article.xml revision 133328
<!--
  FreeBSD errata document. Unlike some of the other RELNOTESng
  files, this file should remain as a single SGML file, so that
  the dollar FreeBSD dollar header has a meaningful modification
  time. This file is all but useless without a datestamp on it,
  so we'll take some extra care to make sure it has one.

  (If we didn't do this, then the file with the datestamp might
  not be the one that received the last change in the document.)

-->

<!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
<!ENTITY % articles.ent PUBLIC "-//FreeBSD//ENTITIES DocBook FreeBSD Articles Entity Set//EN">
%articles.ent;

<!ENTITY % release PUBLIC "-//FreeBSD//ENTITIES Release Specification//EN">
%release;
<!ENTITY release.bugfix "5.2.1-RELEASE">
]>

<article>
  <articleinfo>
    <title>&os;
<![ %release.type.snapshot [
      &release.prev;
]]>
<![ %release.type.release [
      &release.current;
]]>
      Errata</title>

    <corpauthor>
      The &os; Project
    </corpauthor>

    <pubdate>$FreeBSD: head/release/doc/en_US.ISO8859-1/errata/article.sgml 133328 2004-08-08 14:59:27Z hrs $</pubdate>

    <copyright>
      <year>2000</year>
      <year>2001</year>
      <year>2002</year>
      <year>2003</year>
      <year>2004</year>
      <holder role="mailto:doc@FreeBSD.org">The FreeBSD Documentation Project</holder>
    </copyright>

    <legalnotice id="trademarks" role="trademarks">
      &tm-attrib.freebsd;
      &tm-attrib.intel;
      &tm-attrib.sparc;
      &tm-attrib.general;
    </legalnotice>
  </articleinfo>

  <abstract>
    <para>This document lists errata items for &os;
<![ %release.type.snapshot [
      &release.prev;,
]]>
<![ %release.type.release [
      &release.current;,
]]>
      containing significant information discovered after the release
      or too late in the release cycle to be otherwise included in the
      release documentation.
      This information includes security advisories, as well as news
      relating to the software or documentation that could affect its
      operation or usability. An up-to-date version of this document
      should always be consulted before installing this version of
      &os;.</para>

    <para>This document also contains errata for &os;
      &release.bugfix;, a <quote>point release</quote> made about one
      month after &os; &release.prev;. Unless otherwise noted, all
      errata items in this document apply to both &release.prev;
      and &release.bugfix;.</para>

    <para>This errata document for &os;
<![ %release.type.snapshot [
      &release.prev;
]]>
<![ %release.type.release [
      &release.current;
]]>
      will be maintained until the release of &os; &release.next;.</para>
  </abstract>

  <sect1 id="intro">
    <title>Introduction</title>

    <para>This errata document contains <quote>late-breaking news</quote>
      about &os;
<![ %release.type.snapshot [
      &release.prev;.
]]>
<![ %release.type.release [
      &release.current;.
]]>
      Before installing this version, it is important to consult this
      document to learn about any post-release discoveries or problems
      that may already have been found and fixed.</para>

    <para>Any version of this errata document actually distributed
      with the release (for example, on a CDROM distribution) will be
      out of date by definition, but other copies are kept updated on
      the Internet and should be consulted as the <quote>current
      errata</quote> for this release. These other copies of the
      errata are located at <ulink
      url="http://www.FreeBSD.org/releases/"></ulink>, plus any sites
      which keep up-to-date mirrors of this location.</para>

    <para>Source and binary snapshots of &os; &release.branch; also
      contain up-to-date copies of this document (as of the time of
      the snapshot).</para>

    <para>For a list of all &os; CERT security advisories, see <ulink
      url="http://www.FreeBSD.org/security/"></ulink> or <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/"></ulink>.</para>

  </sect1>

  <sect1 id="security">
    <title>Security Advisories</title>

<![ %release.type.release [
    <para>No advisories.</para>
]]>

<![ %release.type.snapshot [

    <para>(30 Jan 2004, updated 28 Feb 2004) A bug in &man.mksnap.ffs.8; causes the creation of a
      filesystem snapshot to reset the flags on the filesystem to
      their default values.
      The possible consequences depend on local
      usage, but can include disabling extended access control lists
      or enabling the use of setuid executables stored on an untrusted
      filesystem. This bug also affects the &man.dump.8;
      <option>-L</option> option, which uses &man.mksnap.ffs.8;. Note
      that &man.mksnap.ffs.8; is normally only available to the
      superuser and members of the <groupname>operator</groupname>
      group. This bug has been fixed on the &os; &release.prev;
      security fix branch and in &os; &release.bugfix;. For more information, see security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:01.mksnap_ffs.asc">FreeBSD-SA-04:01</ulink>.</para>

    <para>(8 Feb 2004, updated 28 Feb 2004) A bug with the System V Shared Memory interface
      (specifically the &man.shmat.2; system call)
      can cause a shared memory segment to reference
      unallocated kernel memory. In turn, this can permit a local
      attacker to gain unauthorized access to parts of kernel memory,
      possibly resulting in disclosure of sensitive information,
      bypass of access control mechanisms, or privilege escalation.
      This bug has been fixed on the &os; &release.prev;
      security fix branch and in &os; &release.bugfix;.
      More details, including bugfix and workaround information,
      can be found in security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:02.shmat.asc">FreeBSD-SA-04:02</ulink>.</para>

    <para>(28 Feb 2004) It is possible, under some circumstances, for
      a process with superuser privileges inside a &man.jail.8;
      environment to change its root directory to a different jail,
      giving it read and write access to the files and directories
      within. This vulnerability has been closed on the &os;
      &release.prev; security fix branch and in &os;
      &release.bugfix;. Information on the bug fix can be found in
      security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:03.jail.asc">FreeBSD-SA-04:03</ulink>.</para>

    <para>(4 Mar 2004) It is possible for a remote attacker to conduct
      a low-bandwidth denial-of-service attack against a machine
      providing TCP-based services, filling up the target's memory
      buffers and potentially leading to a system crash. This
      vulnerability has been addressed on the &os; &release.prev;
      security fix branch, but is present in both &os; &release.prev;
      and &release.bugfix;. Security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:04.tcp.asc">FreeBSD-SA-04:04</ulink>
      contains more details, as well as information on patching
      existing systems.</para>

    <para>(17 Mar 2004) By performing a specially crafted SSL/TLS
      handshake with an application that uses OpenSSL, a null pointer
      may be dereferenced.
      This may in turn cause the application to
      crash, resulting in a denial of service attack. For more information
      see the Security Advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:05.openssl.asc">FreeBSD-SA-04:05</ulink>
      which contains more details and instructions on how to patch existing
      systems.</para>

    <para>(29 Mar 2004) A local attacker may take advantage of a
      programming error in the handling of certain IPv6 socket options
      in the &man.setsockopt.2; system call to read portions of kernel
      memory without proper authorization. This may result in disclosure
      of sensitive data, or potentially cause a panic. See Security
      Advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:06.ipv6.asc">FreeBSD-SA-04:06</ulink>
      for a more detailed description and instructions on how to patch
      existing systems.</para>

    <para>(9 May 2004) Two programming errors in
      <application>CVS</application> can allow a server to overwrite
      arbitrary files on the client, and a client to read arbitrary
      files on the server when accessing remote CVS repositories.
      More details, including patch and upgrade information, can be
      found in security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:07.cvs.asc">FreeBSD-SA-04:07</ulink>.</para>

    <para>(9 May 2004) <application>Heimdal</application> may, under
      some circumstances, not perform adequate checking of
      authentication across autonomous realms.
      For more information,
      see security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:08.heimdal.asc">FreeBSD-SA-04:08</ulink>.</para>

]]>

  </sect1>

  <sect1 id="open-issues">
    <title>Open Issues</title>

<![ %release.type.release [
    <para>No open issues.</para>
]]>

<![ %release.type.snapshot [

    <para>(9 Jan 2004) Due to a change in &man.cpp.1; behavior, the
      login screen for &man.xdm.1; is in black and white, even on
      systems with color displays. As a workaround, update to a newer
      version of the
      <filename role="package">x11/XFree86-4-clients</filename>
      port/package.</para>

    <para>(9 Jan 2004) There remain some residual problems with ACPI.
      In some cases, systems may behave erratically, or hang at boot
      time. As a workaround, disable ACPI, using the <quote>safe
      mode</quote> option of the bootloader or using the
      <varname>hint.acpi.0.disabled</varname> kernel environment
      variable. These problems are being investigated. For problems
      that have not already been reported (check the mailing list
      archives <emphasis>before</emphasis> posting), sending the
      output of &man.dmesg.8; and &man.acpidump.8; to the
      &a.current; may help diagnose the problem.</para>

    <para>(9 Jan 2004, updated 28 Feb 2004) In some cases, ATA devices may behave
      erratically, particularly SATA devices. Reported symptoms
      include command timeouts or missing interrupts.
      These problems
      appear to be timing-dependent, making them rather difficult to
      isolate. Workarounds include:</para>

    <itemizedlist>
      <listitem>
        <para>Turn off ATA DMA using the <quote>safe mode</quote>
          option of the bootloader or the
          <varname>hw.ata.ata_dma</varname> sysctl variable.</para>
      </listitem>

      <listitem>
        <para>Use the host's BIOS setup options to put the ATA
          controller in its <quote>legacy mode</quote>, if
          available.</para>
      </listitem>

      <listitem>
        <para>Disable ACPI, for example using the <quote>safe mode</quote>
          option of the bootloader or using the
          <varname>hint.acpi.0.disabled</varname> kernel environment
          variable.</para>
      </listitem>
    </itemizedlist>

    <para>Some of these problems were addressed in &os;
      &release.bugfix; with the import of a newer &man.ata.4; from
      &release.current;.</para>

    <para>(9 Jan 2004) Installing over NFS when using the install
      floppies requires that the <filename>nfsclient.ko</filename>
      module be manually loaded from the third floppy disk.
      This can
      be done by following the prompts when &man.sysinstall.8;
      launches to load a driver off of the third floppy disk.</para>

    <para>(9 Jan 2004) The use of multiple vchans (virtual audio
      channels with dynamic mixing in software) in the &man.pcm.4;
      driver has been known to cause some instability.</para>

    <para>(10 Jan 2004) Although APIC interrupt routing seems to work
      correctly on many systems, on some others (such as some laptops)
      it can cause various errors, such as &man.ata.4; errors or hangs
      when starting or exiting X11. For these situations, it may be
      advisable to disable APIC routing, using the <quote>safe
      mode</quote> of the bootloader or the
      <varname>hint.apic.0.disabled</varname> loader tunable. Note
      that disabling APIC is not compatible with SMP systems.</para>

    <para>(10 Jan 2004, updated 28 Feb 2004) The NFSv4 client may panic when attempting an
      NFSv4 operation against an NFSv3/NFSv2-only server. This
      problem has been fixed with revision 1.4 of
      <filename>src/sys/rpc/rpcclnt.c</filename> in &os;
      &release.current;. It was also fixed in &os;
      &release.bugfix;.</para>

    <para>(11 Jan 2004, updated 28 Feb 2004) Some problems have been encountered when using
      third-party NSS modules, such as <filename>nss_ldap</filename>,
      and groups with large membership lists.
      These have been fixed
      with revision 1.2 of <filename>src/include/nss.h</filename> and
      revision 1.2 of
      <filename>src/lib/libc/net/nss_compat.c</filename> in &os;
      &release.current;; this fix was backported to &os;
      &release.bugfix;.</para>

    <para>(13 Jan 2004) The &os; &release.current; release notes
      incorrectly stated that <application>GCC</application> was a
      post-release GCC 3.3.3 snapshot. They should have stated that
      GCC was a <emphasis>pre-release</emphasis> GCC 3.3.3
      snapshot.</para>

    <para>(13 Jan 2004, updated 28 Feb 2004) The <filename
      role="package">sysutils/kdeadmin3</filename> port/package has a
      bug in the <application>KUser</application> component that can
      cause deletion of the <username>root</username> user from the
      system password file. Users are strongly urged to upgrade to
      version 3.1.4_1 of this port/package. The package set included
      with &os; &release.bugfix; contains the fixed version of this
      package.</para>

    <para>(21 Jan 2004, updated 28 Feb 2004) Some bugs in the IPsec implementation imported
      from the KAME Project can result in memory objects being freed
      before all references to them were removed. Reported symptoms
      include erratic behavior or kernel panics after flushing the
      Security Policy Database (SPD). Some of these problems have
      been fixed in &os; &release.current; in rev. 1.31 of
      <filename>src/sys/netinet6/ipsec.c</filename>, rev. 1.136 of
      <filename>src/sys/netinet/in_pcb.c</filename>, and revs. 1.63
      and 1.64 of <filename>src/sys/netkey/key.c</filename>.
      These
      bugfixes were backported to &os; &release.bugfix;. More
      information about these problems has been posted to the
      &a.current;, in particular the thread entitled <ulink
      url="http://lists.FreeBSD.org/pipermail/freebsd-current/2004-January/thread.html#18084">
      <quote>[PATCH] IPSec fixes</quote></ulink>.</para>

    <para>(28 Feb 2004) The edition of the Porters Handbook included
      with &os; &release.bugfix; contained an incorrect value for
      &release.bugfix;'s <varname>__FreeBSD_version</varname>. The
      correct value is <literal>502010</literal>.</para>

]]>

  </sect1>

  <sect1 id="late-news">
    <title>Late-Breaking News</title>

<![ %release.type.release [
    <para>No news.</para>
]]>

<![ %release.type.snapshot [

    <para>(10 Jan 2004, updated 28 Feb 2004) The TCP implementation in &os; now includes
      protection against a certain class of TCP MSS resource
      exhaustion attacks, in the form of limits on the size and rate
      of TCP segments. The first limit sets the minimum allowed
      maximum TCP segment size, and is controlled by the
      <varname>net.inet.tcp.minmss</varname> sysctl variable (the
      default value is <literal>216</literal> bytes). The second
      limit is set by the
      <varname>net.inet.tcp.minmssoverload</varname> variable, and
      controls the maximum rate of connections whose average segment
      size is less than <varname>net.inet.tcp.minmss</varname>.
      Connections exceeding this packet rate are reset and dropped.
      Because this feature was added late in the &release.prev;
      release cycle, connection rate limiting is disabled by default,
      but can be enabled manually by assigning a non-zero value to
      <varname>net.inet.tcp.minmssoverload</varname>. This feature
      was added to &os; &release.prev; too late for inclusion in its
      release notes.</para>

]]>

  </sect1>

</article>
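
A simplified model of the two TCP limits described under Late-Breaking News, added here as an example and not FreeBSD kernel code: a connection is reset only when it exceeds `net.inet.tcp.minmssoverload` segments in a window while its average segment size is below `net.inet.tcp.minmss`. The one-second window, the struct and function names, and the threshold of 1000 are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define WINDOW_MS 1000u  /* assumption: the rate is measured over one-second windows */

/* Tunables named after the two sysctl variables described above. */
struct mss_limits {
    unsigned minmss;         /* net.inet.tcp.minmss, in bytes */
    unsigned minmssoverload; /* net.inet.tcp.minmssoverload, segments per window; 0 = off */
};

/* Per-connection counters (hypothetical names, not kernel fields). */
struct conn_stats {
    uint64_t window_end_ms;
    uint64_t bytes;
    unsigned segs;
};

enum verdict { CONN_KEEP, CONN_RESET };

static const struct mss_limits LIMITS_DEFAULT = { 216, 0 };    /* limiting off, as shipped */
static const struct mss_limits LIMITS_ENABLED = { 216, 1000 }; /* 1000 is a constructed value */

/* Account one received segment and decide whether the connection survives. */
enum verdict account_segment(const struct mss_limits *lim, struct conn_stats *c,
                             uint64_t now_ms, unsigned seg_len)
{
    if (lim->minmssoverload == 0)
        return CONN_KEEP;                 /* rate limiting disabled */
    if (now_ms >= c->window_end_ms) {     /* start a fresh window */
        c->window_end_ms = now_ms + WINDOW_MS;
        c->segs = 1;
        c->bytes = seg_len;
        return CONN_KEEP;
    }
    c->segs++;
    c->bytes += seg_len;
    /* Reset only when both hold: too many segments, and small on average. */
    if (c->segs > lim->minmssoverload && c->bytes / c->segs < lim->minmss)
        return CONN_RESET;
    return CONN_KEEP;
}

/* Feed `total` equal-sized segments at a steady rate; return the 0-based index
 * of the segment that triggers a reset, or -1 if the connection survives. */
long first_reset(const struct mss_limits *lim, unsigned seg_len,
                 unsigned segs_per_sec, unsigned total)
{
    struct conn_stats c = { 0, 0, 0 };
    for (unsigned i = 0; i < total; i++) {
        uint64_t now_ms = (uint64_t)i * 1000u / segs_per_sec;
        if (account_segment(lim, &c, now_ms, seg_len) == CONN_RESET)
            return (long)i;
    }
    return -1;
}

int main(void)
{
    printf("default, 1-byte fast  : %ld\n", first_reset(&LIMITS_DEFAULT, 1, 5000, 5000));
    printf("enabled, 1-byte fast  : %ld\n", first_reset(&LIMITS_ENABLED, 1, 5000, 5000));
    printf("enabled, bulk transfer: %ld\n", first_reset(&LIMITS_ENABLED, 1460, 5000, 5000));
    printf("enabled, slow trickle : %ld\n", first_reset(&LIMITS_ENABLED, 1, 100, 5000));
    return 0;
}
```

A full-sized bulk transfer at the same packet rate and a slow trickle of tiny segments both survive; only the combination of high rate and small average size is dropped.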