The OpenBSD project has shipped OpenBSD 7.9, the latest six-month cadence release of the security-focused UNIX-like operating system that has spent three decades cultivating a reputation built on careful code review and a default install with only two known remote holes in its entire history.

This cycle brings LibreSSL 4.3.0, scheduler refinements, and a long list of fixes for the bundled tmux terminal multiplexer. The headline security work, unsurprisingly, lands in OpenSSH. Florian Kohnhäuser reported that ssh(1) validated shell metacharacters in command-line usernames too late, which meant configurations expanding %u tokens inside a Match exec block could potentially execute arbitrary shell commands when fed crafted input. A separate sshd(8) fix corrected a faulty algorithm that could allow inappropriate matches when an authorized_keys principals= entry was checked against a certificate principal containing a comma. The OpenBSD developers continue to caution against exposing ssh command lines directly to untrusted input, noting that no mitigation can be absolute given the variety of shells in the wild.
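To find client configurations of the kind described above, the following added example (not code from OpenBSD or OpenSSH) scans ssh_config text for Match lines whose exec criterion expands a %u token. The function names, the simplified line parser (no Include following), and the sample configuration are assumptions made for illustration.

```python
import shlex

# Constructed sample ssh_config for illustration; not from any real system.
SAMPLE_CONFIG = '''\
# constructed example
Match host *.example.org exec "/usr/local/bin/check-user %u"
    ProxyJump bastion

match exec "echo 100%%u >/dev/null"
    Compression yes

Match exec "/usr/bin/true" user alice
    ForwardAgent no
'''

NO_ARG_CRITERIA = {"all", "canonical", "final"}  # Match criteria that take no argument

def exec_commands(words):
    """Yield the command of each exec criterion from the words after 'Match'."""
    i = 0
    while i < len(words):
        attr = words[i].lstrip("!").lower()  # a leading '!' negates the criterion
        if attr == "exec" and i + 1 < len(words):
            yield words[i + 1]
        i += 1 if attr in NO_ARG_CRITERIA else 2

def expands_token(command, token="%u"):
    """True if token is expanded in command; '%%' is a literal percent sign."""
    return token in command.replace("%%", "")

def audit(config_text):
    """Return (line number, command) for each Match exec that expands %u."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            words = shlex.split(line)  # handles double-quoted arguments
        except ValueError:  # unbalanced quotes: skipped by this simplified parser
            continue
        if words and words[0].lower() == "match":
            findings += [(lineno, c) for c in exec_commands(words[1:]) if expands_token(c)]
    return findings

if __name__ == "__main__":
    for lineno, command in audit(SAMPLE_CONFIG):
        print(f"line {lineno}: Match exec expands %u: {command}")
```

A hit is a prompt to review where the username on that ssh command line comes from, not proof of exposure.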

OpenBSD 7.9 also continues the project's slow march onto modern ARM hardware after 7.8 added Raspberry Pi 5 support. The full breakdown of kernel, userland, and ports work lives in the changelog, and amd64 installation media is available as a 762 MB ISO and an 801 MB raw image from the project's mirrors. OpenSSH and LibreSSL, both developed inside the OpenBSD tree, will filter out to Linux distributions and other downstream consumers over the coming weeks.