The FreeBSD Project $FreeBSD$ 2000 2001 2002 2003 The FreeBSD Documentation Project The release notes for &os; &release.current; contain a summary of Both changes for kernel and userland are listed, as well as applicable security advisories that were issued since the last release. Some brief remarks on upgrading are also presented. This document contains the release notes for &os; &release.current; on the &arch.print; hardware platform. It describes recently added, changed, or deleted features of &os;. It also provides some notes on upgrading from previous versions of &os;. The &release.type; distribution to which these release notes apply represents a point along the &release.branch; development branch between &release.prev; and the future &release.next;. Some pre-built, binary &release.type; distributions along this branch can be found at . ]]> This distribution of &os; &release.current; is a &release.type; distribution. It can be found at or any of its mirrors. More information on obtaining this (or other) &release.type; distributions of &os; can be found in the Obtaining FreeBSD appendix to the FreeBSD Handbook. ]]> This section describes Typical release note items document new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. Applicable security advisories issued after &release.prev.historic; are also listed. Many additional changes were made to &os; that are not listed here for lack of space. For example, documentation was corrected and improved, minor bugs were fixed, insecure coding practices were audited and corrected, and source code was cleaned up. A remotely exploitable vulnerability in CVS has been corrected with the import of version 1.11.5. More details can be found in security advisory FreeBSD-SA-03:01. &merged; A timing-based attack on OpenSSL, which could allow a very powerful attacker access to plaintext under certain circumstances, has been prevented via an upgrade to OpenSSL 0.9.7. See security advisory FreeBSD-SA-03:02 for more details. &merged; The security and performance of the syncookies feature has been improved to decrease the chance of an attacker being able to spoof connections. More details are given in security advisory FreeBSD-SA-03:03. &merged; Remotely-exploitable buffer overflow vulnerabilities in sendmail have been fixed by updating sendmail. For more details, see security advisory FreeBSD-SA-03:04 and FreeBSD-SA-03:07. &merged; A bounds-checking bug in the XDR implementation, which could allow a remote attacker to cause a denial-of-service, has been fixed. For more details see security advisory FreeBSD-SA-03:05. &merged; Two recently-publicized flaws in OpenSSL have been corrected. For more details, see security advisory FreeBSD-SA-03:06. &merged; Support for the CanBe power management controller has been added. &merged; &man.devfs.5; is now mandatory; the NODEVFS option has been removed from the set of possible kernel configuration options. The DRM kernel modules have been updated to a snapshot from the DRI CVS repository, roughly equivalent to XFree86 4.3.0 but also including some additional bug fixes. An ehci driver has been added; it supports the USB Enhanced Host Controller Interface used by USB 2.0 controllers. A minor bug in the permissions handling of /dev/tty has been fixed. As a result, &man.ssh.1; can now be used after &man.su.1;. A bug that caused &man.fstat.2; to return 0 as the number of bytes available to read from a TCP socket has been fixed. A bug that caused &man.kqueue.2; to report 0 as the number of bytes available to read from a TCP socket has been fixed. The NOTE_LOWAT flag for EVFILT_READ has been fixed. Linux emulation mode now supports IPv6. &man.madvise.2; now supports a MADV_PROTECT behavior, which informs the virtual memory system that a process is critical and should not be killed when swap space has been exhausted. The process must be owned by the superuser. A second process scheduler, designed to be a general purpose scheduler with many SMP benefits, has been added to the scheduler framework. Exactly one scheduler must be specified in a kernel configuration. The original scheduler may be selected using options SCHED_4BSD. The newer (experimental) scheduler can be selected by using options SCHED_ULE. Device major numbers are now allocated dynamically by default. This change greatly decreases the need for a static, centralized table of major number assignments to device drivers (a few drivers retain their old static major numbers for compatibility), and also reduces the possibility of running out of device major numbers. A partial lazy switch mechanism for in-kernel threads has been implemented; it is designed to reduce the overhead of short context switches (such as for interrupt handlers) that do not involve another process. This feature can be enabled with options LAZY_SWITCH. SMP kernels now have rudimentary support for HyperThreading (HTT). The scheduler treats the logical CPUs as if they were additional physical CPUs. This can actually cause suboptimal performance in some cases due to contention for resources. Therefore, logical CPUs are halted by default at startup. They can be enabled with the machdep.hlt_logical_cpus sysctl variable. It is also possible to halt any CPU in the idle loop with the machdep.hlt_cpus sysctl variable. The &man.smp.4; manual page has more details. Some other versions of &os;, including early 5.0-CURRENT snapshots and 4.8-RELEASE, used options HTT to enable HyperThreading support at kernel configuration time. This option is no longer necessary. Support for the Physical Address Extensions (PAE) capability on Intel Pentium Pro and higher processors has been added. This allows the use of up to 64GB of RAM in a machine, although the amount of memory usable by any single process (or the &os; kernel) is unchanged. For more information, see the &man.pae.4; manual page. Work on this feature was sponsored by DARPA and Network Associates Laboratories. A new &man.vpd.4; driver has been added to read hardware information from the Vital Product Data structure on IBM ThinkPad machines. The alpha boot loader (boot1) can now be called boot for consistency with other platforms. The two parts of the boot loader (boot1 and boot2) have been combined into a single boot file, to simplify programs that need to write or otherwise manipulate the boot loader. The PC98 bootloader now has support for booting from SCSI MO media. &merged; The /modules directory (once the default location for modules on &os; 4.X) is no longer a part of the default kern.module_path. Third-party modules should be placed in /boot/modules. Modules designed for use with &os; 4.X are likely to panic and should be used with extreme caution. A new &man.axe.4; network driver has been added. It provides support for USB Ethernet adapters based on the ASIX Electronics AX88172 USB 2.0 chipset. The cm driver now supports IPX. &merged; The &man.sbsh.4; driver for the Granch SBNI16 SHDSL modem has been added. &merged; A new &man.wlan.4; module provides 802.11 link-layer support. The &man.wi.4; driver now uses this facility. A timing bug in the &man.xl.4; driver, which could cause a kernel panic (or other problems) when configuring an interface, has been fixed. &man.ipfw.4; skipto rules can once again be used with the log keyword. &man.ipfw.4; uid rules are once again working. It is now possible to build the FAST_IPSEC and INET6 options into the same kernel. (They still cannot be used together, however.) A bug in TCP NewReno, which caused premature exit from fast recovery when NewReno was enabled, has been fixed. &merged; TCP now has support for the Limited Transmit mechanism proposed by RFC 3042. This feature is intended to improve the effectiveness of TCP loss recovery in certain circumstances. It is off by default but can be enabled with the net.inet.tcp.rfc3042 sysctl variable. More information can be found in &man.tcp.4;. TCP now has support for increased initial congestion window sizes as described in RFC 3390. This feature can improve the throughput of short transfers, as well as high-bandwidth, large propagation-delay connections. It is off by default but can be enabled with the net.inet.tcp.rfc3390 sysctl variable. More information can be found in &man.tcp.4;. The IP fragment reassembly code behaves more gracefully when receiving a large number of packet fragments (it is designed to be more resistant to fragment-based denial of service attacks). &merged; TCP connections in the TIME_WAIT state now use a special protocol control block that uses less space than a full-blown TCP PCB. This allows some of the data structures and resources used by such a connection to be freed earlier. It is now possible to specify the range of privileged ports (TCP and UDP ports that require superuser access to &man.bind.2; to). The range is now specified with the net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh sysctl variables, defaulting to the traditional UNIX behavior. This feature is intended to help network servers bind to traditionally privileged ports without requiring superuser access. &man.ip.4; has more details. Some bugs in the non-blocking RPC code has been fixed. As a result, &man.amd.8; users are now able to mount volumes from a &release.current; server. Support for XNS networking, which has not worked correctly for almost seven years, has been removed. The &man.aac.4; driver now runs free of the Giant kernel lock. This change has given a nearly 20% performance speedup on an SMP system running multiple I/O intensive loads. The &man.ata.4; driver now supports all known SiS chipsets. (More details can be found in the Hardware Notes.) A number of changes have been made to the &man.cd.4; driver. The primary user-visible change is improved compatibility with ATAPI/USB/Firewire CDROM drives. &man.geom.4; is now mandatory; the NO_GEOM has been removed from the set of kernel configuration options. A bug in the &man.mly.4; driver that caused hangs has been corrected. Support has been added for volume labels on UFS and UFS2 filesystems. These labels are strings that can be used to identify a volume, regardless of what device it appears on. Labels can be set with the -L options to &man.newfs.8; or &man.tunefs.8;. With the GEOM_VOL module, volumes can be accessed using their labels under /dev/vol. The root filesystem can now be located on a &man.vinum.4; volume. More information can be found in the &man.vinum.4; manual page. The wfd and wst drivers, which have been broken for some time, have been removed. A new DIRECTIO kernel option enables support for read operations that bypass the buffer cache and put data directly into a userland buffer. This feature requires that the O_DIRECT flag is set on the file descriptor and that both the offset and length for the read operation are multiples of the physical media sector size. &merged; NETNCP and Netware Filesystem Support (nwfs) are once again working. Bugs that could cause the unmounting of a smbfs share to fail or cause a kernel panic have been fixed. The atspeaker.ko and pcspeaker.ko modules for the &man.speaker.4; device have been renamed speaker.ko. &man.adduser.8; now correctly handles setting user passwords containing special shell characters. &man.adduser.8; now supports a -g option to set a user's default login group. The compat4x distribution now includes the libcrypto.so.2, libgmp.so.3, and libssl.so.2 libraries from &os; 4.7-RELEASE. &man.chgrp.1 and &man.chown.8 now, when the owner/group is modified, print the old and new uid/gid if the -v option is specified more than once. &man.config.8; now implements a nodevice kernel configuration file directive that cancels the effect of a device directive. The new nooption and nomakeoption directives cancel prior options and makeoptions directives, respectively. The &man.diskinfo.8; utility has been added to show information about a disk device and optionally to run a naive performance test. The -N and -W flags to &man.disklabel.8; have been retired. &man.disklabel.8; is now only built for architectures where it is useful (i386, pc98, alpha, and ia64). The -s to &man.disklabel.8; has been removed because the i386 boot loader now resides in a single file. &man.dump.8; now supports caching of disk blocks with the -C option. This can improve dump performance at the cost of possibly missing filesystem updates that occur between passes. &man.dumpfs.8; now supports a -m flag to print file system parameters in the form of a &man.newfs.8; command. &man.elfdump.1;, a utility to display information about &man.elf.5; format executable files, has been added. &man.fetch.1; uses the .netrc support in &man.fetch.3; and also supports a -N to specify an alternate .netrc file. &man.fetch.3; now has support for .netrc files (see &man.ftp.1; for more details). &man.ftpd.8; now supports a -h option to disable printing any host-specific information, such as the &man.ftpd.8; version or hostname, in server messages. &merged; &man.ftpd.8; now supports a -P option to specify a port on which to listen in daemon mode. The default data port number is now set to be one less than the control port number, rather than being hard-coded. &merged; &man.ftpd.8; now supports an extended format of the /etc/ftpchroot file. Please refer to the &man.ftpchroot.5; manpage, which is now available, for details. &merged; &man.ftpd.8; now supports login directory pathnames that specify simultaneously a directory for &man.chroot.2; and that to change to in the chrooted environment. The /./ separator is used for this purpose, like in other FTP daemons having this feature. It may be used in both &man.ftpchroot.5; and &man.passwd.5;. &merged; &man.fwcontrol.8; now supports -R and -S options for receiving and sending DV streams. &merged; The &man.gstat.8; utility has been added to show the disk activity inside the &man.geom.4; subsystem. &man.ipfw.8; now supports enable and disable commands to control various aspects of the operation of &man.ipfw.4; (including enabling and disabling the firewall itself). These provide a more convenient and visible interface than the existing sysctl variables. &merged; &man.jail.8; now supports a -i flag to output an identifier for a newly-created jail. The &man.jexec.8; utility has been added to execute a command inside an existing jail. The &man.jls.8; utility has been added to list existing jails. &man.kenv.1; has been moved from /usr/bin to /bin to make it available at times during system startup when only the root filesystem is mounted. &man.killall.1; now supports a -j option to kill all processes inside a jail. The &man.libgeom.3; library has been added to allow some userland access to the &man.geom.4; subsystem. The mac_portacl MAC policy module has been added. It provides a simple ACL mechanism to permit users and groups to bind ports for TCP or UDP, and is intended to be used in conjunction with the recently-added net.inet.ip.portrange.reservedhigh sysctl. The MAKEDEV script is now unnecessary, due to the mandatory presence of &man.devfs.5;, and has been removed. &man.mixer.8; can now implement relative volume adjustments. The &man.mksnap.ffs.8; program has been added to allow easier creation of FFS snapshots. It is a SUID-root executable designed for use by members of the operator group. &man.mount.8; and &man.umount.8; now accept a -F option to specify an alternate &man.fstab.5; file. &man.mount.nfs.8; now supports a -c flag to avoid doing a &man.connect.2; for UDP mount points. This option must be used if the server does not reply to requests from the standard NFS port number 2049 or if it replies to requests using a different IP address (which can occur if the server is multi-homed). Setting the vfs.nfs.nfs_ip_paranoia sysctl to 0 will make this option the default. &merged; &man.mount.nfs.8; now supports the noinet4 and noinet6 mount options to prevent NFS mounts from using IPv4 or IPv6 respectively. &man.newfs.8; will now create UFS2 file systems by default, unless UFS1 is specifically requested with the -O1. &man.newsyslog.8; now supports a W flag to force previously-started compression jobs for an entry (or group of entries specified with the G flag) to finish before beginning a new one. This feature is designed to prevent system overloads caused by starting several compression jobs on big files simultaneously. &merged; &man.nsdispatch.3; is now thread-safe and implements support for Name Service Switch (NSS) modules. NSS modules may be statically built into libc or dynamically loaded via &man.dlopen.3;. They are loaded/initialized at configuration time (i.e. when &man.nsdispatch.3; is called and &man.nsswitch.conf.5; is read or re-read). A new &man.pam.chroot.8; module has been added, which does a &man.chroot.2; operation for users into either a predetermined directory or one derived from their home directory. &man.pam.ssh.8; has been rewritten. One side effect of the rewrite is that it now starts a separate instance of &man.ssh-agent.1; for each session instead of trying to connect each session to the agent started by the first session. &man.ping.8; now supports a -D flag to set the Don't Fragment bit on outgoing packets. &man.ping.8; now supports a -M option to use ICMP mask request or timestamp request messages instead of ICMP echo requests. &man.ping.8; now supports a -z flag to set the Type of Service bits in outgoing packets. &man.pw.8; can now add a user whose name ends with a $ character; this change is intended to help administration of Samba services. &merged; A bug in &man.rand.3; that could cause a sequence to remain stuck at 0 has been fixed. (&man.rand.3; remains unsuitable for all but trivial uses.) &man.rtld.1; now has support for the dynamic mapping of shared object dependencies. More information can be found in &man.libmap.conf.5;. This is an optional feature, disabled by default. &man.sem.open.3; now correctly handles multiple opens of the same semaphore; as a result, &man.sem.close.3; no longer crashes calling programs. The seeding algorithm used by &man.srandom.3; has been strengthened. The sunlabel utility, a program analogous to &man.disklabel.8; that works on Sun disk labels, has been added. &man.sysinstall.8; will now select UFS2 as the default layout for new file systems unless specifically requested in the disk labeler. The &man.swapoff.8; command has been added to disable paging and swapping on a device. A related &man.swapctl.8; command has been added to provide an interface to &man.swapon.8; and &man.swapoff.8; similar to other BSDs. The &man.swapoff.8; feature should be considered experimental. &man.syslogd.8; now allows multiple hosts or programs to be named in host or program specifications in &man.syslog.conf.5; files. &man.systat.1; now includes an -ifstat display mode that displays the network traffic going through active interfaces on the system. The &man.usbhidaction.1; command has been added; it performs actions according to its configuration in response to USB HID controls. &man.uudecode.1; and &man.b64decode.1; now support a -r flag for decoding raw (or broken) files that may be missing the initial and possibly final framing lines. &merged; &man.vmstat.8; has re-implemented the -f flag, which displays statistics on fork operations. &man.xargs.1; now supports a -P option to execute multiple copies of the same utility in parallel. &man.xargs.1; now supports a -o flag to reopen /dev/tty for the child process before executing the command. This is useful when the child process is an interactive application. A 1:1 threading package (where for every pthread in an application there is one KSE and thread) has been implemented. Under this model, the kernel handles all thread scheduling decisions and all signal delivery. This uses some of the common KSE code, and is a restricted case of the M:N threading work still in progress. The libthr library implementing the userland portion of this functionality is a drop-in replacement for the libc_r library. Note that libthr is not (at this time) built by default. awk from Bell Labs has been updated to a 14 March 2003 snapshot. BIND has been updated to version 8.3.4. &merged; All of the bzip2 suite of applications is now installed in the base system (in particular, bzip2recover is now built and installed). &merged; CVS has been updated to 1.11.5. &merged; FILE has been updated to 3.41. &merged; GCC has been updated to 3.2.2 (release version). The gdtoa library, for conversions between strings and floating point, has been imported. These sources were dated 24 March 2003. IPFilter has been updated to 3.4.31. &merged; The ISC DHCP client has been updated to 3.0.1RC11. &merged; The ISC DHCP client now includes the &man.omshell.1; utility and the &man.dhcpctl.3; library for run-time control of the client. Kerberos IV support (in the form of KTH eBones) has been removed. Users requiring this functionality can still get it from the security/krb4 port (or package). Kerberos IV compatibility mode for Kerberos 5 has been removed, and the k5program userland utilities have been renamed to kprogram. libpcap now has support for selecting among multiple data link types on an interface. lukemftpd (not built or installed by default) has been updated to a snapshot from 22 January 2003. OpenPAM has been updated to the Daffodil release. OpenSSL has been updated to release 0.9.7a. Among other features, this release includes support for AES and takes advantage of &man.crypto.4; devices. &merged; sendmail has been updated to version 8.12.9. &merged; &man.tcpdump.1; has been updated to version 3.7.2. &merged; It also now supports a -L flag to list the data link types available on an interface and a -y option to specify the data link type to use while capturing packets. The one-line pkg-comment files have been eliminated from each port skeleton; their contents have been moved into each port's Makefile. This change reduces the disk space and inodes used by the ports tree. &merged; When fetching distfiles for building a port, the FETCH_REGET Makefile variable can be used to specify the number of times to try continuing to fetch a distfile if it fails its MD5 checksum. The port infrastructure also supports re-fetching interrupted distfiles. &man.pkg.create.1; now supports a -C option, which allows packages to register a list of other packages with which they conflict. They will refuse to install (via &man.pkg.add.1;) if one of the listed packages is already present. The -f flag to &man.pkg.add.1; overrides this conflict-checking. &man.pkg.info.1; now honors the BLOCKSIZE environment variable in its output when the -b flag is given. &man.pkg.info.1; now implements a -Q option, which is similar to the -q quiet option except that it prefixes the output with the package name. The supported release of GNOME has been updated to 2.2.1. &merged; The supported release of KDE has been updated to 3.1.1a. &merged; &man.sysinstall.8; once again supports installing individual components of XFree86. Supporting changes (not user-visible) generalize the concept of installing parts of distributions as packages. The supported release of XFree86 has been updated to 4.3.0. &merged; Several upgrade mechanisms designed to permit major version upgrades from &os; 2.X to 3.X and from &os; 3.X to 4.X have been removed. The following new articles have been added to the documentation set: FreeBSD From Scratch, The Roadmap for 5-STABLE. A new Danish (da_DK.ISO8859-1) translation project has been started. Users with existing &os; systems are highly encouraged to read the Early Adopter's Guide to &os; 5.0. This document generally has the filename EARLY.TXT on the distribution media, or any other place that the release notes can be found. It offers some notes on upgrading, but more importantly, also discusses some of the relative merits of upgrading to &os; 5.X versus running &os; 4.X. Upgrading &os; should, of course, only be attempted after backing up all data and configuration files.