d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
freebsd-nq/release/doc/en_US.ISO8859-1/relnotes/article.sgml
Bruce A. Mah 99fe508b9d New/modified release notes: Only two security profiles instead of three, 
all inetd.conf services disabled by default but now editable in
sysinstall(8).

Deleted an item about disabling selected services in inetd.conf, since
it was superceded by the above.

While I'm here, rename the "Security Fixes" section to "Security-Related
Changes".
2001-08-15 17:05:07 +00:00

2060 lines
89 KiB
Plaintext
Raw Blame History

<!--
The "What's New" section of the release notes. Within
each subsection (i.e. kernel, security, userland), list
items in chronological order, unless necessary to keep
related items together, such as multiple release notes
pertaining to a single program or module.
-->
<sect1>
<sect1info>
<pubdate>$FreeBSD$</pubdate>
</sect1info>
<title>What's New</title>
<para>This section describes the most user-visible new or changed
features in &os; since &release.prev;. All changes
described here are unique to the &release.branch; branch unless
specifically marked as &merged; features.</para>
<para>Many additional changes were made to &os; that are not listed
here for lack of space. For example, documentation was corrected
and improved, minor bugs were fixed, insecure coding practices were
audited and corrected, and source code was cleaned up.</para>
<para>The release notes items are organized into three different
sections. <xref linkend="kernel"> lists recent changes to the &os;
kernel. Security fixes, including those pertaining to security
advisories, are listed in <xref linkend="security">. Finally, <xref
linkend="userland"> covers changes to &os; userland applications
included in the base system.</para>
<sect2 id="kernel">
<title>Kernel Changes</title>
<para>The &man.kqueue.2; event notification facility was added to
the &os; kernel. This is a new interface which is able to
replace &man.poll.2;/&man.select.2, offering improved performance,
as well as the ability to report many different types of events.
Support for monitoring changes in sockets, pipes, fifos, and files
are present, as well as for signals and processes. &merged;</para>
<para arch="i386">Support for Intel's Wired for Management 2.0 (PXE)
was added to the FreeBSD boot loader. Due to API differences, the
older PXE versions are not supported. This allow network booting
using DHCP. &merged;</para>
<para>Support for USB devices was added to the
<filename>GENERIC</filename> kernel and to the installation
programs to support USB devices out of the box. Note that SRM
does not support USB devices at the moment, so you must still use
an AT keyboard if you are not using a serial console. &merged;</para>
<para>POSIX.1b Shared Memory Objects are now supported. The
implementation uses regular files, but automatically enables the
MAP_NOSYNC flag when they are &man.mmap.2;-ed. &merged;</para>
<para arch="i386">A driver for AGP hardware has been added. &merged;</para>
<para>The kernel and modules have been moved to the directory
<filename>/boot/kernel</filename>, so they can be easily
manipulated together. The boot loader has been updated to make
this change as seamless as possible.</para>
<para arch="i386">The i386 boot loader now has support for a
<literal>nullconsole</literal>
console type, for use on systems with neither a video console nor
a serial port. &merged;</para>
<para>Replaced the <literal>PQ_*CACHE</literal> options with a
single <literal>PQ_CACHESIZE</literal> option to be set to
the cache size in kilobytes. The old options are still supported
for backwards compatibility. &merged;</para>
<para arch="i386">The <literal>NCPU</literal>, <literal>NAPIC</literal>,
<literal>NBUS</literal>, and <literal>NINTR</literal> kernel
configuration options, for configuring SMP kernels, have been
removed. <literal>NCPU</literal> is now set to a maximum of 16,
and the other, aforementioned options are now
dynamic. &merged;</para>
<para>&man.devfs.5;, which allows entries in the
<filename>/dev</filename> directory to be built automatically and
supports more flexible attachment of devices, has been largely
reworked. &man.devfs.5; is now enabled by default and can be
disabled by the <literal>NODEVFS</literal> kernel option.</para>
<para arch="i386">Preliminary Cardbus support under NEWCARD has been added.
This code supports the TI113X, TI12XX, TI125X, Ricoh 5C46/5C47, Topic
95/97/100 and Cirrus Logic PD683X bridges. 16-bit PC Card support
is not yet functional.</para>
<para>Write combining for crashdumps has been implemented. This
feature is useful when write caching is disabled on both SCSI and
IDE disks, where large memory dumps could take up to an hour to
complete. &merged;</para>
<para>Extremely large swap areas (&gt;67 GB) no longer panic the
system.</para>
<para arch="i386">The &man.ichsmb.4; driver for the Intel 82801AA
(ICH) SMBus controller and compatibles has been
added. &merged;</para>
<para arch="i386">The &man.uscanner.4; driver for basic USB scanner support
using SANE has been added. See <ulink
url="http://www.mostang.com/sane/">the SANE home page</ulink> for
supported scanners. The HP ScanJet 4100C, 5200C and 6300C are
known to be working.</para>
<para arch="i386">The umodem driver for USB modems has been added.
Support is provided for the 3Com 5605 and Metricom Ricochet GS
wireless USB modems.</para>
<para arch="alpha">Support for threads under Linux emulation has been
added.</para>
<para arch="i386">The pccard driver and &man.pccardc.8; now support multiple
<quote>beep types</quote> upon card insertion and removal. &merged;</para>
<para>A number of cleanups and enhancements have been applied to
the PCI subsystem.
<filename>/usr/share/misc/pci_vendors</filename> now contains a
vendor/device database, which can be used by
&man.pciconf.8;.</para>
<para arch="i386">The &man.spic.4; driver, which provides access to the job
dial device on some Sony laptops, has been added.</para>
<para arch="i386">PECOFF (WIN32 Execution file format) support has been
added.</para>
<para>A VESA S3 linear framebuffer driver has been added.</para>
<para>The <maketarget>buildkernel</maketarget> target now gets the
name of the configuration(s) to build from the
<varname>KERNCONF</varname> variable, not
<varname>KERNEL</varname>. It is no longer required, in some
cases, for a <maketarget>buildworld</maketarget> to precede a
<maketarget>buildkernel</maketarget>. (The
<maketarget>buildworld</maketarget> is still required when
upgrading across major releases, across
<application>binutil</application> updates and when &man.config.8;
changes version.)
</para>
<para>The &man.random.4; device has been rewritten to use the
<application>Yarrow</application> algorithm. It harvests entropy
from a variety of interrupt sources, including the console
devices, Ethernet and point-to-point network interfaces, and
mass-storage devices. Entropy from the &man.random.4; device is
now periodically saved to files in
<filename>/var/db/entropy</filename>, as well as at
&man.shutdown.8; time.</para>
<para>The &man.syscons.4; driver now supports keyboard-controlled
pasting, by default bound to
<keycap>Shift</keycap>-<keycap>Insert</keycap>.</para>
<para>The &man.labpc.4; driver has been removed due to
<quote>bitrot</quote>.</para>
<para>A new kernel option, <literal>options REGRESSION</literal>,
enables interfaces and functionality intended for use during
correctness and regression testing.</para>
<para>The <literal>USER_LDT</literal> kernel option is now
activated by default.</para>
<para>A new &man.ddb.4; command <command>show pcpu</command> lists
some of the per-CPU data.</para>
<para>A new digi driver has been added to support PCI Xr-based and ISA
Xem Digiboard cards. A new digictl program is (mainly) used to
re-initialise cards that have external port modules attached such as
the PC/Xem.</para>
<para>The <literal>O_DIRECT</literal> flag has been added to
&man.open.2; and &man.fcntl.2;. Specifying this flag for open
files will attempt to minimize the cache effects of reading and
writing. &merged;</para>
<para><literal>OLDCARD</literal> and &man.pccardd.8; now support
PCI cards.</para>
<para>An &man.orm.4; device has been added to claim the option
ROMs in the ISA memory I/O space, to prevent other drivers from
mistakenly assigning addresses that conflict with these ROMs. &merged;</para>
<para>The out-of-swap process termination code now begins killing
processes earlier to avoid deadlocks; it now also takes into
account the swap space used by processes when computing the
process sizes. &merged;</para>
<para>Linker sets are now self-contained; &man.gensetdefs.8; is
unnecessary and has been removed.</para>
<para>Numerous SMP-friendly changes have been made to the kernel's
mbuf allocator.</para>
<para>The dgm driver has been removed in favor of the digi driver.</para>
<para>Network device cloning has been implemented, and the &man.gif.4;
device has been modified to take advantage of it.
Thus, instead of specifying how many &man.gif.4; interfaces
are available in kernel configuration files, &man.ifconfig.8;'s
<option>create</option> option should be used when another device
instance is desired. &merged;</para>
<para>The kernel message buffer is now accessible by the
(machine-independent) <varname>kern.msgbuf</varname> sysctl
variable; &man.dmesg.8; no longer needs to be SGID
<groupname>kmem</groupname>.</para>
<para>Two new &man.ddb.4; commands, <command>hwatch</command> and
<command>dhwatch</command>, have been introduced. Analogous to
<command>watch</command> and <command>dwatch</command>, they install
hardware watchpoints (as opposed to software watchpoints) if supported
by the architecture. &merged;</para>
<para>A &man.nmdm.4; null-modem terminal driver has been added.
&merged;</para>
<sect3>
<title>Processor/Motherboard Support</title>
<para>SMP support has been largely reworked, incorporating code
from BSD/OS 5.0. One of the main features of SMPng (<quote>SMP
Next Generation</quote>) is to allow more processes to run in
kernel, without the need for spin locks that can dramatically
reduce the efficiency of multiple processors. Interrupt
handlers now have contexts associated with them that allow them
to be blocked, which reduces the need to lock out
interrupts.</para>
<para arch="i386">Support for the 80386 processor has been
removed from the <filename>GENERIC</filename> kernel, as this
code seriously pessimizes performance on other ia32
processors.</para>
<para arch="i386">The <literal>I386_CPU</literal> kernel option
to support the 80386 processor is now mutually exclusive with
support for other ia32 processors; this should slightly improve
performance on the 80386 due to the elimination of runtime
processor type checks.</para>
<para arch="i386">Custom kernels that will run on the 80386 can
still be built by changing the cpu options in the kernel
configuration file to only include
<literal>I386_CPU</literal>.</para>
<para arch="alpha">AlphaServer 1200 (<quote>Tincup</quote>) has
been tested and works OK. Currently it does not want to boot
from CD or floppy but a transplanted disk that was installed on
another Alpha works well. &merged;</para>
<para arch="alpha">The API UP1100 mainboard has been verified to work.</para>
<para arch="alpha">The API CS20 1U high server has been verified to work.</para>
<para arch="alpha">The DEC3000 series support has been removed from the mfsroot
floppy image so that it fits on a 1.44 Mbyte floppy again. As the
DEC3000 is currently only usable diskless this should not cause
any problems.</para>
<para arch="alpha">Support for AlphaServer 2100A (<quote>Lynx</quote>) has been
added.</para>
<para arch="alpha">Kernel code has been added that allows older generation Alpha CPUs
(EV4 and EV5) to emulate instructions of the newer Alpha CPU
generations. This enables the use of binary-only programs like Adobe
Acrobat 4 on EV4 and EV5.</para>
<para arch="alpha">SMP support for the alpha is now operational.</para>
<para arch="i386">Detection for new processors, such as the
FC-PGA2 Pentium III (Tualatin), Transmeta Crusoe, and Transmeta
Crusoe LongRun, has been added. &merged;</para>
<para arch="alpha">Support for the following hardware has been removed
from the installation kernel to make it fit on a 1.44MB floppy again:
Multia, NoName, PC64, EB64, Aspen Alpine, sa (SCSI tape), amr, parallel
port support, vx (3c590, 3c595), pcn (AMD Am79C97x PCI 10/100),
sf (Adaptec AIC-6915), sis (SiS 900/SiS 7016), ste (Sundance ST201
(D-Link DFE-550TX)), wb (Winbond W89C840F).</para>
<para arch="i386">Support for Streaming <acronym>SIMD</acronym>
Extensions (<acronym>SSE</acronym>) has been introduced. The
<literal>CPU_ENABLE_SSE</literal> kernel option controls whether
support is compiled into the kernel. &merged;</para>
</sect3>
<sect3>
<title>Network Interface Support</title>
<para>Added support for PCI Ethernet adapters based on the
National Semiconductor DP83815 chipset, including the NetGear
FA311-TX and FA312-TX, in the form of the &man.sis.4; driver.</para>
<para>The &man.tap.4; driver, a virtual Ethernet device driver for
bridged configurations, has been added. &merged;</para>
<para>The &man.ti.4; driver now supports the Alteon AceNIC
1000baseT Gigabit Ethernet and Netgear GA620T 1000baseT Gigabit
cards. &merged;</para>
<para>The &man.xl.4; driver now supports the 3Com 3C556 and 3C556B
MiniPCI adapters used on some laptops. &merged;</para>
<para arch="alpha">The &man.ed.4; driver is now supported.</para>
<para>The &man.pcn.4; driver, which supports the AMD PCnet/FAST,
PCnet/FAST+, PCnet/FAST III, PCnet/PRO, PCnet/Home, and HomePNA
adapters, has been added. Although these cards are already
supported by the &man.lnc.4; driver, the &man.pcn.4; driver runs
these chips in 32-bit mode and uses the RX alignment feature to
achieve zero-copy receive. This driver is also
machine-independent, so it will work on both the i386 and alpha
platforms. The &man.lnc.4; driver is still needed to support non-PCI
cards. &merged;</para>
<para>Support for Fujitsu MB86960A/MB86965A based Ethernet
PC-Cards is back. &merged;</para>
<para arch="i386">The snc driver for the National Semiconductor
DP8393X (SONIC) Ethernet controller has been added. Currently,
this driver is only used on the PC-98 architecture. &merged;</para>
<para>The &man.an.4; driver for Cisco Aironet cards now supports
Wired Equivalent Privacy (WEP) encryption, settable via
&man.ancontrol.8;. &merged;</para>
<para arch="i386">The &man.el.4; driver can now be loaded as a
module.</para>
<para>The &man.ray.4; driver, which supports the Webgear Aviator
wireless network cards, has been committed. The operation of
&man.ray.4; interfaces can be modified by
&man.raycontrol.8;. &merged;</para>
<para arch="alpha">The &man.fpa.4; driver now supports Digital's
DEFPA FDDI adaptors on the Alpha.</para>
<para arch="i386">Linksys Fast Ethernet PCCARD cards supported by the
&man.ed.4; driver now require the addition of flag
<literal>0x80000</literal> to their config line in
&man.pccard.conf.5;. This flag is not optional. These Linksys
cards will not be recognized without it.</para>
<para>A bug in the &man.ed.4; driver that could cause panics with
very short packets and BPF or bridging active has been
fixed. &merged;</para>
<para>The &man.ed.4; driver now has support for D-Link
DL10022 chips, necessary for the NetGear FA-410TX and other
cards. As a result, <literal>device miibus</literal> is
required in kernel configurations using the &man.ed.4;
driver. &merged;</para>
<para>The &man.fxp.4; driver now requires a <literal>device
miibus</literal> entry in the kernel configuration file. &merged;</para>
<para>The &man.wx.4; driver now supports the Intel PRO1000-F and
PRO1000-T (10/100/1000) adapters. &merged;</para>
<para>Added the &man.nge.4; driver, which supports PCI Gigabit
Ethernet adapters based on the National Semiconductor DP83820
and DP83821 Gigabit Ethernet controller chips, including the
D-Link DGE-500T, SMC EZ Card 1000 (SMC9462TX), Asante
FriendlyNet GigaNIC 1000TA and 1000TPC and Addtron
AEG320T. This driver supports transmit and receive checksum
offloading. &merged;</para>
<para>The &man.lge.4; driver has been added to support the Level
1 LXT1001 NetCellerator Gigabit Ethernet controller chip. This
device is used on some fiber optic GigE cards from SMC, D-Link
and Addtron. Jumbograms and TCP/IP checksum offload on receive
are supported, although hardware VLAN filtering is not. &merged;</para>
<para>The &man.xl.4; driver now supports reception of VLAN
tagged frames (on the <quote>Cyclone</quote> or newer
chipsets). &merged;</para>
<para>The &man.ti.4; driver correctly masks VLAN tags. &merged;</para>
<para>The &man.an.4; driver now supports the Cisco Aironet 350
series of adaptors.</para>
<para>The &man.txp.4; driver has been added to support NICs
based on the 3Com 3XP Typhoon/Sidewinder (3CR990) chipset. &merged;</para>
</sect3>
<sect3>
<title>Network Protocols</title>
<para>&man.accept.filter.9;, a kernel feature to reduce overheads
when accepting and reading new connections on listening sockets,
has been added. &merged;</para>
<para>The &man.ng.mppc.4; and &man.ng.bridge.4; node types have
been added to the netgraph subsystem. The &man.ng.ether.4; node
is now dynamically loadable. Miscellaneous bug fixes and
enhancements have also been made. &merged;</para>
<para>&man.netgraph.4; has received some updates and bugfixes.</para>
<para>A new netgraph node type &man.ng.one2many.4; for multiplexing
and demultiplexing packets over multiple links has been added.
&merged;</para>
<para arch="alpha">SLIP has been removed from the
<filename>mfsroot</filename> floppy image.</para>
<para>ICMP ECHO and TSTAMP replies are now rate limited. TCP RSTs
generated due to packets sent to open and unopen ports are now
limited by separate counters. Each rate limiting queue now has
its own description.</para>
<para>ICMP <literal>UNREACH_FILTER_PROHIB</literal> messages can
now RST TCP connections in the <literal>SYN_SENT</literal> state
if the correct sequence numbers are sent back, as controlled by the
<varname>net.inet.tcp.icmp_may_rst</varname>
sysctl.</para>
<para>TCP has received some bug fixes for its delayed ACK
behavior. &merged;</para>
<para>TCP now supports the NewReno modification to the TCP Fast Recovery
algorithm. This behavior can be controlled via the
<varname>net.inet.tcp.newreno</varname> sysctl variable. &merged;</para>
<para>TCP now uses a more aggressive timeout for initial SYN segments; this
allows initial connection attempts to be dropped much
faster. &merged;</para>
<para>The <literal>TCP_COMPAT_42</literal> kernel option has
been removed.</para>
<para>The <literal>TCP_RESTRICT_RST</literal> kernel option has
been removed. Similar functionality can be achieved with the
<varname>net.inet.tcp.blackhole</varname> sysctl
variable. &merged;</para>
<para>TCP now has RFC 1323 extensions enabled by default in
&man.rc.conf.5;. &merged;</para>
<para>RFC 1323 and RFC 1644 TCP extensions are now disabled for a
connection in progress if no response has been received by the
third SYN segment sent. This behavior tries to work around
(very old) terminal servers with buggy VJ header compression
implementations. &merged;</para>
<para>The TCP implementation no longer requires the
allocation of a TCP template structure for each connection; this
should reduce the buffer usage on large systems handling many
connections. &merged;</para>
<para>TCP's default buffer sizes, controlled by the
<varname>net.inet.tcp.sendspace</varname> and
<varname>net.inet.tcp.recvspace</varname> sysctl variables, have
been increased to 32K and 64K respectively.</para>
<para>A new sysctl <varname>net.inet.ip.check_interface</varname>,
which is on by default, causes IP to verify that an incoming
packet arrives on an interface that has an address matching the
packet's destination address. &merged;</para>
<para>A new sysctl
<varname>net.link.ether.inet.log_arp_wrong_iface</varname> has
been added to control the suppression of logging when ARP replies
arrive on the wrong interface. &merged;</para>
<para>The <literal>proxy</literal> modifier to &man.arp.8;'s
<option>-d</option> option has been renamed to
<literal>pub</literal>, for consistency with the
<option>-s</option> option. The <literal>only</literal> keyword
has been added to the <option>-s</option> and
<option>-S</option> flags, to be used in creating
<quote>proxy-only</quote> published entries.</para>
<para>&man.ipfw.8; now filters correctly in the presence of ECN bits in TCP
segments. &merged;</para>
<para>&man.ipfw.8; will now avoid the display of dynamic
firewall rules unless the <option>-d</option> flag is passed to
it. The <option>-e</option> lists expired dynamic rules.</para>
<para>&man.bridge.4; and &man.dummynet.4; have received some
enhancements and bug fixes.</para>
<para>&man.ipfw.8; has a new feature (<literal>me</literal>) that
allows for packet matching on interfaces with dynamically-changing
IP addresses. &merged;</para>
<para>&man.ip6fw.8; now has the ability to use a preprocessor
and use the <option>-q</option> (quiet) flag when reading from a
file. &merged;</para>
<para>A new <literal>options RANDOM_IP_ID</literal> kernel
option causes the ID field of IP packets to be randomized. This
closes a minor information leak which allows a remote observer
to determine the rate at which the machine is generating
packets, since the default behaviour is to increment a counter
for each packet sent. &merged;</para>
<para>IP multicast now works on VLAN devices. Several other
bugs in the VLAN code have also been fixed.</para>
</sect3>
<sect3>
<title>Disks and Storage</title>
<para arch="i386">The &man.twe.4; 3ware ATA RAID driver has added. &merged;</para>
<para>The &man.ata.4; driver now has support for ATA100
controllers. In addition, it now supports the ServerWorks ROSB4
ATA33 chipset, the CMD 648 ATA66 and CMD 649 ATA100 chipsets, and
the Cyrix 5530. &merged;</para>
<para>To provide more flexible configuration, the various options for the
&man.ata.4; driver are now boot loader tunables, rather than kernel
configure-time options. &merged;</para>
<para>The &man.ata.4; driver now has support for tagged queuing,
which is enabled by the <literal>hw.ata.tags</literal> loader
tunable. &merged;</para>
<para>The &man.ata.4; driver now has support for ATA
<quote>pseudo</quote> RAID controllers as the Promise Fasttrak and
HighPoint HPT370 controllers. &merged;</para>
<para>The &man.wd.4; compatability devices were removed from the
&man.ata.4; driver. &merged;</para>
<para arch="i386">The &man.mly.4; driver, for Mylex PCI to SCSI
AccelRAID and eXtremeRAID controllers with firmware 6.X and
later, has been added. &merged;</para>
<para arch="i386">The &man.asr.4; driver, which provides support
for the Adaptec SCSI RAID controller family, as well as the DPT
SmartRAID V and VI families, has been added. &merged;</para>
<para arch="i386">Support for the Adaptec FSA family of PCI-SCSI
RAID controllers has been added, in the form of the &man.aac.4;
driver.</para>
<para>The &man.ahc.4; driver has received numerous updates,
bugfixes, and enhancements. Among various improvements are
improved compatibility with chips in <quote>RAID Port</quote> mode
and systems with AAA and/or ARO cards installed, as well as
performance improvements. Some bugs were also fixed, including a
rare hang on Ultra2/U160 controllers. &merged;</para>
<para arch="i386">The ncv, nsp, and stg drivers have
been ported from NetBSD/pc98. They support the NCR 53C50 /
Workbit Ninja SCSI-3 / TMC 18C30, 18C50 based PC-Card/ISA SCSI
controllers. &merged;</para>
<para>The &man.cd.4; driver now has support for write operations.
This allows writing to DVD-RAM, PD and similar drives that probe
as CD devices. Note that change affects only random-access
writeable devices, not sequential-only writeable devices such as
CD-R drives, which are supported by &man.cdrecord.1; in the Ports
Collection. &merged;</para>
<para>The &man.vinum.4; volume manager has received some bug fixes and
enhancements.</para>
<para>&man.md.4;, the memory disk device, has had the
functionality of &man.vn.4; incorporated into it. &man.md.4;
devices can now be configured by &man.mdconfig.8;. &man.vn.4; has
been removed. The Memory Filesystem (MFS) has also been
removed.</para>
<para>BurnProof(TM) support, for applicable ATAPI CD-ROM burners, is now
supported. &merged;</para>
<para arch="alpha">A bug that made certain CDROM drives fail to
attach when connected to a SCSI card driven by &man.isp.4; has
been fixed. &merged;</para>
<para>The &man.isp.4; driver is now proactive about discovering
Fibre Channel topology changes.</para>
<para>The &man.isp.4; driver now supports target mode for Qlogic
SCSI cards, including Ultra2 and Ultra3 and dual bus cards.</para>
<para>The ida disk driver now has crashdump support. &merged;</para>
<para>The CAM error recovery code has been updated.</para>
<para>Some problems in &man.sa.4; error handling have been
fixed, including the <quote>tape drive spinning indefinitely
upon mt stat</quote> problem.</para>
</sect3>
<sect3>
<title>Filesystems</title>
<para>Support for named extended attributes was added to the &os;
kernel. This allows the kernel, and appropriately privileged
userland processes, to tag files and directories with attribute
data. Extended attributes were added to support the TrustedBSD
Project, in particular ACLs, capability data, and mandatory access
control labels (see
<filename>/usr/src/sys/ufs/ufs/README.extattr</filename> for
details).</para>
<para>Due to a licensing change, softupdates have been integrated
into the main portion of the kernel source tree. As a
consequence, softupdates are now available with the
<filename>GENERIC</filename> kernel. &merged;</para>
<para>A filesystem snapshot capability has been added to FFS.
Details can be found in
<filename>/usr/src/sys/ufs/ffs/README.snapshot</filename>.</para>
<para>Softupdates for FFS have received some bug fixes and
enhancements.</para>
<para>When running with softupdates, &man.statfs.2; and
&man.df.1; will track the number of blocks and files that are
committed to being freed.</para>
<para>A bug in FFS that could cause superblock corruption on very large
filesystems has been corrected. &merged;</para>
<para>The Inode Filesystem (IFS) has been added; more information
can be found in
<filename>/usr/src/sys/ufs/ifs/README</filename>.</para>
<para>The ISO-9660 filesystem now has a hook that supports a loadable
character conversion routine. The
<filename>sysutils/cd9660_unicode</filename> port
contains a set of common conversions.</para>
<para>&man.kernfs.5; is obsolete and has been retired.</para>
<para>A bug in the NFS client that caused bogus access times with
<literal>O_EXCL|O_CREAT</literal> opens was fixed. &merged;</para>
<para>A new NFS hash function (based on the Fowler/Noll/Vo hash
algorithm) has been implemented to improve NFS performance by
increasing the efficiency of the <varname>nfsnode</varname> hash
tables. &merged;</para>
<para>Client-side NFS locks have been implemented.</para>
<para>Support for file system Access Control Lists (ACLs) has been
introduced, allowing more fine-grained control of discretionary
access control on files and directories. This support was
integrated from the TrustedBSD Project. More details can be found in
<filename>/usr/src/sys/ufs/ufs/README.acls</filename>.</para>
<para>The directory layout preference algorithm for FFS has been
changed to improve its speed on large filesystems.</para>
<para arch="i386">smbfs (CIFS) support in kernel has been added.
The corresponding userland filesystem mount utility can be found
in the <filename>net/smbfs</filename> port in the &os; Ports
Collection. &merged;</para>
<para>For consistency, the fdesc, fifo, null, msdos, portal,
umap, and union filesystems have been renamed to fdescfs,
fifofs, msdosfs, nullfs, portalfs, umapfs, and unionfs. Where
applicable, modules and mount_* programs have been
renamed. Compatability <quote>glue</quote> has been added to
&man.mount.8; so that <literal>msdos</literal> filesystem
entries in &man.fstab.5; will work without changes.</para>
<para>pseudofs, a pseudo-filesystem framework, has been added.
&man.linprocfs.5; has been modified to use pseudofs.</para>
<para>A simple hash-based lookup optimization for large directories
called <literal>dirhash</literal> has been added. Conditional on the
<literal>UFS_DIRHASH</literal> kernel option, it improves the speed
of operations on very large directories at the expense of some
memory. &merged;</para>
</sect3>
<sect3>
<title>Multimedia Support</title>
<para arch="i386">The &man.pcm.4; driver now supports the ESS Solo 1,
Maestro-1, Maestro-2, and Maestro-2e; Forte Media fm801, ESS
Maestro-2e, and VIA Technologies VT82C686A sound card/chipsets,
and has received some other updates.
Separate drivers for the SoundBlaster 8 and Soundblaster 16 now
replace an older, unified driver. A driver for the CMedia
CMI8338/CMI8738 sound chips has been added. A driver for the
CS4281 sound chip has been added. A driver for the S3
Sonicvobes chipset has been added. &merged;</para>
<para arch="i386">A driver for the Advance Logic ALS4000 has
been added. &merged;</para>
<para arch="i386">A driver for the
ESS Maestro-3/Allegro has been added, however due to licensing
restrictions, it cannot be compiled into the kernel. &merged; To
use this driver, add the following line to
<filename>/boot/loader.conf</filename>:</para>
<programlisting>snd_maestro3_load="YES"</programlisting>
<para>The &man.bktr.4; driver has been updated to 2.18. This
update provides a number of new features: New tuner
types have been added, and improvements to the KLD module and to
memory allocation have been made. Bugs in &man.devfs.5; when
unloading and reloading have been fixed.
Support for new Hauppauge Model 44xxx WinTV Cards (the ones with
no audio mux) has been added.</para>
<para>When sound modules are built, one can now load all the
drivers and infrastructure by <command>kldload
snd</command>.</para>
<para>A new API has been added for sound cards with hardware
volume control.</para>
<para arch="i386">A driver for the Intel 443MX, 810, 815, and 815E
integrated sound devices has been added.</para>
</sect3>
<sect3>
<title>Contributed Software</title>
<para><application>IPFilter</application> has been updated to
3.4.20. &merged;</para>
<para>The Forth Inspired Command Language
(<application>FICL</application>) used in the boot loader has
been updated to 2.05.</para>
<para>ACPI support has been merged in from the
<application>Intel ACPI</application>
project, and updated to the ACPI CA 20010518 release.</para>
<sect4 arch="i386">
<title>isdn4bsd</title>
<para><application>isdn4bsd</application> has been updated to
version 1.0.1. &merged;</para>
<para>The &man.ihfc.4; driver for supporting Cologne Chip
Designs HFC devices under <application>isdn4bsd</application>
has been added. &merged;</para>
<para>The &man.itjc.4; driver for supporting NETjet-S / Teles
PCI-TJ devices under <application>isdn4bsd</application> has
been added. &merged;</para>
<para>Experimental support for the Eicon.Diehl DIVA 2.0 and
2.02 ISA PnP ISDN cards has been added to the &man.isic.4;
<application>isdn4bsd</application> driver. &merged;</para>
<para>Active CAPI-based ISDN cards manufacured by AVM are now
supported using the &man.i4bcapi.4; and the &man.iavc.4; driver. The
supported cards are the AVM B1 PCI and AVM B1 ISA Basic Rate
cards and the AVM T1 Primary Rate cards. &merged;</para>
<para>A new <literal>maxconnecttime</literal> keyword is now
accepted in &man.isdnd.rc.5; files to limit the time a
connection may remain open. &merged;</para>
</sect4>
<sect4 id="kame-kernel">
<title>KAME</title>
<para>The IPv6 stack is now based on a snapshot based on the KAME
Project's IPv6 snapshot as of 28 May, 2001. Most of the
items listed in this section are a result of this import.
<xref linkend="kame-userland"> lists userland updates to the
KAME IPv6 stack. &merged;</para>
<para>&man.gif.4; is now based on RFC 2893, rather than RFC
1933. The <literal>IFF_LINK2</literal> interface flag can
be used to control ingress filtering. &merged;</para>
<para><application>IPSec</application> has received some
enhancements, including the ability to use the Rijndael and
SHA2 algorithms. IPSec RC5 support has been removed due to
patent issues. &merged;</para>
<para>&man.stf.4; now conforms to RFC 3056; the
<literal>IFF_LINK2</literal> interface flag can be used to
control ingress filtering. &merged;</para>
<para>IPv6 has better checking of illegal addresses (such as
loopback addresses) on physical networks. &merged;</para>
<para>The <varname>IPV6_V6ONLY</varname> socket option is
now completely supported. The kernel's default behavior
with respect to this option is controlled by the
<varname>net.inet6.ip6.v6only</varname> sysctl
variable. &merged;</para>
<para>RFC 3041 (Privacy Extensions for Stateless Address
Autoconfiguration) is now supported. It can be enabled via
the <varname>net.inet6.ip6.use_tempaddr</varname> sysctl
variable. &merged;</para>
</sect4>
</sect3>
</sect2>
<sect2 id="security">
<title>Security-Related Changes</title>
<para>&man.sysinstall.8; now allows the user to select one of two
<quote>security profiles</quote> at install-time. These profiles enable
different levels of system security by enabling or disabling
various system services in &man.rc.conf.5; on new
installs. &merged;</para>
<para>A bug in which malformed ELF executable images can hang the
system has been fixed (see security advisory
FreeBSD-SA-00:41). &merged;</para>
<para>A security hole in Linux emulation was fixed (see security
advisory FreeBSD-SA-00:42). &merged;</para>
<para>String-handling library calls in many programs were fixed to
reduce the possibility of buffer overflow-related exploits.
&merged;</para>
<para>TCP now uses stronger randomness in choosing its initial sequence
numbers (see security advisory FreeBSD-SA-00:52). &merged;</para>
<para>Several buffer overflows in &man.tcpdump.1; were corrected
(see security advisory FreeBSD-SA-00:61). &merged;</para>
<para>A security hole in &man.top.1; was corrected (see security advisory
FreeBSD-SA-00:62). &merged;</para>
<para>A potential security hole caused by an off-by-one-error in
&man.gethostbyname.3; has been fixed (see security advisory
FreeBSD-SA-00:63). &merged;</para>
<para>A potential buffer overflow in the &man.ncurses.3; library,
which could cause arbitrary code to be run from within
&man.systat.1;, has been corrected (see security advisory
FreeBSD-SA-00:68). &merged;</para>
<para>A vulnerability in &man.telnetd.8; that could cause it to
consume large amounts of server resources has been fixed (see
security advisory FreeBSD-SA-00:69). &merged;</para>
<para>The <literal>nat deny_incoming</literal> command in
&man.ppp.8; now works correctly (see security advisory
FreeBSD-SA-00:70). &merged;</para>
<para>A vulnerability in &man.csh.1;/&man.tcsh.1; temporary files
that could allow overwriting of arbitrary user-writable files has
been closed (see security advisory FreeBSD-SA-00:76). &merged;</para>
<para>The &man.ssh.1; binary is no longer SUID root by
default.</para>
<para>Some fixes were applied to the Kerberos
IV implementation related to environment variables, a
possible buffer overrun, and overwriting ticket files. &merged;</para>
<para>&man.telnet.1; now does a better job of sanitizing its
environment. &merged;</para>
<para>Several vulnerabilities in &man.procfs.5; were fixed (see
security advisory FreeBSD-SA-00:77). &merged;</para>
<para>A bug in <application>OpenSSH</application> in which a
server was unable to disable &man.ssh-agent.1; or
<literal>X11Forwarding</literal> was fixed (see security advisory
FreeBSD-SA-01:01). &merged;</para>
<para>A bug in &man.ipfw.8; and &man.ip6fw.8; in which inbound TCP
segments could incorrectly be treated as being part of an
<literal>established</literal> connection has been fixed (see
security advisory FreeBSD-SA-01:08). &merged;</para>
<para>A bug in &man.crontab.1; that could allow users to read any
file on the system in valid &man.crontab.5; syntax has been fixed
(see security advisory FreeBSD-SA-01:09). &merged;</para>
<para>A vulnerability in &man.inetd.8; that could allow
read-access to the initial 16 bytes of
<groupname>wheel</groupname>-accessible files has been fixed (see security
advisory FreeBSD-SA-01:11). &merged;</para>
<para>A bug in &man.periodic.8; that used insecure temporary files has been
corrected (see security advisory FreeBSD-SA-01:12). &merged;</para>
<para>A bug in &man.sort.1; in which an attacker might be able to
cause it to abort processing has been fixed (see security advisory
FreeBSD-SA-01:13). &merged;</para>
<para><application>OpenSSH</application> now has code to prevent
(instead of just mitigating through connection limits) an attack
that can lead to guessing the server key (not host key) by
regenerating the server key when an RSA failure is detected (see
security advisory FreeBSD-SA-01:24). &merged;</para>
<para>A number of programs have had output formatting strings
corrected so as to reduce the risk of vulnerabilities. &merged;</para>
<para>A number of programs that use temporary files now do so more
securely. &merged;</para>
<para>A bug in ICMP that could cause an attacker to disrupt TCP and UDP
<quote>sessions</quote> has been corrected. &merged;</para>
<para>A bug in &man.timed.8;, which caused it to crash if send
certain malformed packets, has been corrected (see security
advisory FreeBSD-SA-01:28). &merged;</para>
<para>A bug in &man.rwhod.8;, which caused it to crash if send
certain malformed packets, has been corrected (see security
advisory FreeBSD-SA-01:29). &merged;</para>
<para>A security hole in FreeBSD's FFS and EXT2FS implementations,
which allowed a race condition that could cause users to have
unauthorized access to data, has been fixed (see security advisory
FreeBSD-SA-01:30). &merged;</para>
<para>A remotely-exploitable vulnerability in &man.ntpd.8; has
been closed (see security advisory FreeBSD-SA-01:31). &merged;</para>
<para>A security hole in <application>IPFilter</application>'s
fragment cache has been closed (see
security advisory FreeBSD-SA-01:32). &merged;</para>
<para>Buffer overflows in &man.glob.3;, which could cause
arbitrary code to be run on an FTP server, have been closed. In
addition, to prevent some forms of DOS attacks, &man.glob.3;
allows specification of a limit on the number of pathname matches
it will return. &man.ftpd.8; now uses this feature (see security
advisory FreeBSD-SA-01:33). &merged;</para>
<para>Initial sequence numbers in TCP are more thoroughly
randomized (see security advisory FreeBSD-SA-01:39). Due to some
possible compatability issues, the behavior of this security fix
can be enabled or disabled via the
<varname>net.inet.tcp.tcp_seq_genscheme</varname> sysctl
variable.&merged;</para>
<para>A vulnerability in the &man.fts.3; routines (used by
applications for recursively traversing a filesystem) could
allow a program to operate on files outside the intended directory
hierarchy. This bug has been fixed (see security advisory
FreeBSD-SA-01:40). &merged;</para>
<para>&os;'s TCP implementation has been made more resistant to
SYN floods, by eliminating the RST segment normally sent when
removing a connection from the listen queue.</para>
<para><application>OpenSSH</application> now switches to the
user's UID before attempting to unlink the authentication
forwarding file, nullifying the effects of a race.</para>
<para>A flaw allowed some signal handlers to remain in effect in a
child process after being exec-ed from its parent. This allowed
an attacker to execute arbitrary code in the context of a setuid
binary. This flaw has been corrected (see security advisory
FreeBSD-SA-01:42). &merged;</para>
<para>A remote buffer overflow in &man.tcpdump.1; has been fixed
(see security advisory FreeBSD-SA-01:48). &merged;</para>
<para>A remote buffer overflow in &man.telnetd.8; has been
fixed (see security advisory FreeBSD-SA-01:49). &merged;</para>
<para>The new <varname>net.inet.ip.maxfragpackets</varname>
and <varname>net.inet.ip6.maxfragpackets</varname> sysctl
variables limit the amount of memory that can be consumed by IPv4
and IPv6 packet fragments, which defends against some denial of service
attacks (see security advisory FreeBSD-SA-01:52). &merged;</para>
<para>All services in <filename>inetd.conf</filename> are now
disabled by default for new installations. &man.sysinstall.8;
gives the option of enabling or disabling &man.inetd.8; on new
installations, as well as editing
<filename>inetd.conf</filename>. &merged;</para>
</sect2>
<sect2 id="userland">
<title>Userland Changes</title>
<para>&man.cdcontrol.1; now supports a <literal>cdid</literal>
command, which calculates and displays the CD serial number, using
the same algorithm used by the CDDB database. &merged;</para>
<para>&man.mtree.8; now includes support for a file that lists
pathnames to be excluded when creating and verifying prototypes.
This makes it easier to use &man.mtree.8; as a part of an
intrusion-detection system. &merged;</para>
<para>&man.ls.1; can produce colorized listings with the
<option>-G</option> flag (and appropriate terminal
support). &merged;</para>
<para>&man.sysinstall.8; now properly preserves
<filename>/etc/mail</filename> during a binary upgrade. &merged;</para>
<para>The &man.truncate.1; utility, which truncates or extends the length
of files, has been added. &merged;</para>
<para>&man.syslogd.8; can take a <option>-n</option> option to
disable DNS queries for every request. &merged;</para>
<para>&man.kenv.1;, a command to dump the kernel environment, has
been added. &merged;</para>
<para>The behavior of &man.periodic.8; is now controlled by
<filename>/etc/defaults/periodic.conf</filename> and
<filename>/etc/periodic.conf</filename>. &merged;</para>
<para arch="i386">&man.boot98cfg.8;, a PC-98 boot manager installation and
configuration utility, has been added. &merged;</para>
<para>&man.logger.1; can now send messages directly to a remote
syslog. &merged;</para>
<para arch="i386">&man.gdb.1; now supports hardware watchpoints (using the
kernel's debug register + support that has been introduced in
&os; 4.0). &merged;</para>
<para>&man.which.1; is now a C program, rather than a Perl
script.</para>
<para>&man.killall.1; is now a C program, rather than a Perl
script. As a result, its <option>-m</option> option now uses the
regular expression syntax of &man.regex.3;, rather than that of
&man.perl.1;. &merged;</para>
<para>&man.killall.1; now allows non-root users to kill SUID root
processes that they started, the same as the Perl version did.</para>
<para>&man.finger.1; now has the ability to support fingering
aliases, via the &man.finger.conf.5; file. &merged;</para>
<para>&man.finger.1; now has support for a
<filename>.pubkey</filename> file.</para>
<para>nsswitch support has been merged from NetBSD. By creating
an &man.nsswitch.conf.5; file, FreeBSD can be configured so that
various databases such as &man.passwd.5; and &man.group.5; can be
looked up using flat files, NIS, or Hesiod. The old
<filename>hosts.conf</filename> file is no longer used.</para>
<para>RSA Security has waived all patent rights to the RSA
algorithm. As a
result, the native <application>OpenSSL</application>
implementation of the RSA algorithm is now activated by default,
and the <filename>rsaref</filename> port and
<filename>librsaUSA</filename> are no longer required for USA
residents. &merged;</para>
<para>&man.ifconfig.8; command can set the link-layer address
of an interface. &merged;</para>
<para>&man.ifconfig.8; can now accept addresses in slash/CIDR
notation. &merged;</para>
<para>&man.ifconfig.8; now has support for setting parameters for
IEEE 802.11 wireless network devices. &man.wi.4; and
&man.an.4; devices are supported, and partial support is provided
for &man.awi.4; devices. &merged;</para>
<para>&man.ifconfig.8; no longer displays the list of supported
media by default. Instead it displays it when the
<option>-m</option> is given. &merged;</para>
<para>&man.setproctitle.3; has been moved from
<filename>libutil</filename> to
<filename>libc</filename>. &merged;</para>
<para>&man.chio.1; now has the ability to specify elements by
volume tag instead of by their physical location as well as the
ability to return an element to its previous location. &merged;</para>
<para>&man.sed.1; now takes a <option>-E</option> option for
extended regular expression support. &merged;</para>
<para>&man.ln.1; now takes an <option>-i</option> option to
request user confirmation before overwriting an existing
file. &merged;</para>
<para>&man.ln.1; now takes a <option>-h</option> flag to avoid
following a target that is a link, with a <option>-n</option> flag
for compatability with other implementations. &merged;</para>
<para>Userland &man.ppp.8; has received a number of updates and
bug fixes. &merged;</para>
<para>&man.make.1; has gained the <literal>:C///</literal>
(regular expression substitution), <literal>:L</literal>
(lowercase), and <literal>:U</literal> (uppercase) variable
modifiers. These were added to reduce the differences between the
&os; and
OpenBSD/NetBSD
&man.make.1 programs. &merged; </para>
<para>Bugs in &man.make.1;, among which include broken null suffix
behavior, bad assumptions about current directory permissions, and
potential buffer overflows, have been fixed. &merged;</para>
<para>The &os; <filename>Makefile</filename> infrastructure now
supports the <varname>WARNS</varname> directive from NetBSD. This
directive controls the addition of compiler warning flags to
<varname>CFLAGS</varname> in a relatively compiler-neutral
manner. &merged;</para>
<para>&man.fsck.8; wrappers have been imported; this feature
provides infrastructure for &man.fsck.8; to work on different
types of filesystems (analogous to &man.mount.8;).</para>
<para>The behavior of &man.fsck.8; when dealing with various
passes (a la <filename>/etc/fstab</filename>) has been modified to
accomodate multiple-disk filesystems.</para>
<para>&man.style.perl.7;, a style guide for Perl code in the &os;
base system, has been added.</para>
<para>The <quote>in use</quote> percentage metric displayed by
&man.netstat.1; now really reflects the percentage of network
mbufs used. &merged;</para>
<para>&man.netstat.1; now has a <option>-W</option> flag that
tells it not to truncate addresses, even if they're too long for
the column they're printed in. &merged;</para>
<para>&man.netstat.1; now keeps track of input and output packets
on a per-address basis for each interface. &merged;</para>
<para>&man.netstat.1; now has a <option>-z</option> flag to reset
statistics.</para>
<para>&man.sockstat.1; now has <option>-c</option> and
<option>-l</option> flags for listing connected and listening
sockets, respectively. &merged;</para>
<para>&man.mergemaster.8; has gained some new features, has been
cleaned up somewhat, and is now more cross-platform friendly.</para>
<para>&man.mergemaster.8; now sources an
<filename>/etc/mergemaster.rc</filename> file and also prompts the
user to run recommended commands (such as
<command>newaliases</command>) as needed. &merged;</para>
<para>The compiler chain now uses the FSF-supplied C/C++ runtime
initialization code. This change brings about better
compatibility with code generated from the various egcs and gcc
ports, as well as the stock public FSF source. &merged;</para>
<para>The threads library has gained some signal handling changes,
bug fixes, and performance enhancements (including zero system
call thread switching). &man.gdb.1; thread support has been
updated to match these changes. &merged;</para>
<para>&man.chflags.1; has moved from <filename>/usr/bin</filename>
to <filename>/bin</filename>.</para>
<para>Use of the <literal>CSMG_*</literal> macros no longer
require inclusion of
<filename>&lt;sys/param.h&gt;</filename></para>
<para>IP Filter is now supported by the
&man.rc.conf.5; boot-time configuration and
initialization. &merged;</para>
<para>The &man.lastlogin.8; utility, which prints the last login
time of each user, has been imported from
NetBSD. &merged;</para>
<para>&man.last.1; now implements a <option>-d</option> that
provides a <quote>snapshot</quote> of who was logged in at a
particular date and time. &merged;</para>
<para>&man.newfs.8; now implements write combining, which can make
creation of new filesystems up to seven times
faster. &merged;</para>
<para>&man.newfs.8; now takes a <option>-U</option> option to
enable softupdates on a new filesystem. &merged;</para>
<para>The default number of cylinders per group in &man.newfs.8;
is now 22, up from 16.</para>
<para>A number of buffer overflows in &man.config.8; have been
fixed. &merged;</para>
<para>&man.pwd.1; can now double as &man.realpath.1;, a program to
resolve pathnames to their underlying physical paths. &merged;</para>
<para>&man.stty.1; now has support for an
<literal>erase2</literal> control character, so that, for example,
both the <keycap>Delete</keycap> and <keycap>Backspace</keycap>
keys can be used to erase characters. &merged;</para>
<para>The &man.ibcs2.8;, &man.linux.8;, &man.osf1.8;, and &man.svr4.8;
scripts, whose sole purpose was to load emulation
kernel modules, have been removed. The kernel module system will
automatically load them as needed to fulfill dependencies.</para>
<para>&man.top.1; will now use the full width of its tty.</para>
<para>&man.growfs.8;, a utility for growing FFS filesystems, has
been added. &man.ffsinfo.8;, a utility for dump all the
meta-information of an existing filesystem, has also been
added. &merged;</para>
<para>&man.indent.1; has gained some new formatting
options. &merged;</para>
<para>&man.sysinstall.8; now uses some more intuitive defaults
thanks to some new dialog support functions. &merged;</para>
<para>The default root partition in &man.sysinstall.8; is now
100MB on the i386 and 120MB on the alpha.</para>
<para>&man.xargs.1; gained a <option>-J</option> option which allows
the user to specify exactly where in the command line the input should
be retrofitted. &merged;</para>
<para>Shortly after the receipt of a <literal>SIGINFO</literal>
signal (normally control-T from the controlling tty), &man.fsck.ffs.8;
will now output a line indicating the current phase number and
progress information relevant to the current phase. &merged;</para>
<para>&man.fsck.ffs.8; now supports background filesystem checks
to mounted FFS filesystems with the <option>-B</option> option
(softupdates must be enabled on these filesystems). The
<option>-F</option> flag now determines whether a specified
filesystem needs foreground checking.</para>
<para>&man.fsck.8; now has support for foreground
(<option>-F</option>) and background (<option>-B</option>) checks.
Traditionally, &man.fsck.8; is invoked before the filesystems are
mounted and all checks are done to completion at that time. If
background checking is available, &man.fsck.8; is invoked twice.
It is first invoked at the traditional time, before the
filesystems are mounted, with the <option>-F</option> flag to do
checking on all the filesystems that cannot do background
checking. It is then invoked a second time, after the system has
completed going multiuser, with the <option>-B</option> flag to do
checking on all the filesystems that can do background checking.
Unlike the foreground checking, the background checking is started
asynchronously so that other system activity can proceed even on
the filesystems that are being checked. Boot-time enabling of
this feature is controlled by the
<varname>background_fsck</varname> option in &man.rc.conf.5;.</para>
<para>A new &man.fsck.msdosfs.8; utility has been added to check
the consistency of MS-DOS filesystems. &merged;</para>
<para>Catching up with most other network utilities in the base
system, &man.lpr.1;, &man.lpd.8;, &man.syslogd.8;, and
&man.logger.1; are now all IPv6-capable. &merged;</para>
<para arch="i386"><filename>libdisk</filename> can now do
install-time configuration of the &arch; <filename>boot0</filename>
boot loader. &merged;</para>
<para>The <option>-v</option> option to &man.rm.1; now displays
the entire pathname of a file being removed.</para>
<para>&man.lpr.1;, &man.lpq.1;, and &man.lpd.8; have received a
few minor enhancements. &merged;</para>
<para>&man.lpd.8; now takes two new options: <option>-c</option>
will log all connection errors to &man.syslogd.8;, while
<option>-W</option> will allow connections from non-reserved
ports. &merged;</para>
<para>&man.lpc.8; has been improved; <command>lpc clean</command>
is now somewhat safer, and a new <command>lpc tclean</command>
command has been added to check to see what files would be removed
by <command>lpc clean</command>. &merged;</para>
<para>If the first argument to &man.ancontrol.8; or
&man.wicontrol.8; doesn't start with a <literal>-</literal>, it is
assumed to be an interface.</para>
<para>&man.rdist.1; has been retired.</para>
<para>&man.ppp.8; has gained the <literal>tcpmssfixup</literal>
option, which adjusts outgoing and incoming TCP SYN packets so that the maximum
receive segment size is no larger than allowed by the interface
MTU. &merged;</para>
<para><filename>libcrypt</filename> and
<filename>libdescrypt</filename> have been unified to provide a
configurable password authentication hash library. Both the md5
and des hash methods are provided unless the des hash is
specifically compiled out. &merged;</para>
<para>&man.passwd.1; and &man.pw.8; now select the password hash
algorithm at run time. See the <literal>passwd_format</literal>
attribute in <filename>/etc/login.conf</filename>.</para>
<para>In preparation for meeting SUSv2/POSIX
<filename>&lt;sys/select.h&gt;</filename> requirements,
<literal>struct selinfo</literal> and related functions have been
moved to <filename>&lt;sys/selinfo.h&gt;</filename>.</para>
<para>&man.syslogd.8; now supports a <literal>LOG_CONSOLE</literal>
facility (disabled by
default), which can be used to log <filename>/dev/console</filename>
output. &merged;</para>
<para>&man.rpcgen.1; now uses <filename>/usr/bin/cpp</filename>
(as on NetBSD), not <filename>/usr/libexec/cpp</filename>.</para>
<para>Boot-time &man.syscons.4; configuration was moved to a
machine-independent <filename>/etc/rc.syscons</filename>. &merged;</para>
<para>&man.burncd.8; now supports a <option>-m</option> option for
multisession mode (the default behavior now is to close disks as
single-session). A <option>-l</option> option to take a list of
image files from a filename was also added; <filename>-</filename>
can be used as a filename for <literal>stdin</literal>. &merged;</para>
<para>&man.dmesg.8; now has a <option>-a</option> option to show
the entire message buffer, including &man.syslogd.8; records and
<filename>/dev/console</filename> output. &merged;</para>
<para>&man.cdcontrol.1; now uses the <literal>CDROM</literal>
environment variable to pick a default device. &merged;</para>
<para>&man.cdcontrol.1; now supports <literal>next</literal> and
<literal>prev</literal> commands to skip forwards or backwards a
specified number of tracks while playing an audio CD.</para>
<para>&man.sysctl.8; now supports a <option>-N</option> option to
print out variable names only.</para>
<para>&man.sysctl.8; has replaced the <option>-A</option> and
<option>-X</option> options with <option>-ao</option> and
<option>-ax</option> respectively; the former options are now
deprecated. The <option>-w</option> is deprecated as well; it is
not needed to determine the user's intentions.</para>
<para>&man.sysinstall.8; now lives in <filename>/usr/sbin</filename>,
which simplifies the installation process. The &man.sysinstall.8;
manpage is also installed in a more consistent fashion now.</para>
<para>&man.config.8; is now better about converting various
warnings that should
have been errors into actual fatal errors with an exit code. This
ensures that <literal>make buildkernel</literal>
doesn't quietly ignore them and
build a bogus kernel without a human to read the errors. &merged;</para>
<para><filename>libc</filename> is now thread-safe by default;
<filename>libc_r</filename> contains only thread functions.</para>
<para>&man.find.1; now takes the <option>-empty</option> flag,
which returns true if a file or directory is empty. &merged;</para>
<para>&man.find.1; now takes the <option>-iname</option> and
<option>-ipath</option> primaries for case-insensitive matches,
and the <option>-regexp</option> and <option>-iregexp</option>
primaries for regular-expression matches. The <option>-E</option>
flag now enables extended regular expressions. &merged;</para>
<para>&man.find.1; now has the <option>-anewer</option>,
<option>-cnewer</option>, <option>-mnewer</option>,
<option>-okdir</option>, and <option>-newer[acm][acmt]</option>
primaries for comparisons of file timestamps. &merged;</para>
<para>&man.tftpd.8; now takes the <option>-c</option> and
<option>-C</option> options, which allow the server to
&man.chroot.2; based on the IP address of the connecting client.
&man.tftp.1; and &man.tftpd.8; can now transfer files larger than
65535 blocks. &merged;</para>
<para>&man.vidcontrol.1; now accepts a <option>-g</option>
parameter to select custom text geometry in the
<literal>VESA_800x600</literal> raster text mode. &merged;</para>
<para>&man.ldconfig.8; now checks directory ownerships and
permissions for greater security; these checks can be disabled
with the <option>-i</option> flag. &merged;</para>
<para>The &man.rfork.thread.3; library call has been added as a
helper function to &man.rfork.2;. Using this function should
avoid the need to implement complex stack swap
code. &merged;</para>
<para>Significant additions have been made to internationalization
support; &os; now has complete locale support for the
<literal>LC_MONETARY</literal>, <literal>LC_NUMERIC</literal>, and
<literal>LC_MESSAGES</literal> categories. A number of
applications have been updated to take advantage of this
support.</para>
<para>Locale names have been changed to improve compatability with
the names used by X11R6, as well as a number of other UNIX
versions. As an example, the <literal>en_US.ISO_8859-1</literal>
locale name has been changed to
<literal>en_US.ISO8859-1</literal>. Entries in
<filename>/etc/locale.alias</filename> provide backward
compatability.</para>
<para>A <filename>compat4x</filename> distribution has been added
for compatibility with &os; 4-STABLE.</para>
<para>The
<filename>compat3x</filename> distribution has been updated to
include libraries present in &os; 3.5.1-RELEASE. &merged;</para>
<para>&man.savecore.8; now supports a <option>-k</option> option
to prevent clearing a crash dump after saving it. It also
attempts to avoid writing large stretches of zeros to crash dump
files to save space and time. &merged;</para>
<para>&man.savecore.8; now works correctly on machines with 2 GB
or more of RAM. &merged;</para>
<para>&man.tar.1; now supports the <varname>TAR_RSH</varname>
variable, principally to enable the use of &man.ssh.1; as a
transport. &merged;</para>
<para>&man.disklabel.8; now supports partition sizes expressed in
kilobytes, megabytes, or gigabytes, in addition to sectors. &merged;</para>
<para>The pseudo-random number generator implemented by
&man.rand.3; has been improved to provide less biased results.</para>
<para>&man.login.1; now exports environment variables set by
<application>PAM</application> modules. &merged;</para>
<para><application>PAM</application> support has been added for
account management and sessions.</para>
<para>&man.su.1; now uses <application>PAM</application> for
authentication.</para>
<para>&man.wall.1; now supports a <option>-g</option> flag to
write a message to all users of a given group.</para>
<para>The new <varname>CPUTYPE</varname>
<filename>make.conf</filename> variable controls the compilation
of processor-specific optimizations in various pieces of code such
as <application>OpenSSL</application>. &merged;</para>
<para>The default value for &man.cvs.1;'s
<varname>CVS_RSH</varname> variable is now <literal>ssh</literal>,
rather than <literal>rsh</literal>. &merged;</para>
<para>&man.ipfstat.8; now supports the <option>-t</option> option
to turn on a &man.top.1;-like display. &merged;</para>
<para><filename>/usr/src/share/examples/BSD_daemon/</filename> now
contains a scalable Beastie graphic. &merged;</para>
<para>&man.dump.8; now supports inheritance of the
<literal>nodump</literal> flag down a hierarchy. &merged;</para>
<para>The <option>-T</option> to &man.dump.8; no longer swallows
an extra argument. &merged;</para>
<para>&man.dump.8; has a new <option>-D</option> option, allowing
the path to the <filename>/etc/dumpdates</filename> file to be
changed. &merged;</para>
<para>&man.split.1; now has the ability to split a file longer
than 2GB. &merged;</para>
<para>&man.tail.1; now has the ability to work on files longer
than 2GB. &merged;</para>
<para>&man.units.1; has received some updates and bugfixes. &merged;</para>
<para>As part of an ongoing process, many manual pages were
improved, both in terms of their formatting markup and in their
content. &merged;</para>
<para><command>lprm -</command> now works for remote printer
queues. &merged;</para>
<para>&man.ftpd.8; now supports a <option>-r</option> flag for
read-only mode and a <option>-E</option> flag to disable
<literal>EPSV</literal>. It also has some fixes to reduce
information leakage and the ability to specify compile-time port
ranges. &merged;</para>
<para>&man.ping.8; now supports a <option>-m</option> option to
set the TTL of outgoing packets. &merged;</para>
<para>&man.ping.8; now supports a <option>-A</option> option to
beep when packets are lost.</para>
<para>A version of Transport Independent RPC
(<application>TI-RPC</application>) has been imported.</para>
<para>&man.rpcbind.8; has replaced &man.portmap.8;.</para>
<para>NFS now works over IPv6.</para>
<para>&man.rpc.lockd.8; has been imported from NetBSD.</para>
<para>&man.rc.8; now has an framework for handling dependencies between
&man.rc.conf.5; variables. &merged;</para>
<para>&man.rc.8; now deletes all non-directory files in
<filename>/var/run</filename> and
<filename>/var/spool/lock</filename> at boot time.</para>
<para>The &man.setfacl.1; and &man.getfacl.1; commands have been
added to manage file system Access Control Lists.</para>
<para>The default TCP port range used by
<filename>libfetch</filename> for passive FTP retrievals has
changed; this affects the behavior of &man.fetch.1;, which has
gained the <option>-U</option> option to restore the old
behavior. &merged;</para>
<para><filename>libfetch</filename> now has support for an
authentication callback.</para>
<para><filename>libfetch</filename> now has support for a
<varname>HTTP_USER_AGENT</varname> environment variable. &merged;</para>
<para>&man.atacontrol.8; has been added to control various aspects
of the &man.ata.4; driver.</para>
<para><filename>libcrypt</filename> now has support for Blowfish
password hashing. &merged;</para>
<para>The functions from <filename>libposix1e</filename> have been
integrated into <filename>libc</filename>.</para>
<para>&man.vidcontrol.1; now allows the user to omit the font size
specification when loading a font, and has some better
error-handling. &merged;</para>
<para>&man.vidcontrol.1; now supports a <option>-p</option> to
take a snapshot of a &man.syscons.4; video buffer. These
snapshots can be manipulated by some of the
<filename>scr2*</filename> utilities in the Ports
Collection. &merged;</para>
<para>&man.vidcontrol.1; now supports a <option>-C</option> option
to clear the history buffer for a given tty. &merged;</para>
<para>devinfo, a simple tool to print the device tree and resource usage by
devices, has been added.</para>
<para>&man.fmtcheck.3;, a function for checking consistency of
format string arguments, has been added.</para>
<para>&man.nl.1;, a line numbering filter program, has been added.</para>
<para>&man.c89.1; has been converted from a shell script to a
binary executable, fixing some minor bugs. &merged;</para>
<para>&man.pax.1; has received a number of enhancements, including
&man.cpio.1; functionality, &man.tar.1; compatability
enhancements, <option>-z</option> and <option>-Z</option> flags
for &man.gzip.1; and &man.compress.1; functionality, and a number
of bug fixes.</para>
<para>Ukranian language support has been added to the &os;
console. &merged;</para>
<para>The performance of the ELF dynamic linker &man.rtld.1; has
been improved. &merged;</para>
<para>&man.fdread.1;, a program to read data from floppy disks,
has been added. It is a counterpart to &man.fdwrite.1; and is
designed to provide a means of recovering at least some data from
bad media, and to obviate for a complex invocation of
&man.dd.1;.</para>
<para>&man.xargs.1; now supports a <option>-J</option>
<replaceable>replstr</replaceable> option that allows the user to
tell &man.xargs.1; to insert the data read from standard input at
a specific point in the command line arguments rather than at the
end.</para>
<para>&man.apmd.8; now supports monitoring of the battery state via the
<literal>apm_battery</literal> configuration directive.</para>
<para>&man.telnet.1; now does autologin and encryption by default;
a new <option>-y</option> option turns off encryption.</para>
<para>&man.telnet.1; now supports a <option>-u</option> flag to
allow connections to UNIX-domain (<literal>AF_UNIX</literal>)
sockets. &merged;</para>
<para>The default stripe size in &man.vinum.8; has been changed
from 256KB to 279KB, to spread out superblocks more evenly between
stripes.</para>
<para>&man.chown.8; now correctly follows symbolic links named as
command line arguments if run without <option>-R</option>.</para>
<para>&man.chown.8; no longer takes <literal>.</literal> as a
user/group delimeter. This change was made to support usernames
containing a <literal>.</literal>.</para>
<para>&man.chmod.1; now supports a <option>-h</option> for
changing the mode of a symbolic link.</para>
<para>&man.install.1; has a number of new features, including the
<option>-b</option> and <option>-B</option> options for backing up
existing target files and the <option>-S</option> option for
<quote>safe</quote> (atomic copy) operation. The
<option>-c</option> (copy) flag is now the default, and the
<option>-D</option> (debugging) flag has been withdrawn.
&man.install.1; now issues a warning if <option>-d</option>
(create directories) and <option>-C</option> (copy changed files
only) are used together. &merged;</para>
<para>&man.whois.1; now directs queries for IP addresses to
ARIN. If a query to ARIN references APNIC or RIPE, the
appropriate server will also be queried, provided that the
<option>-Q</option> option is not specified. &merged;</para>
<para>A new utility &man.diskcheckd.8; has been added; it is a
daemon which runs in the background, reading entire disks to find
any read errors on those disks. Its behavior at startup time can
be controlled by the <varname>diskcheckd_enable</varname> variable
in &man.rc.conf.5;.</para>
<para>&man.fmt.1; has been rewritten; the rewrite fixes a number
of bugs compared to its prior behavior.</para>
<para>&man.df.1; now takes a <option>-l</option> option to only
display information about locally-mounted filesystems. &merged;</para>
<para>The syntax of &man.inetd.8;'s support for &man.faithd.8; is
now compatable with that of other BSDs. &merged;</para>
<para>The <literal>ident</literal> protocol support in &man.inetd.8; has
been cleaned up and updated. &merged;</para>
<para>&man.inetd.8; now has the ability to manage UNIX-domain
sockets. &merged;</para>
<para>&man.du.1; now takes a <option>-I</option> command-line flag
to ignore/skip files and subdirectories matching a specified
shell-glob mask. &merged;</para>
<para>The &man.resolver.3; in &os; now implements EDNS0 support,
which will be necessary when working with IPv6 transport-ready
resolvers/DNS servers. &merged;</para>
<para>&man.col.1; now takes a <option>-p</option> to force unknown
control sequences to be passed through unchanged.</para>
<para>The &man.mdmfs.8; command has been added; it is a wrapper
around &man.mdconfig.8;, &man.disklabel.8;, &man.newfs.8;, and
&man.mount.8; that mimics the command line option set of the
deprecated &man.mount.mfs.8;.</para>
<para>The &man.getprogname.3; and &man.setprogname.3; library
functions have been added to manipulate the name of the current
program. They are used by error-reporting routines to produce
consistent output. &merged;</para>
<para>The &man.kldconfig.8; utility has been added to make it easier to
manipulate the kernel module search path. &merged;</para>
<para>&man.moused.8; now takes a <option>-a</option> to control
mouse acceleration. &merged;</para>
<para arch="i386">&man.fdisk.8; no longer attempts to search for
a device if none has been specified on the command line, but
instead tries to figure out the default device name from the
root device.</para>
<para>&man.mail.1; now takes a <option>-E</option> flag to avoid
sending messages with empty bodies. &merged;</para>
<para>&man.route.8; is now more verbose when changing indirect
routes, in the case of a gateway route that is the same route as
the one being modified.</para>
<para>&man.route.8; now uses
<literal><replaceable>host</replaceable>/<replaceable>bits</replaceable></literal>
syntax instead of
<literal><replaceable>net</replaceable>/<replaceable>bits</replaceable></literal>
syntax, for compatability with &man.netstat.1;.</para>
<para>&man.route.8; can now create <quote>proxy only</quote>
published ARP entries.</para>
<sect3>
<title>Contributed Software</title>
<para><application>bc</application> has been updated from 1.04 to
1.06. &merged;</para>
<para>The ISC library from the <application>BIND</application>
distribution is now built as
<filename>libisc</filename>. &merged;</para>
<para><application>BIND</application> is now built with the
<literal>NOADDITIONAL</literal> flag, which causes &man.named.8;
to operate in a more consistent fashion for certain common
misconfigurations. &merged;</para>
<para><application>BIND</application> has been updated to
8.2.4-REL. &merged;</para>
<para><application>Binutils</application> have been updated to
2.11.2. &merged;</para>
<para><application>bzip2</application> 1.0.1 has been imported; this
brings the &man.bzip2.1; program and the <filename>libbz2</filename>
library to the base system. &merged;</para>
<para><application>cvs</application> has been updated to
1.11.1p1. &merged;</para>
<para>The &man.ee.1; <application>Easy Editor</application> has
been updated to 1.4.2. &merged;</para>
<para><application>file</application> has been updated to 3.36.
&merged;</para>
<para>&man.awk.1;, in the form of
<application>gawk</application>, has been updated from 3.0.4 to 3.0.6.
This fixes a number of non-critical bugs and includes a few
performance tweaks. &merged;</para>
<para><application>gcc</application> has been updated to 2.95.3. &merged;</para>
<para>&man.gcc.1; now uses a unified <filename>libgcc</filename>
rather than a separate one for threaded and non-threaded programs.
<filename>/usr/lib/libgcc_r.a</filename> can be removed.
&merged;</para>
<para>&man.gcc.1; now supports the environment variable
<varname>GCC_OPTIONS</varname>, which can hold a set of default
options for <application>GCC</application>. &merged;</para>
<para><application>GNATS</application> has been updated to
3.113. &merged;</para>
<para><application>gperf</application> has been updated to 2.7.2.</para>
<para><application>groff</application> and its related utilities
have been updated to FSF version 1.17.2. This import brings in a
new &man.mdoc.7; macro package (sometimes referred to as
<literal>mdocNG</literal>), which removes many of the
limitations of its predecessor. &merged;</para>
<para><application>Heimdal</application> has been updated to
0.3f.</para>
<para>The <application>ISC DHCP</application> client has been
updated to 2.0pl5. &merged;</para>
<para><application>Kerberos IV</application> has been updated to
1.0.5. &merged;</para>
<para>The &man.more.1; command has been replaced by &man.less.1;,
although it can still be run as
<command>more</command>. <application>less</application> has
been imported at 3.5.8. &merged;</para>
<para><application>libpcap</application> has been updated to
0.6.2. &merged;</para>
<para><application>libreadline</application> has been updated to
4.2.</para>
<para><application>Linux-PAM</application> has been updated to
0.75. &merged;</para>
<para>A number of new <application>Linux-PAM</application> modules
have been added, including: <filename>pam_ftp</filename>,
<filename>pam_krb5</filename>,
<filename>pam_nologin</filename>,
<filename>pam_rootok</filename>,
<filename>pam_securetty</filename>,
<filename>pam_wheel</filename>.</para>
<para><application>ncurses</application> has been updated to
5.2-20010512.</para>
<para>The <application>OPIE</application> one-time-password suite
has been updated to 2.32. &merged; It has completely replaced
the functionality of <application>S/Key</application>.</para>
<para><application>Perl</application> has been updated to version
5.6.0.</para>
<para>&man.routed.8; has been updated to version 2.22. &merged;</para>
<para><application>tcpdump</application> has been updated to
3.6.3. &merged;</para>
<para>The &man.csh.1; shell has been replaced by &man.tcsh.1;,
although it can still be run as <command>csh</command>.
<application>tcsh</application> has been updated to version
6.10. &merged;</para>
<para>&man.traceroute.8; now takes its default maximum TTL value
from the <varname>net.inet.ip.ttl</varname> sysctl
variable. &merged;</para>
<sect4 id="kame-userland">
<title>KAME</title>
<para>The IPv6 stack is now based on a snapshot based on the KAME
Project's IPv6 snapshot as of 28 May, 2001. Most of the
items listed in this section are a result of this import.
<xref linkend="kame-kernel"> lists kernel updates to the KAME
IPv6 stack. &merged;</para>
<para>&man.faithd.8; now supports a configuration file for
access control. &merged;</para>
<para>&man.ifconfig.8; can now perform the functions of
&man.gifconfig.8;. &merged;</para>
<para>&man.ifconfig.8; can now perform the functions of
&man.prefix.8;. &man.prefix.8; is now a shell script for
partial backwards compatability. &merged;</para>
<para>&man.ndp.8; now implements garbage collection for stale
NDP entries, as described in RFC 2461 (Neighbor Discovery for
IP Version 6 (IPv6)). &merged;</para>
<para>&man.pim6dd.8; and &man.pim6sd.8; have been removed due to
restrictive licensing conditions. These programs are available
in the ports collection as <filename>net/pim6dd</filename> and
<filename>net/pim6sd</filename>. &merged;</para>
<para>&man.route6d.8; now supports a <option>-n</option> flag
to avoid updating the kernel forwarding table. &merged;</para>
<para>The <option>-R</option> (router renumbering) option to
&man.rtadvd.8; is currently ignored. &merged;</para>
</sect4>
<sect4>
<title>OpenSSH</title>
<para><application>OpenSSH</application> has been updated to
2.1.0, which provides support for the SSH2 protocol, including DSA
keys. Therefore, <application>OpenSSH</application> users in the
US no longer need to rely on the restrictively-licensed
RSAREF toolkit which is required to
handle RSA keys. <application>OpenSSH</application> 2.1 interoperates well with other SSH2
clients and servers, including the <filename>ssh2</filename> port.
See the <ulink url="http://www.openssh.com/">OpenSSH Web
site</ulink> for more details. &merged;</para>
<para><application>OpenSSH</application> can now authenticate
using OPIE passwords in SSH1 mode. Support is not yet available
in SSH2 mode. &merged;</para>
<para><application>OpenSSH</application> has been updated to
2.2.0. &man.ssh-add.1; and &man.ssh-agent.1; can now handle DSA
keys. A server for sftp, interoperable with ssh.com
clients and others has been added. &man.scp.1; can now handle
files larger than 2 GBytes. Interoperability with other SSH2
clients/servers has been improved. A new feature to limit the
number of outstanding unauthenticated ssh connections in
&man.sshd.8; has been added. &merged;</para>
<para><application>OpenSSH</application> has been updated to
2.3.0. This version adds support for the Rijndael encryption
algorithm. &merged;</para>
<para><application>PAM</application> support for
<application>OpenSSH</application> has been added.</para>
<para>A long-standing bug in <application>OpenSSH</application>,
which sometimes resulted in a dropped session when an
X11-forwarded client was closed, was fixed.</para>
<para><application>Kerberos</application> compatability has been
added to <application>OpenSSH</application>. &merged;</para>
<para><application>OpenSSH</application> has been modified to be
more resistant to traffic analysis by requiring that
<quote>non-echoed</quote> characters are still echoed back in a
null packet, as well as by padding passwords sent so as not to
hint at password lengths. &merged;</para>
<para>&man.sshd.8; is now enabled by default on new
installs. &merged;</para>
<para>&man.sshd.8; <literal>X11Forwarding</literal> is now turned
on by default on the server (any risk is to the client, where it
is already disabled by default).</para>
<para>In <filename>/etc/ssh/sshd_config</filename>, the
<literal>ConnectionsPerPeriod</literal> parameter has been
deprecated in favor of <literal>MaxStartups</literal>.</para>
<para><application>OpenSSH</application> now has a
<literal>VersionAddendum</literal> configuration setting for
&man.sshd.8; to allow changing the part of the
<application>OpenSSH</application> version string after the
main version number.</para>
<para><application>OpenSSH</application> has been updated to
version 2.9, which adds two new programs, &man.sftp.1; and
&man.ssh-keyscan.1;. Among the various enhancements: The
default protocol is now v2, rekeying of existing SSH sessions
is now supported, and an experimental
<application>SOCKS4</application> proxy has been added to
&man.ssh.1;.</para>
</sect4>
<sect4>
<title>OpenSSL</title>
<para><application>OpenSSL</application> has been updated to
0.9.6b.</para>
<para><application>OpenSSL</application> now has support for
machine-dependent ASM optimizations, activated by the new
<varname>MACHINE_CPU</varname> and/or <varname>CPUTYPE</varname>
<filename>make.conf</filename> variables. &merged;</para>
</sect4>
<sect4>
<title>sendmail</title>
<para><application>sendmail</application> has been updated from
version 8.9.3 to version 8.11.5. Important changes include: new
default file locations (see
<filename>/usr/src/contrib/sendmail/cf/README</filename>);
&man.newaliases.1; is limited to <username>root</username> and
trusted users; STARTTLS encryption; and the MSA port (587) is
turned on by default. See
<filename>/usr/src/contrib/sendmail/RELEASE_NOTES</filename> for
more information. &merged;</para>
<para>&man.mail.local.8; is no longer installed as a SUID binary.
If you are using a <filename>/etc/mail/sendmail.cf</filename> from
the default <filename>sendmail.cf</filename> included with &os;
any time after 3.1.0, you are fine. If you are using a
hand-configured <filename>sendmail.cf</filename> and
<command>mail.local</command> for delivery, check to make sure the
<literal>F=S</literal> flag is set on the
<literal>Mlocal</literal> line. Those with
<filename>.mc</filename> files who need to add the flag can do so
by adding the following line to their <filename>.mc</filename>
file and regenerating the <filename>sendmail.cf</filename>
file:</para>
<programlisting>MODIFY_MAILER_FLAGS(`LOCAL',`+S')dnl</programlisting>
<para>Note that <literal>FEATURE(`local_lmtp')</literal> already
does this. &merged;</para>
<para>The default <filename>/etc/mail/sendmail.cf</filename>
disables the SMTP <literal>EXPN</literal> and
<literal>VRFY</literal> commands. &merged;</para>
<para>&man.vacation.1; has been updated to use the version included with
<application>sendmail</application>. &merged;</para>
<para>The <application>sendmail</application> configuration
building tools are installed in
<filename>/usr/share/sendmail/cf/</filename>. &merged;</para>
<para>New <filename>make.conf</filename> options:
<varname>SENDMAIL_MC</varname> and
<varname>SENDMAIL_ADDITIONAL_MC</varname>. See
<filename>/etc/defaults/make.conf</filename> for more
information. &merged;</para>
<para><filename>/etc/mail/Makefile</filename> now supports: the
new <varname>SENDMAIL_MC</varname> <filename>make.conf</filename>
option; the ability to build <filename>.cf</filename> files from
<filename>.mc</filename> files; generalized map rebuilding;
rebuilding the aliases file; and the ability to stop, start, and
restart <application>sendmail</application>. &merged;</para>
</sect4>
</sect3>
<sect3>
<title>Ports/Packages Collection</title>
<para>Version numbers of installed packages have a new
(backward-compatible) syntax, which supports the
<varname>PORTREVISION</varname> and <varname>PORTEPOCH</varname>
variables in Ports Collection <filename>Makefile</filename>s.
These changes help keep track of changes in the ports collection
entries such as security patches or &os;-specific updates, which
aren't reflected in the original, third-party software
distributions. &man.pkg.version.1; can now compare these
new-style version numbers. &merged;</para>
<para>To improve performance and disk utilization, the <quote>ports
skeletons</quote> in the FreeBSD Ports Collection have been restructured.
Installed ports and packages should not be affected. &merged;</para>
<para>All packages and ports now contain an <quote>origin</quote>
directive, which makes it easier for programs such as
&man.pkg.version.1; to determine the directory from which a
package was built. &merged;</para>
<para>&man.pkg.update.1;, a utility to update installed packages
and update their dependencies, has been added. &merged;</para>
<para>&man.pkg.info.1; now supports globbing against names of
installed packages. The <option>-G</option> option disables this
behavior, and the <option>-x</option> option causes regular
expression matching instead of shell globbing. &merged;</para>
<para>&man.pkg.info.1; can now accept a <option>-g</option> flag for
verifying an installed package against its recorded checksums (to
see if it's been modified post-installation). Naturally, this
mechanism is only as secure as the contents of
<filename>/var/db/pkg</filename> if it's to be used for auditing
purposes. &merged;</para>
<para>&man.pkg.create.1; and &man.pkg.add.1; can now work with
packages that have been compressed using
&man.bzip2.1;. &man.pkg.add.1; will use the PACKAGEROOT
environment variable to determine a mirror site for new
packages. &merged;</para>
<para>&man.pkg.create.1; now records dependencies in dependency
order rather than in the order specified on the command line.
This improves the functioning of <command>pkg_add
-r</command>. &merged;</para>
<para>&man.pkg.version.1; now has a version number comparison
routine that corresponds to the Porters Handbook. It also has a
<option>-t</option> option for testing address comparisons.
&merged;</para>
<para>&man.pkg.version.1; now takes a <option>-s</option> flag
to limit its operation to ports/packages matching a given
string. &merged;</para>
<para>When requested to delete multiple packages,
&man.pkg.delete.1; will now attempt to remove them in dependency
order rather than the order specified on the command
line. &merged;</para>
<para>&man.pkg.delete.1; now can perform glob/regexp matching of
package names. In addition, it supports a <option>-a</option>
option for removing all packages and a <option>-i</option> option
for &man.rm.1;-style interactive confirmation. &merged;</para>
<para>&man.pkg.sign.1; and &man.pkg.check.1; have been added to
digitally sign and verify the signatures on binary package
files. &merged;</para>
<para><application>BSDPAN</application>, a collection of modules
that provides tighter integration of
<application>Perl</application> into the &os; Ports
Collection, has been added.</para>
</sect3>
</sect2>
</sect1>
Reference in New Issue View Git Blame Copy Permalink