot73.img</i> to the start of the CF
 or disk, and boot normally.
 
 <h3>OpenBSD/loongson:</h3>
 
 <p>
 Write <i>miniroot73.img</i> to a USB stick and boot bsd.rd from it
 or boot bsd.rd via tftp.
 Refer to the instructions in INSTALL.loongson for more details.
 
 <h3>OpenBSD/luna88k:</h3>
 
 <p>
 Copy 'boot' and 'bsd.rd' to a Mach or UniOS partition, and boot the bootloader
 from the PROM, and then bsd.rd from the bootloader.
 Refer to the instructions in INSTALL.luna88k for more details.
 
 <h3>OpenBSD/macppc:</h3>
 
 <p>
 Burn the image from a mirror site to a CDROM, and power on your machine
 while holding down the <i>C</i> key until the display turns on and
 shows <i>OpenBSD/macppc boot</i>.
 
 <p>
 Alternatively, at the Open Firmware prompt, enter <i>boot cd:,ofwboot
 /7.3/macppc/bsd.rd</i>
 
 <h3>OpenBSD/octeon:</h3>
 
 <p>
 After connecting a serial port, boot bsd.rd over the network via DHCP/tftp.
 Refer to the instructions in INSTALL.octeon for more details.
 
 <h3>OpenBSD/powerpc64:</h3>
 
 <p>
 To install, write <i>install73.img</i> or <i>miniroot73.img</i> to a
 USB stick, plug it into the machine and choose the <i>OpenBSD
 install</i> menu item in Petitboot.
 Refer to the instructions in INSTALL.powerpc64 for more details.
 
 <h3>OpenBSD/riscv64:</h3>
 
 <p>
 To install, write <i>install73.img</i> or <i>miniroot73.img</i> to a
 USB stick, and boot with that drive plugged in.
 Make sure you also have the microSD card plugged in that shipped with the
 HiFive Unmatched board.
 Refer to the instructions in INSTALL.riscv64 for more details.
 
 <h3>OpenBSD/sparc64:</h3>
 
 <p>
 Burn the image from a mirror site to a CDROM, boot from it, and type
 <i>boot cdrom</i>.
 
 <p>
 If this doesn't work, or if you don't have a CDROM drive, you can write
 <i>floppy73.img</i> or <i>floppyB73.img</i>
 (depending on your machine) to a floppy and boot it with <i>boot
 floppy</i>. Refer to INSTALL.sparc64 for details.
 
 <p>
 Make sure you use a properly formatted floppy with NO BAD BLOCKS or your install
 will most likely fail.
 
 <p>
 You can also write <i>miniroot73.img</i> to the swap partition on
 the disk and boot with <i>boot disk:b</i>.
 
 <p>
 If nothing works, you can boot over the network as described in INSTALL.sparc64.
 </section>
 
 <hr>
 
 <section id=upgrade>
 <h3>How to upgrade</h3>
 <p>
 If you already have an OpenBSD 7.2 system, and do not want to reinstall,
 upgrade instructions and advice can be found in the
 <a href="faq/upgrade73.html">Upgrade Guide</a>.
 </section>
 
 <hr>
 
 <section id=sourcecode>
 <h3>Notes about the source code</h3>
 <p>
 <code>src.tar.gz</code> contains a source archive starting at <code>/usr/src</code>.
 This file contains everything you need except for the kernel sources,
 which are in a separate archive.
 To extract:
 <blockquote><pre>
 # <kbd>mkdir -p /usr/src</kbd>
 # <kbd>cd /usr/src</kbd>
 # <kbd>tar xvfz /tmp/src.tar.gz</kbd>
 </pre></blockquote>
 <p>
 <code>sys.tar.gz</code> contains a source archive starting at <code>/usr/src/sys</code>.
 This file contains all the kernel sources you need to rebuild kernels.
 To extract:
 <blockquote><pre>
 # <kbd>mkdir -p /usr/src/sys</kbd>
 # <kbd>cd /usr/src</kbd>
 # <kbd>tar xvfz /tmp/sys.tar.gz</kbd>
 </pre></blockquote>
 <p>
 Both of these trees are a regular CVS checkout.  Using these trees it
 is possible to get a head-start on using the anoncvs servers as
 described <a href="anoncvs.html">here</a>.
 Using these files
 results in a much faster initial CVS update than you could expect from
 a fresh checkout of the full OpenBSD source tree.
 </section>
 
 <hr>
 
 <section id=ports>
 <h3>Ports Tree</h3>
 <p>
 A ports tree archive is also provided.  To extract:
 <blockquote><pre>
 # <kbd>cd /usr</kbd>
 # <kbd>tar xvfz /tmp/ports.tar.gz</kbd>
 </pre></blockquote>
 <p>
 Go read the <a href="faq/ports/index.html">ports</a> page
 if you know nothing about ports
 at this point.  This text is not a manual of how to use ports.
 Rather, it is a set of notes meant to kickstart the user on the
 OpenBSD ports system.
 <p>
 The <i>ports/</i> directory represents a CVS checkout of our ports.
 As with our complete source tree, our ports tree is available via
 <a href="anoncvs.html">AnonCVS</a>.
 So, in order to keep up to date with the -stable branch, you must make
 the <i>ports/</i> tree available on a read-write medium and update the tree
 with a command like:
 <blockquote><pre>
 # <kbd>cd /usr/ports</kbd>
 # <kbd>cvs -d anoncvs@server.openbsd.org:/cvs update -Pd -rOPENBSD_7_3</kbd>
 </pre></blockquote>
 <p>
 [Of course, you must replace the server name here with a nearby anoncvs
 server.]
 <p>
 Note that most ports are available as packages on our mirrors. Updated
 ports for the 7.3 release will be made available if problems arise.
 <p>
 If you're interested in seeing a port added, would like to help out, or just
 would like to know more, the mailing list
 <a href="mail.html">ports@openbsd.org</a> is a good place to know.
 </section>
 </body>
 </html>