article.xml revision 129380
<articleinfo>
  <title>&os;/&arch; &release.current; Release Notes</title>

  <corpauthor>The FreeBSD Project</corpauthor>

  <pubdate>$FreeBSD: head/release/doc/en_US.ISO8859-1/relnotes/article.sgml 129380 2004-05-18 07:38:46Z rik $</pubdate>

  <copyright>
    <year>2000</year>
    <year>2001</year>
    <year>2002</year>
    <year>2003</year>
    <year>2004</year>
    <holder role="mailto:doc@FreeBSD.org">The FreeBSD Documentation Project</holder>
  </copyright>

  <abstract>
    <para>The release notes for &os; &release.current; contain a summary
      of
<![ %include.historic; [
      the changes made to the &os; base system since &release.prev;.
]]>
<![ %no.include.historic; [
      recent changes made to the &os; base system on the &release.branch;
      development branch.
]]>
      This document lists applicable security advisories that were issued since
      the last release, as well as significant changes to the &os;
      kernel and userland.
      Some brief remarks on upgrading are also presented.</para>
  </abstract>
</articleinfo>

<sect1 id="intro">
  <title>Introduction</title>

  <para>This document contains the release notes for &os;
    &release.current; on the &arch.print; hardware platform. It
    describes recently added, changed, or deleted features of &os;.
    It also provides some notes on upgrading
    from previous versions of &os;.</para>

<![ %release.type.snapshot [

  <para>The &release.type; distribution to which these release notes
    apply represents a point along the &release.branch; development
    branch between &release.prev; and the future &release.next;. Some
    pre-built, binary &release.type; distributions along this branch
    can be found at <ulink url="&release.url;"></ulink>.</para>

]]>

<![ %release.type.release [

  <para>This distribution of &os; &release.current; is a
    &release.type; distribution. It can be found at <ulink
    url="&release.url;"></ulink> or any of its mirrors.
    More information on obtaining this (or other) &release.type;
    distributions of &os; can be found in the <ulink
    url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors.html"><quote>Obtaining
    FreeBSD</quote> appendix</ulink> to the <ulink
    url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/">FreeBSD
    Handbook</ulink>.</para>

]]>

  <para>Users who are new to the &release.branch; series of &os;
    &release.type;s should also read the <quote>Early Adopters Guide
    to &os; &release.current;</quote>. This document can generally be
    found in the same location as the release notes (either as a part of a
    &os; distribution or on the &os; Web site). It contains important
    information regarding the advantages and disadvantages of using
    &os; &release.current;, as opposed to releases based on the &os;
    4-STABLE development branch.</para>

  <para>All users are encouraged to consult the release errata before
    installing &os;. The errata document is updated with
    <quote>late-breaking</quote> information discovered late in the
    release cycle or after the release. Typically, it contains
    information on known bugs, security advisories, and corrections to
    documentation. An up-to-date copy of the errata for &os;
    &release.current; can be found on the &os; Web site.</para>

</sect1>

<sect1 id="new">
  <title>What's New</title>

  <para>This section describes
<![ %include.historic; [
    the most user-visible new or changed features in &os;
    since &release.prev;.
    In general, changes described here are unique to the &release.branch;
    branch unless specifically marked as &merged; features.
]]>
<![ %no.include.historic; [
    many of the user-visible new or changed features in &os;
    since &release.prev;.
    It includes items that are unique to the
    &release.branch; branch, as well as some features that may have been
    recently merged to
    other branches (after &os; &release.prev.historic;). The latter
    items are marked as &merged;.
]]>
  </para>

  <para>Typical release note items
    document recent security advisories issued after
    &release.prev.historic;,
    new drivers or hardware support, new commands or options,
    major bug fixes, or contributed software upgrades. They may also
    list changes to major ports/packages or release engineering
    practices. Clearly the release notes cannot list every single
    change made to &os; between releases; this document focuses
    primarily on security advisories, user-visible changes, and major
    architectural improvements.</para>

  <sect2 id="security">
    <title>Security Advisories</title>

    <para>A bug in &man.mksnap.ffs.8; has been fixed; it caused the creation of a
      filesystem snapshot to reset the flags on the filesystem to
      their default values. The possible consequences depended on local
      usage, but could include disabling extended access control lists
      or enabling the use of setuid executables stored on an untrusted
      filesystem. This bug also affected the &man.dump.8;
      <option>-L</option> option, which uses &man.mksnap.ffs.8;. Note
      that &man.mksnap.ffs.8; is normally only available to the
      superuser and members of the <groupname>operator</groupname>
      group. For more information, see security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:01.mksnap_ffs.asc">FreeBSD-SA-04:01</ulink>.</para>

    <para>A bug with the System V Shared Memory interface
      (specifically the &man.shmat.2; system call) has been fixed.
      This bug can cause a shared memory segment to reference
      unallocated kernel memory.
      In turn, this can permit a local
      attacker to gain unauthorized access to parts of kernel memory,
      possibly resulting in disclosure of sensitive information,
      bypass of access control mechanisms, or privilege escalation.
      More details can be found in security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:02.shmat.asc">FreeBSD-SA-04:02</ulink>.
      &merged;</para>

    <para>A programming error in the &man.jail.attach.2; system call
      has been fixed. This error could allow a process with superuser
      privileges inside a &man.jail.8; environment to change its root
      directory to that of a different jail, and thus gain full read
      and write access to files and directories within the target
      jail. More information can be found in security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:03.jail.asc">FreeBSD-SA-04:03</ulink>.</para>

    <para>A potential low-bandwidth denial-of-service attack against
      the &os; TCP stack has been prevented by limiting the number of
      out-of-sequence TCP segments that can be held at one time. More
      details can be found in security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:04.tcp.asc">FreeBSD-SA-04:04</ulink>.
      &merged;</para>

    <para>A bug in <application>OpenSSL</application>'s SSL/TLS
      ChangeCipherSpec message processing, which could result in
      a null pointer dereference, has been fixed.
      This could allow a remote attacker to crash an
      <application>OpenSSL</application>-using
      application and cause a denial-of-service on the system.
      More details can be found in security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:05.openssl.asc">FreeBSD-SA-04:05</ulink>.
      &merged;</para>

    <para>A programming error in the handling of some IPv6
      socket options within the &man.setsockopt.2; system call
      has been fixed. This error allows a local attacker to cause a
      system panic, and may allow the attacker to gain unauthorized access to
      parts of kernel memory, possibly resulting in disclosure
      of sensitive information, bypass of access control
      mechanisms, or privilege escalation.
      More details can be found in security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:06.ipv6.asc">FreeBSD-SA-04:06</ulink>.</para>

    <para>Two programming errors in <application>CVS</application>
      have been fixed. They allow a server to overwrite arbitrary
      files on the client, and a client to read arbitrary files
      on the server when accessing remote CVS repositories.
      More details can be found in security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:07.cvs.asc">FreeBSD-SA-04:07</ulink>. &merged;</para>

    <para>A bugfix for <application>Heimdal</application> rectifies a
      problem in which it would not perform adequate checking of
      authentication across autonomous realms. For more information,
      see security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:08.heimdal.asc">FreeBSD-SA-04:08</ulink>.
      &merged;</para>
  </sect2>

  <sect2 id="kernel">
    <title>Kernel Changes</title>

    <para arch="i386">The &man.acpi.asus.4; driver has been added
      to use ACPI-controlled hardware features such as hot keys and
      LCD on ASUSTek laptops.</para>

    <para arch="i386">The &man.acpi.toshiba.4; driver has been added
      to use Toshiba's Hardware Control Interface to manipulate
      certain hardware features on Toshiba laptops.</para>

    <para arch="i386">The &man.acpi.toshiba.4; driver now supports
      video output switching.</para>

    <para>The &man.acpi.video.4; driver has been added to
      control display switching and backlight brightness using the
      ACPI Video Extensions.</para>

    <para arch="i386">The &man.ctau.4; driver has been added for Cronyx Tau
      synchronous serial adapters. This driver was known for a long time as
      <quote>ct</quote> in its previous life outside the &os; source tree. &merged;

      <note>
        <para>The driver name has changed, but the network interface still
          has the <quote>ct</quote> name.</para>
      </note>
    </para>

    <para arch="i386">The &man.cp.4; driver has been added for Cronyx Tau-PCI
      synchronous serial adapters.
    </para>

    <para>&man.devfs.5; path rules now work correctly on
      directories.</para>

    <para arch="i386,pc98">The dgb (DigiBoard intelligent serial card) driver has been
      removed due to breakage. Its replacement is the &man.digi.4; driver,
      which supports all the hardware of the dgb driver.</para>

    <para>The &man.getvfsent.3; API has been removed.</para>

    <para arch="sparc64">The &man.hme.4; driver now natively supports
      long frames, so it can be used for &man.vlan.4; with full Ethernet
      MTU size.</para>

    <para>&man.jail.8; now supports use of raw sockets from within a jail.
      This feature is disabled by default, and controlled using the
      <varname>security.jail.allow_raw_sockets</varname> sysctl.</para>

    <para arch="i386">The loran (Loran-C receiver) driver has been removed due to
      breakage and lack of maintainership.</para>

    <para>A bug in &man.mmap.2; that could allow pages marked as
      <literal>PROT_NONE</literal> to become readable under certain
      circumstances has been fixed. &merged;</para>

    <para>The raid(4) RAIDframe disk driver from NetBSD has been removed.
      This is currently non-functional, and would require some amount of work
      to make it work under the &man.geom.4; API in 5-CURRENT.</para>

    <para arch="i386,pc98">The sx driver, which supports Specialix I/O8+ and I/O4+
      intelligent multiport serial controllers, has been added.</para>

    <para arch="alpha,amd64,i386">For the &man.uart.4; device, the
      <varname>hw.uart.console</varname> and
      <varname>hw.uart.dbgport</varname> environment variables
      have been added. They can be used to select a serial console and
      debug port respectively, as well as the attributes.</para>

    <para>The &man.ubser.4; device driver has been added to support
      BWCT console management serial adapters.</para>

    <para>The ULE scheduler is now the default scheduler in the
      <filename>GENERIC</filename> kernel. For the average user,
      interactivity is reported to be better in many cases. This
      means less <quote>skipping</quote> and <quote>jerking</quote> in
      interactive applications while the machine is very busy. This
      will not prevent problems due to overloaded disk subsystems, but
      it does help with overloaded CPUs. On SMP machines, ULE has
      per-CPU run queues which allow for CPU affinity, CPU binding,
      and advanced HyperThreading support, as well as providing a
      framework for more optimizations in the future.
      As fine-grained
      kernel locking continues, the scheduler will be able to make
      more efficient use of the available parallel resources.</para>

    <!-- Above this line, sort kernel changes by manpage/keyword-->

    <para>The device driver infrastructure (as well as many drivers)
      has been updated. Among the changes: Many more drivers now use
      automatically-assigned major numbers (instead of the old static
      major numbers). Enhanced functions to support cloning of
      pseudodevices. Several changes to the driver API, including a
      new <varname>d_version</varname> field in <varname>struct
      cdevsw</varname>. Note that third-party device drivers will
      require recompiling after this change.</para>

    <para>The kernel's file descriptor allocation code has been
      updated, and is now derived from similar code in OpenBSD.</para>

    <para arch="sparc64">On &os;/sparc64, <varname>time_t</varname>
      has been changed from a 32-bit value to a 64-bit value.

      <note>
        <para>Since this change is not backward-compatible,
          any programs which were built on an older system using
          a 32-bit <varname>time_t</varname> and
          call system routines for handling
          <varname>time_t</varname> values will have to be recompiled.
          More detailed information and notice on upgrading from
          the source can be found in
          <filename>/usr/src/UPDATING.64BTT</filename>.</para>
      </note>
    </para>

    <para arch="i386">It is now possible to compile the &os;/i386
      kernel with the Intel C/C++ Compiler (as in the <filename
      role="package">lang/icc</filename> port).</para>

    <sect3 id="proc">
      <title>Platform-Specific Hardware Support</title>

      <para arch="i386">The entropy device &man.random.4; now
        supports a hardware random number generator (RNG)
        in the VIA C3 Nehemiah (Stepping 3 and above) CPU.</para>

      <para arch="i386">Several old drivers for ISA cards have been removed,
        including
        the asc driver for GI1904-based hand scanners,
        the ctx driver for CORTEX-I Frame Grabber,
        the gp driver for National Instruments AT-GPIB and AT-GPIB/TNT boards,
        the gsc driver for the Genius GS-4500 hand scanner,
        the le driver for DEC EtherWORKS II and III ethernet controllers,
        the rdp driver for RealTek RTL 8002-based pocket ethernet adapters,
        the spigot driver for the Creative Labs Video Spigot video-acquisition board,
        the stl and stli drivers for Stallion Technologies multiport serial
        controllers, and the wt driver for Archive/Wangtek cartridge tapes.
        They are currently non-functional, and would require a considerable
        amount of work to make them work under the new API in 5-CURRENT.
        The userland support such as related ioctls and utilities including
        sasc and sgsc has also been removed.</para>
    </sect3>

    <sect3 id="boot">
      <title>Boot Loader Changes</title>

      <para arch="i386">A serial console-capable version of
        <filename>boot0</filename> has been added.
        It can be written
        to a disk using &man.boot0cfg.8; and specifying
        <filename>/boot/boot0sio</filename> as the argument to the
        <option>-b</option> option.</para>

      <para arch="i386"><filename>cdboot</filename> now works around a
        BIOS problem observed on some systems when booting from USB
        CDROM drives.</para>

      <!-- Above this line, order boot loader changes by keyword-->

    </sect3>

    <sect3 id="net-if">
      <title>Network Interface Support</title>

      <para arch="i386">The &man.arl.4; driver, which supports
        Aironet Arlan 655 wireless adapters, has been added.</para>

      <para arch="sparc64">The &man.dc.4; driver now supports sparc64
        Davicom cards that store their MAC address in
        OpenFirmware.</para>

      <para>A short hiccup in the &man.em.4; driver during parameter
        reconfiguration has been fixed. &merged;</para>

      <para arch="i386,pc98">The hea (Efficient Networks, Inc. ENI-155p ATM adapter)
        driver has been removed due to breakage. Its functionality
        has been subsumed into the &man.en.4; driver.</para>

      <para arch="i386">The lmc (LAN Media Corp. PCI WAN adapter) driver has been
        removed due to breakage and lack of maintainership.</para>

      <para arch="i386">&os; now provides a binary compatibility layer
        for using &microsoft.windows; NDIS drivers for network
        adapters under &os;/i386. It includes a relocator/linker for
        &windows; <filename>.SYS</filename> files to interface with
        the &os; kernel and emulates various parts of the NDIS API
        using native &os; kernel functions. This system supports PCI
        and CardBus network devices, and is designed principally for
        Ethernet and wireless network interfaces.
        For more information, see the &man.ndis.4; and
        &man.ndiscvt.8; manual pages.</para>

      <para>The &man.ng.atmllc.4; Netgraph node type, which handles
        RFC 1483 ATM LLC encapsulation, has been added.</para>

      <para>The &man.ng.hub.4; Netgraph node type, which supports
        a simple packet distribution that acts like an Ethernet hub,
        has been added. &merged;</para>

      <para>The &man.ng.sppp.4; Netgraph node type, which is a &man.netgraph.4;
        interface to the original &man.sppp.4; network module for synchronous
        lines, has been added.</para>

      <para>The &man.ng.vlan.4; Netgraph node type, which supports
        IEEE 802.1Q VLAN tagging, has been added. &merged;</para>

      <para>A bug that prevented VLAN support in the &man.nge.4; driver
        from working has been fixed. &merged;</para>

      <para>The &man.pci.4; bus resource and power management have
        been updated.

        <note>
          <para>Although the &man.pci.4; bus power state management
            has been enabled, it may cause problems on some systems.
            This can be disabled by setting the tunable
            <varname>hw.pci.do_powerstate</varname> to 0.</para>
        </note>
      </para>

      <para>Several bugs related to &man.polling.4; support
        in the &man.rl.4; driver have been fixed. &merged;</para>

      <para>Several bugs related to multicast and promiscuous mode
        handling in the &man.sk.4; driver have been fixed.</para>

      <para>The &man.ste.4; driver now supports &man.polling.4;.
        &merged;</para>

      <para>The &man.udav.4; driver has been added. It provides
        support for USB Ethernet adapters based on the Davicom DM9601
        chipset.</para>

      <para>The &man.vr.4; driver now supports &man.polling.4;. &merged;</para>

      <para>The hardware TX checksum support in the &man.xl.4; driver
        has been disabled as it does not work correctly and slows down
        the transmission rate.
        &merged;</para>

      <para>Per-interface &man.polling.4; support has been
        implemented. All of the network drivers that support &man.polling.4;
        (&man.dc.4;, &man.fxp.4;, &man.em.4;, &man.nge.4;, &man.re.4;,
        &man.rl.4;, &man.sis.4;, &man.ste.4;, and &man.vr.4;)
        now also support this capability and it can be controlled
        via &man.ifconfig.8;. &merged;</para>
    </sect3>

    <sect3 id="net-proto">
      <title>Network Protocols</title>

      <para>The <literal>DA_OLD_QUIRKS</literal> kernel option,
        which is for the CAM SCSI disk driver (&man.cam.4;),
        has been removed. &merged;</para>

      <para>The &man.gre.4; tunnel driver now supports WCCP version
        2.</para>

      <para>&man.ipfw.4; rules now support the <literal>versrcreach</literal>
        option to verify that a valid route to the source address
        of a packet exists in the routing table.
        This option is very useful for routers with a complete view of
        the Internet (BGP) in the routing table to reject packets with
        spoofed or unroutable source addresses. For example,

        <programlisting>deny ip from any to any not versrcreach</programlisting>

        is equivalent to the following in Cisco IOS syntax:

        <programlisting>ip verify unicast source reachable-via any</programlisting>
      </para>

      <para>Some bugs in the IPsec implementation from the KAME
        Project have been fixed. These bugs were related to freeing
        memory objects before all references to them were removed, and
        could cause erratic behavior or kernel panics after flushing
        the Security Policy Database (SPD).</para>

      <para>The <literal>PFIL_HOOKS</literal> option is now enabled by
        default in the <filename>GENERIC</filename> kernel.
        The most
        notable effect of this change is to make
        <application>IPFilter</application> work correctly when loaded
        as a kernel module.</para>

      <para>The following TCP features are now enabled by default: RFC
        3042 (Limited Retransmit), RFC 3390 (increased initial
        congestion window sizes), TCP bandwidth-delay product
        limiting. More information can be found in &man.tcp.4;.</para>

      <para>&os;'s TCP implementation now includes support for a
        minimum MSS (settable via the
        <varname>net.inet.tcp.minmss</varname> sysctl variable) and a
        rate limit on connections that send many small TCP segments
        within a short period of time (via the
        <varname>net.inet.tcp.minmssoverload</varname> sysctl
        variable). Connections exceeding this limit may be reset and
        dropped. This feature provides protection against a class of
        resource exhaustion attacks.</para>

      <para>The TCP implementation now includes partial (output-only)
        support for RFC 2385 (TCP-MD5) digests. This feature,
        enabled with the <literal>TCP_SIGNATURE</literal> and
        <literal>FAST_IPSEC</literal> kernel options, is a TCP option
        for authenticating TCP sessions. &man.setkey.8; now includes
        support for the TCP-MD5 class of security associations.
        &merged;</para>

      <para>The TCP connection reset handling has been improved to
        make several reset attacks as difficult as possible while
        maintaining compatibility with the widest range of TCP stacks.</para>

      <para>The implementation of RFC 1948 has been improved.
        The time offset component of an ISN now includes random positive
        increments between clock ticks so that ISNs will always
        be increasing, no matter how quickly the port is recycled.</para>

      <para>Random ephemeral port allocation, which comes from OpenBSD,
        has been implemented.
        This is enabled by default and can be disabled
        using the <varname>net.inet.ip.portrange.randomized</varname>
        sysctl. &merged;</para>
    </sect3>

    <sect3 id="disks">
      <title>Disks and Storage</title>

      <para>The &man.ata.4; driver now supports cardbus ATA/SATA
        controllers.</para>

      <para>A number of bugs in the &man.ata.4; driver have been
        fixed. Most notably, master/slave device detection should
        work better, and some problems with timeouts should be
        resolved.</para>

      <para>The &man.ata.4; driver now supports the Promise command
        sequencer present on all modern Promise controllers
        (PDC203** PDC206**).

        <note>
          <para>This also adds preliminary support for the
            Promise SX4/SX4000 as a <quote>normal</quote> Promise ATA
            controller; ATA RAIDs are supported,
            but only RAID0, RAID1 and RAID0+1.</para>
        </note>
      </para>

      <para arch="pc98">A bug in the automatic density selection code
        in the &man.fd.4; driver has been fixed.</para>

      <para>The &man.ips.4; driver now supports the recent
        Adaptec ServeRAID series SCSI controller cards.</para>

      <para arch="sparc64">A bug in the &man.isp.4; driver
        that prevented the cards on SBus from working correctly
        has been fixed.</para>

      <para arch="i386">The &man.twa.4; driver, which supports
        3ware's 9000 series PATA/SATA RAID controllers, has been added. &merged;</para>

      <para>The &man.umass.4; driver now supports the missing
        ATAPI MMC commands and handles the timeout properly. &merged;</para>
    </sect3>

    <sect3 id="fs">
      <title>File Systems</title>

      <para>The EXT2FS file system code now includes partial support
        for large (> 4GB) files.
        This support is partial in that
        it will refuse to create large files on filesystems that have
        not been upgraded to <literal>EXT2_DYN_REV</literal> or that
        do not have the
        <literal>EXT2_FEATURE_RO_COMPAT_LARGE_FILE</literal> flag set
        in the superblock.</para>

      <para>A bug in GEOM that could result in I/O hangs in some rare
        cases has been fixed.</para>

      <para>A new geom_concat class has been added to concatenate
        multiple disks to appear as a single larger disk. The
        &man.gconcat.8; utility is used for configuring concatenated
        disks.</para>

      <para>A panic in the NFSv4 client has been fixed; this occurred
        when attempting operations against an NFSv3/NFSv2-only
        server.</para>

      <para>The SMBFS client now has support for SMB request signing,
        which prevents <quote>man in the middle</quote> attacks and is
        required in order to connect to Windows 2003 servers in their
        default configuration. As signing each message imposes a
        significant performance penalty, this feature is only enabled
        if the server requires it; this may eventually become an
        option to &man.mount.smbfs.8;.</para>
    </sect3>

    <sect3 id="mm">
      <title>Multimedia Support</title>

      <para>The meteor (video capture) driver has been removed due to
        breakage and lack of maintainership.</para>

    </sect3>

  </sect2>

  <sect2 id="userland">
    <title>Userland Changes</title>

    <para>&man.bsdlabel.8; now supports a <option>-f</option> option
      to work on files instead of disk partitions.</para>

    <para>The <command>bthidcontrol</command> command and the
      <command>bthidd</command> command, which support Bluetooth
      HID (Human Interface Device), have been added.</para>

    <para>The &man.cron.8; daemon now accepts two new options,
      <option>-j</option> and <option>-J</option>, to enable
      time jitter for jobs to run as unprivileged users and the
      superuser,
      respectively. Time jitter means that &man.cron.8;
      will sleep for a small random period of time in the specified
      range before executing a job. This feature is intended to
      smooth load peaks appearing when a lot of jobs are scheduled
      for a particular moment.</para>

    <para>&man.df.1; now supports a <option>-c</option> option to display
      a grand total of statistics for file systems.</para>

    <para>The <command>doscmd</command> utility has been
      removed from the &os; base system, and is available
      in the &os; Ports Collection instead.</para>

    <para>&man.dump.8; and &man.restore.8; now support
      a <option>-P</option> option to specify backup methods
      other than files and tapes. The argument is passed to
      a normal &man.sh.1; pipeline with either
      <varname>$DUMP_VOLUME</varname> or <varname>$RESTORE_VOLUME</varname>
      defined in the environment, respectively.
      For more information, see &man.dump.8; and &man.restore.8;.</para>

    <para arch="pc98">The &man.fdcontrol.8;, &man.fdformat.1;, and
      &man.fdread.1; utilities now work on &os;/pc98.</para>

    <para>The &man.find.1; utility now supports a <option>-acl</option>
      primary to locate files with &man.acl.3;.</para>

    <para>&man.indent.1; now supports a <option>-ldi</option> option
      to control indentation of local variables. A number of other
      tunings were made to this utility.</para>

    <para>&man.ifconfig.8; now supports renaming of network interfaces
      at run-time using the <option>name</option> parameter.</para>

    <para>&man.ifconfig.8; now prints the &man.polling.4; status
      on the interface.
      &merged;</para>

    <para>&man.ip6fw.8; now supports a <option>-n</option> flag to
      stop it from making any changes to the rules in the kernel.</para>

    <para>&man.ipcs.1; now supports a <option>-u</option> option to
      display information about IPC mechanisms owned by the specified
      user.</para>

    <para>&man.ipfw.8; now supports a <option>-b</option> flag to
      print only the action and comment for each rule, thus omitting
      the rule body.</para>

    <para>&man.killall.1; now supports a <option>-e</option> flag to
      make the <option>-u</option> option operate on effective, rather than
      real, user IDs. &merged;</para>

    <para>&man.libalias.3; now has support (and a new API) for
      multiple aliasing instances in a single process. The existing
      API has been reimplemented in terms of the new one to preserve
      compatibility.</para>

    <para>A <filename>libarchive</filename> library for manipulation
      of compressed and uncompressed archive files has been
      added. More details can be found in &man.libarchive.3;.</para>

    <para arch="pc98"><filename>libdisk</filename> now uses the
      correct PC98 disk partition value for &os;. This permits the
      &man.sysinstall.8; disk partition editor to correctly create a
      single &os; partition covering the entire disk. &merged;</para>

    <para><filename>libdisk</filename> now uses
      <varname>d_addr_t</varname> for disk addresses.
      This allows &man.sysinstall.8; to properly handle disks
      and filesystems larger than 1 TB.</para>

    <para arch="i386,pc98,amd64,ia64">The library formerly known as
      <filename>libkse</filename> has been renamed
      <filename>libpthread</filename> and is now the default threading
      library on the i386, amd64, and ia64 platforms.
      <application>GCC</application>'s <option>-pthread</option>
      option has been changed to use <filename>libpthread</filename>
      rather than <filename>libc_r</filename>.

      <note>
        <para>Users with older binaries (for example, ports compiled
          before this change was made) should use &man.libmap.conf.5;
          to map <filename>libc_r</filename> and/or
          <filename>libkse</filename> to
          <filename>libpthread</filename>.</para>
      </note>

      <note>
        <para>Users with NVIDIA-supplied drivers and libraries may
          need to use a &man.libmap.conf.5; that maps
          <filename>libpthread</filename> references to the older
          <filename>libc_r</filename> since these drivers and
          utilities do not work with
          <filename>libpthread</filename>.</para>
      </note>
    </para>

    <para>&man.make.1; now supports the new <literal>.warning</literal>
      directive.</para>

    <para>Initial support for UTF-8 versions of all the currently
      supported system locales has been added. This is primarily
      for the benefit of the <filename role="package">misc/utf8locale</filename>
      port.</para>

    <para>An Israel Hebrew locale <literal>he_IL.UTF-8</literal>
      has been added.</para>

    <para>The &man.logins.1; utility has been added to display
      information about user and system accounts.</para>

    <para>&man.mountd.8; now supports the <option>-p</option> option,
      which allows users to specify a known port for use
      in firewall rulesets.</para>

    <para>&man.netstat.1; now displays the multicast group
      memberships present in the system.</para>

    <para>&man.newfs.8; and &man.mdmfs.8; now support a
      <option>-l</option> flag to enable them to set the MAC
      multilabel flag on new filesystems without requiring the use of
      &man.tunefs.8;.</para>

    <para>&man.nologin.8; now reports login attempts via
      &man.syslogd.8;.</para>

    <para>&man.nologin.8; has been moved from <filename>/sbin/nologin</filename>
      to <filename>/usr/sbin/nologin</filename>, and
      <filename>/sbin/nologin</filename> remains as a symbolic link
      for backward compatibility.</para>

    <para>A
bugfix has been applied to NSS support, which fixes
      problems when using third-party NSS modules (such as <filename
      role="package">net/nss_ldap</filename>) and groups with large
      membership lists.</para>

    <para>The &man.pgrep.1; and &man.pkill.1; commands, which come from NetBSD,
      have been added. They also support a <option>-M</option> option
      to extract values associated with the name list from the
      specified core instead of the default <filename>/dev/kmem</filename>,
      and a <option>-N</option> option to extract the name list from
      the specified system instead of the default kernel.</para>

    <para>&man.ps.1; compatibility with POSIX/SUSv3 has been improved.
      The changes include <option>-p</option> for a list of process IDs,
      <option>-t</option> for a list of terminal names,
      <option>-A</option> which is equivalent to <option>-ax</option>,
      <option>-G</option> for a list of group IDs,
      <option>-X</option> which is the opposite of <option>-x</option>,
      and some minor improvements. For more information, see &man.ps.1;.
      &merged;</para>

    <para>&man.pw.8; now supports a <option>-H</option> option, which
      accepts an encrypted password on a file descriptor. &merged;</para>

    <para>A bug in &man.rarpd.8; that prevents it from working properly
      when an interface has more than one IP address has been fixed.
      &merged;</para>

    <para>The configuration files used by the &man.resolver.3; now
      support the <literal>timeout:</literal> and
      <literal>attempts:</literal> keywords.</para>

    <para>The &man.resolver.3; and associated interfaces are now much
      more reentrant and thread-safe. Multiple DNS lookups can now be
      run at the same time, showing major improvements in the
      performance of some multi-threaded applications.
Some
      multi-threaded programs need to be recompiled; examples from the
      Ports Collection are <filename
      role="package">www/mozilla</filename> and variants, <filename
      role="package">mail/evolution</filename>, <filename
      role="package">devel/gnomevfs</filename>, and <filename
      role="package">devel/gnomevfs2</filename>.</para>

    <para>&man.rmdir.1; now supports a <option>-v</option> flag,
      which makes it verbose.</para>

    <para>&man.savecore.8; now works correctly for dump files larger
      than 2GB.</para>

    <para>A bug in &man.script.1; has been fixed so that it now works
      correctly if its stdin is closed. This fix prevents a
      potentially dangerous interaction with the <filename
      role="package">sysutils/portupgrade</filename> package; if it was
      run non-interactively, it could remove all out-of-date
      ports without reinstalling them.</para>

    <para>The &man.sdpd.8; Bluetooth Service Discovery Protocol daemon
      has been added.</para>

    <para>Many userland utilities in the base system (mostly GNU
      contributed utilities) now use the system version of
      &man.getopt.long.3;, rather than the GNU version.</para>

    <sect3 id="rc-scripts">
      <title><filename>/etc/rc.d</filename> Scripts</title>

      <para>The <filename>diskless</filename> script has been
        split out into <filename>hostname</filename>,
        <filename>resolve</filename>, <filename>tmp</filename>, and
        <filename>var</filename> scripts.</para>

      <para>The <filename>gbde_swap</filename> script, which supports
        gbde-enabled swap devices, has been added.
        When the <varname>gbde_swap_enable</varname> variable is specified
        in &man.rc.conf.5;, a swap device named
        <filename>/dev/<replaceable>foo.bde</replaceable></filename>
        in &man.fstab.5;
        is automatically attached at boot time with the device
        <filename>/dev/<replaceable>foo</replaceable></filename>
        and a random key, which is
        generated by computing the MD5 checksum of 512 bytes read
        from <filename>/dev/random</filename>.
        Note that this prevents recovery of kernel dumps.</para>

      <para>The <filename>mixer</filename> script has been added.
        It saves the current settings of all audio mixers present
        in the system on shutdown and restores the settings on boot.</para>

      <para>The <filename>pf</filename> and <filename>pflog</filename>
        scripts for &man.pf.4; have been added.</para>
    </sect3>
  </sect2>

  <sect2 id="contrib">
    <title>Contributed Software</title>

    <para>The <application>ACPI-CA</application> code has been updated
      from the 20030619 snapshot to the 20040402 snapshot.</para>

    <para><application>awk</application> from Bell Labs has been
      updated from the 29 July 2003 release to the 7 February 2004
      release.</para>

    <para><application>CVS</application> has been updated from
      version 1.11.10 to version 1.11.15.</para>

    <para><application>gdtoa</application> (a library that performs
      conversions of numbers between binary and decimal form) has been
      updated from version 20030324 to version 20040118.</para>

    <para><application>GNU grep</application> has been updated from
      2.4d to 2.4.2.</para>

    <para><application>less</application> has been updated from
      version 371 to version 381.</para>

    <para><application>GNU readline</application> 4.3 has been updated
      with official patches 001 through 005.</para>

    <para>The <application>GNU regex</application> library has been
      updated to the version included with
<application>GNU
      grep</application> 2.4.2.</para>

    <para>The <application>GNU tar</application> implementation in the
      base system is now called <filename>gtar</filename>, with
      <filename>tar</filename> being a link to
      <filename>gtar</filename>.</para>

    <para><application>Heimdal Kerberos</application> has been
      updated from 0.6 to 0.6.1.</para>

    <para><application>libpcap</application> has been updated from
      version 0.7.1 to version 0.8.3.</para>

    <para><application>lukemftp</application>
      has been updated from a snapshot as of
      November 3, 2003 to one as of April 26, 2004.</para>

    <para><application>OpenPAM</application> has been updated from the
      Dogwood release to the Eelgrass release.</para>

    <para><application>OpenSSH</application> has been updated from
      3.6.1p1 to 3.8.1p1.

      <note>
        <para>The configuration defaults for &man.sshd.8; have been
          changed. SSH protocol version 1 is no longer enabled by
          default. In addition, password authentication over SSH is
          disabled by default if PAM is enabled.</para>
      </note>

    </para>

    <para><application>OpenSSL</application> has been updated from
      0.9.7c to 0.9.7d. &merged;</para>

    <para><application>pf</application>, OpenBSD's packet filter as of
      OpenBSD 3.4, has been imported into the &os; source tree and is now installed
      by default. A new user <username>proxy</username>, and two new
      groups <username>authpf</username> and <username>proxy</username>,
      which <application>pf</application> needs, are added as well.

      <note>
        <para>On upgrading from the source, these user accounts must be
          added in advance. The <varname>NO_PF</varname> variable
          in <filename>make.conf</filename> can be used to prevent
          <application>pf</application> from building.</para>
      </note>
    </para>

    <para>Several userland utilities of OpenBSD's
      <application>pf</application> have been imported.
      <filename>libexec/ftp-proxy</filename> is an ftp proxy for
      <application>pf</application>,
      <filename>sbin/pfctl</filename> is an equivalent to
      <filename>sbin/ipf</filename>,
      <filename>sbin/pflogd</filename>
      is a daemon logging packets via <literal>if_pflog</literal>
      in pcap format, and
      <filename>usr.sbin/authpf</filename> is an authentication shell
      to modify pf rulesets.</para>

    <para><application>routed</application> has been updated from
      release 2.22 to release 2.27 from rhyolite.com. Note that for
      users relying on RIP's MD5 authentication feature,
      &man.routed.8; is now incompatible with previous versions
      of &os;; however, it is now compatible with implementations from
      Sun, Cisco and other vendors.</para>

    <para><application>sendmail</application> has been updated from
      version 8.12.10 to version 8.12.11. &merged;</para>

    <para><application>tcpdump</application> has been updated from
      version 3.7.1 to version 3.8.3.</para>
  </sect2>

  <sect2 id="ports">
    <title>Ports/Packages Collection Infrastructure</title>

    <para>The <literal>SIZE</literal> attribute for distfiles,
      which can be used for checking file sizes before fetching,
      has been added and enabled by default.
      <varname>DISABLE_SIZE</varname> is a user control knob
      to disable the distfile size checking. This is especially
      useful on old &os; versions which did not have &man.fetch.1;
      support for this, and for some FTP proxies which always
      report incorrect or bogus sizes.</para>

    <para>Two new files have been added to the ports tree to track
      noteworthy changes: <filename>ports/CHANGES</filename> lists
      major changes to the Ports Collection and its infrastructure.
      <filename>ports/UPDATING</filename> describes some potential
      pitfalls that can be encountered when updating certain ports,
      analogous to <filename>src/UPDATING</filename> for the base
      system.</para>

  </sect2>

  <sect2 id="releng">
    <title>Release Engineering and Integration</title>

    <para arch="i386,pc98">The building process for boot floppy images
      has been completely overhauled. The most significant change is
      that the loader now boots a stock <filename>GENERIC</filename>
      kernel split across multiple disks (two at the time of this
      writing). This greatly improves installations that begin with a
      boot from floppy disk, because they now use exactly the same
      kernel (and thus support the same hardware) as CDROM
      installations. The stripped-down <filename>MFSROOT</filename>
      kernel is no longer needed, and the <filename>mfsroot</filename>
      image no longer requires kernel modules. The
      <filename>boot.flp</filename> and
      <filename>driver.flp</filename> images are also obsolete and no
      longer built.</para>

    <para>The supported release of <application>GNOME</application>
      has been updated from 2.4 to 2.6.

      <note>
        <para>If you are using the older <application>GNOME</application>
          desktop itself (<filename role="package">x11/gnome2</filename>),
          simply upgrading it from the &os; Ports Collection
          with
          &man.portupgrade.1;
          (<filename role="package">sysutils/portupgrade</filename>)
          will cause serious problems.
          If you are a <application>GNOME</application> desktop user,
          please read the instructions carefully at
          <ulink url="http://www.FreeBSD.org/gnome/docs/faq26.html"></ulink>,
          and use the <filename>gnome_upgrade.sh</filename> script to
          properly upgrade to <application>GNOME</application> 2.6.</para>

        <para>Note that if you are just a casual user of some of the
          <application>GNOME</application> libraries,
          &man.portupgrade.1; should be sufficient
          to update your ports.</para>
      </note>
    </para>

    <para>The supported release of <application>KDE</application>
      has been updated from 3.1.4 to 3.2.1.</para>
  </sect2>

  <sect2 id="doc">
    <title>Documentation</title>

    <para></para>

  </sect2>

</sect1>

<sect1 id="upgrade">
  <title>Upgrading from previous releases of &os;</title>

  <para>Users with existing &os; systems are
    <emphasis>highly</emphasis> encouraged to read the <quote>Early
    Adopter's Guide to &os; &release.current;</quote>. This document generally has
    the filename <filename>EARLY.TXT</filename> on the distribution
    media, or any other place that the release notes can be found. It
    offers some notes on upgrading, but more importantly, also
    discusses some of the relative merits of upgrading to &os;
    5.<replaceable>X</replaceable> versus running &os;
    4.<replaceable>X</replaceable>.</para>

  <important>
    <para>Upgrading &os; should, of course, only be attempted after
      backing up <emphasis>all</emphasis> data and configuration
      files.</para>
  </important>
</sect1>