OpenBSD is a free, multi-platform 4.4BSD-based UNIX-like operating system. The 57th release, OpenBSD 7.6, comes with new features, various improvements, bug fixes, and tweaks.

Security improvements

Added -fret-clean option to the compiler, defaulting to off. This new option causes the caller to clean the return address off the stack after a call completes. The -fret-clean option was then enabled on amd64 for libc, libcrypto, ld.so, kernel, and all the ssh tools.

Expose branch target identification (BTI) to userland and make LLVM generate code with BTI instructions.

Enabled PAC in addition to BTI on arm64 such that JIT code matches the default branch protection provided by our base compiler.

Limit NFS connections to originate from a reserved port, but permit null requests (aka server pings) from non-reserved ports in nfs.

Made local ports bound during connect(2) unique per laddr rather than globally unique.

Enforced the pinsyscalls(2) rules on non-static/ld.so/libc.so text segments.

Added pledge and unveil to rpcinfo(8).

Added AUDIO_GETDEV ioctl to "audio" pledge(2).

Changes were made to the pf(4) firewall

Added display of pf(4) fragment reassembly counters to pfctl(8) and systat(1).

Fixed pfsync(4) TCP-state not being updated for destination connection peer and reduced excessive pfsync traffic.

Allow users to define tables inside an anchor in the same way they can define global tables in pf.conf(5). Previously this required a separate pfctl -a foo -t bar invocation.

New features in the network stack

Made PPP interfaces run in an rdomain(4) and install a default route in the same routing domain.

Introduced rport(4) for point-to-point layer 3 connectivity between routing domains. Similar to pair(4) but more efficient as it does not add Ethernet headers.

Implemented IPsec-only IPv6 forwarding (sysctl net.inet6.ip6.forwarding = 2), the equivalent of net.inet.ip.forwarding = 2 for IPv4.

Added BIOCSETFNR to bpf(4), like BIOCSETF without resetting the buffer or stats.

Implemented SO_ACCEPTCONN in getsockopt(2) which can be used to check if listen(2) was called and the socket is accepting connections.
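One use of the SO_ACCEPTCONN query described above, as an added example that is not taken from the OpenBSD release notes or source tree: a daemon checks that a descriptor it was handed is really a listening socket before calling accept(2) on it. The helper names fd_is_listening and make_loopback_socket are hypothetical, and the sockets are constructed test input.

```c
/* Added example; helper names are hypothetical, not OpenBSD code. */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* 1: fd is a listening socket; 0: a socket, but listen(2) was never
 * called; -1: query failed (EBADF, ENOTSOCK, ...). */
int fd_is_listening(int fd)
{
	int val = 0;
	socklen_t len = sizeof(val);
	if (getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &val, &len) == -1)
		return -1;
	return val != 0;
}

/* Constructed test input: TCP socket bound to an ephemeral loopback
 * port, optionally put into the listening state. */
int make_loopback_socket(int do_listen)
{
	struct sockaddr_in sin;
	int fd = socket(AF_INET, SOCK_STREAM, 0);
	if (fd == -1)
		return -1;
	memset(&sin, 0, sizeof(sin));
	sin.sin_family = AF_INET;
	sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) == -1 ||
	    (do_listen && listen(fd, 5) == -1)) {
		close(fd);
		return -1;
	}
	return fd;
}

int main(void)
{
	int idle = make_loopback_socket(0), srv = make_loopback_socket(1);
	printf("bound only: %d\n", fd_is_listening(idle));
	printf("listening:  %d\n", fd_is_listening(srv));
	printf("bad fd:     %d\n", fd_is_listening(-1));
	close(idle);
	close(srv);
	return 0;
}
```

Treating the -1 and 0 results as distinct lets a caller tell a wrong descriptor type apart from a socket that was bound but never put into the listening state.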

Various new userland features

Added scandirat(3) from FreeBSD.

Added elf_aux_info(3), designed to let userland peek at AT_HWCAP and AT_HWCAP2, using an interface from FreeBSD.

Added the missing function wcsnlen(3) to find the length of a wide string (i.e. wcslen(3) with a max len argument).

Imported libva 2.22.0, an implementation for VA-API (video acceleration API). VA-API provides access to graphics hardware acceleration capabilities for video processing.

Added the option "-u name" to env(1) to remove a variable from the environment.

OpenBSD 7.6 is available for download here. See here for a complete list of changes and additions.