From a6ae64c4808f2aedf4d617fa7105069a0d46a94e Mon Sep 17 00:00:00 2001
From: "Bruce A. Mah" <bmah@FreeBSD.org>
Date: Sun, 30 Jun 2002 18:48:24 +0000
Subject: [PATCH] New release notes:  ipfw(4) rewrite.

Modified release notes: ACPI 20020404, OpenSSH 3.4p1 (rewrote 3.3p1
update and reformatted).
---
 .../doc/en_US.ISO8859-1/relnotes/article.sgml | 29 +++++++++++++++----
 .../en_US.ISO8859-1/relnotes/common/new.sgml  | 29 +++++++++++++++----
 2 files changed, 48 insertions(+), 10 deletions(-)

diff --git a/release/doc/en_US.ISO8859-1/relnotes/article.sgml b/release/doc/en_US.ISO8859-1/relnotes/article.sgml
index 9ff22f6dfdd3..50b18f22aa79 100644
--- a/release/doc/en_US.ISO8859-1/relnotes/article.sgml
+++ b/release/doc/en_US.ISO8859-1/relnotes/article.sgml
@@ -913,6 +913,13 @@ options HZ=1000 # not compulsory but strongly recommended</programlisting>
       <para role="historic">&man.ipfw.4; now filters correctly in the presence of ECN
 	bits in TCP segments. &merged;</para>
 
+      <para>&man.ipfw.4 has been re-implemented.  It now uses
+        variable-sized representation of rules in the kernel, similar
+        to &man.bpf.4; instructions.  Most of the externally-visible
+        behavior (i.e. through &man.ipfw.8;) should be unchanged.,
+        although &man.ipfw.8; now supports <literal>or</literal>
+        connectives between match fields.</para>
+
       <para role="historic">A new ng_eiface netgraph module has been added, which
 	appears as an Ethernet interface but delivers its Ethernet
 	frames to a Netgraph hook. &merged;</para>
@@ -1453,7 +1460,7 @@ options HZ=1000 # not compulsory but strongly recommended</programlisting>
 	(ACPI), a multi-vendor standard for configuration and power
 	management, has been added.  This functionality has been
 	provided by the <application>Intel ACPI Component
-	Architecture</application> project, as of the ACPI CA 20020308
+	Architecture</application> project, as of the ACPI CA 20020404
 	snapshot.  Some backward compatability for applications using
 	the older APM standard has been provided.</para>
 
@@ -3550,10 +3557,22 @@ options HZ=1000 # not compulsory but strongly recommended</programlisting>
 	  </para>
 
 	<para><application>OpenSSH</application> has been updated to
-	  3.3p1.  This version adds a <quote>privilege
-	  separation</quote> feature, which uses unprivileged
-	  processes to contain and restrict the effects of future
-	  compromises or programming errors.</para>
+	  3.4p1.  The main changes are:
+	    <itemizedlist>
+	      <listitem>
+	        <para>A <quote>privilege separation</quote> feature,
+		  which uses unprivileged processes to contain and
+		  restrict the effects of future compromises or
+		  programming errors.</para>
+	      </listitem>
+
+	      <listitem>
+	        <para>Several bugfixes, including closure of a
+		  security hole that could lead to an integer overflow
+		  and undesired privilege escalation.</para>
+	      </listitem>
+	    </itemizedlist>
+	  </para>
 
 	<para><application>OpenSSH</application> can now authenticate
 	  using <application>OPIE</application> passwords.</para>
diff --git a/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml b/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml
index 9ff22f6dfdd3..50b18f22aa79 100644
--- a/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml
+++ b/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml
@@ -913,6 +913,13 @@ options HZ=1000 # not compulsory but strongly recommended</programlisting>
       <para role="historic">&man.ipfw.4; now filters correctly in the presence of ECN
 	bits in TCP segments. &merged;</para>
 
+      <para>&man.ipfw.4 has been re-implemented.  It now uses
+        variable-sized representation of rules in the kernel, similar
+        to &man.bpf.4; instructions.  Most of the externally-visible
+        behavior (i.e. through &man.ipfw.8;) should be unchanged.,
+        although &man.ipfw.8; now supports <literal>or</literal>
+        connectives between match fields.</para>
+
       <para role="historic">A new ng_eiface netgraph module has been added, which
 	appears as an Ethernet interface but delivers its Ethernet
 	frames to a Netgraph hook. &merged;</para>
@@ -1453,7 +1460,7 @@ options HZ=1000 # not compulsory but strongly recommended</programlisting>
 	(ACPI), a multi-vendor standard for configuration and power
 	management, has been added.  This functionality has been
 	provided by the <application>Intel ACPI Component
-	Architecture</application> project, as of the ACPI CA 20020308
+	Architecture</application> project, as of the ACPI CA 20020404
 	snapshot.  Some backward compatability for applications using
 	the older APM standard has been provided.</para>
 
@@ -3550,10 +3557,22 @@ options HZ=1000 # not compulsory but strongly recommended</programlisting>
 	  </para>
 
 	<para><application>OpenSSH</application> has been updated to
-	  3.3p1.  This version adds a <quote>privilege
-	  separation</quote> feature, which uses unprivileged
-	  processes to contain and restrict the effects of future
-	  compromises or programming errors.</para>
+	  3.4p1.  The main changes are:
+	    <itemizedlist>
+	      <listitem>
+	        <para>A <quote>privilege separation</quote> feature,
+		  which uses unprivileged processes to contain and
+		  restrict the effects of future compromises or
+		  programming errors.</para>
+	      </listitem>
+
+	      <listitem>
+	        <para>Several bugfixes, including closure of a
+		  security hole that could lead to an integer overflow
+		  and undesired privilege escalation.</para>
+	      </listitem>
+	    </itemizedlist>
+	  </para>
 
 	<para><application>OpenSSH</application> can now authenticate
 	  using <application>OPIE</application> passwords.</para>