diff --git a/website/content/en/releases/15.0R/relnotes.adoc b/website/content/en/releases/15.0R/relnotes.adoc index 68cdc76086..8fab4d8ba5 100644 --- a/website/content/en/releases/15.0R/relnotes.adoc +++ b/website/content/en/releases/15.0R/relnotes.adoc 
@@ -1,1210 +1,1215 @@ --- title: "FreeBSD 15.0-RELEASE Release Notes" sidenav: download --- :localRel: 15.0 :releaseCurrent: 15.0-RELEASE :releaseBranch: 15-STABLE :releasePrev: 14.0-RELEASE :releaseNext: 15.1-RELEASE :releaseType: "release" include::shared/en/urls.adoc[] = FreeBSD {releaseCurrent} Release Notes :doctype: article :toc: macro :toclevels: 1 :icons: font == Abstract [.abstract-title] The release notes for FreeBSD {releaseCurrent} contain a summary of the changes made to the FreeBSD base system on the {releaseBranch} development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented. [[intro]] == Introduction This document contains the release notes for FreeBSD {releaseCurrent}. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD. The {releaseType} distribution to which these release notes apply represents the latest point along the {releaseBranch} development branch since {releaseBranch} was created. Information regarding pre-built, binary {releaseType} distributions along this branch can be found at https://www.FreeBSD.org/releases/[]. The {releaseType} distribution to which these release notes apply represents a point along the {releaseBranch} development branch between {releasePrev} and the future {releaseNext}. Information regarding pre-built, binary {releaseType} distributions along this branch can be found at https://www.FreeBSD.org/releases/[]. This distribution of FreeBSD {releaseCurrent} is a {releaseType} distribution. It can be found at https://www.FreeBSD.org/releases/[] or any of its mirrors. More information on obtaining this (or other) {releaseType} distributions of FreeBSD can be found in the link:{handbook}/mirrors[Obtaining FreeBSD appendix] to the link:{handbook}/[FreeBSD Handbook]. 
All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with "late-breaking" information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD {releaseCurrent} can be found on the FreeBSD Web site. This document describes the most user-visible new or changed features in FreeBSD since {releasePrev}. In general, changes described here are unique to the {releaseBranch} branch unless specifically marked as MERGED features. Typical release note items document recent security advisories issued after {releasePrev}, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements. [[upgrade]] == Upgrading from Previous Releases of FreeBSD Binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the man:freebsd-update[8] utility. See the release-specific upgrade procedure, link:../installation/#upgrade-binary[FreeBSD {releaseCurrent} upgrade information], with more details in the FreeBSD handbook link:{handbook}cutting-edge/#freebsdupdate-upgrade[binary upgrade procedure]. This will update unmodified userland utilities, as well as unmodified GENERIC kernels distributed as a part of an official FreeBSD release. The man:freebsd-update[8] utility requires that the host being upgraded have Internet connectivity. 
Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in [.filename]#/usr/src/UPDATING#. [IMPORTANT] ==== Upgrading FreeBSD should only be attempted after backing up _all_ data and configuration files. ==== [[security-errata]] == Security and Errata This section lists the various Security Advisories and Errata Notices since {releasePrev}. [[security]] === Security Advisories [.informaltable] [cols="1,1,1", frame="none", options="header"] |=== | Advisory | Date | Topic |https://www.freebsd.org/security/advisories/FreeBSD-SA-23:17.pf.asc[FreeBSD-SA-23:17.pf] |05 December 2023 |TCP spoofing vulnerability in man:pf[4] |https://www.freebsd.org/security/advisories/FreeBSD-SA-23:18.nfsclient.asc[FreeBSD-SA-23:18.nfsclient] |12 December 2023 |NFS client data corruption and kernel memory disclosure |https://www.freebsd.org/security/advisories/FreeBSD-SA-23:19.openssh.asc[FreeBSD-SA-23:19.openssh] |19 December 2023 |Prefix Truncation Attack in the SSH protocol |https://www.freebsd.org/security/advisories/FreeBSD-SA-24:01.bhyveload.asc[FreeBSD-SA-24:01.bhyveload] |14 February 2024 |man:bhyveload[8] host file access |https://www.freebsd.org/security/advisories/FreeBSD-SA-24:02.tty.asc[FreeBSD-SA-24:02.tty] |14 February 2024 |man:jail[2] information leak |https://www.freebsd.org/security/advisories/FreeBSD-SA-24:03.unbound.asc[FreeBSD-SA-24:03.unbound] |28 March 2024 |Multiple vulnerabilities in unbound |https://www.freebsd.org/security/advisories/FreeBSD-SA-24:04.openssh.asc[FreeBSD-SA-24:04.openssh] |01 July 2024 |OpenSSH pre-authentication remote code execution |https://www.freebsd.org/security/advisories/FreeBSD-SA-24:05.pf.asc[FreeBSD-SA-24:05.pf] |07 August 2024 |pf incorrectly matches different ICMPv6 states in the state table |https://www.freebsd.org/security/advisories/FreeBSD-SA-24:06.ktrace.asc[FreeBSD-SA-24:06.ktrace] |07 August 2024 |man:ktrace[2] fails to 
detach when executing a setuid binary |https://www.freebsd.org/security/advisories/FreeBSD-SA-24:07.nfsclient.asc[FreeBSD-SA-24:07.nfsclient] |07 August 2024 |NFS client accepts file names containing path separators |https://www.freebsd.org/security/advisories/FreeBSD-SA-24:08.openssh.asc[FreeBSD-SA-24:08.openssh] |07 August 2024 |OpenSSH pre-authentication async signal safety issue |https://www.freebsd.org/security/advisories/FreeBSD-SA-24:09.libnv.asc[FreeBSD-SA-24:09.libnv] |04 September 2024 |Multiple vulnerabilities in libnv |https://www.freebsd.org/security/advisories/FreeBSD-SA-24:10.bhyve.asc[FreeBSD-SA-24:10.bhyve] |04 September 2024 |man:bhyve[8] privileged guest escape via TPM device passthrough |https://www.freebsd.org/security/advisories/FreeBSD-SA-24:11.ctl.asc[FreeBSD-SA-24:11.ctl] |04 September 2024 |Multiple issues in man:ctl[4] CAM Target Layer |https://www.freebsd.org/security/advisories/FreeBSD-SA-24:12.bhyve.asc[FreeBSD-SA-24:12.bhyve] |04 September 2024 |man:bhyve[8] privileged guest escape via USB controller |https://www.freebsd.org/security/advisories/FreeBSD-SA-24:13.openssl.asc[FreeBSD-SA-24:13.openssl] |04 September 2024 |Possible DoS in X.509 name checks in OpenSSL |https://www.freebsd.org/security/advisories/FreeBSD-SA-24:14.umtx.asc[FreeBSD-SA-24:14.umtx] |04 September 2024 |umtx Kernel panic or Use-After-Free |https://www.freebsd.org/security/advisories/FreeBSD-SA-24:15.bhyve.asc[FreeBSD-SA-24:15.bhyve] |19 September 2024 |man:bhyve[8] out-of-bounds read access via XHCI emulation |https://www.freebsd.org/security/advisories/FreeBSD-SA-24:16.libnv.asc[FreeBSD-SA-24:16.libnv] |19 September 2024 |Integer overflow in libnv |https://www.freebsd.org/security/advisories/FreeBSD-SA-24:17.bhyve.asc[FreeBSD-SA-24:17.bhyve] |29 October 2024 |Multiple issues in the bhyve hypervisor |https://www.freebsd.org/security/advisories/FreeBSD-SA-24:18.ctl.asc[FreeBSD-SA-24:18.ctl] |29 October 2024 |Unbounded allocation in man:ctl[4] CAM Target Layer 
|https://www.freebsd.org/security/advisories/FreeBSD-SA-24:19.fetch.asc[FreeBSD-SA-24:19.fetch] |29 October 2024 |Certificate revocation list man:fetch[1] option fails |https://www.freebsd.org/security/advisories/FreeBSD-SA-25:01.openssh.asc[FreeBSD-SA-25:01.openssh] |29 January 2025 |OpenSSH Keystroke Obfuscation Bypass |https://www.freebsd.org/security/advisories/FreeBSD-SA-25:02.fs.asc[FreeBSD-SA-25:02.fs] |29 January 2025 |Buffer overflow in some filesystems via NFS |https://www.freebsd.org/security/advisories/FreeBSD-SA-25:03.etcupdate.asc[FreeBSD-SA-25:03.etcupdate] |29 January 2025 |Unprivileged access to system files |https://www.freebsd.org/security/advisories/FreeBSD-SA-25:04.ktrace.asc[FreeBSD-SA-25:04.ktrace] |29 January 2025 |Uninitialized kernel memory disclosure via man:ktrace[2] |https://www.freebsd.org/security/advisories/FreeBSD-SA-25:05.openssh.asc[FreeBSD-SA-25:05.openssh] |21 February 2025 |Multiple vulnerabilities in OpenSSH |https://www.freebsd.org/security/advisories/FreeBSD-SA-25:06.xz.asc[FreeBSD-SA-25:06.xz] |02 July 2025 |Use-after-free in multi-threaded xz decoder |https://www.freebsd.org/security/advisories/FreeBSD-SA-25:07.libarchive.asc[FreeBSD-SA-25:07.libarchive] |08 August 2025 |Integer overflow in libarchive leading to double free |https://www.freebsd.org/security/advisories/FreeBSD-SA-25:08.openssl.asc[FreeBSD-SA-25:08.openssl] |30 September 2025 |Multiple vulnerabilities in OpenSSL |https://www.freebsd.org/security/advisories/FreeBSD-SA-25:09.netinet.asc[FreeBSD-SA-25:09.netinet] |22 October 2025 |`SO_REUSEPORT_LB` breaks man:connect[2] for UDP sockets |https://www.freebsd.org/security/advisories/FreeBSD-SA-25:10.unbound.asc[FreeBSD-SA-25:10.unbound] |26 November 2025 |Cache poison in local-unbound service |=== [[errata]] === Errata Notices [.informaltable] [cols="1,1,1", frame="none", options="header"] |=== | Errata | Date | Topic 
|https://www.freebsd.org/security/advisories/FreeBSD-EN-23:15.sanitizer.asc[FreeBSD-EN-23:15:sanitizer] |01 December 2023 |Clang sanitizer failure with ASLR enabled |https://www.freebsd.org/security/advisories/FreeBSD-EN-23:16.openzfs.asc[FreeBSD-EN-23:16:openzfs] |01 December 2023 |OpenZFS data corruption |https://www.freebsd.org/security/advisories/FreeBSD-EN-23:17.ossl.asc[FreeBSD-EN-23:17:ossl] |05 December 2023 |man:ossl[4]'s AES-GCM implementation may give incorrect results |https://www.freebsd.org/security/advisories/FreeBSD-EN-23:18.openzfs.asc[FreeBSD-EN-23:18:openzfs] |05 December 2023 |High CPU usage by ZFS kernel threads |https://www.freebsd.org/security/advisories/FreeBSD-EN-23:19.pkgbase.asc[FreeBSD-EN-23:19:pkgbase] |05 December 2023 |Incorrect pkgbase version number for FreeBSD {releasePrev}. |https://www.freebsd.org/security/advisories/FreeBSD-EN-23:20.vm.asc[FreeBSD-EN-23:20:vm] |05 December 2023 |Incorrect results from the kernel physical memory allocator |https://www.freebsd.org/security/advisories/FreeBSD-EN-23:21.tty.asc[FreeBSD-EN-23:21:tty] |24 November 2023 |man:tty[4] IUTF8 causes a kernel panic |https://www.freebsd.org/security/advisories/FreeBSD-EN-23:22.vfs.asc[FreeBSD-EN-23:22:vfs] |05 December 2023 |ZFS snapshot directories not accessible over NFS |https://www.freebsd.org/security/advisories/FreeBSD-EN-24:01.tzdata.asc[FreeBSD-EN-24:01:tzdata] |14 February 2024 |Timezone database information update |https://www.freebsd.org/security/advisories/FreeBSD-EN-24:02.libutil.asc[FreeBSD-EN-24:02:libutil] |14 February 2024 |Login class resource limits and CPU mask bypass |https://www.freebsd.org/security/advisories/FreeBSD-EN-24:03.kqueue.asc[FreeBSD-EN-24:03:kqueue] |14 February 2024 |man:kqueue_close[2] page fault on exit using man:rfork[2] |https://www.freebsd.org/security/advisories/FreeBSD-EN-24:04.ip.asc[FreeBSD-EN-24:04:ip] |14 February 2024 |Kernel panic triggered by man:bind[2] 
|https://www.freebsd.org/security/advisories/FreeBSD-EN-24:05.tty.asc[FreeBSD-EN-24:05:tty] |28 March 2024 |TTY Kernel Panic |https://www.freebsd.org/security/advisories/FreeBSD-EN-24:06.wireguard.asc[FreeBSD-EN-24:06:wireguard] |28 March 2024 |Insufficient barriers in WireGuard man:if_wg[4] |https://www.freebsd.org/security/advisories/FreeBSD-EN-24:07.clang.asc[FreeBSD-EN-24:07:clang] |28 March 2024 |Clang crash when certain optimization is enabled |https://www.freebsd.org/security/advisories/FreeBSD-EN-24:08.kerberos.asc[FreeBSD-EN-24:08:kerberos] |28 March 2024 |Kerberos segfaults when using weak crypto |https://www.freebsd.org/security/advisories/FreeBSD-EN-24:09.zfs.asc[FreeBSD-EN-24:09:zfs] |24 April 2024 |High CPU usage by kernel threads related to ZFS |https://www.freebsd.org/security/advisories/FreeBSD-EN-24:10.zfs.asc[FreeBSD-EN-24:10:zfs] |19 June 2024 |Kernel memory leak in ZFS |https://www.freebsd.org/security/advisories/FreeBSD-EN-24:11.ldns.asc[FreeBSD-EN-24:11:ldns] |19 June 2024 |LDNS uses nameserver commented out in resolv.conf |https://www.freebsd.org/security/advisories/FreeBSD-EN-24:12.killpg.asc[FreeBSD-EN-24:12:killpg] |19 June 2024 |Lock order reversal in killpg causing livelock |https://www.freebsd.org/security/advisories/FreeBSD-EN-24:13.libc%2B%2B.asc[FreeBSD-EN-24:13:libc++] |19 June 2024 |Incorrect size passed to heap allocated std::string delete |https://www.freebsd.org/security/advisories/FreeBSD-EN-24:14.ifconfig.asc[FreeBSD-EN-24:14:ifconfig] |07 August 2024 |Incorrect ifconfig netmask assignment |https://www.freebsd.org/security/advisories/FreeBSD-EN-24:15.calendar.asc[FreeBSD-EN-24:15:calendar] |04 September 2024 |man:cron[8] / man:periodic[8] session login |https://www.freebsd.org/security/advisories/FreeBSD-EN-24:16.pf.asc[FreeBSD-EN-24:16:pf] |19 September 2024 |Incorrect ICMPv6 state handling in pf |https://www.freebsd.org/security/advisories/FreeBSD-EN-24:17.pam_xdg.asc[FreeBSD-EN-24:17:pam_xdg] |20 October 2024 |XDG runtime 
directory's file descriptor leak at login |https://www.freebsd.org/security/advisories/FreeBSD-EN-25:01.rpc.asc[FreeBSD-EN-25:01.rpc] |29 January 2025 | NULL pointer dereference in the NFSv4 client |https://www.freebsd.org/security/advisories/FreeBSD-EN-25:02.audit.asc[FreeBSD-EN-25:02.audit] |29 January 2025 |System call auditing disabled by DTrace |https://www.freebsd.org/security/advisories/FreeBSD-EN-25:03.tzdata.asc[FreeBSD-EN-25:03.tzdata] |29 January 2025 |Timezone database information update |https://www.freebsd.org/security/advisories/FreeBSD-EN-25:04.tzdata.asc[FreeBSD-EN-25:04.tzdata] |10 April 2025 |Timezone database information update |https://www.freebsd.org/security/advisories/FreeBSD-EN-25:05.expat.asc[FreeBSD-EN-25:05.expat] |10 April 2025 |Update expat to 2.7.1 |https://www.freebsd.org/security/advisories/FreeBSD-EN-25:06.daemon.asc[FreeBSD-EN-25:06.daemon] |10 April 2025 |man:daemon[8] missing signals |https://www.freebsd.org/security/advisories/FreeBSD-EN-25:07.openssl.asc[FreeBSD-EN-25:07.openssl] |10 April 2025 |Update OpenSSL to 3.0.16 |https://www.freebsd.org/security/advisories/FreeBSD-EN-25:08.caroot.asc[FreeBSD-EN-25:08.caroot] |10 April 2025 |Root certificate bundle update |https://www.freebsd.org/security/advisories/FreeBSD-EN-25:09.libc.asc[FreeBSD-EN-25:09:libc] |02 July 2025 |Dynamically-loaded C++ libraries crashing at exit |https://www.freebsd.org/security/advisories/FreeBSD-EN-25:10.zfs.asc[FreeBSD-EN-25:10:zfs] |02 July 2025 |Corruption in ZFS replication streams from encrypted datasets |https://www.freebsd.org/security/advisories/FreeBSD-EN-25:11.ena.asc[FreeBSD-EN-25:11:ena] |02 July 2025 |`ena` resets and kernel panic on Nitro v4 or newer instances |https://www.freebsd.org/security/advisories/FreeBSD-EN-25:12.efi.asc[FreeBSD-EN-25:12:efi] |08 August 2025 |man:bsdinstall[8] not copying the correct loader on systems with IA32 UEFI firmware. 
|https://www.freebsd.org/security/advisories/FreeBSD-EN-25:13.wlan_tkip.asc[FreeBSD-EN-25:13:wlan_tkip] |08 August 2025 |net80211 TKIP crypto support fails for some drivers |https://www.freebsd.org/security/advisories/FreeBSD-EN-25:14.route.asc[FreeBSD-EN-25:14:route] |08 August 2025 |man:route[8] monitor buffers too much when redirected to a file |https://www.freebsd.org/security/advisories/FreeBSD-EN-25:15.arm64.asc[FreeBSD-EN-25:15:arm64] |16 September 2025 |arm64 man:syscall[2] allows unprivileged user to panic kernel |https://www.freebsd.org/security/advisories/FreeBSD-EN-25:16.vfs.asc[FreeBSD-EN-25:16:vfs] |16 September 2025 |man:copy_file_range[2] fails to set output parameters |https://www.freebsd.org/security/advisories/FreeBSD-EN-25:17.bnxt.asc[FreeBSD-EN-25:17:bnxt] |16 September 2025 |man:bnxt[4] fails to set media type in some cases |https://www.freebsd.org/security/advisories/FreeBSD-EN-25:18.freebsd-update.asc[FreeBSD-EN-25:18:freebsd-update] |30 September 2025 |man:freebsd-update[8] installs libraries in incorrect order |=== [[userland]] == Userland This section covers changes and additions to userland applications, contributed software, and system utilities. [[userland-config]] === Userland Configuration Changes A new `kdc_restart` variable is available that manages man:kdc[8] (or `krb5kdc`) under man:daemon[8]. Set `kdc_restart="YES"` in man:rc.conf[5] to auto restart kdc on abnormal termination. Set `kdc_restart_delay="N"` to the number of seconds to delay before restarting the kdc. gitref:abc4b3088941[repository=src] By default, changes shown in email by the man:periodic[8] facility from the `daily` scripts show less context than before to reduce the size of the output. The behavior can be controlled by the `daily_diff_flags` variable in man:periodic.conf[5]. Similarly, the changes shown by the security scripts show less context than previously, controlled by the `security_status_diff_flags` variable in man:periodic.conf[5]. 
gitref:538994626b9f[repository=src], gitref:37dc394170a5[repository=src], gitref:128e78ffb084[repository=src] [[userland-programs]] === Userland Application Changes The man:adduser[8] utility, used by man:bsdinstall[8], will now create a ZFS dataset for a new user's home directory if the parent directory resides on a ZFS dataset. A command-line option is available to disable use of a separate dataset. ZFS encryption is also available. gitref:516009ce8d38[repository=src] The man:date[1] program now supports nanoseconds. For example: `date -Ins` prints "2024-04-22T12:20:28,763742224+02:00" and `date +%N` prints "415050400". gitref:eeb04a736cb9[repository=src] The man:dtrace[1] utility can now generate machine-readable output in JSON, XML, and HTML using man:libxo[3]. gitref:aef4504139a4[repository=src] (Sponsored by Innovate UK) The man:lastcomm[1] utility now displays timestamps with a precision of seconds. gitref:692c0a2e80c1[repository=src] (Sponsored by DSS Gmbh) The man:ldconfig[8] utility now supports hints files of either byte order. The default format is the native byte-order of the host. gitref:fa7b31166ddb[repository=src] The man:usbconfig[8] utility now reads the descriptions of usb vendor and products from [.filename]#/usr/share/misc/usb_vendors# when available, similar to what man:pciconf[8] does. gitref:7b9a772f9f64[repository=src] An option has been added to change the directory in man:env[1] which closely resembles the feature in the GNU version of env, although it does not support long options. gitref:08e8554c4a39[repository=src] (Sponsored by Klara, Inc.) man:ps[1] now automatically removes canned displays' columns that contain same data as some explicitly-requested columns. 
Before this change, if some user requested to add some "canned display" (options `-j`, `-l`, `-u` or `-v`), columns in it that were duplicates of explicitly-requested ones earlier on the command line were omitted, but this did not work the other way around, when a canned display appears before explicitly-requested columns. Additionally, columns with different keywords but which are aliases to the same keyword are now also considered holding the same data, in addition to columns having the same keyword. gitref:cd768a840644[repository=src] (Sponsored by The FreeBSD Foundation.) man:ps[1]'s `-O` option is now more versatile and predictable. The man:ps[1] display's list of columns is now first built without taking into account the `-O` options. In a second step, all columns passed via `-O` are finally inserted after the built-so-far display's first PID column (if it exists, else at start), in their order of appearance as arguments to the `-O` options. gitref:5dad61d9b949[repository=src] (Sponsored by The FreeBSD Foundation.) man:ps[1]'s `-a` and `-A` options now always show all processes. When combined with other options affecting the selection of processes, except for `-X` and `-x`, option `-a` would have no effect (and `-A` would reduce to just `-x`). This was in contradiction with the rule applying to all other selection options stating that one process is listed as soon as any of these options has been specified and selects it, which is both mandated by POSIX and arguably a natural expectation. As a practical consequence, specifying `-a` or `-A` now causes all processes to be listed regardless of other selection options such as `-U`, `-p`, `-G`, etc., except for the `-X` and `-x` filter options, which continue to apply. In particular, to list only processes from specific jails, one must not use `-a` with `-J`. Option `-J`, contrary to its apparent initial intent, never worked as a filter in practice, except by accident with only `-a` due to the bug. 
gitref:93a94ce731a8[repository=src] (Sponsored by The FreeBSD Foundation.) man:ps[1] now matches current user's processes using the effective user ID. Previously, we would match using the real user ID. This puts man:ps[1] in conformance with POSIX on that topic. gitref:1aabbb25c9f9c4372[repository=src] (Sponsored by The FreeBSD Foundation.) man:ps[1]'s `-U` flag now selects processes by real user IDs. This is what POSIX mandates for option `-U` and arguably the behavior that most users actually need in most cases. Before, `-U` would select processes by their effective user IDs (which is the behavior mandated by POSIX for option `-u`). gitref:995b690d1398[repository=src] (Sponsored by The FreeBSD Foundation.) Add flags to filter jail prison and vnet variables in man:sysctl[8] output. So users do not have to contact the source code to tell whether a variable is a jail prison / vnet one or not. gitref:615c9ce250ee[repository=src]. man:grep[1] no longer follows symbolic links by default for recursive searches. This matches the documented behavior in the manual page. gitref:3a2ec5957ea9[repository=src] man:mdo[1] now supports fully specifying all users and groups in the target credentials. As a convenience, in addition to a full explicit specification, it allows starting from a baseline providing default values for all attributes, which is either the login credentials from some user in the password database or the current credentials, and then amending these attributes selectively. The manual page has been updated to describe the new options and their interactions. gitref:4ffcb1a4a99c[repository=src] (Sponsored by The FreeBSD Foundation.) (Sponsored by Google LLC (GSoC 2025).) [[userland-contrib]] === Contributed Software One True Awk (man:awk[1]) has been updated to 2nd Edition, with new -csv support and UTF-8 support. The snapshot used is 20250804. 
gitref:b45a181a74c8[repository=src] +`bmake` has been upgraded to 20250804, providing many debugging +improvements, bug fixes such as detecting and rejecting `gmake` +syntax, and feature improvements such as a floating point argument to +`-j` being used as a multiple of the number of cpus available. + The man:sendmail[8] suite has been upgraded to version 8.18.1, addressing CVE-2023-51765. gitref:58ae50f31e95[repository=src] `bc` has been upgraded to 7.0.2. gitref:90ea553a0d30[repository=src] `blacklist` has been renamed upstream to `blocklist`. Existing setups will continue to work emitting a warning. The snapshot used is 20251026. gitref:4afb96fdd272[repository=src]. `libarchive` has been upgraded to 3.7.7. gitref:2ae238160f20[repository=src] `libcbor` has been upgraded to 0.11.0. gitref:1755b9daa693[repository=src] (Sponsored by The FreeBSD Foundation) `libcxxrt` has been upgraded to vendor snapshot 6f2fdfebcd62. gitref:d0dcee46d971[repository=src] `libfido2` has been upgraded to 1.14.0. gitref:128bace5102e[repository=src] (Sponsored by The FreeBSD Foundation) `libpcap` has been upgraded to 1.10.5. gitref:26f21a6494b4[repository=src] (Sponsored by The FreeBSD Foundation) `tcpdump` has been upgraded to 4.99.5. gitref:ec3da16d8bc1[repository=src] (Sponsored by The FreeBSD Foundation) `unbound` has been upgraded to 1.22.0. gitref:0a096a7b3ae8[repository=src] `llvm` has been upgraded to 19.1.7-0-gcd708029e0b2. gitref:dc3f24ea8a25[repository=src] man:zfs[8]: OpenZFS has been updated to zfs-2.2-release(2.2.7)(gitref:2ec8b6948070[repository=src]). man:xz[1] has been updated to 5.8.1(gitref:9679eedea94c[repository=src]). man:less[1] has been updated to v668(gitref:0bb4c188d363[repository=src]). man:file[1] has been updated to 5.46(gitref:71c92e6b94f0[repository=src]). man:expat[3] has been updated to 2.7.1(gitref:6f7ee9ac036e[repository=src]). `tzdata` has been updated to 2025b(gitref:475082194ac8[repository=src]). 
OpenSSH has been updated to 9.9p2(gitref:059b786b7db5[repository=src]). (Sponsored by The FreeBSD Foundation). OpenSSL has been updated to 3.0.16(gitref:cb29db243bd0[repository=src]). `googletest` has been updated from 1.14.0 to 1.15.2(gitref:1d67cec52542[repository=src]). One notable change is that GoogleTest 1.15.x now officially requires C++-14 (1.14.x required C++-11). `spleen` has been updated to Spleen 2.1.0(gitref:26336203d32c[repository=src]). [[userland-libraries]] === Runtime Libraries and API The man:setusercontext[3] routine in `libutil` will now set the process priority (nice) from the [.filename]#.login.conf# file from the home directory under appropriate conditions, as well as the system man:login.conf[5]. The priority can now have the value `inherit`, indicating that the priority should be unchanged from that of the parent process. Similarly, the umask can have the value `inherit`. gitref:c328e6c6ccaa[repository=src], gitref:d162d7e2ad32[repository=src], gitref:f2a0277d3e51[repository=src] (Sponsored by Kumacom SAS) Many string and memory operations in the C library now use SIMD (single instruction multiple data) extensions for improved performance when available on amd64 systems; see man:simd[7]. (Sponsored by The FreeBSD Foundation) There is now a much better implementation of the 128-bit `tgammal` function in the math library, man:math[3], on platforms that support it. gitref:8df6c930c151[repository=src] man:fma[3] now returns correctly-signed zero when provided certain small inputs (as observed in the Python test suite). gitref:dc39004bc670[repository=src] (Sponsored by The FreeBSD Foundation) The `cap_rights_is_empty` function has been added. It reports whether a `cap_rights_t` has no rights set. gitref:e77813f7e4a3[repository=src] (Sponsored by The FreeBSD Foundation) `libcxxrt` has been updated to upstream 6f2fdfebcd62(gitref:d9901a23bd2f[repository=src]). The accuracy of man:asinf[3] and man:acosf[3] has improved. 
gitref:33c82f11c267[repository=src] The man:setgroups[2] and man:getgroups[2] system calls and the man:initgroups[3] library function have been changed to avoid setting or reporting the effective group ID, now only concerning themselves with the supplementary groups. The main purpose of this change is to avoid security issues going forward by becoming compatible with Linux/glibc, OpenBSD, NetBSD and illumos-based systems. Consequently, almost all portable applications should already be compliant with this new behavior and will continue to work correctly or even get fixed in the process (see, e.g., gitref:239e8c98636a[repository=src] for an example affecting OpenSSH). However, out of caution, porters, system administrators and users are advised to audit their applications using man:setgroups[2], man:getgroups[2] and man:initgroups[3], watching out for the following points. Applications must be using man:setgid[2] or man:setegid[2] in addition to man:setgroups[2] or man:initgroups[3] to set the effective group ID. They must not treat the first element of the array returned by man:getgroups[2] specially, but instead as any other supplementary group. For more information, please consult the SECURITY CONSIDERATIONS sections that have been added to the man:setgroups[2], man:getgroups[2] and man:initgroups[3] manual pages. Compatibility system calls and library functions have been provided so that binaries and libraries compiled on FreeBSD 14 systems or earlier will continue to work exactly as before. gitref:9da2fe96ff2e[repository=src], gitref:8878569103a3[repository=src], gitref:7132fb5edbc9[repository=src], gitref:2932e6f59bff[repository=src], gitref:8878569103a3[repository=src] (Sponsored by The FreeBSD Foundation.) `libc` contains compatibility functions enabling running executables/libraries compiled for older versions of FreeBSD. Those that are themselves using compatibility system calls would not reference them correctly, causing misbehavior at runtime. 
This has been fixed. gitref:47f5f89dbd27[repository=src] (Sponsored by The FreeBSD Foundation.) [[userland-deprecated-programs]] === Deprecated Applications man:fdisk[8] has been deprecated in favor of man:gpart[8] for a long time but has not been removed, running this application will show a warning to migrate to man:gpart[8]. gitref:3958be5c29da[repository=src] (Sponsored by The FreeBSD Foundation) Update deprecation warning to note that man:gvinum[8] is removed in 15.0(gitref:dec497a9fcbf[repository=src]). Deprecation notice for man:syscons[4] has been added. man:syscons[4] is not compatible with UEFI, does not support UTF-8, and is Giant-locked. There is no specific timeline yet for removing it, but support for the Giant lock is expected to go away in one or two major release cycles. (gitref:8c922db4f3d9[repository=src]). (Sponsored by The FreeBSD Foundation). OpenSSH plans to remove support for the DSA signature algorithm in early 2025. man:publickey[5] stuffs has been deprecated. This uses DES and it is likely that nobody uses that in 2025. (gitref:9197c04a251b[repository=src]). [[cloud]] == Cloud Support This section covers changes in support for cloud environments. {releaseCurrent} supports cloudinit, including the `nuageinit` startup script and support for a `config-drive` partition. It is compatible with OpenStack and many hosting facilities. See the https://cloud-init.io[cloud-init] web site and the commit messages, gitref:16a6da44e28d[repository=src] gitref:227e7a205edf[repository=src]. (Sponsored by OVHcloud) The FreeBSD project is now publishing OCI-compatible container images. gitref:8a688fcc242e[repository=src] The FreeBSD project is now publishing Oracle Cloud Infrastructure images. See the link:https://cloudmarketplace.oracle.com/marketplace/app/freebsd-release[Oracle Cloud Infrastructure FreeBSD Listing] for more information. 
gitref:77b296a2582b[repository=src] The "shutdown" and "reboot" API in the Amazon EC2 cloud now work for arm64 ("Graviton") instances. gitref:28b881840df7[repository=src] (Sponsored by Amazon) Several bug fixes and configuration changes collectively allow device hotplug on both x86 and arm64 ("Graviton") EC2 instances. gitref:ce9a34b1614e[repository=src] gitref:55c3348ed78f[repository=src] gitref:d70bac252d30[repository=src] (Sponsored by Amazon) Users upgrading EC2 instances from earlier FreeBSD releases should set `hw.pci.intx_reroute=0` and `debug.acpi.quirks="56"` in `/boot/loader.conf`. The FreeBSD project now publishes "small" EC2 images; these are the "base" images minus debug symbols, tests, 32-bit libraries, the LLDB debugger, the Amazon SSM Agent, and the AWS CLI. gitref:953142d6baf3[repository=src] (Sponsored by Amazon) The FreeBSD project now publishes "builder" EC2 images; these boot into a memory disk and extract a clean "base" image onto the root disk (mounted at `/mnt`) to be customized before creating an AMI. gitref:584265890303[repository=src] (Sponsored by Amazon) FreeBSD "base" EC2 images now boot up to 76% faster than corresponding {releasePrev} images, with the largest improvements found on arm64 ("Graviton") instances. [[kernel]] == Kernel This section covers changes to kernel configurations, system tuning, and system control parameters that are not otherwise categorized. [[kernel-general]] === General Kernel Changes FreeBSD now natively implements the Linux man:inotify[2] interface. The system calls themselves are not API-compatible, but libc provides an API-compatible interface, so software which relies on inotify can be run unmodified. gitref:f1f230439fa4[repository=src], (Sponsored by Klara, Inc.) The `fpu_kern_enter` and `fpu_kern_leave` routines have been implemented for powerpc, allowing the use of man:ossl[4] crypto functions in the kernel that use floating point and vector registers. 
gitref:91e53779b4fc[repository=src] Support legacy PCI hotplug on arm64. gitref:355f02cddbf0[repository=src]. (Sponsored by Arm Ltd). A new common 'mac' node for MAC modules' jail parameters has been created. All future MAC modules' jail parameters will appear under this node. See man:mac[4] for an introduction to MAC. First consumer is man:mac_do[4]. gitref:5041b20503db[repository=src], gitref:f3a06ced2568[repository=src] (Sponsored by The FreeBSD Foundation.) man:mac_do[4] is now considered production-ready, after a number of important fixes. gitref:bbf8af664dc9[repository=src], gitref:292c814931d9[repository=src], gitref:53d2e0d48549[repository=src], gitref:add521c1a5d2[repository=src], gitref:2a20ce91dc29[repository=src], gitref:fa4352b74580[repository=src], gitref:3d8d91a5b32c[repository=src], gitref:8f7e8726e3f5[repository=src], gitref:89958992b618[repository=src] (Sponsored by The FreeBSD Foundation.) man:mac_do[4] now supports changing rules within jails with the `security.mac.do.rules` man:sysctl[8] knob. gitref:b3f93680e39b[repository=src] (Sponsored by The FreeBSD Foundation.) Introduce the man:setcred[2] system call and associated MAC hooks. This new system call allows to set all necessary credentials of a process in one go: Effective, real and saved user IDs, effective, real and saved group IDs, supplementary groups and the MAC label. Besides providing atomicity, its advantage over standard credentials-setting system calls, such as `setuid()`, `seteuid()`, etc., is that it enables MAC modules, such as man:mac_do[4], to restrict the set of credentials some process may gain in a fine-grained manner, as they can now see the final desired state and compare it with the initial one. gitref:ddb3eb4efe55[repository=src] (Sponsored by The FreeBSD Foundation.) Support multiple users and groups as single rule's targets in man:mac_do[4]. 
Supporting group targets is a requirement for man:mac_do[4] to be able to enforce a limited set of valid new groups in the target credentials and to allow group-only credentials transitions. The allowed groups are tied to one or multiple user IDs. Multiple users and groups in a rule's target part are treated as alternatives (inclusive disjunction), except for the clauses expressing the mandatory presence or absence of a supplementary group. The rules syntax has been changed incompatibly, but migrating existing rules is just a matter of adding `uid=` in front of the target part, substituting commas (`,`) with semi-colons (`;`) and colons (`:`) with greater-than signs (`>`). Please consult the man:mac_do[4] manual page for more information. gitref:83ffc412b2e9[repository=src], gitref:8f7e8726e3f5[repository=src], gitref:f01d26dec67f[repository=src] (Sponsored by The FreeBSD Foundation.) Teach man:sysctl[8] to attach and run itself in a jail. This allows the parent jail to retrieve or set kernel state when child does not have man:sysctl[8] installed (for example light weighted OCI containers or slim jails). This is especially useful when manipulating jail prison or vnet sysctls. For example, `sysctl -j foo -Ja` or `sysctl -j foo net.fibs=2`. gitref:8d5d7e2ba3a6[repository=src]. Enable vnet man:sysctl[9] variables to be loader tunable. In gitref:3da1cf1e88f8[repository=src], the meaning of the flag `CTLFLAG_TUN` is extended to automatically check if there is a kernel environment variable which shall initialize the `SYSCTL` during early boot. It works for all `SYSCTL` types both statically and dynamically created ones, except for the `SYSCTLs` which belong to VNETs. Note that the implementation has a limitation. It behaves the same way as that of non-vnet loader tunables. 
That is, after the kernel or modules being initialized, any changes (for example via `kenv`) to kernel environment variable will not affect the corresponding vnet variable of subsequently created VNETs. To overcome it, `TUNABLE_XXX_FETCH` can be used to fetch the kernel environment variable into those vnet variables during vnet constructing. gitref:894efae09de4[repository=src] man:sound[4]: Allocate vchans on-demand. Refactor `pcm_chnalloc()` and merge with parts of `vchan_setnew()` (now removed) and `dsp_open()`’s channel creation into a `new dsp_chn_alloc()` function. The function is responsible for either using a free HW channel (if `vchans` are disabled), or allocating a new vchan. `hw.snd.vchans_enable` (previously `hw.snd.maxautovchans`) and `dev.pcm.X.{play|rec}.vchans` now work as tunables to only enable/disable `vchans`, as opposed to setting their number and/or (de-)allocating vchans. Since these sysctls do not trigger any (de-)allocations anymore, their effect is instantaneous, whereas before it could have frozen the machine (when trying to allocate new vchans) when setting `dev.pcm.X.{play|rec}.vchans` to a very large value. gitref:960ee8094913[repository=src]. (Sponsored by The FreeBSD Foundation). Gradual slowdowns and freezes experienced by owners of some AMD GPUs using the amdgpu DRM driver from the `drm-kmod` ports, starting with v5.15 (`graphics/drm-515-kmod` port), have been fixed. In particular, owners of graphics cards with Green Sardine, Polaris 10 and 20 chips were known to be affected. Recent Intel-based GPUs (gen 13+) may also have been affected. The main cause is that the Linux's DRM subsystem's TTM component frequently requests memory that is physically contiguous although this property is not strictly necessary, and the kernel was trying too hard to fulfill them, leading to longer and more frequent freezes as physical memory got more fragmented over time. 
In the LinuxKPI, `linux_alloc_pages()` now honors `__GFP_NORETRY` by not trying to break superpage reservations or defragment memory if the request for contiguous physical memory cannot be fulfilled immediately. Another cause was that, during recent LinuxKPI evolution, `kmalloc()` was changed to always return physically contiguous memory as it does in Linux, but unfortunately `kvzalloc()` relied on `kmalloc()` and this was not changed, effectively turning all large memory allocations of zeroed pages into costly physically contiguous ones. On allocation success, the TTM component sets page attributes unconditionally, regardless of whether they are already in place, which triggerred expensive TLB shootdowns even when not necessary. Yet another cause was a flaw in the code iterating over memory domains (NUMA) leading to re-examining the same domain multiple times even if it could not fulfill the contiguous allocation request. More details about this are given below. Finally, some useless temporary physically contiguous allocation routinely performed in the case of Carrizo, Polaris and Vega M based AMD GPUs was converted to a regular one in the DRM drivers from the latest `drm-*-kmod` ports. gitref:718d1928f874[repository=src], gitref:4ca9190251bb[repository=src], gitref:986edb19a49c[repository=src], gitref:9d1f3ce79d85[repository=src], gitref:da257e519bc0[repository=src] (Sponsored by The FreeBSD Foundation.) Multiple flaws were fixed in the code iterating over memory domains (NUMA). A failing contiguous allocation request would lead to re-examine the same domain multiple times even if it could not fulfill the request, wasting time and increasing allocation latency. This would happen up to 4 times for the common case of a single memory domain and the "first touch" policy. 
The first domain selected by all allocation policies, except "first touch" in some cases, would be considered even if it was not in the allowed domains mask or had been marked as to ignore in a previous attempt with the same iterator. After a failed first attempt and sleeping, waiting allocations would restart with the policy's first domain even if that one was still in a low memory condition. Finally, the "interleave" policy would reset the iterator index when restarting, effectively resetting the initial domain in the round-robin phase that happens after allocation from the first domain failed. gitref:da257e519bc0[repository=src], gitref:83ad6d8d8eee[repository=src], gitref:b15ff7214020[repository=src] (Sponsored by The FreeBSD Foundation.) The local stream (AF_UNIX/SOCK_STREAM) and sequenced packet stream (AF_UNIX/SOCK_SEQPACKET) sockets have been improved for better bulk transfer and round trip times. The SOCK_SEQPACKET socket has been brought to the specification and now behaves as a true stream socket, while in previous FreeBSD releases it could exhibit features of a datagram socket. Applications that were using SOCK_SEQPACKET incorrectly and relied on old implementation bugs may need to be adjusted. gitref:d15792780760[repository=src] The effective group ID is now stored in the new `cr_gid` field of `struct cred` and has been removed as the first element of `cr_groups[]`, which now only contains the supplementary groups. All downstream and out-of-tree modules using `cr_groups[0]` must be fixed to use `cr_gid` instead, and surrounding code that loops on `cr_groups[]` elements excluding `cr_groups[0]`, i.e., that intends to act on supplementary groups only, also needs to be adjusted as now supplementary groups start at `&cr_groups[0]` instead of `&cr_groups[1]`. 
Code that needs to be portable to both 15.0 and earlier versions can use `cr_gid`, which existed also previously as a macro, and can test the truth value of `&cr_groups[0] != &cr_gid` to know how to browse the supplementary groups adequately. gitref:be1f7435ef218b1df35[repository=src] (Sponsored by the FreeBSD Foundation.) [[drivers]] == Devices and Drivers This section covers changes and additions to devices and device drivers since {releasePrev}. [[drivers-device]] === Device Drivers A driver is available for man:ice[4] Ethernet network controllers in the Intel E800 series, which support 100 Gb/s operation. It was upgraded to version 1.43.2-k. gitref:38a1655adcb3[repository=src] (Sponsored by Intel Corporation) man:rtw88[4]: Merge Realtek's rtw88 driver based on Linux v6.17 (gitref:c1d365f39e08[repository=src]). A possible issue that devices cannot authenticate is still being investigated. (Sponsored by The FreeBSD Foundation). man:rtw89[4]: Merge Realtek's rtw89 driver based on Linux v6.17 (gitref:b35044b38f74[repository=src]). The driver is under-tested and may still have issues. (Sponsored by The FreeBSD Foundation). man:iwlwifi[4]: Merge Intels's iwlwifi mvm/mld driver based on Linux v6.17 (gitref:69caa1cf3ce5[repository=src]). The BE200 based chipsets will need newer firmware requiring further driver fixes which are not in this release. (Sponsored by The FreeBSD Foundation). Numerous stability improvements have been in the man:iwlwifi[4] driver for Intel Wi-Fi devices. (Sponsored by The FreeBSD Foundation) Multiple PCI MCFG regions are now supported on amd64 and i386, allowing PCI configuration space access for domains (segments) other than 0. gitref:4b5f64408804[repository=src] The man:smsc[4] Ethernet driver can now fetch the value of `smsc95xx.macaddr` passed by some Raspberry Pi models and use it for the MAC address. It always uses a stable MAC address even if there is no address in EEPROM. 
gitref:028e4c6548e4[repository=src] The `snd_clone` framework has been removed from the sound subsystem, including related sysctls, simplifying the system. The per-channel nodes ([.filename]#/dev/dspX.Y#) are no longer created, just the primary device ([.filename]#/dev/dspX#). gitref:e6c51f6db8d7[repository=src] (Sponsored by The FreeBSD Foundation) Audio now supports asynchronous device detach. This greatly simplifies hot plugging and unplugging of things such as USB headsets, and eases use of PulseAudio in cases that require operating system sleep and wake (suspend and resume). gitref:d692c314d29a[repository=src] (Sponsored by The FreeBSD Foundation) `ena` has been upgraded to 2.8.0. gitref:6bf02434bd9a[repository=src] (Sponsored by Amazon, Inc.) `ice_ddp` has been upgraded to 1.3.41.0. gitref:a9d78bb714e3[repository=src] (Sponsored by Intel Corporation) Tiger Lake-H support has been added to the man:hda[4] driver. gitref:dbb6f488df6e[repository=src] Meteor Lake support has been added to the man:ichsmb[4] driver. gitref:14c22e28e4ee[repository=src] (Sponsored by Framework Computer Inc) (Sponsored by The FreeBSD Foundation) Meteor Lake support has been added to the man:ig4[4] driver. gitref:56f0fc0011c2[repository=src] A new wireless driver supporting some Realtek chipsets is available: man:rtw89[4]. gitref:a2d1e07f6451[repository=src] (Sponsored by The FreeBSD Foundation) Support for Realtek 8156/8156B has been moved from man:cdce[4] to man:ure[4] for improved performance and reliability. gitref:630077a84186[repository=src] (Sponsored by The FreeBSD Foundation) Support for ACPI GPIO _AEI objects has been added. gitref:1db6ffb2a482[repository=src] (Sponsored by Amazon) man:nvme[4] and man:nvmecontrol[8] have been enabled on all architectures. gitref:24687a65dd7f[repository=src], gitref:aba2d7f89dcf[repository=src] (Sponsored by Chelsio Communications and Netflix) man:mpi3mr[4] driver version has been updated to 8.14.0.2.0(gitref:e6d4b221ba7c[repository=src]). 
man:mpi3mr[4] MPI Header has been updated to Version 36. This aligns with the latest MPI specification. This includes updated structures, field definitions, and constants required for compatibility with updated firmware. (gitref:60cf1576501d[repository=src]). The man:mpi3mr[4] driver is now in GENERIC (gitref:e2b8fb2202c2[repository=src]). man:rtw88[4]: Merge Realtek's rtw88 driver based on Linux v6.14 (gitref:8ef442451791[repository=src]). (Sponsored by The FreeBSD Foundation). man:rtw89[4]: Merge Realtek's rtw89 driver based on Linux v6.14 (gitref:b6e8b845aeab[repository=src]). (Sponsored by The FreeBSD Foundation). man:iwmbtfw[4]: Add support for 9260/9560 bluetooth adapters (gitref:8e62ae9693bd[repository=src]). Required firmware files are already included in to package:comms/iwmbt-firmware[] port. man:ena[4] driver version has been updated to v2.8.1 (gitref:a1685d25601e[repository=src]). (Sponsored by Amazon, Inc.) man:bnxt[4]: Enable NPAR support on BCM57504 10/25GbE NICs. (gitref:54f842ed8897[repository=src]). man:bnxt[4]: Add 5760X (Thor2) PCI IDs support. Add Thor2 PCI IDs. (gitref:45e161020c2d[repository=src]). man:bnxt[4]: Add support for 400G speed modules (gitref:32fdad17f060[repository=src]). man:ix[4]: Add support for 1000BASE-BX SFP modules. Add support for 1Gbit BiDi modules. (gitref:89d4096950c4[repository=src]). man:igc[4]: Fix attach for I226-K and LMVP devices. The device IDs for these were in the driver's list of PCI ids to attach to, but `igc_set_mac_type()` had never been setup to set the correct mac type for these devices. Fix this by adding these IDs to the switch block in order for them to be recognized by the driver instead of returning an error. This fixes the man:igc[4] attach for the I226-K LOM on the ASRock Z790 PG-ITX/TB4 motherboard, allowing it to be recognized and used. gitref:f034ddd2fa38[repository=src]. Remove old itr sysctl handler from man:em[4]. This implementation had various bugs. 
The unit conversion/scaling was wrong, and it also did not handle 82574L or man:igb[4] devices correctly. With the new AIM code, it is expected most users will not need to manually tune this. gitref:edf50670e215[repository=src] (Sponsored by BBOX.io). Added support for Brainboxes USB-to-Serial adapters in man:uftdi[4]. (gitref:47db906375b5[repository=src]) The man:iwx[4] driver has been added, supporting the Intel Wi-Fi 6 series of M.2 wireless network adapters. gitref:2ad0f7e91582[repository=src] (Sponsored by The FreeBSD Foundation) A new cellular modem driver supports USB network devices implementing the Mobile Broadband Interface Model (MBIM): man:umb[4]. The accompanying man:umbctl[8] tool is used to display or set MBIM cellular modem interface parameters (4G/LTE). gitref:0f1bf1c22a0c[repository=src] (Sponsored by The FreeBSD Foundation) man:smbios[4] now searches for the SMBIOS v3 (64-bit) entry point first also if booted from BIOS. This allows to detect and report the proper SMBIOS version with BIOSes that only provide the v3 table, as happens on Hetzner virtual machines. For machines that provide both, leverage the v3 table in priority consistently with the EFI case. gitref:bc7f6508363c[repository=src] (Sponsored by The FreeBSD Foundation.) [[drivers-removals]] === Deprecated and Removed Drivers man:agp[4] has been planned for removal in FreeBSD 15.0, and the man page now states that it is deprecated. gitref:92af7c97e197[repository=src] man:syscons[4] has been planned for removal in future releases, and has been noted as deprecated in the man pages to notify users to migrate to man:vt[4]. gitref:2bc5b1d60512[repository=src] (Sponsored by The FreeBSD Foundation) [[storage]] == Storage This section covers changes and additions to file systems and other storage subsystems, both local and networked. [[storage-nfs]] === NFS The man:mountd[8] server has been modified to use man:strunvis[3] to decode directory names in man:exports[5] file(s). 
This allows special characters, such as blanks, to be embedded in the directory name. `vis -M` may be used to encode such directory names; see man:vis[1]. gitref:2c83f1ada435[repository=src] New man:sysctl[8] variables have been added under `kern.rpc.unenc` and `kern.rpc.tls`, which allow an NFS server administrator to determine how much NFS-over-TLS is being used. A large number of failed handshakes might indicate an NFS configuration problem. gitref:b8e137d8d32d[repository=src] [[storage-ufs]] === UFS Soft updates are now enabled by default when creating a new UFS file system with man:newfs[8]. gitref:6b2af2d88ffd[repository=src] [[storage-zfs]] === ZFS [[storage-general]] === General Storage Define a new `-a` command line option man:mountd[8]. When a file system was exported with the `-alldirs` flag, the export succeeded even if the directory path was not a server file system mount point. gitref:ead3cd3ef628[repository=src] Document recent file handle layout changes. gitref:ca22082c01a7[repository=src] Allow to specify as many groups as configured to be supported by the system in `-maproot` or `-mapall` options in man:exports[5]. Previously, the cap was `NGROUPS_MAX + 1`, where `NGROUPS_MAX` is just the minimum maximum of the number of allowed supplementary groups. Now use the proper `{NGROUPS_MAX} + 1` value, with `{NGROUPS_MAX}` being fetched at runtime via man:sysconf[3]. gitref:e87848a8150e[repository=src] (Sponsored by The FreeBSD Foundation.) [[boot-loader]] == Boot Loader Changes This section covers the boot loader, boot menu, and other boot-related changes. The man:loader[8] now reads local configuration files listed in the variable `local_loader_conf_files` after other configuration files, defaulting to [.filename]#/boot/loader.conf.local#. 
gitref:a25531db0fc2[repository=src] The man:loader[8] can now be configured to read specific configuration files based on the planar maker, planar product, system product and uboot m_product variables from the SMBIOS. For the moment, the best documentation is the git commit message, gitref:3eb3a802a31b[repository=src]. Console detection in man:loader[8] has been improved on EFI systems. If there is no ConOut variable, ConIn is checked. If multiple devices are found, serial is preferred. gitref:20a6f4779ac6[repository=src] (Sponsored by Netflix) Frame buffer support in man:loader[8] can now use a text-only video driver, resulting in space savings. gitref:57ca2848c0aa[repository=src] (Sponsored by Netflix) The detection of ACPI is now done earlier in man:loader.efi[8] on arm64 systems. The copy of [.filename]#loader.efi# on the EFI partition should be updated on arm64 systems using ACPI. gitref:05cf4dda599a[repository=src] gitref:16c09de80135[repository=src] The LinuxBoot loader can be used to boot FreeBSD from Linux on aarch64 systems as well as amd64. gitref:46010641267[repository=src] (Sponsored by Netflix) The BIOS boot loader added back support for gzip and bzip2, but removed support for graphics mode (by default) to address size problems. (The EFI boot loader is unchanged with support for all of those.) gitref:4d3b05a8530e[repository=src] (Sponsored by Netflix) The BIOS boot loader will now use the SMBIOS v3 (64-bit) entry point if its table is below 4GB. The BIOS boot loader is compiled 32-bit as a client of BTX even on amd64, so cannot access addresses beyond 4GB. However, the 64-bit entry point may refer to a structure table below 4GB, which can be used if the BIOS does not provide a 32-bit entry point, as happens on Hetzner virtual machines. gitref:7f005c6699f4[repository=src] (Sponsored by The FreeBSD Foundation.) The BIOS boot loader now favors the SMBIOS v3 (64-bit) entry point. 
When both the 32-bit and 64-bit entry points are present, the SMBIOS specification says that the 64-bit entry point always has at least all the structures the 32-bit entry point refers to. In other words, the 32-bit entry point is provided for compatibility, so it is assumed the 64-bit one has more chances to be filled with adequate values. gitref:3f744fb8b2c5[repository=src] (Sponsored by The FreeBSD Foundation.) The EFI boot loader now favors the SMBIOS v3 (64-bit) entry point. Consistently with what is done with BIOS boot. There is a difference though: As the EFI loader runs in 64-bit mode on 64-bit platforms, there is no restriction that the v3 entry point's structure table should be below 4GB. gitref:96f77576e9ea[repository=src] (Sponsored by The FreeBSD Foundation.) [[network]] == Networking This section describes changes that affect networking in FreeBSD. [[network-protocols]] === Network Protocols Lots of improvements to the network stack, including performance improvements and bug fixes for the man:sctp[4] stack. Descriptors returned by man:sctp_peeloff[2] now inherit Capsicum capability man:rights[4] from the parent socket. gitref:ae3d7e27abc9[repository=src] (Sponsored by The FreeBSD Foundation) [[network-general]] === General Network The man:ifconfig[8] utility will no longer accept assigning IP addresses to the underlying member interfaces of a man:bridge[4]. To temporarily bypass this safeguard, use the net.link.bridge.member_ifaddrs man:sysctl[8]. This sysctl is expected to be removed in FreeBSD 16. gitref:b61850c4e6f6[repository=src] ARP (man:arp[4]) support for 802-standard networks has been restored; it had been accidentally removed with FDDI support. (This is different than the Ethernet standard encapsulation.) gitref:d776dd5fbd48[repository=src] It is possible to build a kernel with IPv6 support (INET6) without IPv4 (INET). 
gitref:6df9fa1c6b83[repository=src] and others The netgraph man:ng_ipfw[4] module no longer truncates cookies to 16 bits, allowing a full 32 bits. gitref:dadf64c5586e[repository=src] AIM(Adaptive Interrupt Moderation) support has been added to the man:igc[4] driver. gitref:472a0ccf847a[repository=src] (Sponsored by Rubicon Communications, LLC ("Netgate") and BBOX.io) This feature has also been added to the man:lem[4], man:em[4] and man:igb[4] drivers. A major regression in UDP performance introduced in FreeBSD 12.0, including NFS over UDP, is believed to be fixed with this change. gitref:49f12d5b38f6[repository=src] (Sponsored by Rubicon Communications, LLC ("Netgate") and BBOX.io) Teach man:ip6addrctl[8] to attach and run itself in a jail. This will make it easier to manage address selection policies of vnet jails, especially for those light weighted OCI containers or slim jails. gitref:b709f7b38cc4[repository=src] Convert `PF_DEFAULT_TO_DROP` into a vnet loader tunable 'net.pf.default_to_drop' for man:pf[4]. gitref:7f7ef494f11d[repository=src] introduced a compile time option `PF_DEFAULT_TO_DROP` to make the man:pf[4] default rule to drop. While this change exposes a vnet loader tunable 'net.pf.default_to_drop' so that users can change the default rule without re-compiling the man:pf[4] module. gitref:3965be101c43[repository=src] A new man:pf[4] route-to pool option "prefer-ipv6-nexthop" allows for routing IPv4 packets over IPv6 gateways. gitref:65c318630123[repository=src] gitref:d2761422eb0a[repository=src] (Sponsored by InnoGames GmbH) man:pf[4] now supports the OpenBSD style NAT syntax. It is possible to use "nat-to", "rdr-to" and "binat-to" on "pass" and "match" rules. The old "nat on ..." syntax can still be used. gitref:e0fe26691fc9[repository=src] (Sponsored by InnoGames GmbH) The man:pfsync[4] protocol has been updated to synchronize multiple missing attributes. 
This fixes synchronizing of states with route-to, af-to, rtable, dummynet, tags, and scrub options. If synchronization with an older version of FreeBSD is needed the protocol version can be configured with `ifconfig pfsync0 version $VERSION` where $VERSION is 1301 for 13.X relases or 1400 for 14.X. It defaults to 1500 for synchronization between hosts running FreeBSD 15.0. gitref:99475087d63b[repository=src] (Sponsored by InnoGames GmbH) [[wireless-networking]] === Wireless Networking The LinuxKPI 802.11 compatibility layer man:linuxkpi_wlan[4] gained support for the Galois/Counter Mode Protocol (GCMP) from man:wlan_gcmp[4]. (Sponsored by The FreeBSD Foundation) Following other drivers man:iwlwififw[4] firmware was removed from the base system in favor of the ports based solution and man:fwget[8] support. In case of updating from earlier releases, users must install the firmware packages upfront. (Sponsored by The FreeBSD Foundation) The man:iwlwifi[4] wireless driver supports 802.11ac (VHT) for some Intel Wi-Fi 5, and all of Intel Wi-Fi 6 and Wi-Fi 7 hardware. (Sponsored by The FreeBSD Foundation) The man:iwx[4] wireless driver supports 802.11ac (VHT) for Intel Wi-Fi 6 harddware. (Sponsored by The FreeBSD Foundation) The man:rtwn[4] wireless driver supports 802.11ac (VHT) for the RTL8812A and RTL8821A chipsets. [[hardware]] == Hardware Support This section covers general hardware support for physical machines, hypervisors, and virtualization environments, as well as hardware changes and updates that do not otherwise fit in other sections of this document. Please see link:https://www.freebsd.org/releases/{localRel}R/hardware[the list of hardware] supported by {releaseCurrent}, as well as link:https://www.freebsd.org/platforms/[the platforms page] for the complete list of supported CPU architectures. [[hardware-virtualization]] === Virtualization Support The NVMM hypervisor is now detected. 
gitref:34f40baca641[repository=src] The VNC server in man:bhyve[8] will now show the correct colors when using the package:www/novnc[] client. gitref:f9e09dc5b1d5[repository=src] Under Hyper-V, TLB flushes are now performed using hypercalls rather than IPIs, providing up to a 40% improvement in TLB performance. gitref:7ece5993b787[repository=src] (Sponsored by Microsoft) [[linuxulator]] === Linux Binary Compatibility The `AT_NO_AUTOMOUNT` flag is now ignored for all Linuxulator stat() variants (as the behavior specified by the flag already matches FreeBSD's), improving Linux application compatibility. gitref:99d3ce80ba07[repository=src] (Sponsored by The FreeBSD Foundation) The Linux man:inotify[2] system calls are now implemented in the Linuxulator. (Sponsored by Klara, Inc.) [[multimedia]] == Multimedia Many improvements to the audio stack including support for hot-swapping in man:mixer[8], and the addition of man:mididump[1]. gitref:cf9d2fb18433[repository=src] (Sponsored by The FreeBSD Foundation) gitref:7224e9f2d4af[repository=src] (Sponsored by The FreeBSD Foundation) [[documentation]] == Documentation This section covers changes to manual (man:man[1]) pages and other documentation shipped with the base system. [[man-pages]] === Man Pages A new man:networking[7] manual page provides a quickstart guide to connecting the system to networks including Wi-Fi, and links to other manual pages and the handbook. gitref:39f92a4c4c49[repository=src] Refer to man:graid[8] and man:zfs[8] instead of man:gvinum[8] in man:ccdconfig[8]). (gitref:55cb3a33d920[repository=src]). The man:ps[1] manual page has been revamped to explain the general principles, and descriptions in there have been updated to match reality. The preamble has been revamped to give a thorough overview of the different aspects of the man:ps[1] command. The description of several options and some keywords have been fixed to match their actual behavior and/or expanded. 
The STANDARDS and BUGS sections have been expanded. gitref:ddf144a04b53[repository=src] (Sponsored by The FreeBSD Foundation.) The man:mac_do[4] manual page has been revamped as part of adding support for multiple users and groups as single rule's targets, which lead to changing the rules syntax. In particular, it has grown a JAIL SUPPORT and SECURITY CONSIDERATIONS sections. gitref:bc201841d139[repository=src] (Sponsored by The FreeBSD Foundation.) The existing content of the man:mdo[1] manual page has been enriched as part of documenting the new support for fully specifying all users and groups in the target credentials. It has now a longer introduction and a new SECURITY CONSIDERATIONS section. gitref:20ebb6ec5ac0[repository=src] (Sponsored by The FreeBSD Foundation.) (Sponsored by Google LLC (GSoC 2025).) man:firewire[4]: Add deprecation notice. This was originally discussed as part of FreeBSD 15 planning, but did not happen in time. Add the deprecation notice now, with an expectation that it will be removed before FreeBSD 16. gitref:fc889167c319[repository=src]. (Sponsored by The FreeBSD Foundation). The ethernet switch controllers, man:mtkswitch[4], man:ip17x[4], man:ar40xx[4], and man:e6000sw[4] have gained initial manual pages. man:mount[8] has gained an example for remounting all filesystems read/write in single-user mode. Manual pages for the lua man:loader[8] modules have had their descriptions reworded to optimize man:apropos[1] results. The manual pages style guide, man:style.mdoc[5], has gained a section for listing supported hardware. When listed this way, the supported hardware will be listed in link:https://www.freebsd.org/releases/{localRel}R/hardware[the supported hardware notes]. Many manuals have had this section added or reworded in this release. Much work has gone into adding man:sysctl[8]s and environment variables to the manual. Try searching for them with `apropos Va=here.is.the.sysctl` or `apropos Ev=here_is_the_environment_variable`. 
The man:intro[5] to the File Formats manual has been revised, incorporating improvements from OpenBSD. [[ports]] == Ports Collection and Package Infrastructure This section covers changes to the FreeBSD Ports Collection, package infrastructure, and package maintenance and installation tools. A new `FreeBSD-kmods` repository is included in the default `/etc/pkg/FreeBSD.conf` man:pkg[8] configuration file. This repository contains kernel modules compiled specifically for {releaseCurrent} rather than for the {releaseBranch} branch. Installing kernel modules from this repository allows drivers with unstable kernel interfaces, in particular graphics drivers, to work even when the main {releaseBranch} repository has packages build on a previous release. (gitref:a47542f71511[repository=src]). The `FreeBSD` and `FreeBSD-kmods` repositories defined in `/etc/pkg/FreeBSD.conf` have been renamed to `FreeBSD-ports` and `FreeBSD-ports-kmods` respectively. Users who override these in `/usr/local/etc/pkg/repos` will need to adjust their configuration to match the new names. [[Installer]] === Installer The FreeBSD installer, man:bsdinstall[8], now supports downloading and installing firmware packages after the FreeBSD base system installation is complete. gitref:03c07bdc8b31[repository=src] (Sponsored by The FreeBSD Foundation) [[ports-packages]] === Packaging Changes The package:net/wifi-firmware-kmod@release[] package has been added to the DVD package set in order to provide necessary firmware for wifi drivers. gitref:8c6df7ead19c[repository=src] (Sponsored by The FreeBSD Foundation) [[future-releases]] == General Notes Regarding Future FreeBSD Releases
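Review bot: In the General Storage section, the entry "Define a new `-a` command line option man:mountd[8]" never says what `-a` does; it only describes the earlier behaviour, where an `-alldirs` export succeeded even if the directory path was not a server file system mount point. This determines which directories an NFS server exposes, so please state what happens when `-a` is given and what happens without it, add the missing "to" before man:mountd[8], and consider moving the entry under the NFS heading next to the other man:mountd[8] item. The man:mac_do[4] entry says the rules syntax "has been changed incompatibly"; since existing rules have to be rewritten (`uid=` prefix, `,` to `;`, `:` to `>`), it deserves a pointer in the upgrading remarks as well as under General Kernel Changes. Two entries are worded as future plans and should be checked against the release: "OpenSSH plans to remove support for the DSA signature algorithm in early 2025" and man:agp[4] "has been planned for removal in FreeBSD 15.0". Smaller points: the `=== ZFS` heading has no content under it; man:rtw88[4] and man:rtw89[4] each have two merge entries (Linux v6.17 and v6.14) and `ena` appears as both 2.8.0 and v2.8.1, so keep only the final state; `net.link.bridge.member_ifaddrs` is missing the backticks used for other sysctls; gitref:46010641267 is 11 characters and gitref:be1f7435ef218b1df35 is 19 where the others are 12; the man:ichsmb[4] entry carries two sponsor lines; and there are typos at "triggerred", "relases", "harddware", "Intels's", "included in to" and "stuffs has been".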