article.xml revision 129380
1<articleinfo>
2  <title>&os;/&arch; &release.current; Release Notes</title>
3
4  <corpauthor>The FreeBSD Project</corpauthor>
5
6  <pubdate>$FreeBSD: head/release/doc/en_US.ISO8859-1/relnotes/article.sgml 129380 2004-05-18 07:38:46Z rik $</pubdate>
7
8  <copyright>
9    <year>2000</year>
10    <year>2001</year>
11    <year>2002</year>
12    <year>2003</year>
13    <year>2004</year>
14    <holder role="mailto:doc@FreeBSD.org">The FreeBSD Documentation Project</holder>
15  </copyright>
16
17  <abstract>
18    <para>The release notes for &os; &release.current; contain a summary
19      of
20<![ %include.historic; [
21      the changes made to the &os; base system since &release.prev;.
22]]>
23<![ %no.include.historic; [
24      recent changes made to the &os; base system on the &release.branch;
25      development branch.
26]]>
27      This document lists applicable security advisories that were issued since
28      the last release, as well as significant changes to the &os;
29      kernel and userland.
30      Some brief remarks on upgrading are also presented.</para>
31  </abstract>
32</articleinfo>
33
34<sect1 id="intro">
35  <title>Introduction</title>
36
37  <para>This document contains the release notes for &os;
38    &release.current; on the &arch.print; hardware platform.  It
39    describes recently added, changed, or deleted features of &os;.
40    It also provides some notes on upgrading
41    from previous versions of &os;.</para>
42
43<![ %release.type.snapshot [
44
45  <para>The &release.type; distribution to which these release notes
46    apply represents a point along the &release.branch; development
47    branch between &release.prev; and the future &release.next;.  Some
48    pre-built, binary &release.type; distributions along this branch
49    can be found at <ulink url="&release.url;"></ulink>.</para>
50
51]]>
52
53<![ %release.type.release [
54
55  <para>This distribution of &os; &release.current; is a
56    &release.type; distribution.  It can be found at <ulink
57    url="&release.url;"></ulink> or any of its mirrors.  More
58    information on obtaining this (or other) &release.type;
59    distributions of &os; can be found in the <ulink
60    url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors.html"><quote>Obtaining
61    FreeBSD</quote> appendix</ulink> to the <ulink
62    url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/">FreeBSD
63    Handbook</ulink>.</para>
64
65]]>
66
67  <para>Users who are new to the &release.branch; series of &os;
68    &release.type;s should also read the <quote>Early Adopters Guide
69    to &os; &release.current;</quote>.  This document can generally be
70    found in the same location as the release notes (either as a part of a
71    &os; distribution or on the &os; Web site).  It contains important
72    information regarding the advantages and disadvantages of using
73    &os; &release.current;, as opposed to releases based on the &os;
74    4-STABLE development branch.</para>
75
76  <para>All users are encouraged to consult the release errata before
77    installing &os;.  The errata document is updated with
78    <quote>late-breaking</quote> information discovered late in the
79    release cycle or after the release.  Typically, it contains
80    information on known bugs, security advisories, and corrections to
81    documentation.  An up-to-date copy of the errata for &os;
82    &release.current; can be found on the &os; Web site.</para>
83
84</sect1>
85
86<sect1 id="new">
87  <title>What's New</title>
88
89  <para>This section describes
90<![ %include.historic; [
91      the most user-visible new or changed features in &os;
92      since &release.prev;.
93      In general, changes described here are unique to the &release.branch;
94      branch unless specifically marked as &merged; features.
95]]>
96<![ %no.include.historic; [
97      many of the user-visible new or changed features in &os;
98      since &release.prev;.  It includes items that are unique to the
99      &release.branch; branch, as well as some features that may have been
100      recently merged to
101      other branches (after &os; &release.prev.historic;).  The latter
102      items are marked as &merged;.
103]]>
104  </para>
105
106  <para>Typical release note items
107    document recent security advisories issued after
108    &release.prev.historic;,
109    new drivers or hardware support, new commands or options,
110    major bug fixes, or contributed software upgrades.  They may also
111    list changes to major ports/packages or release engineering
112    practices.  Clearly the release notes cannot list every single
113    change made to &os; between releases; this document focuses
114    primarily on security advisories, user-visible changes, and major
115    architectural improvements.</para>
116
117  <sect2 id="security">
118    <title>Security Advisories</title>
119
120    <para>A bug in &man.mksnap.ffs.8; has been fixed; it caused the creation of a
121      filesystem snapshot to reset the flags on the filesystem to
122      their default values.  The possible consequences depended on local
123      usage, but could include disabling extended access control lists
124      or enabling the use of setuid executables stored on an untrusted
125      filesystem.  This bug also affected the &man.dump.8;
126      <option>-L</option> option, which uses &man.mksnap.ffs.8;.  Note
127      that &man.mksnap.ffs.8; is normally only available to the
128      superuser and members of the <groupname>operator</groupname>
129      group.  For more information, see security advisory <ulink
130      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:01.mksnap_ffs.asc">FreeBSD-SA-04:01</ulink>.</para>
131
132    <para>A bug with the System V Shared Memory interface
133      (specifically the &man.shmat.2; system call) has been fixed.
134      This bug can cause a shared memory segment to reference
135      unallocated kernel memory.  In turn, this can permit a local
136      attacker to gain unauthorized access to parts of kernel memory,
137      possibly resulting in disclosure of sensitive information,
138      bypass of access control mechanisms, or privilege escalation.
139      More details can be found in security advisory <ulink
140      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:02.shmat.asc">FreeBSD-SA-04:02</ulink>.
141      &merged;</para>
142
143    <para>A programming error in the &man.jail.attach.2; system call
144      has been fixed.  This error could allow a process with superuser
145      privileges inside a &man.jail.8; environment to change its root
146      directory to that of a different jail, and thus gain full read
147      and write access to files and directories within the target
148      jail.  More information can be found in security advisory <ulink
149      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:03.jail.asc">FreeBSD-SA-04:03</ulink>.</para>
150
151    <para>A potential low-bandwidth denial-of-service attack against
152      the &os; TCP stack has been prevented by limiting the number of
153      out-of-sequence TCP segments that can be held at one time.  More
154      details can be found in security advisory <ulink
155      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:04.tcp.asc">FreeBSD-SA-04:04</ulink>.
156      &merged;</para>
157
158    <para>A bug in <application>OpenSSL</application>'s SSL/TLS
159      ChangeCipherSpec message processing that could result in
160      a null pointer dereference has been fixed.
161      This could allow a remote attacker to crash an
162      <application>OpenSSL</application>-using
163      application and cause a denial-of-service on the system.
164      More details can be found in security advisory <ulink
165      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:05.openssl.asc">FreeBSD-SA-04:05</ulink>.
166      &merged;</para>
167
168    <para>A programming error in the handling of some IPv6
169      socket options within the &man.setsockopt.2; system call
170      has been fixed.  This allows a local attacker to cause a
171      system panic, and may allow the attacker to gain unauthorized access to
172      parts of kernel memory, possibly resulting in disclosure
173      of sensitive information, bypass of access control
174      mechanisms, or privilege escalation.
175      More details can be found in security advisory <ulink
176      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:06.ipv6.asc">FreeBSD-SA-04:06</ulink>.</para>
177
178    <para>Two programming errors in <application>CVS</application>
179      have been fixed.  They allow a server to overwrite arbitrary
180      files on the client, and a client to read arbitrary files
181      on the server when accessing remote CVS repositories.
182      More details can be found in security advisory <ulink
183      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:07.cvs.asc">FreeBSD-SA-04:07</ulink>. &merged;</para>
184
185    <para>A bugfix for <application>Heimdal</application> rectifies a
186      problem in which it would not perform adequate checking of
187      authentication across autonomous realms.  For more information,
188      see security advisory <ulink
189      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:08.heimdal.asc">FreeBSD-SA-04:08</ulink>. &merged;</para>
190  </sect2>
191
192  <sect2 id="kernel">
193    <title>Kernel Changes</title>
194
195    <para arch="i386">The &man.acpi.asus.4; driver has been added
196      to use ACPI-controlled hardware features  such as hot keys and
197      LCD on ASUSTek laptops.</para>
198
199    <para arch="i386">The &man.acpi.toshiba.4; driver has been added
200      to use Toshiba's Hardware Control Interface to manipulate
201      certain hardware features on Toshiba laptops.</para>
202
203    <para arch="i386">The &man.acpi.toshiba.4; driver now supports
204      video output switching.</para>
205
206    <para>The &man.acpi.video.4; driver has been added to provide
207      control of display switching and backlight brightness using the
208      ACPI Video Extensions.</para>
209
210    <para arch="i386">The &man.ctau.4; driver has been added for Cronyx Tau
211      synchronous serial adapters. This driver was known for a long time as
212      <quote>ct</quote> in its previous life outside the &os; source tree. &merged;
213
214      <note>
215	<para>The driver name has changed, but the network interface still
216	  has the <quote>ct</quote> name.</para>
217      </note>
218    </para>
219
220    <para arch="i386">The &man.cp.4; driver has been added for Cronyx Tau-PCI
221      synchronous serial adapters.
222    </para>
223
224    <para>&man.devfs.5; path rules now work correctly on
225      directories.</para>
226
227    <para arch="i386,pc98">The dgb (DigiBoard intelligent serial card) driver has been
228      removed due to breakage.  Its replacement is the &man.digi.4; driver,
229      which supports all the hardware of the dgb driver.</para>
230
231    <para>The &man.getvfsent.3; API has been removed.</para>
232
233    <para arch="sparc64">The &man.hme.4; driver now natively supports
234      long frames, so it can be used for &man.vlan.4; with full ethernet
235      MTU size.</para>
236
237    <para>&man.jail.8; now supports use of raw sockets from within a jail.
238      This feature is disabled by default, and controlled using the
239      <varname>security.jail.allow_raw_sockets</varname> sysctl.</para>
240
241    <para arch="i386">The loran (Loran-C receiver) driver has been removed due to
242      breakage and lack of maintainership.</para>
243
244    <para>A bug in &man.mmap.2; that could cause pages marked as <literal>PROT_NONE</literal>
245      to become readable under certain circumstances has been fixed.  &merged;</para>
246
247    <para>The raid(4) RAIDframe disk driver from NetBSD has been removed.
248      It is currently non-functional, and would require some amount of work
249      to make it work under the &man.geom.4; API in 5-CURRENT.</para>
250
251    <para arch="i386,pc98">The sx driver, which supports Specialix I/O8+ and I/O4+
252      intelligent multiport serial controllers, has been added.</para>
253
254    <para arch="alpha,amd64,i386">For the &man.uart.4; device, the
255      <varname>hw.uart.console</varname> and
256      <varname>hw.uart.dbgport</varname> environment variables
257      have been added.  They can be used to select a serial console and
258      debug port respectively, as well as their attributes.</para>
259
260    <para>The &man.ubser.4; device driver has been added to support
261      BWCT console management serial adapters.</para>
262
263    <para>The ULE scheduler is now the default scheduler in the
264      <filename>GENERIC</filename> kernel.  For the average user,
265      interactivity is reported to be better in many cases.  This
266      means less <quote>skipping</quote> and <quote>jerking</quote> in
267      interactive applications while the machine is very busy.  This
268      will not prevent problems due to overloaded disk subsystems, but
269      it does help with overloaded CPUs.  On SMP machines, ULE has
270      per-CPU run queues which allow for CPU affinity, CPU binding,
271      and advanced HyperThreading support, as well as providing a
272      framework for more optimizations in the future.  As fine-grained
273      kernel locking continues, the scheduler will be able to make
274      more efficient use of the available parallel resources.</para>
275
276    <!-- Above this line, sort kernel changes by manpage/keyword-->
277
278    <para>The device driver infrastructure (as well as many drivers)
279      has been updated.  Among the changes: many more drivers now use
280      automatically-assigned major numbers (instead of the old static
281      major numbers); the functions that support cloning of
282      pseudodevices have been enhanced; and the driver API has changed in several ways, including a
283      new <varname>d_version</varname> field in <varname>struct
284      cdevsw</varname>.  Note that third-party device drivers will
285      require recompiling after this change.</para>
286
287    <para>The kernel's file descriptor allocation code has been
288      updated, and is now derived from similar code in OpenBSD.</para>
289
290    <para arch="sparc64">On &os;/sparc64, <varname>time_t</varname>
291      has been changed from a 32-bit value to a 64-bit value.
292
293      <note>
294	<para>Since this change is not backward-compatible,
295	  any programs which were built on an older system using
296	  a 32-bit <varname>time_t</varname> and
297	  call system routines for handling
298	  <varname>time_t</varname> values will have to be recompiled.
299	  More detailed information and notes on upgrading from
300	  source can be found in
301	  <filename>/usr/src/UPDATING.64BTT</filename>.</para>
302      </note>
303    </para>
304
305    <para arch="i386">It is now possible to compile the &os;/i386
306      kernel with the Intel C/C++ Compiler (as in the <filename
307      role="package">lang/icc</filename> port).</para>
308
309    <sect3 id="proc">
310      <title>Platform-Specific Hardware Support</title>
311
312      <para arch="i386">The entropy device &man.random.4; now
313        supports a hardware random number generator (RNG)
314        in the VIA C3 Nehemiah (Stepping 3 and above) CPU.</para>
315
316      <para arch="i386">Several old drivers for ISA cards have been removed,
317	including
318	the asc driver for GI1904-based hand scanners,
319	the ctx driver for CORTEX-I Frame Grabber,
320	the gp driver for National Instruments AT-GPIB and AT-GPIB/TNT boards,
321	the gsc driver for the Genius GS-4500 hand scanner,
322	the le driver for DEC EtherWORKS II and III ethernet controllers,
323	the rdp driver for RealTek RTL 8002-based pocket ethernet adapters,
324	the spigot driver for the Creative Labs Video Spigot video-acquisition board,
325	the stl and stli drivers for Stallion Technologies multiport serial
326	controllers, and the wt driver for Archive/Wangtek cartridge tapes.
327	They are currently non-functional, and would require a considerable
328	amount of work to make them work under the new API in 5-CURRENT.
329	The userland support such as related ioctls and utilities including
330	sasc and sgsc has also been removed.</para>
331    </sect3>
332
333    <sect3 id="boot">
334      <title>Boot Loader Changes</title>
335
336      <para arch="i386">A serial console-capable version of
337	<filename>boot0</filename> has been added.  It can be written
338	to a disk using &man.boot0cfg.8; and specifying
339	<filename>/boot/boot0sio</filename> as the argument to the
340	<option>-b</option> option.</para>
341
342      <para arch="i386"><filename>cdboot</filename> now works around a
343	BIOS problem observed on some systems when booting from USB
344	CDROM drives.</para>
345
346      <!-- Above this line, order boot loader changes by keyword-->
347
348    </sect3>
349
350    <sect3 id="net-if">
351      <title>Network Interface Support</title>
352
353      <para arch="i386">The &man.arl.4; driver, which supports
354	Aironet Arlan 655 wireless adapters, has been added.</para>
355
356      <para arch="sparc64">The &man.dc.4; driver now supports sparc64
357	Davicom cards that store their MAC address in
358	OpenFirmware.</para>
359
360      <para>A short hiccup in the &man.em.4; driver during parameter
361	reconfiguration has been fixed.  &merged;</para>
362
363      <para arch="i386,pc98">The hea (Efficient Networks, Inc. ENI-155p ATM adapter)
364	driver has been removed due to breakage.  Its functionality
365	has been subsumed into the &man.en.4; driver.</para>
366
367      <para arch="i386">The lmc (LAN Media Corp. PCI WAN adapter) driver has been
368	removed due to breakage and lack of maintainership.</para>
369
370      <para arch="i386">&os; now provides a binary compatibility layer
371	for using &microsoft.windows; NDIS drivers for network
372	adapters under &os;/i386.  It includes a relocator/linker for
373	&windows; <filename>.SYS</filename> files to interface with
374	the &os; kernel and emulates various parts of the NDIS API
375	using native &os; kernel functions.  This system supports PCI
376	and CardBus network devices, and is designed principally for
377	Ethernet and wireless network interfaces.
378	For more information, see the &man.ndis.4; and
379	&man.ndiscvt.8; manual pages.</para>
380
381      <para>The &man.ng.atmllc.4; Netgraph node type, which handles
382        RFC 1483 ATM LLC encapsulation, has been added.</para>
383
384      <para>The &man.ng.hub.4; Netgraph node type, which supports
385        a simple packet distribution that acts like an Ethernet hub,
386        has been added.  &merged;</para>
387
388      <para>The &man.ng.sppp.4; Netgraph node type, which is a &man.netgraph.4;
389	interface to the original &man.sppp.4; network module for synchronous
390	lines, has been added.</para>
391
392      <para>The &man.ng.vlan.4; Netgraph node type, which supports
393        IEEE 802.1Q VLAN tagging, has been added.  &merged;</para>
394
395      <para>A bug that prevented VLAN support in the &man.nge.4; driver
396        from working has been fixed.  &merged;</para>
397
398      <para>The &man.pci.4; bus resource and power management have
399	been updated.
400
401	<note>
402	  <para>Although the &man.pci.4; bus power state management
403	    has been enabled, it may cause problems on some systems.
404	    This can be disabled by setting the tunable
405	    <varname>hw.pci.do_powerstate</varname> to 0.</para>
406	</note>
407      </para>
408
409      <para>Several bugs related to &man.polling.4; support
410        in the &man.rl.4; driver have been fixed.  &merged;</para>
411
412      <para>Several bugs related to multicast and promiscuous mode
413	handling in the &man.sk.4; driver have been fixed.</para>
414
415      <para>The &man.ste.4; driver now supports &man.polling.4;.
416        &merged;</para>
417
418      <para>The &man.udav.4; driver has been added.  It provides
419	support for USB Ethernet adapters based on the Davicom DM9601
420	chipset.</para>
421
422      <para>The &man.vr.4; driver now supports &man.polling.4;.  &merged;</para>
423
424      <para>The hardware TX checksum support in the &man.xl.4; driver
425	has been disabled as it does not work correctly and slows down
426	the transmission rate.  &merged;</para>
427
428      <para>The per-interface &man.polling.4; support has been
429	implemented.  All of the network drivers that support &man.polling.4;
430	(&man.dc.4;, &man.fxp.4;, &man.em.4;, &man.nge.4;, &man.re.4;,
431	&man.rl.4;, &man.sis.4;, &man.ste.4;, and &man.vr.4;)
432	now also support this capability and it can be controlled
433	via &man.ifconfig.8;.  &merged;</para>
434    </sect3>
435
436    <sect3 id="net-proto">
437      <title>Network Protocols</title>
438
439      <para>The <literal>DA_OLD_QUIRKS</literal> kernel option,
440	which is for the CAM SCSI disk driver (&man.cam.4;),
441	has been removed.  &merged;</para>
442
443      <para>The &man.gre.4; tunnel driver now supports WCCP version
444	2.</para>
445
446      <para>&man.ipfw.4; rules now support the <literal>versrcreach</literal>
447        option to verify that a valid route to the source address
448	of a packet exists in the routing table.
449	This option is very useful for routers with a complete view of
450	the Internet (BGP) in the routing table to reject packets with
451	spoofed or unroutable source addresses.  For example,
452
453	<programlisting>deny ip from any to any not versrcreach</programlisting>
454
455	is equivalent to the following in Cisco IOS syntax:
456
457	<programlisting>ip verify unicast source reachable-via any</programlisting>
458      </para>
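
      <para>The check that <literal>versrcreach</literal> performs on an incoming packet, modelled in Python as an added example (not code from &os;).  It assumes the matching rule documented in &man.ipfw.8;: a route to the source must exist and must not be the default route or a blackhole/reject route.  The routing table, gateways and packets are constructed sample data.</para>

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    blackhole: bool = False  # stands in for blackhole/reject routes


def make_table(entries):
    """Build a routing table from (prefix, gateway, blackhole) tuples."""
    return [Route(ipaddress.ip_network(p), gw, bh) for p, gw, bh in entries]


def lookup(table, addr):
    """Longest-prefix match, as a kernel routing lookup would do."""
    ip = ipaddress.ip_address(addr)
    best = None
    for route in table:
        if ip in route.prefix and (
            best is None or route.prefix.prefixlen > best.prefix.prefixlen
        ):
            best = route
    return best


def versrcreach(table, src):
    """True when the source address is reachable in the sense of versrcreach.

    Assumed semantics (from ipfw(8)): a route to the source exists and it is
    neither the default route nor a blackhole/reject route. Only the incoming
    direction is modelled here.
    """
    route = lookup(table, src)
    if route is None:
        return False                    # no route at all
    if route.prefix.prefixlen == 0:
        return False                    # only the default route covers it
    if route.blackhole:
        return False                    # explicitly null-routed prefix
    return True


def filter_packets(table, packets):
    """Apply `deny ip from any to any not versrcreach`, then allow the rest."""
    verdicts = []
    for src, dst in packets:
        action = "allow" if versrcreach(table, src) else "deny"
        verdicts.append((src, dst, action))
    return verdicts


# Constructed sample data: documentation prefixes plus a null-routed block.
TABLE = make_table([
    ("198.51.100.0/24", "192.0.2.1", False),
    ("203.0.113.0/24", "192.0.2.2", False),
    ("10.0.0.0/8", "lo0", True),          # blackhole route
    ("0.0.0.0/0", "192.0.2.254", False),  # default route
])

PACKETS = [
    ("198.51.100.7", "192.0.2.80"),  # specific route exists
    ("10.1.2.3", "192.0.2.80"),      # best match is the blackhole route
    ("172.16.5.5", "192.0.2.80"),    # covered by the default route only
    ("203.0.113.9", "192.0.2.80"),   # specific route exists
]

if __name__ == "__main__":
    for src, dst, action in filter_packets(TABLE, PACKETS):
        print(f"{action:5}  {src} -> {dst}")
```

      <para>The third packet shows why the option suits routers that carry a full table: a host that reaches everything through a default route would reject nearly all traffic under the same rule.</para>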
459
460      <para>Some bugs in the IPsec implementation from the KAME
461	Project have been fixed.  These bugs were related to freeing
462	memory objects before all references to them were removed, and
463	could cause erratic behavior or kernel panics after flushing
464	the Security Policy Database (SPD).</para>
465
466      <para>The <literal>PFIL_HOOKS</literal> option is now enabled by
467	default in the <filename>GENERIC</filename> kernel.  The most
468	notable effect of this change is to make
469	<application>IPFilter</application> work correctly when loaded
470	as a kernel module.</para>
471
472      <para>The following TCP features are now enabled by default: RFC
473	3042 (Limited Retransmit), RFC 3390 (increased initial
474	congestion window sizes), TCP bandwidth-delay product
475	limiting.  More information can be found in &man.tcp.4;.</para>
476
477      <para>&os;'s TCP implementation now includes support for a
478	minimum MSS (settable via the
479	<varname>net.inet.tcp.minmss</varname> sysctl variable) and a
480	rate limit on connections that send many small TCP segments
481	within a short period of time (via the
482	<varname>net.inet.tcp.minmssoverload</varname> sysctl
483	variable).  Connections exceeding this limit may be reset and
484	dropped.  This feature provides protection against a class of
485	resource exhaustion attacks.</para>
486
487      <para>The TCP implementation now includes partial (output-only)
488	support for RFC 2385 (TCP-MD5) digests.  This feature,
489	enabled with the <literal>TCP_SIGNATURE</literal> and
490	<literal>FAST_IPSEC</literal> kernel options, is a TCP option
491	for authenticating TCP sessions.  &man.setkey.8; now includes
492	support for the TCP-MD5 class of security associations.
493	&merged;</para>
494
495      <para>The TCP connection reset handling has been improved to
496        make several reset attacks as difficult as possible while
497	maintaining compatibility with the widest range of TCP stacks.</para>
498
499      <para>The implementation of RFC 1948 has been improved.
500	The time offset component of an ISN now includes random positive
501	increments between clock ticks so that ISNs will always
502	be increasing, no matter how quickly the port is recycled.</para>
503
504      <para>Random ephemeral port allocation, which comes from OpenBSD,
505	has been implemented.  This is enabled by default and can be disabled
506	using the <varname>net.inet.ip.portrange.randomized</varname>
507	sysctl.  &merged;</para>
508    </sect3>
509
510    <sect3 id="disks">
511      <title>Disks and Storage</title>
512
513      <para>The &man.ata.4; driver now supports cardbus ATA/SATA
514        controllers.</para>
515
516      <para>A number of bugs in the &man.ata.4; driver have been
517	fixed.  Most notably, master/slave device detection should
518	work better, and some problems with timeouts should be
519	resolved.</para>
520
521      <para>The &man.ata.4; driver now supports the Promise command
522	sequencer present on all modern Promise controllers
523	(PDC203** PDC206**).
524
525	<note>
526	  <para>This also adds preliminary support for the
527	    Promise SX4/SX4000 as a <quote>normal</quote> Promise ATA
528	    controller; ATA RAIDs are supported, though
529	    only RAID0, RAID1 and RAID0+1.</para>
530	</note>
531      </para>
532
533      <para arch="pc98">A bug in the automatic density selection code
534	in the &man.fd.4; driver has been fixed.</para>
535
536      <para>The &man.ips.4; driver now supports the recent
537	Adaptec ServeRAID series SCSI controller cards.</para>
538
539      <para arch="sparc64">A bug in the &man.isp.4; driver
540        that prevented the cards on SBus from working correctly
541	has been fixed.</para>
542
543      <para arch="i386">The &man.twa.4; driver, which supports
544	3ware's 9000 series PATA/SATA RAID controllers, has been added.  &merged;</para>
545
546      <para>The &man.umass.4; driver now supports the missing
547	ATAPI MMC commands and handles the timeout properly.  &merged;</para>
548    </sect3>
549
550    <sect3 id="fs">
551      <title>File Systems</title>
552
553      <para>The EXT2FS file system code now includes partial support
554	for large (&gt; 4GB) files.  This support is partial in that
555	it will refuse to create large files on filesystems that have
556	not been upgraded to <literal>EXT2_DYN_REV</literal> or that
557	do not have the
558	<literal>EXT2_FEATURE_RO_COMPAT_LARGE_FILE</literal> flag set
559	in the superblock.</para>
560
561      <para>A bug in GEOM that could result in I/O hangs in some rare
562	cases has been fixed.</para>
563
564      <para>A new geom_concat class has been added to concatenate
565        multiple disks to appear as a single larger disk.  The
566        &man.gconcat.8; utility is used for configuring concatenated
567        disks.</para>
568
569      <para>A panic in the NFSv4 client has been fixed; this occurred
570	when attempting operations against an NFSv3/NFSv2-only
571	server.</para>
572
573      <para>The SMBFS client now has support for SMB request signing,
574	which prevents <quote>man in the middle</quote> attacks and is
575	required in order to connect to Windows 2003 servers in their
576	default configuration.  As signing each message imposes a
577	significant performance penalty, this feature is only enabled
578	if the server requires it; this may eventually become an
579	option to &man.mount.smbfs.8;.</para>
580    </sect3>
581
582    <sect3 id="mm">
583      <title>Multimedia Support</title>
584
585      <para>The meteor (video capture) driver has been removed due to
586	breakage and lack of maintainership.</para>
587
588    </sect3>
589
590  </sect2>
591
592  <sect2 id="userland">
593    <title>Userland Changes</title>
594
595    <para>&man.bsdlabel.8; now supports a <option>-f</option> option
596      to work on files instead of disk partitions.</para>
597
598    <para>The <command>bthidcontrol</command> command and the
599      <command>bthidd</command> command, which support Bluetooth
600      HID (Human Interface Device), have been added.</para>
601
602    <para>The &man.cron.8; daemon now accepts two new options,
603      <option>-j</option> and <option>-J</option>, to enable
604      time jitter for jobs to run as unprivileged users and the
605      superuser, respectively.  Time jitter means that &man.cron.8;
606      will sleep for a small random period of time in the specified
607      range before executing a job.  This feature is intended to
608      smooth load peaks appearing when a lot of jobs are scheduled
609      for a particular moment.</para>
610
611    <para>&man.df.1; now supports a <option>-c</option> option to display
612      a grand total of statistics for file systems.</para>
613
614    <para>The <command>doscmd</command> utility has been
615      removed from the &os; base system, and is available
616      in the &os; Ports Collection instead.</para>
617
618    <para>&man.dump.8; and &man.restore.8; now support
619      a <option>-P</option> option to specify backup methods
620      other than files and tapes.  The argument is passed to
621      a normal &man.sh.1; pipeline with either
622      <varname>$DUMP_VOLUME</varname> or <varname>$RESTORE_VOLUME</varname>
623      defined in the environment, respectively.
624      For more information, see &man.dump.8; and &man.restore.8;.</para>
625
626    <para arch="pc98">The &man.fdcontrol.8;, &man.fdformat.1;, and
627      &man.fdread.1; utilities now work on &os;/pc98.</para>
628
629    <para>The &man.find.1; utility now supports a <option>-acl</option>
630      primary to locate files with &man.acl.3;.</para>
631
632    <para>&man.indent.1; now supports a <option>-ldi</option> option
633      to control indentation of local variables.  A number of other
634      tunings were made to this utility.</para>
635
636    <para>&man.ifconfig.8; now supports renaming of network interfaces
637      at run-time using the <option>name</option> parameter.</para>
638
639    <para>&man.ifconfig.8; now prints the &man.polling.4; status
640      on the interface.  &merged;</para>
641
642    <para>&man.ip6fw.8; now supports a <option>-n</option> flag to
643      stop it from making any changes to the rules in the kernel.</para>
644
645    <para>&man.ipcs.1; now supports a <option>-u</option> option to
646      display information about IPC mechanisms owned by the specified
647      user.</para>
648
649    <para>&man.ipfw.8; now supports a <option>-b</option> flag to
650      print only the action and comment for each rule, thus omitting
651      the rule body.</para>
652
653    <para>&man.killall.1; now supports a <option>-e</option> flag to
654      make the <option>-u</option> option operate on effective, rather than
655      real, user IDs. &merged;</para>
656
657    <para>&man.libalias.3; now has support (and a new API) for
658      multiple aliasing instances in a single process.  The existing
659      API has been reimplemented in terms of the new one to preserve
660      compatibility.</para>
661
662    <para>A <filename>libarchive</filename> library for manipulation
663      of compressed and uncompressed archive files has been
664      added.  More details can be found in &man.libarchive.3;.</para>
665
666    <para arch="pc98"><filename>libdisk</filename> now uses the
667      correct PC98 disk partition value for &os;.  This permits the
668      &man.sysinstall.8; disk partition editor to correctly create a
669      single &os; partition covering the entire disk. &merged;</para>
670
671    <para><filename>libdisk</filename> now uses
672      <varname>d_addr_t</varname> for disk addresses.
673      This allows &man.sysinstall.8; to properly handle disks
674      and filesystems larger than 1 TB.</para>
675
676    <para arch="i386,pc98,amd64,ia64">The library formerly known as
677      <filename>libkse</filename> has been renamed
678      <filename>libpthread</filename> and is now the default threading
679      library on the i386, amd64, and ia64 platforms.
680      <application>GCC</application>'s <option>-pthread</option>
681      option has been changed to use <filename>libpthread</filename>
682      rather than <filename>libc_r</filename>.
683
684      <note>
685	<para>Users with older binaries (for example, ports compiled
686	  before this change was made) should use &man.libmap.conf.5;
687	  to map <filename>libc_r</filename> and/or
688	  <filename>libkse</filename> to
689	  <filename>libpthread</filename>.</para>
690      </note>
691
692      <note>
693	<para>Users with NVIDIA-supplied drivers and libraries may
694	  need to use a &man.libmap.conf.5; that maps
695	  <filename>libpthread</filename> references to the older
696	  <filename>libc_r</filename> since these drivers and
697	  utilities do not work with
698	  <filename>libpthread</filename>.</para>
699      </note>
700    </para>
701
702    <para>&man.make.1; now supports the new <literal>.warning</literal>
703      directive.</para>
704
705    <para>Initial support for UTF-8 versions of all the currently
706      supported system locales has been added.  This is primarily
707      for the benefit of the <filename role="package">misc/utf8locale</filename>
708      port.</para>
709
710    <para>An Israel Hebrew locale <literal>he_IL.UTF-8</literal>
711      has been added.</para>
712
713    <para>The &man.logins.1; utility has been added to display
714      information about user and system accounts.</para>
715
716    <para>&man.mountd.8; now supports the <option>-p</option> option,
717       which allows users to specify a known port for use
718       in firewall rulesets.</para>
719
720    <para>&man.netstat.1; now displays the multicast group
721      memberships present in the system.</para>
722
723    <para>&man.newfs.8; and &man.mdmfs.8; now support a
724      <option>-l</option> flag to enable them to set the MAC
725      multilabel flag on new filesystems without requiring the use of
726      &man.tunefs.8;.</para>
727
728    <para>&man.nologin.8; now reports login attempts via
729       &man.syslogd.8;.</para>
730
731    <para>&man.nologin.8; has been moved from <filename>/sbin/nologin</filename>
732       to <filename>/usr/sbin/nologin</filename>, and
733       <filename>/sbin/nologin</filename> remains as a symbolic link
734       for backward compatibility.</para>
735
736    <para>A bugfix has been applied to NSS support, which fixes
737      problems when using third-party NSS modules (such as <filename
738      role="package">net/nss_ldap</filename>) and groups with large
739      membership lists.</para>
740
741    <para>The &man.pgrep.1; and &man.pkill.1; commands, which come from NetBSD,
742      have been added.  They also support a <option>-M</option> option
743      to extract values associated with the name list from the
744      specified core instead of the default <filename>/dev/kmem</filename>,
745      and a <option>-N</option> option to extract the name list from
746      the specified system instead of the default kernel.</para>
747
748    <para>&man.ps.1; compatibility with POSIX/SUSv3 has been improved.
749      The changes include <option>-p</option> for a list of process IDs,
750      <option>-t</option> for a list of terminal names,
751      <option>-A</option> which is equivalent to <option>-ax</option>,
752      <option>-G</option> for a list of group IDs,
753      <option>-X</option> which is the opposite of <option>-x</option>,
754      and some minor improvements.  For more information, see &man.ps.1;.
755      &merged;</para>
756
757    <para>&man.pw.8; now supports a <option>-H</option> option, which
758      accepts an encrypted password on a file descriptor. &merged;</para>
759
760    <para>A bug in &man.rarpd.8; that prevented it from working properly
761      when an interface has more than one IP address has been fixed.
762      &merged;</para>
763
764    <para>The configuration files used by the &man.resolver.3; now
765      support the <literal>timeout:</literal> and
766      <literal>attempts:</literal> keywords.</para>
767
768    <para>The &man.resolver.3; and associated interfaces are now much
769      more reentrant and thread-safe.  Multiple DNS lookups can now be
770      run at the same time, showing major improvements in the
771      performance of some multi-threaded applications.  Some
772      multi-threaded programs need to be recompiled; examples from the
773      Ports Collection are <filename
774      role="package">www/mozilla</filename> and variants, <filename
775      role="package">mail/evolution</filename>, <filename
776      role="package">devel/gnomevfs</filename>, and <filename
777      role="package">devel/gnomevfs2</filename>.</para>
778
779    <para>&man.rmdir.1; now supports a <option>-v</option> flag,
780      which makes it verbose.</para>
781
782    <para>&man.savecore.8; now works correctly for dump files larger
783      than 2GB.</para>
784
785    <para>A bug in &man.script.1; has been fixed so that it now works
786      correctly if its stdin is closed.  This fix prevents a
787      potentially dangerous interaction with the <filename
788      role="package">sysutils/portupgrade</filename> package; if it was
789      run non-interactively, it could remove all out-of-date
790      ports without reinstalling them.</para>
791
792    <para>The &man.sdpd.8; Bluetooth Service Discovery Protocol daemon
793      has been added.</para>
794
795    <para>Many userland utilities in the base system (mostly GNU
796      contributed utilities) now use the system version of
797      &man.getopt.long.3;, rather than the GNU version.</para>
798
799    <sect3 id="rc-scripts">
800      <title><filename>/etc/rc.d</filename> Scripts</title>
801
802      <para>The <filename>diskless</filename> script has been
803	split out into <filename>hostname</filename>,
804        <filename>resolve</filename>, <filename>tmp</filename>, and
805        <filename>var</filename> scripts.</para>
806
807      <para>The <filename>gbde_swap</filename> script, which supports
808	gbde-enabled swap devices, has been added.
809	When the <varname>gbde_swap_enable</varname> variable is specified
810	in &man.rc.conf.5;, a swap device named
811	<filename>/dev/<replaceable>foo.bde</replaceable></filename>
812	in &man.fstab.5;
813	is automatically attached at boot time with the device
814	<filename>/dev/<replaceable>foo</replaceable></filename>
815	and a random key, which is
816	generated by computing the MD5 checksum of 512 bytes read
817	from <filename>/dev/random</filename>.
818	Note that this prevents recovery of kernel dumps.</para>
819
820      <para>The <filename>mixer</filename> script has been added.
821	It saves the current settings of all audio mixers present
822	in the system on shutdown and restores the settings on boot.</para>
823
824      <para>The <filename>pf</filename> and <filename>pflog</filename>
825        scripts for &man.pf.4; have been added.</para>
826    </sect3>
827  </sect2>
828
829  <sect2 id="contrib">
830    <title>Contributed Software</title>
831
832    <para>The <application>ACPI-CA</application> code has been updated
833      from the 20030619 snapshot to the 20040402 snapshot.</para>
834
835    <para><application>awk</application> from Bell Labs has been
836      updated from the 29 July 2003 release to the 7 February 2004
837      release.</para>
838
839    <para><application>CVS</application> has been updated from
840      version 1.11.10 to version 1.11.15.</para>
841
842    <para><application>gdtoa</application> (a library that performs
843      conversions of numbers between binary and decimal form) has been
844      updated from version 20030324 to version 20040118.</para>
845
846    <para><application>GNU grep</application> has been updated from
847      2.4d to 2.4.2.</para>
848
849    <para><application>less</application> has been updated from
850      version 371 to version 381.</para>
851
852    <para><application>GNU readline</application> 4.3 has been updated
853      with official patches 001 through 005.</para>
854
855    <para>The <application>GNU regex</application> library has been
856      updated to the version included with <application>GNU
857      grep</application> 2.4.2.</para>
858
859    <para>The <application>GNU tar</application> implementation in the
860      base system is now called <filename>gtar</filename>, with
861      <filename>tar</filename> being a link to
862      <filename>gtar</filename>.</para>
863
864    <para><application>Heimdal Kerberos</application> has been
865       updated from 0.6 to 0.6.1.</para>
866
867    <para><application>libpcap</application> has been updated from
868      version 0.7.1 to version 0.8.3.</para>
869
870    <para><application>lukemftp</application>
871      has been updated from a snapshot as of
872      November 3, 2003 to one as of April 26, 2004.</para>
873
874    <para><application>OpenPAM</application> has been updated from the
875      Dogwood release to the Eelgrass release.</para>
876
877    <para><application>OpenSSH</application> has been updated from
878      3.6.1p1 to 3.8.1p1.
879
880      <note>
881	<para>The configuration defaults for &man.sshd.8; have been
882	  changed.  SSH protocol version 1 is no longer enabled by
883	  default.  In addition, password authentication over SSH is
884	  disabled by default if PAM is enabled.</para>
885      </note>
886
887      </para>
888
889    <para><application>OpenSSL</application> has been updated from
890      0.9.7c to 0.9.7d.  &merged;</para>
891
892    <para><application>pf</application>, OpenBSD's packet filter as of
893      OpenBSD 3.4, has been imported into the &os; source tree and is now installed
894      by default.  A new user <username>proxy</username>, and two new
895      groups <username>authpf</username> and <username>proxy</username>,
896      which <application>pf</application> needs, are added as well.
897
898      <note>
899	<para>On upgrading from the source, these user accounts must be
900	  added in advance.  The <varname>NO_PF</varname> variable
901	  in <filename>make.conf</filename> can be used to prevent
902	  <application>pf</application> from building.</para>
903      </note>
904    </para>
905    <para>Several userland utilities of OpenBSD's
906      <application>pf</application> have been imported.
907      <filename>libexec/ftp-proxy</filename> is an ftp proxy for
908      <application>pf</application>,
909      <filename>sbin/pfctl</filename> is an equivalent to
910      <filename>sbin/ipf</filename>,
911      <filename>sbin/pflogd</filename>
912      is a daemon logging packets via <literal>if_pflog</literal>
913      in pcap format, and
914      <filename>usr.sbin/authpf</filename> is an authentication shell
915      to modify pf rulesets.</para>
916
917    <para><application>routed</application> has been updated from
918      release 2.22 to release 2.27 from rhyolite.com.  Note that for
919      users relying on RIP's MD5 authentication feature,
920      &man.routed.8; is now incompatible with previous versions
921      of &os;; however it is now compatible with implementations from
922      Sun, Cisco and other vendors.</para>
923
924    <para><application>sendmail</application> has been updated from
925      version 8.12.10 to version 8.12.11. &merged;</para>
926
927    <para><application>tcpdump</application> has been updated from
928      version 3.7.1 to version 3.8.3.</para>
929  </sect2>
930
931  <sect2 id="ports">
932    <title>Ports/Packages Collection Infrastructure</title>
933
934    <para>The <literal>SIZE</literal> attribute for distfiles,
935      which can be used for checking file sizes before fetching,
936      has been added and enabled by default.
937      <varname>DISABLE_SIZE</varname> is a user control knob
938      to disable the distfile size checking.  This is especially
939      useful on old &os; versions which did not have &man.fetch.1;
940      support for this, and for some FTP proxies which always
941      report incorrect or bogus sizes.</para>
942
943    <para>Two new files have been added to the ports tree to track
944      noteworthy changes:  <filename>ports/CHANGES</filename> lists
945      major changes to the Ports Collection and its infrastructure.
946      <filename>ports/UPDATING</filename> describes some potential
947      pitfalls that can be encountered when updating certain ports,
948      analogous to <filename>src/UPDATING</filename> for the base
949      system.</para>
950
951  </sect2>
952
953  <sect2 id="releng">
954    <title>Release Engineering and Integration</title>
955
956    <para arch="i386,pc98">The building process for boot floppy images
957      has been completely overhauled.  The most significant change is
958      that the loader now boots a stock <filename>GENERIC</filename>
959      kernel split across multiple disks (two at the time of this
960      writing).  This greatly improves installations that begin with a
961      boot from floppy disk, because they now use exactly the same
962      kernel (and thus support the same hardware) as CDROM
963      installations.  The stripped-down <filename>MFSROOT</filename>
964      kernel is no longer needed, and the <filename>mfsroot</filename>
965      image no longer requires kernel modules.  The
966      <filename>boot.flp</filename> and
967      <filename>driver.flp</filename> images are also obsolete and no
968      longer built.</para>
969
970    <para>The supported release of <application>GNOME</application>
971      has been updated from 2.4 to 2.6.
972
973      <note>
974	<para>If you are using the older <application>GNOME</application>
975	  desktop itself (<filename role="package">x11/gnome2</filename>), simply upgrading it from the &os; Ports Collection
976	  with
977	  &man.portupgrade.1;
978	  (<filename role="package">sysutils/portupgrade</filename>)
979	  will cause serious problems.
980	  If you are a <application>GNOME</application> desktop user,
981	  please read the instructions carefully at
982	  <ulink url="http://www.FreeBSD.org/gnome/docs/faq26.html"></ulink>,
983	  and use the <filename>gnome_upgrade.sh</filename> script to
984	  properly upgrade to <application>GNOME</application> 2.6.</para>
985
986	<para>Note that if you are just a casual user of some of the
987	  <application>GNOME</application> libraries,
988	  &man.portupgrade.1; should be sufficient
989	  to update your ports.</para>
990      </note>
991    </para>
992
993    <para>The supported release of <application>KDE</application>
994      has been updated from 3.1.4 to 3.2.1.</para>
995  </sect2>
996
997  <sect2 id="doc">
998    <title>Documentation</title>
999
1000    <para></para>
1001
1002  </sect2>
1003
1004</sect1>
1005
1006<sect1 id="upgrade">
1007  <title>Upgrading from previous releases of &os;</title>
1008
1009  <para>Users with existing &os; systems are
1010    <emphasis>highly</emphasis> encouraged to read the <quote>Early
1011    Adopter's Guide to &os; &release.current;</quote>.  This document generally has
1012    the filename <filename>EARLY.TXT</filename> on the distribution
1013    media, or any other place that the release notes can be found.  It
1014    offers some notes on upgrading, but more importantly, also
1015    discusses some of the relative merits of upgrading to &os;
1016    5.<replaceable>X</replaceable> versus running &os;
1017    4.<replaceable>X</replaceable>.</para>
1018
1019  <important>
1020    <para>Upgrading &os; should, of course, only be attempted after
1021      backing up <emphasis>all</emphasis> data and configuration
1022      files.</para>
1023  </important>
1024</sect1>
1025