1<!--
2	The "What's New" section of the release notes.  Within
3	each subsection (i.e. kernel, security, userland), list
4	items in chronological order, unless necessary to keep
5	related items together, such as multiple release notes
6	pertaining to a single program or module.
7
8-->
9
10<sect1>
11  <sect1info>
12    <pubdate>$FreeBSD: head/release/doc/en_US.ISO8859-1/relnotes/article.sgml 84278 2001-10-01 12:36:52Z dd $</pubdate>
13  </sect1info>
14
15  <title>What's New</title>
16
17  <para>This section describes the most user-visible new or changed
18  features in &os; since &release.prev;.  All changes
19  described here are unique to the &release.branch; branch unless
20  specifically marked as &merged; features.</para>
21
22  <para>Many additional changes were made to &os; that are not listed
23  here for lack of space.  For example, documentation was corrected
24  and improved, minor bugs were fixed, insecure coding practices were
25  audited and corrected, and source code was cleaned up.</para>
26
27  <para>The release notes items are organized into three different
28  sections.  <xref linkend="kernel"> lists recent changes to the &os;
29  kernel.  Security fixes, including those pertaining to security
30  advisories, are listed in <xref linkend="security">.  Finally, <xref
31  linkend="userland"> covers changes to &os; userland applications
32  included in the base system.</para>
33
34  <sect2 id="kernel">
35    <title>Kernel Changes</title>
36
37    <para>The &man.kqueue.2; event notification facility was added to
38    the &os; kernel.  This is a new interface which is able to
39    replace &man.poll.2;/&man.select.2;, offering improved performance,
40    as well as the ability to report many different types of events.
41    Support for monitoring changes in sockets, pipes, fifos, and files
42    is present, as well as for signals and processes. &merged;</para>
43
44    <para arch="i386">Support for Intel's Wired for Management 2.0 (PXE)
45    was added to the &os; boot loader.  Due to API differences, the
46    older PXE versions are not supported.  This allows network booting
47    using DHCP. &merged;</para>
48
49    <para arch="i386">The &os; boot loader now contains a workaround
50    to support CDROM booting on certain IBM BIOSs that expect the
51    first sector of the emulated floppy to contain a valid MS-DOS BPB
52    that they can modify. &merged;</para>
53
54    <para>Support for USB devices was added to the
55    <filename>GENERIC</filename> kernel and to the installation
56    programs to support USB devices out of the box.  Note that SRM
57    does not support USB devices at the moment, so you must still use
58    an AT keyboard if you are not using a serial console. &merged;</para>
59
60    <para>POSIX.1b Shared Memory Objects are now supported.  The
61    implementation uses regular files, but automatically enables the
62    MAP_NOSYNC flag when they are &man.mmap.2;-ed. &merged;</para>
63
64    <para arch="i386">A driver for AGP hardware has been added. &merged;</para>
65
66    <para>The kernel and modules have been moved to the directory
67    <filename>/boot/kernel</filename>, so they can be easily
68    manipulated together.  The boot loader has been updated to make
69    this change as seamless as possible.</para>
70
71    <para arch="i386">The i386 boot loader now has support for a 
72    <literal>nullconsole</literal>
73    console type, for use on systems with neither a video console nor
74    a serial port. &merged;</para>
75
76    <para>Replaced the <literal>PQ_*CACHE</literal> options with a
77    single <literal>PQ_CACHESIZE</literal> option to be set to
78    the cache size in kilobytes.  The old options are still supported
79    for backwards compatibility. &merged;</para>
80
81    <para arch="i386">The <literal>NCPU</literal>, <literal>NAPIC</literal>,
82    <literal>NBUS</literal>, and <literal>NINTR</literal> kernel
83    configuration options, for configuring SMP kernels, have been
84    removed.  <literal>NCPU</literal> is now set to a maximum of 16,
85    and the other, aforementioned options are now
86    dynamic. &merged;</para>
87
88    <para>&man.devfs.5;, which allows entries in the
89    <filename>/dev</filename> directory to be built automatically and
90    supports more flexible attachment of devices, has been largely
91    reworked.  &man.devfs.5; is now enabled by default and can be
92    disabled by the <literal>NODEVFS</literal> kernel option.</para>
93
94    <para arch="i386">Preliminary Cardbus support under NEWCARD has been added.
95    This code supports the TI113X, TI12XX, TI125X, Ricoh 5C46/5C47, Topic
96    95/97/100 and Cirrus Logic PD683X bridges.  16-bit PC Card support
97    is not yet functional.</para>
98
99    <para>Write combining for crashdumps has been implemented.  This
100    feature is useful when write caching is disabled on both SCSI and
101    IDE disks, where large memory dumps could take up to an hour to
102    complete. &merged;</para>
103
104    <para>Extremely large swap areas (&gt;67 GB) no longer panic the
105    system.</para>
106
107    <para arch="i386">The &man.ichsmb.4; driver for the Intel 82801AA
108    (ICH) SMBus controller and compatibles has been
109    added. &merged;</para>
110
111    <para arch="i386">The &man.uscanner.4; driver for basic USB scanner support
112    using SANE has been added. See <ulink
113    url="http://www.mostang.com/sane/">the SANE home page</ulink> for
114    supported scanners. The HP ScanJet 4100C, 5200C and 6300C are
115    known to be working.</para>
116
117    <para arch="i386">The umodem driver for USB modems has been added.
118    Support is provided for the 3Com 5605 and Metricom Ricochet GS
119    wireless USB modems.</para>
120
121    <para arch="alpha">Support for threads under Linux emulation has been
122    added.</para>
123
124    <para>A number of cleanups and enhancements have been applied to
125    the PCI subsystem.
126    <filename>/usr/share/misc/pci_vendors</filename> now contains a
127    vendor/device database, which can be used by
128    &man.pciconf.8;.</para>
129
130    <para arch="i386">The &man.spic.4; driver, which provides access to the jog
131    dial device on some Sony laptops, has been added.</para>
132
133    <para arch="i386">PECOFF (Win32 Execution file format) support has been
134    added.</para>
135
136    <para>A VESA S3 linear framebuffer driver has been added.</para>
137
138    <para>The <maketarget>buildkernel</maketarget> target now gets the
139    name of the configuration(s) to build from the
140    <varname>KERNCONF</varname> variable, not
141    <varname>KERNEL</varname>.  It is no longer required, in some
142    cases, for a <maketarget>buildworld</maketarget> to precede a
143    <maketarget>buildkernel</maketarget>.  (The
144    <maketarget>buildworld</maketarget> is still required when
145    upgrading across major releases, across
146    <application>binutils</application> updates and when &man.config.8;
147    changes version.) &merged;
148    </para>
149
150    <para>The &man.random.4; device has been rewritten to use the
151    <application>Yarrow</application> algorithm.  It harvests entropy
152    from a variety of interrupt sources, including the console
153    devices, Ethernet and point-to-point network interfaces, and
154    mass-storage devices.  Entropy from the &man.random.4; device is
155    now periodically saved to files in
156    <filename>/var/db/entropy</filename>, as well as at
157    shutdown time.  The semantics of <filename>/dev/random</filename>
158    have changed: it no longer blocks waiting for entropy bits, but
159    generates a stream of pseudo-random data, and now behaves exactly
160    like <filename>/dev/urandom</filename>.</para>
161
162    <para>The &man.syscons.4; driver now supports keyboard-controlled
163    pasting, by default bound to
164    <keycap>Shift</keycap>-<keycap>Insert</keycap>.</para>
165
166    <para>The &man.labpc.4; driver has been removed due to
167    <quote>bitrot</quote>.</para>
168
169    <para>A new kernel option, <literal>options REGRESSION</literal>,
170    enables interfaces and functionality intended for use during
171    correctness and regression testing.</para>
172
173    <para>The <literal>USER_LDT</literal> kernel option is now
174    activated by default.</para>
175
176    <para>A new &man.ddb.4; command <command>show pcpu</command> lists
177    some of the per-CPU data.</para>
178
179    <para>A new digi driver has been added to support PCI Xr-based and ISA
180    Xem Digiboard cards.  A new &man.digictl.8; program is (mainly) used to
181    re-initialise cards that have external port modules attached such as
182    the PC/Xem.</para>
183
184    <para>The dgm driver has been removed in favor of the digi driver.</para>
185
186    <para>The <literal>O_DIRECT</literal> flag has been added to
187    &man.open.2; and &man.fcntl.2;.  Specifying this flag for open
188    files will attempt to minimize the cache effects of reading and
189    writing. &merged;</para>
190
191    <para>An &man.orm.4; device has been added to claim the option
192    ROMs in the ISA memory I/O space, to prevent other drivers from
193    mistakenly assigning addresses that conflict with these ROMs. &merged;</para>
194
195    <para>The out-of-swap process termination code now begins killing
196    processes earlier to avoid deadlocks; it now also takes into
197    account the swap space used by processes when computing the
198    process sizes. &merged;</para>
199
200    <para>Linker sets are now self-contained; &man.gensetdefs.8; is
201    unnecessary and has been removed.</para>
202
203    <para>Numerous SMP-friendly changes have been made to the kernel's
204    mbuf allocator.</para>
205
206    <para>Network device cloning has been implemented, and the &man.gif.4;
207    device has been modified to take advantage of it.
208    Thus, instead of specifying how many &man.gif.4; interfaces
209    are available in kernel configuration files, &man.ifconfig.8;'s
210    <option>create</option> option should be used when another device
211    instance is desired. &merged;</para>
212
213    <para>The kernel message buffer is now accessible by the
214    (machine-independent) <varname>kern.msgbuf</varname> sysctl
215    variable; &man.dmesg.8; no longer needs to be SGID
216    <groupname>kmem</groupname>.</para>
217
218    <para>Two new &man.ddb.4; commands, <command>hwatch</command> and
219    <command>dhwatch</command>, have been introduced.  Analogous to
220    <command>watch</command> and <command>dwatch</command>, they install
221    hardware watchpoints (as opposed to software watchpoints) if supported
222    by the architecture. &merged;</para>
223
224    <para>A &man.nmdm.4; null-modem terminal driver has been added.
225    &merged;</para>
226
227    <para>The <varname>maxusers</varname> kernel configuration
228    parameter is now a boot-time tunable variable.  The kernel
229    parameters derived from <varname>maxusers</varname> are now also
230    tunables and can be overridden at boot-time.  The
231    <varname>hz</varname> parameter is also now a tunable. &merged;</para>
232
233    <para>It is now possible to hardwire kernel environment variables (such
234    as tunables) at compile-time using &man.config.8;'s
235    <literal>ENV</literal> directive.</para>
236
237    <para>The loader and kernel linker now look for files named
238    <filename>linker.hints</filename> in each directory with KLDs for a
239    module name and version to KLD filename mapping.  The new
240    &man.kldxref.8; utility is used to generate these files.</para>
241
242    <para>Idle zeroing of pages can be enabled with the
243    <varname>vm.zeroidle_enable</varname> sysctl variable.</para>
244
245    <para arch="i386">The load addresses of kernels have been exported to the
246    symbol table and various hard-coded constants removed so that
247    utilities such as &man.ps.1; can work with kernels compiled at
248    different addresses. &merged;</para>
249
250    <para arch="i386">A new <varname>KVA_SPACE</varname> kernel option
251    can be used to reconfigure the size of the kernel virtual address
252    space.</para>
253
254    <para>Coredumps of large processes (or of a large number of
255    processes) no longer lock up the machine for long periods of
256    time. &merged;</para>
257
258    <sect3>
259      <title>Processor/Motherboard Support</title>
260
261      <para>SMP support has been largely reworked, incorporating code
262      from BSD/OS 5.0.  One of the main features of SMPng (<quote>SMP
263      Next Generation</quote>) is to allow more processes to run in
264      kernel, without the need for spin locks that can dramatically
265      reduce the efficiency of multiple processors.  Interrupt
266      handlers now have contexts associated with them that allow them
267      to be blocked, which reduces the need to lock out
268      interrupts.</para>
269
270      <para arch="i386">Support for the 80386 processor has been
271      removed from the <filename>GENERIC</filename> kernel, as this
272      code seriously pessimizes performance on other IA32
273      processors.</para>
274
275      <para arch="i386">The <literal>I386_CPU</literal> kernel option
276      to support the 80386 processor is now mutually exclusive with
277      support for other IA32 processors; this should slightly improve
278      performance on the 80386 due to the elimination of runtime
279      processor type checks.</para>
280
281      <para arch="i386">Custom kernels that will run on the 80386 can
282      still be built by changing the cpu options in the kernel
283      configuration file to only include
284      <literal>I386_CPU</literal>.</para>
285
286      <para arch="alpha">AlphaServer 1200 (<quote>Tincup</quote>) has
287      been tested and works OK.  Currently it does not want to boot
288      from CD or floppy but a transplanted disk that was installed on
289      another Alpha works well. &merged;</para>
290
291      <para arch="alpha">The API UP1100 mainboard has been verified to work.</para>
292
293      <para arch="alpha">The API CS20 1U high server has been verified to work.</para>
294
295      <para arch="alpha">The DEC3000 series support has been removed from the mfsroot
296      floppy image so that it fits on a 1.44 Mbyte floppy again. As the 
297      DEC3000 is currently only usable diskless, this should not cause
298      any problems.</para>
299
300      <para arch="alpha">Support for AlphaServer 2100A (<quote>Lynx</quote>) has been
301      added.</para>
302
303      <para arch="alpha">Kernel code has been added that allows older generation Alpha CPUs
304      (EV4 and EV5) to emulate instructions of the newer Alpha CPU 
305      generations. This enables the use of binary-only programs like <application>Adobe
306      Acrobat 4</application> on EV4 and EV5.</para>
307
308      <para arch="alpha">SMP support for the Alpha is now operational.</para>
309
310      <para arch="i386">Detection for new processors, such as the
311      FC-PGA2 Pentium III (Tualatin), Transmeta Crusoe, and Transmeta
312      Crusoe LongRun, has been added. &merged;</para>
313
314      <para arch="alpha">Support for the following hardware has been removed
315      from the installation kernel to make it fit on a 1.44MB floppy again:
316      Multia, NoName, PC64, EB64, Aspen Alpine, sa (SCSI tape), amr, parallel
317      port support,  vx (3c590, 3c595), pcn (AMD Am79C97x PCI 10/100), 
318      sf (Adaptec AIC-6915), sis (SiS 900/SiS 7016), ste (Sundance ST201 
319      (D-Link DFE-550TX)), wb (Winbond W89C840F).</para>
320
321      <para arch="i386">Support for Streaming <acronym>SIMD</acronym>
322      Extensions (<acronym>SSE</acronym>) has been introduced.  The
323      <literal>CPU_ENABLE_SSE</literal> kernel option controls whether
324      support is compiled into the kernel. &merged;</para>
325
326      <para arch="i386">The &man.amdpm.4; driver has been added to
327      provide access to the system monitoring functions of the AMD 756
328      chipset.</para>
329
330      <para>The kernel is now aware of the concept that there are
331      smaller units of scheduling than a process (but only one thread
332      per process is allowed at this time).</para>
333    </sect3>
334
335    <sect3>
336      <title>Network Interface Support</title>
337
338      <para>Added support for PCI Ethernet adapters based on the
339      National Semiconductor DP83815 chipset, including the NetGear
340      FA311-TX and FA312-TX, in the form of the &man.sis.4; driver.</para>
341
342      <para>The &man.tap.4; driver, a virtual Ethernet device driver for
343      bridged configurations, has been added. &merged;</para>
344
345      <para>The &man.ti.4; driver now supports the Alteon AceNIC
346      1000baseT Gigabit Ethernet and Netgear GA620T 1000baseT Gigabit
347      cards. &merged;</para>
348
349      <para>The &man.xl.4; driver now supports the 3Com 3C556 and 3C556B
350      MiniPCI adapters used on some laptops. &merged;</para>
351
352      <para arch="alpha">The &man.ed.4; driver is now supported.</para>
353
354      <para>The &man.pcn.4; driver, which supports the AMD PCnet/FAST,
355      PCnet/FAST+, PCnet/FAST III, PCnet/PRO, PCnet/Home, and HomePNA
356      adapters, has been added.  Although these cards are already
357      supported by the &man.lnc.4; driver, the &man.pcn.4; driver runs
358      these chips in 32-bit mode and uses the RX alignment feature to
359      achieve zero-copy receive.  This driver is also
360      machine-independent, so it will work on both the i386 and Alpha
361      platforms.  The &man.lnc.4; driver is still needed to support non-PCI
362      cards. &merged;</para>
363
364      <para>Support for Fujitsu MB86960A/MB86965A based Ethernet
365      PC-Cards is back. &merged;</para>
366
367      <para arch="i386">The snc driver for the National Semiconductor
368      DP8393X (SONIC) Ethernet controller has been added.  Currently,
369      this driver is only used on the PC-98 architecture. &merged;</para>
370
371      <para>The &man.an.4; driver for Cisco Aironet cards now supports
372      Wired Equivalent Privacy (WEP) encryption, settable via
373      &man.ancontrol.8;. &merged;</para>
374
375      <para>The &man.an.4; driver now supports the Cisco Aironet 350
376      series of adaptors. &merged;</para>
377
378      <para>The &man.an.4; driver now supports <quote>monitor</quote>
379      mode, settable via the <option>-M</option> option to
380      &man.ancontrol.8;. &merged;</para>
381
382      <para arch="i386">The &man.el.4; driver can now be loaded as a
383      module.</para>
384
385      <para>The &man.ray.4; driver, which supports the Webgear Aviator
386      wireless network cards, has been committed.  The operation of
387      &man.ray.4; interfaces can be modified by
388      &man.raycontrol.8;. &merged;</para>
389
390      <para arch="alpha">The &man.fpa.4; driver now supports Digital's
391      DEFPA FDDI adaptors on the Alpha.</para>
392
393      <para arch="i386">Linksys Fast Ethernet PCCARD cards supported by the
394      &man.ed.4; driver now require the addition of flag
395      <literal>0x80000</literal> to their config line in
396      &man.pccard.conf.5;.  This flag is not optional.  These Linksys
397      cards will not be recognized without it. &merged;</para>
398
399      <para>A bug in the &man.ed.4; driver that could cause panics with
400      very short packets and BPF or bridging active has been
401      fixed. &merged;</para>
402
403      <para>The &man.ed.4; driver now has support for D-Link
404      DL10022 chips, necessary for the NetGear FA-410TX and other
405      cards.  As a result, <literal>device miibus</literal> is
406      required in kernel configurations using the &man.ed.4;
407      driver. &merged;</para>
408
409      <para>The &man.fxp.4; driver now requires a <literal>device
410      miibus</literal> entry in the kernel configuration file. &merged;</para>
411
412      <para>The &man.wx.4; driver now supports the Intel PRO1000-F and
413      PRO1000-T (10/100/1000) adapters. &merged;</para>
414
415      <para>Added the &man.nge.4; driver, which supports PCI Gigabit
416      Ethernet adapters based on the National Semiconductor DP83820
417      and DP83821 Gigabit Ethernet controller chips, including the
418      D-Link DGE-500T, SMC EZ Card 1000 (SMC9462TX), Asante
419      FriendlyNet GigaNIC 1000TA and 1000TPC and Addtron
420      AEG320T.  This driver supports transmit and receive checksum
421      offloading. &merged;</para>
422
423      <para>The &man.lge.4; driver has been added to support the Level
424      1 LXT1001 NetCellerator Gigabit Ethernet controller chip. This
425      device is used on some fiber optic GigE cards from SMC, D-Link
426      and Addtron.  Jumbograms and TCP/IP checksum offload on receive
427      are supported, although hardware VLAN filtering is not. &merged;</para>
428
429      <para>The &man.xl.4; driver now supports reception of VLAN
430      tagged frames (on the <quote>Cyclone</quote> or newer
431      chipsets). &merged;</para>
432
433      <para>The &man.ti.4; driver correctly masks VLAN tags. &merged;</para>
434
435      <para>The &man.txp.4; driver has been added to support NICs
436      based on the 3Com 3XP Typhoon/Sidewinder (3CR990) chipset. &merged;</para>
437
438      <para arch="i386">The &man.bge.4; driver has been added to
439      support the Broadcom BCM570x family of Gigabit Ethernet
440      controllers, including the 3Com 3c996-T, the SysKonnect SK-9D21
441      and SK-9D41, and the built-in Gigabit Ethernet NICs on Dell
442      PowerEdge 2550 servers.  TCP/IP checksum offload, jumbo frames
443      and VLAN tag insertion/stripping are supported, as well as
444      interrupt moderation.</para>
445
446      <para>The per-interface <varname>ifnet</varname> structure now
447      has the ability to indicate a set of capabilities supported by a
448      network interface, and which ones are enabled.  &man.ifconfig.8;
449      has support for querying these capabilities.</para>
450    </sect3>
451
452    <sect3>
453      <title>Network Protocols</title>
454
455      <para>&man.accept.filter.9;, a kernel feature to reduce overheads
456      when accepting and reading new connections on listening sockets,
457      has been added. &merged;</para>
458
459      <para>The &man.ng.mppc.4; and &man.ng.bridge.4; node types have
460      been added to the &man.netgraph.4; subsystem.  The &man.ng.ether.4; node
461      is now dynamically loadable.  Miscellaneous bug fixes and
462      enhancements have also been made. &merged;</para>
463
464      <para>&man.netgraph.4; has received some updates and bugfixes.</para>
465
466      <para>A new netgraph node type &man.ng.one2many.4; for multiplexing
467      and demultiplexing packets over multiple links has been added.
468      &merged;</para>
469
470      <para>The &man.ng.gif.4; and &man.ng.gif.demux.4; netgraph
471      nodes, for operating on &man.gif.4; devices, have been
472      added.</para>
473
474      <para>The &man.ng.ip.input.4; netgraph node, for queueing IP
475      packets into the main IP input processing code, has been
476      added.</para>
477
478      <para arch="alpha">SLIP has been removed from the
479      <filename>mfsroot</filename> floppy image.</para>
480
481      <para>ICMP ECHO and TSTAMP replies are now rate limited.  TCP RSTs
482      generated due to packets sent to open and unopen ports are now
483      limited by separate counters.  Each rate limiting queue now has
484      its own description.</para>
485
486      <para>ICMP <literal>UNREACH_FILTER_PROHIB</literal> messages can
487      now RST TCP connections in the <literal>SYN_SENT</literal> state
488      if the correct sequence numbers are sent back, as controlled by the
489      <varname>net.inet.tcp.icmp_may_rst</varname>
490      sysctl.</para>
491
492      <para>TCP has received some bug fixes for its delayed ACK
493      behavior. &merged;</para>
494
495      <para>TCP now supports the NewReno modification to the TCP Fast Recovery
496      algorithm.  This behavior can be controlled via the
497      <varname>net.inet.tcp.newreno</varname> sysctl variable. &merged;</para>
498
499      <para>TCP now uses a more aggressive timeout for initial SYN segments; this
500      allows initial connection attempts to be dropped much
501      faster. &merged;</para>
502
503      <para>The <literal>TCP_COMPAT_42</literal> kernel option has
504      been removed.</para>
505
506      <para>The <literal>TCP_RESTRICT_RST</literal> kernel option has
507      been removed.  Similar functionality can be achieved with the
508      <varname>net.inet.tcp.blackhole</varname> sysctl
509      variable. &merged;</para>
510
511      <para>TCP now has RFC 1323 extensions enabled by default in
512      &man.rc.conf.5;. &merged;</para>
513
514      <para>RFC 1323 and RFC 1644 TCP extensions are now disabled for a
515      connection in progress if no response has been received by the
516      third SYN segment sent.  This behavior tries to work around
517      (very old) terminal servers with buggy VJ header compression
518      implementations. &merged;</para>
519
520      <para>The TCP implementation no longer requires the
521      allocation of a TCP template structure for each connection; this
522      should reduce the buffer usage on large systems handling many
523      connections. &merged;</para>
524
525      <para>TCP's default buffer sizes, controlled by the
526      <varname>net.inet.tcp.sendspace</varname> and 
527      <varname>net.inet.tcp.recvspace</varname> sysctl variables, have
528      been increased to 32K and 64K respectively.</para>
529
530      <para>TCP now supports RFC 1948 (Defending Against Sequence
531      Number Attacks).  This functionality is controlled by the 
532      <varname>net.inet.tcp.strict_rfc1948</varname> and
533      <varname>net.inet.tcp.isn_reseed_interval</varname> sysctl
534      variables. &merged;</para>
535
536      <para>A new sysctl <varname>net.inet.ip.check_interface</varname>,
537      which is on by default, causes IP to verify that an incoming
538      packet arrives on an interface that has an address matching the
539      packet's destination address. &merged;</para>
540
541      <para>A new sysctl
542      <varname>net.link.ether.inet.log_arp_wrong_iface</varname> has
543      been added to control the suppression of logging when ARP replies
544      arrive on the wrong interface. &merged;</para>
545
546      <para>The <literal>proxy</literal> modifier to &man.arp.8;'s
547      <option>-d</option> option has been renamed to
548      <literal>pub</literal>, for consistency with the
549      <option>-s</option> option.  The <literal>only</literal> keyword
550      has been added to the <option>-s</option> and
551      <option>-S</option> flags, to be used in creating
552      <quote>proxy-only</quote> published entries.</para>
553
554      <para>&man.ipfw.4; now filters correctly in the presence of ECN bits in TCP
555      segments. &merged;</para>
556
557      <para>&man.ipfw.8; will now avoid the display of dynamic
558      firewall rules unless the <option>-d</option> flag is passed to
559      it.  The <option>-e</option> flag lists expired dynamic rules.</para>
560
561      <para>&man.bridge.4; and &man.dummynet.4; have received some
562      enhancements and bug fixes.</para>
563
564      <para>&man.ipfw.8; has a new feature (<literal>me</literal>) that
565      allows for packet matching on interfaces with dynamically-changing
566      IP addresses. &merged;</para>
567
568      <para>&man.ip6fw.8; now has the ability to use a preprocessor
569      and use the <option>-q</option> (quiet) flag when reading from a
570      file. &merged;</para>
571
572      <para>A new <literal>options RANDOM_IP_ID</literal> kernel
573      option causes the ID field of IP packets to be randomized.  This
574      closes a minor information leak which allows a remote observer
575      to determine the rate at which the machine is generating
576      packets, since the default behavior is to increment a counter
577      for each packet sent. &merged;</para>
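
      <para>The leak that <literal>RANDOM_IP_ID</literal> closes, shown as an added example that is not part of the original release notes and is not &os; kernel code.  It is a constructed Python model; the names <literal>Host</literal>, <literal>observe</literal>, <literal>inferred_traffic</literal> and <literal>leak_rate</literal> are hypothetical, and Python's seeded PRNG stands in for whatever generator a kernel would use.</para>

```python
import random

ID_SPACE = 65536  # the IPv4 Identification field is 16 bits wide


class Host:
    """Constructed model of how a host assigns IP IDs (not FreeBSD code)."""

    def __init__(self, randomize, seed=0):
        self.randomize = randomize
        self._counter = 0
        # Stand-in for a kernel PRNG; seeded only to keep the demo repeatable.
        self._rng = random.Random(seed)

    def next_ip_id(self):
        if self.randomize:
            # RANDOM_IP_ID-style behaviour: every packet gets an unrelated ID.
            return self._rng.randrange(ID_SPACE)
        # Default behaviour described in the note: one global counter,
        # incremented for each packet sent, wrapping at 16 bits.
        self._counter = (self._counter + 1) % ID_SPACE
        return self._counter

    def send_to_others(self, n):
        """Send n packets to other peers; the observer never sees these."""
        for _ in range(n):
            self.next_ip_id()

    def reply_to_observer(self):
        """Send one packet the remote observer can see; return its IP ID."""
        return self.next_ip_id()


def inferred_traffic(first_id, second_id):
    """Packets an observer would infer were sent between two replies,
    assuming the IDs come from a per-packet counter."""
    return (second_id - first_id - 1) % ID_SPACE


def observe(host, hidden_bursts):
    """Return (actual, inferred) packet counts for each interval."""
    results = []
    previous = host.reply_to_observer()
    for burst in hidden_bursts:
        host.send_to_others(burst)
        current = host.reply_to_observer()
        results.append((burst, inferred_traffic(previous, current)))
        previous = current
    return results


def leak_rate(results):
    """Fraction of intervals in which the inferred count was exactly right."""
    hits = sum(1 for actual, inferred in results if actual == inferred)
    return hits / len(results)


# Constructed traffic pattern: packets sent to other peers per interval.
# The second interval crosses the 16-bit wrap of the counter.
BURSTS = [65000, 1000, 0, 37, 4096]

if __name__ == "__main__":
    for label, randomize in (("counter", False), ("randomized", True)):
        results = observe(Host(randomize), BURSTS)
        print(label, results, "leak rate:", leak_rate(results))
```
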
578
579      <para>IP multicast now works on VLAN devices.  Several other
580      bugs in the VLAN code have also been fixed.</para>
581
582      <para>The &man.faith.4; device is now loadable, unloadable, and
583      clonable.</para>
584
585      <para>The &man.stf.4; device is now clonable.</para>
586
587      <para>The &man.tap.4; device is now clonable.</para>
588
589      <para>The &man.vlan.4; device is now loadable, unloadable, and
590      clonable.</para>
591    </sect3>
592
593    <sect3>
594      <title>Disks and Storage</title>
595
596      <para arch="i386">The &man.asr.4; driver now supports the Adaptec
597      2000S and 2005S Zero-Channel RAID controllers. &merged;</para>
598
599      <para arch="i386">The &man.aac.4; driver now supports the Adaptec
600      SCSI RAID 5400S controller. &merged;</para>
601
602      <para arch="i386">The &man.twe.4; 3ware ATA RAID driver has been added. &merged;</para>
603
604      <para>The &man.ata.4; driver now has support for ATA100
605      controllers.  In addition, it now supports the ServerWorks ROSB4
606      ATA33 chipset, the CMD 648 ATA66 and CMD 649 ATA100 chipsets, and
607      the Cyrix 5530. &merged;</para>
608
609      <para>To provide more flexible configuration, the various options for the
610      &man.ata.4; driver are now boot loader tunables, rather than kernel
611      configure-time options. &merged;</para>
612
613      <para>The &man.ata.4; driver now has support for tagged queuing,
614      which is enabled by the <varname>hw.ata.tags</varname> loader
615      tunable. &merged;</para>
616
617      <para>The &man.ata.4; driver now has support for ATA
618      <quote>pseudo</quote> RAID controllers such as the Promise Fasttrak and
619      HighPoint HPT370 controllers. &merged;</para>
620
621      <para>The &man.wd.4; compatibility devices were removed from the
622      &man.ata.4; driver. &merged;</para>
623
624      <para arch="i386">The &man.mly.4; driver, for Mylex PCI to SCSI
625      AccelRAID and eXtremeRAID controllers with firmware 6.X and
626      later, has been added. &merged;</para>
627
628      <para arch="i386">The &man.asr.4; driver, which provides support
629      for the Adaptec SCSI RAID controller family, as well as the DPT
630      SmartRAID V and VI families, has been added. &merged;</para>
631
632      <para arch="i386">Support for the Adaptec FSA family of PCI-SCSI
633      RAID controllers has been added, in the form of the &man.aac.4;
634      driver. &merged;</para>
635
636      <para arch="i386">The &man.aac.4; driver has been updated to
637      include proper handling of commands initiated by the adapter,
638      addition/removal of disk devices, crashdump functionality, and
639      &man.ioctl.2; command necessary for the management
640      CLI. &merged;</para>
641
642      <para>The &man.ahc.4; driver has received numerous updates,
643      bugfixes, and enhancements.  Among various improvements are
644      improved compatibility with chips in <quote>RAID Port</quote> mode
645      and systems with AAA and/or ARO cards installed, as well as
646      performance improvements. Some bugs were also fixed, including a
647      rare hang on Ultra2/U160 controllers. &merged;</para>
648
649      <para arch="i386">The ncv, nsp, and stg drivers have
650      been ported from NetBSD/pc98.  They support the NCR 53C50 /
651      Workbit Ninja SCSI-3 / TMC 18C30, 18C50 based PC-Card/ISA SCSI
652      controllers. &merged;</para>
653
654      <para>The &man.cd.4; driver now has support for write operations.
655      This allows writing to DVD-RAM, PD and similar drives that probe
656      as CD devices.  Note that this change affects only random-access
657      writeable devices, not sequential-only writeable devices such as
658      CD-R drives, which are supported by &man.cdrecord.1; (a part of 
659      <port>sysutils/cdrtools</port> in the Ports Collection). &merged;</para>
660
661      <para>The &man.vinum.4; volume manager has received some bug fixes and
662      enhancements.</para>
663
664      <para>&man.md.4;, the memory disk device, has had the
665      functionality of &man.vn.4; incorporated into it.  &man.md.4;
666      devices can now be configured by &man.mdconfig.8;.  &man.vn.4; has
667      been removed.  The Memory Filesystem (MFS) has also been
668      removed.</para>
669
670      <para>The BurnProof(TM) feature, for applicable ATAPI CD-ROM burners, is now
671      supported. &merged;</para>
672
673      <para arch="alpha">A bug that made certain CDROM drives fail to
674      attach when connected to a SCSI card driven by &man.isp.4; has
675      been fixed. &merged;</para>
676
677      <para>The &man.isp.4; driver is now proactive about discovering
678      Fibre Channel topology changes.</para>
679
680      <para>The &man.isp.4; driver now supports target mode for Qlogic
681      SCSI cards, including Ultra2 and Ultra3 and dual bus cards.</para>
682
683      <para>The ida disk driver now has crashdump support. &merged;</para>
684
685      <para>The CAM error recovery code has been updated.</para>
686
687      <para>Some problems in &man.sa.4; error handling have been
688      fixed, including the <quote>tape drive spinning indefinitely
689      upon &man.mt.1; <option>stat</option></quote> problem.</para>
690
691    </sect3>
692
693    <sect3>
694      <title>Filesystems</title>
695
696      <para>Support for named extended attributes was added to the &os;
697      kernel.  This allows the kernel, and appropriately privileged
698      userland processes, to tag files and directories with attribute
699      data.  Extended attributes were added to support the TrustedBSD
700      Project, in particular ACLs, capability data, and mandatory access
701      control labels (see
702      <filename>/usr/src/sys/ufs/ufs/README.extattr</filename> for
703      details).</para>
704
705      <para>Due to a licensing change, softupdates have been integrated
706      into the main portion of the kernel source tree.  As a
707      consequence, softupdates are now available with the
708      <filename>GENERIC</filename> kernel. &merged;</para>
709
710      <para>A filesystem snapshot capability has been added to FFS.
711      Details can be found in
712      <filename>/usr/src/sys/ufs/ffs/README.snapshot</filename>.</para>
713
714      <para>Softupdates for FFS have received some bug fixes and
715      enhancements.</para>
716
717      <para>When running with softupdates, &man.statfs.2; and
718      &man.df.1; will track the number of blocks and files that are
719      committed to being freed.</para>
720
721      <para>A bug in FFS that could cause superblock corruption on very large
722      filesystems has been corrected. &merged;</para>
723
724      <para>The Inode Filesystem (IFS) has been added; more information
725      can be found in
726      <filename>/usr/src/sys/ufs/ifs/README</filename>.</para>
727
728      <para>The ISO-9660 filesystem now has a hook that supports a loadable
729      character conversion routine.  The
730      <port>sysutils/cd9660_unicode</port> port
731      contains a set of common conversions.</para>
732
733      <para>&man.kernfs.5; is obsolete and has been retired.</para>
734
735      <para>A bug in the NFS client that caused bogus access times with
736      <literal>O_EXCL|O_CREAT</literal> opens was fixed. &merged;</para>
737
738      <para>A new NFS hash function (based on the Fowler/Noll/Vo hash
739      algorithm) has been implemented to improve NFS performance by
740      increasing the efficiency of the <varname>nfsnode</varname> hash
741      tables. &merged;</para>
742
743      <para>Client-side NFS locks have been implemented.</para>
744
745      <para>The client-side and server-side of the NFS code in the
746      kernel used to be intertwined in various complex ways.  They
747      have been split apart for ease of maintenance and further
748      development.</para>
749
750      <para>Support for file system Access Control Lists (ACLs) has been
751      introduced, allowing more fine-grained control of discretionary
752      access control on files and directories.  This support was
753      integrated from the TrustedBSD Project.  More details can be found in
754      <filename>/usr/src/sys/ufs/ufs/README.acls</filename>.</para>
755
756      <para>The directory layout preference algorithm for FFS has been
757      changed to improve its speed on large filesystems. &merged;</para>
758
759      <para arch="i386">smbfs (CIFS) support in kernel has been added.
760      The corresponding userland filesystem mount utility can be found 
761      in the <port>net/smbfs</port> port in the &os; Ports 
762      Collection. &merged;</para>
763
764      <para>For consistency, the fdesc, fifo, null, msdos, portal,
765      umap, and union filesystems have been renamed to fdescfs,
766      fifofs, msdosfs, nullfs, portalfs, umapfs, and unionfs.  Where
767      applicable, modules and mount_* programs have been
768      renamed.  Compatibility <quote>glue</quote> has been added to
769      &man.mount.8; so that <literal>msdos</literal> filesystem
770      entries in &man.fstab.5; will work without changes.</para>
771
772      <para>pseudofs, a pseudo-filesystem framework, has been added.
773      &man.linprocfs.5; has been modified to use pseudofs.</para>
774
775      <para>A simple hash-based lookup optimization for large directories
776      called <literal>dirhash</literal> has been added.  Conditional on the
777      <literal>UFS_DIRHASH</literal> kernel option, it improves the speed
778      of operations on very large directories at the expense of some
779      memory. &merged;</para>
780
781    </sect3>
782
783    <sect3>
784      <title>PCCARD Support</title>
785
786      <para arch="i386">The pccard driver and &man.pccardc.8; now support multiple
787      <quote>beep types</quote> upon card insertion and removal. &merged;</para>
788
789      <para>On many modern hosts, PCCARD devices can be configured to
790      route their interrupts via either the ISA or PCI interrupt paths.
791      The &man.pcic.4; driver has been updated to support both interrupt
792      paths (formerly, only routing via ISA was supported).  &merged; In most
793      cases, configuration of PCMCIA devices in laptops is simpler and
794      more flexible.  In addition, various Cardbus bridge PCI cards
795      (such as those used by Orinoco PCI NICs) are now supported.  Some
796      hosts may experience problems, such as hangs or panics, with PCI
797      interrupt routing; they can frequently be made to work by forcing
798      the older-style ISA interrupt routing.  The following lines,
799      placed in <filename>/boot/loader.conf</filename>, may fix the
800      problem:</para>
801
802      <programlisting>hw.pcic.intr_path="1"
803  hw.pcic.irq="0"</programlisting>
804
805      <para>When installing &os; on such a system, typing the following
806      lines to the boot loader may be helpful in starting up &os; for
807      the first time:</para>
808
809      <screen><prompt>ok</prompt> <userinput>set hw.pcic.intr_path="1"</userinput>
810<prompt>ok</prompt> <userinput>set hw.pcic.irq="0"</userinput></screen>
811    </sect3>
812
813    <sect3>
814      <title>Multimedia Support</title>
815
816      <para arch="i386">The &man.pcm.4; driver now supports the ESS Solo 1,
817      Maestro-1, Maestro-2, and Maestro-2e; Forte Media fm801, ESS
818      Maestro-2e, and VIA Technologies VT82C686A sound card/chipsets,
819      and has received some other updates. 
820      Separate drivers for the SoundBlaster 8 and SoundBlaster 16 now
821      replace an older, unified driver.  A driver for the CMedia
822      CMI8338/CMI8738 sound chips has been added.  A driver for the
823      CS4281 sound chip has been added.  A driver for the S3
824      SonicVibes chipset has been added. &merged;</para>
825
826      <para arch="i386">A driver for the Avance Logic ALS4000 has
827      been added. &merged;</para>
828
829      <para arch="i386">A driver for the
830      ESS Maestro-3/Allegro has been added; however, due to licensing
831      restrictions, it cannot be compiled into the kernel. &merged; To
832      use this driver, add the following line to
833      <filename>/boot/loader.conf</filename>:</para>
834
835      <programlisting>snd_maestro3_load="YES"</programlisting>
836
837      <para>The &man.bktr.4; driver has been updated to 2.18.  This
838      update provides a number of new features.  New tuner
839      types have been added, and improvements to the KLD module and to
840      memory allocation have been made.  Bugs in &man.devfs.5; when
841      unloading and reloading have been fixed.
842      Support for new Hauppauge Model 44xxx WinTV Cards (the ones with
843      no audio mux) has been added.</para>
844
845      <para>When sound modules are built, one can now load all the
846      drivers and infrastructure by <command>kldload
847      snd</command>.</para>
848
849      <para>A new API has been added for sound cards with hardware
850      volume control.</para>
851
852      <para arch="i386">A driver for the Intel 443MX, 810, 815, and 815E
853      integrated sound devices has been added.</para>
854
855    </sect3>
856
857    <sect3>
858      <title>Contributed Software</title>
859
860      <para><application>IPFilter</application> has been updated to
861      3.4.20. &merged;</para>
862
863      <para>The Forth Inspired Command Language
864      (<application>FICL</application>) used in the boot loader has
865      been updated to 2.05.</para>
866
867      <para>Support for Advanced Configuration and Power Interface
868      (ACPI), a multi-vendor standard for configuration and power
869      management, has been added.  This functionality has been
870      provided by the <application>Intel ACPI Component
871      Architecture</application> project, updated to the ACPI CA
872      20010831 release.</para>
873
874      <sect4 arch="i386">
875        <title>isdn4bsd</title>
876
877	<para><application>isdn4bsd</application> has been updated to
878	version 1.0.1.  As a result of this update, users of the
879	&man.i4bisppp.4; (kernel PPP over ISDN) driver
880	<emphasis>must</emphasis> now use &man.ispppcontrol.8; instead
881	of &man.spppcontrol.8; to configure and control these
882	network interfaces. &merged;</para>
883
884	<para>The &man.ihfc.4; driver for supporting Cologne Chip
885        Designs HFC devices under <application>isdn4bsd</application>
886        has been added. &merged;</para>
887
888        <para>The &man.itjc.4; driver for supporting NETjet-S / Teles
889        PCI-TJ devices under <application>isdn4bsd</application> has
890        been added. &merged;</para>
891
892        <para>Experimental support for the Eicon.Diehl DIVA 2.0 and
893        2.02 ISA PnP ISDN cards has been added to the &man.isic.4;
894        <application>isdn4bsd</application> driver. &merged;</para> 
895
896	<para>Active CAPI-based ISDN cards manufactured by AVM are now
897	supported using the &man.i4bcapi.4; and the &man.iavc.4; driver.  The
898	supported cards are the AVM B1 PCI and AVM B1 ISA Basic Rate
899	cards and the AVM T1 Primary Rate cards. &merged;</para>
900
901	<para>A new <literal>maxconnecttime</literal> keyword is now
902	accepted in &man.isdnd.rc.5; files to limit the time a
903	connection may remain open. &merged;</para>
904      </sect4>
905
906      <sect4 id="kame-kernel">
907        <title>KAME</title>
908
909        <para>The IPv6 stack is now based on the KAME
910	Project's IPv6 snapshot as of 28 May, 2001.  Most of the
911	items listed in this section are a result of this import.
912	<xref linkend="kame-userland"> lists userland updates to the
913	KAME IPv6 stack. &merged;</para>
914
915        <para>&man.gif.4; is now based on RFC 2893, rather than RFC
916	1933.  The <literal>IFF_LINK2</literal> interface flag can
917	be used to control ingress filtering. &merged;</para>
918
919	<para><application>IPSec</application> has received some
920	enhancements, including the ability to use the Rijndael and
921	SHA2 algorithms.  IPSec RC5 support has been removed due to
922	patent issues. &merged;</para>
923
924	<para>&man.stf.4; now conforms to RFC 3056; the
925	<literal>IFF_LINK2</literal> interface flag can be used to
926	control ingress filtering. &merged;</para>
927
928	<para>IPv6 has better checking of illegal addresses (such as
929	loopback addresses) on physical networks. &merged;</para>
930
931	<para>The <varname>IPV6_V6ONLY</varname> socket option is
932	now completely supported.  The kernel's default behavior
933	with respect to this option is controlled by the
934	<varname>net.inet6.ip6.v6only</varname> sysctl
935	variable. &merged;</para>
936
937	<para>RFC 3041 (Privacy Extensions for Stateless Address
938	Autoconfiguration) is now supported.  It can be enabled via
939	the <varname>net.inet6.ip6.use_tempaddr</varname> sysctl
940	variable. &merged;</para>
941      </sect4>
942    </sect3>
943  </sect2>
944  <sect2 id="security">
945    <title>Security-Related Changes</title>
946
947    <para>&man.sysinstall.8; now allows the user to select one of two
948    <quote>security profiles</quote> at install-time.  These profiles enable
949    different levels of system security by enabling or disabling
950    various system services in &man.rc.conf.5; on new
951    installs. &merged;</para>
952
953    <para>A bug in which malformed ELF executable images can hang the
954    system has been fixed (see security advisory
955    FreeBSD-SA-00:41). &merged;</para>
956
957    <para>A security hole in Linux emulation was fixed (see security
958    advisory FreeBSD-SA-00:42). &merged;</para>
959
960    <para>String-handling library calls in many programs were fixed to
961    reduce the possibility of buffer overflow-related exploits.
962    &merged;</para>
963
964    <para>TCP now uses stronger randomness in choosing its initial sequence 
965    numbers (see security advisory FreeBSD-SA-00:52). &merged;</para>
966
967    <para>Several buffer overflows in &man.tcpdump.1; were corrected
968    (see security advisory FreeBSD-SA-00:61). &merged;</para>
969
970    <para>A security hole in &man.top.1; was corrected (see security advisory
971    FreeBSD-SA-00:62). &merged;</para>
972
973    <para>A potential security hole caused by an off-by-one-error in
974    &man.gethostbyname.3; has been fixed (see security advisory
975    FreeBSD-SA-00:63). &merged;</para>
976
977    <para>A potential buffer overflow in the &man.ncurses.3; library,
978    which could cause arbitrary code to be run from within
979    &man.systat.1;, has been corrected (see security advisory
980    FreeBSD-SA-00:68). &merged;</para>
981
982    <para>A vulnerability in &man.telnetd.8; that could cause it to
983    consume large amounts of server resources has been fixed (see
984    security advisory FreeBSD-SA-00:69). &merged;</para>
985
986    <para>The <literal>nat deny_incoming</literal> command in
987    &man.ppp.8; now works correctly (see security advisory
988    FreeBSD-SA-00:70). &merged;</para>
989
990    <para>A vulnerability in &man.csh.1;/&man.tcsh.1; temporary files
991    that could allow overwriting of arbitrary user-writable files has
992    been closed (see security advisory FreeBSD-SA-00:76). &merged;</para>
993
994    <para>The &man.ssh.1; binary is no longer SUID root by
995    default. &merged;</para>
996
997    <para>Some fixes were applied to the Kerberos
998    IV implementation related to environment variables, a
999    possible buffer overrun, and overwriting ticket files. &merged;</para>
1000
1001    <para>&man.telnet.1; now does a better job of sanitizing its
1002    environment. &merged;</para>
1003
1004    <para>Several vulnerabilities in &man.procfs.5; were fixed (see
1005    security advisory FreeBSD-SA-00:77). &merged;</para>
1006
1007    <para>A bug in <application>OpenSSH</application> in which a
1008    server was unable to disable &man.ssh-agent.1; or
1009    <literal>X11Forwarding</literal> was fixed (see security advisory
1010    FreeBSD-SA-01:01). &merged;</para>
1011
1012    <para>A bug in &man.ipfw.8; and &man.ip6fw.8; in which inbound TCP
1013    segments could incorrectly be treated as being part of an
1014    <literal>established</literal> connection has been fixed (see
1015    security advisory FreeBSD-SA-01:08). &merged;</para>
1016 
1017    <para>A bug in &man.crontab.1; that could allow users to read any
1018    file on the system that is in valid &man.crontab.5; syntax has been fixed
1019    (see security advisory FreeBSD-SA-01:09). &merged;</para>
1020
1021    <para>A vulnerability in &man.inetd.8; that could allow
1022    read-access to the initial 16 bytes of
1023    <groupname>wheel</groupname>-accessible files has been fixed (see security
1024    advisory FreeBSD-SA-01:11). &merged;</para>
1025
1026    <para>A bug in &man.periodic.8; that used insecure temporary files has been
1027    corrected (see security advisory FreeBSD-SA-01:12). &merged;</para>
1028
1029    <para>A bug in &man.sort.1; in which an attacker might be able to
1030    cause it to abort processing has been fixed (see security advisory
1031    FreeBSD-SA-01:13). &merged;</para>
1032
1033    <para><application>OpenSSH</application> now has code to prevent
1034    (instead of just mitigating through connection limits) an attack
1035    that can lead to guessing the server key (not host key) by
1036    regenerating the server key when an RSA failure is detected (see
1037    security advisory FreeBSD-SA-01:24). &merged;</para>
1038
1039    <para>A number of programs have had output formatting strings
1040    corrected so as to reduce the risk of vulnerabilities. &merged;</para>
1041
1042    <para>A number of programs that use temporary files now do so more
1043    securely. &merged;</para>
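    <para>The temporary-file hazard behind the &man.csh.1; and &man.periodic.8; fixes above, as an added C example that is not code from &os; or from the advisories: a fixed temporary name opened without <literal>O_EXCL</literal> follows a link already present at that name, while <literal>O_EXCL</literal> or mkstemp(3) refuses it.  All function names, file names, and the scratch directory are constructed for illustration.</para>

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for mkstemp, mkdtemp, symlink */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: fixed name, no O_EXCL.  open() follows a link already present at
 * `path` and truncates whatever file the link points to. */
int open_tmp_weak(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened, fixed name: with O_CREAT|O_EXCL, open() fails with EEXIST if
 * anything (a symbolic link included) already exists at `path`. */
int open_tmp_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates it exclusively. */
int open_tmp_mkstemp(const char *dir, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/job.XXXXXX", dir);
    if (n < 0 || (size_t)n >= outlen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(out);
}

/* Size of a file in bytes, or -1 if it cannot be examined. */
static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Create or overwrite `path` with `text`; 0 on success. */
static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

enum { WEAK_CLOBBERED = 1, EXCL_REFUSED = 2, MKSTEMP_SAFE = 4 };

/* Runs all three openers against a constructed scenario inside a private
 * scratch directory and returns a bitmask of what was observed. */
int run_demo(void)
{
    const char *base = getenv("TMPDIR");
    char dir[256], victim[300], fixed[300], unique[300] = "";
    struct stat st;
    int fd, result = 0;

    if (base == NULL || *base == '\0')
        base = "/tmp";
    if ((size_t)snprintf(dir, sizeof(dir), "%s/tmpdemo.XXXXXX", base) >= sizeof(dir)
        || mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof(victim), "%s/victim.txt", dir);
    snprintf(fixed, sizeof(fixed), "%s/job.tmp", dir);

    /* Constructed scenario: a link already sits at the guessable name. */
    if (write_file(victim, "keep me\n") == 0 && symlink(victim, fixed) == 0) {
        fd = open_tmp_weak(fixed);
        if (fd >= 0)
            close(fd);
        if (file_size(victim) == 0)          /* target was truncated */
            result |= WEAK_CLOBBERED;

        write_file(victim, "keep me\n");     /* restore the 8-byte content */
        errno = 0;
        fd = open_tmp_excl(fixed);
        if (fd < 0 && errno == EEXIST && file_size(victim) == 8)
            result |= EXCL_REFUSED;
        if (fd >= 0)
            close(fd);

        fd = open_tmp_mkstemp(dir, unique, sizeof(unique));
        if (fd >= 0) {
            if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
                && (st.st_mode & 077) == 0 && file_size(victim) == 8)
                result |= MKSTEMP_SAFE;      /* fresh private file, target intact */
            close(fd);
            unlink(unique);
        }
    }
    unlink(fixed);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();
    printf("weak clobbered target: %s\n", (r & WEAK_CLOBBERED) ? "yes" : "no");
    printf("O_EXCL refused link:   %s\n", (r & EXCL_REFUSED) ? "yes" : "no");
    printf("mkstemp stayed safe:   %s\n", (r & MKSTEMP_SAFE) ? "yes" : "no");
    return r == (WEAK_CLOBBERED | EXCL_REFUSED | MKSTEMP_SAFE) ? 0 : 1;
}
```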
1044
1045    <para>A bug in ICMP that could allow an attacker to disrupt TCP and UDP
1046    <quote>sessions</quote> has been corrected. &merged;</para>
1047
1048    <para>A bug in &man.timed.8;, which caused it to crash if sent
1049    certain malformed packets, has been corrected (see security
1050    advisory FreeBSD-SA-01:28). &merged;</para>
1051
1052    <para>A bug in &man.rwhod.8;, which caused it to crash if sent
1053    certain malformed packets, has been corrected (see security
1054    advisory FreeBSD-SA-01:29). &merged;</para>
1055
1056    <para>A security hole in &os;'s FFS and EXT2FS implementations,
1057    which allowed a race condition that could cause users to have
1058    unauthorized access to data, has been fixed (see security advisory
1059    FreeBSD-SA-01:30). &merged;</para>
1060
1061    <para>A remotely-exploitable vulnerability in &man.ntpd.8; has
1062    been closed (see security advisory FreeBSD-SA-01:31). &merged;</para>
1063
1064    <para>A security hole in <application>IPFilter</application>'s 
1065    fragment cache has been closed (see
1066    security advisory FreeBSD-SA-01:32). &merged;</para>
1067
1068    <para>Buffer overflows in &man.glob.3;, which could cause
1069    arbitrary code to be run on an FTP server, have been closed.  In
1070    addition, to prevent some forms of DOS attacks, &man.glob.3;
1071    allows specification of a limit on the number of pathname matches
1072    it will return.  &man.ftpd.8; now uses this feature (see security
1073    advisory FreeBSD-SA-01:33). &merged;</para>
1074
1075    <para>Initial sequence numbers in TCP are more thoroughly
1076    randomized (see security advisory FreeBSD-SA-01:39).  Due to some
1077    possible compatibility issues, the behavior of this security fix
1078    can be enabled or disabled via the 
1079    <varname>net.inet.tcp.tcp_seq_genscheme</varname> sysctl 
1080    variable. &merged;</para>
1081
1082    <para>A vulnerability in the &man.fts.3; routines (used by
1083    applications for recursively traversing a filesystem) could
1084    allow a program to operate on files outside the intended directory
1085    hierarchy.  This bug has been fixed (see security advisory
1086    FreeBSD-SA-01:40). &merged;</para>
1087
1088    <para>&os;'s TCP implementation has been made more resistant to
1089    SYN floods, by eliminating the RST segment normally sent when
1090    removing a connection from the listen queue.</para>
1091
1092    <para><application>OpenSSH</application> now switches to the
1093    user's UID before attempting to unlink the authentication
1094    forwarding file, nullifying the effects of a race.</para>
1095
1096    <para>A flaw allowed some signal handlers to remain in effect in a
1097    child process after being exec-ed from its parent.  This allowed
1098    an attacker to execute arbitrary code in the context of a setuid
1099    binary.  This flaw has been corrected (see security advisory
1100    FreeBSD-SA-01:42). &merged;</para>
1101
1102    <para>A remote buffer overflow in &man.tcpdump.1; has been fixed
1103    (see security advisory FreeBSD-SA-01:48). &merged;</para>
1104
1105    <para>A remote buffer overflow in &man.telnetd.8; has been
1106    fixed (see security advisory FreeBSD-SA-01:49). &merged;</para>
1107
1108    <para>The new <varname>net.inet.ip.maxfragpackets</varname> 
1109    and <varname>net.inet.ip6.maxfragpackets</varname> sysctl
1110    variables limit the amount of memory that can be consumed by IPv4
1111    and IPv6 packet fragments, which defends against some denial of service
1112    attacks (see security advisory FreeBSD-SA-01:52). &merged;</para>
1113
1114    <para>All services in <filename>inetd.conf</filename> are now
1115    disabled by default for new installations.  &man.sysinstall.8;
1116    gives the option of enabling or disabling &man.inetd.8; on new
1117    installations, as well as editing
1118    <filename>inetd.conf</filename>. &merged;</para>
1119
1120    <para>A flaw in the implementation of the &man.ipfw.8;
1121    <literal>me</literal> rules on point-to-point links has been
1122    corrected.  Formerly, <literal>me</literal> filter rules would
1123    match the remote IP address of a point-to-point interface in
1124    addition to the intended local IP address (see security advisory
1125    FreeBSD-SA-01:53). &merged;</para>
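    <para>The <literal>me</literal> matching difference described above, modeled in C as an added example; it is not the &man.ipfw.8; kernel code, and the interface table, addresses, function names, and the two-rule set are assumptions made for illustration.</para>

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Build an IPv4 address (host byte order) from dotted-quad parts. */
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed interface table: hypothetical names, documentation-range addresses. */
struct iface {
    const char *name;
    bool        point_to_point;
    uint32_t    local;    /* address configured on this host */
    uint32_t    remote;   /* peer address; only meaningful on point-to-point links */
};

static const struct iface ifaces[] = {
    { "fxp0", false, IP4(192, 0, 2, 10),   0 },
    { "tun0", true,  IP4(198, 51, 100, 1), IP4(198, 51, 100, 2) },
};
#define NIFACES (sizeof(ifaces) / sizeof(ifaces[0]))

/* Former behaviour: the peer of a point-to-point link also counts as "me". */
bool me_match_flawed(uint32_t addr)
{
    for (size_t i = 0; i < NIFACES; i++) {
        if (ifaces[i].local == addr)
            return true;
        if (ifaces[i].point_to_point && ifaces[i].remote == addr)
            return true;
    }
    return false;
}

/* Intended behaviour: only locally configured addresses count as "me". */
bool me_match_fixed(uint32_t addr)
{
    for (size_t i = 0; i < NIFACES; i++)
        if (ifaces[i].local == addr)
            return true;
    return false;
}

typedef bool (*me_fn)(uint32_t);
enum verdict { DENY = 0, ALLOW = 1 };

/* Model of a two-rule set:
 *   allow tcp from any to me 22
 *   deny ip from any to any                                              */
enum verdict evaluate(uint32_t dst, uint16_t dport, me_fn me)
{
    if (dport == 22 && me(dst))
        return ALLOW;
    return DENY;
}

/* Audit helper: over a constructed list of destinations, count those where
 * the two matchers give different verdicts.  A nonzero count means a rule
 * written to protect the local host also passed traffic for a link peer. */
size_t divergent_on_sample(void)
{
    static const uint32_t sample[] = {
        IP4(192, 0, 2, 10),     /* fxp0 local  */
        IP4(198, 51, 100, 1),   /* tun0 local  */
        IP4(198, 51, 100, 2),   /* tun0 remote */
        IP4(203, 0, 113, 7),    /* unrelated   */
    };
    size_t n = 0;

    for (size_t i = 0; i < sizeof(sample) / sizeof(sample[0]); i++)
        if (evaluate(sample[i], 22, me_match_flawed) !=
            evaluate(sample[i], 22, me_match_fixed))
            n++;
    return n;
}

int main(void)
{
    uint32_t peer = IP4(198, 51, 100, 2);

    printf("to tun0 peer, former matching:   %s\n",
           evaluate(peer, 22, me_match_flawed) == ALLOW ? "allow" : "deny");
    printf("to tun0 peer, intended matching: %s\n",
           evaluate(peer, 22, me_match_fixed) == ALLOW ? "allow" : "deny");
    printf("destinations with differing verdicts: %zu\n", divergent_on_sample());
    return 0;
}
```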
1126
1127    <para>A vulnerability in &man.procfs.5;, which could allow a
1128    process to read sensitive information from another process's
1129    memory space, has been closed (see security advisory
1130    FreeBSD-SA-01:55). &merged;</para>
1131
1132    <para>The <literal>PARANOID</literal> hostname checking in
1133    <application>tcp_wrappers</application> now works as advertised
1134    (see security advisory FreeBSD-SA-01:56). &merged;</para>
1135
1136    <para>A local root exploit in &man.sendmail.8; has been closed
1137    (see security advisory FreeBSD-SA-01:57). &merged;</para>
1138    
1139    <para>A remote root vulnerability in &man.lpd.8; has been closed
1140    (see security advisory FreeBSD-SA-01:58). &merged;</para>
1141
1142    <para>A race condition in &man.rmuser.8; that briefly exposed a
1143    world-readable <filename>/etc/master.passwd</filename> has been
1144    fixed (see security advisory FreeBSD-SA-01:59). &merged;</para>
1145
1146    <para>All non-<username>root</username>-owned binaries in standard
1147    system paths now have the <literal>schg</literal> flag set to
1148    prevent exploit vectors when run by &man.cron.8;, by
1149    <username>root</username>, or by a user other than the one owning
1150    the binary.  In addition, &man.uustat.1; is now run via
1151    <filename>/etc/periodic/daily/410.status-uucp</filename> as
1152    <username>uucp</username>, not <username>root</username>. &merged;</para>
1153
1154    <para>A security hole in the form of a buffer overflow in the
1155    &man.semop.2; system call has been closed. &merged;</para>
1156  </sect2>
1157  <sect2 id="userland">
1158    <title>Userland Changes</title>
1159
1160    <para>&man.cdcontrol.1; now supports a <literal>cdid</literal>
1161    command, which calculates and displays the CD serial number, using
1162    the same algorithm used by the CDDB database. &merged;</para>
1163
1164    <para>&man.mtree.8; now includes support for a file that lists
1165    pathnames to be excluded when creating and verifying prototypes.
1166    This makes it easier to use &man.mtree.8; as a part of an
1167    intrusion-detection system. &merged;</para>
1168
1169    <para>&man.ls.1; can produce colorized listings with the
1170    <option>-G</option> flag (and appropriate terminal
1171    support).  The <envar>CLICOLOR</envar> environment variable can be set
1172    to enable colorized listings by default. &merged;</para>
1173
1174    <para>&man.sysinstall.8; now properly preserves
1175    <filename>/etc/mail</filename> during a binary upgrade. &merged;</para>
1176
1177    <para>The &man.truncate.1; utility, which truncates or extends the length
1178    of files, has been added. &merged;</para>
1179
1180    <para>&man.syslogd.8; can take a <option>-n</option> option to
1181    disable DNS queries for every request. &merged;</para>
1182
1183    <para>&man.kenv.1;, a command to dump the kernel environment, has
1184    been added. &merged;</para>
1185
1186    <para>The behavior of &man.periodic.8; is now controlled by
1187    <filename>/etc/defaults/periodic.conf</filename> and
1188    <filename>/etc/periodic.conf</filename>. &merged;</para>
1189
1190    <para arch="i386">&man.boot98cfg.8;, a PC-98 boot manager installation and
1191    configuration utility, has been added. &merged;</para>
1192
1193    <para>&man.logger.1; can now send messages directly to a remote
1194    syslog. &merged;</para>
1195
1196    <para arch="i386">&man.gdb.1; now supports hardware watchpoints (using the
1197    kernel's debug register support that has been introduced in
1198    &os; 4.0). &merged;</para>
1199
1200    <para>&man.which.1; is now a C program, rather than a Perl
1201    script.</para>
1202
1203    <para>&man.killall.1; is now a C program, rather than a Perl
1204    script.  As a result, its <option>-m</option> option now uses the
1205    regular expression syntax of &man.regex.3;, rather than that of
1206    &man.perl.1;. &merged;</para>
1207
1208    <para>&man.killall.1; now allows non-root users to kill SUID root
1209    processes that they started, the same as the Perl version did.</para>
1210
1211    <para>&man.finger.1; now has the ability to support fingering
1212    aliases, via the &man.finger.conf.5; file. &merged;</para>
1213
1214    <para>&man.finger.1; now has support for a
1215    <filename>.pubkey</filename> file.</para>
1216
1217    <para>nsswitch support has been merged from NetBSD.  By creating
1218    an &man.nsswitch.conf.5; file, &os; can be configured so that
1219    various databases such as &man.passwd.5; and &man.group.5; can be
1220    looked up using flat files, NIS, or Hesiod.  The old
1221    <filename>hosts.conf</filename> file is no longer used.</para>
1222
1223    <para>RSA Security has waived all patent rights to the RSA
1224    algorithm.  As a
1225    result, the native <application>OpenSSL</application>
1226    implementation of the RSA algorithm is now activated by default,
1227    and the <port>security/rsaref</port> port and the
1228    <filename>librsaUSA</filename> and <filename>librsaINTL</filename>
1229    libraries are
1230    no longer required for USA and non-USA residents respectively. &merged;</para>
1231
1232    <para>The &man.ifconfig.8; command can set the link-layer address
1233    of an interface using the <option>lladdr</option> parameter. 
1234    &merged;</para>
1235
1236    <para>&man.ifconfig.8; can now accept addresses in slash/CIDR
1237    notation. &merged;</para>
1238
1239    <para>&man.ifconfig.8; now has support for setting parameters for
1240    IEEE 802.11 wireless network devices.  &man.wi.4; and
1241    &man.an.4; devices are supported, and partial support is provided
1242    for &man.awi.4; devices. &merged;</para>
1243
1244    <para>&man.ifconfig.8; no longer displays the list of supported
1245    media by default.  Instead it displays it when the
1246    <option>-m</option> flag is given. &merged;</para>
1247
1248    <para>&man.setproctitle.3; has been moved from
1249    <filename>libutil</filename> to
1250    <filename>libc</filename>. &merged;</para>
1251
1252    <para>&man.chio.1; now has the ability to specify elements by
1253    volume tag instead of by their physical location as well as the
1254    ability to return an element to its previous location. &merged;</para>
1255
1256    <para>&man.sed.1; now takes a <option>-E</option> option for
1257    extended regular expression support. &merged;</para>
1258
1259    <para>&man.ln.1; now takes an <option>-i</option> option to
1260    request user confirmation before overwriting an existing
1261    file. &merged;</para>
1262
1263    <para>&man.ln.1; now takes a <option>-h</option> flag to avoid
1264    following a target that is a link, with a <option>-n</option> flag
1265    for compatibility with other implementations. &merged;</para>
1266
1267    <para>Userland &man.ppp.8; has received a number of updates and
1268    bug fixes. &merged;</para>
1269
1270    <para>&man.make.1; has gained the <literal>:C///</literal>
1271    (regular expression substitution), <literal>:L</literal>
1272    (lowercase), and <literal>:U</literal> (uppercase) variable
1273    modifiers.  These were added to reduce the differences between the
1274    &os; and
1275    OpenBSD/NetBSD
1276    &man.make.1; programs. &merged; </para>
1277
1278    <para>Bugs in &man.make.1;, including broken null suffix
1279    behavior, bad assumptions about current directory permissions, and
1280    potential buffer overflows, have been fixed. &merged;</para>
1281
1282    <para>The &os; <filename>Makefile</filename> infrastructure now
1283    supports the <varname>WARNS</varname> directive from NetBSD.  This
1284    directive controls the addition of compiler warning flags to
1285    <varname>CFLAGS</varname> in a relatively compiler-neutral
1286    manner. &merged;</para>
1287
1288    <para>&man.fsck.8; wrappers have been imported; this feature
1289    provides infrastructure for &man.fsck.8; to work on different
1290    types of filesystems (analogous to &man.mount.8;).</para>
1291
1292    <para>The behavior of &man.fsck.8; when dealing with various
1293    passes (a la <filename>/etc/fstab</filename>) has been modified to
1294    accommodate multiple-disk filesystems.</para>
1295
1296    <para>&man.style.perl.7;, a style guide for Perl code in the &os;
1297    base system, has been added.</para>
1298
1299    <para>The <quote>in use</quote> percentage metric displayed by
1300    &man.netstat.1; now really reflects the percentage of network
1301    mbufs used. &merged;</para>
1302
1303    <para>&man.netstat.1; now has a <option>-W</option> flag that
1304    tells it not to truncate addresses, even if they're too long for
1305    the column they're printed in. &merged;</para>
1306
1307    <para>&man.netstat.1; now keeps track of input and output packets
1308    on a per-address basis for each interface. &merged;</para>
1309
1310    <para>&man.netstat.1; now has a <option>-z</option> flag to reset
1311    statistics. &merged;</para>
1312
1313    <para>&man.netstat.1; now has a <option>-S</option> flag to print
1314    addresses numerically but port names symbolically. &merged;</para>
1315
1316    <para>&man.sockstat.1; now has <option>-c</option> and
1317    <option>-l</option> flags for listing connected and listening
1318    sockets, respectively. &merged;</para>
1319
1320    <para>&man.mergemaster.8; has gained some new features, has been
1321    cleaned up somewhat, and is now more cross-platform friendly.</para>
1322
1323    <para>&man.mergemaster.8; now sources an
1324    <filename>/etc/mergemaster.rc</filename> file and also prompts the
1325    user to run recommended commands (such as
1326    <command>newaliases</command>) as needed. &merged;</para>
1327
1328    <para>The compiler chain now uses the FSF-supplied C/C++ runtime
1329    initialization code.  This change brings about better
1330    compatibility with code generated from the various egcs and gcc
1331    ports, as well as the stock public FSF source. &merged;</para>
1332
1333    <para>The threads library has gained some signal handling changes,
1334    bug fixes, and performance enhancements (including zero system
1335    call thread switching).  &man.gdb.1; thread support has been
1336    updated to match these changes. &merged;</para>
1337
1338    <para>&man.chflags.1; has moved from <filename>/usr/bin</filename>
1339    to <filename>/bin</filename>.</para>
1340
1341    <para>Use of the <literal>CMSG_*</literal> macros no longer
1342    requires inclusion of
1343    <filename>&lt;sys/param.h&gt;</filename>.</para>
1344
1345    <para>IP Filter is now supported by the
1346    &man.rc.conf.5; boot-time configuration and
1347    initialization. &merged;</para>
1348
1349    <para>The &man.lastlogin.8; utility, which prints the last login
1350    time of each user, has been imported from
1351    NetBSD. &merged;</para>
1352
1353    <para>&man.last.1; now implements a <option>-d</option> option that
1354    provides a <quote>snapshot</quote> of who was logged in at a
1355    particular date and time. &merged;</para>
1356
1357    <para>&man.newfs.8; now implements write combining, which can make
1358    creation of new filesystems up to seven times
1359    faster. &merged;</para>
1360
1361    <para>&man.newfs.8; now takes a <option>-U</option> option to
1362    enable softupdates on a new filesystem. &merged;</para>
1363
1364    <para>The default number of cylinders per group in &man.newfs.8;
1365    is now 22, up from 16.</para>
1366
1367    <para>A number of buffer overflows in &man.config.8; have been
1368    fixed. &merged;</para>
1369
1370    <para>&man.pwd.1; can now double as &man.realpath.1;, a program to
1371    resolve pathnames to their underlying physical paths. &merged;</para>
1372
1373    <para>&man.stty.1; now has support for an
1374    <literal>erase2</literal> control character, so that, for example,
1375    both the <keycap>Delete</keycap> and <keycap>Backspace</keycap>
1376    keys can be used to erase characters. &merged;</para>
1377
1378    <para>The &man.ibcs2.8;, &man.linux.8;, &man.osf1.8;, and &man.svr4.8;
1379    scripts, whose sole purpose was to load emulation
1380    kernel modules, have been removed.  The kernel module system will
1381    automatically load them as needed to fulfill dependencies.</para>
1382
1383    <para>&man.top.1; will now use the full width of its tty.</para>
1384
1385    <para>&man.growfs.8;, a utility for growing FFS filesystems, has
1386    been added.  &man.ffsinfo.8;, a utility for dumping all the
1387    meta-information of an existing filesystem, has also been
1388    added. &merged;</para>
1389
1390    <para>&man.indent.1; has gained some new formatting
1391    options. &merged;</para>
1392
1393    <para>&man.sysinstall.8; now uses some more intuitive defaults
1394    thanks to some new dialog support functions. &merged;</para>
1395
1396    <para>The default root partition in &man.sysinstall.8; is now
1397    100MB on the i386 and 120MB on the Alpha.</para>
1398
1399    <para>Shortly after the receipt of a <literal>SIGINFO</literal>
1400    signal (normally control-T from the controlling tty), &man.fsck.ffs.8;
1401    will now output a line indicating the current phase number and
1402    progress information relevant to the current phase. &merged;</para>
1403
1404    <para>&man.fsck.ffs.8; now supports background filesystem checks
1405    on mounted FFS filesystems with the <option>-B</option> option
1406    (softupdates must be enabled on these filesystems).  The
1407    <option>-F</option> flag now determines whether a specified
1408    filesystem needs foreground checking.</para>
1409
1410    <para>&man.fsck.8; now has support for foreground
1411    (<option>-F</option>) and background (<option>-B</option>) checks.
1412    Traditionally, &man.fsck.8; is invoked before the filesystems are
1413    mounted and all checks are done to completion at that time.  If
1414    background checking is available, &man.fsck.8; is invoked twice.
1415    It is first invoked at the traditional time, before the
1416    filesystems are mounted, with the <option>-F</option> flag to do
1417    checking on all the filesystems that cannot do background
1418    checking.  It is then invoked a second time, after the system has
1419    completed going multiuser, with the <option>-B</option> flag to do
1420    checking on all the filesystems that can do background checking.
1421    Unlike the foreground checking, the background checking is started
1422    asynchronously so that other system activity can proceed even on
1423    the filesystems that are being checked.  Boot-time enabling of
1424    this feature is controlled by the
1425    <varname>background_fsck</varname> option in &man.rc.conf.5;.</para>
1426
1427    <para>A new &man.fsck.msdosfs.8; utility has been added to check
1428    the consistency of MS-DOS filesystems. &merged;</para>
1429
1430    <para>Catching up with most other network utilities in the base
1431    system, &man.lpr.1;, &man.lpd.8;, &man.syslogd.8;, and
1432    &man.logger.1; are now all IPv6-capable. &merged;</para>
1433
1434    <para arch="i386"><filename>libdisk</filename> can now do
1435    install-time configuration of the &arch; <filename>boot0</filename>
1436    boot loader. &merged;</para>
1437
1438    <para>The <option>-v</option> option to &man.rm.1; now displays
1439    the entire pathname of a file being removed.</para>
1440
1441    <para>&man.lpr.1;, &man.lpq.1;, and &man.lpd.8; have received a
1442    few minor enhancements. &merged;</para>
1443
1444    <para>&man.lpd.8; now takes two new options:  <option>-c</option>
1445    will log all connection errors to &man.syslogd.8;, while
1446    <option>-W</option> will allow connections from non-reserved
1447    ports. &merged;</para>
1448
1449    <para>&man.lpd.8; now has some support for
1450    <literal>o</literal>-type print-file actions in its control files,
1451    which allows printing of PostScript files generated by
1452    <application>MacOS</application> 10.1. &merged;</para>
1453
1454    <para>&man.lpc.8; has been improved; <command>lpc clean</command>
1455    is now somewhat safer, and a new <command>lpc tclean</command>
1456    command has been added to check to see what files would be removed
1457    by <command>lpc clean</command>. &merged;</para>
1458
1459    <para>If the first argument to &man.ancontrol.8; or
1460    &man.wicontrol.8; doesn't start with a <literal>-</literal>, it is
1461    assumed to be an interface.</para>
1462
1463    <para>&man.rdist.1; has been retired from the base system, but is still
1464    available from the &os; Ports Collection as
1465    <port>net/44bsd-rdist</port>.</para>
1466
1467    <para>&man.ppp.8; has gained the <literal>tcpmssfixup</literal>
1468    option, which adjusts outgoing and incoming TCP SYN packets so that the maximum
1469    receive segment size is no larger than allowed by the interface
1470    MTU. &merged;</para>
1471
1472    <para>&man.ppp.8; now supports IPv6.</para>
1473
1474    <para><filename>libcrypt</filename> and
1475    <filename>libdescrypt</filename> have been unified to provide a
1476    configurable password authentication hash library.  Both the md5
1477    and des hash methods are provided unless the des hash is
1478    specifically compiled out. &merged;</para>
1479
1480    <para>&man.passwd.1; and &man.pw.8; now select the password hash
1481    algorithm at run time.  See the <literal>passwd_format</literal>
1482    attribute in <filename>/etc/login.conf</filename>. &merged;</para>
1483
1484    <para>In preparation for meeting SUSv2/POSIX
1485    <filename>&lt;sys/select.h&gt;</filename> requirements,
1486    <literal>struct selinfo</literal> and related functions have been
1487    moved to <filename>&lt;sys/selinfo.h&gt;</filename>.</para>
1488
1489    <para>&man.syslogd.8; now supports a <literal>LOG_CONSOLE</literal>
1490    facility (disabled by
1491    default), which can be used to log <filename>/dev/console</filename> 
1492    output. &merged;</para>
1493
1494    <para>&man.rpcgen.1; now uses <filename>/usr/bin/cpp</filename>
1495    (as on NetBSD), not <filename>/usr/libexec/cpp</filename>.</para>
1496
1497    <para>Boot-time &man.syscons.4; configuration was moved to a
1498    machine-independent <filename>/etc/rc.syscons</filename>. &merged;</para>
1499
1500    <para>&man.burncd.8; now supports a <option>-m</option> option for
1501    multisession mode (the default behavior now is to close disks as
1502    single-session).  A <option>-l</option> option to take a list of
1503    image files from a filename was also added; <filename>-</filename>
1504    can be used as a filename for <literal>stdin</literal>. &merged;</para>
1505
1506    <para>&man.burncd.8; now supports Disk At Once (DAO) mode,
1507    selectable via the <option>-d</option> flag.</para>
1508
1509    <para>&man.dmesg.8; now has a <option>-a</option> option to show
1510    the entire message buffer, including &man.syslogd.8; records and
1511    <filename>/dev/console</filename> output. &merged;</para>
1512
1513    <para>&man.cdcontrol.1; now uses the <envar>CDROM</envar>
1514    environment variable to pick a default device. &merged;</para>
1515
1516    <para>&man.cdcontrol.1; now supports <literal>next</literal> and
1517    <literal>prev</literal> commands to skip forwards or backwards a
1518    specified number of tracks while playing an audio CD. &merged;</para>
1519
1520    <para>&man.sysctl.8; now supports a <option>-N</option> option to
1521    print out variable names only. &merged;</para>
1522
1523    <para>&man.sysctl.8; has replaced the <option>-A</option> and
1524    <option>-X</option> options with <option>-ao</option> and
1525    <option>-ax</option> respectively; the former options are now
1526    deprecated.  The <option>-w</option> option is deprecated as well; it is
1527    not needed to determine the user's intentions. &merged;</para>
1528
1529    <para>&man.sysinstall.8; now lives in <filename>/usr/sbin</filename>,
1530    which simplifies the installation process.  The &man.sysinstall.8;
1531    manpage is also installed in a more consistent fashion now.</para>
1532
1533    <para>&man.config.8; is now better about converting various 
1534    warnings that should
1535    have been errors into actual fatal errors with an exit code.  This
1536    ensures that <literal>make buildkernel</literal> 
1537    doesn't quietly ignore them and
1538    build a bogus kernel without a human to read the errors. &merged;</para>
1539
1540    <para><filename>libc</filename> is now thread-safe by default;
1541    <filename>libc_r</filename> contains only thread functions.</para>
1542
1543    <para>&man.find.1; now takes the <option>-empty</option> flag,
1544    which returns true if a file or directory is empty. &merged;</para>
1545
1546    <para>&man.find.1; now takes the <option>-iname</option> and
1547    <option>-ipath</option> primaries for case-insensitive matches,
1548    and the <option>-regexp</option> and <option>-iregexp</option>
1549    primaries for regular-expression matches.  The <option>-E</option>
1550    flag now enables extended regular expressions. &merged;</para>
1551
1552    <para>&man.find.1; now has the <option>-anewer</option>,
1553    <option>-cnewer</option>, <option>-mnewer</option>,
1554    <option>-okdir</option>, and <option>-newer[acm][acmt]</option>
1555    primaries for comparisons of file timestamps.  The latter
1556    primaries can be specified with various units of time. &merged;</para>
1557
1558    <para>&man.tftpd.8; now takes the <option>-c</option> and
1559    <option>-C</option> options, which allow the server to
1560    &man.chroot.2; based on the IP address of the connecting client.
1561    &man.tftp.1; and &man.tftpd.8; can now transfer files larger than
1562    65535 blocks. &merged;</para>
1563
1564    <para>&man.tftpd.8; now supports RFC 2349 (TFTP Timeout Interval
1565    and Transfer Size Options); this feature is required by some
1566    firmware like EFI boot managers (at least on HP i2000 Itanium
1567    servers) in order to boot an image using
1568    <application>TFTP</application>.</para>
1569
1570    <para>&man.vidcontrol.1; now accepts a <option>-g</option>
1571    parameter to select custom text geometry in the
1572    <literal>VESA_800x600</literal> raster text mode. &merged;</para>
1573
1574    <para>&man.ldconfig.8; now checks directory ownerships and
1575    permissions for greater security; these checks can be disabled
1576    with the <option>-i</option> flag. &merged;</para>
1577
1578    <para>The &man.rfork.thread.3; library call has been added as a
1579    helper function to &man.rfork.2;.  Using this function should
1580    avoid the need to implement complex stack swap
1581    code. &merged;</para>
1582
1583    <para>Significant additions have been made to internationalization
1584    support; &os; now has complete locale support for the
1585    <literal>LC_MONETARY</literal>, <literal>LC_NUMERIC</literal>, and
1586    <literal>LC_MESSAGES</literal> categories.  A number of
1587    applications have been updated to take advantage of this
1588    support.</para>
1589
1590    <para>Locale names have been changed to improve compatibility with
1591    the names used by X11R6, as well as a number of other UNIX
1592    versions.  As an example, the <literal>en_US.ISO_8859-1</literal>
1593    locale name has been changed to
1594    <literal>en_US.ISO8859-1</literal>.  Entries in
1595    <filename>/etc/locale.alias</filename> provide backward
1596    compatibility.</para>
1597
1598    <para>A <filename>compat4x</filename> distribution has been added
1599    for compatibility with &os; 4-STABLE.</para>
1600
1601    <para>The
1602    <filename>compat3x</filename> distribution has been updated to
1603    include libraries present in &os; 3.5.1-RELEASE. &merged;</para>
1604
1605    <para>&man.savecore.8; now supports a <option>-k</option> option
1606    to prevent clearing a crash dump after saving it.  It also
1607    attempts to avoid writing large stretches of zeros to crash dump
1608    files to save space and time. &merged;</para>
1609
1610    <para>&man.savecore.8; now works correctly on machines with 2 GB
1611    or more of RAM. &merged;</para>
1612
1613    <para>&man.tar.1; now supports the <varname>TAR_RSH</varname>
1614    variable, principally to enable the use of &man.ssh.1; as a
1615    transport. &merged;</para>
1616
1617    <para>&man.disklabel.8; now supports partition sizes expressed in
1618    kilobytes, megabytes, or gigabytes, in addition to sectors. &merged;</para>
1619
1620    <para>The pseudo-random number generator implemented by
1621    &man.rand.3; has been improved to provide less biased results.</para>
1622
1623    <para>&man.login.1; now exports environment variables set by
1624    <application>PAM</application> modules. &merged;</para>
1625
1626    <para><application>PAM</application> support has been added for
1627    account management and sessions.</para>
1628
1629    <para>&man.su.1; now uses <application>PAM</application> for
1630    authentication.</para>
1631
1632    <para>&man.wall.1; now supports a <option>-g</option> flag to
1633    write a message to all users of a given group.</para>
1634
1635    <para>The new <varname>CPUTYPE</varname>
1636    <filename>make.conf</filename> variable controls the compilation
1637    of processor-specific optimizations in various pieces of code such
1638    as <application>OpenSSL</application>. &merged;</para>
1639
1640    <para>&man.ipfstat.8; now supports the <option>-t</option> option
1641    to turn on a &man.top.1;-like display. &merged;</para>
1642
1643    <para><filename>/usr/src/share/examples/BSD_daemon/</filename> now
1644    contains a scalable Beastie graphic. &merged;</para>
1645
1646    <para>&man.dump.8; now supports inheritance of the
1647    <literal>nodump</literal> flag down a hierarchy. &merged;</para>
1648
1649    <para>The <option>-T</option> option to &man.dump.8; no longer swallows
1650    an extra argument. &merged;</para>
1651
1652    <para>&man.dump.8; has a new <option>-D</option> option, allowing
1653    the path to the <filename>/etc/dumpdates</filename> file to be
1654    changed. &merged;</para>
1655
1656    <para>&man.split.1; now has the ability to split a file longer
1657    than 2GB. &merged;</para>
1658
1659    <para>&man.tail.1; now has the ability to work on files longer
1660    than 2GB. &merged;</para>
1661
1662    <para>&man.units.1; has received some updates and bugfixes. &merged;</para>
1663
1664    <para>As part of an ongoing process, many manual pages were
1665    improved, both in terms of their formatting markup and in their
1666    content. &merged;</para>
1667
1668    <para><command>lprm -</command> now works for remote printer
1669    queues. &merged;</para>
1670
1671    <para>&man.ftpd.8; now supports a <option>-r</option> flag for
1672    read-only mode and a <option>-E</option> flag to disable
1673    <literal>EPSV</literal>.  It also has some fixes to reduce
1674    information leakage and the ability to specify compile-time port
1675    ranges. &merged;</para>
1676
1677    <para>&man.ping.8; now supports a <option>-m</option> option to
1678    set the TTL of outgoing packets. &merged;</para>
1679
1680    <para>&man.ping.8; now supports a <option>-A</option> option to
1681    beep when packets are lost.</para>
1682
1683    <para>A version of Transport Independent RPC
1684    (<application>TI-RPC</application>) has been imported.</para>
1685
1686    <para>&man.rpcbind.8; has replaced &man.portmap.8;.</para>
1687
1688    <para>NFS now works over IPv6.</para>
1689
1690    <para>&man.rpc.lockd.8; has been imported from NetBSD.  This
1691    daemon enables locking on NFS filesystems.</para>
1692
1693    <para>&man.rc.8; now has a framework for handling dependencies between
1694    &man.rc.conf.5; variables. &merged;</para>
1695
1696    <para>&man.rc.8; now deletes all non-directory files in
1697    <filename>/var/run</filename> and
1698    <filename>/var/spool/lock</filename> at boot time. &merged;</para>
1699
1700    <para>The &man.setfacl.1; and &man.getfacl.1; commands have been
1701    added to manage file system Access Control Lists.</para>
1702
1703    <para>The default TCP port range used by
1704    <filename>libfetch</filename> for passive FTP retrievals has
1705    changed; this affects the behavior of &man.fetch.1;, which has
1706    gained the <option>-U</option> option to restore the old
1707    behavior. &merged;</para>
1708
1709    <para><filename>libfetch</filename> now has support for an
1710    authentication callback.</para>
1711
1712    <para><filename>libfetch</filename> now has support for a
1713    <envar>HTTP_USER_AGENT</envar> environment variable. &merged;</para>
1714
1715    <para>&man.atacontrol.8; has been added to control various aspects
1716    of the &man.ata.4; driver.</para>
1717
1718    <para><filename>libcrypt</filename> now has support for Blowfish
1719    password hashing. &merged;</para>
1720
1721    <para>The functions from <filename>libposix1e</filename> have been 
1722    integrated into <filename>libc</filename>.</para>
1723
1724    <para>&man.vidcontrol.1; now allows the user to omit the font size
1725    specification when loading a font, and has some better
1726    error-handling. &merged;</para>
1727
1728    <para>&man.vidcontrol.1; now supports a <option>-p</option> option to
1729    take a snapshot of a &man.syscons.4; video buffer.  These
1730    snapshots can be manipulated by the
1731    <port>graphics/scr2png</port> utility in the Ports
1732    Collection. &merged;</para>
1733
1734    <para>&man.vidcontrol.1; now supports a <option>-C</option> option
1735    to clear the history buffer for a given tty, as well as a
1736    <option>-h</option> option to set the size of the history buffer. &merged;</para>
1737
1738    <para>devinfo, a simple tool to print the device tree and resource usage by
1739    devices, has been added.</para>
1740
1741    <para>&man.fmtcheck.3;, a function for checking consistency of
1742    format string arguments, has been added. &merged;</para>
1743
1744    <para>&man.nl.1;, a line numbering filter program, has been
1745    added. &merged;</para>
1746
1747    <para>&man.c89.1; has been converted from a shell script to a
1748    binary executable, fixing some minor bugs. &merged;</para>
1749
1750    <para>&man.pax.1; has received a number of enhancements, including
1751    &man.cpio.1; functionality, &man.tar.1; compatibility
1752    enhancements, <option>-z</option> and <option>-Z</option> flags
1753    for &man.gzip.1; and &man.compress.1; functionality, and a number
1754    of bug fixes.</para>
1755
1756    <para>Ukrainian language support has been added to the &os;
1757    console. &merged;</para>
1758
1759    <para>The performance of the ELF dynamic linker &man.rtld.1; has
1760    been improved. &merged;</para>
1761
1762    <para>&man.fdread.1;, a program to read data from floppy disks,
1763    has been added.  It is a counterpart to &man.fdwrite.1; and is
1764    designed to provide a means of recovering at least some data from
1765    bad media, and to obviate the need for a complex invocation of
1766    &man.dd.1;.</para>
1767
1768    <para>&man.xargs.1; now supports a <option>-J</option>
1769    <replaceable>replstr</replaceable> option that allows the user to
1770    tell &man.xargs.1; to insert the data read from standard input at
1771    a specific point in the command line arguments rather than at the
1772    end. &merged;</para>
1773
1774    <para>&man.apmd.8; now has the ability to monitor battery levels and
1775    execute commands based on percentage or minutes of battery life
1776    remaining via the <literal>apm_battery</literal> configuration
1777    directive.  See the commented-out examples in
1778    <filename>/etc/apmd.conf</filename> for the syntax. &merged;</para>
1779
1780    <para>&man.telnet.1; now does autologin and encryption by default;
1781    a new <option>-y</option> option turns off encryption.</para>
1782
1783    <para>&man.telnet.1; now supports a <option>-u</option> flag to
1784    allow connections to UNIX-domain (<literal>AF_UNIX</literal>)
1785    sockets. &merged;</para>
1786
1787    <para>The default stripe size in &man.vinum.8; has been changed
1788    from 256KB to 279KB, to spread out superblocks more evenly between
1789    stripes.</para>
1790
1791    <para>&man.chown.8; now correctly follows symbolic links named as
1792    command line arguments if run without <option>-R</option>.</para>
1793
1794    <para>&man.chown.8; no longer takes <literal>.</literal> as a
1795    user/group delimiter.  This change was made to support usernames
1796    containing a <literal>.</literal>.</para>
1797
1798    <para>&man.chmod.1; now supports a <option>-h</option> option for
1799    changing the mode of a symbolic link.</para>
1800
1801    <para>&man.install.1; has a number of new features, including the
1802    <option>-b</option> and <option>-B</option> options for backing up
1803    existing target files and the <option>-S</option> option for
1804    <quote>safe</quote> (atomic copy) operation.  The
1805    <option>-c</option> (copy) flag is now the default, and the
1806    <option>-D</option> (debugging) flag has been withdrawn.
1807    &man.install.1; now issues a warning if <option>-d</option>
1808    (create directories) and <option>-C</option> (copy changed files
1809    only) are used together. &merged;</para>
1810
1811    <para>&man.whois.1; now directs queries for IP addresses to
1812    ARIN.  If a query to ARIN references APNIC or RIPE, the
1813    appropriate server will also be queried, provided that the
1814    <option>-Q</option> option is not specified. &merged;</para>
1815
1816    <para>&man.fmt.1; has been rewritten; the rewrite fixes a number
1817    of bugs compared to its prior behavior.</para>
1818
1819    <para>&man.df.1; now takes a <option>-l</option> option to only
1820    display information about locally-mounted filesystems. &merged;</para>
1821
1822    <para>The syntax of &man.inetd.8;'s support for &man.faithd.8; is
1823    now compatible with that of other BSDs. &merged;</para>
1824
1825    <para>The <literal>ident</literal> protocol support in &man.inetd.8; has
1826    been cleaned up and updated. &merged;</para>
1827
1828    <para>&man.inetd.8; now has the ability to manage UNIX-domain
1829    sockets. &merged;</para>
1830
1831    <para>&man.du.1; now takes a <option>-I</option> command-line flag
1832    to ignore/skip files and subdirectories matching a specified
1833    shell-glob mask. &merged;</para>
1834
1835    <para>The &man.resolver.3; in &os; now implements EDNS0 support,
1836    which will be necessary when working with IPv6 transport-ready
1837    resolvers/DNS servers. &merged;</para>
1838
1839    <para>&man.col.1; now takes a <option>-p</option> flag to force unknown
1840    control sequences to be passed through unchanged. &merged;</para>
1841
1842    <para>The &man.mdmfs.8; command has been added; it is a wrapper
1843    around &man.mdconfig.8;, &man.disklabel.8;, &man.newfs.8;, and
1844    &man.mount.8; that mimics the command line option set of the
1845    deprecated &man.mount.mfs.8;.</para>
1846
1847    <para>The &man.getprogname.3; and &man.setprogname.3; library
1848    functions have been added to manipulate the name of the current
1849    program.  They are used by error-reporting routines to produce
1850    consistent output. &merged;</para>
1851
1852    <para>The &man.kldconfig.8; utility has been added to make it easier to
1853    manipulate the kernel module search path. &merged;</para>
1854
1855    <para>&man.moused.8; now takes a <option>-a</option> option to control
1856    mouse acceleration. &merged;</para>
1857
1858    <para arch="i386">&man.fdisk.8; no longer attempts to search for
1859    a device if none has been specified on the command line, but
1860    instead tries to figure out the default device name from the
1861    root device.</para>
1862
1863    <para>&man.mail.1; now takes a <option>-E</option> flag to avoid
1864    sending messages with empty bodies. &merged;</para>
1865
1866    <para>&man.route.8; is now more verbose when changing indirect
1867    routes, in the case of a gateway route that is the same route as
1868    the one being modified.</para>
1869
1870    <para>&man.route.8; now uses
1871    <literal><replaceable>host</replaceable>/<replaceable>bits</replaceable></literal>
1872    syntax instead of 
1873    <literal><replaceable>net</replaceable>/<replaceable>bits</replaceable></literal>
1874    syntax, for compatibility with &man.netstat.1;.</para>
1875
1876    <para>&man.route.8; can now create <quote>proxy only</quote>
1877    published ARP entries.</para>
1878
1879    <para>&man.tmpnam.3; will now use the <envar>TMPDIR</envar>
1880    environment variable, if set, to specify the location of temporary
1881    files. &merged;</para>
1882
1883    <para>&man.pppd.8; (the control program for kernel-level PPP) is
1884    now installed mode <literal>4550</literal> and
1885    <username>root</username><literal>:</literal><groupname>dialer</groupname>,
1886    rather than mode <literal>4555</literal> (in other words, it is no
1887    longer world-executable).  Users of &man.pppd.8; may need to
1888    change their group settings. &merged;</para>
1889
1890    <para>&man.ftpd.8; now supports <option>-o</option> and
1891    <option>-O</option> options to disable the <literal>RETR</literal>
1892    command; the former for everybody, and the latter only for guest users.
1893    Coupled with <option>-A</option> and appropriate file permissions,
1894    these can be used to create a relatively safe anonymous FTP drop box
1895    for others to upload to.</para>
1896
1897    <para>The &man.daemon.8; program, a command-line interface to
1898    &man.daemon.3;, has been added.  It detaches itself from its
1899    controlling terminal and executes a program specified on the command
1900    line.  This allows the user to run an arbitrary program as if it were
1901    written to be a daemon.</para>
1902
1903    <para>&man.syslogd.8; now has the ability to bind to a specific
1904    address--as opposed to using every available one--via the
1905    <option>-b</option> option.</para>
1906
1907    <para>&man.cat.1; now has the ability to read from UNIX-domain
1908    sockets. &merged;</para>
1909
1910    <para>The &man.groups.1; and &man.whoami.1; shell scripts are now
1911    unnecessary; their functionality has been completely folded into
1912    &man.id.1;.</para>
1913
1914    <para>&man.touch.1; now takes a <option>-h</option> option to
1915    operate on a symbolic link, rather than what the link points
1916    to.</para>
1917
1918    <para>&man.edquota.8; now takes a <option>-f</option> option to
1919    allow limiting the prototype quota distribution (specified with
1920    <option>-p</option>) to a single filesystem.</para>
1921
1922    <para><filename>libgmp</filename> has been superseded by
1923    <filename>libmp</filename>.</para>
1924
1925    <sect3>
1926      <title>Contributed Software</title>
1927
1928      <para><application>am-utils</application> has been updated to 
1929      6.0.7.</para>
1930
1931      <para><application>bc</application> has been updated from 1.04 to
1932      1.06. &merged;</para>
1933
1934      <para>The ISC library from the <application>BIND</application>
1935      distribution is now built as
1936      <filename>libisc</filename>. &merged;</para>
1937
1938      <para><application>BIND</application> is now built with the
1939      <literal>NOADDITIONAL</literal> flag, which causes &man.named.8;
1940      to operate in a more consistent fashion for certain common
1941      misconfigurations. &merged;</para>
1942
1943      <para><application>BIND</application> has been updated to
1944      8.2.4-REL. &merged;</para>
1945
1946      <para><application>Binutils</application> have been updated to
1947      2.11.2. &merged;</para>
1948
1949      <para><application>bzip2</application> 1.0.1 has been imported; this
1950      brings the &man.bzip2.1; program and the <filename>libbz2</filename>
1951      library to the base system. &merged;</para>
1952
1953      <para>The &man.ee.1; <application>Easy Editor</application> has
1954      been updated to 1.4.2. &merged;</para>
1955
1956      <para><application>file</application> has been updated to 3.36.
1957      &merged;</para>
1958
1959      <para>&man.awk.1;, in the form of
1960      <application>gawk</application>, has been updated from 3.0.4 to 3.0.6.
1961      This fixes a number of non-critical bugs and includes a few
1962      performance tweaks. &merged;</para>
1963
1964      <para><application>gcc</application> has been updated to 2.95.3. &merged;</para>
1965
1966      <para>&man.gcc.1; now uses a unified <filename>libgcc</filename>
1967      rather than a separate one for threaded and non-threaded programs.
1968      <filename>/usr/lib/libgcc_r.a</filename> can be removed.
1969      &merged;</para>
1970
1971      <para>&man.gcc.1; now supports the environment variable
1972      <envar>GCC_OPTIONS</envar>, which can hold a set of default
1973      options for <application>GCC</application>. &merged;</para>
1974
1975      <para><application>GNATS</application> has been updated to
1976      3.113. &merged;</para>
1977      
1978      <para><application>gperf</application> has been updated to 2.7.2.</para>
1979
1980      <para><application>groff</application> and its related utilities
1981      have been updated to FSF version 1.17.2.  This import brings in a
1982      new &man.mdoc.7; macro package (sometimes referred to as
1983      <literal>mdocNG</literal>), which removes many of the
1984      limitations of its predecessor. &merged;</para>
1985
1986      <para><application>Heimdal</application> has been updated to
1987      0.3f.</para>
1988
1989      <para>The <application>ISC DHCP</application> client has been
1990      updated to 2.0pl5. &merged;</para>
1991
1992      <para><application>Kerberos IV</application> has been updated to
1993      1.0.5. &merged;</para>
1994
1995      <para>The &man.more.1; command has been replaced by &man.less.1;,
1996      although it can still be run as
1997      <command>more</command>.  <application>less</application> has
1998      been imported at 3.5.8. &merged;</para>
1999
2000      <para><application>libpcap</application> has been updated to
2001      0.6.2. &merged;</para>
2002
2003      <para><application>libreadline</application> has been updated to
2004      4.2.</para>
2005
2006      <para><application>Linux-PAM</application> has been updated to
2007      0.75. &merged;</para>
2008
2009      <para>A number of new <application>Linux-PAM</application> modules
2010      have been added, including:  <filename>pam_ftp</filename>,
2011      <filename>pam_krb5</filename>,
2012      <filename>pam_nologin</filename>,
2013      <filename>pam_rootok</filename>,
2014      <filename>pam_securetty</filename>,
2015      <filename>pam_wheel</filename>.</para>
2016
2017      <para><application>ncurses</application> has been updated to
2018      5.2-20010512.</para>
2019
2020      <para>The <application>NTP</application> suite of programs has been
2021      updated to 4.1.0.</para>
2022
2023      <para>The <application>OPIE</application> one-time-password suite
2024      has been updated to 2.32. &merged;  It has completely replaced
2025      the functionality of <application>S/Key</application>.</para>
2026
2027      <para><application>Perl</application> has been updated to version
2028      5.6.0.</para>
2029
2030      <para>&man.routed.8; has been updated to version 2.22. &merged;</para>
2031
2032      <para><application>tcpdump</application> has been updated to
2033      3.6.3. &merged;</para>
2034
2035      <para>The &man.csh.1; shell has been replaced by &man.tcsh.1;,
2036      although it can still be run as <command>csh</command>.
2037      <application>tcsh</application> has been updated to version
2038      6.11.</para>
2039
2040      <para>&man.traceroute.8; now takes its default maximum TTL value
2041      from the <varname>net.inet.ip.ttl</varname> sysctl
2042      variable. &merged;</para>
2043
2044      <sect4>
2045        <title>CVS</title>
2046
2047        <para><application>cvs</application> has been updated to
2048        1.11.1p1. &merged;</para>
2049
2050        <para>The default value for &man.cvs.1;'s
2051        <envar>CVS_RSH</envar> variable is now <literal>ssh</literal>,
2052        rather than <literal>rsh</literal>. &merged;</para>
2053
2054        <para>&man.cvs.1; now supports a <option>-T</option> option to
2055        update a sandbox's <filename>CVS/Template</filename> file from
2056        the repository. &merged;</para>
2057
2058	<para>&man.cvs.1; <literal>diff</literal> now supports the
2059	<option>-j</option> option to perform differences against a
2060	revision relative to a branch tag. &merged;</para>
2061      </sect4>
2062
2063      <sect4>
2064	<title>CVSup</title>
2065
2066	<para><application>CVSup</application>, a frequently used
2067	utility in the &os; Ports Collection, was formerly installable
2068	using several ports and packages.  The
2069	<port>net/cvsup-bin</port> and <port>net/cvsupd-bin</port>
2070	ports/packages are no longer necessary or available; the
2071	<port>net/cvsup</port> port should be used instead. &merged;</para>
2072
2073	<para><application>CVSup</application> has been updated to
2074	16.1_3, which is available in the &os; Ports Collection as
2075	<port>net/cvsup</port>.  This update fixes a long-standing
2076	(but only recently encountered) bug which affects the
2077	timestamps on all files after Sun Sep 9 01:46:40 UTC 2001
2078	(1,000,000,000 seconds after the UNIX epoch). &merged;</para>
2079      </sect4>
2080
2081      <sect4 id="kame-userland">
2082        <title>KAME</title>
2083
2084        <para>The IPv6 stack is now based on the KAME
2085	Project's IPv6 snapshot as of 28 May, 2001.  Most of the
2086	items listed in this section are a result of this import.
2087	<xref linkend="kame-kernel"> lists kernel updates to the KAME
2088	IPv6 stack. &merged;</para>
2089
2090	<para>&man.faithd.8; now supports a configuration file for
2091	access control. &merged;</para>
2092
2093	<para>&man.ifconfig.8; can now perform the functions of
2094	&man.gifconfig.8;. &merged;</para>
2095
2096	<para>&man.ifconfig.8; can now perform the functions of
2097	&man.prefix.8;.  &man.prefix.8; is now a shell script for
2098	partial backwards compatibility. &merged;</para>
2099
2100	<para>&man.ndp.8; now implements garbage collection for stale
2101	NDP entries, as described in RFC 2461 (Neighbor Discovery for
2102	IP Version 6 (IPv6)). &merged;</para>
2103
2104        <para>&man.pim6dd.8; and &man.pim6sd.8; have been removed due to
2105        restrictive licensing conditions.  These programs are available
2106        in the ports collection as <port>net/pim6dd</port> and
2107        <port>net/pim6sd</port>. &merged;</para>
2108
2109	<para>&man.route6d.8; now supports an <option>-n</option> flag
2110	to avoid updating the kernel forwarding table. &merged;</para>
2111
2112	<para>The <option>-R</option> (router renumbering) option to
2113	&man.rtadvd.8; is currently ignored. &merged;</para>
2114      </sect4>
2115
2116      <sect4>
2117        <title>OpenSSH</title>
2118
2119	<para><application>OpenSSH</application> has been updated to
2120	2.1.0, which provides support for the SSH2 protocol, including DSA
2121	keys.  Therefore, <application>OpenSSH</application> users in the
2122	US no longer need to rely on the restrictively-licensed
2123	RSAREF toolkit which is required to
2124	handle RSA keys.  <application>OpenSSH</application> 2.1 interoperates well with other SSH2
2125	clients and servers, including the <filename>ssh2</filename> port.
2126	See the <ulink url="http://www.openssh.com/">OpenSSH Web
2127	site</ulink> for more details. &merged;</para>
2128
2129	<para><application>OpenSSH</application> can now authenticate
2130	using OPIE passwords in SSH1 mode.  Support is not yet available
2131	in SSH2 mode. &merged;</para>
2132
2133	<para><application>OpenSSH</application> has been updated to
2134	2.2.0.  &man.ssh-add.1; and &man.ssh-agent.1; can now handle DSA
2135	keys.  A server for sftp, interoperable with ssh.com
2136	clients and others, has been added.  &man.scp.1; can now handle
2137	files larger than 2 GBytes.  Interoperability with other SSH2
2138	clients/servers has been improved.  A new feature to limit the
2139	number of outstanding unauthenticated ssh connections in
2140	&man.sshd.8; has been added. &merged;</para>
2141
2142	<para><application>OpenSSH</application> has been updated to
2143	2.3.0.  This version adds support for the Rijndael encryption
2144	algorithm. &merged;</para>
2145
2146        <para><application>PAM</application> support for
2147        <application>OpenSSH</application> has been added.</para>
2148
2149	<para>A long-standing bug in <application>OpenSSH</application>,
2150	which sometimes resulted in a dropped session when an
2151	X11-forwarded client was closed, was fixed.</para>
2152
2153	<para><application>Kerberos</application> compatibility has been
2154	added to <application>OpenSSH</application>. &merged;</para>
2155
2156	<para><application>OpenSSH</application> has been modified to be
2157	more resistant to traffic analysis by requiring that
2158	<quote>non-echoed</quote> characters are still echoed back in a
2159	null packet, as well as by padding passwords sent so as not to
2160	hint at password lengths. &merged;</para>
2161
2162        <para>&man.sshd.8; is now enabled by default on new
2163        installs. &merged;</para>
2164
2165        <para>&man.sshd.8; <literal>X11Forwarding</literal> is now turned
2166        on by default on the server (any risk is to the client, where it
2167        is already disabled by default). &merged;</para>
2168
2169	<para>In <filename>/etc/ssh/sshd_config</filename>, the
2170	<literal>ConnectionsPerPeriod</literal> parameter has been
2171	deprecated in favor of <literal>MaxStartups</literal>. &merged;</para>
2172
2173	<para><application>OpenSSH</application> now has a
2174	<literal>VersionAddendum</literal> configuration setting for
2175	&man.sshd.8; to allow changing the part of the
2176	<application>OpenSSH</application> version string after the
2177	main version number.</para>
2178
2179	<para><application>OpenSSH</application> has been updated to
2180	version 2.9, which adds two new programs, &man.sftp.1; and
2181	&man.ssh-keyscan.1;.  Among the various enhancements: the
2182	default protocol is now v2, rekeying of existing SSH sessions
2183	is now supported, and an experimental
2184	<application>SOCKS4</application> proxy has been added to
2185	&man.ssh.1;. &merged;</para>
2186      </sect4>
2187
2188      <sect4>
2189        <title>OpenSSL</title>
2190
2191	<para><application>OpenSSL</application> has been updated to
2192	0.9.6b.</para>
2193
2194	<para><application>OpenSSL</application> now has support for
2195	machine-dependent ASM optimizations, activated by the new
2196	<varname>MACHINE_CPU</varname> and/or <varname>CPUTYPE</varname>
2197	<filename>make.conf</filename> variables. &merged;</para>
2198      </sect4>
2199
2200      <sect4>
2201	<title>sendmail</title>
2202
2203	<para><application>sendmail</application> has been updated from
2204	version 8.9.3 to version 8.11.6.  Important changes include: new
2205	default file locations (see
2206	<filename>/usr/src/contrib/sendmail/cf/README</filename>);
2207	&man.newaliases.1; is limited to <username>root</username> and
2208	trusted users; STARTTLS encryption; and the MSA port (587) is
2209	turned on by default.  See
2210	<filename>/usr/src/contrib/sendmail/RELEASE_NOTES</filename> for
2211	more information. &merged;</para>
2212
2213	<para>&man.mail.local.8; is no longer installed as a SUID binary.
2214	If you are using a <filename>/etc/mail/sendmail.cf</filename> from
2215	the default <filename>sendmail.cf</filename> included with &os;
2216	any time after 3.1.0, you are fine.  If you are using a
2217	hand-configured <filename>sendmail.cf</filename> and
2218	<command>mail.local</command> for delivery, check to make sure the
2219	<literal>F=S</literal> flag is set on the
2220	<literal>Mlocal</literal> line.  Those with
2221	<filename>.mc</filename> files who need to add the flag can do so
2222	by adding the following line to their <filename>.mc</filename>
2223	file and regenerating the <filename>sendmail.cf</filename>
2224	file:</para>
2225
2226	<programlisting>MODIFY_MAILER_FLAGS(`LOCAL',`+S')dnl</programlisting>
2227
2228	<para>Note that <literal>FEATURE(`local_lmtp')</literal> already
2229	does this. &merged;</para>
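
	<para>The check described above can be scripted.  The following is
	an added example, not part of the original release notes or of the
	<application>sendmail</application> distribution: the hypothetical
	helper <literal>check_mlocal</literal> joins the continuation lines
	of the <literal>Mlocal</literal> definition and reports whether its
	<literal>F=</literal> field carries the <literal>S</literal> flag
	when the mailer program is <command>mail.local</command>.  The
	mailer definition printed by <literal>sample_cf</literal> is
	constructed for illustration.</para>

```shell
#!/bin/sh
# check_mlocal [FILE]: inspect the Mlocal mailer definition in a sendmail.cf
# (FILE, or standard input when no file is given).
#   0  Mlocal runs mail.local and its F= flags include S
#   1  Mlocal runs mail.local but F= lacks S (needs the fix from the note)
#   2  no Mlocal definition found
#   3  Mlocal runs some other delivery program; the note does not apply
check_mlocal() {
    awk '
    # A definition can continue on lines that start with whitespace,
    # so join those onto the Mlocal line before splitting it.
    /^Mlocal[ \t,]/    { def = $0; in_def = 1; next }
    in_def && /^[ \t]/ { def = def $0; next }
                       { in_def = 0 }
    END {
        if (def == "") { print "no Mlocal definition found"; exit 2 }
        n = split(def, field, ",")
        for (i = 1; i <= n; i++) {
            f = field[i]
            gsub(/^[ \t]+|[ \t]+$/, "", f)
            if (f ~ /^P=/) prog  = substr(f, 3)
            if (f ~ /^F=/) flags = substr(f, 3)
        }
        if (prog !~ /mail\.local$/) {
            print "Mlocal uses " prog ", not mail.local"; exit 3
        }
        # Mailer flags are case-sensitive: only an upper-case S counts.
        if (index(flags, "S") == 0) {
            print "F=" flags " lacks S: add MODIFY_MAILER_FLAGS to the .mc file"; exit 1
        }
        print "F=" flags " includes S"
    }' "$@"
}

# Constructed sample definition (not copied from a real sendmail.cf);
# $1 is the flag string to place in the F= field.
sample_cf() {
    printf 'Mlocal,\t\tP=/usr/libexec/mail.local, F=%s, S=EnvFromL/HdrFromL,\n' "$1"
    printf '\t\tR=EnvToL/HdrToL, T=DNS/RFC822/X-Unix,\n\t\tA=mail -d $u\n'
}

sample_cf 'lsDFMAw5:/|@qSPfhn9' | check_mlocal || true   # S present
sample_cf 'lsDFMAw5:/|@qPfhn9'  | check_mlocal || true   # S missing
```

	<para>On an installed system the same function can be pointed at the
	live file: <command>check_mlocal /etc/mail/sendmail.cf</command>.</para>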
2230
2231	<para>The default <filename>/etc/mail/sendmail.cf</filename>
2232	disables the SMTP <literal>EXPN</literal> and
2233	<literal>VRFY</literal> commands. &merged;</para>
2234
2235	<para>&man.vacation.1; has been updated to use the version included with
2236	<application>sendmail</application>. &merged;</para>
2237
2238	<para>The <application>sendmail</application> configuration
2239	building tools are installed in
2240	<filename>/usr/share/sendmail/cf/</filename>. &merged;</para>
2241
2242	<para>New <filename>make.conf</filename> options:
2243	<varname>SENDMAIL_MC</varname> and
2244	<varname>SENDMAIL_ADDITIONAL_MC</varname>.  See
2245	<filename>/usr/share/examples/etc/make.conf</filename> for more
2246	information. &merged;</para>
2247
2248	<para><filename>/etc/mail/Makefile</filename> now supports: the
2249	new <varname>SENDMAIL_MC</varname> <filename>make.conf</filename>
2250	option; the ability to build <filename>.cf</filename> files from
2251	<filename>.mc</filename> files; generalized map rebuilding;
2252	rebuilding the aliases file; and the ability to stop, start, and
2253	restart <application>sendmail</application>. &merged;</para>
2254      </sect4>
2255    </sect3>
2256
2257    <sect3>
2258      <title>Ports/Packages Collection</title>
2259
2260      <para>Version numbers of installed packages have a new
2261      (backward-compatible) syntax, which supports the
2262      <varname>PORTREVISION</varname> and <varname>PORTEPOCH</varname>
2263      variables in Ports Collection <filename>Makefile</filename>s.
2264      These changes help keep track of changes in the ports collection
2265      entries such as security patches or &os;-specific updates, which
2266      aren't reflected in the original, third-party software
2267      distributions.  &man.pkg.version.1; can now compare these
2268      new-style version numbers. &merged;</para>
2269
2270      <para>To improve performance and disk utilization, the <quote>ports
2271      skeletons</quote> in the &os; Ports Collection have been restructured.
2272      Installed ports and packages should not be affected. &merged;</para>
2273
2274      <para>All packages and ports now contain an <quote>origin</quote>
2275      directive, which makes it easier for programs such as
2276      &man.pkg.version.1; to determine the directory from which a
2277      package was built. &merged;</para>
2278
2279      <para>&man.pkg.update.1;, a utility to update installed packages
2280      and update their dependencies, has been added. &merged;</para>
2281
2282      <para>&man.pkg.info.1; now supports globbing against names of
2283      installed packages.  The <option>-G</option> option disables this
2284      behavior, and the <option>-x</option> option causes regular
2285      expression matching instead of shell globbing. &merged;</para>
2286
2287      <para>&man.pkg.info.1; can now accept a <option>-g</option> flag for
2288      verifying an installed package against its recorded checksums (to
2289      see if it's been modified post-installation).  Naturally, this
2290      mechanism is only as secure as the contents of
2291      <filename>/var/db/pkg</filename> if it's to be used for auditing
2292      purposes. &merged;</para>
2293
2294      <para>&man.pkg.create.1; and &man.pkg.add.1; can now work with
2295      packages that have been compressed using
2296      &man.bzip2.1;. &man.pkg.add.1; will use the <envar>PACKAGEROOT</envar>
2297      environment variable to determine a mirror site for new
2298      packages. &merged;</para>
2299
2300      <para>&man.pkg.create.1; now records dependencies in dependency
2301      order rather than in the order specified on the command line.
2302      This improves the functioning of <command>pkg_add
2303      -r</command>. &merged;</para>
2304
2305      <para>&man.pkg.version.1; now has a version number comparison
2306      routine that corresponds to the Porters Handbook.  It also has a
2307      <option>-t</option> option for testing address comparisons. 
2308      &merged;</para>
2309
2310      <para>&man.pkg.version.1; now takes a <option>-s</option> flag
2311      to limit its operation to ports/packages matching a given
2312      string. &merged;</para>
2313
2314      <para>When requested to delete multiple packages,
2315      &man.pkg.delete.1; will now attempt to remove them in dependency
2316      order rather than the order specified on the command
2317      line. &merged;</para>
2318
2319      <para>&man.pkg.delete.1; now can perform glob/regexp matching of
2320      package names.  In addition, it supports a <option>-a</option>
2321      option for removing all packages and a <option>-i</option> option
2322      for &man.rm.1;-style interactive confirmation. &merged;</para>
2323
2324      <para>&man.pkg.sign.1; and &man.pkg.check.1; have been added to
2325      digitally sign and verify the signatures on binary package
2326      files. &merged;</para>
2327
2328      <para><application>BSDPAN</application>, a collection of modules
2329      that provides tighter integration of
2330      <application>Perl</application> into the &os; Ports
2331      Collection, has been added.</para>
2332    </sect3>
2333  </sect2>
2334</sect1>
2335