The FreeBSD Project $FreeBSD: head/release/doc/en_US.ISO8859-1/relnotes/article.sgml 112634 2003-03-25 20:18:37Z olgeni $ 2000 2001 2002 2003 The FreeBSD Documentation Project The release notes for &os; &release.current; contain a summary of Both changes for kernel and userland are listed, as well as applicable security advisories that were issued since the last release. Some brief remarks on upgrading are also presented. This document contains the release notes for &os; &release.current; on the &arch.print; hardware platform. It describes recently added, changed, or deleted features of &os;. It also provides some notes on upgrading from previous versions of &os;. The &release.type; distribution to which these release notes apply represents a point along the &release.branch; development branch between &release.prev; and the future &release.next;. Some pre-built, binary &release.type; distributions along this branch can be found at . ]]> This distribution of &os; &release.current; is a &release.type; distribution. It can be found at or any of its mirrors. More information on obtaining this (or other) &release.type; distributions of &os; can be found in the Obtaining FreeBSD appendix to the FreeBSD Handbook. ]]> This section describes Typical release note items document new drivers or hardware support, new commands or options, major bugfixes, or contributed software upgrades. Applicable security advisories issued after &release.prev.historic; are also listed. Many additional changes were made to &os; that are not listed here for lack of space. For example, documentation was corrected and improved, minor bugs were fixed, insecure coding practices were audited and corrected, and source code was cleaned up. A remotely exploitable vulnerability in CVS has been corrected with the import of version 1.11.5. More details can be found in security advisory FreeBSD-SA-03:01. &merged; A timing-based attack on OpenSSL, which could allow a very powerful attacker access to plaintext under certain circumstances, has been prevented via an upgrade to OpenSSL 0.9.7. See security advisory FreeBSD-SA-03:02 for more details. &merged; The security and performance of the syncookies feature has been improved to decrease the chance of an attacker being able to spoof connections. More details are given in security advisory FreeBSD-SA-03:03. &merged; A remotely-exploitable buffer overflow vulnerability in sendmail has been fixed by updating sendmail to version 8.12.8. For more details, see security advisory FreeBSD-SA-03:04. &merged; A bounds-checking bug in the XDR implementation, which could allow a remote attacker to cause a denial-of-service, has been fixed. For more details see security advisory FreeBSD-SA-03:05. &merged; Two recently-publicized flaws in OpenSSL have been corrected. For more details, see security advisory FreeBSD-SA-03:06. &merged; Support for the CanBe power management controller has been added. &merged; &man.devfs.5; is now mandatory; the NODEVFS option has been removed from the set of possible kernel configuration options. The DRM kernel modules have been updated to a snapshot from the DRI CVS repository, roughly equivalent to XFree86 4.3.0 but also including some additional bugfixes. A minor bug in the permissions handling of /dev/tty has been fixed. As a result, &man.ssh.1; can now be used after &man.su.1;. A bug that caused &man.fstat.2; to return 0 as the number of bytes available to read from a TCP socket has been fixed. A bug that caused &man.kqueue.2; to report 0 as the number of bytes available to read from a TCP socket has been fixed. The NOTE_LOWAT flag for EVFILT_READ has been fixed. Linux emulation mode now supports IPv6. A second process scheduler, designed to be a general purpose scheduler with many SMP benefits, has been added to the scheduler framework. Exactly one scheduler must be specified in a kernel configuration. The original scheduler may be selected using options SCHED_4BSD. The newer (experimental) scheduler can be selected by using options SCHED_ULE. Device major numbers are now allocated dynamically by default. This change greatly decreases the need for a static, centralized table of major number assignments to device drivers (a few drivers retain their old static major numbers for compatibility), and also reduces the possibility of running out of device major numbers. &os; now has rudimentary support for HyperThreading (HTT). SMP kernels with the HTT kernel option will detect and start up the logical processors on HTT-capable machines. The logical processors will be treated like additional physical processors for the purposes of process scheduling. &merged; The alpha boot loader (boot1) can now be called boot for consistency with other platforms. The two parts of the boot loader (boot1 and boot2) have been combined into a single boot file, to simplify programs that need to write or otherwise manipulate the boot loader. The PC98 bootloader now has support for booting from SCSI MO media. &merged; The /modules directory (once the default location for modules on &os; 4.X) is no longer a part of the default kern.module_path. Third-party modules should be placed in /boot/modules. Modules designed for use with &os; 4.X are likely to panic and should be used with extreme caution. The cm driver now supports IPX. &merged; A new wlan module provides 802.11 link-layer support. The &man.wi.4; driver now uses this facility. A timing bug in the &man.xl.4; driver, which could cause a kernel panic (or other problems) when configuring an interface, has been fixed. &man.ipfw.4; skipto rules can once again be used with the log keyword. &man.ipfw.4; uid rules are once again working. It is now possible to build the FAST_IPSEC and INET6 options into the same kernel. (They still cannot be used together, however.) A bug in TCP NewReno, which caused premature exit from fast recovery when NewReno was enabled, has been fixed. &merged; TCP now has support for the Limited Transmit mechanism proposed by RFC 3042. This feature is intended to improve the effectiveness of TCP loss recovery in certain circumstances. It is off by default but can be enabled with the net.inet.tcp.rfc3042 sysctl variable. More information can be found in &man.tcp.4;. TCP now has support for increased initial congestion window sizes as described in RFC 3390. This feature can improve the throughput of short transfers, as well as high-bandwidth, large propagation-delay connections. It is off by default but can be enabled with the net.inet.tcp.rfc3390 sysctl variable. More information can be found in &man.tcp.4;. The IP fragment reassembly code behaves more gracefully when receiving a large number of packet fragments (it is designed to be more resistant to fragment-based denial of service attacks). &merged; TCP connections in the TIME_WAIT state now use a special protocol control block that uses less space than a full-blown TCP PCB. This allows some of the data structures and resources used by such a connection to be freed earlier. It is now possible to specify the range of privileged ports (TCP and UDP ports that require superuser access to &man.bind.2; to). The range is now specified with the net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh sysctl variables, defaulting to the traditional UNIX behavior. This feature is intended to help network servers bind to traditionally privileged ports without requiring superuser access. &man.ip.4; has more details. Some bugs in the non-blocking RPC code has been fixed. As a result, &man.amd.8; users are now able to mount volumes from a &release.current; server. Support for XNS networking, which has not worked correctly for almost seven years, has been removed. The &man.aac.4; driver now runs free of the Giant kernel lock. This change has given a nearly 20% performance speedup on an SMP system running multiple I/O intensive loads. The &man.ata.4; driver now supports all known SiS chipsets. (More details can be found in the Hardware Notes.) A number of changes have been made to the &man.cd.4; driver. The primary user-visible change is improved compatibility with ATAPI/USB/Firewire CDROM drives. &man.geom.4; is now mandatory; the NO_GEOM has been removed from the set of kernel configuration options. A bug in the &man.mly.4; driver that caused hangs has been corrected. Support has been added for volume labels on UFS and UFS2 filesystems. These labels are strings that can be used to identify a volume, regardless of what device it appears on. Labels can be set with the -L options to &man.newfs.8; or &man.tunefs.8;. With the GEOM_VOL module, volumes can be accessed using their labels under /dev/vol. The root filesystem can now be located on a &man.vinum.4; volume. More information can be found in the &man.vinum.4; manual page. The wfd and wst drivers, which have been broken for some time, have been removed. NETNCP and Netware Filesystem Support (nwfs) are once again working. Bugs that could cause the unmounting of a smbfs share to fail or cause a kernel panic have been fixed. IPFilter has been updated to 3.4.31. &merged; &man.adduser.8; now correctly handles setting user passwords containing special shell characters. The compat4x distribution now includes the libcrypto.so.2, libgmp.so.3, and libssl.so.2 libraries from &os; 4.7-RELEASE. &man.config.8; now implements a nodevice kernel configuration file directive that cancels the effect of a device directive. The new nooption and nomakeoption directives cancel prior option and makeoption directives, respectively. The -N and -W flags to &man.disklabel.8; have been retired. &man.disklabel.8; is now only built for architectures where it is useful (i386, pc98, alpha, and ia64). The -s to &man.disklabel.8; has been removed because the i386 boot loader now resides in a single file. &man.dump.8; now supports caching of disk blocks with the -C option. This can improve dump performance at the cost of possibly missing filesystem updates that occur between passes. &man.dumpfs.8; now supports a -m flag to print file system parameters in the form of a &man.newfs.8; command. &man.elfdump.1;, a utility to display information about &man.elf.5; format executable files, has been added. &man.fetch.1; uses the .netrc support in &man.fetch.3; and also supports a -N to specify an alternate .netrc file. &man.fetch.3; now has support for .netrc files (see &man.ftp.1; for more details). &man.ftpd.8; now supports a -h option to disable printing any host-specific information, such as the &man.ftpd.8; version or hostname, in server messages. &merged; &man.ftpd.8; now supports a -P option to specify a port on which to listen in daemon mode. The default data port number is now set to be one less than the control port number, rather than being hard-coded. &merged; &man.ftpd.8; now supports an extended format of the /etc/ftpchroot file. Please refer to the &man.ftpchroot.5; manpage, which is now available, for details. &merged; &man.ftpd.8; now supports login directory pathnames that specify simultaneously a directory for &man.chroot.2; and that to change to in the chrooted environment. The /./ separator is used for this purpose, like in other FTP daemons having this feature. It may be used in both &man.ftpchroot.5; and &man.passwd.5;. &merged; &man.fwcontrol.8; now supports -R and -S options for receiving and sending DV streams. &merged; &man.ipfw.8; now supports enable and disable commands to control various aspects of the operation of &man.ipfw.4; (including enabling and disabling the firewall itself). These provide a more convenient and visible interface than the existing sysctl variables. &merged; &man.kenv.1; has been moved from /usr/bin to /bin to make it available at times during system startup when only the root filesystem is mounted. The MAKEDEV script is now unnecessary, due to the mandatory presence of &man.devfs.5;, and has been removed. The &man.libgeom.3; library has been added to allow some userland access to the &man.geom.4; subsystem. The mac_portacl MAC policy module has been added. It provides a simple ACL mechanism to permit users and groups to bind ports for TCP or UDP, and is intended to be used in conjunction with the recently-added net.inet.ip.portrange.reservedhigh sysctl. The &man.mksnap.ffs.8; program has been added to allow easier creation of FFS snapshots. It is a SUID-root executable designed for use by members of the operatorgroup. &man.mount.nfs.8; now supports a -c flag to avoid doing a &man.connect.2; for UDP mount points. This option must be used if the server does not reply to requests from the standard NFS port number 2049 or if it replies to requests using a different IP address (which can occur if the server is multi-homed). Setting the vfs.nfs.nfs_ip_paranoia sysctl to 0 will make this option the default. &merged; &man.newsyslog.8; now supports a W flag to force previously-started compression jobs for an entry (or group of entries specified with the G flag) to finish before beginning a new one. This feature is designed to prevent system overloads caused by starting several compression jobs on big files simultaneously. &merged; &man.pam.ssh.8; has been rewritten. One side effect of the rewrite is that it now starts a separate instance of &man.ssh-agent.1; for each session instead of trying to connect each session to the agent started by the first session. &man.ping.8; now supports a -D flag to set the Don't Fragment bit on outgoing packets. &man.ping.8; now supports a -M option to use ICMP mask request or timestamp request messages instead of ICMP echo requests. &man.ping.8; now supports a -z flag to set the Type of Service bits in outgoing packets. &man.pw.8; can now add a user whose name ends with a $ character; this change is intended to help administration of Samba services. &merged; A bug in &man.rand.3; that could cause a sequence to remain stuck at 0 has been fixed. (&man.rand.3; remains unsuitable for all but trivial uses.) &man.sem.open.3; now correctly handles multiple opens of the same semaphore; as a result, &man.sem.close.3; no longer crashes calling programs. The seeding algorithm used by &man.srandom.3; has been strengthened. The sunlabel utility, a program analogous to &man.disklabel.8; that works on Sun disk labels, has been added. The &man.swapoff.8; command has been added to disable paging and swapping on a device. A related &man.swapctl.8; command has been added to provide an interface to &man.swapon.8; and &man.swapoff.8; similar to other BSDs. The &man.swapoff.8; feature should be considered experimental. &man.syslogd.8; now allows multiple hosts or programs to be named in host or program specifications in &man.syslog.conf.5; files. &man.systat.1; now includes an -ifstat display mode that displays the network traffic going through active intrfaces on the system. &man.xargs.1; now supports a -P option to execute multiple copies of the same utility in parallel. awk from Bell Labs has been updated to a 14 March 2003 snapshot. BIND has been updated to version 8.3.4. &merged; All of the bzip2 suite of applications is now installed in the base system (in particular, bzip2recover is now built and installed). &merged; CVS has been updated to 1.11.5. &merged; FILE has been updated to 3.41. &merged; GCC has been updated to 3.2.2 (release version). The ISC DHCP client has been updated to 3.0.1RC11. &merged; Kerberos IV support (in the form of KTH eBones) has been removed. Users requiring this functionality can still get it from the security/krb4 port (or package). Kerberos IV compatibility mode for Kerberos 5 has been removed, and the k5program userland utilities have been renamed to kprogram. libpcap now has support for selecting among multiple data link types on an interface. OpenPAM has been updated to the Daffodil release. OpenSSL has been updated to release 0.9.7a. Among other features, this release includes support for AES and takes advantage of &man.crypto.4; devices. &merged; sendmail has been updated to version 8.12.8. &merged; &man.tcpdump.1; has been updated to version 3.7.2. &merged; It also now supports a -L flag to list the data link types available on an interface and a -y option to specify the data link type to use while capturing packets. The one-line pkg-comment files have been eliminated from each port skeleton; their contents have been moved into each port's Makefile. This change reduces the disk space and inodes used by the ports tree. &merged; The supported release of GNOME has been updated to 2.2. &merged; The supported release of KDE has been updated to 3.1. &merged; &man.sysinstall.8; once again supports installing individual components of XFree86. Supporting changes (not user-visible) generalize the concept of installing parts of distributions as packages. The supported release of XFree86 has been updated to 4.3.0. &merged; Users with existing &os; systems are highly encouraged to read the Early Adopter's Guide to &os; 5.0. This document generally has the filename EARLY.TXT on the distribution media, or any other place that the release notes can be found. It offers some notes on upgrading, but more importantly, also discusses some of the relative merits of upgrading to &os; 5.X versus running &os; 4.X. Upgrading &os; should, of course, only be attempted after backing up all data and configuration files.