OpenBSD 7.4 release. Important updates, improvements and changes

Six months after the release of OpenBSD 7.3, the next release, OpenBSD 7.4, has been presented. The installation ISO image of the OpenBSD 7.4 base system is only 630 MB. Let's see what has been changed, added or removed.



Major updates


The number of ports has increased for the AMD64 architecture and others: AMD64 has 11845 (was 11764), aarch64 has 11508 (was 11561), and i386 has 10603 (was 10572). Among the application versions in the ports:

  • Asterisk 16.30.1, 18.19.0b, 20.4.0
  • Audacity 3.3.3
  • CMake 3.27.5
  • Chromium 117.0.5938.149
  • Emacs 29.1
  • FFmpeg 4.4.4
  • GCC 8.4.0 and 11.2.0
  • GHC 9.2.7
  • GNOME 44
  • Go 1.21.1
  • JDK 8u382, 11.0.20 and 17.0.8
  • KDE Applications 23.08.0
  • KDE Frameworks 5.110.0
  • Krita 5.1.5
  • LLVM/Clang 13.0.0 and 16.0.6
  • LibreOffice 7.6.2.1
  • Lua 5.1.5, 5.2.4, 5.3.6 and 5.4.6
  • MariaDB 10.9.6
  • Mono 6.12.0.199
  • Mozilla Firefox 118.0.1 and ESR 115.3.1
  • Mozilla Thunderbird 115.3.1
  • Mutt 2.2.12 and NeoMutt 20230517
  • Node.js 18.18.0
  • OpenLDAP 2.6.6
  • PHP 7.4.33, 8.0.30, 8.1.24 and 8.2.11
  • Postfix 3.7.3
  • PostgreSQL 15.4
  • Python 2.7.18, 3.9.18, 3.10.13 and 3.11.5
  • Qt 5.15.10 and 6.5.2
  • R 4.2.3
  • Ruby 3.0.6, 3.1.4 and 3.2.2
  • Rust 1.72.1
  • SQLite 3.42.0
  • Shotcut 23.07.29
  • Sudo 1.9.14.2
  • Suricata 6.0.12
  • Tcl/Tk 8.5.19 and 8.6.13
  • TeX Live 2022
  • Vim 9.0.1897 and Neovim 0.9.1
  • Xfce 4.18

In addition, many third-party components have been updated. Among the updated ones it is worth mentioning:

  • Xenocara graphics stack based on X.Org 7.7 with xserver 21.1.8 + patches, freetype 2.13.0, fontconfig 2.14.2, Mesa 22.3.7, xterm 378, xkeyboard-config 2.20, fonttosfnt 1.2.2.
  • LLVM/Clang 13.0.0 (+ patches)
  • GCC 4.2.1 (+ patches) and 3.3.6 (+ patches)
  • Perl 5.36.1 (+ patches)
  • NSD 4.7.0
  • Unbound 1.18
  • Ncurses 5.7
  • Binutils 2.17 (+ patches)
  • Gdb 6.3 (+ patch)
  • Awk 12.9.2023
  • Expat 2.5.0.

  • As for other improvements, components for updating the microcode of AMD chips are now available for the amd64 and i386 architectures. The microcode is installed automatically when it is downloaded; installation uses the standard fw_update utility.
  • There are also changes for the arm64 architecture: Pointer Authentication is now enabled by default to protect user space. The technology uses specialized ARM64 instructions to verify return addresses with digital signatures that are stored in the unused upper bits of the pointer itself.
  • Accordingly, the settings of the system clang compiler, as well as of clang and gcc from the ports, have been changed. This improves the protection of core applications against exploits that rely on return-oriented programming (ROP). In this technique the attacker does not place code in memory but uses fragments of machine instructions that are already present in the loaded libraries; the exploit builds a chain of calls to such fragments to obtain the functionality it needs.
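A simplified model of the return-address signing described above, added here as an example and not OpenBSD, compiler or hardware code. The 16-bit code width, the `mix` stand-in for the hardware cipher, and all function names and sample values are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified layout: low 48 bits hold the address, upper 16 bits the code. */
#define ADDR_MASK 0x0000FFFFFFFFFFFFULL
#define PAC_SHIFT 48

/* Stand-in keyed mixer (splitmix64 finalizer); hardware uses a real cipher. */
static uint64_t mix(uint64_t x) {
    x ^= x >> 30; x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 27; x *= 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}

/* Code over (address, stack pointer) under a key user space cannot read. */
static uint64_t pac_compute(uint64_t addr, uint64_t sp, uint64_t key) {
    return mix(mix(addr ^ key) ^ sp) >> PAC_SHIFT;
}

/* Prologue: sign the return address before it is spilled to the stack. */
uint64_t pac_sign(uint64_t ret, uint64_t sp, uint64_t key) {
    ret &= ADDR_MASK;
    return ret | (pac_compute(ret, sp, key) << PAC_SHIFT);
}

/* Epilogue: return 1 and the bare address only if the code still matches. */
int pac_auth(uint64_t signed_ret, uint64_t sp, uint64_t key, uint64_t *out) {
    uint64_t addr = signed_ret & ADDR_MASK;
    if ((signed_ret >> PAC_SHIFT) != pac_compute(addr, sp, key))
        return 0;               /* on hardware the failed check ends in a fault */
    *out = addr;
    return 1;
}

/* Model memory corruption: address bits replaced, stale code left in place. */
uint64_t corrupt_address(uint64_t signed_ret, uint64_t new_addr) {
    return (signed_ret & ~ADDR_MASK) | (new_addr & ADDR_MASK);
}

int main(void) {
    /* Constructed sample values, not taken from a real process. */
    uint64_t key = 0x0123456789ABCDEFULL, sp = 0x7FFFFFE000ULL, out = 0;
    uint64_t saved = pac_sign(0x4005D0ULL, sp, key);
    printf("intact:    %d\n", pac_auth(saved, sp, key, &out));
    printf("corrupted: %d\n",
           pac_auth(corrupt_address(saved, 0x4011A0ULL), sp, key, &out));
    return 0;
}
```

Because the stack pointer is part of the signed context, a signed return address copied to a different stack frame fails the check as well.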

  • For the amd64 and i386 architectures, support for the dt pseudo-device has been implemented, which provides dynamic tracing of the system and applications. The utrace system call has been added to insert user entries into the ktrace log.
  • Fixes from FreeBSD that address undefined behavior when using MS-DOS file systems have also been ported.
  • On the ARM64 architecture, the deep idle states available in Apple M1/M2 chips are now used to save power and implement standby mode.
  • Another security innovation is the addition of a workaround for the Zenbleed vulnerability in AMD processors.
  • Support for multiprocessor systems has also been optimized. In particular, the arprequest() function, the code for processing incoming ARP packets, and the implementation of neighbor detection in the IPv6 stack are now free of locks.
  • The make utility now supports the ${.VARIABLES} variable, which displays the names of all set global variables.
  • Support for random offsets has been added to cron and crontab when specifying ranges of values with a given step, which makes it possible to avoid simultaneous requests for a resource from different machines that have the same rules in cron. For example, specifying “0~59/30” or “~/30” in the minute field will cause the command to run twice per hour, at consecutive intervals starting from a random offset.
  • It is also worth mentioning support for loading files from the EFI System Partition.
  • Installer support for software RAID (softraid) has also been improved: the root partition can now be placed in softraid on riscv64 and arm64 systems, and softraid has been added to the ramdisk for the powerpc64 architecture. For arm64, support for Guided Disk Encryption has been implemented.
  • The shutdown command now requires the user to be added to the “_shutdown” group, which allows for the separation of shutdown and direct disk read permissions.
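An added sketch of the random-offset-with-step behaviour described above for cron, not code from OpenBSD's cron. It assumes each host draws one offset below the step and then fires every step minutes; the function names, the host-fleet simulation and the sample values are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Parse "[low]~[high]/step"; an omitted bound falls back to the field limit. */
int parse_random_step(const char *s, int lo_def, int hi_def,
                      int *low, int *high, int *step) {
    char *end;
    *low = lo_def; *high = hi_def;
    if (*s != '~') { *low = (int)strtol(s, &end, 10); if (end == s) return -1; s = end; }
    if (*s++ != '~') return -1;
    if (*s != '/') { *high = (int)strtol(s, &end, 10); if (end == s) return -1; s = end; }
    if (*s++ != '/') return -1;
    *step = (int)strtol(s, &end, 10);
    if (end == s || *end != '\0' || *step <= 0) return -1;
    return (*low >= lo_def && *high <= hi_def && *low <= *high) ? 0 : -1;
}

/* Values matched on one host once its offset (0 <= offset < step) is fixed. */
int expand_random_step(int low, int high, int step, int offset, int *out, int cap) {
    int n = 0;
    if (step <= 0 || offset < 0 || offset >= step || low > high) return -1;
    for (int v = low + offset; v <= high && n < cap; v += step)
        out[n++] = v;
    return n;
}

/* Largest number of hosts firing in the same minute when every host loads the
 * same minute field. A fixed 30-minute step from minute 0 would put all of
 * them on minutes 0 and 30. */
int busiest_minute(const char *field, int hosts, unsigned seed) {
    int low, high, step, mins[60], hits[60] = {0}, peak = 0;
    if (parse_random_step(field, 0, 59, &low, &high, &step) != 0) return -1;
    srand(seed);                 /* stand-in for the system's random source */
    for (int h = 0; h < hosts; h++) {
        int n = expand_random_step(low, high, step, rand() % step, mins, 60);
        for (int i = 0; i < n; i++)
            if (++hits[mins[i]] > peak) peak = hits[mins[i]];
    }
    return peak;
}

int main(void) {
    int mins[60];
    int n = expand_random_step(0, 59, 30, 17, mins, 60);  /* constructed offset */
    for (int i = 0; i < n; i++) printf("minute %d\n", mins[i]);
    printf("peak hosts per minute (600 hosts): %d\n", busiest_minute("~/30", 600, 1));
    return 0;
}
```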

Other updates can be found on the OpenBSD 7.4 page. If you have already tried the distribution, write how you like it: are there any problems, or is everything running smoothly and well like never before?
