OpenBSD Journal
Contributed by rueda on from the puffier raspberries! dept.
OpenBSD -current
has gained
initial support for the
Raspberry Pi 5:
CVSROOT: /cvs Module name: src Changes by: mglocker@cvs.openbsd.org 2025/09/01 12:56:04 Modified files: distrib/arm64/iso: Makefile distrib/arm64/ramdisk: Makefile install.md list Log message: Add Raspberry Pi 5 Model B support for RAMDISK.
-currentContributed by rueda on from the ++good dept.
Rafael Sadowski (rsadowski@)
completed updates
to C++ libraries in -current:
CVSROOT: /cvs Module name: src Changes by: rsadowski@cvs.openbsd.org 2025/08/21 09:26:58 Modified files: gnu/lib/libcxx : Makefile gnu/lib/libcxx/include/c++/v1: __config_site gnu/lib/libcxxabi: Makefile gnu/lib/libexecinfo: Makefile Added files: gnu/lib/libcxx/include/c++/v1: __assertion_handler Log message: update build infrastructure for libunwind-, libcxxabi- and libcxx-19.1.7 This gives us a modern c++ lib in base!
-currentContributed by rueda on from the cccccblddbkhelgbdjuughbjdcvrddggdcjvricrriuk dept.
Yubikey
OTP
support has been disabled in -current.
The
commit message
explains the rationale:
CVSROOT: /cvs Module name: src Changes by: deraadt@cvs.openbsd.org 2025/08/14 08:39:44 Modified files: sys/dev/usb : ukbd.c Log message: Most Yubikey ship with OTP support enabled out of the box (and generate accidental output like cccccblddbkhelgbdjuughbjdcvrddggdcjvricrriuk). Yubikey re-configuration requires crazy buggy and fragile tools using crazy usb feature support, and therefore OTP disabling is very annoying. We make a policy decision to not attach these as keyboards anymore, because a majority of users just want the FIDO functionality. If you want to use OTP, buy a different device from a different vendor or convince Yubikey to significantly improve their tooling. idea from kettenis
To be clear: this affects only the keyboard attachment of only Yubico devices. Therefore:
login_yubikey(8) can no longer be used for local authentication purposes, but will still function for authentication of remote clients (so long as they support Yubikey OTP).Running a patched kernel is the only way [at present] to reverse this change.
Contributed by Peter N. M. Hansteen on from the ssh! QoS vadis? dept.
djm@) introduced a significant change,
which enables ssh
and sshd
to set the IP QoS based on what connections
and sessions are active.
The commit message says,
List: openbsd-cvs Subject: CVS: cvs.openbsd.org: src From: Damien Miller <djm () cvs ! openbsd ! org> Date: 2025-08-18 3:43:01 CVSROOT: /cvs Module name: src Changes by: djm@cvs.openbsd.org 2025/08/17 21:43:01 Modified files: usr.bin/ssh : sshd-session.c sshd-auth.c ssh.c session.c serverloop.c packet.h packet.c mux.c misc.c clientloop.c channels.h channels.c Log message: Make ssh(1) and sshd(8) set IP QoS (aka IP_TOS, IPV6_TCLASS) continually at runtime based on what sessions/channels are open.
Contributed by rueda on from the "it's-in-the-trees!--it's-coming!" dept.
Version 0.117 of Game of Trees has been released (and the port updated):
- regress: replace "sed -i" with ed(1) for portable in-place editing
- ensure that error messages from gotsysd libexec helpers get logged
- fix gotsysd using wrong auth and hmac labels in the generated gotd.conf
- preserve bad symlinks across merges during rebase and histedit
- improve binary files detection: detect any control characters, not just NUL
- gotwebd: fix race condition resulting in trucated html with trailing garbage
- make commit coloring faster and more accurate, producing smaller pack files
- improve selection of pack files for pinning in the open pack file cache
- regress: don't load global/home git configuration files while running tests
- make 'got clone' set a got.conf default branch for fetching only, not sending
tedu@)Contributed by Peter N. M. Hansteen on from the oh, fork! dept.
tedu@) asks,
is OpenBSD 10x faster than Linux?.
He explains,
Here’s a little benchmark complements of Jann Horn. It’s unexpectedly slow on Linux. OpenBSD is so fast, I had to modify the program slightly to measure itself, as the time utility is missing sufficient precision to even record nonzero.Go on, read the rest over at Ted's blog for some fun tidbits on performance and benchmarks.
Contributed by Peter N. M. Hansteen on from the oodles of imaginary friends dept.
spamd(8)
spammer taunting software.
The feature has now been around for 18 years, and undeadly.org co-editor Peter Hansteen found that and another milestone to be a good reason to write a retrospective:
Friends, it finally happened. On August 7th, 2025, the number of spamtraps intended to woo the unwary spammer rolled past the number of inhabitants in my home country of Norway. It's time for a retrospective.
So I wrote up one: Eighteen Years of Greytrapping - Is the Weirdness Finally Paying Off? (also available with G's trackers here) is a retrospective article with data and graphs.
That's right, we've been making life harder for spammers for 18 years. Peter's writeup has links to data, and more field notes and war stories than he could actually remember writing when he started on the retrospective.
Contributed by Peter N. M. Hansteen on from the SSH! Quantums posted! dept.
A recent data point here is that Damien Miller (djm@) just
committed
a new
OpenSSH Post-Quantum Cryptography
FAQ page to the
OpenSSH web site:
List: openbsd-cvs Subject: CVS: cvs.openbsd.org: www From: Damien Miller <djm () cvs ! openbsd ! org> Date: 2025-08-11 5:26:51 CVSROOT: /cvs Module name: www Changes by: djm@cvs.openbsd.org 2025/08/10 23:26:51 Added files: openssh : pq.html
Contributed by Peter N. M. Hansteen on from the puffed up for my closeup dept.
kirill@) would like to hear from you after testing recent snapshots.
Kirill's
message
to misc@ reads:
Subject: Call for testing: USB webcams From: Kirill A. Korinsky <kirill () korins ! ky> Date: 2025-08-06 13:27:31 misc@, the latest snapshots for amd64 and arm64 (I haven't checked other architectures) include my recent changes to add support for H.264 streams from USB webcams.
Donate to OpenBSD
We are constantly on the lookout for stories of how you put OpenBSD to work. Please submit any informative articles on how OpenBSD is helping your company.
OpenBSD 7.7
| 008 | 2025-07-01 RELIABILITY TIOCUCNTL ioctl(2) could crash the kernel if called with a non-file argument. |
| 007 | 2025-07-01 SECURITY Previous fix for X11 server was incomplete. CVE-2025-49176 |
| 006 | 2025-06-17 SECURITY Multiple X11 server issues. CVE-2025-49175 CVE-2025-49176 CVE-2025-49177 CVE-2025-49178 CVE-2025-49179 CVE-2025-49180 |
| 005 | 2025-06-17 RELIABILITY In acme-client(1), handle as yet unobserved "processing" state when fetching an issued certificate by retrying instead of giving up. |
| 004 | 2025-06-17 RELIABILITY When using syncookies in pf(4), new TCP connections could run into timeout due to integer underflow. |
| 003 | 2025-05-10 RELIABILITY Replace incorrect zoneinfo files created by broken zic(8). |
OpenBSD 7.6
| 021 | 2025-07-01 RELIABILITY TIOCUCNTL ioctl(2) could crash the kernel if called with a non-file argument. |
| 020 | 2025-07-01 SECURITY Previous fix for X11 server was incomplete. CVE-2025-49176 |
| 019 | 2025-06-17 SECURITY Multiple X11 server issues. CVE-2025-49175 CVE-2025-49176 CVE-2025-49177 CVE-2025-49178 CVE-2025-49179 CVE-2025-49180 |
| 018 | 2025-06-17 RELIABILITY In acme-client(1), handle as yet unobserved "processing" state when fetching an issued certificate by retrying instead of giving up. |
| 017 | 2025-06-17 RELIABILITY When using syncookies in pf(4), new TCP connections could run into timeout due to integer underflow. |
| 016 | 2025-05-05 SECURITY Kernel of NFS server could crash if nfsd(8) is enabled and an evil NFS request is sent to it. |
Users wishing RSS/RDF summary files of OpenBSD Journal
can retrieve:
Options are available.
Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]