diff --git a/release/doc/en_US.ISO8859-1/relnotes/article.sgml b/release/doc/en_US.ISO8859-1/relnotes/article.sgml index ffead8a9137f..db49b464ab10 100644 --- a/release/doc/en_US.ISO8859-1/relnotes/article.sgml +++ b/release/doc/en_US.ISO8859-1/relnotes/article.sgml 
@@ -1,1015 +1,1015 @@ &os;/&arch; &release.current; Release Notes The FreeBSD Project $FreeBSD$ 2000 2001 2002 2003 The FreeBSD Documentation Project The release notes for &os; &release.current; contain a summary of This document lists applicable security advisories that were issued since the last release, as well as significant changes to the &os; kernel and userland. Some brief remarks on upgrading are also presented. Introduction This document contains the release notes for &os; &release.current; on the &arch.print; hardware platform. It describes recently added, changed, or deleted features of &os;. It also provides some notes on upgrading from previous versions of &os;. The &release.type; distribution to which these release notes apply represents a point along the &release.branch; development branch between &release.prev; and the future &release.next;. Some pre-built, binary &release.type; distributions along this branch can be found at . ]]> This distribution of &os; &release.current; is a &release.type; distribution. It can be found at or any of its mirrors. More information on obtaining this (or other) &release.type; distributions of &os; can be found in the Obtaining FreeBSD appendix to the FreeBSD Handbook. ]]> Users who are new to the &release.branch; series of &os; &release.type;s should also read the Early Adopters Guide to &os; &release.current;. This document can generally be found in the same location as the release notes (either as a part of a &os; distribution or on the &os; Web site). It contains important information regarding the advantages and disadvantages of using &os; &release.current;, as opposed to releases based on the &os; 4-STABLE development branch. All users are encouraged to consult the release errata before installing &os;. The errata document is updated with late-breaking information discovered late in the release cycle or after the release. 
Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for &os; &release.current; can be found on the &os; Web site. What's New This section describes Typical release note items document recent security advisories issued after &release.prev.historic;, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to &os; between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements. Security Advisories A remotely exploitable vulnerability in CVS has been corrected with the import of version 1.11.5. More details can be found in security advisory FreeBSD-SA-03:01. &merged; A timing-based attack on OpenSSL, which could allow a very powerful attacker access to plaintext under certain circumstances, has been prevented via an upgrade to OpenSSL 0.9.7. See security advisory FreeBSD-SA-03:02 for more details. &merged; The security and performance of the syncookies feature has been improved to decrease the chance of an attacker being able to spoof connections. More details are given in security advisory FreeBSD-SA-03:03. &merged; Remotely-exploitable buffer overflow vulnerabilities in sendmail have been fixed by updating sendmail. For more details, see security advisory FreeBSD-SA-03:04 and FreeBSD-SA-03:07. &merged; A bounds-checking bug in the XDR implementation, which could allow a remote attacker to cause a denial-of-service, has been fixed. For more details see security advisory FreeBSD-SA-03:05. &merged; Two recently-publicized flaws in OpenSSL have been corrected. For more details, see security advisory FreeBSD-SA-03:06. &merged; Kernel Changes Support for the CanBe power management controller has been added. 
&merged; &man.devfs.5; is now mandatory; the NODEVFS option has been removed from the set of possible kernel configuration options. An ehci driver has been added; it supports the USB Enhanced Host Controller Interface used by USB 2.0 controllers. A minor bug in the permissions handling of /dev/tty has been fixed. As a result, &man.ssh.1; can now be used after &man.su.1;. A bug that caused &man.fstat.2; to return 0 as the number of bytes available to read from a TCP socket has been fixed. A bug that caused &man.kqueue.2; to report 0 as the number of bytes available to read from a TCP socket has been fixed. The NOTE_LOWAT flag for EVFILT_READ has been fixed. Linux emulation mode now supports IPv6. &man.madvise.2; now supports a MADV_PROTECT behavior, which informs the virtual memory system that a process is critical and should not be killed when swap space has been exhausted. The process must be owned by the superuser. The tw driver for TW-523 power line interfaces (used by X-10 home control products) has been removed. It is currently non-functional, and would require a considerable amount of work to make it work under &release.branch;. The xten and xtend userland control programs have also been removed. A second process scheduler, designed to be a general purpose scheduler with many SMP benefits, has been added to the scheduler framework. Exactly one scheduler must be specified in a kernel configuration. The original scheduler may be selected using options SCHED_4BSD. The newer (experimental) scheduler can be selected by using options SCHED_ULE. Device major numbers are now allocated dynamically by default. This change greatly decreases the need for a static, centralized table of major number assignments to device drivers (a few drivers retain their old static major numbers for compatibility), and also reduces the possibility of running out of device major numbers. 
A partial lazy switch mechanism for in-kernel threads has been implemented; it is designed to reduce the overhead of short context switches (such as for interrupt handlers) that do not involve another process. This feature can be enabled with options LAZY_SWITCH. Processor/Motherboard Support SMP kernels now have rudimentary support for HyperThreading (HTT). The scheduler treats the logical CPUs as if they were additional physical CPUs. This can actually cause suboptimal performance in some cases due to contention for resources. Therefore, logical CPUs are halted by default at startup. They can be enabled with the machdep.hlt_logical_cpus sysctl variable. It is also possible to halt any CPU in the idle loop with the machdep.hlt_cpus sysctl variable. The &man.smp.4; manual page has more details. Some other versions of &os;, including early 5.0-CURRENT snapshots and 4.8-RELEASE, used options HTT to enable HyperThreading support at kernel configuration time. This option is no longer necessary. Support for the Physical Address Extensions (PAE) capability on Intel Pentium Pro and higher processors has been added. This allows the use of up to 64GB of RAM in a machine, although the amount of memory usable by any single process (or the &os; kernel) is unchanged. For more information, see the &man.pae.4; manual page. Work on this feature was sponsored by DARPA and Network Associates Laboratories. A new &man.vpd.4; driver has been added to read hardware information from the Vital Product Data structure on IBM ThinkPad machines. Boot Loader Changes The alpha boot loader (boot1) can now be called boot for consistency with other platforms. The two parts of the boot loader (boot1 and boot2) have been combined into a single boot file, to simplify programs that need to write or otherwise manipulate the boot loader. The PC98 boot loader now has support for booting from SCSI MO media. 
&merged; The /modules directory (once the default location for modules on &os; 4.X) is no longer a part of the default kern.module_path. Third-party modules should be placed in /boot/modules. Modules designed for use with &os; 4.X are likely to panic when loaded into a &os; &release.current; kernel and should be used with extreme caution. Due to code size limitations, the i386 boot loader can only load kernels from root file systems that are 1.5TB or smaller in size. Network Interface Support A new &man.axe.4; network driver has been added. It provides support for USB Ethernet adapters based on the ASIX Electronics AX88172 USB 2.0 chipset. The cm driver now supports IPX. &merged; The &man.rue.4; network has been added, providing support for Ethernet adapters based on the RealTek RTL8150 USB to Fast Ethernet controller chip. The &man.sbsh.4; driver for the Granch SBNI16 SHDSL modem has been added. &merged; A new &man.wlan.4; module provides 802.11 link-layer support. The &man.wi.4; and &man.an.4; drivers now use this facility. A timing bug in the &man.xl.4; driver, which could cause a kernel panic (or other problems) when configuring an interface, has been fixed. Network Protocols &man.ipfw.4; skipto rules can once again be used with the log keyword. &man.ipfw.4; uid rules are once again working. It is now possible to build the FAST_IPSEC and INET6 options into the same kernel. (They still cannot be used together, however.) A bug in TCP NewReno, which caused premature exit from fast recovery when NewReno was enabled, has been fixed. &merged; TCP now has support for the Limited Transmit mechanism proposed by RFC 3042. This feature is intended to improve the effectiveness of TCP loss recovery in certain circumstances. It is off by default but can be enabled with the net.inet.tcp.rfc3042 sysctl variable. More information can be found in &man.tcp.4;. TCP now has support for increased initial congestion window sizes as described in RFC 3390. 
This feature can improve the throughput of short transfers, as well as high-bandwidth, large propagation-delay connections. It is off by default but can be enabled with the net.inet.tcp.rfc3390 sysctl variable. More information can be found in &man.tcp.4;. The IP fragment reassembly code behaves more gracefully when receiving a large number of packet fragments (it is designed to be more resistant to fragment-based denial of service attacks). &merged; TCP connections in the TIME_WAIT state now use a special protocol control block that uses less space than a full-blown TCP PCB. This allows some of the data structures and resources used by such a connection to be freed earlier. It is now possible to specify the range of privileged ports (TCP and UDP ports that require superuser access to &man.bind.2; to). The range is now specified with the net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh sysctl variables, defaulting to the traditional UNIX behavior. This feature is intended to help network servers bind to traditionally privileged ports without requiring superuser access. &man.ip.4; has more details. Some bugs in the non-blocking RPC code has been fixed. As a result, &man.amd.8; users are now able to mount volumes from a &release.current; server. Support for XNS networking, which has not worked correctly for almost seven years, has been removed. Disks and Storage The &man.aac.4; driver now runs free of the Giant kernel lock. This change has given a nearly 20% performance speedup on an SMP system running multiple I/O intensive loads. The &man.ata.4; driver now supports all known SiS chipsets. (More details can be found in the Hardware Notes.) The &man.ata.4; driver now supports the Promise SATA150 TX2 and TX4 Serial ATA/150 controllers. The &man.ata.4; driver now flushes devices on shutdown. This change may result in failure messages being printed on the console for devices that do not support flushing. 
The CAM layer now has support for devices with more than 232 blocks. (Assuming 512-byte blocks, this means support for devices larger than 2TB.) For users upgrading across this change, note that all userland applications that talk to &man.pass.4; or &man.xpt.4; devices must be recompiled. Examples of such programs are &man.camcontrol.8; in the base system, the sysutils/cdrtools port, and the multimedia/xmms port. A number of changes have been made to the &man.cd.4; driver. The primary user-visible change is improved compatibility with ATAPI/USB/Firewire CDROM drives. &man.geom.4; is now mandatory; the NO_GEOM has been removed from the set of kernel configuration options. The &man.iir.4; driver has been updated; this update is believed to fix problems detecting attached disks during installation. A bug in the &man.mly.4; driver that caused hangs has been corrected. Support has been added for volume labels on UFS and UFS2 file systems. These labels are strings that can be used to identify a volume, regardless of what device it appears on. Labels can be set with the options to &man.newfs.8; or &man.tunefs.8;. With the GEOM_VOL module, volumes can be accessed using their labels under /dev/vol. The root file system can now be located on a &man.vinum.4; volume. More information can be found in the &man.vinum.4; manual page. The wfd and wst drivers, which have been broken for some time, have been removed. File Systems A new DIRECTIO kernel option enables support for read operations that bypass the buffer cache and put data directly into a userland buffer. This feature requires that the O_DIRECT flag is set on the file descriptor and that both the offset and length for the read operation are multiples of the physical media sector size. &merged; NETNCP and Netware File System Support (nwfs) are once again working. Bugs that could cause the unmounting of a smbfs share to fail or cause a kernel panic have been fixed. 
PCCARD Support Multimedia Support The atspeaker.ko and pcspeaker.ko modules for the &man.speaker.4; device have been renamed speaker.ko. Userland Changes &man.adduser.8; now correctly handles setting user passwords containing special shell characters. &man.adduser.8; now supports a option to set a user's default login group. The compat4x distribution now includes the libcrypto.so.2, libgmp.so.3, and libssl.so.2 libraries from &os; 4.7-RELEASE. &man.chgrp.1 and &man.chown.8 now, when the owner/group is modified, print the old and new uid/gid if the option is specified more than once. &man.config.8; now implements a nodevice kernel configuration file directive that cancels the effect of a device directive. The new nooption and nomakeoption directives cancel prior options and makeoptions directives, respectively. The &man.diskinfo.8; utility has been added to show information about a disk device and optionally to run a naive performance test. The and flags to &man.disklabel.8; have been retired. &man.disklabel.8; is now only built for architectures where it is useful (i386, pc98, alpha, and ia64). The option to &man.disklabel.8; has been removed because the i386 boot loader now resides in a single file. &man.dump.8; now supports caching of disk blocks with the option. This can improve dump performance at the cost of possibly missing file system updates that occur between passes. &man.dumpfs.8; now supports a flag to print file system parameters in the form of a &man.newfs.8; command. &man.elfdump.1;, a utility to display information about &man.elf.5; format executable files, has been added. &man.fetch.1; uses the .netrc support in &man.fetch.3; and also supports a to specify an alternate .netrc file. &man.fetch.3; now has support for .netrc files (see &man.ftp.1; for more details). &man.ftpd.8; now supports a option to disable printing any host-specific information, such as the &man.ftpd.8; version or hostname, in server messages. 
&merged; &man.ftpd.8; now supports a option to specify a port on which to listen in daemon mode. The default data port number is now set to be one less than the control port number, rather than being hard-coded. &merged; &man.ftpd.8; now supports an extended format of the /etc/ftpchroot file. Please refer to the &man.ftpchroot.5; manpage, which is now available, for details. &merged; &man.ftpd.8; now supports login directory pathnames that specify simultaneously a directory for &man.chroot.2; and that to change to in the chrooted environment. The /./ separator is used for this purpose, like in other FTP daemons having this feature. It may be used in both &man.ftpchroot.5; and &man.passwd.5;. &merged; &man.fwcontrol.8; now supports and options for receiving and sending DV streams. &merged; The &man.gstat.8; utility has been added to show the disk activity inside the &man.geom.4; subsystem. &man.ipfw.8; now supports enable and disable commands to control various aspects of the operation of &man.ipfw.4; (including enabling and disabling the firewall itself). These provide a more convenient and visible interface than the existing sysctl variables. &merged; &man.jail.8; now supports a flag to output an identifier for a newly-created jail. The &man.jexec.8; utility has been added to execute a command inside an existing jail. The &man.jls.8; utility has been added to list existing jails. &man.kenv.1; has been moved from /usr/bin to /bin to make it available at times during system startup when only the root file system is mounted. &man.killall.1; now supports a option to kill all processes inside a jail. The &man.libgeom.3; library has been added to allow some userland access to the &man.geom.4; subsystem. The mac_portacl MAC policy module has been added. It provides a simple ACL mechanism to permit users and groups to bind ports for TCP or UDP, and is intended to be used in conjunction with the recently-added net.inet.ip.portrange.reservedhigh sysctl. 
The MAKEDEV script is now unnecessary, due to the mandatory presence of &man.devfs.5;, and has been removed. &man.mergemaster.8; now supports a option to preserve the contents of files being replaced. &man.mixer.8; can now implement relative volume adjustments. The &man.mksnap.ffs.8; program has been added to allow easier creation of FFS snapshots. It is a SUID-root executable designed for use by members of the operator group. &man.mount.8; and &man.umount.8; now accept a option to specify an alternate &man.fstab.5; file. &man.mount.nfs.8; now supports a flag to avoid doing a &man.connect.2; for UDP mount points. This option must be used if the server does not reply to requests from the standard NFS port number 2049 or if it replies to requests using a different IP address (which can occur if the server is multi-homed). Setting the vfs.nfs.nfs_ip_paranoia sysctl to 0 will make this option the default. &merged; &man.mount.nfs.8; now supports the and mount options to prevent NFS mounts from using IPv4 or IPv6 respectively. &man.newfs.8; will now create UFS2 file systems by default, unless UFS1 is specifically requested with the option. &man.newsyslog.8; now supports a W flag to force previously-started compression jobs for an entry (or group of entries specified with the G flag) to finish before beginning a new one. This feature is designed to prevent system overloads caused by starting several compression jobs on big files simultaneously. &merged; &man.nsdispatch.3; is now thread-safe and implements support for Name Service Switch (NSS) modules. NSS modules may be statically built into libc or dynamically loaded via &man.dlopen.3;. They are loaded/initialized at configuration time (i.e. when &man.nsdispatch.3; is called and &man.nsswitch.conf.5; is read or re-read). A new &man.pam.chroot.8; module has been added, which does a &man.chroot.2; operation for users into either a predetermined directory or one derived from their home directory. 
&man.pam.ssh.8; has been rewritten. One side effect of the rewrite is that it now starts a separate instance of &man.ssh-agent.1; for each session instead of trying to connect each session to the agent started by the first session. &man.ping.8; now supports a flag to set the Don't Fragment bit on outgoing packets. &man.ping.8; now supports a option to use ICMP mask request or timestamp request messages instead of ICMP echo requests. &man.ping.8; now supports a flag to set the Type of Service bits in outgoing packets. &man.pw.8; can now add a user whose name ends with a $ character; this change is intended to help administration of Samba services. &merged; The format of the /etc/pwd.db and /etc/spwd.db password databases created by &man.pwd.mkdb.8; is now byte-order dependent. The pre-processed password databases can now be moved between machines of different architectures. The format includes version numbers on entries to ensure compatibility with old binaries. A bug in &man.rand.3; that could cause a sequence to remain stuck at 0 has been fixed. (&man.rand.3; remains unsuitable for all but trivial uses.) &man.rtld.1; now has support for the dynamic mapping of shared object dependencies. This optional feature is especially useful when experimenting with different threading libraries. It is not, however, built by default. More information on enabling and using this feature can be found in &man.libmap.conf.5;. &man.sem.open.3; now correctly handles multiple opens of the same semaphore; as a result, &man.sem.close.3; no longer crashes calling programs. The seeding algorithm used by &man.srandom.3; has been strengthened. The sunlabel utility, a program analogous to &man.disklabel.8; that works on Sun disk labels, has been added. &man.sysinstall.8; will now select UFS2 as the default layout for new file systems unless specifically requested in the disk labeler. Due to i386 boot loader limitations, the root file system must be 1.5TB or smaller in size. 
The &man.swapoff.8; command has been added to disable paging and swapping on a device. A related &man.swapctl.8; command has been added to provide an interface to &man.swapon.8; and &man.swapoff.8; similar to other BSDs. The &man.swapoff.8; feature should be considered experimental. &man.syslogd.8; now allows multiple hosts or programs to be named in host or program specifications in &man.syslog.conf.5; files. &man.systat.1; now includes an display mode that displays the network traffic going through active interfaces on the system. The &man.usbhidaction.1; command has been added; it performs actions according to its configuration in response to USB HID controls. &man.uudecode.1; and &man.b64decode.1; now support a flag for decoding raw (or broken) files that may be missing the initial and possibly final framing lines. &merged; &man.vmstat.8; has re-implemented the flag, which displays statistics on fork operations. &man.xargs.1; now supports a option to execute multiple copies of the same utility in parallel. &man.xargs.1; now supports a flag to reopen /dev/tty for the child process before executing the command. This is useful when the child process is an interactive application. - The libkse library, + The libkse library, providing POSIX threading support using KSE, is now enabled and installed by default. It is still considered a work-in-progress, and is not used by default. However, it can be used as a replacement for the libc_r thread library. - A 1:1 threading package (where for every pthread in an + A 1:1 threading package (where for every pthread in an application there is one KSE and thread) has been implemented. Under this model, the kernel handles all thread scheduling decisions and all signal delivery. This uses some of the common KSE code, and is a restricted case of the M:N threading work still in progress. The libthr library implementing the userland portion of this functionality is a drop-in replacement for the libc_r library. 
Note that libthr is not (at this time) built by default. The historic BSD boot scripts in /etc have been removed, in favor of the rc.d system imported from NetBSD (sometimes referred to as rcNG). All functionality of the historic system has been preserved. In particular, files such as /etc/rc.conf continue to be the recommended means of configuring the system startup. The rc.d system has been the default since &os; 5.0-RELEASE, so this change should be largely transparent for the vast majority of users. Users who have customized their historic-style startup scripts should be aware that the following files have been removed from /etc: rc.atm, rc.devfs, rc.diskless1, rc.diskless2, rc.i386, rc.alpha, rc.amd64, rc.ia64, rc.sparc64, rc.isdn, rc.network, rc.network6, rc.pccard, rc.serial, rc.syscons, rc.sysctl. &man.mergemaster.8;, when run, will offer to move these files out of the way for convenience. More details can be found in &man.rc.subr.8;. Contributed Software The ACPI-CA code has been updated from the 20021118 snapshot to the 20030228 snapshot. awk from Bell Labs has been updated to a 14 March 2003 snapshot. BIND has been updated to version 8.3.4. &merged; All of the bzip2 suite of applications is now installed in the base system (in particular, bzip2recover is now built and installed). &merged; CVS has been updated to 1.11.5. &merged; The DRM kernel modules have been updated to a snapshot from the DRI CVS repository, as of 24 April 2003. The DRM_LINUX kernel option hsa been removed because the handler is now provided by the Linux compatibility code. FILE has been updated to 3.41. &merged; GCC has been updated to 3.2.2 (release version). The gdtoa library, for conversions between strings and floating point, has been imported. These sources were dated 24 March 2003. groff (and related utilities) have been updated from 1.18.1 to 1.19. IPFilter has been updated to 3.4.31. &merged; The ISC DHCP client has been updated to 3.0.1RC11. 
&merged; The ISC DHCP client now includes the &man.omshell.1; utility and the &man.dhcpctl.3; library for run-time control of the client. Kerberos IV support (in the form of KTH eBones) has been removed. Users requiring this functionality can still get it from the security/krb4 port (or package). Kerberos IV compatibility mode for Kerberos 5 has been removed, and the k5program userland utilities have been renamed to kprogram. libpcap now has support for selecting among multiple data link types on an interface. lukemftpd (not built or installed by default) has been updated to a snapshot from 22 January 2003. OpenPAM has been updated from the Citronella release to the Dianthus release. OpenSSH has been updated to 3.6.1p1. OpenSSL has been updated to release 0.9.7a. Among other features, this release includes support for AES and takes advantage of &man.crypto.4; devices. &merged; sendmail has been updated to version 8.12.9. &merged; &man.tcpdump.1; has been updated to version 3.7.2. &merged; It also now supports a flag to list the data link types available on an interface and a option to specify the data link type to use while capturing packets. texinfo has been updated from 4.2 to 4.5. The timezone database has been updated from tzdata2002d to tzdata2003a. &merged; Ports/Packages Collection Infrastructure The one-line pkg-comment files have been eliminated from each port skeleton; their contents have been moved into each port's Makefile. This change reduces the disk space and inodes used by the ports tree. &merged; When fetching distfiles for building a port, the FETCH_REGET Makefile variable can be used to specify the number of times to try continuing to fetch a distfile if it fails its MD5 checksum. The port infrastructure also supports re-fetching interrupted distfiles. &man.pkg.create.1; now supports a option, which allows packages to register a list of other packages with which they conflict. 
They will refuse to install (via &man.pkg.add.1;) if one of the listed packages is already present. The flag to &man.pkg.add.1; overrides this conflict-checking. &man.pkg.info.1; now honors the BLOCKSIZE environment variable in its output when the flag is given. &man.pkg.info.1; now implements a option, which is similar to the quiet option except that it prefixes the output with the package name. Release Engineering and Integration The supported release of GNOME has been updated to 2.2.1. &merged; The supported release of KDE has been updated to 3.1.1a. &merged; &man.sysinstall.8; once again supports installing individual components of XFree86. Supporting changes (not user-visible) generalize the concept of installing parts of distributions as packages. The supported release of XFree86 has been updated to 4.3.0. &merged; Several upgrade mechanisms designed to permit major version upgrades from &os; 2.X to 3.X and from &os; 3.X to 4.X have been removed. Documentation The following new articles have been added to the documentation set: FreeBSD From Scratch, The Roadmap for 5-STABLE. A new Danish (da_DK.ISO8859-1) translation project has been started. Upgrading from previous releases of &os; Users with existing &os; systems are highly encouraged to read the Early Adopter's Guide to &os; &release.current;. This document generally has the filename EARLY.TXT on the distribution media, or any other place that the release notes can be found. It offers some notes on upgrading, but more importantly, also discusses some of the relative merits of upgrading to &os; 5.X versus running &os; 4.X. Upgrading &os; should, of course, only be attempted after backing up all data and configuration files. diff --git a/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml b/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml index ffead8a9137f..db49b464ab10 100644 --- a/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml +++ b/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml 
@@ -1,1015 +1,1015 @@ &os;/&arch; &release.current; Release Notes The FreeBSD Project $FreeBSD$ 2000 2001 2002 2003 The FreeBSD Documentation Project The release notes for &os; &release.current; contain a summary of This document lists applicable security advisories that were issued since the last release, as well as significant changes to the &os; kernel and userland. Some brief remarks on upgrading are also presented. Introduction This document contains the release notes for &os; &release.current; on the &arch.print; hardware platform. It describes recently added, changed, or deleted features of &os;. It also provides some notes on upgrading from previous versions of &os;. The &release.type; distribution to which these release notes apply represents a point along the &release.branch; development branch between &release.prev; and the future &release.next;. Some pre-built, binary &release.type; distributions along this branch can be found at . ]]> This distribution of &os; &release.current; is a &release.type; distribution. It can be found at or any of its mirrors. More information on obtaining this (or other) &release.type; distributions of &os; can be found in the Obtaining FreeBSD appendix to the FreeBSD Handbook. ]]> Users who are new to the &release.branch; series of &os; &release.type;s should also read the Early Adopters Guide to &os; &release.current;. This document can generally be found in the same location as the release notes (either as a part of a &os; distribution or on the &os; Web site). It contains important information regarding the advantages and disadvantages of using &os; &release.current;, as opposed to releases based on the &os; 4-STABLE development branch. All users are encouraged to consult the release errata before installing &os;. The errata document is updated with late-breaking information discovered late in the release cycle or after the release. 
Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for &os; &release.current; can be found on the &os; Web site. What's New This section describes Typical release note items document recent security advisories issued after &release.prev.historic;, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to &os; between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements. Security Advisories A remotely exploitable vulnerability in CVS has been corrected with the import of version 1.11.5. More details can be found in security advisory FreeBSD-SA-03:01. &merged; A timing-based attack on OpenSSL, which could allow a very powerful attacker access to plaintext under certain circumstances, has been prevented via an upgrade to OpenSSL 0.9.7. See security advisory FreeBSD-SA-03:02 for more details. &merged; The security and performance of the syncookies feature has been improved to decrease the chance of an attacker being able to spoof connections. More details are given in security advisory FreeBSD-SA-03:03. &merged; Remotely-exploitable buffer overflow vulnerabilities in sendmail have been fixed by updating sendmail. For more details, see security advisory FreeBSD-SA-03:04 and FreeBSD-SA-03:07. &merged; A bounds-checking bug in the XDR implementation, which could allow a remote attacker to cause a denial-of-service, has been fixed. For more details see security advisory FreeBSD-SA-03:05. &merged; Two recently-publicized flaws in OpenSSL have been corrected. For more details, see security advisory FreeBSD-SA-03:06. &merged; Kernel Changes Support for the CanBe power management controller has been added. 
&merged; &man.devfs.5; is now mandatory; the NODEVFS option has been removed from the set of possible kernel configuration options. An ehci driver has been added; it supports the USB Enhanced Host Controller Interface used by USB 2.0 controllers. A minor bug in the permissions handling of /dev/tty has been fixed. As a result, &man.ssh.1; can now be used after &man.su.1;. A bug that caused &man.fstat.2; to return 0 as the number of bytes available to read from a TCP socket has been fixed. A bug that caused &man.kqueue.2; to report 0 as the number of bytes available to read from a TCP socket has been fixed. The NOTE_LOWAT flag for EVFILT_READ has been fixed. Linux emulation mode now supports IPv6. &man.madvise.2; now supports a MADV_PROTECT behavior, which informs the virtual memory system that a process is critical and should not be killed when swap space has been exhausted. The process must be owned by the superuser. The tw driver for TW-523 power line interfaces (used by X-10 home control products) has been removed. It is currently non-functional, and would require a considerable amount of work to make it work under &release.branch;. The xten and xtend userland control programs have also been removed. A second process scheduler, designed to be a general purpose scheduler with many SMP benefits, has been added to the scheduler framework. Exactly one scheduler must be specified in a kernel configuration. The original scheduler may be selected using options SCHED_4BSD. The newer (experimental) scheduler can be selected by using options SCHED_ULE. Device major numbers are now allocated dynamically by default. This change greatly decreases the need for a static, centralized table of major number assignments to device drivers (a few drivers retain their old static major numbers for compatibility), and also reduces the possibility of running out of device major numbers. 
A partial lazy switch mechanism for in-kernel threads has been implemented; it is designed to reduce the overhead of short context switches (such as for interrupt handlers) that do not involve another process. This feature can be enabled with options LAZY_SWITCH. Processor/Motherboard Support SMP kernels now have rudimentary support for HyperThreading (HTT). The scheduler treats the logical CPUs as if they were additional physical CPUs. This can actually cause suboptimal performance in some cases due to contention for resources. Therefore, logical CPUs are halted by default at startup. They can be enabled with the machdep.hlt_logical_cpus sysctl variable. It is also possible to halt any CPU in the idle loop with the machdep.hlt_cpus sysctl variable. The &man.smp.4; manual page has more details. Some other versions of &os;, including early 5.0-CURRENT snapshots and 4.8-RELEASE, used options HTT to enable HyperThreading support at kernel configuration time. This option is no longer necessary. Support for the Physical Address Extensions (PAE) capability on Intel Pentium Pro and higher processors has been added. This allows the use of up to 64GB of RAM in a machine, although the amount of memory usable by any single process (or the &os; kernel) is unchanged. For more information, see the &man.pae.4; manual page. Work on this feature was sponsored by DARPA and Network Associates Laboratories. A new &man.vpd.4; driver has been added to read hardware information from the Vital Product Data structure on IBM ThinkPad machines. Boot Loader Changes The alpha boot loader (boot1) can now be called boot for consistency with other platforms. The two parts of the boot loader (boot1 and boot2) have been combined into a single boot file, to simplify programs that need to write or otherwise manipulate the boot loader. The PC98 boot loader now has support for booting from SCSI MO media. 
&merged; The /modules directory (once the default location for modules on &os; 4.X) is no longer a part of the default kern.module_path. Third-party modules should be placed in /boot/modules. Modules designed for use with &os; 4.X are likely to panic when loaded into a &os; &release.current; kernel and should be used with extreme caution. Due to code size limitations, the i386 boot loader can only load kernels from root file systems that are 1.5TB or smaller in size. Network Interface Support A new &man.axe.4; network driver has been added. It provides support for USB Ethernet adapters based on the ASIX Electronics AX88172 USB 2.0 chipset. The cm driver now supports IPX. &merged; The &man.rue.4; network has been added, providing support for Ethernet adapters based on the RealTek RTL8150 USB to Fast Ethernet controller chip. The &man.sbsh.4; driver for the Granch SBNI16 SHDSL modem has been added. &merged; A new &man.wlan.4; module provides 802.11 link-layer support. The &man.wi.4; and &man.an.4; drivers now use this facility. A timing bug in the &man.xl.4; driver, which could cause a kernel panic (or other problems) when configuring an interface, has been fixed. Network Protocols &man.ipfw.4; skipto rules can once again be used with the log keyword. &man.ipfw.4; uid rules are once again working. It is now possible to build the FAST_IPSEC and INET6 options into the same kernel. (They still cannot be used together, however.) A bug in TCP NewReno, which caused premature exit from fast recovery when NewReno was enabled, has been fixed. &merged; TCP now has support for the Limited Transmit mechanism proposed by RFC 3042. This feature is intended to improve the effectiveness of TCP loss recovery in certain circumstances. It is off by default but can be enabled with the net.inet.tcp.rfc3042 sysctl variable. More information can be found in &man.tcp.4;. TCP now has support for increased initial congestion window sizes as described in RFC 3390. 
This feature can improve the throughput of short transfers, as well as high-bandwidth, large propagation-delay connections. It is off by default but can be enabled with the net.inet.tcp.rfc3390 sysctl variable. More information can be found in &man.tcp.4;. The IP fragment reassembly code behaves more gracefully when receiving a large number of packet fragments (it is designed to be more resistant to fragment-based denial of service attacks). &merged; TCP connections in the TIME_WAIT state now use a special protocol control block that uses less space than a full-blown TCP PCB. This allows some of the data structures and resources used by such a connection to be freed earlier. It is now possible to specify the range of privileged ports (TCP and UDP ports that require superuser access to &man.bind.2; to). The range is now specified with the net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh sysctl variables, defaulting to the traditional UNIX behavior. This feature is intended to help network servers bind to traditionally privileged ports without requiring superuser access. &man.ip.4; has more details. Some bugs in the non-blocking RPC code has been fixed. As a result, &man.amd.8; users are now able to mount volumes from a &release.current; server. Support for XNS networking, which has not worked correctly for almost seven years, has been removed. Disks and Storage The &man.aac.4; driver now runs free of the Giant kernel lock. This change has given a nearly 20% performance speedup on an SMP system running multiple I/O intensive loads. The &man.ata.4; driver now supports all known SiS chipsets. (More details can be found in the Hardware Notes.) The &man.ata.4; driver now supports the Promise SATA150 TX2 and TX4 Serial ATA/150 controllers. The &man.ata.4; driver now flushes devices on shutdown. This change may result in failure messages being printed on the console for devices that do not support flushing. 
The CAM layer now has support for devices with more than 232 blocks. (Assuming 512-byte blocks, this means support for devices larger than 2TB.) For users upgrading across this change, note that all userland applications that talk to &man.pass.4; or &man.xpt.4; devices must be recompiled. Examples of such programs are &man.camcontrol.8; in the base system, the sysutils/cdrtools port, and the multimedia/xmms port. A number of changes have been made to the &man.cd.4; driver. The primary user-visible change is improved compatibility with ATAPI/USB/Firewire CDROM drives. &man.geom.4; is now mandatory; the NO_GEOM has been removed from the set of kernel configuration options. The &man.iir.4; driver has been updated; this update is believed to fix problems detecting attached disks during installation. A bug in the &man.mly.4; driver that caused hangs has been corrected. Support has been added for volume labels on UFS and UFS2 file systems. These labels are strings that can be used to identify a volume, regardless of what device it appears on. Labels can be set with the options to &man.newfs.8; or &man.tunefs.8;. With the GEOM_VOL module, volumes can be accessed using their labels under /dev/vol. The root file system can now be located on a &man.vinum.4; volume. More information can be found in the &man.vinum.4; manual page. The wfd and wst drivers, which have been broken for some time, have been removed. File Systems A new DIRECTIO kernel option enables support for read operations that bypass the buffer cache and put data directly into a userland buffer. This feature requires that the O_DIRECT flag is set on the file descriptor and that both the offset and length for the read operation are multiples of the physical media sector size. &merged; NETNCP and Netware File System Support (nwfs) are once again working. Bugs that could cause the unmounting of a smbfs share to fail or cause a kernel panic have been fixed. 
PCCARD Support Multimedia Support The atspeaker.ko and pcspeaker.ko modules for the &man.speaker.4; device have been renamed speaker.ko. Userland Changes &man.adduser.8; now correctly handles setting user passwords containing special shell characters. &man.adduser.8; now supports a option to set a user's default login group. The compat4x distribution now includes the libcrypto.so.2, libgmp.so.3, and libssl.so.2 libraries from &os; 4.7-RELEASE. &man.chgrp.1 and &man.chown.8 now, when the owner/group is modified, print the old and new uid/gid if the option is specified more than once. &man.config.8; now implements a nodevice kernel configuration file directive that cancels the effect of a device directive. The new nooption and nomakeoption directives cancel prior options and makeoptions directives, respectively. The &man.diskinfo.8; utility has been added to show information about a disk device and optionally to run a naive performance test. The and flags to &man.disklabel.8; have been retired. &man.disklabel.8; is now only built for architectures where it is useful (i386, pc98, alpha, and ia64). The option to &man.disklabel.8; has been removed because the i386 boot loader now resides in a single file. &man.dump.8; now supports caching of disk blocks with the option. This can improve dump performance at the cost of possibly missing file system updates that occur between passes. &man.dumpfs.8; now supports a flag to print file system parameters in the form of a &man.newfs.8; command. &man.elfdump.1;, a utility to display information about &man.elf.5; format executable files, has been added. &man.fetch.1; uses the .netrc support in &man.fetch.3; and also supports a to specify an alternate .netrc file. &man.fetch.3; now has support for .netrc files (see &man.ftp.1; for more details). &man.ftpd.8; now supports a option to disable printing any host-specific information, such as the &man.ftpd.8; version or hostname, in server messages. 
&merged; &man.ftpd.8; now supports a option to specify a port on which to listen in daemon mode. The default data port number is now set to be one less than the control port number, rather than being hard-coded. &merged; &man.ftpd.8; now supports an extended format of the /etc/ftpchroot file. Please refer to the &man.ftpchroot.5; manpage, which is now available, for details. &merged; &man.ftpd.8; now supports login directory pathnames that specify simultaneously a directory for &man.chroot.2; and that to change to in the chrooted environment. The /./ separator is used for this purpose, like in other FTP daemons having this feature. It may be used in both &man.ftpchroot.5; and &man.passwd.5;. &merged; &man.fwcontrol.8; now supports and options for receiving and sending DV streams. &merged; The &man.gstat.8; utility has been added to show the disk activity inside the &man.geom.4; subsystem. &man.ipfw.8; now supports enable and disable commands to control various aspects of the operation of &man.ipfw.4; (including enabling and disabling the firewall itself). These provide a more convenient and visible interface than the existing sysctl variables. &merged; &man.jail.8; now supports a flag to output an identifier for a newly-created jail. The &man.jexec.8; utility has been added to execute a command inside an existing jail. The &man.jls.8; utility has been added to list existing jails. &man.kenv.1; has been moved from /usr/bin to /bin to make it available at times during system startup when only the root file system is mounted. &man.killall.1; now supports a option to kill all processes inside a jail. The &man.libgeom.3; library has been added to allow some userland access to the &man.geom.4; subsystem. The mac_portacl MAC policy module has been added. It provides a simple ACL mechanism to permit users and groups to bind ports for TCP or UDP, and is intended to be used in conjunction with the recently-added net.inet.ip.portrange.reservedhigh sysctl. 
The MAKEDEV script is now unnecessary, due to the mandatory presence of &man.devfs.5;, and has been removed. &man.mergemaster.8; now supports a option to preserve the contents of files being replaced. &man.mixer.8; can now implement relative volume adjustments. The &man.mksnap.ffs.8; program has been added to allow easier creation of FFS snapshots. It is a SUID-root executable designed for use by members of the operator group. &man.mount.8; and &man.umount.8; now accept a option to specify an alternate &man.fstab.5; file. &man.mount.nfs.8; now supports a flag to avoid doing a &man.connect.2; for UDP mount points. This option must be used if the server does not reply to requests from the standard NFS port number 2049 or if it replies to requests using a different IP address (which can occur if the server is multi-homed). Setting the vfs.nfs.nfs_ip_paranoia sysctl to 0 will make this option the default. &merged; &man.mount.nfs.8; now supports the and mount options to prevent NFS mounts from using IPv4 or IPv6 respectively. &man.newfs.8; will now create UFS2 file systems by default, unless UFS1 is specifically requested with the option. &man.newsyslog.8; now supports a W flag to force previously-started compression jobs for an entry (or group of entries specified with the G flag) to finish before beginning a new one. This feature is designed to prevent system overloads caused by starting several compression jobs on big files simultaneously. &merged; &man.nsdispatch.3; is now thread-safe and implements support for Name Service Switch (NSS) modules. NSS modules may be statically built into libc or dynamically loaded via &man.dlopen.3;. They are loaded/initialized at configuration time (i.e. when &man.nsdispatch.3; is called and &man.nsswitch.conf.5; is read or re-read). A new &man.pam.chroot.8; module has been added, which does a &man.chroot.2; operation for users into either a predetermined directory or one derived from their home directory. 
&man.pam.ssh.8; has been rewritten. One side effect of the rewrite is that it now starts a separate instance of &man.ssh-agent.1; for each session instead of trying to connect each session to the agent started by the first session. &man.ping.8; now supports a flag to set the Don't Fragment bit on outgoing packets. &man.ping.8; now supports a option to use ICMP mask request or timestamp request messages instead of ICMP echo requests. &man.ping.8; now supports a flag to set the Type of Service bits in outgoing packets. &man.pw.8; can now add a user whose name ends with a $ character; this change is intended to help administration of Samba services. &merged; The format of the /etc/pwd.db and /etc/spwd.db password databases created by &man.pwd.mkdb.8; is now byte-order dependent. The pre-processed password databases can now be moved between machines of different architectures. The format includes version numbers on entries to ensure compatibility with old binaries. A bug in &man.rand.3; that could cause a sequence to remain stuck at 0 has been fixed. (&man.rand.3; remains unsuitable for all but trivial uses.) &man.rtld.1; now has support for the dynamic mapping of shared object dependencies. This optional feature is especially useful when experimenting with different threading libraries. It is not, however, built by default. More information on enabling and using this feature can be found in &man.libmap.conf.5;. &man.sem.open.3; now correctly handles multiple opens of the same semaphore; as a result, &man.sem.close.3; no longer crashes calling programs. The seeding algorithm used by &man.srandom.3; has been strengthened. The sunlabel utility, a program analogous to &man.disklabel.8; that works on Sun disk labels, has been added. &man.sysinstall.8; will now select UFS2 as the default layout for new file systems unless specifically requested in the disk labeler. Due to i386 boot loader limitations, the root file system must be 1.5TB or smaller in size. 
The &man.swapoff.8; command has been added to disable paging and swapping on a device. A related &man.swapctl.8; command has been added to provide an interface to &man.swapon.8; and &man.swapoff.8; similar to other BSDs. The &man.swapoff.8; feature should be considered experimental. &man.syslogd.8; now allows multiple hosts or programs to be named in host or program specifications in &man.syslog.conf.5; files. &man.systat.1; now includes an display mode that displays the network traffic going through active interfaces on the system. The &man.usbhidaction.1; command has been added; it performs actions according to its configuration in response to USB HID controls. &man.uudecode.1; and &man.b64decode.1; now support a flag for decoding raw (or broken) files that may be missing the initial and possibly final framing lines. &merged; &man.vmstat.8; has re-implemented the flag, which displays statistics on fork operations. &man.xargs.1; now supports a option to execute multiple copies of the same utility in parallel. &man.xargs.1; now supports a flag to reopen /dev/tty for the child process before executing the command. This is useful when the child process is an interactive application. - The libkse library, + The libkse library, providing POSIX threading support using KSE, is now enabled and installed by default. It is still considered a work-in-progress, and is not used by default. However, it can be used as a replacement for the libc_r thread library. - A 1:1 threading package (where for every pthread in an + A 1:1 threading package (where for every pthread in an application there is one KSE and thread) has been implemented. Under this model, the kernel handles all thread scheduling decisions and all signal delivery. This uses some of the common KSE code, and is a restricted case of the M:N threading work still in progress. The libthr library implementing the userland portion of this functionality is a drop-in replacement for the libc_r library. 
Note that libthr is not (at this time) built by default. The historic BSD boot scripts in /etc have been removed, in favor of the rc.d system imported from NetBSD (sometimes referred to as rcNG). All functionality of the historic system has been preserved. In particular, files such as /etc/rc.conf continue to be the recommended means of configuring the system startup. The rc.d system has been the default since &os; 5.0-RELEASE, so this change should be largely transparent for the vast majority of users. Users who have customized their historic-style startup scripts should be aware that the following files have been removed from /etc: rc.atm, rc.devfs, rc.diskless1, rc.diskless2, rc.i386, rc.alpha, rc.amd64, rc.ia64, rc.sparc64, rc.isdn, rc.network, rc.network6, rc.pccard, rc.serial, rc.syscons, rc.sysctl. &man.mergemaster.8;, when run, will offer to move these files out of the way for convenience. More details can be found in &man.rc.subr.8;. Contributed Software The ACPI-CA code has been updated from the 20021118 snapshot to the 20030228 snapshot. awk from Bell Labs has been updated to a 14 March 2003 snapshot. BIND has been updated to version 8.3.4. &merged; All of the bzip2 suite of applications is now installed in the base system (in particular, bzip2recover is now built and installed). &merged; CVS has been updated to 1.11.5. &merged; The DRM kernel modules have been updated to a snapshot from the DRI CVS repository, as of 24 April 2003. The DRM_LINUX kernel option hsa been removed because the handler is now provided by the Linux compatibility code. FILE has been updated to 3.41. &merged; GCC has been updated to 3.2.2 (release version). The gdtoa library, for conversions between strings and floating point, has been imported. These sources were dated 24 March 2003. groff (and related utilities) have been updated from 1.18.1 to 1.19. IPFilter has been updated to 3.4.31. &merged; The ISC DHCP client has been updated to 3.0.1RC11. 
&merged; The ISC DHCP client now includes the &man.omshell.1; utility and the &man.dhcpctl.3; library for run-time control of the client. Kerberos IV support (in the form of KTH eBones) has been removed. Users requiring this functionality can still get it from the security/krb4 port (or package). Kerberos IV compatibility mode for Kerberos 5 has been removed, and the k5program userland utilities have been renamed to kprogram. libpcap now has support for selecting among multiple data link types on an interface. lukemftpd (not built or installed by default) has been updated to a snapshot from 22 January 2003. OpenPAM has been updated from the Citronella release to the Dianthus release. OpenSSH has been updated to 3.6.1p1. OpenSSL has been updated to release 0.9.7a. Among other features, this release includes support for AES and takes advantage of &man.crypto.4; devices. &merged; sendmail has been updated to version 8.12.9. &merged; &man.tcpdump.1; has been updated to version 3.7.2. &merged; It also now supports a flag to list the data link types available on an interface and a option to specify the data link type to use while capturing packets. texinfo has been updated from 4.2 to 4.5. The timezone database has been updated from tzdata2002d to tzdata2003a. &merged; Ports/Packages Collection Infrastructure The one-line pkg-comment files have been eliminated from each port skeleton; their contents have been moved into each port's Makefile. This change reduces the disk space and inodes used by the ports tree. &merged; When fetching distfiles for building a port, the FETCH_REGET Makefile variable can be used to specify the number of times to try continuing to fetch a distfile if it fails its MD5 checksum. The port infrastructure also supports re-fetching interrupted distfiles. &man.pkg.create.1; now supports a option, which allows packages to register a list of other packages with which they conflict. 
They will refuse to install (via &man.pkg.add.1;) if one of the listed packages is already present. The flag to &man.pkg.add.1; overrides this conflict-checking. &man.pkg.info.1; now honors the BLOCKSIZE environment variable in its output when the flag is given. &man.pkg.info.1; now implements a option, which is similar to the quiet option except that it prefixes the output with the package name. Release Engineering and Integration The supported release of GNOME has been updated to 2.2.1. &merged; The supported release of KDE has been updated to 3.1.1a. &merged; &man.sysinstall.8; once again supports installing individual components of XFree86. Supporting changes (not user-visible) generalize the concept of installing parts of distributions as packages. The supported release of XFree86 has been updated to 4.3.0. &merged; Several upgrade mechanisms designed to permit major version upgrades from &os; 2.X to 3.X and from &os; 3.X to 4.X have been removed. Documentation The following new articles have been added to the documentation set: FreeBSD From Scratch, The Roadmap for 5-STABLE. A new Danish (da_DK.ISO8859-1) translation project has been started. Upgrading from previous releases of &os; Users with existing &os; systems are highly encouraged to read the Early Adopter's Guide to &os; &release.current;. This document generally has the filename EARLY.TXT on the distribution media, or any other place that the release notes can be found. It offers some notes on upgrading, but more importantly, also discusses some of the relative merits of upgrading to &os; 5.X versus running &os; 4.X. Upgrading &os; should, of course, only be attempted after backing up all data and configuration files.
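Review bot: the only changed lines in this hunk, the `- The libkse library,` / `+ The libkse library,` pair and the `- A 1:1 threading package (where for every pthread in an` / `+ A 1:1 threading package (where for every pthread in an` pair, read identically in this view, so the edit appears to be whitespace-only (indentation or trailing whitespace); the commit message should say so, or the whitespace fix should be folded into a content change, so that reviewers can tell what actually changed. Since this hunk already touches the threading paragraphs, two defects in the surrounding unchanged context are worth a follow-up: the Userland Changes item `&man.chgrp.1 and &man.chown.8 now` lacks the closing `;` on both entity references, which an SGML parser will not resolve as the other `&man.*;` entities are, and the Contributed Software item `The DRM_LINUX kernel option hsa been removed` has a typo for "has". Minor grammar in context as well: `Some bugs in the non-blocking RPC code has been fixed` should read "have been fixed", and `The &man.rue.4; network has been added` is missing the word "driver".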