The FreeBSD Project $FreeBSD$ 2000 2001 2002 2003 2004 The FreeBSD Documentation Project The release notes for &os; &release.current; contain a summary of This document lists applicable security advisories that were issued since the last release, as well as significant changes to the &os; kernel and userland. Some brief remarks on upgrading are also presented. This document contains the release notes for &os; &release.current; on the &arch.print; hardware platform. It describes recently added, changed, or deleted features of &os;. It also provides some notes on upgrading from previous versions of &os;. The &release.type; distribution to which these release notes apply represents a point along the &release.branch; development branch between &release.prev; and the future &release.next;. Some pre-built, binary &release.type; distributions along this branch can be found at . ]]> This distribution of &os; &release.current; is a &release.type; distribution. It can be found at or any of its mirrors. More information on obtaining this (or other) &release.type; distributions of &os; can be found in the Obtaining FreeBSD appendix to the FreeBSD Handbook. ]]> Users who are new to the &release.branch; series of &os; &release.type;s should also read the Early Adopters Guide to &os; &release.current;. This document can generally be found in the same location as the release notes (either as a part of a &os; distribution or on the &os; Web site). It contains important information regarding the advantages and disadvantages of using &os; &release.current;, as opposed to releases based on the &os; 4-STABLE development branch. All users are encouraged to consult the release errata before installing &os;. The errata document is updated with late-breaking information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for &os; &release.current; can be found on the &os; Web site. This section describes Typical release note items document recent security advisories issued after &release.prev.historic;, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to &os; between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements. A bug in &man.mksnap.ffs.8; has been fixed; it caused the creation of a filesystem snapshot to reset the flags on the filesystem to their default values. The possible consequences depended on local usage, but could include disabling extended access control lists or enabling the use of setuid executables stored on an untrusted filesystem. This bug also affected the &man.dump.8; -L option, which uses &man.mksnap.ffs.8;. Note that &man.mksnap.ffs.8; is normally only available to the superuser and members of the operator group. For more information, see security advisory FreeBSD-SA-04:01. A bug with the System V Shared Memory interface (specifically the &man.shmat.2; system call) has been fixed. This bug can cause a shared memory segment to reference unallocated kernel memory. In turn, this can permit a local attacker to gain unauthorized access to parts of kernel memory, possibly resulting in disclosure of sensitive information, bypass of access control mechanisms, or privilege escalation. More details can be found in security advisory FreeBSD-SA-04:02. &merged; A programming error in the &man.jail.attach.2; system call has been fixed. This error could allow a process with superuser privileges inside a &man.jail.8; environment to change its root directory to that of a different jail, and thus gain full read and write access to files and directories within the target jail. More information can be found in security advisory FreeBSD-SA-04:03. A potential low-bandwidth denial-of-service attack against the &os; TCP stack has been prevented by limiting the number of out-of-sequence TCP segments that can be held at one time. More details can be found in security advisory FreeBSD-SA-04:04. &merged; A bug in OpenSSL's SSL/TLS ChangeCipherSpec message processing could result in a null pointer dereference, has been fixed. This could allow a remote attacker to crash an OpenSSL-using application and cause a denial-of-service on the system. More details can be found in security advisory FreeBSD-SA-04:05. &merged; A programming error in the handling of some IPv6 socket options within the &man.setsockopt.2; system call has been fixed. This allows a local attacker to cause a system panic, and may allow to gain unauthorized access to parts of kernel memory, possibly resulting in disclosure of sensitive information, bypass of access control mechanisms, or privilege escalation. More details can be found in security advisory FreeBSD-SA-04:06. Two programming errors in CVS have been fixed. They allow a server to overwrite arbitrary files on the client, and a client to read arbitrary files on the server when accessing remote CVS repositories. More details can be found in security advisory FreeBSD-SA-04:07. &merged; The &man.acpi.toshiba.4; driver has been added to use Toshiba's Hardware Control Interface to manipulate certain hardware features on Toshiba laptops. The &man.acpi.toshiba.4; driver now supports video output switching. The &man.acpi.video.4; driver has been added to provide control display switching and backlight brightness using the ACPI Video Extensions. The &man.ctau.4; driver has been added for Cronyx-Tau synchronous serial adapters. This driver was known for a long time as ct in its previous life outside the &os; source tree. &merged; The driver name has changed, but the network interface still has the ct name. &man.devfs.5; path rules now work correctly on directories. The dgb (DigiBoard intelligent serial card) driver has been removed due to breakage. Its replacement is the &man.digi.4; driver, which supports all the hardware of the dgb driver. The &man.getvfsent.3; API has been removed. The loran (Loran-C receiver) driver has been removed due to breakage and lack of maintainership. The raid(4), RAIDframe disk driver from NetBSD has been removed. This is currently non-functional, and would require some amount of work to make it work under the &man.geom.4; API in 5-CURRENT. The sx driver, which supports Specialix I/O8+ and I/O4+ intelligent multiport serial controllers has been added. For the &man.uart.4; device hw.uart.console and hw.uart.dbgport environment variables have been added. They can be used to select a serial console and debug port respectively, as well as the attributes. The &man.ubser.4; device driver has been added to support BWCT console management serial adapters. The ULE scheduler is now the default scheduler in the GENERIC kernel. For the average user, interactivity is reported to be better in many cases. This means less skipping and jerking in interactive applications while the machine is very busy. This will not prevent problems due to overloaded disk subsystems, but it does help with overloaded CPUs. On SMP machines, ULE has per-CPU run queues which allow for CPU affinity, CPU binding, and advanced HyperThreading support, as well as providing a framework for more optimizations in the future. As fine-grained kernel locking continues, the scheduler will be able to make more efficient use of the available parallel resources. The device driver infrastructure (as well as many drivers) have been updated. Among the changes: Many more drivers now use automatically-assigned major numbers (instead of the old static major numbers). Enhanced functions to support cloning of pseudodevices. Several changes to the driver API, including a new d_version field in struct cdevsw. Note that third-party device drivers will require recompiling after this change. The kernel's file descriptor allocation code has been updated, and is now derived from similar code in OpenBSD. On &os;/sparc64, time_t has been changed from a 32-bit value to a 64-bit value. Since this change is not backward-compatible, any programs which were built on an older system using a 32-bit time_t and call system routines for handling time_t values, will have to be recompiled. More detailed information and notice on upgrading from the source can be found in /usr/src/UPDATING.64BTT. It is now possible to compile the &os;/i386 kernel with the Intel C/C++ Compiler (as in the lang/icc port). The entropy device &man.random.4; now supports a hardware random number generator (RNG) in the VIA C3 Nehemiah (Stepping 3 and above) CPU. Several old drivers for ISA cards have been removed, including the asc driver for GI1904-based hand scanners, the ctx driver for CORTEX-I Frame Grabber, the gp driver for National Instruments AT-GPIB and AT-GPIB/TNT boards, the gsc driver for the Genius GS-4500 hand scanner, the le driver for DEC EtherWORKS II and III ethernet controllers, the rdp driver for RealTek RTL 8002-based pocket ethernet adapters, the spigot driver for the Creative Labs Video Spigot video-acquisition board, the stl and stli drivers for Stallion Technologies multiport serial controllers, and the wt driver for Archive/Wangtek cartridge tapes. They are currently non-functional, and would require a considerable amount of work to make them work under the new API in 5-CURRENT. The userland support such as related ioctls and utilities including sasc and sgsc has also been removed. A serial console-capable version of boot0 has been added. It can be written to a disk using &man.boot0cfg.8; and specifying /boot/boot0sio as the argument to the -b option. cdboot now works around a BIOS problem observed on some systems when booting from USB CDROM drives. The &man.arl.4; driver, which supports Aironet Arlan 655 wireless adapters has been added. The &man.dc.4; driver now supports sparc64 Davicom cards that store their MAC address in OpenFirmware. A short hiccup in the &man.em.4; during parameter reconfiguration, has been fixed. &merged; The hea (Efficient Networks, Inc. ENI-155p ATM adapter) driver has been removed due to breakage. Its functionality has been subsumed into the &man.en.4; driver. The lmc (LAN Media Corp. PCI WAN adapter) driver has been removed due to breakage and lack of maintainership. &os; now provides a binary compatibility layer for using µsoft.windows; NDIS drivers for network adapters under &os;/i386. It includes a relocator/linker for &windows; .SYS files to interface with the &os; kernel and emulates various parts of the NDIS API using native &os; kernel functions. This system supports PCI and CardBus network devices, and is designed principally for Ethernet and wireless network interfaces. For more information, see the &man.ndis.4; and &man.ndiscvt.8; manual pages. The &man.ng.atmllc.4; Netgraph node type, which handles RFC 1483 ATM LLC encapsulation, has been added. The &man.ng.hub.4; NetGraph node type, which supports a simple packet distribution that acts like an Ethernet hub has been added. The &man.ng.vlan.4; NetGraph node type, which supports IEEE 802.1Q VLAN tagging has been added. &merged; A bug that prevents VLAN support in the &man.nge.4; driver from working has been fixed. &merged; The &man.pci.4; bus resource and power management have been updated. Although the &man.pci.4; bus power state management has been enabled, it may cause problems on some systems. This can be disabled by setting the tunable hw.pci.do_powerstate to 0. Several bugs related to &man.polling.4; support in the &man.rl.4; driver have been fixed. &merged; Several bugs related to multicast and promiscuous mode handling in the &man.sk.4; driver have been fixed. The &man.ste.4; driver now supports &man.polling.4;. &merged; The &man.udav.4; driver has been added. It provides support for USB Ethernet adapters based on the Davicom DM9601 chipset. The &man.vr.4; driver now supports &man.polling.4;. The hardware TX checksum support in the &man.xl.4; driver has been disabled as it does not work correctly and slows down the transmission rate. &merged; The per-interface &man.polling.4; support has been implemented. All of the network drivers that support &man.polling.4; (&man.dc.4;, &man.fxp.4;, &man.em.4;, &man.nge.4;, &man.re.4;, &man.rl.4;, &man.sis.4;, &man.ste.4;, and &man.vr.4;) now also support this capability and it can be controlled via &man.ifconfig.8;. The &man.gre.4; tunnel driver now supports WCCP version 2. Some bugs in the IPSec implementation from the KAME Project have been fixed. These bugs were related to freeing memory objects before all references to them were removed, and could cause erratic behavior or kernel panics after flushing the Security Policy Database (SPD). The PFIL_HOOKS option is now enabled by default in the GENERIC kernel. The most notable effect of this change is to make IPFilter work correctly when loaded as a kernel module. The following TCP features are now enabled by default: RFC 3042 (Limited Retransmit), RFC 3390 (increased initial congestion window sizes), TCP bandwidth-delay product limiting. More information can be found in &man.tcp.4;. &os;'s TCP implementation now includes support for a minimum MSS (settable via the net.inet.tcp.minmss sysctl variable) and a rate limit on connections that send many small TCP segments within a short period of time (via the net.inet.tcp.minmssoverload sysctl variable). Connections exceeding this limit may be reset and dropped. This feature provides protection against a class of resource exhaustion attacks. The TCP implementation now includes partial (output-only) support for RFC 2385 (TCP-MD5) digest support. This feature, enabled with the TCP_SIGNATURE and FAST_IPSEC kernel options, is a TCP option for authenticating TCP sessions. &man.setkey.8; now includes support for the TCP-MD5 class of security associations. &merged; The &man.ata.4; driver now supports cardbus ATA/SATA controllers. A number of bugs in the &man.ata.4; driver have been fixed. Most notably, master/slave device detection should work better, and some problems with timeouts should be resolved. The &man.ata.4; driver now supports the Promise command sequencer present on all modern Promise controllers (PDC203** PDC206**). This also adds preliminary support for the Promise SX4/SX4000 as a normal Promise ATA controller; ATA RAID's are supported though but only RAID0, RAID1 and RAID0+1. A bug of the automatic density selection code in the &man.fd.4; driver has been fixed. The &man.ips.4; driver now supports the recent Adaptec ServeRAID series SCSI controller cards. A bug in the &man.isp.4; driver which prevents the cards on SBus from working correctly, has been fixed. The &man.twa.4; driver, which supports 3ware's 9000 series PATA/SATA RAID controllers has been added. &merged; The &man.umass.4; driver now supports the missing ATAPI MMC commands and handles the timeout properly. &merged; The EXT2FS file system code now includes partial support for large (> 4GB) files. This support is partial in that it will refuse to create large files on filesystems that have not been upgraded to EXT2_DYN_REV or that do not have the EXT2_FEATURE_RO_COMPAT_LARGE_FILE flag set in the superblock. A bug in GEOM that could result in I/O hangs in some rare cases has been fixed. A new geom_concat class has been added to concatenate multiple disks to appear as a single larger disk. The &man.gconcat.8; utility is used for configurating concatenated disks. A panic in the NFSv4 client has been fixed; this occurred when attempting operations against an NFSv3/NFSv2-only server. The SMBFS client now has support for SMB request signing, which prevents man in the middle attacks and is required in order to connect to Windows 2003 servers in their default configuration. As signing each message imposes a significant performance penalty, this feature is only enabled if the server requires it; this may eventually become an option to &man.mount.smbfs.8;. The meteor (video capture) driver has been removed due to breakage and lack of maintainership. &man.bsdlabel.8; now supports a -f option to work on files instead of disk partitions. The bthidcontrol command and the bthidd command, which support Bluetooth HID (Human Interface Device), have been added. The doscmd utility has been removed from the &os; base system, and has been available in the &os; Ports Collection instead. &man.dump.8; and &man.restore.8; now support a -P option to specify backup methods other than files and tapes. The argument is passed to a normal &man.sh.1; pipeline with either $DUMP_VOLUME or $RESTORE_VOLUME defined in the environment, respectively. For more information, see &man.dump.8; and &man.restore.8;. The &man.fdcontrol.8;, &man.fdformat.1;, and &man.fdread.1; utilities now work on &os;/pc98. The &man.find.1; now supports a option -acl to locate files with &man.acl.3;. &man.indent.1; now supports a -ldi option to control indentation of local variables. A number of other tunings were made to this utility. &man.ifconfig.8; now supports renaming of network interfaces at run-time using the name parameter. &man.ifconfig.8; now prints the &man.polling.4; status on the interface. &merged; &man.ip6fw.8; now supports a -n flag to stop it from making any changes to the rules in the kernel &man.ipcs.1; now supports a -u option to display information about IPC mechanisms owned by the specified user. &man.ipfw.8; now supports a -b flag to print only the action and comment for each rule, thus omitting the rule body. &man.killall.1; now supports a -e flag to make the -u operate on effective, rather than real, user IDs. &merged; &man.libalias.3; now has support (and a new API) for multiple aliasing instances in a single process. The existing API has been reimplemented in terms of the new one to preserve compatibility. A libarchive library for manipulation of compressed and uncompressed archive files has been added. More details can be found in &man.libarchive.3;. libdisk now uses the correct PC98 disk partition value for &os;. This permits the &man.sysinstall.8; disk partition editor to correctly create a single &os; partition covering the entire disk. &merged; libdisk now uses d_addr_t for disk addresses. This allows &man.sysinstall.8; to properly handle disks and filesystems more than 1 TB. The library formerly known as libkse has been renamed libpthread and is now the default threading library on the i386, amd64, and ia64 platforms. GCC's -pthread option has been changed to use libpthread rather than libc_r. Users with older binaries (for example, ports compiled before this change was made) should use &man.libmap.conf.5; to map libc_r and/or libkse to libpthread. Users with NVIDIA-supplied drivers and libraries may need to use a &man.libmap.conf.5; that maps libpthread references to the older libc_r since these drivers and utilities do not work with libpthread. &man.make.1; now supports the new .warning directive. Initial support for UTF-8 versions of all the currently supported system locales has been added. This is primarily for the benefit of the misc/utf8locale port. The &man.logins.1; utility has been added to display information about user and system accounts. &man.mountd.8; now supports the -p option, which allows users to specify a known port for use in firewall rulesets. &man.netstat.1; now displays the multicast group memberships present in the system. &man.newfs.8; and &man.mdmfs.8; now support a -l flag to enable them to set the MAC multilabel flag on new filesystems without requiring the use of &man.tunefs.8;. &man.nologin.8; now reports login attempts via &man.syslogd.8;. &man.nologin.8; has been moved from /sbin/nologin to /usr/sbin/nologin, and /sbin/nologin remains as a symbolic link for backward compatibility. A bugfix has been applied to NSS support, which fixes problems when using third-party NSS modules (such as net/nss_ldap) and groups with large membership lists. The &man.pgrep.1; and &man.pkill.1; commands, which come from NetBSD, have been added. They also support a -M option to extract values associated with the name list from the specified core instead of the default /dev/kmem, and a -N option to extract the name list from the specified system instead of the default kernel. &man.ps.1; compatibility with POSIX/SUSv3 has been improved. The changes include -p for a list of process IDs, -t for a list of terminal names, -A which is equivalent to -ax, -G for a list of group IDs, -X which is the opposite of -x, and some minor improvements. For more information, see &man.ps.1;. &merged; &man.pw.8; now supports a -H option, which accepts an encrypted password on a file descriptor. &merged; The configuration files used by the &man.resolver.3; now support the timeout: and attempts: keywords. The &man.resolver.3; and associated interfaces are now much more reentrant and thread-safe. Multiple DNS lookups can now be run at the same time, showing major improvements in the performance of some multi-threaded applications. Some multi-threaded programs need to be recompiled; examples from the Ports Collection are www/mozilla and variants, mail/evolution, devel/gnomevfs, and devel/gnomevfs2. &man.rmdir.1; now supports a -v flag, which makes it verbose. &man.savecore.8; now works correctly for dump files larger than 2GB. A bug in &man.script.1; has been fixed so that it now works correctly if its stdin is closed. This fix prevents a potentially dangerous interaction with the sysutils/portupgrade package; if it was run non-interactively, it could remove all out-of-date ports without reinstalling them. The &man.sdpd.8; Bluetooth Service Discovery Protocol daemon has been added. Many userland utilities in the base system (mostly GNU contributed utilities) now use the system version of &man.getopt.long.3;, rather than the GNU version. The diskless script has been split out into hostname, resolve, tmp, and var scripts. The gbde_swap script, which supports gbde-enabled swap devices has been added. When the gbde_swap_enable variable is specified in &man.rc.conf.5;, a swap device named /dev/foo.bde in &man.fstab.5; is automatically attached at boot time with the device /dev/foo and a random key, which generated by computing the MD5 checksum of 512 bytes read from /dev/random. Note that this prevents recovery of kernel dumps. The mixer script has been added. It saves the current settings of all audio mixers present in the system on shutdown and restores the settings on boot. The pf and pflog scripts for &man.pf.4; has been added. The ACPI-CA code has been updated from the 20030619 snapshot to the 20040402 snapshot. awk from Bell Labs has been updated from the 29 July 2003 release to the 7 February 2004 release. CVS has been updated from version 1.11.10 to version 1.11.15. gdtoa (a library that performs conversions of numbers between binary and decimal form) has been updated from version 20030324 to version 20040118. GNU grep has been updated from 2.4d to 2.4.2. less has been updated from version 371 to version 381. GNU readline 4.3 has been updated with official patches 001 through 005. The GNU regex library has been updated to the version included with GNU grep 2.4.2. The GNU tar implementation in the base system is now called gtar, with tar being a link to gtar. Heimdal Kerberos has been updated from 0.6 to 0.6.1. libpcap has been updated from version 0.7.1 to version 0.8.3. OpenPAM has been updated from the Dogwood release to the Eelgrass release. OpenSSH has been updated from 3.6.1p1 to 3.8p1. The configuration defaults for &man.sshd.8; have been changed. SSH protocol version 1 is no longer enabled by default. In addition, password authentication over SSH is disabled by default if PAM is enabled. OpenSSL has been updated from 0.9.7c to 0.9.7d. &merged; pf, OpenBSD's packet filter as of OpenBSD 3.4, has been imported into &os; source tree and is now installed by default. A new user proxy, and two new groups authpf and proxy, which pf needs, are added as well. On upgrading from the source, these user accounts must be added in advance. The NO_PF variable in make.conf can be used to prevent pf from building. Several userland utilities of OpenBSD's pf have been imported. libexec/ftp-proxy is an ftp proxy for pf, sbin/pfctl is an equivalent to sbin/ipf, sbin/pflogd is a daemon logging packets via if_pflog in pcap format, and usr.sbin/authpf is an authentication shell to modify pf rulesets. routed has been updated from release 2.22 to release 2.27 from rhyolite.com. Note that for users relying on RIP's MD5 authentication feature, &man.routed.8; routed is now incompatible with previous versions of &os;; however it is now compatible with implementations from Sun, Cisco and other vendors. sendmail has been updated from version 8.12.10 to version 8.12.11. &merged; tcpdump has been updated from version 3.7.1 to version 3.8.3. The SIZE attribute for distfiles, which can be used for checking file sizes before fetching, has been added and enabled by default. DISABLE_SIZE is a user control knob to disable the distfile size checking. This is especially useful on old &os; versions which did not have &man.fetch.1; support for this, and for some FTP proxies which always report incorrect or bogus sizes. Two new files have been added to the ports tree to track note-worthy changes: ports/CHANGES lists major changes to the Ports Collection and its infrastructure. ports/UPDATING describes some potential pitfalls that can be encountered when updating certain ports, analogous to src/UPDATING for the base system. The building process for boot floppy images has been completely overhauled. The most significant change is that the loader now boots a stock GENERIC kernel split across multiple disks (two at the time of this writing). This greatly improves installations that begin with a boot from floppy disk, because they now use exactly the same kernel (and thus support the same hardware) as CDROM installations. The stripped-down MFSROOT kernel is no longer needed, and the mfsroot image no longer requires kernel modules. The boot.flp and driver.flp images are also obsolete and no longer built. The supported release of GNOME has been updated from 2.4 to 2.6. If you are using the older GNOME desktop itself (x11/gnome2), simply upgrading it from the &os; Ports Collection with &man.portupgrade.1; (sysutils/portupgrade) will cause serious problems. If you are a GNOME desktop user, please read the instructions carefully at , and use the gnome_upgrade.sh script to properly upgrade to GNOME 2.6. Note that if you are just a casual user of some of the GNOME libraries, &man.portupgrade.1; should be sufficient to update your ports. The supported release of KDE has been updated from 3.1.4 to 3.2.1. Users with existing &os; systems are highly encouraged to read the Early Adopter's Guide to &os; &release.current;. This document generally has the filename EARLY.TXT on the distribution media, or any other place that the release notes can be found. It offers some notes on upgrading, but more importantly, also discusses some of the relative merits of upgrading to &os; 5.X versus running &os; 4.X. Upgrading &os; should, of course, only be attempted after backing up all data and configuration files.