article.xml revision 134118
<!-- 
	FreeBSD errata document.  Unlike some of the other RELNOTESng
	files, this file should remain as a single SGML file, so that
	the dollar FreeBSD dollar header has a meaningful modification
	time.  This file is all but useless without a datestamp on it,
	so we'll take some extra care to make sure it has one.

	(If we didn't do this, then the file with the datestamp might
	not be the one that received the last change in the document.)

-->

<!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
<!ENTITY % articles.ent PUBLIC "-//FreeBSD//ENTITIES DocBook FreeBSD Articles Entity Set//EN">
%articles.ent;

<!ENTITY % release PUBLIC "-//FreeBSD//ENTITIES Release Specification//EN">
%release;
<!ENTITY release.bugfix "5.2.1-RELEASE">
]>

<article>
  <articleinfo>
    <title>&os;
<![ %release.type.snapshot [
    &release.prev;
]]>
<![ %release.type.release [
    &release.current;
]]>
    Errata</title>

    <corpauthor>
    The &os; Project
    </corpauthor>

    <pubdate>$FreeBSD: head/release/doc/en_US.ISO8859-1/errata/article.sgml 134118 2004-08-21 14:27:21Z hrs $</pubdate>

    <copyright>
      <year>2000</year>
      <year>2001</year>
      <year>2002</year>
      <year>2003</year>
      <year>2004</year>
      <holder role="mailto:doc@FreeBSD.org">The FreeBSD Documentation Project</holder>
    </copyright>

    <legalnotice id="trademarks" role="trademarks">
      &tm-attrib.freebsd;
      &tm-attrib.intel;
      &tm-attrib.sparc;
      &tm-attrib.general;
    </legalnotice>
  </articleinfo>

  <abstract>
    <para>This document lists errata items for &os; 
<![ %release.type.current [
      &release.prev;,
]]>
<![ %release.type.snapshot [
      &release.prev;,
]]>
<![ %release.type.release [
      &release.current;,
]]>
      containing significant information discovered after the release
      or too late in the release cycle to be otherwise included in the
      release documentation.
      This information includes security advisories, as well as news
      relating to the software or documentation that could affect its
      operation or usability.  An up-to-date version of this document
      should always be consulted before installing this version of
      &os;.</para>

    <para>This document also contains errata for &os;
      &release.bugfix;, a <quote>point release</quote> made about one
      month after &os; &release.prev;.  Unless otherwise noted, all
      errata items in this document apply to both &release.prev;
      and &release.bugfix;.</para>

    <para>This errata document for &os; 
<![ %release.type.current [
      &release.prev;
]]>
<![ %release.type.snapshot [
      &release.prev;
]]>
<![ %release.type.release [
      &release.current;
]]>
      will be maintained until the release of &os; &release.next;.</para>
  </abstract>

  <sect1 id="intro">
    <title>Introduction</title>

    <para>This errata document contains <quote>late-breaking news</quote>
      about &os;
<![ %release.type.current [
      &release.prev;.
]]>
<![ %release.type.snapshot [
      &release.prev;.
]]>
<![ %release.type.release [
      &release.current;.
]]>
      Before installing this version, it is important to consult this
      document to learn about any post-release discoveries or problems
      that may already have been found and fixed.</para>

    <para>Any version of this errata document actually distributed
      with the release (for example, on a CDROM distribution) will be
      out of date by definition, but other copies are kept updated on
      the Internet and should be consulted as the <quote>current
      errata</quote> for this release.  These other copies of the
      errata are located at <ulink
      url="http://www.FreeBSD.org/releases/"></ulink>, plus any sites
      which keep up-to-date mirrors of this location.</para>

    <para>Source and binary snapshots of &os; &release.branch; also
      contain up-to-date copies of this document (as of the time of
      the snapshot).</para>

    <para>For a list of all &os; CERT security advisories, see <ulink
      url="http://www.FreeBSD.org/security/"></ulink> or <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/"></ulink>.</para>

  </sect1>

  <sect1 id="security">
    <title>Security Advisories</title>

<![ %release.type.release [
    <para>No advisories.</para>
]]>

<![ %release.type.current [
    <para>No advisories.</para>
]]>

<![ %release.type.snapshot [

    <para>(30 Jan 2004, updated 28 Feb 2004) A bug in &man.mksnap.ffs.8; causes the creation of a
      filesystem snapshot to reset the flags on the filesystem to
      their default values.  The possible consequences depend on local
      usage, but can include disabling extended access control lists
      or enabling the use of setuid executables stored on an untrusted
      filesystem.  This bug also affects the &man.dump.8;
      <option>-L</option> option, which uses &man.mksnap.ffs.8;.  Note
      that &man.mksnap.ffs.8; is normally only available to the
      superuser and members of the <groupname>operator</groupname>
      group.  This bug has been fixed on the &os; &release.prev;
      security fix branch and in &os; &release.bugfix;.  For more information, see security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:01.mksnap_ffs.asc">FreeBSD-SA-04:01</ulink>.</para>

    <para>(8 Feb 2004, updated 28 Feb 2004) A bug in the System V Shared Memory interface
      (specifically the &man.shmat.2; system call)
      can cause a shared memory segment to reference
      unallocated kernel memory.  In turn, this can permit a local
      attacker to gain unauthorized access to parts of kernel memory,
      possibly resulting in disclosure of sensitive information,
      bypass of access control mechanisms, or privilege escalation.
      This bug has been fixed on the &os; &release.prev;
      security fix branch and in &os; &release.bugfix;.
      More details, including bugfix and workaround information,
      can be found in security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:02.shmat.asc">FreeBSD-SA-04:02</ulink>.</para>

    <para>(28 Feb 2004) It is possible, under some circumstances, for
      a process with superuser privileges inside a &man.jail.8;
      environment to change its root directory to a different jail,
      giving it read and write access to the files and directories
      within.  This vulnerability has been closed on the &os;
      &release.prev; security fix branch and in &os;
      &release.bugfix;.  Information on the bug fix can be found in
      security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:03.jail.asc">FreeBSD-SA-04:03</ulink>.</para>

    <para>(4 Mar 2004) It is possible for a remote attacker to conduct
      a low-bandwidth denial-of-service attack against a machine
      providing TCP-based services, filling up the target's memory
      buffers and potentially leading to a system crash.  This
      vulnerability has been addressed on the &os; &release.prev;
      security fix branch, but is present in both &os; &release.prev;
      and &release.bugfix;.  Security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:04.tcp.asc">FreeBSD-SA-04:04</ulink>
      contains more details, as well as information on patching
      existing systems.</para>

    <para>(17 Mar 2004) By performing a specially crafted SSL/TLS
      handshake with an application that uses OpenSSL, a null pointer
      may be dereferenced.  This may in turn cause the application to
      crash, resulting in a denial of service.  For more information,
      see security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:05.openssl.asc">FreeBSD-SA-04:05</ulink>,
      which contains more details and instructions on how to patch existing
      systems.</para>

    <para>(29 Mar 2004) A local attacker may take advantage of a
      programming error in the handling of certain IPv6 socket options
      in the &man.setsockopt.2; system call to read portions of kernel
      memory without proper authorization.  This may result in disclosure
      of sensitive data, or potentially cause a panic.  See security
      advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:06.ipv6.asc">FreeBSD-SA-04:06</ulink>
      for a more detailed description and instructions on how to patch
      existing systems.</para>

    <para>(9 May 2004) Two programming errors in
      <application>CVS</application> can allow a server to overwrite
      arbitrary files on the client, and a client to read arbitrary
      files on the server when accessing remote CVS repositories.
      More details, including patch and upgrade information, can be
      found in security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:07.cvs.asc">FreeBSD-SA-04:07</ulink>.</para>

    <para>(9 May 2004) <application>Heimdal</application> may, under
      some circumstances, not perform adequate checking of
      authentication across autonomous realms.  For more information,
      see security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:08.heimdal.asc">FreeBSD-SA-04:08</ulink>.</para>

]]>

  </sect1>

  <sect1 id="open-issues">
    <title>Open Issues</title>

<![ %release.type.current [
    <para>No open issues.</para>
]]>

<![ %release.type.release [
    <para>No open issues.</para>
]]>

<![ %release.type.snapshot [

    <para>(9 Jan 2004) Due to a change in &man.cpp.1; behavior, the
      login screen for &man.xdm.1; is in black and white, even on
      systems with color displays.  As a workaround, update to a newer
      version of the 
      <filename role="package">x11/XFree86-4-clients</filename>
      port/package.</para>

    <para>(9 Jan 2004) There remain some residual problems with ACPI.
      In some cases, systems may behave erratically, or hang at boot
      time.  As a workaround, disable ACPI, using the <quote>safe
      mode</quote> option of the bootloader or using the
      <varname>hint.acpi.0.disabled</varname> kernel environment
      variable.  These problems are being investigated.  For problems
      that have not already been reported (check the mailing list
      archives <emphasis>before</emphasis> posting), sending the
      output of &man.dmesg.8; and &man.acpidump.8; to the
      &a.current; may help diagnose the problem.</para>

    <para>(9 Jan 2004, updated 28 Feb 2004) In some cases, ATA devices may behave
      erratically, particularly SATA devices.  Reported symptoms
      include command timeouts or missing interrupts.  These problems
      appear to be timing-dependent, making them rather difficult to
      isolate.  Workarounds include:</para>

    <itemizedlist>
      <listitem>
	<para>Turn off ATA DMA using the <quote>safe mode</quote>
	  option of the bootloader or the
	  <varname>hw.ata.ata_dma</varname> sysctl variable.</para>
      </listitem>

      <listitem>
	<para>Use the host's BIOS setup options to put the ATA
	  controller in its <quote>legacy mode</quote>, if
	  available.</para>
      </listitem>

      <listitem>
	<para>Disable ACPI, for example using the <quote>safe mode</quote>
	  option of the bootloader or using the
	  <varname>hint.acpi.0.disabled</varname> kernel environment
	  variable.</para>
      </listitem>
    </itemizedlist>

    <para>Some of these problems were addressed in &os;
      &release.bugfix; with the import of a newer &man.ata.4; from
      &release.current;.</para>

    <para>(9 Jan 2004) Installing over NFS when using the install
      floppies requires that the <filename>nfsclient.ko</filename>
      module be manually loaded from the third floppy disk.  This can
      be done by following the prompts when &man.sysinstall.8;
      launches to load a driver from the third floppy disk.</para>

    <para>(9 Jan 2004) The use of multiple vchans (virtual audio
      channels with dynamic mixing in software) in the &man.pcm.4;
      driver has been known to cause some instability.</para>

    <para>(10 Jan 2004) Although APIC interrupt routing seems to work
      correctly on many systems, on some others (such as some laptops)
      it can cause various errors, such as &man.ata.4; errors or hangs
      when starting or exiting X11.  For these situations, it may be
      advisable to disable APIC routing, using the <quote>safe
      mode</quote> of the bootloader or the
      <varname>hint.apic.0.disabled</varname> loader tunable.  Note
      that disabling APIC is not compatible with SMP systems.</para>

    <para>(10 Jan 2004, updated 28 Feb 2004) The NFSv4 client may panic when attempting an
      NFSv4 operation against an NFSv3/NFSv2-only server.  This
      problem has been fixed with revision 1.4 of
      <filename>src/sys/rpc/rpcclnt.c</filename> in &os;
      &release.current;.  It was also fixed in &os;
      &release.bugfix;.</para>

    <para>(11 Jan 2004, updated 28 Feb 2004) Some problems have been encountered when using
      third-party NSS modules, such as <filename>nss_ldap</filename>,
      and groups with large membership lists.  These have been fixed
      with revision 1.2 of <filename>src/include/nss.h</filename> and
      revision 1.2 of
      <filename>src/lib/libc/net/nss_compat.c</filename> in &os;
      &release.current;; this fix was backported to &os;
      &release.bugfix;.</para>

    <para>(13 Jan 2004) The &os; &release.current; release notes
      incorrectly stated that <application>GCC</application> was a
      post-release GCC 3.3.3 snapshot.  They should have stated that
      GCC was a <emphasis>pre-release</emphasis> GCC 3.3.3
      snapshot.</para>

    <para>(13 Jan 2004, updated 28 Feb 2004) The <filename
      role="package">sysutils/kdeadmin3</filename> port/package has a
      bug in the <application>KUser</application> component that can
      cause deletion of the <username>root</username> user from the
      system password file.  Users are strongly urged to upgrade to
      version 3.1.4_1 of this port/package.  The package set included
      with &os; &release.bugfix; contains the fixed version of this
      package.</para>

    <para>(21 Jan 2004, updated 28 Feb 2004) Some bugs in the IPsec implementation imported
      from the KAME Project can result in memory objects being freed
      before all references to them were removed.  Reported symptoms
      include erratic behavior or kernel panics after flushing the
      Security Policy Database (SPD).  Some of these problems have
      been fixed in &os; &release.current; in rev. 1.31 of
      <filename>src/sys/netinet6/ipsec.c</filename>, rev. 1.136 of
      <filename>src/sys/netinet/in_pcb.c</filename>, and revs. 1.63
      and 1.64 of <filename>src/sys/netkey/key.c</filename>.  These
      bugfixes were backported to &os; &release.bugfix;.  More
      information about these problems has been posted to the
      &a.current;, in particular the thread entitled <ulink 
      url="http://lists.FreeBSD.org/pipermail/freebsd-current/2004-January/thread.html#18084">
      <quote>[PATCH] IPSec fixes</quote></ulink>.</para>

    <para>(28 Feb 2004) The edition of the Porter's Handbook included
      with &os; &release.bugfix; contained an incorrect value for
      &release.bugfix;'s <varname>__FreeBSD_version</varname>.  The
      correct value is <literal>502010</literal>.</para>

]]>

  </sect1>

  <sect1 id="late-news">
    <title>Late-Breaking News</title>

<![ %release.type.current [
    <para>No news.</para>
]]>

<![ %release.type.release [
    <para>No news.</para>
]]>

<![ %release.type.snapshot [

    <para>(10 Jan 2004, updated 28 Feb 2004) The TCP implementation in &os; now includes
      protection against a certain class of TCP MSS resource
      exhaustion attacks, in the form of limits on the size and rate
      of TCP segments.  The first limit sets the minimum allowed
      maximum TCP segment size, and is controlled by the
      <varname>net.inet.tcp.minmss</varname> sysctl variable (the
      default value is <literal>216</literal> bytes).  The second
      limit is set by the
      <varname>net.inet.tcp.minmssoverload</varname> variable, and
      controls the maximum packet rate for connections whose average
      segment size is less than <varname>net.inet.tcp.minmss</varname>.
      Connections exceeding this packet rate are reset and dropped.
      Because this feature was added late in the &release.prev;
      release cycle, connection rate limiting is disabled by default,
      but can be enabled manually by assigning a non-zero value to
      <varname>net.inet.tcp.minmssoverload</varname>.  This feature
      was added to &os; &release.prev; too late for inclusion in its
      release notes.</para>

]]>

  </sect1>

</article>