<!-- 
	FreeBSD errata document.  Unlike some of the other RELNOTESng
	files, this file should remain as a single SGML file, so that
	the dollar FreeBSD dollar header has a meaningful modification
	time.  This file is all but useless without a datestamp on it,
	so we'll take some extra care to make sure it has one.

	(If we didn't do this, then the file with the datestamp might
	not be the one that received the last change in the document.)

-->

<!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
<!ENTITY % man PUBLIC "-//FreeBSD//ENTITIES DocBook Manual Page Entities//EN">
%man;
<!ENTITY % authors PUBLIC  "-//FreeBSD//ENTITIES DocBook Author Entities//EN">
%authors;
<!ENTITY % mlists PUBLIC "-//FreeBSD//ENTITIES DocBook Mailing List Entities//EN">
%mlists;
<!ENTITY % trademarks PUBLIC "-//FreeBSD//ENTITIES DocBook Trademark Entities//EN">
%trademarks;
<!ENTITY % release PUBLIC "-//FreeBSD//ENTITIES Release Specification//EN">
%release;
<!ENTITY % misc PUBLIC  "-//FreeBSD//ENTITIES DocBook Miscellaneous FreeBSD Entities//EN">
%misc;

<!ENTITY release.bugfix "5.2.1-RELEASE">
]>

<article>
  <articleinfo>
    <title>&os;
<![ %release.type.snapshot [
    &release.prev;
]]>
<![ %release.type.release [
    &release.current;
]]>
    Errata</title>

    <corpauthor>
    The &os; Project
    </corpauthor>

    <pubdate>$FreeBSD: head/release/doc/en_US.ISO8859-1/errata/article.sgml 126629 2004-03-05 04:19:06Z bmah $</pubdate>

    <copyright>
      <year>2000</year>
      <year>2001</year>
      <year>2002</year>
      <year>2003</year>
      <year>2004</year>
      <holder role="mailto:doc@FreeBSD.org">The FreeBSD Documentation Project</holder>
    </copyright>

    <legalnotice id="trademarks" role="trademarks">
      &tm-attrib.freebsd;
      &tm-attrib.intel;
      &tm-attrib.sparc;
      &tm-attrib.general;
    </legalnotice>
  </articleinfo>

  <abstract>
    <para>This document lists errata items for &os; 
<![ %release.type.snapshot [
      &release.prev;,
]]>
<![ %release.type.release [
      &release.current;,
]]>
      containing significant information discovered after the release
      or too late in the release cycle to be otherwise included in the
      release documentation.
      This information includes security advisories, as well as news
      relating to the software or documentation that could affect its
      operation or usability.  An up-to-date version of this document
      should always be consulted before installing this version of
      &os;.</para>

    <para>This document also contains errata for &os;
      &release.bugfix;, a <quote>point release</quote> made about one
      month after &os; &release.prev;.  Unless otherwise noted, all
      errata items in this document apply to both &release.prev;
      and &release.bugfix;.</para>

    <para>This errata document for &os; 
<![ %release.type.snapshot [
      &release.prev;
]]>
<![ %release.type.release [
      &release.current;
]]>
      will be maintained until the release of &os; &release.next;.</para>
  </abstract>

  <sect1 id="intro">
    <title>Introduction</title>

    <para>This errata document contains <quote>late-breaking news</quote>
      about &os;
<![ %release.type.snapshot [
      &release.prev;.
]]>
<![ %release.type.release [
      &release.current;.
]]>
      Before installing this version, it is important to consult this
      document to learn about any post-release discoveries or problems
      that may already have been found and fixed.</para>

    <para>Any version of this errata document actually distributed
      with the release (for example, on a CDROM distribution) will be
      out of date by definition, but other copies are kept updated on
      the Internet and should be consulted as the <quote>current
      errata</quote> for this release.  These other copies of the
      errata are located at <ulink
      url="http://www.FreeBSD.org/releases/"></ulink>, plus any sites
      which keep up-to-date mirrors of this location.</para>

    <para>Source and binary snapshots of &os; &release.branch; also
      contain up-to-date copies of this document (as of the time of
      the snapshot).</para>

    <para>For a list of all &os; CERT security advisories, see <ulink
      url="http://www.FreeBSD.org/security/"></ulink> or <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/"></ulink>.</para>

  </sect1>

  <sect1 id="security">
    <title>Security Advisories</title>

<![ %release.type.release [
    <para>No advisories.</para>
]]>

<![ %release.type.snapshot [

    <para>(30 Jan 2004, updated 28 Feb 2004) A bug in &man.mksnap.ffs.8; causes the creation of a
      filesystem snapshot to reset the flags on the filesystem to
      their default values.  The possible consequences depend on local
      usage, but can include disabling extended access control lists
      or enabling the use of setuid executables stored on an untrusted
      filesystem.  This bug also affects the &man.dump.8;
      <option>-L</option> option, which uses &man.mksnap.ffs.8;.  Note
      that &man.mksnap.ffs.8; is normally only available to the
      superuser and members of the <groupname>operator</groupname>
      group.  This bug has been fixed on the &os; &release.prev;
      security fix branch and in &os; &release.bugfix;.  For more information, see security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:01.mksnap_ffs.asc">FreeBSD-SA-04:01</ulink>.</para>

    <para>(8 Feb 2004, updated 28 Feb 2004) A bug with the System V Shared Memory interface
      (specifically the &man.shmat.2; system call)
      can cause a shared memory segment to reference
      unallocated kernel memory.  In turn, this can permit a local
      attacker to gain unauthorized access to parts of kernel memory,
      possibly resulting in disclosure of sensitive information,
      bypass of access control mechanisms, or privilege escalation.
      This bug has been fixed on the &os; &release.prev;
      security fix branch and in &os; &release.bugfix;.
      More details, including bugfix and workaround information,
      can be found in security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:02.shmat.asc">FreeBSD-SA-04:02</ulink>.</para>

    <para>(28 Feb 2004) It is possible, under some circumstances, for
      a process with superuser privileges inside a &man.jail.8;
      environment to change its root directory to a different jail,
      giving it read and write access to the files and directories
      within.  This vulnerability has been closed on the &os;
      &release.prev; security fix branch and in &os;
      &release.bugfix;.  Information on the bug fix can be found in
      security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:03.jail.asc">FreeBSD-SA-04:03</ulink>.</para>

    <para>(4 Mar 2004) It is possible for a remote attacker to conduct
      a low-bandwidth denial-of-service attack against a machine
      providing TCP-based services, filling up the target's memory
      buffers and potentially leading to a system crash.  This
      vulnerability has been addressed on the &os; &release.prev;
      security fix branch, but is present in both &os; &release.prev;
      and &release.bugfix;.  Security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:04.tcp.asc">FreeBSD-SA-04:04</ulink>
      contains more details, as well as information on patching
      existing systems.</para>

]]>

  </sect1>

  <sect1 id="open-issues">
    <title>Open Issues</title>

<![ %release.type.release [
    <para>No open issues.</para>
]]>

<![ %release.type.snapshot [

    <para>(9 Jan 2004) Due to a change in &man.cpp.1; behavior, the
      login screen for &man.xdm.1; is in black and white, even on
      systems with color displays.  As a workaround, update to a newer
      version of the 
      <filename role="package">x11/XFree86-4-clients</filename>
      port/package.</para>

    <para>(9 Jan 2004) There remain some residual problems with ACPI.
      In some cases, systems may behave erratically, or hang at boot
      time.  As a workaround, disable ACPI, using the <quote>safe
      mode</quote> option of the bootloader or using the
      <varname>hint.acpi.0.disabled</varname> kernel environment
      variable.  These problems are being investigated.  For problems
      that have not already been reported (check the mailing list
      archives <emphasis>before</emphasis> posting), sending the
      output of &man.dmesg.8; and &man.acpidump.8; to the
      &a.current; may help diagnose the problem.</para>

    <para>(9 Jan 2004, updated 28 Feb 2004) In some cases, ATA devices may behave
      erratically, particularly SATA devices.  Reported symptoms
      include command timeouts or missing interrupts.  These problems
      appear to be timing-dependent, making them rather difficult to
      isolate.  Workarounds include:</para>

    <itemizedlist>
      <listitem>
	<para>Turn off ATA DMA using the <quote>safe mode</quote>
	  option of the bootloader or the
	  <varname>hw.ata.ata_dma</varname> sysctl variable.</para>
      </listitem>

      <listitem>
	<para>Use the host's BIOS setup options to put the ATA
	  controller in its <quote>legacy mode</quote>, if
	  available.</para>
      </listitem>

      <listitem>
	<para>Disable ACPI, for example using the <quote>safe mode</quote>
	  option of the bootloader or using the
	  <varname>hint.acpi.0.disabled</varname> kernel environment
	  variable.</para>
      </listitem>
    </itemizedlist>

    <para>Some of these problems were addressed in &os;
      &release.bugfix; with the import of a newer &man.ata.4; from
      &release.current;.</para>

    <para>(9 Jan 2004) Installing over NFS when using the install
      floppies requires that the <filename>nfsclient.ko</filename>
      module be manually loaded from the third floppy disk.  This can
      be done by following the prompts when &man.sysinstall.8;
      launches to load a driver off of the third floppy disk.</para>

    <para>(9 Jan 2004) The use of multiple vchans (virtual audio
      channels with dynamic mixing in software) in the &man.pcm.4;
      driver has been known to cause some instability.</para>

    <para>(10 Jan 2004) Although APIC interrupt routing seems to work
      correctly on many systems, on some others (such as some laptops)
      it can cause various errors, such as &man.ata.4; errors or hangs
      when starting or exiting X11.  For these situations, it may be
      advisable to disable APIC routing, using the <quote>safe
      mode</quote> of the bootloader or the
      <varname>hint.apic.0.disabled</varname> loader tunable.  Note
      that disabling APIC is not compatible with SMP systems.</para>

    <para>(10 Jan 2004, updated 28 Feb 2004) The NFSv4 client may panic when attempting an
      NFSv4 operation against an NFSv3/NFSv2-only server.  This
      problem has been fixed with revision 1.4 of
      <filename>src/sys/rpc/rpcclnt.c</filename> in &os;
      &release.current;.  It was also fixed in &os;
      &release.bugfix;.</para>

    <para>(11 Jan 2004, updated 28 Feb 2004) Some problems have been encountered when using
      third-party NSS modules, such as <filename>nss_ldap</filename>,
      and groups with large membership lists.  These have been fixed
      with revision 1.2 of <filename>src/include/nss.h</filename> and
      revision 1.2 of
      <filename>src/lib/libc/net/nss_compat.c</filename> in &os;
      &release.current;; this fix was backported to &os;
      &release.bugfix;.</para>

    <para>(13 Jan 2004) The &os; &release.current; release notes
      incorrectly stated that <application>GCC</application> was a
      post-release GCC 3.3.3 snapshot.  They should have stated that
      GCC was a <emphasis>pre-release</emphasis> GCC 3.3.3
      snapshot.</para>

    <para>(13 Jan 2004, updated 28 Feb 2004) The <filename
      role="package">sysutils/kdeadmin3</filename> port/package has a
      bug in the <application>KUser</application> component that can
      cause deletion of the <username>root</username> user from the
      system password file.  Users are strongly urged to upgrade to
      version 3.1.4_1 of this port/package.  The package set included
      with &os; &release.bugfix; contains the fixed version of this
      package.</para>

    <para>(21 Jan 2004, updated 28 Feb 2004) Some bugs in the IPsec implementation imported
      from the KAME Project can result in memory objects being freed
      before all references to them were removed.  Reported symptoms
      include erratic behavior or kernel panics after flushing the
      Security Policy Database (SPD).  Some of these problems have
      been fixed in &os; &release.current; in rev. 1.31 of
      <filename>src/sys/netinet6/ipsec.c</filename>, rev. 1.136 of
      <filename>src/sys/netinet/in_pcb.c</filename>, and revs. 1.63
      and 1.64 of <filename>src/sys/netkey/key.c</filename>.  These
      bugfixes were backported to &os; &release.bugfix;.  More
      information about these problems has been posted to the
      &a.current;, in particular the thread entitled <ulink 
      url="http://lists.FreeBSD.org/pipermail/freebsd-current/2004-January/thread.html#18084">
      <quote>[PATCH] IPSec fixes</quote></ulink>.</para>

    <para>(28 Feb 2004) The edition of the Porter's Handbook included
      with &os; &release.bugfix; contained an incorrect value for
      &release.bugfix;'s <varname>__FreeBSD_version</varname>.  The
      correct value is <literal>502010</literal>.</para>

]]>

  </sect1>

  <sect1 id="late-news">
    <title>Late-Breaking News</title>

<![ %release.type.release [
    <para>No news.</para>
]]>

<![ %release.type.snapshot [

    <para>(10 Jan 2004, updated 28 Feb 2004) The TCP implementation in &os; now includes
      protection against a certain class of TCP MSS resource
      exhaustion attacks, in the form of limits on the size and rate
      of TCP segments.  The first limit sets the minimum allowed
      maximum TCP segment size, and is controlled by the
      <varname>net.inet.tcp.minmss</varname> sysctl variable (the
      default value is <literal>216</literal> bytes).  The second
      limit is set by the
      <varname>net.inet.tcp.minmssoverload</varname> variable, and
      controls the maximum rate of connections whose average segment
      size is less than <varname>net.inet.tcp.minmss</varname>.
      Connections exceeding this packet rate are reset and dropped.
      Because this feature was added late in the &release.prev;
      release cycle, connection rate limiting is disabled by default,
      but can be enabled manually by assigning a non-zero value to
      <varname>net.inet.tcp.minmssoverload</varname>.  This feature
      was added to &os; &release.prev; too late for inclusion in its
      release notes.</para>

]]>

  </sect1>

</article>