The &os; Project $FreeBSD$ 2000 2001 2002 2003 2004 The &os; Documentation Project The release notes for &os; &release.current; contain a summary of This document lists applicable security advisories that were issued since the last release, as well as significant changes to the &os; kernel and userland. Some brief remarks on upgrading are also presented. This document contains the release notes for &os; &release.current; on the &arch.print; hardware platform. It describes recently added, changed, or deleted features of &os;. It also provides some notes on upgrading from previous versions of &os;. The &release.type; distribution to which these release notes apply represents the latest point along the &release.branch; development branch since &release.branch; is created. Some pre-built, binary &release.type; distributions along this branch can be found at . ]]> The &release.type; distribution to which these release notes apply represents a point along the &release.branch; development branch between &release.prev; and the future &release.next;. Some pre-built, binary &release.type; distributions along this branch can be found at . ]]> This distribution of &os; &release.current; is a &release.type; distribution. It can be found at or any of its mirrors. More information on obtaining this (or other) &release.type; distributions of &os; can be found in the Obtaining &os; appendix to the &os; Handbook. ]]> All users are encouraged to consult the release errata before installing &os;. The errata document is updated with late-breaking information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for &os; &release.current; can be found on the &os; Web site. This section describes Typical release note items document recent security advisories issued after &release.prev.historic;, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to &os; between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements. A bug in &man.mksnap.ffs.8; has been fixed; it caused the creation of a filesystem snapshot to reset the flags on the filesystem to their default values. The possible consequences depended on local usage, but could include disabling extended access control lists or enabling the use of setuid executables stored on an untrusted filesystem. This bug also affected the &man.dump.8; -L option, which uses &man.mksnap.ffs.8;. Note that &man.mksnap.ffs.8; is normally only available to the superuser and members of the operator group. For more information, see security advisory FreeBSD-SA-04:01. A bug with the System V Shared Memory interface (specifically the &man.shmat.2; system call) has been fixed. This bug can cause a shared memory segment to reference unallocated kernel memory. In turn, this can permit a local attacker to gain unauthorized access to parts of kernel memory, possibly resulting in disclosure of sensitive information, bypass of access control mechanisms, or privilege escalation. More details can be found in security advisory FreeBSD-SA-04:02. &merged; A programming error in the &man.jail.attach.2; system call has been fixed. This error could allow a process with superuser privileges inside a &man.jail.8; environment to change its root directory to that of a different jail, and thus gain full read and write access to files and directories within the target jail. More information can be found in security advisory FreeBSD-SA-04:03. A potential low-bandwidth denial-of-service attack against the &os; TCP stack has been prevented by limiting the number of out-of-sequence TCP segments that can be held at one time. More details can be found in security advisory FreeBSD-SA-04:04. &merged; A bug in OpenSSL's SSL/TLS ChangeCipherSpec message processing could result in a null pointer dereference, has been fixed. This could allow a remote attacker to crash an OpenSSL-using application and cause a denial-of-service on the system. More details can be found in security advisory FreeBSD-SA-04:05. &merged; A programming error in the handling of some IPv6 socket options within the &man.setsockopt.2; system call has been fixed. This allows a local attacker to cause a system panic, and may allow to gain unauthorized access to parts of kernel memory, possibly resulting in disclosure of sensitive information, bypass of access control mechanisms, or privilege escalation. More details can be found in security advisory FreeBSD-SA-04:06. Two programming errors in CVS have been fixed. They allow a server to overwrite arbitrary files on the client, and a client to read arbitrary files on the server when accessing remote CVS repositories. More details can be found in security advisory FreeBSD-SA-04:07. &merged; A bugfix for Heimdal rectifies a problem in which it would not perform adequate checking of authentication across autonomous realms. For more information, see security advisory FreeBSD-SA-04:08. &merged; A programming error in CVS which allow the malicious client to overwrite arbitrary portions of the server's memory has been fixed. For more information, see security advisory FreeBSD-SA-04:10. &merged; A potential cache consistency problem of the implementation of the &man.msync.2; system call involving the MS_INVALIDATE operation has been fixed. However, as a side effect of closing this security problem, the MS_INVALIDATE flag no longer guarantees that all pages in the range are invalidated. Users who require the old semantics of MS_INVALIDATE and are not concerned with the security issue being fixed can set the vm.old_msync sysctl to 1 which will revert to the old (insecure) behavior. For more information, see security advisory FreeBSD-SA-04:11. &merged; A programming error in the &man.jail.2; system call which results in a failure to verify that an attempt to manipulate routing tables originated from a non-jailed process has been fixed. For more information, see security advisory FreeBSD-SA-04:12. &merged; A programming error in the handling of some Linux system calls which may result in memory locations being accessed without proper validation has been fixed. For more information, see security advisory FreeBSD-SA-04:13. &merged; ADAPTIVE_MUTEXES has been added and enabled by default. This changes the behavior of blocking mutexes to spin if the thread that currently owns the mutex is executing on another CPU. This feature can be disabled explicitly by setting a kernel option NO_ADAPTIVE_MUTEXES. A kernel option ADAPTIVE_GIANT, which causes the Giant lock to also be treated in an adaptive fashion when adaptive mutexes are enabled, has been added. This improves the performance of SMP machines and is enabled by default on the i386. The &man.acpi.asus.4; driver has been added to use ACPI-controlled hardware features, such as hot keys and LEDs on ASUSTek laptops. The &man.acpi.panasonic.4; driver has been added to support hot keys of Panasonic laptops. It now supports Let's note (or Toughbook, outside Japan) CF-R1N, CF-R2A, and CF-R3. The &man.acpi.toshiba.4; driver has been added to use Toshiba's Hardware Control Interface to manipulate certain hardware features on Toshiba laptops, such as video output switching. The &man.acpi.video.4; driver has been added to provide control display switching and backlight brightness using the ACPI Video Extensions. The &man.acpi.4; driver now supports per-device sysctls (dev.root0.nexus0.acpi0.acpi_lid0.wake, for instance) to allow users to set whether or not a given device can wake the system. The &man.acpi.4; driver will now be disabled automatically when the machine has a well-known broken BIOS. This behavior can be overridden by setting the loader tunable hint.acpi.0.disabled to 0. The &man.agp.4; driver now supports the AMD64 graphics aperture relocation table (GART). The &man.bus.dma.9; interface now supports transparently honoring the alignment and boundary constraints in the DMA tag when loading buffers, and bus_dmamap_load() will automatically use bounce buffers when needed. In addition, a set of sysctls hw.busdma.* for &man.bus.dma.9; statistics has been added. The &man.contigmalloc.9; function has been reimplemented with an algorithm which stands a greatly-improved chance of working despite pressure from running programs. The old algorithm can be used by setting a sysctl vm.old_contigmalloc. More details can be found in the &man.contigmalloc.9; manual page. The &man.ctau.4; driver has been added for Cronyx Tau synchronous serial adapters. This driver was known for a long time as ct in its previous life outside the &os; source tree. &merged; The driver name has changed, but the network interface still has the ct name. The &man.cp.4; driver has been added for Cronyx Tau-PCI synchronous serial adapters. The &man.devfs.5; path rules now work correctly on directories. The dgb (DigiBoard intelligent serial card) driver has been removed due to breakage. Its replacement is the &man.digi.4; driver, which supports all the hardware of the dgb driver. The &man.getvfsent.3; API has been removed. The &man.hme.4; driver now natively supports long frames, so it can be used for &man.vlan.4; with full Ethernet MTU size. The &man.hme.4; driver now supports TCP/UDP Transmit/Receive checksum offload. Since &man.hme.4; does not compensate the checksum for UDP datagram which can yield to 0x0, UDP transmit checksum offload is disabled by default. This can be reactivated by setting the special link option link0 with &man.ifconfig.8;. The hw.pci.allow_unsupported_io_range loader tunable has been removed. &man.jail.2; now supports the use of raw sockets from within a jail. This feature is disabled by default, and controlled by using the security.jail.allow_raw_sockets sysctl. &man.kqueue.2; now supports a new filter EVFILT_FS to be used to signal generic filesystem events to the user space. Currently, mount, unmount, and up/down status of NFS are signaled. KDB, a new debugger framework, has been added. This consists of a new GDB backend, which has been rewritten to support threading, run-length encoding compression, and so on, and the frontend that provides a framework in which multiple, different debugger backends can be configured and which provides basic services to those backends. The following options has been changed: KDB is enabled by default via the kernel options options KDB, options GDB, and options DDB. Both DDB and GDB specify which KDB backends to include. WITNESS_DDB has been renamed to WITNESS_KDB. DDB_TRACE has been renamed to KDB_TRACE. DDB_UNATTENDED has been renamed to KDB_UNATTENDED. SC_HISTORY_DDBKEY has been renamed to SC_HISTORY_KDBKEY. DDB_NOKLDSYM has been removed. The new DDB backend supports pre-linker symbol lookups as well as KLD symbol lookups at the same time. GDB_REMOTE_CHAT has been removed. The GDB protocol hacks to allow this are &os; specific. At the same time, the GDB protocol has packets for console output. KDB also serves as the single point of contact for any and all code that wants to make use of the debugger functions, such as entering the debugger or handling of the alternate break sequence. For this purpose, the frontend has been made non-optional. All debugger requests are forwarded or handed over to the current backend, if applicable. Selection of the current backend is done by the debug.kdb.current sysctl. A list of configured backends can be obtained with the debug.kdb.available sysctl. One can enter the debugger by writing to the debug.kdb.enter sysctl. A new sysctl debug.kdb.stop_cpus has been added. This controls whether or not IPI (Inter Processor Interrupts) to other CPUs will be delivered when entering the debugger, in order to stop them while in the debugger. Loadable kernel modules now work and are enabled in the amd64 build. Preliminary support for running 32-bit Linux binaries on amd64 has been added. This feature is enabled with the COMPAT_LINUX32 kernel option. The loran (Loran-C receiver) driver has been removed due to breakage and lack of maintainership. A new kernel option MAC_STATIC which disables internal MAC Framework synchronization protecting against dynamic load and unload of MAC policies, has been added. The &man.mac.bsdextended.4; policy now supports to match and apply on a first rule only in place of all rules match. This feature can be enabled by setting a new sysctl mac_bsdextended_firstmatch_enabled. The &man.mac.bsdextended.4; policy can now log failed attempts to syslog's AUTHPRIV facility. This feature can be enabled by setting a new sysctl mac_bsdextended_logging. mballoc has been replaced with mbuma, an Mbuf and Cluster allocator built on top of a number of extensions to the UMA framework. Due to this change, the NMBCLUSTERS kernel option is no longer used. The maximum number of the clusters is still capped off according to maxusers, but it can be made unlimited by setting the kern.ipc.nmbclusters loader tunable to zero. /dev/kmem, /dev/mem, and /dev/io are also provided as kernel loadable modules now. A bug in &man.mmap.2; that pages marked as PROT_NONE may become readable under certain circumstances, has been fixed. &merged; A new kernel option MP_WATCHDOG has been added; it allows one of the logical CPUs on a system to be used as a dedicated watchdog to cause a drop to the debugger and/or generate an NMI to the boot processor if the kernel ceases to respond. Several sysctls are available to enable the watchdog running out of the processor's idle thread; a callout is launched to reset a timer in the watchdog. If the callout fails to reset the timer for ten seconds, the timeout process will take place. The debug.watchdog_cpu sysctl allows to select which CPU will run the watchdog. A sysctl debug.leak_schedlock has been added. This causes a sysctl handler that incorrectly leaks the holding sched lock, to spin the lock in order to trigger the watchdog provided by the MP_WATCHDOG option. A new loader tunable debug.mpsafenet has been added and enabled by default. This causes the &os; network stack to operate without the Giant lock, resulting in performance improvement by increasing parallelism and decreasing latency in network processing. Note that enabling one of the &man.ng.tty.4; Netgraph node type, KAME IPsec, and IPX/SPX subsystem results in a boot-time restoration of Giant-enabled network operation, or run-time warning on dynamic load as these components require Giant lock for correct operation. A new kernel option NET_WITH_GIANT has been added. This restores the default value of debug.mpsafenet to 0, and is intended for use on systems compiled with known unsafe components, or where a more conservative configuration is desired. A new loader tunable debug.mpsafevm has been added. This currently results in almost Giant-free execution of zero-fill page faults. A loader tunable debug.mpsafevm has been enabled by default. The &man.nmdm.4; driver has been rewritten to improve its reliability. The raid(4) driver (RAIDframe disk driver from NetBSD) has been removed. It is currently non-functional, and would require some amount of work to make it work under the &man.geom.4; API in 5-CURRENT. An entry of the &man.pcic.4; driver has been removed from a kernel configuration file for GENERIC kernel because this is no longer maintained. The entry had actually been commented out for a long time. The &man.psm.4; driver and &man.moused.8; now support the Synaptics TouchPad. The &man.sab.4; driver now supports the BREAK_TO_DEBUGGER kernel option. The sx driver, which supports Specialix I/O8+ and I/O4+ intelligent multiport serial controllers, has been added. A devclass level has been added to the dev sysctl tree, in order to support per-class variables in addition to per-device variables. This means that dev.foo0.bar is now called dev.foo.0.bar, and it is possible to to have dev.foo.bar as well. A sysctl kern.sched.name which has the name of the scheduler currently in use, has been added, and the kern.quantum sysctl has been moved to kern.sched.quantum for consistency. For the &man.uart.4; device, the hw.uart.console and hw.uart.dbgport kernel environment variables have been added. They can be used to select a serial console and debug port respectively, as well as the attributes. The &man.ubser.4; device driver has been added to support BWCT console management serial adapters. The ULE scheduler is now the default scheduler in the GENERIC kernel. For the average user, interactivity is reported to be better in many cases. This means less skipping and jerking in interactive applications while the machine is very busy. This will not prevent problems due to overloaded disk subsystems, but it does help with overloaded CPUs. On SMP machines, ULE has per-CPU run queues which allow for CPU affinity, CPU binding, and advanced HyperThreading support, as well as providing a framework for more optimizations in the future. As fine-grained kernel locking continues, the scheduler will be able to make more efficient use of the available parallel resources. A linear search algorithm used in &man.vm.map.findspace.9; has been replaced with an O(log n) algorithm built into the map entry splay tree. This significantly reduces the overhead in &man.vm.map.findspace.9; for applications that &man.mmap.2; many hundreds or thousands of regions. The device driver infrastructure (as well as many drivers) have been updated. Among the changes: Many more drivers now use automatically-assigned major numbers (instead of the old static major numbers). Enhanced functions to support cloning of pseudo-devices. Several changes to the driver API, including a new d_version field in struct cdevsw. Note that third-party device drivers will require recompiling after this change. The pseudo-interface cloning has been updated and the match function to allow creation of &man.stf.4; interfaces named stf0, stf, or 6to4. Note that this breaks backward compatibility; for example, ifconfig stf now creates the interface named stf, not stf0, and does not print stf0 to stdout. The &os; dynamic and static linker now support Thread Local Storage (TLS), a GCC feature which supports a __thread modifier to the declaration of global and static variables. This extra modifier means that the variable's value is thread-local; one thread changing its value will not affect the value of the variable in any other thread. The kernel's file descriptor allocation code has been updated, and is now derived from similar code in OpenBSD. On &os;/sparc64, time_t has been changed from a 32-bit value to a 64-bit value. Since this change is not backward-compatible, any programs which were built on an older system using a 32-bit time_t and call system routines for handling time_t values, will have to be recompiled. More detailed information and notice on upgrading from the source can be found in /usr/src/UPDATING.64BTT. It is now possible to compile the &os;/i386 kernel with the Intel C/C++ Compiler (as in the lang/icc port). The entropy device &man.random.4; now supports a hardware random number generator (RNG) in the VIA C3 Nehemiah (Stepping 3 and above) CPU. Several old drivers for ISA cards have been removed, including the asc driver for GI1904-based hand scanners, the ctx driver for CORTEX-I Frame Grabber, the gp driver for National Instruments AT-GPIB and AT-GPIB/TNT boards, the gsc driver for the Genius GS-4500 hand scanner, the le driver for DEC EtherWORKS II and III Ethernet controllers, the rdp driver for RealTek RTL 8002-based pocket Ethernet adapters, the spigot driver for the Creative Labs Video Spigot video-acquisition board, the stl and stli drivers for Stallion Technologies multiport serial controllers, and the wt driver for Archive/Wangtek cartridge tapes. They are currently non-functional, and would require a considerable amount of work to make them work under the new API in 5-CURRENT. The userland support such as related ioctls and utilities including sasc and sgsc has also been removed. A new sysctl, kern.always_console_output, has been added. It makes output from the kernel go to the console despite the use of TIOCCONS. A serial console-capable version of boot0 has been added. It can be written to a disk using &man.boot0cfg.8; and specifying /boot/boot0sio as the argument to the -b option. cdboot now works around a BIOS problem observed on some systems when booting from USB CDROM drives. The &man.arl.4; driver, which supports Aironet Arlan 655 wireless adapters has been added. &merged; The &man.dc.4; driver now supports sparc64 Davicom cards that store their MAC address in Open Firmware. A short hiccup in the &man.em.4; driver during parameter reconfiguration, has been fixed. &merged; The &man.fwip.4; driver, which supports IP over FireWire has been added. Note that currently the broadcast channel number is hardwired and MCAP for multicast channel allocation is not supported. This driver is intended to conform to the RFC 2734 and RFC 3146 standard for IP over FireWire and eventually replace the &man.fwe.4; driver. &man.fxp.4; now uses the device sysctl tree such as dev.fxp0, and those sysctls can be set on a per-device basis. &man.fxp.4; now provides actual control over its capability to receive extended Ethernet frames, indicated by the VLAN_MTU interface capability. It can be toggled from userland with the aid of the vlanmtu and -vlanmtu options to &man.ifconfig.8;. The hea (Efficient Networks, Inc. ENI-155p ATM adapter) driver has been removed due to breakage. Its functionality has been subsumed into the &man.en.4; driver. The &man.ixgb.4; driver, which supports Intel PRO/10GBE 10 gigabit Ethernet cards, has been added. &merged; The lmc (LAN Media Corp. PCI WAN adapter) driver has been removed due to breakage and lack of maintainership. &os; now provides a binary compatibility layer for using µsoft.windows; NDIS drivers for network adapters under &os;/i386. It includes a relocator/linker for &windows; .SYS files to interface with the &os; kernel and emulates various parts of the NDIS API using native &os; kernel functions. This system supports PCI (&man.pci.4;) and CardBus (&man.cardbus.4;) network devices, and is designed principally for Ethernet and wireless network interfaces. For more information, see the &man.ndis.4; and &man.ndiscvt.8; manual pages. The &man.ng.atmllc.4; Netgraph node type, which handles RFC 1483 ATM LLC encapsulation, has been added. The &man.ng.hub.4; Netgraph node type, which supports a simple packet distribution that acts like an Ethernet hub, has been added. &merged; The &man.ng.rfc1490.4; Netgraph node type now supports Cisco style encapsulation, which is often used alongside RFC 1490 in frame relay links. The &man.ng.sppp.4; Netgraph node type, which is a &man.netgraph.4 interface to the original &man.sppp.4 network module for synchronous lines, has been added. A new Netgraph method has been added to restore some behavior lost in the change from 4.X style &man.ng.tee.4; Netgraph nodes. The &man.ng.vlan.4; Netgraph node type, which supports IEEE 802.1Q VLAN tagging, has been added. &merged; A bug that prevents VLAN support in the &man.nge.4; driver from working has been fixed. &merged; The &man.pci.4; bus resource and power management have been updated. Although the &man.pci.4; bus power state management has been enabled by default, it may cause problems on some systems. This can be disabled by setting the tunable hw.pci.do_powerstate to 0. Several bugs related to &man.polling.4; support in the &man.rl.4; driver have been fixed. &merged; Several bugs related to multicast and promiscuous mode handling in the &man.sk.4; driver have been fixed. The &man.ste.4; driver now supports &man.polling.4;. &merged; The &man.udav.4; driver has been added. It provides support for USB Ethernet adapters based on the Davicom DM9601 chipset. The &man.vr.4; driver now supports &man.polling.4;. &merged; The hardware TX checksum support in the &man.xl.4; driver has been disabled as it does not work correctly and slows down the transmission rate. &merged; Interface &man.polling.4; support can now be enabled on a per-interface basis. All of the network drivers that support &man.polling.4; (&man.dc.4;, &man.fxp.4;, &man.em.4;, &man.nge.4;, &man.re.4;, &man.rl.4;, &man.sis.4;, &man.ste.4;, and &man.vr.4;) now also support this capability and it can be controlled via &man.ifconfig.8;. &merged; The DA_OLD_QUIRKS kernel option, which is for the CAM SCSI disk driver (&man.cam.4;), has been removed. &merged; The &man.gre.4; tunnel driver now supports WCCP version 2. &man.ipfw.4; rules now support the versrcreach option to verify that a valid route to the source address of a packet exists in the routing table. This option is very useful for routers with a complete view of the Internet (BGP) in the routing table to reject packets with spoofed or unroutable source addresses. For example, deny ip from any to any not versrcreach is equivalent to the following in Cisco IOS syntax: ip verify unicast source reachable-via any &man.ipfw.4; rules now support the antispoof option to verify if incoming packet's source address belongs to a directly connected network. If the network is directly connected, then the interface the packet came on in is compared to the interface the network is connected to. When incoming interface and directly connected interface are not the same, the packet does not match. For example: deny ip from any to any not antispoof in &man.ipfw.4; rules now support the jail option to associate the rule with a specific prison ID. For example: count ip from any to any jail 2 Note that this rule currently applies for TCP and UDP packets only. &man.ipfw.4; now supports lookup tables. This feature is useful for handling large sparse address sets. &merged; The &man.ipfw.4; forward rule has to be compiled into the kernel with a kernel option IPFIREWALL_FORWARD to enable it. A new sysctl net.inet.ip.process_options to control the processing of IP options. When this sysctl is set to 0 IP options are ignored and passed unmodified, set to 1 all IP options are processed (default), and set to 2 all packets with IP options are rejected with an ICMP filter prohibited message, respectively. Some bugs in the IPsec implementation from the KAME Project have been fixed. These bugs were related to freeing memory objects before all references to them were removed, and could cause erratic behavior or kernel panics after flushing the Security Policy Database (SPD). &man.natd.8; now supports multiple instances via a new option globalports. This allows &man.natd.8; to be bound to different network interfaces and sharing of load. PFIL_HOOKS support is now always compiled into the kernel, and the associated kernel compile options have been removed. All of the packet filter subsystems that &os; supports now use the PFIL_HOOKS framework. The link state change notification of Ethernet media support has been added to the routing socket. Link Quality Monitoring (LQM) support in &man.ppp.8; has been reimplemented. LQM, which is described in RFC 1989, allows PPP to keep track of the quality of a running connection. &merged; The following TCP features are now enabled by default: RFC 3042 (Limited Retransmit), RFC 3390 (increased initial congestion window sizes), TCP bandwidth-delay product limiting. A set of sysctls net.inet.tcp.rfc3042, net.inet.tcp.rfc3390, and net.inet.tcp.inflight.enable for these features are available. More information can be found in &man.tcp.4;. &os;'s TCP implementation now includes support for a minimum MSS (settable via the net.inet.tcp.minmss sysctl variable) and a rate limit on connections that send many small TCP segments within a short period of time (via the net.inet.tcp.minmssoverload sysctl variable). Connections exceeding this limit may be reset and dropped. This feature provides protection against a class of resource exhaustion attacks. The TCP implementation now includes partial (output-only) support for RFC 2385 (TCP-MD5) digest support. This feature, enabled with the TCP_SIGNATURE and FAST_IPSEC kernel options, is a TCP option for authenticating TCP sessions. &man.setkey.8; now includes support for the TCP-MD5 class of security associations. &merged; The TCP connection reset handling has been improved to make several reset attacks as difficult as possible while maintaining compatibility with the widest range of TCP stacks. The implementation of RFC 1948 has been improved. The time offset component of an Initial Sequence Number (ISN) now includes random positive increments between clock ticks so that ISNs will always be increasing, no matter how quickly the port is recycled. The random ephemeral port allocation, which come from OpenBSD has been implemented. This is enabled by default and can be disabled by using the net.inet.ip.portrange.randomized sysctl. &merged; TCP Selective Acknowledgements (SACK) as described in RFC 2018 have been added. This improves TCP performance over connections with heavy packet loss. SACK can be enabled with the sysctl net.inet.tcp.sack.enable. The &man.ata.4; driver now supports &man.cardbus.4; ATA/SATA controllers. A number of bugs in the &man.ata.4; driver have been fixed. Most notably, master/slave device detection should work better, and some problems with timeouts should be resolved. The &man.ata.4; driver now supports the Promise command sequencer present on all modern Promise controllers (PDC203** PDC206**). This also adds preliminary support for the Promise SX4/SX4000 as a normal Promise ATA controller; ATA RAID's are supported though but only RAID0, RAID1 and RAID0+1. A bug of the automatic density selection code in the &man.fd.4; driver has been fixed. The &man.ips.4; driver now supports the recent Adaptec ServeRAID series SCSI controller cards. A bug in the &man.isp.4; driver which prevents the cards on SBus from working correctly, has been fixed. The &man.twa.4; driver, which supports 3ware's 9000 series PATA/SATA RAID controllers has been added. &merged; The &man.umass.4; driver now supports the missing ATAPI MMC commands and handles the timeout properly. &merged; The &man.vinum.4; volume manager, has been updated to use &man.geom.4;, the 5.x disk I/O request transformation framework. A gvinum userland utility has been added. The &man.esp.4; device driver has been ported from NetBSD to support the SBus SCSI card in Sun Ultra 1e and 2 machines. Support for LSI-type software RAID has been added. The autofs(9) file system and the userland library &man.libautofs.3; have been added. The EXT2FS file system code now includes partial support for large (> 4GB) files. This support is partial in that it will refuse to create large files on filesystems that have not been upgraded to EXT2_DYN_REV or that do not have the EXT2_FEATURE_RO_COMPAT_LARGE_FILE flag set in the superblock. A bug in &man.geom.4; that could result in I/O hangs in some rare cases has been fixed. A new GEOM_CONCAT &man.geom.4; class has been added to concatenate multiple disks to appear as a single larger disk. A new GEOM_NOP &man.geom.4; class for various testing purposes has been added. A new GEOM_RAID3 &man.geom.4; class for RAID3 transformation and &man.graid3.8; userland utility have been added. A new GEOM_STRIPE &man.geom.4; class which implements RAID0 transformation has been added. This class has two modes: fast and economic. In fast mode, when very small stripe size is used, only one I/O request will be sent to every disk in a stripe; it performs about 10 times faster for small stripe sizes than economic mode and other RAID0 implementations. While fast mode is used by default, it consumes more memory than economic mode, which sends requests each time. Economic mode can be enabled by setting a loader tunable kern.geom.stripe.fast to 0. It is also possible to specify the maximum memory that fast mode can consume, by setting the loader tunable kern.geom.stripe.maxmem. GEOM Gate, which consists of a new GEOM_GATE &man.geom.4; class and several GEOM Gate userland utilities (&man.ggatel.8;, &man.ggatec.8;, and &man.ggated.8;) has been added. It supports exporting devices, including non &man.geom.4;-aware devices, through the network. A new GEOM_LABEL &man.geom.4; class to detect volume labels on various file systems, such as UFS, MSDOSFS (FAT12, FAT16, FAT32), and ISO9660, has been added. A new GEOM_GPT &man.geom.4; class, which supports GUID Partition Table (GPT) partitions and the ability to have a large number of partitions on a single disk, has been added into GENERIC by default. A new GEOM_MIRROR &man.geom.4; class to support which supports RAID1 functionality, has been added. The &man.gmirror.8; utility can be used for control of this class. A new GEOM_UZIP &man.geom.4; class to implement read-only compressed disks has been added. This currently supports cloop V2.0 disk compression format. A new GEOM_VINUM &man.geom.4; class to support cooperation between &man.vinum.4; and &man.geom.4; has been added. A panic in the NFSv4 client has been fixed; this occurred when attempting operations against an NFSv3/NFSv2-only server. The SMBFS client now has support for SMB request signing, which prevents man in the middle attacks and is required in order to connect to Windows 2003 servers in their default configuration. As signing each message imposes a significant performance penalty, this feature is only enabled if the server requires it; this may eventually become an option to &man.mount.smbfs.8;. The MSDOSFS_LARGE kernel option has been added to support for FAT32 filesystems bigger than 128GB. This option is disabled by default. It uses at least 32 bytes of kernel memory for each file on disk; furthermore it is only safe to use in certain controlled situations, such as read-only mount with less than 1 million files and so on. Exporting these large filesystems over NFS is not supported. The meteor (video capture) driver has been removed due to breakage and lack of maintainership. The Direct Rendering Manager (DRM) code has been updated from the DRI Project CVS tree as of 26 May, 2004. This update includes new PCI IDs and a new packet for Radeon. The drivers for various sound cards has been reorganized; device sound is the generic sound driver, and device snd_* are device-specific sound drivers now. The midi driver, which supports serial port and several sound cards, has been removed. More details can be found in related manual pages: sound(4), &man.snd.ad1816.4;, &man.snd.als4000.4;, &man.snd.cmi.4;, &man.snd.cs4281.4;, &man.snd.ds1.4;, &man.snd.emu10k1.4;, &man.snd.es137x.4;, and &man.snd.solo.4;. The sound(4) (formerly &man.pcm.4;) driver has been modified to read /boot/device.hints on startup, to allow setting of default values for mixer channels. The ALTQ framework has been imported from a KAME snapshot as of 7 June, 2004. This import breaks ABI compatibility of struct ifnet and requires all network drives to be recompiled. Additionally some of the networking drivers have been modified to support the ALTQ framework. Updated drivers are &man.bfe.4;, &man.em.4;, &man.fxp.4;, &man.em.4;, &man.lnc.4;, &man.tun.4;, &man.de.4;, &man.rl.4;, &man.sis.4;, and &man.xl.4;. IPFilter has been updated from version 3.4.31 to version 3.4.35 &merged;. An ia64 stack unwinder, Unwind Express (libuwx) by Hewlett-Packard has been imported for use in the kernel. &man.acpidump.8; now supports SSDT tables. Dumping or disassembling the DSDT will now include the contents if there are any SSDT table as well. &man.bsdlabel.8; now supports a -f option to work on files instead of disk partitions. &man.bsdtar.1; is now the default &man.tar.1; utility in the &os; base system. /usr/bin/tar has been a symlink pointing to /usr/bin/bsdtar by default. To return to using /usr/bin/gtar by default, the WITH_GTAR make variable can be used. The bthidcontrol and bthidd commands, which support Bluetooth HIDs (Human Interface Devices), have been added. &man.col.1;, &man.colcrt.1;, &man.colrm.1;, &man.column.1;, &man.fmt.1;, &man.join.1;, &man.rev.1;, &man.tr.1;, and &man.ul.1; now support multibyte characters. &man.conscontrol.8; now supports set and unset commands which set/unset the virtual console. unset makes outputs from the system, such as the kernel &man.printf.9;, always go out to the real main console. This is an interface to the tty ioctl TIOCCONS. The &man.cron.8 daemon now accepts two new options, -j and -J, to enable time jitter for jobs to run as unprivileged users and the superuser, respectively. Time jitter means that &man.cron.8 will sleep for a small random period of time in the specified range before executing a job. This feature is intended to smooth load peaks appearing when a lot of jobs are scheduled for a particular moment. &merged; &man.cut.1; -c, -d, and -f now work correctly in locales with multibyte characters. &man.cvs.1; now supports iso8601 option keyword to print dates in ISO 8601 format. &man.daemon.8; now supports a -p option to create a PID file. &man.dd.1; now supports a fillchar option to specify an alternative padding character when using a conversion mode, or when using noerror with sync and an input error occurs. &man.df.1; now supports a -c option to display a grand total of statistics for file systems. A bug in &man.df.1;, which can print invalid information when a -t option is specified and a mount point is not accessible by the calling user, has been fixed. The doscmd utility has been removed from the &os; base system. It is now available via the emulators/doscmd port in the &os; Ports Collection. &man.dump.8; and &man.restore.8; now support a -P option to specify backup methods other than files and tapes. The argument is passed to a normal &man.sh.1; pipeline with either the $DUMP_VOLUME or $RESTORE_VOLUME environment variable defined, respectively. For more information, see &man.dump.8; and &man.restore.8;. The &man.eeprom.8; utility to display and modify system configurations stored in EEPROM or NVRAM has been added. The current implementation supports systems equipped with Open Firmware. The &man.fdcontrol.8;, &man.fdformat.1;, and &man.fdread.1; utilities now work on &os;/pc98. &man.fgetwln.3; function, a wide character version of &man.fgetln.3; has been added. The &man.find.1; utility now supports a -acl primary to locate files with &man.acl.3;. The &man.find.1; utility now supports a new primary -depth n which tests whether the depth of the current file relative to the starting point of the traversal is n. &merged; &man.ftpd.8; now opens a socket for a data transfer in active mode using effective UID of the current user, not root. This is useful for matching anonymous FTP data traffic with a single &man.ipfw.8; rule with uid. The &man.ftw.3; and &man.nftw.3; functions have been implemented. These are used to traverse a directory hierarchy. The &man.geom.8; utility for operating on &man.geom.4; classes from the userland has been added. &man.gpt.8;, a GUID partition table maintenance utility, now supports a remove command. Its add command now supports a -i option, which allows the user to specify the partition number of a new partition. The &man.id.1; now supports a -M option to print the MAC label of the current process. &man.ifconfig.8; now supports renaming of network interfaces at run-time using the name parameter. &man.ifconfig.8; now prints the &man.polling.4; status on the interface. &merged; &man.ifconfig.8; now provides the vlanmtu and -vlanmtu options, which control the capability of some Ethernet interfaces to receive extended frames (i.e. frames containing more than 1500 bytes of payload). &man.ifconfig.8; now provides the vlanhwtag and -vlanhwtag options, which control the capability of some Ethernet interfaces to process VLAN tags in the hardware. &man.indent.1; now supports a -ldi option to control indentation of local variables. A number of other tunings were made to this utility. &man.indent.1; now supports -fbs and -ut for function declarations with the opening brace on the same line as the declaration of arguments all spaces and no tabs in order to fix problem when non-8 space tabs are used. &man.ip6fw.8; now supports a -n flag to stop it from making any changes to the rules in the kernel &man.ipcs.1; now supports a -u option to display information about IPC mechanisms owned by the specified user. &man.ipfw.8; now supports a -b flag to print only the action and comment for each rule, thus omitting the rule body. &man.jail.8; now supports a -U option to run command as a user which exists only in the &man.jail.2; environment. &man.jail.8; now supports a -l option to clean the environment. All environment variables are discarded except for HOME, SHELL, PATH, TERM, and USER before running the jailed program under specific user's credentials. This behavior is similar to that provided by the &man.su.1; -l option. &man.kgdb.1;, a kernel debugging utility which uses libgdb and understands kernel threads, kernel modules, and &man.kvm.3;, has been added. &man.killall.1; now supports a -e flag to make the -u operate on effective, rather than real, user IDs. &merged; &man.libalias.3; now has support (and a new API) for multiple aliasing instances in a single process. The existing API has been reimplemented in terms of the new one to preserve compatibility. A libarchive library for manipulation of compressed and uncompressed archive files has been added. More details can be found in &man.libarchive.3;. libdisk now uses the correct PC98 disk partition value for &os;. This permits the &man.sysinstall.8; disk partition editor to correctly create a single &os; partition covering the entire disk. &merged; libdisk now uses d_addr_t for disk addresses. This allows &man.sysinstall.8; to properly handle disks and filesystems more than 1 TB. The library formerly known as libkse has been renamed libpthread and is now the default threading library on the i386, amd64, and ia64 platforms. GCC's -pthread option has been changed to use libpthread rather than libc_r. Users with older binaries (for example, ports compiled before this change was made) should use &man.libmap.conf.5; to map libc_r and/or libkse to libpthread. Users with NVIDIA-supplied drivers and libraries may need to use a &man.libmap.conf.5; that maps libpthread references to the older libc_r since these drivers and utilities do not work with libpthread. libpthread now supports a LIBPTHREAD_SYSTEM_SCOPE environment variable to force 1:1 mode (using system scope threads). Note that building libpthread with -DSYSTEM_SCOPE_ONLY flag also forces 1:1 mode, and that this option is set by default for architectures that do not support M:N mode yet. In addition, a LIBPTHREAD_PROCESS_SCOPE environment variable can be used to force M:N mode (using process scope threads). For example: &prompt.user; LIBPTHREAD_SYSTEM_SCOPE=yes threaded_app forces the application threaded_app to use system scope threads, and &prompt.user; LIBPTHREAD_PROCESS_SCOPE=yes threaded_app forces it to use process scope threads, respectively. A bug in the -d option of &man.look.1; has been fixed. Also, &man.look.1; now works correctly in locales with multibyte characters. &man.ls.1; now treat filenames as multibyte character strings according to the current LC_CTYPE when determining which characters are printable. &man.make.1; now supports the new .warning directive. &man.make.1; now supports the POSIX-compatible + flag in Makefile command lines, which causes a line to be executed even when -n is specified. This is useful for calls to submakes, for example. &man.make.1; now puts variable assignments from the command line into the MAKEFLAGS variable as required by POSIX. This causes such variables to be pushed into all sub-makes called by the &man.make.1; (except when the MAKEFLAGS variable is explicitly changed in the sub-make's environment). This makes them also mostly un-overrideable in sub-makes except on the sub-make's command line. The &man.nearbyint.3; and &man.nearbyintf.3; C99 functions have been implemented. The tgmath.h C99 header has been implemented. This provides type-generic macros for the math.h and complex.h functions that have float, double and long double implementations. The GNU extensions of &man.mbsnrtowcs.3; and &man.wcsnrtombs.3; have been implemented. &man.newsyslog.8; now allows the users to set a debugging option via the newsyslog.conf file. &man.newsyslog.8; now uses a new order when processing files to rotate. It first rotates all files that need to be rotated, then sends a single signal to each process which needs to be signaled, and finally compresses all the files that were rotated. A &man.nextwctype.3; function to iterate over all characters in a particular character class has been added. Initial support for UTF-8 versions of all the currently supported system locales has been added. This is primarily for the benefit of the misc/utf8locale port. An Israel Hebrew locale he_IL.UTF-8 has been added. The &man.logins.1; utility has been added to display information about user and system accounts. &man.mountd.8; now supports the -p option, which allows users to specify a known port for use in firewall rulesets. &man.netstat.1; now displays the multicast group memberships present in the system. &man.newfs.8; and &man.mdmfs.8; now support a -l flag to enable them to set the MAC multilabel flag on new filesystems without requiring the use of &man.tunefs.8;. &man.nologin.8; now reports login attempts via &man.syslogd.8;. &man.nologin.8; has been moved from /sbin/nologin to /usr/sbin/nologin. /sbin/nologin remains as a symbolic link for backward compatibility. A bugfix has been applied to NSS support, which fixes problems when using third-party NSS modules (such as net/nss_ldap) and groups with large membership lists. &man.od.1; now has POSIX-style support for multibyte characters. &man.patch.1; has been replaced with a BSD-licensed version from OpenBSD. This includes a --posix option for strict POSIX conformance. The &man.pgrep.1; and &man.pkill.1; commands, which come from NetBSD, have been added. They also support a -M option to extract values associated with the name list from the specified core instead of the default /dev/kmem, and a -N option to extract the name list from the specified system instead of the default kernel. &man.ppp.8; now supports a set rad_alive N command to enable periodic RADIUS accounting information being sent to the RADIUS server. &merged; &man.ppp.8; now supports a set pppoe [standard|3Com] command to configure the operating mode of an underlying the &man.ng.pppoe.4; Netgraph node. &man.ps.1; compatibility with POSIX/SUSv3 has been improved. The changes include -p for a list of process IDs, -t for a list of terminal names, -A which is equivalent to -ax, -G for a list of group IDs, -X which is the opposite of -x, and some minor improvements. For more information, see &man.ps.1;. &merged; &man.ps.1; now supports a -O emul format option, which prints the name of the system call emulation environment the process is in. &man.pw.8; now supports a -H option, which accepts an encrypted password on a file descriptor. &merged; A bug in &man.rarpd.8; that prevents it from working properly when a interface has more than one IP address has been fixed. &merged; &man.regex.3; now supports regular expression matching aware of multibyte characters. The configuration files used by the &man.resolver.3; now support the timeout: and attempts: keywords. The &man.resolver.3; and associated interfaces are now much more reentrant and thread-safe. Multiple DNS lookups can now be run at the same time, showing major improvements in the performance of some multi-threaded applications. Some multi-threaded programs need to be recompiled; examples from the Ports Collection are www/mozilla and variants, mail/evolution, devel/gnomevfs, and devel/gnomevfs2. &man.rmdir.1; now supports a -v flag, which makes it verbose. &man.savecore.8; now works correctly for dump files larger than 2GB. A bug in &man.script.1; has been fixed so that it now works correctly if the standard input is closed. This fix prevents a potentially dangerous interaction with the sysutils/portupgrade package; if it was run non-interactively, it could remove all out-of-date ports without reinstalling them. The &man.sdpd.8; Bluetooth Service Discovery Protocol daemon has been added. &man.sed.1; y (translate) command now supports multibyte characters. The &man.sha1.1; and &man.rmd160.1; utilities have been added. Similar to &man.md5.1;, they calculate a message digest of their inputs. &merged; &man.smbmsg.8;, a small utility to send/receive SMBus messages, has been added. &man.sunlabel.8; now supports two new flags: -c to calculate all partition sizes in cylinders as opposed to sectors, and -h to print the label in human readable size/offset format. &man.talk.1; now use localhost as a default machine name in &man.talkd.8; request packets, when the destination and source are local. This makes &man.talk.1; dependent on a valid host entry for localhost in /etc/hosts or the DNS. &man.tftpd.8; now supports two new options: a -w option allows new files to be created, and a -U option allows the umask to be set. &man.top.1; now supports to display the current amount of I/O. This feature can be enabled by hitting m or passing the command line option -m io. &man.truss.1; now includes early support for &os;/amd64. Many userland utilities in the base system (mostly GNU contributed utilities) now use the system version of &man.getopt.long.3;, rather than the GNU version. The diskless script has been split out into hostname, resolve, tmp, and var scripts. The gbde_swap script, which supports gbde-enabled swap devices has been added. When the gbde_swap_enable variable is specified in &man.rc.conf.5;, a swap device named /dev/foo.bde in &man.fstab.5; is automatically attached at boot time with the device /dev/foo and a random key, which generated by computing the MD5 checksum of 512 bytes read from /dev/random. Note that this prevents recovery of kernel dumps. The ip6addrctl_enable and ip6addrctl_verbose have been added. When ip6addrctl_enable is set to YES, the address selection policy is installed into the kernel. If there is /etc/ip6addrctl.conf it will be used, otherwise a default policy will be installed. The default policy is one described in RFC 3484 when ipv6_enable is set to YES. Otherwise, the priority policy for IPv4 address will be used as a default policy. The mixer script has been added. It saves the current settings of all audio mixers present in the system on shutdown and restores the settings on boot. The pf and pflog scripts for &man.pf.4; has been added. The ACPI-CA code has been updated from the 20030619 snapshot to the 20040527 snapshot. The AMD (am-utils) has been updated from version 6.0.9 to version 6.0.10p1. awk from Bell Labs has been updated from the 29 July 2003 release to the 7 February 2004 release. Binutils have been updated to a 23 May 2004 snapshot from the FSF 2.15 branch. CVS has been updated from version 1.11.15 to version 1.11.17. &merged; The FILE has been updated from version 3.41 to version 4.10. gdtoa (a library that performs conversions of numbers between binary and decimal form) has been updated from version 20030324 to version 20040118. GDB has been updated to version 6.1.1. GNU GCC has been updated from 3.3.3-prerelease as of 6 November, 2003 to 3.4.2-prerelease as of 28 July, 2004. GNU grep has been updated from version 2.4d to version 2.5.1. less has been updated from version 371 to version 381. GNU readline 4.3 has been updated with official patches 001 through 005. The GNU regex library has been updated to the version included with GNU grep 2.5.1. GNU sort has been updated from textutils 2.1 to a coreutils snapshot as of 12 August, 2004. The GNU tar implementation in the base system is now called gtar. Heimdal Kerberos has been updated from version 0.6 to version 0.6.1. The ISC DHCP client has been updated from version 3.0.1 RC10 to version 3.0.1. libpcap has been updated from version 0.7.1 to version 0.8.3. lukemftp has been updated from a snapshot as of 3 November, 2003 to one as of 9 August, 2004. NTP has been updated from version 4.1.1a to version 4.2.0. OpenPAM has been updated from the Dogwood release to the Eelgrass release. OpenSSH has been updated from version 3.6.1p1 to version 3.8.1p1. The configuration defaults for &man.sshd.8; have been changed. SSH protocol version 1 is no longer enabled by default. In addition, password authentication over SSH is disabled by default if PAM is enabled. OpenSSL has been updated from version 0.9.7c to version 0.9.7d. &merged; OpenSSL VIA C3 Nehemiah PadLock ACE (Advanced Cryptography Engine) crypto support, which provides Advanced Encryption Standard (AES) encryption, has been imported from a prerelease version of OpenSSL. pf, OpenBSD's packet filter as of OpenBSD 3.5-stable, has been imported into &os; source tree and is now installed by default. Two new users (proxy and _pflogd) and three new groups (authpf, proxy, and _pflogd), which pf needs, have been added as well. On upgrading from source, these user accounts must be added in advance. mergemaster -p can be used to assist in creating the proper entries in the &man.passwd.5; and &man.group.5; files. The NO_PF variable in make.conf can be used to prevent pf from building. Several userland utilities of OpenBSD's pf have been imported. &man.ftp-proxy.8; is an ftp proxy for &man.pf.4;, &man.pfctl.8; is an equivalent to &man.ipf.8;, &man.pflogd.8; is a daemon logging packets via if_pflog in &man.pcap.3; format, and &man.authpf.8; is an authentication shell to modify &man.pf.4; rulesets. routed has been updated from release 2.22 to release 2.27 from rhyolite.com. Note that for users relying on RIP's MD5 authentication feature, &man.routed.8; routed is now incompatible with previous versions of &os;; however it is now compatible with implementations from Sun, Cisco and other vendors. sendmail has been updated from version 8.12.10 to version 8.13.1. &merged; tcpdump has been updated from version 3.7.1 to version 3.8.3. tcsh has been updated from version 6.11 to version 6.13.00. The timezone database has been updated from tzdata2003a to tzdata2004a. zlib has been updated from version 1.1.4 to version 1.2.1. Most of startup/shutdown scripts installed by various ports now use the new &man.rc.8; framework introduced in &os; 5.X, while some ports still use the old-style scripts. On startup, the new &man.rc.8; style scripts are executed first and then the old-style scripts. On shutdown, exactly the reverse happens. The SIZE attribute for distfiles, which can be used for checking file sizes before fetching, has been added and enabled by default. DISABLE_SIZE is a user control knob to disable the distfile size checking. This is especially useful on old &os; versions which did not have &man.fetch.1; support for this, and for some FTP proxies which always report incorrect or bogus sizes. Two new files have been added to the ports tree to track note-worthy changes: ports/CHANGES lists major changes to the Ports Collection and its infrastructure. ports/UPDATING describes some potential pitfalls that can be encountered when updating certain ports, analogous to src/UPDATING for the base system. The version number parsing code has been rewritten in the system pkg_* tools, restoring compatibility with 4.x and sysutils/portupgrade. The package tools can now match packages with relational operators and csh-style {...} choices. For example: &prompt.root; pkg_info -I 'docbook>=3.0' will list (all) docbook DTDs with at least version 3.0. Additional command line options have also been added to aid pattern matching. The package tools have improved handling of corrupt package databases. &man.pkg.create.1; now supports a -S option to make all @cwd be prefixed during package creation. &man.pkg.info.1; now supports a -j option to show the requirements script for each package. The building process for boot floppy images has been completely overhauled. The most significant change is that the loader now boots a stock GENERIC kernel split across multiple disks (two at the time of this writing). This greatly improves installations that begin with a boot from floppy disk, because they now use exactly the same kernel (and thus support the same hardware) as CDROM installations. The stripped-down MFSROOT kernel is no longer needed, and the mfsroot image no longer requires kernel modules. The boot.flp and driver.flp images are also obsolete and no longer built. &os; cryptography support is no longer an optional component of releases, and the crypto release distribution is now part of base. Note that the -DNOCRYPT build option still exists for anyone who really wants to build non-cryptographic binaries. The supported release of GNOME has been updated from version 2.4 to version 2.6.2. If you are using the older GNOME desktop itself (x11/gnome2), simply upgrading it from the &os; Ports Collection with &man.portupgrade.1; (sysutils/portupgrade) will cause serious problems. If you are a GNOME desktop user, please read the instructions carefully at , and use the gnome_upgrade.sh script to properly upgrade to GNOME 2.6. Note that if you are just a casual user of some of the GNOME libraries, &man.portupgrade.1; should be sufficient to update your ports. The supported release of KDE has been updated from version 3.1.4 to version 3.3.0. The security/portaudit utility has been added to the &os; Ports Collection. This utility will read a database containing known ports vulnerabilities and report them to the administrator. &os; now uses Xorg instead of XFree86 as the default X Window System. The supported release is Xorg X11R6.7.0. Note that XFree86 is also available in the &os; Ports Collection (x11/XFree86-4). Users with existing &os; systems are highly encouraged to read the Early Adopter's Guide to &os; &release.current;. This document generally has the filename EARLY.TXT on the distribution media, or any other place that the release notes can be found. It offers some notes on upgrading, but more importantly, also discusses some of the relative merits of upgrading to &os; 5.X versus running &os; 4.X. Upgrading &os; should, of course, only be attempted after backing up all data and configuration files.