------------------------------------------------------------------------ - OpenBSD 7.9 RELEASED ------------------------------------------------- May 19, 2026. We are pleased to announce the official release of OpenBSD 7.9. This is our 60th release. We remain proud of OpenBSD's record of more than thirty years with only two remote holes in the default install. As in our previous releases, 7.9 provides significant improvements, including new features, in nearly all areas of the system: - Platform-specific improvements: o arm64: - Enabled ice(4) on arm64. - Added support for the RK3588 and RK3576 SoCs with new or additions to existing drivers. - Added support for the Genesys Logic GL9755 SDHC controller (which includes the SDHC controller on some of the Apple Silicon laptops) to sdmmc(4). o amd64: - Added SMU support to amdpmc(4). The SMU is a microcontroller buried deep in the bowels of AMD SoCs and needs to be tickled in order to reach the lowest power states in suspend. - Disabled Panel Self Refresh (PSR) in amdgpu to avoid a potential hang on a ThinkPad X13 gen 6. - Increased MAXCPUs on amd64 to 255. - On amd64, we now zero the DM PTE/PDE pages before use. This fixes a bug on machines with more than 512GB RAM. - Mitigated floating point state leakage observed on AMD Zen/Zen+ (Zen 1). o luna88k: - Switched luna88k compiler to gcc4. - Switched luna88k to PIE (Position Independent Executables) by default. o riscv64: Systems with a SpacemiT K1 SoC gained support with the following (and more) changes: - Added smtclock(4), a driver for the clock/reset controller on the SpacemiT K1 SoC. - Added many more drivers to support the SpacemiT K1 SoC. - Implemented support for the Zicbom (Cache-Block Management) and Svpbmt (Page-Based Memory Types) extensions. - Added the SpacemiT K1 device trees onto the riscv64 miniroot making them accessible during installation. - Made "Instruction access fault" (EXCP_FAULT_FETCH) traps being treated as PROT_EXEC. This fixes random SIGSEGV on the SpacemiT X60 cores. - Added SpacemiT K1 support to dwpcie(4). o Other architectures: - Fixed various errors on big-endian systems in ice(4) to make it work on sparc64. - Changed powerpc64 memory barriers to "sync". - Reworked and improved TLB shootdown on alpha. - Hoisted mips64 CPU accounting to get multiple softnet threads on MP systems. - Made sure to initialize all FPU registers on sparc64 to all 1 (or -NaN), and not only the lower 32 registers. - Fixed parking mutex on sun4u sparc64 cpus. o More platform-specific changes can be found in the hardware support section below. - Various kernel improvements: o Introduced a mechanism to manage CPU cores with different speeds in the scheduler. The sysctl(8) variable "hw.blockcpu" takes a sequence of 4 letters: S (for SMT), P (regular performance CPU), E (efficient CPU, generally 80% to 50% as fast), and L (lethargic CPU) which are even slower. Set this to select CPUs to kick out of the scheduler (SL by default). Currently works on amd64 and arm64. o Replaced the cas spinlock in kernel mutexes with a "parking" lock. o Stopped forcing the page daemon to sleep when there are outstanding paging requests. o Implemented a ddb(4) stop command that sends a SIGSTOP to the specified pid. o Made ddb(4) output visible when entering ddb from X on amdgpu. o Added infrastructure to allow future support of up to 52 partitions per disk. o Made changes to avoid memory allocation from within the swapencrypt path of the pagedaemon by pre-allocating 32 swapclusters up-front. o Changed the strategy by which the pagedaemon creates free memory by overshooting the creation of inactive and free pages, in order to defragment memory. o Refuse to load a binary without a PT_LOAD exec segment. - Suspend/Hibernate Support: o Implemented delayed hibernation: In order to prevent running out of battery while suspended, this feature wakes up a suspended system after a configurable time to then immediately perform a hibernation. The machdep.hibernatedelay sysctl(2) is used to configure the number of seconds after which the system will wake up from suspend and hibernate itself. - SMP Improvements: o Unlocked socket splicing. o Unlocked icmp6_sysctl(). o Unlocked the IGMP slow timeout. o Enabled parallel fault handling on amd64 and arm64. o Made bse(4) interrupts mp-safe. o Protected the IGMP and MLD6 fast timers with an rwlock. - Direct Rendering Manager and graphics drivers: o Updated drm(4) to Linux 6.18.22. - VMM/VMD and virtualization improvements: o Adopted PCI-based semantics for reading unsupported or invalid registers by returning all 1's. Newer Linux kernels have started using 128-bit feature spaces. o Added sysctl(8) machdep.vmmode to indicate status as a host or guest (and SEV mode). o Added vmboot, a tiny kernel that allows sysupgrade(8) to work for vmd(8) VMs. o Allowed cd(4)/vioscsi(4) on a VM to use confidential computing methods, e.g. AMD SEV. o Fixed a segfault in vmd(8) during vmmci timeout firing. o Enabled 32-bit direct kernel launch for both amd64 and i386 in vmd(8). o Fixed a race in vmd(8) vm pause barrier usage. o Fixed a race in vmm(4) vm termination path. o Added emulation of AMD SysCfg MSR in vmm(4). o Made OpenBSD work on Apple Virtualization. o Only expose pvclock(4) in vmm(4) if tsc frequency is known. o Reduced vmd(8) lowmem area in the memory map to help Linux guest reboot issues. o Prevented vmd(8) pause deadlock when vcpu doesn't halt. o Fixed timer emulation-related OpenBSD-i386 VM hangs when using the i8254 hardware timecounter with vmm(4). o Made vio(4) recover from missed RX interrupts. o Fixed vmd(8) vionet reset race leading to broken networking. - Various new userland features: o Dynamically determine the possible partition names to show in the disklabel(8) editor a(dd) command help message. o Allow the disklabel(8) 'd'elete editor command to zero out FS_UNUSED partitions despite current value of d_npartitions. o Added display of the close-on-fork flag as 'f' in R/W column to fstat(1). o Added support for the XDG_RUNTIME_DIR environment variable in login(1) and xenodm(1) via login_cap(3). Set it by default, pointing to /tmp/run/user/${uid} which gets created if needed. - More bugfixes and tweaks in userland: o Made libsndio restart the audio(4) device upon underrun. o Enable fall-back audio devices by default in sndiod(8). o Simplified the Unix socket binding code in sndiod(8). o Simplified cookie handling in libsndio. o Enabled recording and monitoring at the same time in sndiod(8). o In the LLVM compiler, fixed x86 frame lowering for -msave-args. o Made pthread_set_name_np(3) succeed with long thread names instead of silently failing. o Handle calls to libc's freeaddrinfo(3) function with a NULL argument, instead of crashing, and improve the manpage. o Made pcidump(8) print PCI bridge windows when they are "open". o Fixed an editline(3) bug that truncates completion candidates when the input wraps to a new line. o Added file(1) support for PSF2 fonts detection. o Added file(1) support for Web Open Font Format (WOFF) detection. o Fixed mg(1) replace-regexp issues. o Improved handling of strdup(3) failures in mg(1). o Improved the "No changes need to be saved" check in mg(1). o Dropped the initialization of curses when ksh(1) is not started interactively. This avoids opening and parsing of the terminfo(3) file. o Added echo(1) -e to process escape sequences and support for multiple groups of dash args like ksh's echo. o Increased the length of arguments that can be given to pkill(1). This allows matching of commands with longer command line arguments. o Made the -0 option override -E in xargs(1). o Set metaSendsEscape by default in xterm(1). o Fixed leap year detection in newsyslog(8). o Fixed less(1) crash on reading an invalid tags file. o Fixed a memory leak on sensorsd(8) configuration reload. - Improved hardware support and driver bugfixes, including: o Tweaked PCI device power management such that drivers can change their own power state. Let xhci(4) power itself down such that its companion USB4 controller can go to sleep in its DVACT_POWERDOWN implementation. o Added nhi(4), a driver for USB4 controllers. o Added an audio(9) driver interface to expose the hardware's display name. o Changed envy(4) and uaudio(4) devices to return the product name as the display name. o Handle uaudio(4) devices with a single clock exposed in multiple domains. o Fixed unintended truncation of uaudio(4) device names when printing them in libsndio applications. o Improved acpi(4) handling of PCI bridges. o Implemented "StorageD3Enable" support in acpi(4). o Stopped acpi(4) from calling the PCI function when an AML node has neither _ADR nor _HID, and avoid a panic on the ThinkPad X40. o Added iasuskbd(4) support for special keys on the ASUS I2C laptop keyboards. o Added sgmsi(4), a driver for the MSI controller implementation on Sophgo SG2042 SoCs. o Added cdpcie(4), a driver for the Cadence PCIe controller, supporting the variant found on the Sophgo SG2042 SoC. o Added dwpcie(4) Qualcomm SC7280 support. o Added qcuart(4), a driver for Qualcomm GENI UART serial consoles. o Added smtgpio(4), a driver for the GPIO controller found on SpacemiT K1 SoCs. o Added rkusbdpphy(4), a driver for the USB DP Combo PHY on Rockchip SoCs. o Added support for blocking reads to fuse(4). o Added basic implementation of the low-level FUSE API sufficient to compile and run lowntfs-3g. o Allowed uhidev(4) to attach to and work with devices that don't have an input interrupt endpoint. o Added the ispi(4) driver for Intel LPSS SPI controller. o Added an Apple variant to the "de" keyboard encoding for wskbd(4). o Added acpihid(4), a driver for the Generic Buttons Device defined by the ACPI specification. o Made viogpu(4) viogpu_wsmmap() return a physical address via bus_dmamem_mmap(9). o Added support for "Apple Inc. Virtual USB Digitizer", to expose the touchpad on Apple Virtualization. o Added support for the PSP found on the AMD EPYC 9005 to psp(4). o Added support for the AlphaSmart Dana to uvisor(4) as a PALM4 device. o Added support for more line speeds to uplcom(4). o Added support for the RK3528 SoC to the dwmshc(4) eMMC controller driver. o In wscons(4) disallowed loading if mapchar emulops require a question mark character that is missing. - New or improved network hardware support: o Fixed memory leaks in bnxt(4). o In umb(4), made uplink and downlink speeds visible through kstat(4). o Added support for Quectel EC200A LTE modems to umsm(4). o Added rge(4) support for RTL8126 chip revision 0x64a00000. o Turned on SoftLRO by default on bnxt(4) and ice(4). o Fixed the ice(4) "too many data commands" error on TSO packets. o Increased the urndis(4) buffer size to 16k. o Fixed an issue where dwqe(4), e.g. on a veb(4), doesn't recover when the link is down but packets are bridged. o Made the output of bse(4) mp-safe. o Enabled 64-bit DMA transfers on aq(4), em(4), rge(4), re(4), iavf(4), ix(4), ixv(4), ixl(4), igc(4), ice(4) and iwx(4). o Added support for BCM575xx devices (also known as Thor or P5) to bnxt(4). o Added smte(4), a driver for the ethernet interfaces of the SpacemiT K1 SoC. - IEEE 802.11 wireless stack improvements and bugfixes: o Fixed association to access points which have all 802.11b rates disabled. o Updated ieee80211_classify() to RFC8325 to prioritize interactive SSH sessions correctly, and rate-limit high-prio QoS packets. o Initialized TIDs 4-7 to improve QoS behaviour during Tx aggregation. o Added basic 802.11ax support. o Added support for a 160 MHz window at 5 GHz and enabled it on iwx(4). - Added or improved wireless network drivers: o Improved chances of qwx(4) receiving the initial WPA handshake message. o Reinitialized the qwx(4) HAL state when resuming from suspend. o Enabled iwx(4) on i386. o Added PMF (Protected Management Frames) support to iwm(4), iwx(4), and qwx(4), and add support for 802.11 AKM SHA256-PSK to ifconfig(8) and enable it by default if the driver supports PMF. o Fixed iwx(4) issues related to roaming and PMF and firmware crypto keys. o Set the assoc ID field in iwx(4) firmware commands correctly. o Added support for BZ devices with WiFi 6e radio to iwx(4). o Made iwx(4) not load incomplete firmware images and report a proper error instead. o Fixed iwn(4) setting of DMA base addresses of Tx rings 17 and beyond. o Added powersave support to iwx(4) and enable by default. o Added support for 160 MHz channel width to iwx(4). o Increased the VHT frame aggregation size limit from 64k to 1024k on iwx(4). o Aligned iwx(4) antenna patterns and STBC with iwlwifi. - Installer, upgrade, bootloader, and pkg-tools improvements: o Allow installboot(8) to finish, even if efi(4) can't be accessed. o Made sysupgrade fail if df /usr says the filesystem is over 90% full, rather than potentially completely breaking the system. o Scan both dmesg.boot and dmesg(8) output for devices with fw_update(8). o On amd64, added support for loading files (kernels) from the EFI system partition. This means one can put the OpenBSD boot loader and bsd.rd on the EFI boot partition and run the installer that way. This already works on arm64. o Improved keydisk partition detection in the installer. o Added aggr(4) support to arm64 RAMDISK and i386/amd64 RAMDISK_CD. o Increased the auto-allocated partition size of /usr/obj in disklabel(8). o Floppy install users on i386/amd64 may find fw_update(8) for some drivers will not work because pci strings in the kernel have become too large. - Security improvements: o Stop allowing root to bypass the effects of bpf(4) BIOCLOCK. BIOCLOCK is intended to remove the ability to reconfigure a BPF descriptor, but root processes were not subject to this revocation of privileges. No software relied on root being able to reconfigure a BPF descriptor, so this exemption was been removed. o Retired the pledge(2) 'tmppath' promise. The use of unveil /tmp rwc, unveil / r or similar together with pledge "rpath wpath cpath" replaces all use cases of 'tmppath' in a safer way. o Introduced the __pledge_open(2) system call, allowing libc to open a small set of tightly controlled internal files even when pledge(2) and unveil(2) would otherwise disallow direct access. File descriptors obtained this way are restricted to read-only use and cannot be used with write(2), chmod(2), chflags(2), chown(2), ftruncate(2), or fdpassing. This lets libc handle required devices, pledge-dependent files, and zoneinfo data without preserving the old pledge_namei() shortcut that allowed non-libc code to open the same special files. o In pledged processes, made /etc/localtime and /usr/share/zoneinfo scans much stricter. o In dig(1), fixed pledge/unveil issues relating to manual opening of /etc/resolv.conf. o Fixed unveil(2) to handle a filesystem that is mounted on a mount point that is itself the root of another filesystem. o Start fork(2)'ed children without a pgrp set (i.e. NULL) and update the pgrp pointer late to fix a potential race. o Do not expose p_addr kernel address through sysctl(2) unless root. o For sysctl({CTL_KERN, KERN_TTY, KERN_TTY_INFO), only export the t_session kernel address pointer if the caller is root. - New features in the network stack: o Made the Virtual Ethernet Bridge veb(4) a VLAN-aware bridge. Ports in veb(4) now have a PVID (port VLAN identifier) used to determine which VLAN untagged packets get associated with, and a bitmap of allowed VIDs (VLAN IDs) that say what VLANs tagged traffic can interact with. Ports can be configured as "access" ports by only configuring a pvid but with no entries in the vid map, or as a "trunk" by disabling the pvid and adding entries to the vid map, or a "hybrid" port by configuring both a pvid and entries in the vid map. To maintain compatibility with existing (simple) setups, veb defaults to using pvid 1 on ports added to the bridge. o Added a LOCKED flag to veb(4) ports that are added to a bridge(4). This makes sure that the source MAC address of frames received by these ports has an entry in the fib/address cache pointing at the same interface. o In IPFIX/Netflow v10, added a NAT template with post-NAT source and destination IP address and ports, allowing use of pflow to track internal to external translations. o Enabled IPv6 autoconf (SLAAC) by default. - Further changes and bugfixes in the network stack: o Implemented "checksum offload" between rport(4) pairs. This allows the kernel to skip ip/tcp/udp checksum calculation for packets between rdomains. o Implemented IFCAP_TSO in rport(4). This allows the stack to pass large tcp frames between rdomains. o In rport(4), made changes to use multiple txqs to spread traffic handling over softnet threads. o Fixed a panic when autodial (link1) on pppoe(4) tries to run. o Allowed bpf(4) in tun_dev_read to see VLAN tags when IFCAP_VLAN_HWTAGGING is enabled. o Added XOR and MOD operations to bpf(4). o Made tpmr(4) work with ether_offload_ifcap like veb(4) and bridge(4). o Added Private VLAN support to veb(4) as per RFC 5517. o Allowed VLAN tags (and therefore VLAN interfaces) on top of vports. o Made use of per-CPU refs in the input path instead of doing one refcnt per port to improve performance on tpmr(4), veb(4) and aggr(4). o Removed lacp support from trunk(4), now better supported by aggr(4). o Introduced a global interface queue limit. Limit all multiqueue network interfaces to common IF_MAX_VECTORS. Currently it is set to 8. One global limit helps to find an optimal value, stops wasting interrupt vectors, and clarifies what the actual hardware or driver limitations are. o Updated codel implementation to comply with RFCs 8289 and 8290. o Improved vio(4) feature negotiation for Large Receive Offload/TCP Segmentation Offload. o Prevented false ELOOP error in socket splicing with SO_SPLICE. o Made the network stack ignore TCP SACK packets with invalid sequence numbers to prevent potential kernel crash. - The following changes were made to the pf(4) firewall: o Introduced source and state limiters in pf(4). See the Source Limiters section in pf.conf(5). o Extended pf(4) limiters so an administrator can specify the action the rule executes when limit is reached. o In pfctl(8), changed default limiter action from no-match to block. o Have pf(4) state and source limiter state cleanup assert on the right lock. o Fixed pfctl(8) with -nvf ... option to provide output which matches pfctl grammar for rules that use source/state limiters. o Print both nat-to and rdr-to in pfctl(8) show rules. - Routing daemons, network services and other userland network programs saw the following improvements: o Do not log an error when dhcp6leased(8) cannot add a route because it already exists. o In dhcpleased(8), do not pass pointers over process privilege boundaries via imsg, only data. o Do not log an error when slaacd(8) cannot add a route because it already exists. o Fixed a buffer overflow reachable via rogue router advertisements in slaacd(8). o Prevented potential slaacd(8) crash if an attacker on the same layer 2 network sends rogue router advertisements. o Changed ospf6d(8) rc.d script to disallow reload, since ospf6d does not support it. o Fixed smtpd(8) dying if a malformed imsg is sent on the local socket. o Improved the logging of filter processing in smtpd(8). o Changed the default "tagged" operation for ifconfig(8) to add VLAN IDs rather than replace them. o Allowed the ifconfig(8) and brconfig(8) "tagged" operation to accept multiple VIDs and/or ranges of VIDs. o Added support for non-default config file paths to unbound(8) rc.d script. o In unwind(8), allow one to configure forced resolvers outside of preference blocks. o Added a "no banner" option to suppress the Server header in httpd(8). o Restored httpd(8) server_http_time() use of GMT. o Made httpd(8) error out on presence of Content-Length and Transfer-Encoding headers for GET, HEAD and other methods that should have no body. o Made relayd(8) and httpd(8) use the same internal log functions as bgpd(8) (and several other daemons). o Restored relayd(8) relay_http_time() use of GMT. o Added relayd(8) support for PROXY protocol in TCP relays. o Set a User-Agent in HTTP health checks sent by relayd(8). o Fixed a race condition in relayd(8) that could cause a crash during configuration reload. o Made relayd(8) support TLS with multiple listeners. o Fixed ftp(1) http_time() to use GMT, not UTC, per RFC 9110. o Report success in ftp(1) when a file is fully retrieved. o Made tcpdump(8) show the 802.11 QoS TID with -v. o Added printing of NetBIOS and DNS servers in IPCP to tcpdump(8). o Extended tcpdump(8) for printing of DHCPv6 information. o Made sure that internal counters do not go out of bounds if the -n or -A traceroute(8) options are specified more than once. o Raised rad(8) lifetimes for the router, DNS and NAT64 to 60 minutes and lower the prefix valid lifetime to 60 minutes. It does not make sense for one piece of information to time out before another when these are transmitted in one router advertisement packet. o Fixed a hang in rad(8) and slaacd(8) when they receive an RA from the local network with an ND option of length zero. - acme-client(1) saw several changes: o Made acme-client(1) only display port numbers in Host headers when the port is not 443. o Added support for IP Address certificates in acme-client(1). o Made changes to use ASN1_STRING_* accessor functions instead of reaching into ASN1_STRING objects directly. - In bgpd(8): o Rewrote the Adj-RIB-Out handling to be more memory efficient and faster. For large IXP route server deployments a reduction in memory usage of more than 50% should be feasible. o Process UPDATE messages in two phases: first update Adj-RIB-In, Loc-RIB, and FIB, then process all the Adj-RIB-Out tables. This significantly reduces the latency since updating all the Adj-RIB-Out tables could take a fair amount of time. o Introduced CH hash tables - a scalable hash map implementation that boosts performance through improved cache locality. o Introduce new metrics that track the amount of time spent in various parts of the main event loop of the route decision engine. o Fixed various non-critical things uncovered by Coverity scanner. o Improved outbound filter performance by storing the rules in an array and also deduplicate equal filters across peers. This and the filter_set change reduce the initial sync duration of large route servers by more than 25%. o Improved performance of filter_sets processing in the RDE process by moving to a linear array of set objects to reduce cache misses. o Added better logging for attribute parse errors which cause a session reset via UPDATE ATTRLIST error notification. o Introduced various additional memory metrics which are part of the 'show rib memory' command. Some values are also tracked per-neighbor and visible via 'show neighbor'. o Fixed logic error when handling per-peer and per-group MRT message dump configurations. - In rpki-client(8): o The Canonical Cache Representation underwent a breaking change after the adoption of draft-ietf-sidrops-rpki-ccr as a SIDROPS working group item. Apart from several CMS-related cosmetics, it now uses an IANA-assigned content type. As a result, rpki-client 9.7 cannot parse rpki-client 9.6's .ccr files and vice versa. o Support for Ghostbusters Record objects (RFC 6493) has been removed. Nobody showed interest in deploying this and there are other, widely supported ways of exchanging operational contact information such as RDAP. RFC 6493 is undergoing a status review to be marked as historic: status-change-rpki-ghostbusters-record-to-historic o Prepare the code base for the opaque ASN1_STRING structure in OpenSSL 4. o Fixed two reliability issues: one where a malicious RPKI Certification Authority can trigger a crash, one where a malicious Trust Anchor can provoke memory exhaustion. Thanks to Xie Yifan for reporting. o Various refactoring for improved compatibility with various libcrypto implementations and in CA/BGPsec certificate handling. o Fixed an accounting issue in HTTP gzip compression detection. o Added a warning in extra verbose mode (-vv) about standards non-compliant Issuer and Subject ASN.1 string encodings. o Added a check for canonical encoding of ASPA eContent in alignment with draft-ietf-sidrops-aspa-profile-22. o Ensure that a repository timeout correctly stops repository processing. Thanks to Fedor Vompe from Deutsche Telekom for reporting. o Fixed a defect in Canonical Cache Representation ROAIPAddressFamily sort order. As a result, rpki-client 9.8 cannot parse rpki-client 9.7's .ccr files and vice versa. Thanks to Bart Bakker from RIPE NCC for reporting. o Fixed an issue in the parser for the locally configured constraints. Thanks to Daniel Anderson. o A malicious RRDP Publication Server can cause a NULL dereference. Thanks to Daniel Anderson for reporting. o A malicious RPKI Publication Server can cause an incorrect error exit. Thanks to Yuheng Zhang, Qi Wang, Jianjun Chen from Tsinghua University, and Teatime Lab for reporting. - tmux(1) improvements and bug fixes: o Fixed the logic of the no-detached case for detach-on-destroy option. o Support case-insensitive search in tmux(1) modes in the same way as copy mode (like emacs, so all-lowercase means case insensitive). o Added -l flag to tmux(1) command-prompt to disable splitting into multiple prompts. o Allowed show-messages to work without a client. o Added seconds to tmux(1) clock mode. o Made tmux(1) clock mode seconds synchronized to the second. o Added support for synchronized output mode (DECSET 2026). o Added a focus-follows-mouse option. o Reduced request timeout to 500 milliseconds to match the extended escape time and discard palette requests if receiving a reply for a different index. o Added an -e flag to tmux(1) command-prompt to close if empty. o Fixed window-size=latest not resizing on switch-client in session groups. o Made tmux respond to DECRQM 2026. o Break out the sorting code into a common file so formats and modes use the same code and add -O for sorting to the list commands. o Added sorting (-O flag) and a custom format (-F) to list-keys. o Fixed several memory leaks. o Allow copy mode to work for readonly clients, except for copy commands. o Avoid a crash by checking for NULL before dereferencing. o Make -c (shell command) work with new-session -A. o Draw message as one format, allowing prompts and messages to occupy only a portion of the status bar, overlaying the normal status content rather than replacing the entire line. o Add a short built-in help text for each mode accessible with C-h. o Add extkeys feature to tmux(1) itself so nested tmux works. o Add -C flag to tmux(1) command-prompt to match display-message -C. - LibreSSL version 4.3.0: o Portable changes - Rework portable assembly handling with LIBRESSL_USE_ASSEMBLY - Add SHA assembly for elf-aarch64 - Add definition of ssize_t to cms.h for Windows - Fix posix_open() implementation so it properly signals failure - Fix SIGALRM handler for openssl speed on Windows o Internal improvements - Remove the unused sequence number from X509_REVOKED. - Replace a call to atoi(3) with strtonum(3) in nc(1) and replace a misleading use of ntohs(3) with htons(3). - openssl(1) speed now uses HMAC-SHA256 for its hmac benchmark. - Reimplemented only use of ASN1_PRINTABLE_type() in openssl(1) ca. The API will be removed in an upcoming release. - Add curve NID to EC_POINT objects so the library has a clue on which curve a given EC_POINT is supposed to live. - Use curve NID to check for compatibility between group and points in various EC API. This isn't 100% failsafe but good enough for sane uses. - Require SSE in order to use gcm_{gmult,ghash}_4bit_mmx(). On rare i386 machines supporting MMX but not SSE this could result in an illegal instruction. - Cleaned up asn1t.h to make it somewhat readable and more robust by using C99 initializers in particular. - Further assembly macro improvements for -portable. - Add fast path for well-known DH primes in DH_check(3) (including those from RFC 7919). Some projects still fiddle with this in 2025. - Rewrite ec_point_cmp() for readability and robustness. - Improve EVP_{Open,Seal}Init(3) internals. This is legacy API that cannot be removed since one scripting language still exposes it. - ASN1_BIT_STRING_set_bit(3) now trims trailing zero bits itself rather than relying on i2c_ASN1_BIT_STRING(3) to do that when encoding. - Fix and add workarounds to libtls to improve const correctness and to avoid warnings when compiling with OpenSSL 4. - Prefix EC_KEY methods with ec_key_ to avoid problems in some static links. - Remove mac_packet, a leftover from accepting SSLv2 ClientHellos. - Remove ssl_server_legacy_first_packet(). - In addition to what was done in LibreSSL 4.0 for the version handling, disable TLSv1.1 and lower also on the method level. - Remove workaround for SSL 3.0/TLS 1.0 CBC vulnerability. - Refactor ocsp_find_signer_sk() to avoid neglecting the ASN.1's semantics by directly reaching into deeply nested OCSP structures. o Compatibility changes - Expose X509_VERIFY_PARAM_set_hostflags(3) as a public symbol. - Provide SSL_SESSION_dup(3). - BIGNUMs now use the C99 types uint64_t/uint32_t for the word width. Fixes long-standing issues with 32-bit longs on 64-bit Windows. - Many unused BN_* macros with incomprehensible names were removed: BN_LONG, BN_BITS{,4}, BN_MASK2{,l,h,h1}, BN_TBIT, BN_DEC_CONV, BN_{DEC,HEX}_FMT{1,2}, ... - openssl(1) cms no longer accepts the unsupported -compress and -uncompress switches. - Added PKCS7_NO_DUAL_CONTENT flag/behavior. This is incorrect legacy behavior but some language bindings decided to rely on it in 2025. - Remove STABLE_FLAGS_MALLOC but keep STABLE_NO_MASK because there is still one user... - Fix ASN1_ADB_END macro to have compatible signature with OpenSSL. The adb_cb() argument is currently ignored. - Unexport ASN1_LONG_UNDEF. o New features - Support for MLKEM768_X25519 keyshare in TLS. - Added ML-KEM benchmarks to openssl(1) speed. - Added support for starttls protocol sieve. - Add support for RSASSA-PSS with pubkey OID RSASSA-PSS to libssl. o Bug fixes - Ensure the group selected by a TLSv1.3 server for a HelloRetryRequest is not one for which the client has already sent a key share. - Plug memory leak in CMS_EncryptedData_encrypt(3). - Plug possible memory leak and double free in nref_nos(). - Removed always zero test results for some no longer available legacy primitives in openssl(1) speed. - List SHA-3 digests in openssl(1) help output. - Fix encoding of bit strings with trailing zeroes on which ASN1_STRING_FLAG_BITS_LEFT is not set. - Add missing NULL pointer check to PKCS12_item_decrypt_d2i(3). - Avoid type confusion leading to 1-byte read at address 0x00-0xff in PKCS#12 parsing. - Fix type confusion in timestamp response parsing for v2 signing certs. - Fix EVP_SealInit(3) to return 0 on error, not -1. - Replace incorrect strncmp(3) with strcmp(3) in CRL distribution point config parsing. - openssl x509 -text writes its output to the file specified by -out like all other openssl(1) subcommands. - Stop Delta CRL processing in the verifier if the cRLNumber is missing. This is flagged on deserialization, but nothing checks that flag. This can lead to a NULL dereference if the verification has enabled Delta CRL checking by setting X509_V_FLAG_USE_DELTAS. - Fix NULL dereference that can be triggered with malformed OAEP parameter encoding for CMS decryption. - Add missing length checks before BIO_new_mem_buf(3) in libtls. - Improve libtls error reporting consistency, avoid reporting unrelated errnos. - Fix SAN dNSName constraints: instead of substring matching, match exactly and allow zero or more components in front of the candidate. o Reliability fix - Fix off-by-one error in the X.509 verifier depth checking. This can lead to a 4-byte overwrite on heap allocated memory for clients talking to a malicious server or for servers that have client certificate verification enabled. In addition, the maximum depth must be set to the maximum allowed value of 32. o Testing and proactive security - Port Wycheproof tests to testvectors_v1 and improve coverage and correctness. Add tests for ML-KEM in particular. - OpenSSH 10.3: o Security fixes: - ssh(1): validation of shell metacharacters in user names supplied on the command-line was performed too late to prevent some situations where they could be expanded from %-tokens in ssh_config. For certain configurations, such as those that use a "%u" token in a "Match exec" block, an attacker who can control the user name passed to ssh(1) could potentially execute arbitrary shell commands. Reported by Florian Kohnhäuser. We continue to recommend against directly exposing ssh(1) and other tools' command-lines to untrusted input. Mitigations such as this cannot be absolute given the variety of shells and user configurations in use. - sshd(8): when matching an authorized_keys principals="" option against a list of principals in a certificate, an incorrect algorithm was used that could allow inappropriate matching in cases where a principal name in the certificate contains a comma character. Exploitation of the condition requires an authorized_keys principals="" option that lists more than one principal *and* a CA that will issue a certificate that encodes more than one of these principal names separated by a comma (typical CAs strongly constrain which principal names they will place in a certificate). This condition only applies to user- trusted CA keys in authorized_keys, the main certificate authentication path (TrustedUserCAKeys/AuthorizedPrincipalsFile) is not affected. Reported by Vladimir Tokarev. - scp(1): when downloading files as root in legacy (-O) mode and without the -p (preserve modes) flag set, scp did not clear setuid/setgid bits from downloaded files as one might typically expect. This bug dates back to the original Berkeley rcp program. Reported by Christos Papakonstantinou of Cantina and Spearbit. - sshd(8): fix incomplete application of PubkeyAcceptedAlgorithms and HostbasedAcceptedAlgorithms with regard to ECDSA keys. Previously if one of these directives contains any ECDSA algorithm name (say "ecdsa-sha2-nistp384"), then any other ECDSA algorithm would be accepted in its place regardless of whether it was listed or not. Reported by Christos Papakonstantinou of Cantina and Spearbit. - ssh(1): connection multiplexing confirmation (requested using "ControlMaster ask/autoask") was not being tested for proxy mode multiplexing sessions (i.e. "ssh -O proxy ..."). Reported by Michalis Vasileiadis. o Potentially incompatible changes: - ssh(1), sshd(8): remove bug compatibility for implementations that don't support rekeying. If such an implementation tries to interoperate with OpenSSH, it will now eventually fail when the transport needs rekeying. - sshd(8): prior to this release, a certificate that had an empty principals section would be treated as matching any principal (i.e. as a wildcard) when used via authorized_keys principals="" option. This was intentional, but created a surprising and potentially risky situation if a CA accidentally issued a certificate with an empty principals section: instead of being useless as one might expect, it could be used to authenticate as any user who trusted the CA via authorized_keys. [Note that this condition did not apply to CAs trusted via the sshd_config(5) TrustedUserCAKeys option.] This release treats an empty principals section as never matching any principal, and also fixes interpretation of wildcard characters in certificate principals. Now they are consistently implemented for host certificates and not supported for user certificates. - ssh(1): the -J and equivalent -oProxyJump="..." options now validate user and host names for ProxyJump/-J options passed via the command-line (no such validation is performed for this option in configuration files). This prevents shell injection in situations where these were directly exposed to adversarial input, which would have been a terrible idea to begin with. Reported by rabbit. o New features: - ssh(1), sshd(8): support IANA-assigned codepoints for SSH agent forwarding, as per draft-ietf-sshm-ssh-agent. Support for the new names is advertised via the EXT_INFO message. If a server offers support for the new names, then they are used preferentially. Support for the pre-standardisation "@openssh.com" extensions for agent forwarding remains supported. - ssh-agent(1): implement support for draft-ietf-sshm-ssh-agent "query" extension. - ssh-add(1): support querying the protocol extensions via the agent "query" extension with a new -Q flag. - ssh(1): support multiple files in ssh_config and sshd_config RevokedHostKeys directive. bz3918 - ssh(1): add a ~I escape option that shows information about the current SSH connection. - ssh(1): add an "ssh -Oconninfo user@host" multiplexing command that shows connection information, similar to the ~I escapechar. - ssh(1): add an ssh -O channels user@host multiplexing command to get a running mux process to show information about what channels are currently open. - sshd(8): add invaliduser penalty to PerSourcePenalties, which is applied to login attempts for usernames that do not match real accounts. Defaults to 5s to match 'authfail' but allows administrators to block such attempts for longer if desired. - sshd(8): add a GSSAPIDelegateCredentials option for the server, controlling whether it accepts delegated credentials offered by the client. This option mirrors the same option in ssh_config. - ssh(1), sshd(8): support the VA DSCP codepoint in the IPQoS directive. - sshd(8): convert PerSourcePenalties to using floating point time, allowing penalties to be less than a second. This is useful if you need to penalise things you expect to occur at >=1 QPS. - ssh-keygen(1): support writing ED25519 keys in PKCS8 format. - Support the ed25519 signature scheme via libcrypto. o Bugfixes: - sshd(8): make IPQoS first-match-wins in sshd_config, like other configuration directives. bz3924 - sshd(8): fix potential crash when MaxStartups is set to a single argument (i.e. not using the MaxStartups x:y:z form) with a value below 10. bz3941 - sshd(8): fix a potential hang during key exchange if needed DH group values were missing from /etc/moduli. - ssh-agent(1): fix return values from extensions to be correct with respect to draft-ietf-sshm-ssh-agent: extension requests should indicate failure using SSH_AGENT_EXTENSION_FAILURE rather than the generic SSH_AGENT_FAILURE error code. This allows the client to discern between "the request failed" and "the agent doesn't support this extension". - ssh(1): use fmprintf for showing challenge-response name and info to preserve UTF-8 characters where appropriate. - scp(1): when uploading a directory using SFTP (e.g. during a recursive transfer), don't clobber the remote directory permissions unless either we created the directory during the transfer or the -p flag was set. bz3925 - All: implement missing pieces of FIDO/webauthn signature support, mostly related to certificate handling and enable acceptance of this signature format by default. bz3748 - sshd_config(5): make it clear that DenyUsers/DenyGroups overrides AllowUsers/AllowGroups. Previously we specified the order in which the directives are processed but it was ambiguous as to what happened if both matched. - ssh(1): don't try to match certificates held in an agent to private keys. This matching is done to support certificates that were loaded without their private key material, but is unnecessary for agent-hosted certificates, which always have private key material available in the agent. Worse, this matching would mess up the request sent to the agent in such a way as to break usage of these keys when the key usage was restricted in the agent. bz3752 - sftp(1): if editline has been switched to vi mode (i.e. via "bind -v" in .editrc), set up a keybinding so that command mode can be entered. - ssh(1), sshd(8): improve performance of keying the sntrup761 key agreement algorithm. - ssh(1), sshd(8): enforce maximum packet/block limit during pre-authentication phase. - sftp(1): don't misuse the sftp limits extension's open-handles field. This value is supposed to be the number of handles a server will allow to be opened and not a number of outstanding read/write requests that can be sent during an upload/download. - sshd(8): don't crash at connection time if the main sshd_config lacks any subsystem directive but one is defined in a Match block. bz3906 - sshd_config(5): add a warning next to the ForceCommand directive that forcing a command doesn't automatically disable forwarding. - sshd_config(5): add a warning that TOKENS are replaced without filtering or escaping and that it's the administrator's responsibility to ensure they are used safely in context. - scp(1): correctly quote filenames in verbose output for local->local copies. bz3900 - sshd(8): don't mess up the PerSourceNetBlockSize IPv6 mask if sscanf didn't decode it. - ssh-add(1): when loading FIDO2 resident keys, set the comment to the FIDO application string. This matches the behaviour of ssh-keygen -K. - sshd(8): don't strnvis() log messages that are going to be logged by sshd-auth via its parent sshd-session process, as the parent will also run them through strnvis(). Prevents double-escaping of non-printing characters in some log messages. bz3896 - ssh-agent(1): escape SSH_AUTH_SOCK paths that are sent to the shell as setenv commands. Unbreaks ssh-agent for home directory paths that contain whitespace. bz3884 - All: Remove unnecessary checks for ECDSA public key validity. - sshd(8): activate UnusedConnectionTimeout only after the last channel has closed. Previously UnusedConnectionTimeout could fire early after a ChannelTimeout. This was not a problem for the OpenSSH client because it terminates once all channels have closed but could cause problems for other clients (e.g. API clients) that do things differently. bz3827 - All: fix PKCS#11 key PIN entry problems introduced in openssh-10.1/10.2. bz3879 - scp(1): when using the SFTP protocol for transfers, fix implicit destination path selection when source path ends with "..". bz3871 - sftp(1): when tab-completing a filename, ensure that the completed string does not end up mid-way through a multibyte character, as this will cause a fatal() later on. - ssh-keygen(1): fix crash at exit (visible via ssh-keygen -D) when multiple keys loaded. - scp(1)/sftp(1): correctly display bandwidths greater than 2 GBps in the progress meter. - Ports and packages: o Pre-built packages are available for the following architectures on the day of release: - aarch64 (arm64): 12883 - amd64: 13044 - i386: 10631 - mips64: 9309 - powerpc64: 9507 - sparc64: 10079 o Packages for the following architectures will be made available as their builds complete: - arm - powerpc - riscv64 - Some highlights: o Asterisk 16.30.1, 18.26.4, o Mutt 2.3.1 and NeoMutt 20260406 20.19.0 and 22.9.0 o Node.js 22.22.2 o Audacity 3.7.7 o OCaml 4.14.2 o CMake 4.2.3 o OpenLDAP 2.6.13 o Chromium 147.0.7727.101 o PHP 8.2.30, 8.3.30, 8.4.20 and o Emacs 30.2 8.5.5 o FFmpeg 8.0.1 o Postfix 3.5.25 and 3.11.1 o GCC 15.2.0 o PostgreSQL 18.3 o GHC 9.10.3 o Python 2.7.18 and 3.13.13 o GNOME 49 o Qt 5.15.18 (+ kde patches) and o Go 1.26.2 6.10.2 o JDK 11.0.30, 17.0.18, 21.0.10, o R 4.5.2 25.0.2 o Ruby 3.3.11, 3.4.9 and 4.0.2 o KDE Applications 25.12.3 o Rust 1.94.1 o KDE Frameworks 6.23.0 o SQLite 3.51.3 o KDE Plasma 6.6.4 o Shotcut 26.2.26 o Krita 5.2.16 o Sudo 1.9.17p2 o LLVM/Clang 19.1.7, 20.1.8 o Suricata 7.0.7 21.1.8 o Tcl/Tk 8.5.19. 8.6.17 and 9.0.3 o LibreOffice 26.2.2.2 o TeX Live 2025 o Lua 5.1.5, 5.2.4, 5.3.6 and o Vim 9.2.0357 and Neovim 0.12.1 5.4.8 o Vulkan 1.4.341.0 o MariaDB 11.4.10 o Wayland 1.24.0 with compositors o Mono 6.14.1 Labwc, Mango, Niri, Sway and o Mozilla Firefox 150.0 and Wayfire ESR 140.10.0 o Xfce 4.20.0 o Mozilla Thunderbird 140.10.0 - As usual, steady improvements in manual pages and other documentation. - The system includes the following major components from outside suppliers: o Xenocara (based on X.Org 7.7 with xserver 21.1.21 + patches, freetype 2.14.2, fontconfig 2.17.1, Mesa 25.0.7, xterm 406, xkeyboard-config 2.20, fonttosfnt 1.2.4, and more) o LLVM/Clang 19.1.7 (+ patches) o GCC 4.2.1 (+ patches) o Perl 5.42.2 (+ patches) o pkgconf 2.4.3 o NSD 4.14.2 o Unbound 1.24.2 o Ncurses 6.4 o Binutils 2.17 (+ patches) o Gdb 6.3 (+ patches) o Awk 20250116 o Expat 2.7.5 o zlib 1.3.2 (+ patches) ------------------------------------------------------------------------ - SECURITY AND ERRATA -------------------------------------------------- We provide patches for known security threats and other important issues discovered after each release. Our continued research into security means we will find new security problems -- and we always provide patches as soon as possible. Therefore, we advise regular visits to https://www.OpenBSD.org/security.html and https://www.OpenBSD.org/errata.html ------------------------------------------------------------------------ - MAILING LISTS AND FAQ ------------------------------------------------ Mailing lists are an important means of communication among users and developers of OpenBSD. For information on OpenBSD mailing lists, please see: https://www.OpenBSD.org/mail.html You are also encouraged to read the Frequently Asked Questions (FAQ) at: https://www.OpenBSD.org/faq/ ------------------------------------------------------------------------ - DONATIONS ------------------------------------------------------------ The OpenBSD Project is a volunteer-driven software group funded by donations. Besides OpenBSD itself, we also develop important software like OpenSSH, LibreSSL, OpenNTPD, OpenSMTPD, the ubiquitous pf packet filter, the quality work of our ports development process, and many others. This ecosystem is all handled under the same funding umbrella. We hope our quality software will result in contributions that maintain our build/development infrastructure, pay our electrical/internet costs, and allow us to continue operating very productive developer hackathon events. All of our developers strongly urge you to donate and support our future efforts. Donations to the project are highly appreciated, and are described in more detail at: https://www.OpenBSD.org/donations.html ------------------------------------------------------------------------ - OPENBSD FOUNDATION --------------------------------------------------- For those unable to make their contributions as straightforward gifts, the OpenBSD Foundation (https://www.openbsdfoundation.org) is a Canadian not-for-profit corporation that can accept larger contributions and issue receipts. In some situations, their receipt may qualify as a business expense write-off, so this is certainly a consideration for some organizations or businesses. There may also be exposure benefits since the Foundation may be interested in participating in press releases. In turn, the Foundation then uses these contributions to assist OpenBSD's infrastructure needs. Contact the foundation directors at directors@openbsdfoundation.org for more information. ------------------------------------------------------------------------ - RELEASE SONG --------------------------------------------------------- OpenBSD 7.9 comes with the song "Diamond in the Rough". An explanation of the song may be found at: https://www.OpenBSD.org/lyrics.html#79 ------------------------------------------------------------------------ - HTTPS INSTALLS ------------------------------------------------------- OpenBSD can be easily installed via HTTPS downloads. Typically you need a single small piece of boot media (e.g., a USB flash drive) and then the rest of the files can be installed from a number of locations, including directly off the Internet. Follow this simple set of instructions to ensure that you find all of the documentation you will need while performing an install via HTTPS. 1) Read either of the following two files for a list of HTTPS mirrors which provide OpenBSD, then choose one near you: https://www.OpenBSD.org/ftp.html https://ftp.openbsd.org/pub/OpenBSD/ftplist As of May 19, 2026, the following HTTPS mirror sites have the 7.9 release: https://cdn.openbsd.org/pub/OpenBSD/7.9/ Global https://ftp.eu.openbsd.org/pub/OpenBSD/7.9/ Stockholm, Sweden https://ftp.hostserver.de/pub/OpenBSD/7.9/ Frankfurt, Germany https://ftp.bytemine.net/pub/OpenBSD/7.9/ Oldenburg, Germany https://ftp.fr.openbsd.org/pub/OpenBSD/7.9/ Paris, France https://mirror.aarnet.edu.au/pub/OpenBSD/7.9/ Brisbane, Australia https://ftp.usa.openbsd.org/pub/OpenBSD/7.9/ CO, USA https://ftp5.usa.openbsd.org/pub/OpenBSD/7.9/ CA, USA https://mirror.esc7.net/pub/OpenBSD/7.9/ TX, USA https://openbsd.cs.toronto.edu/pub/OpenBSD/7.9/ Toronto, Canada https://cloudflare.cdn.openbsd.org/pub/OpenBSD/7.9/ Global https://fastly.cdn.openbsd.org/pub/OpenBSD/7.9/ Global The release is also available at the master site: https://ftp.openbsd.org/pub/OpenBSD/7.9/ Alberta, Canada However it is strongly suggested you use a mirror. Other mirror sites may take a day or two to update. 2) Connect to that HTTPS mirror site and go into the directory pub/OpenBSD/7.9/ which contains these files and directories. This is a list of what you will see: ANNOUNCEMENT armv7/ octeon/ root.mail README hppa/ openbsd-79-base.pub sparc64/ SHA256 i386/ packages/ src.tar.gz SHA256.sig landisk/ packages-stable/ sys.tar.gz alpha/ loongson/ ports.tar.gz xenocara.tar.gz amd64/ luna88k/ powerpc64/ arm64/ macppc/ riscv64/ It is quite likely that you will want at LEAST the following files which apply to all the architectures OpenBSD supports. README - generic README root.mail - a copy of root's mail at initial login. (This is really worthwhile reading). 3) Read the README file. It is short, and a quick read will make sure you understand what else you need to fetch. 4) Next, go into the directory that applies to your architecture, for example, amd64. This is a list of what you will see: BOOTIA32.EFI* bsd* floppy79.img pxeboot* BOOTX64.EFI* bsd.mp* game79.tgz xbase79.tgz BUILDINFO bsd.rd* index.txt xfont79.tgz INSTALL.amd64 cd79.iso install79.img xserv79.tgz SHA256 cdboot* install79.iso xshare79.tgz SHA256.sig cdbr* man79.tgz base79.tgz comp79.tgz miniroot79.img If you are new to OpenBSD, fetch _at least_ the file INSTALL.amd64 and install79.iso. The install79.iso file (roughly 762MB in size) is a one-step ISO-format install CD image which contains the various *.tgz files so you do not need to fetch them separately. If you prefer to use a USB flash drive, fetch install79.img and follow the instructions in INSTALL.amd64. 5) If you are an expert, follow the instructions in the file called README; otherwise, use the more complete instructions in the file called INSTALL.amd64. INSTALL.amd64 may tell you that you need to fetch other files. 6) Just in case, take a peek at: https://www.OpenBSD.org/errata.html This is the page where we talk about the mistakes we made while creating the 7.9 release, or the significant bugs we fixed post-release which we think our users should have fixes for. Patches and workarounds are clearly described there. ------------------------------------------------------------------------ - X.ORG FOR MOST ARCHITECTURES ----------------------------------------- X.Org has been integrated more closely into the system. This release contains X.Org 7.7. Most of our architectures ship with X.Org, including amd64, sparc64 and macppc. During installation, you can install X.Org quite easily using xenodm(1), our simplified X11 display manager forked from xdm(1). ------------------------------------------------------------------------ - PACKAGES AND PORTS --------------------------------------------------- Many third party software applications have been ported to OpenBSD and can be installed as pre-compiled binary packages on the various OpenBSD architectures. Please see https://www.openbsd.org/faq/faq15.html for more information on working with packages and ports. Note: a few popular ports, e.g., NSD, Unbound, and several X applications, come standard with OpenBSD and do not need to be installed separately. ------------------------------------------------------------------------ - SYSTEM SOURCE CODE --------------------------------------------------- The source code for all four subsystems can be found in the pub/OpenBSD/7.9/ directory: xenocara.tar.gz ports.tar.gz src.tar.gz sys.tar.gz The README (https://ftp.OpenBSD.org/pub/OpenBSD/7.9/README) file explains how to deal with these source files. ------------------------------------------------------------------------ - THANKS --------------------------------------------------------------- Ports tree and package building by Jeremie Courreges-Anglas, Visa Hankala, Stuart Henderson, Peter Hessler, George Koehler, Kurt Mosiejczuk, and Christian Weisgerber. Base and X system builds by Kenji Aoyama, Theo de Raadt, and Miod Vallat. Release art by Lyra Henderson. We would like to thank all of the people who sent in bug reports, bug fixes, donation cheques, and hardware that we use. We would also like to thank those who bought our previous CD sets. Those who did not support us financially have still helped us with our goal of improving the quality of the software. Our developers are: Aaron Bieber, Adam Wolk, Aisha Tammy, Alexander Bluhm, Alexander Hall, Alexandr Nedvedicky, Alexandr Shadchin, Alexandre Ratchov, Andrew Hewus Fresh, Anil Madhavapeddy, Anthony J. Bentley, Antoine Jacoutot, Anton Lindqvist, Asou Masato, Ayaka Koshibe, Benoit Lecocq, Bjorn Ketelaars, Bob Beck, Brandon Mercer, Brent Cook, Brian Callahan, Bryan Steele, Can Erkin Acar, Caspar Schutijser, Charlene Wendling, Charles Longeau, Chris Cappuccio, Christian Ludwig, Christian Weisgerber, Christopher Zimmermann, Claudio Jeker, Dale Rahn, Damien Miller, Daniel Dickman, Daniel Jakots, Darren Tucker, Dave Voutila, David Coppa, David Gwynne, David Hill, David Leadbeater, Denis Fondras, Edd Barrett, Eric Faurot, Florian Obser, Florian Riehm, Frederic Cambus, George Koehler, Gerhard Roth, Giannis Tsaraias, Gilles Chehade, Giovanni Bechis, Gleydson Soares, Gonzalo L. Rodriguez, Greg Steuck, Hans-Joerg Hoexer, Helg Bredow, Henning Brauer, Ian Darwin, Ian Sutton, Igor Sobrado, Ingo Feinerer, Ingo Schwarze, Inoguchi Kinichiro, James Hastings, James Turner, Jan Klemkow, Jason McIntyre, Jasper Lievisse Adriaanse, Jeremie Courreges-Anglas, Jeremy Evans, Job Snijders, Joel Sing, Joerg Jung, Johannes Thyssen Tishman, Jonathan Armani, Jonathan Gray, Jonathan Matthew, Jordan Hargrave, Josh Rickmar, Joshua Sing, Joshua Stein, Juan Francisco Cantero Hurtado, Kazuya Goda, Kenji Aoyama, Kenjiro Nakayama, Kenneth R Westerback, Kent R. Spillner, Kevin Lo, Kirill A. Korinsky, Kirill Bychkov, Klemens Nanni, Kurt Miller, Kurt Mosiejczuk, Landry Breuil, Lawrence Teo, Lucas Gabriel Vuotto, Lucas Raab, Marcus Glocker, Mark Kettenis, Mark Lumsden, Markus Friedl, Martijn van Duren, Martin Natano, Martin Reindl, Martynas Venckus, Matthew Dempsky, Matthias Kilian, Matthieu Herrb, Michael Mikonos, Mike Belopuhov, Mike Larkin, Miod Vallat, Moritz Buhl, Nam Nguyen, Nayden Markatchev, Nicholas Marriott, Nigel Taylor, Okan Demirmen, Omar Polo, Ori Bernstein, Otto Moerbeek, Paco Esteban, Pamela Mosiejczuk, Pascal Stumpf, Patrick Wildt, Paul Irofti, Pavel Korovin, Peter Hessler, Philip Guenther, Pierre-Emmanuel Andre, Pratik Vyas, Rafael Sadowski, Rafael Zalamena, Raphael Graf, Remi Locherer, Remi Pointel, Renato Westphal, Renaud Allard, Ricardo Mestre, Richard Procter, Rob Pierce, Robert Nagy, Sasano Takayoshi, Scott Soule Cheloha, Sebastian Benoit, Sebastian Reitenbach, Sebastien Marie, Solene Rapenne, Stefan Fritsch, Stefan Hagen, Stefan Kempf, Stefan Sperling, Steven Mestdagh, Stuart Cassoff, Stuart Henderson, Sunil Nimmagadda, T.J. Townsend, Ted Unangst, Theo Buehler, Theo de Raadt, Thomas Frohwein, Tim van der Molen, Tobias Heider, Tobias Stoeckmann, Todd C. Miller, Todd Mortimer, Tom Cosgrove, Tracey Emery, Ulf Brosziewski, Uwe Stuehler, Vadim Zhukov, Vincent Gross, Visa Hankala, Vitaliy Makkoveev, Volker Schlecht, Yasuoka Masahiko, Yojiro Uo