article.xml revision 84821
<articleinfo>
  <title>&os; &release.current; &arch; Release Notes</title>

  <corpauthor>The FreeBSD Project</corpauthor>

  <pubdate>$FreeBSD: head/release/doc/en_US.ISO8859-1/relnotes/article.sgml 84821 2001-10-11 21:48:35Z bmah $</pubdate>

  <copyright>
    <year>2000</year>
    <year>2001</year>
    <holder role="mailto:doc@FreeBSD.org">The FreeBSD Documentation Project</holder>
  </copyright>
</articleinfo>

<abstract>
  <para>The release notes for &os; &release.current; contain a summary
    of the changes made in the &os; base system since &release.prev;.
    Changes to both the kernel and userland are listed, as well as
    applicable security advisories that were issued since the last
    release. Some brief remarks on upgrading are also presented.</para>
</abstract>

<sect1>
  <title>Introduction</title>

  <para>This document contains the release notes for &os; &release.current; on
    the &arch; hardware platform. It describes new features of &os;
    that have been added (or changed) since &release.prev;. It also
    provides some notes on upgrading from previous versions of &os;.</para>

<![ %release.type.snapshot [

  <para>The &release.type; distribution to which these release notes
    apply represents a point along the &release.branch; development
    branch between &release.prev; and &release.next;. Some pre-built,
    binary &release.type; distributions along this branch can be found
    at <ulink url="&release.url;"></ulink>.</para>

]]>

<![ %release.type.release [

  <para>This distribution of &os; &release.current; is a &release.type;
    distribution. It can be found at <ulink
    url="&release.url;"></ulink> or any of its mirrors.
    More information on obtaining this (or other) &release.type; distributions of
    &os; can be found in the <ulink
    url="http://www.FreeBSD.org/handbook/mirrors.html"><quote>Obtaining
    FreeBSD</quote> appendix</ulink> to the <ulink
    url="http://www.FreeBSD.org/handbook/">FreeBSD Handbook</ulink>.</para>

]]>
</sect1>

<sect1>
  <title>What's New</title>

  <para>This section describes the most user-visible new or changed
    features in &os; since &release.prev;. Typical release note items
    document new drivers or hardware support, new commands or options,
    major bugfixes, or contributed software upgrades. Security
    advisories issued after &release.prev; are also listed. In general, changes
    described here are unique to the &release.branch; branch unless
    specifically marked as &merged; features.</para>

  <para>Many additional changes were made to &os; that are not listed
    here for lack of space. For example, documentation was corrected
    and improved, minor bugs were fixed, insecure coding practices were
    audited and corrected, and source code was cleaned up.</para>

  <para>The release notes items are organized into three different
    sections. <xref linkend="kernel"> lists recent changes to the &os;
    kernel. Security fixes, including those pertaining to security
    advisories, are listed in <xref linkend="security">. Finally, <xref
    linkend="userland"> covers changes to &os; userland applications
    included in the base system.</para>

  <sect2 id="kernel">
    <title>Kernel Changes</title>

    <para>The &man.kqueue.2; event notification facility was added to
      the &os; kernel. This is a new interface which is able to
      replace &man.poll.2;/&man.select.2;, offering improved performance,
      as well as the ability to report many different types of events.
      Support for monitoring changes in sockets, pipes, fifos, and files
      is present, as well as for signals and processes.
      &merged;</para>

    <para arch="i386">Support for Intel's Wired for Management 2.0 (PXE)
      was added to the &os; boot loader. Due to API differences, the
      older PXE versions are not supported. This allows network booting
      using DHCP. &merged;</para>

    <para arch="i386">The &os; boot loader now contains a workaround
      to support CDROM booting on certain IBM BIOSs that expect the
      first sector of the emulated floppy to contain a valid MS-DOS BPB
      that they can modify. &merged;</para>

    <para>Support for USB devices was added to the
      <filename>GENERIC</filename> kernel and to the installation
      programs to support USB devices out of the box. Note that SRM
      does not support USB devices at the moment, so you must still use
      an AT keyboard if you are not using a serial console. &merged;</para>

    <para>POSIX.1b Shared Memory Objects are now supported. The
      implementation uses regular files, but automatically enables the
      MAP_NOSYNC flag when they are &man.mmap.2;-ed. &merged;</para>

    <para>The &man.agp.4; driver for AGP devices has been added. &merged;</para>

    <para>The kernel and modules have been moved to the directory
      <filename>/boot/kernel</filename>, so they can be easily
      manipulated together. The boot loader has been updated to make
      this change as seamless as possible.</para>

    <para arch="i386">The i386 boot loader now has support for a
      <literal>nullconsole</literal>
      console type, for use on systems with neither a video console nor
      a serial port. &merged;</para>

    <para>Replaced the <literal>PQ_*CACHE</literal> options with a
      single <literal>PQ_CACHESIZE</literal> option to be set to
      the cache size in kilobytes. The old options are still supported
      for backwards compatibility.
      &merged;</para>

    <para arch="i386">The <literal>NCPU</literal>, <literal>NAPIC</literal>,
      <literal>NBUS</literal>, and <literal>NINTR</literal> kernel
      configuration options, for configuring SMP kernels, have been
      removed. <literal>NCPU</literal> is now set to a maximum of 16,
      and the other, aforementioned options are now
      dynamic. &merged;</para>

    <para>&man.devfs.5;, which allows entries in the
      <filename>/dev</filename> directory to be built automatically and
      supports more flexible attachment of devices, has been largely
      reworked. &man.devfs.5; is now enabled by default and can be
      disabled by the <literal>NODEVFS</literal> kernel option.</para>

    <para>Write combining for crashdumps has been implemented. This
      feature is useful when write caching is disabled on both SCSI and
      IDE disks, where large memory dumps could take up to an hour to
      complete. &merged;</para>

    <para>Extremely large swap areas (>67 GB) no longer panic the
      system.</para>

    <para arch="i386">The &man.ichsmb.4; driver for the Intel 82801AA
      (ICH) SMBus controller and compatibles has been
      added. &merged;</para>

    <para arch="i386">The &man.uscanner.4; driver for basic USB scanner support
      using SANE has been added. See <ulink
      url="http://www.mostang.com/sane/">the SANE home page</ulink> for
      supported scanners. The HP ScanJet 4100C, 5200C and 6300C are
      known to be working.</para>

    <para arch="i386">The umodem driver for USB modems has been added.
      Support is provided for the 3Com 5605 and Metricom Ricochet GS
      wireless USB modems.</para>

    <para arch="alpha">Support for threads under Linux emulation has been
      added.</para>

    <para>A number of cleanups and enhancements have been applied to
      the PCI subsystem.
      <filename>/usr/share/misc/pci_vendors</filename> now contains a
      vendor/device database, which can be used by
      &man.pciconf.8;.</para>

    <para arch="i386">The &man.spic.4; driver, which provides access to the jog
      dial device on some Sony laptops, has been added.</para>

    <para arch="i386">PECOFF (Win32 Execution file format) support has been
      added.</para>

    <para>A VESA S3 linear framebuffer driver has been added.</para>

    <para>The <maketarget>buildkernel</maketarget> target now gets the
      name of the configuration(s) to build from the
      <varname>KERNCONF</varname> variable, not
      <varname>KERNEL</varname>. It is no longer required, in some
      cases, for a <maketarget>buildworld</maketarget> to precede a
      <maketarget>buildkernel</maketarget>. (The
      <maketarget>buildworld</maketarget> is still required when
      upgrading across major releases, across
      <application>binutils</application> updates and when &man.config.8;
      changes version.) &merged;
    </para>

    <para>The &man.random.4; device has been rewritten to use the
      <application>Yarrow</application> algorithm. It harvests entropy
      from a variety of interrupt sources, including the console
      devices, Ethernet and point-to-point network interfaces, and
      mass-storage devices. Entropy from the &man.random.4; device is
      now periodically saved to files in
      <filename>/var/db/entropy</filename>, as well as at
      shutdown time.
      The semantics of <filename>/dev/random</filename>
      have changed; it never blocks waiting for entropy bits but
      generates a stream of pseudo-random data and now behaves exactly
      as <filename>/dev/urandom</filename>.</para>

    <para>The &man.syscons.4; driver now supports keyboard-controlled
      pasting, by default bound to
      <keycap>Shift</keycap>-<keycap>Insert</keycap>.</para>

    <para>The &man.labpc.4; driver has been removed due to
      <quote>bitrot</quote>.</para>

    <para>A new kernel option, <literal>options REGRESSION</literal>,
      enables interfaces and functionality intended for use during
      correctness and regression testing.</para>

    <para>The <literal>USER_LDT</literal> kernel option is now
      activated by default.</para>

    <para>A new &man.ddb.4; command <command>show pcpu</command> lists
      some of the per-CPU data.</para>

    <para>A new digi driver has been added to support PCI Xr-based and ISA
      Xem Digiboard cards. A new &man.digictl.8; program is (mainly) used to
      re-initialise cards that have external port modules attached such as
      the PC/Xem.</para>

    <para>The dgm driver has been removed in favor of the digi driver.</para>

    <para>The <literal>O_DIRECT</literal> flag has been added to
      &man.open.2; and &man.fcntl.2;. Specifying this flag for open
      files will attempt to minimize the cache effects of reading and
      writing. &merged;</para>

    <para>An &man.orm.4; device has been added to claim the option
      ROMs in the ISA memory I/O space, to prevent other drivers from
      mistakenly assigning addresses that conflict with these ROMs. &merged;</para>

    <para>The out-of-swap process termination code now begins killing
      processes earlier to avoid deadlocks; it now also takes into
      account the swap space used by processes when computing the
      process sizes.
      &merged;</para>

    <para>Linker sets are now self-contained; &man.gensetdefs.8; is
      unnecessary and has been removed.</para>

    <para>Numerous SMP-friendly changes have been made to the kernel's
      mbuf allocator.</para>

    <para>Network device cloning has been implemented, and the &man.gif.4;
      device has been modified to take advantage of it.
      Thus, instead of specifying how many &man.gif.4; interfaces
      are available in kernel configuration files, &man.ifconfig.8;'s
      <option>create</option> option should be used when another device
      instance is desired. &merged;</para>

    <para>The kernel message buffer is now accessible by the
      (machine-independent) <varname>kern.msgbuf</varname> sysctl
      variable; &man.dmesg.8; no longer needs to be SGID
      <groupname>kmem</groupname>.</para>

    <para>Two new &man.ddb.4; commands, <command>hwatch</command> and
      <command>dhwatch</command>, have been introduced. Analogous to
      <command>watch</command> and <command>dwatch</command>, they install
      hardware watchpoints (as opposed to software watchpoints) if supported
      by the architecture. &merged;</para>

    <para>A &man.nmdm.4; null-modem terminal driver has been added.
      &merged;</para>

    <para>The <varname>maxusers</varname> kernel configuration
      parameter is now a boot-time tunable variable. The kernel
      parameters derived from <varname>maxusers</varname> are now also
      tunables and can be overridden at boot-time. The
      <varname>hz</varname> parameter is also now a tunable. &merged;</para>

    <para>It is now possible to hardwire kernel environment variables (such
      as tunables) at compile-time using &man.config.8;'s
      <literal>ENV</literal> directive.</para>

    <para>The loader and kernel linker now look for files named
      <filename>linker.hints</filename> in each directory with KLDs for a
      module name and version to KLD filename mapping.
      The new
      &man.kldxref.8; utility is used to generate these files.</para>

    <para>Idle zeroing of pages can be enabled with the
      <varname>vm.zeroidle_enable</varname> sysctl variable.</para>

    <para arch="i386">The load addresses of kernels have been exported to the
      symbol table and various hard-coded constants removed so that
      utilities such as &man.ps.1; can work with kernels compiled at
      different addresses. &merged;</para>

    <para arch="i386">A new <varname>KVA_SPACE</varname> kernel option
      can be used to reconfigure the size of the kernel virtual address
      space. &merged;</para>

    <para>Coredumps of large processes (or of a large number of
      processes) no longer lock up the machine for long periods of
      time. &merged;</para>

    <para>Each &man.jail.2; environment can now run under its own
      securelevel.</para>

    <para arch="alpha">A <varname>MAXMEM</varname> kernel option,
      along with the <varname>hw.physmem</varname> environment, can be
      used to artificially reduce the memory size of a machine for
      testing (or other purposes). &merged;</para>

    <para>An &man.eaccess.2; system call has been added, similar to
      &man.access.2; except that the former uses effective credentials
      rather than real credentials.</para>

    <para arch="i386">The &man.amdpm.4; driver has been added to
      provide access to the system monitoring functions of the AMD 756
      chipset. &merged;</para>

    <para>The kernel is now aware of the concept that there are
      smaller units of scheduling than a process (but only one thread
      per process is allowed at this time).</para>

    <sect3>
      <title>Processor/Motherboard Support</title>

      <para>SMP support has been largely reworked, incorporating code
        from BSD/OS 5.0.
        One of the main features of SMPng (<quote>SMP
        Next Generation</quote>) is to allow more processes to run in
        the kernel, without the need for spin locks that can dramatically
        reduce the efficiency of multiple processors. Interrupt
        handlers now have contexts associated with them that allow them
        to be blocked, which reduces the need to lock out
        interrupts.</para>

      <para arch="i386">Support for the 80386 processor has been
        removed from the <filename>GENERIC</filename> kernel, as this
        code seriously pessimizes performance on other IA32
        processors.</para>

      <para arch="i386">The <literal>I386_CPU</literal> kernel option
        to support the 80386 processor is now mutually exclusive with
        support for other IA32 processors; this should slightly improve
        performance on the 80386 due to the elimination of runtime
        processor type checks.</para>

      <para arch="i386">Custom kernels that will run on the 80386 can
        still be built by changing the cpu options in the kernel
        configuration file to only include
        <literal>I386_CPU</literal>.</para>

      <para arch="alpha">AlphaServer 1200 (<quote>Tincup</quote>) has
        been tested and works OK. Currently it does not want to boot
        from CD or floppy but a transplanted disk that was installed on
        another Alpha works well. &merged;</para>

      <para arch="alpha">The API UP1100 mainboard has been verified to work.</para>

      <para arch="alpha">The API CS20 1U high server has been verified to work.</para>

      <para arch="alpha">The DEC3000 series support has been removed from the mfsroot
        floppy image so that it fits on a 1.44 Mbyte floppy again.
        As the
        DEC3000 is currently only usable diskless this should not cause
        any problems.</para>

      <para arch="alpha">Support for AlphaServer 2100A (<quote>Lynx</quote>) has been
        added.</para>

      <para arch="alpha">Kernel code has been added that allows older generation Alpha CPUs
        (EV4 and EV5) to emulate instructions of the newer Alpha CPU
        generations. This enables the use of binary-only programs like <application>Adobe
        Acrobat 4</application> on EV4 and EV5.</para>

      <para arch="alpha">SMP support for the Alpha is now operational.</para>

      <para arch="i386">Detection for new processors, such as the
        FC-PGA2 Pentium III (Tualatin), Transmeta Crusoe, and Transmeta
        Crusoe LongRun, has been added. &merged;</para>

      <para arch="alpha">Support for the following hardware has been removed
        from the installation kernel to make it fit on a 1.44MB floppy again:
        Multia, NoName, PC64, EB64, Aspen Alpine, sa (SCSI tape), amr, parallel
        port support, vx (3c590, 3c595), pcn (AMD Am79C97x PCI 10/100),
        sf (Adaptec AIC-6915), sis (SiS 900/SiS 7016), ste (Sundance ST201
        (D-Link DFE-550TX)), wb (Winbond W89C840F).</para>

      <para arch="i386">Support for Streaming <acronym>SIMD</acronym>
        Extensions (<acronym>SSE</acronym>) has been introduced. The
        <literal>CPU_ENABLE_SSE</literal> kernel option controls whether
        support is compiled into the kernel. &merged;</para>
    </sect3>

    <sect3>
      <title>Network Interface Support</title>

      <para>Added support for PCI Ethernet adapters based on the
        National Semiconductor DP83815 chipset, including the NetGear
        FA311-TX and FA312-TX, in the form of the &man.sis.4; driver.</para>

      <para>The &man.tap.4; driver, a virtual Ethernet device driver for
        bridged configurations, has been added. This device is
        clonable.
        &merged;</para>

      <para>The &man.ti.4; driver now supports the Alteon AceNIC
        1000baseT Gigabit Ethernet and Netgear GA620T 1000baseT Gigabit
        cards. &merged;</para>

      <para>The &man.xl.4; driver now supports the 3Com 3C556 and 3C556B
        MiniPCI adapters used on some laptops. &merged;</para>

      <para arch="alpha">The &man.ed.4; driver is now supported.</para>

      <para>The &man.pcn.4; driver, which supports the AMD PCnet/FAST,
        PCnet/FAST+, PCnet/FAST III, PCnet/PRO, PCnet/Home, and HomePNA
        adapters, has been added. Although these cards are already
        supported by the &man.lnc.4; driver, the &man.pcn.4; driver runs
        these chips in 32-bit mode and uses the RX alignment feature to
        achieve zero-copy receive. This driver is also
        machine-independent, so it will work on both the i386 and Alpha
        platforms. The &man.lnc.4; driver is still needed to support non-PCI
        cards. &merged;</para>

      <para>Support for Fujitsu MB86960A/MB86965A based Ethernet
        PC-Cards is back. &merged;</para>

      <para arch="i386">The snc driver for the National Semiconductor
        DP8393X (SONIC) Ethernet controller has been added. Currently,
        this driver is only used on the PC-98 architecture. &merged;</para>

      <para>The &man.an.4; driver for Cisco Aironet cards now supports
        Wired Equivalent Privacy (WEP) encryption, settable via
        &man.ancontrol.8;. &merged;</para>

      <para>The &man.an.4; driver now supports the Cisco Aironet 350
        series of adaptors. &merged;</para>

      <para>The &man.an.4; driver now supports <quote>monitor</quote>
        mode, settable via the <option>-M</option> option to
        &man.ancontrol.8;. &merged;</para>

      <para arch="i386">The &man.el.4; driver can now be loaded as a
        module.</para>

      <para>The &man.ray.4; driver, which supports the Webgear Aviator
        wireless network cards, has been committed.
        The operation of
        &man.ray.4; interfaces can be modified by
        &man.raycontrol.8;. &merged;</para>

      <para arch="alpha">The &man.fpa.4; driver now supports Digital's
        DEFPA FDDI adaptors on the Alpha.</para>

      <para arch="i386">Linksys Fast Ethernet PCCARD cards supported by the
        &man.ed.4; driver now require the addition of flag
        <literal>0x80000</literal> to their config line in
        &man.pccard.conf.5;. This flag is not optional. These Linksys
        cards will not be recognized without it. &merged;</para>

      <para>A bug in the &man.ed.4; driver that could cause panics with
        very short packets and BPF or bridging active has been
        fixed. &merged;</para>

      <para>The &man.ed.4; driver now has support for D-Link
        DL10022 chips, necessary for the NetGear FA-410TX and other
        cards. As a result, <literal>device miibus</literal> is
        required in kernel configurations using the &man.ed.4;
        driver. &merged;</para>

      <para>The &man.fxp.4; driver now requires a <literal>device
        miibus</literal> entry in the kernel configuration file. &merged;</para>

      <para>The &man.wx.4; driver now supports the Intel PRO1000-F and
        PRO1000-T (10/100/1000) adapters. &merged;</para>

      <para>Added the &man.nge.4; driver, which supports PCI Gigabit
        Ethernet adapters based on the National Semiconductor DP83820
        and DP83821 Gigabit Ethernet controller chips, including the
        D-Link DGE-500T, SMC EZ Card 1000 (SMC9462TX), Asante
        FriendlyNet GigaNIC 1000TA and 1000TPC and Addtron
        AEG320T. This driver supports transmit and receive checksum
        offloading. &merged;</para>

      <para>The &man.lge.4; driver has been added to support the Level
        1 LXT1001 NetCellerator Gigabit Ethernet controller chip. This
        device is used on some fiber optic GigE cards from SMC, D-Link
        and Addtron. Jumbograms and TCP/IP checksum offload on receive
        are supported, although hardware VLAN filtering is not.
        &merged;</para>

      <para>The &man.xl.4; driver now supports reception of VLAN
        tagged frames (on the <quote>Cyclone</quote> or newer
        chipsets). &merged;</para>

      <para>The &man.ti.4; driver correctly masks VLAN tags. &merged;</para>

      <para>The &man.txp.4; driver has been added to support NICs
        based on the 3Com 3XP Typhoon/Sidewinder (3CR990) chipset. &merged;</para>

      <para>The &man.faith.4; device is now loadable, unloadable, and
        clonable.</para>

      <para>The &man.stf.4; device is now clonable.</para>

      <para>The &man.vlan.4; device is now loadable, unloadable, and
        clonable.</para>

      <para arch="i386">The &man.bge.4; driver has been added to
        support the Broadcom BCM570x family of Gigabit Ethernet
        controllers, including the 3Com 3c996-T, the SysKonnect SK-9D21
        and SK-9D41, and the built-in Gigabit Ethernet NICs on Dell
        PowerEdge 2550 servers. TCP/IP checksum offload, jumbo frames
        and VLAN tag insertion/stripping are supported, as well as
        interrupt moderation. &merged;</para>

      <para>The per-interface <varname>ifnet</varname> structure now
        has the ability to indicate a set of capabilities supported by a
        network interface, and which ones are enabled. &man.ifconfig.8;
        has support for querying these capabilities.</para>

      <para>Performance with hosts having a large number of IP aliases
        has been improved, by replacing the per-interface
        <varname>if_inaddr</varname> linear list with a hash table.</para>

      <para>Network devices now automatically appear in
        <filename>/dev</filename>. Interface hardware ioctls (not
        protocol or routing) can be performed on these devices.
        The
        <varname>SIOCGIFCONF</varname> ioctl may be performed on the
        special <filename>/dev/network</filename> node.</para>
    </sect3>

    <sect3>
      <title>Network Protocols</title>

      <para>&man.accept.filter.9;, a kernel feature to reduce overheads
        when accepting and reading new connections on listening sockets,
        has been added. &merged;</para>

      <para>The &man.ng.mppc.4; and &man.ng.bridge.4; node types have
        been added to the &man.netgraph.4; subsystem. The &man.ng.ether.4; node
        is now dynamically loadable. Miscellaneous bug fixes and
        enhancements have also been made. &merged;</para>

      <para>&man.netgraph.4; has received some updates and bugfixes.</para>

      <para>A new netgraph node type &man.ng.one2many.4; for multiplexing
        and demultiplexing packets over multiple links has been added.
        &merged;</para>

      <para>The &man.ng.gif.4; and &man.ng.gif.demux.4; netgraph
        nodes, for operating on &man.gif.4; devices, have been
        added.</para>

      <para>The &man.ng.ip.input.4; netgraph node, for queueing IP
        packets into the main IP input processing code, has been
        added.</para>

      <para arch="alpha">SLIP has been removed from the
        <filename>mfsroot</filename> floppy image.</para>

      <para>ICMP ECHO and TSTAMP replies are now rate limited. TCP RSTs
        generated due to packets sent to open and unopen ports are now
        limited by separate counters. Each rate limiting queue now has
        its own description.</para>

      <para>ICMP <literal>UNREACH_FILTER_PROHIB</literal> messages can
        now RST TCP connections in the <literal>SYN_SENT</literal> state
        if the correct sequence numbers are sent back, as controlled by the
        <varname>net.inet.tcp.icmp_may_rst</varname>
        sysctl.</para>

      <para>TCP has received some bug fixes for its delayed ACK
        behavior. &merged;</para>

      <para>TCP now supports the NewReno modification to the TCP Fast Recovery
        algorithm.
        This behavior can be controlled via the
        <varname>net.inet.tcp.newreno</varname> sysctl variable. &merged;</para>

      <para>TCP now uses a more aggressive timeout for initial SYN segments; this
        allows initial connection attempts to be dropped much
        faster. &merged;</para>

      <para>The <literal>TCP_COMPAT_42</literal> kernel option has
        been removed.</para>

      <para>The <literal>TCP_RESTRICT_RST</literal> kernel option has
        been removed. Similar functionality can be achieved with the
        <varname>net.inet.tcp.blackhole</varname> sysctl
        variable. &merged;</para>

      <para>TCP now has RFC 1323 extensions enabled by default in
        &man.rc.conf.5;. &merged;</para>

      <para>RFC 1323 and RFC 1644 TCP extensions are now disabled for a
        connection in progress if no response has been received by the
        third SYN segment sent. This behavior tries to work around
        (very old) terminal servers with buggy VJ header compression
        implementations. &merged;</para>

      <para>The TCP implementation no longer requires the
        allocation of a TCP template structure for each connection; this
        should reduce the buffer usage on large systems handling many
        connections. &merged;</para>

      <para>TCP's default buffer sizes, controlled by the
        <varname>net.inet.tcp.sendspace</varname> and
        <varname>net.inet.tcp.recvspace</varname> sysctl variables, have
        been increased to 32K and 64K respectively.</para>

      <para>TCP now supports RFC 1948 (Defending Against Sequence
        Number Attacks). This functionality is controlled by the
        <varname>net.inet.tcp.strict_rfc1948</varname> and
        <varname>net.inet.tcp.isn_reseed_interval</varname> sysctl
        variables. &merged;</para>

      <para>A new sysctl <varname>net.inet.ip.check_interface</varname>,
        which is on by default, causes IP to verify that an incoming
        packet arrives on an interface that has an address matching the
        packet's destination address.
        &merged;</para>

      <para>A new sysctl
        <varname>net.link.ether.inet.log_arp_wrong_iface</varname> has
        been added to control the suppression of logging when ARP replies
        arrive on the wrong interface. &merged;</para>

      <para>The <literal>proxy</literal> modifier to &man.arp.8;'s
        <option>-d</option> option has been renamed to
        <literal>pub</literal>, for consistency with the
        <option>-s</option> option. The <literal>only</literal> keyword
        has been added to the <option>-s</option> and
        <option>-S</option> flags, to be used in creating
        <quote>proxy-only</quote> published entries.</para>

      <para>&man.ipfw.4; now filters correctly in the presence of ECN bits in TCP
        segments. &merged;</para>

      <para>&man.ipfw.8; will now avoid the display of dynamic
        firewall rules unless the <option>-d</option> flag is passed to
        it. The <option>-e</option> flag lists expired dynamic rules.</para>

      <para>&man.bridge.4; and &man.dummynet.4; have received some
        enhancements and bug fixes.</para>

      <para>&man.ipfw.8; has a new feature (<literal>me</literal>) that
        allows for packet matching on interfaces with dynamically-changing
        IP addresses. &merged;</para>

      <para>&man.ip6fw.8; now has the ability to use a preprocessor
        and use the <option>-q</option> (quiet) flag when reading from a
        file. &merged;</para>

      <para>A new <literal>options RANDOM_IP_ID</literal> kernel
        option causes the ID field of IP packets to be randomized. This
        closes a minor information leak which allows a remote observer
        to determine the rate at which the machine is generating
        packets, since the default behavior is to increment a counter
        for each packet sent. &merged;</para>

      <para>IP multicast now works on VLAN devices.
        Several other
        bugs in the VLAN code have also been fixed.</para>
    </sect3>

    <sect3>
      <title>Disks and Storage</title>

      <para arch="i386">The &man.asr.4; driver now supports the Adaptec
        2000S and 2005S Zero-Channel RAID controllers. &merged;</para>

      <para arch="i386">The &man.aac.4; driver now supports the Adaptec
        SCSI RAID 5400S controller. &merged;</para>

      <para arch="i386">The &man.twe.4; 3ware ATA RAID driver has been added. &merged;</para>

      <para>The &man.ata.4; driver now has support for ATA100
        controllers. In addition, it now supports the ServerWorks ROSB4
        ATA33 chipset, the CMD 648 ATA66 and CMD 649 ATA100 chipsets, and
        the Cyrix 5530. &merged;</para>

      <para>To provide more flexible configuration, the various options for the
        &man.ata.4; driver are now boot loader tunables, rather than kernel
        configure-time options. &merged;</para>

      <para>The &man.ata.4; driver now has support for tagged queuing,
        which is enabled by the <varname>hw.ata.tags</varname> loader
        tunable. &merged;</para>

      <para>The &man.ata.4; driver now has support for ATA
        <quote>pseudo</quote> RAID controllers such as the Promise Fasttrak and
        HighPoint HPT370 controllers. &merged;</para>

      <para>The &man.wd.4; compatibility devices were removed from the
        &man.ata.4; driver. &merged;</para>

      <para arch="i386">The &man.mly.4; driver, for Mylex PCI to SCSI
        AccelRAID and eXtremeRAID controllers with firmware 6.X and
        later, has been added. &merged;</para>

      <para arch="i386">The &man.asr.4; driver, which provides support
        for the Adaptec SCSI RAID controller family, as well as the DPT
        SmartRAID V and VI families, has been added. &merged;</para>

      <para arch="i386">Support for the Adaptec FSA family of PCI-SCSI
        RAID controllers has been added, in the form of the &man.aac.4;
        driver.
        &merged;</para>

      <para arch="i386">The &man.aac.4; driver has been updated to
        include proper handling of commands initiated by the adapter,
        addition/removal of disk devices, crashdump functionality, and
        &man.ioctl.2; commands necessary for the management
        CLI. &merged;</para>

      <para>The &man.ahc.4; driver has received numerous updates,
        bugfixes, and enhancements. Among various improvements are
        improved compatibility with chips in <quote>RAID Port</quote> mode
        and systems with AAA and/or ARO cards installed, as well as
        performance improvements. Some bugs were also fixed, including a
        rare hang on Ultra2/U160 controllers. &merged;</para>

      <para arch="i386">The ncv, nsp, and stg drivers have
        been ported from NetBSD/pc98. They support the NCR 53C50 /
        Workbit Ninja SCSI-3 / TMC 18C30, 18C50 based PC-Card/ISA SCSI
        controllers. &merged;</para>

      <para>The &man.cd.4; driver now has support for write operations.
        This allows writing to DVD-RAM, PD and similar drives that probe
        as CD devices. Note that this change affects only random-access
        writeable devices, not sequential-only writeable devices such as
        CD-R drives, which are supported by &man.cdrecord.1; (a part of
        <port>sysutils/cdrtools</port> in the Ports Collection). &merged;</para>

      <para>The &man.vinum.4; volume manager has received some bug fixes and
        enhancements.</para>

      <para>&man.md.4;, the memory disk device, has had the
        functionality of &man.vn.4; incorporated into it. &man.md.4;
        devices can now be configured by &man.mdconfig.8;. &man.vn.4; has
        been removed. The Memory Filesystem (MFS) has also been
        removed.</para>

      <para>The BurnProof(TM) feature, for applicable ATAPI CD-ROM burners, is now
        supported. &merged;</para>

      <para arch="alpha">A bug that made certain CDROM drives fail to
        attach when connected to a SCSI card driven by &man.isp.4; has
        been fixed.
      &merged;</para>

      <para>The &man.isp.4; driver is now proactive about discovering
      Fibre Channel topology changes.</para>

      <para>The &man.isp.4; driver now supports target mode for Qlogic
      SCSI cards, including Ultra2 and Ultra3 and dual bus cards.</para>

      <para>The &man.isp.4; driver now supports the Qlogic 2300 and
      2312 Optical Fibre Channel PCI cards. &merged;</para>

      <para>The ida disk driver now has crashdump support. &merged;</para>

      <para>The CAM error recovery code has been updated.</para>

      <para>Some problems in &man.sa.4; error handling have been
      fixed, including the <quote>tape drive spinning indefinitely
      upon &man.mt.1; <option>stat</option></quote> problem.</para>

    </sect3>

    <sect3>
      <title>Filesystems</title>

      <para>Support for named extended attributes was added to the &os;
      kernel. This allows the kernel, and appropriately privileged
      userland processes, to tag files and directories with attribute
      data. Extended attributes were added to support the TrustedBSD
      Project, in particular ACLs, capability data, and mandatory access
      control labels (see
      <filename>/usr/src/sys/ufs/ufs/README.extattr</filename> for
      details).</para>

      <para>Due to a licensing change, softupdates have been integrated
      into the main portion of the kernel source tree. As a
      consequence, softupdates are now available with the
      <filename>GENERIC</filename> kernel. &merged;</para>

      <para>A filesystem snapshot capability has been added to FFS.
      Details can be found in
      <filename>/usr/src/sys/ufs/ffs/README.snapshot</filename>.</para>

      <para>Softupdates for FFS have received some bug fixes and
      enhancements.</para>

      <para>When running with softupdates, &man.statfs.2; and
      &man.df.1; will track the number of blocks and files that are
      committed to being freed.</para>

      <para>A bug in FFS that could cause superblock corruption on very large
      filesystems has been corrected. &merged;</para>

      <para>The Inode Filesystem (IFS) has been added; more information
      can be found in
      <filename>/usr/src/sys/ufs/ifs/README</filename>.</para>

      <para>The ISO-9660 filesystem now has a hook that supports a loadable
      character conversion routine. The
      <port>sysutils/cd9660_unicode</port> port
      contains a set of common conversions.</para>

      <para>&man.kernfs.5; is obsolete and has been retired.</para>

      <para>A bug in the NFS client that caused bogus access times with
      <literal>O_EXCL|O_CREAT</literal> opens was fixed. &merged;</para>

      <para>A new NFS hash function (based on the Fowler/Noll/Vo hash
      algorithm) has been implemented to improve NFS performance by
      increasing the efficiency of the <varname>nfsnode</varname> hash
      tables. &merged;</para>

      <para>Client-side NFS locks have been implemented.</para>

      <para>The client-side and server-side of the NFS code in the
      kernel used to be intertwined in various complex ways. They
      have been split apart for ease of maintenance and further
      development.</para>

      <para>Support for file system Access Control Lists (ACLs) has been
      introduced, allowing more fine-grained control of discretionary
      access control on files and directories. This support was
      integrated from the TrustedBSD Project.
      More details can be found in
      <filename>/usr/src/sys/ufs/ufs/README.acls</filename>.</para>

      <para>The directory layout preference algorithm for FFS has been
      changed to improve its speed on large filesystems. &merged;</para>

      <para arch="i386">smbfs (CIFS) support in the kernel has been added.
      The corresponding userland filesystem mount utility can be found
      in the <port>net/smbfs</port> port in the &os; Ports
      Collection. &merged;</para>

      <para>For consistency, the fdesc, fifo, null, msdos, portal,
      umap, and union filesystems have been renamed to fdescfs,
      fifofs, msdosfs, nullfs, portalfs, umapfs, and unionfs. Where
      applicable, modules and mount_* programs have been
      renamed. Compatibility <quote>glue</quote> has been added to
      &man.mount.8; so that <literal>msdos</literal> filesystem
      entries in &man.fstab.5; will work without changes.</para>

      <para>pseudofs, a pseudo-filesystem framework, has been added.
      &man.linprocfs.5; has been modified to use pseudofs.</para>

      <para>A simple hash-based lookup optimization for large directories
      called <literal>dirhash</literal> has been added. Conditional on the
      <literal>UFS_DIRHASH</literal> kernel option, it improves the speed
      of operations on very large directories at the expense of some
      memory. &merged;</para>

      <para>The virtual memory subsystem now backs UFS directory
      memory requirements by default (this behavior is controlled via
      the <varname>vfs.vmiodirenable</varname> sysctl variable).</para>
    </sect3>

    <sect3>
      <title>PCCARD Support</title>

      <para arch="i386">The pccard driver and &man.pccardc.8; now support multiple
      <quote>beep types</quote> upon card insertion and removal. &merged;</para>

      <para>On many modern hosts, PCCARD devices can be configured to
      route their interrupts via either the ISA or PCI interrupt paths.
      The &man.pcic.4; driver has been updated to support both interrupt
      paths (formerly, only routing via ISA was supported). &merged; In most
      cases, configuration of PCMCIA devices in laptops is simpler and
      more flexible. In addition, various Cardbus bridge PCI cards
      (such as those used by Orinoco PCI NICs) are now supported. Some
      hosts may experience problems, such as hangs or panics, with PCI
      interrupt routing; they can frequently be made to work by forcing
      the older-style ISA interrupt routing. The following lines,
      placed in <filename>/boot/loader.conf</filename>, may fix the
      problem:</para>

      <programlisting>hw.pcic.intr_path="1"
hw.pcic.irq="0"</programlisting>

      <para>When installing &os; on such a system, typing the following
      lines to the boot loader may be helpful in starting up &os; for
      the first time:</para>

      <screen><prompt>ok</prompt> <userinput>set hw.pcic.intr_path="1"</userinput>
<prompt>ok</prompt> <userinput>set hw.pcic.irq="0"</userinput></screen>

      <para arch="i386">Preliminary Cardbus support under NEWCARD has been added.
      This code supports the TI113X, TI12XX, TI125X, Ricoh 5C46/5C47, Topic
      95/97/100 and Cirrus Logic PD683X bridges. 16-bit PC Card support
      is not yet functional.</para>
    </sect3>

    <sect3>
      <title>Multimedia Support</title>

      <para arch="i386">The &man.pcm.4; driver now supports the ESS Solo 1,
      Maestro-1, Maestro-2, and Maestro-2e; Forte Media fm801, ESS
      Maestro-2e, and VIA Technologies VT82C686A sound card/chipsets,
      and has received some other updates.
      Separate drivers for the SoundBlaster 8 and SoundBlaster 16 now
      replace an older, unified driver. A driver for the CMedia
      CMI8338/CMI8738 sound chips has been added. A driver for the
      CS4281 sound chip has been added. A driver for the S3
      SonicVibes chipset has been added.
      &merged;</para>

      <para arch="i386">A driver for the Avance Logic ALS4000 has
      been added. &merged;</para>

      <para arch="i386">A driver for the
      ESS Maestro-3/Allegro has been added; however, due to licensing
      restrictions, it cannot be compiled into the kernel. &merged; To
      use this driver, add the following line to
      <filename>/boot/loader.conf</filename>:</para>

      <programlisting>snd_maestro3_load="YES"</programlisting>

      <para>The &man.bktr.4; driver has been updated to 2.18. This
      update provides a number of new features. New tuner
      types have been added, and improvements to the KLD module and to
      memory allocation have been made. Bugs in &man.devfs.5; when
      unloading and reloading have been fixed.
      Support for new Hauppauge Model 44xxx WinTV Cards (the ones with
      no audio mux) has been added.</para>

      <para>When sound modules are built, one can now load all the
      drivers and infrastructure by <command>kldload
      snd</command>.</para>

      <para>A new API has been added for sound cards with hardware
      volume control.</para>

      <para arch="i386">A driver for the Intel 443MX, 810, 815, and 815E
      integrated sound devices has been added.</para>

    </sect3>

    <sect3>
      <title>Contributed Software</title>

      <para><application>IPFilter</application> has been updated to
      3.4.20. &merged;</para>

      <para>The Forth Inspired Command Language
      (<application>FICL</application>) used in the boot loader has
      been updated to 2.05.</para>

      <para>Support for Advanced Configuration and Power Interface
      (ACPI), a multi-vendor standard for configuration and power
      management, has been added.
      This functionality has been
      provided by the <application>Intel ACPI Component
      Architecture</application> project, updated to the ACPI CA
      20010831 release.</para>

      <sect4 arch="i386">
        <title>isdn4bsd</title>

        <para><application>isdn4bsd</application> has been updated to
        version 1.0.1. As a result of this update, users of the
        &man.i4bisppp.4; (kernel PPP over ISDN) driver
        <emphasis>must</emphasis> now use &man.ispppcontrol.8; instead
        of &man.spppcontrol.8; to configure and control these
        network interfaces. &merged;</para>

        <para>The &man.ihfc.4; driver for supporting Cologne Chip
        Designs HFC devices under <application>isdn4bsd</application>
        has been added. &merged;</para>

        <para>The &man.itjc.4; driver for supporting NETjet-S / Teles
        PCI-TJ devices under <application>isdn4bsd</application> has
        been added. &merged;</para>

        <para>Experimental support for the Eicon.Diehl DIVA 2.0 and
        2.02 ISA PnP ISDN cards has been added to the &man.isic.4;
        <application>isdn4bsd</application> driver. &merged;</para>

        <para>Active CAPI-based ISDN cards manufactured by AVM are now
        supported using the &man.i4bcapi.4; and the &man.iavc.4; driver. The
        supported cards are the AVM B1 PCI and AVM B1 ISA Basic Rate
        cards and the AVM T1 Primary Rate cards. &merged;</para>

        <para>A new <literal>maxconnecttime</literal> keyword is now
        accepted in &man.isdnd.rc.5; files to limit the time a
        connection may remain open. &merged;</para>
      </sect4>

      <sect4 id="kame-kernel">
        <title>KAME</title>

        <para>The IPv6 stack is now based on the KAME
        Project's IPv6 snapshot as of 28 May, 2001. Most of the
        items listed in this section are a result of this import.
        <xref linkend="kame-userland"> lists userland updates to the
        KAME IPv6 stack. &merged;</para>

        <para>&man.gif.4; is now based on RFC 2893, rather than RFC
        1933.
        The <literal>IFF_LINK2</literal> interface flag can
        be used to control ingress filtering. &merged;</para>

        <para><application>IPSec</application> has received some
        enhancements, including the ability to use the Rijndael and
        SHA2 algorithms. IPSec RC5 support has been removed due to
        patent issues. &merged;</para>

        <para>&man.stf.4; now conforms to RFC 3056; the
        <literal>IFF_LINK2</literal> interface flag can be used to
        control ingress filtering. &merged;</para>

        <para>IPv6 has better checking of illegal addresses (such as
        loopback addresses) on physical networks. &merged;</para>

        <para>The <varname>IPV6_V6ONLY</varname> socket option is
        now completely supported. The kernel's default behavior
        with respect to this option is controlled by the
        <varname>net.inet6.ip6.v6only</varname> sysctl
        variable. &merged;</para>

        <para>RFC 3041 (Privacy Extensions for Stateless Address
        Autoconfiguration) is now supported. It can be enabled via
        the <varname>net.inet6.ip6.use_tempaddr</varname> sysctl
        variable. &merged;</para>
      </sect4>
    </sect3>
  </sect2>
  <sect2 id="security">
    <title>Security-Related Changes</title>

    <para>&man.sysinstall.8; now allows the user to select one of two
    <quote>security profiles</quote> at install-time. These profiles enable
    different levels of system security by enabling or disabling
    various system services in &man.rc.conf.5; on new
    installs. &merged;</para>

    <para>A bug in which malformed ELF executable images can hang the
    system has been fixed (see security advisory
    FreeBSD-SA-00:41). &merged;</para>

    <para>A security hole in Linux emulation was fixed (see security
    advisory FreeBSD-SA-00:42). &merged;</para>

    <para>String-handling library calls in many programs were fixed to
    reduce the possibility of buffer overflow-related exploits.
    &merged;</para>

    <para>TCP now uses stronger randomness in choosing its initial sequence
    numbers (see security advisory FreeBSD-SA-00:52). &merged;</para>

    <para>Several buffer overflows in &man.tcpdump.1; were corrected
    (see security advisory FreeBSD-SA-00:61). &merged;</para>

    <para>A security hole in &man.top.1; was corrected (see security advisory
    FreeBSD-SA-00:62). &merged;</para>

    <para>A potential security hole caused by an off-by-one-error in
    &man.gethostbyname.3; has been fixed (see security advisory
    FreeBSD-SA-00:63). &merged;</para>

    <para>A potential buffer overflow in the &man.ncurses.3; library,
    which could cause arbitrary code to be run from within
    &man.systat.1;, has been corrected (see security advisory
    FreeBSD-SA-00:68). &merged;</para>

    <para>A vulnerability in &man.telnetd.8; that could cause it to
    consume large amounts of server resources has been fixed (see
    security advisory FreeBSD-SA-00:69). &merged;</para>

    <para>The <literal>nat deny_incoming</literal> command in
    &man.ppp.8; now works correctly (see security advisory
    FreeBSD-SA-00:70). &merged;</para>

    <para>A vulnerability in &man.csh.1;/&man.tcsh.1; temporary files
    that could allow overwriting of arbitrary user-writable files has
    been closed (see security advisory FreeBSD-SA-00:76). &merged;</para>

    <para>The &man.ssh.1; binary is no longer SUID root by
    default. &merged;</para>

    <para>Some fixes were applied to the Kerberos
    IV implementation related to environment variables, a
    possible buffer overrun, and overwriting ticket files. &merged;</para>

    <para>&man.telnet.1; now does a better job of sanitizing its
    environment. &merged;</para>

    <para>Several vulnerabilities in &man.procfs.5; were fixed (see
    security advisory FreeBSD-SA-00:77).
    &merged;</para>

    <para>A bug in <application>OpenSSH</application> in which a
    server was unable to disable &man.ssh-agent.1; or
    <literal>X11Forwarding</literal> was fixed (see security advisory
    FreeBSD-SA-01:01). &merged;</para>

    <para>A bug in &man.ipfw.8; and &man.ip6fw.8; in which inbound TCP
    segments could incorrectly be treated as being part of an
    <literal>established</literal> connection has been fixed (see
    security advisory FreeBSD-SA-01:08). &merged;</para>

    <para>A bug in &man.crontab.1; that could allow users to read any
    file on the system in valid &man.crontab.5; syntax has been fixed
    (see security advisory FreeBSD-SA-01:09). &merged;</para>

    <para>A vulnerability in &man.inetd.8; that could allow
    read-access to the initial 16 bytes of
    <groupname>wheel</groupname>-accessible files has been fixed (see security
    advisory FreeBSD-SA-01:11). &merged;</para>

    <para>A bug in &man.periodic.8; that used insecure temporary files has been
    corrected (see security advisory FreeBSD-SA-01:12). &merged;</para>

    <para>A bug in &man.sort.1; in which an attacker might be able to
    cause it to abort processing has been fixed (see security advisory
    FreeBSD-SA-01:13). &merged;</para>

    <para><application>OpenSSH</application> now has code to prevent
    (instead of just mitigating through connection limits) an attack
    that can lead to guessing the server key (not host key) by
    regenerating the server key when an RSA failure is detected (see
    security advisory FreeBSD-SA-01:24). &merged;</para>

    <para>A number of programs have had output formatting strings
    corrected so as to reduce the risk of vulnerabilities. &merged;</para>

    <para>A number of programs that use temporary files now do so more
    securely.
    &merged;</para>

    <para>A bug in ICMP that could allow an attacker to disrupt TCP and UDP
    <quote>sessions</quote> has been corrected. &merged;</para>

    <para>A bug in &man.timed.8;, which caused it to crash if sent
    certain malformed packets, has been corrected (see security
    advisory FreeBSD-SA-01:28). &merged;</para>

    <para>A bug in &man.rwhod.8;, which caused it to crash if sent
    certain malformed packets, has been corrected (see security
    advisory FreeBSD-SA-01:29). &merged;</para>

    <para>A security hole in &os;'s FFS and EXT2FS implementations,
    which allowed a race condition that could cause users to have
    unauthorized access to data, has been fixed (see security advisory
    FreeBSD-SA-01:30). &merged;</para>

    <para>A remotely-exploitable vulnerability in &man.ntpd.8; has
    been closed (see security advisory FreeBSD-SA-01:31). &merged;</para>

    <para>A security hole in <application>IPFilter</application>'s
    fragment cache has been closed (see
    security advisory FreeBSD-SA-01:32). &merged;</para>

    <para>Buffer overflows in &man.glob.3;, which could cause
    arbitrary code to be run on an FTP server, have been closed. In
    addition, to prevent some forms of DOS attacks, &man.glob.3;
    allows specification of a limit on the number of pathname matches
    it will return. &man.ftpd.8; now uses this feature (see security
    advisory FreeBSD-SA-01:33). &merged;</para>

    <para>Initial sequence numbers in TCP are more thoroughly
    randomized (see security advisory FreeBSD-SA-01:39).
    Due to some
    possible compatibility issues, the behavior of this security fix
    can be enabled or disabled via the
    <varname>net.inet.tcp.tcp_seq_genscheme</varname> sysctl
    variable. &merged;</para>

    <para>A vulnerability in the &man.fts.3; routines (used by
    applications for recursively traversing a filesystem) could
    allow a program to operate on files outside the intended directory
    hierarchy. This bug has been fixed (see security advisory
    FreeBSD-SA-01:40). &merged;</para>

    <para>&os;'s TCP implementation has been made more resistant to
    SYN floods, by eliminating the RST segment normally sent when
    removing a connection from the listen queue.</para>

    <para><application>OpenSSH</application> now switches to the
    user's UID before attempting to unlink the authentication
    forwarding file, nullifying the effects of a race.</para>

    <para>A flaw allowed some signal handlers to remain in effect in a
    child process after being exec-ed from its parent. This allowed
    an attacker to execute arbitrary code in the context of a setuid
    binary. This flaw has been corrected (see security advisory
    FreeBSD-SA-01:42). &merged;</para>

    <para>A remote buffer overflow in &man.tcpdump.1; has been fixed
    (see security advisory FreeBSD-SA-01:48). &merged;</para>

    <para>A remote buffer overflow in &man.telnetd.8; has been
    fixed (see security advisory FreeBSD-SA-01:49). &merged;</para>

    <para>The new <varname>net.inet.ip.maxfragpackets</varname>
    and <varname>net.inet.ip6.maxfragpackets</varname> sysctl
    variables limit the amount of memory that can be consumed by IPv4
    and IPv6 packet fragments, which defends against some denial of service
    attacks (see security advisory FreeBSD-SA-01:52). &merged;</para>

    <para>All services in <filename>inetd.conf</filename> are now
    disabled by default for new installations.
    &man.sysinstall.8;
    gives the option of enabling or disabling &man.inetd.8; on new
    installations, as well as editing
    <filename>inetd.conf</filename>. &merged;</para>

    <para>A flaw in the implementation of the &man.ipfw.8;
    <literal>me</literal> rules on point-to-point links has been
    corrected. Formerly, <literal>me</literal> filter rules would
    match the remote IP address of a point-to-point interface in
    addition to the intended local IP address (see security advisory
    FreeBSD-SA-01:53). &merged;</para>

    <para>A vulnerability in &man.procfs.5;, which could allow a
    process to read sensitive information from another process's
    memory space, has been closed (see security advisory
    FreeBSD-SA-01:55). &merged;</para>

    <para>The <literal>PARANOID</literal> hostname checking in
    <application>tcp_wrappers</application> now works as advertised
    (see security advisory FreeBSD-SA-01:56). &merged;</para>

    <para>A local root exploit in &man.sendmail.8; has been closed
    (see security advisory FreeBSD-SA-01:57). &merged;</para>

    <para>A remote root vulnerability in &man.lpd.8; has been closed
    (see security advisory FreeBSD-SA-01:58). &merged;</para>

    <para>A race condition in &man.rmuser.8; that briefly exposed a
    world-readable <filename>/etc/master.passwd</filename> has been
    fixed (see security advisory FreeBSD-SA-01:59). &merged;</para>

    <para>A vulnerability in <application>UUCP</application> has been
    closed (see security advisory FreeBSD-SA-01:62).
    All non-<username>root</username>-owned binaries in standard
    system paths now have the <literal>schg</literal> flag set to
    prevent exploit vectors when run by &man.cron.8;, by
    <username>root</username>, or by a user other than the one owning
    the binary.
    In addition, &man.uustat.1; is now run via
    <filename>/etc/periodic/daily/410.status-uucp</filename> as
    <username>uucp</username>, not <username>root</username>.
    In &os; -CURRENT, <application>UUCP</application> has since been moved
    to the Ports Collection and is no longer a part of the base
    system. &merged;</para>

    <para>A security hole in the form of a buffer overflow in the
    &man.semop.2; system call has been closed. &merged;</para>
  </sect2>
  <sect2 id="userland">
    <title>Userland Changes</title>

    <para>&man.cdcontrol.1; now supports a <literal>cdid</literal>
    command, which calculates and displays the CD serial number, using
    the same algorithm used by the CDDB database. &merged;</para>

    <para>&man.mtree.8; now includes support for a file that lists
    pathnames to be excluded when creating and verifying prototypes.
    This makes it easier to use &man.mtree.8; as a part of an
    intrusion-detection system. &merged;</para>

    <para>&man.ls.1; can produce colorized listings with the
    <option>-G</option> flag (and appropriate terminal
    support). The <envar>CLICOLOR</envar> environment variable can be set
    to enable colorized listings by default. &merged;</para>

    <para>&man.sysinstall.8; now properly preserves
    <filename>/etc/mail</filename> during a binary upgrade. &merged;</para>

    <para>The &man.truncate.1; utility, which truncates or extends the length
    of files, has been added. &merged;</para>

    <para>&man.syslogd.8; can take a <option>-n</option> option to
    disable DNS queries for every request. &merged;</para>

    <para>&man.kenv.1;, a command to dump the kernel environment, has
    been added. &merged;</para>

    <para>The behavior of &man.periodic.8; is now controlled by
    <filename>/etc/defaults/periodic.conf</filename> and
    <filename>/etc/periodic.conf</filename>.
    &merged;</para>

    <para arch="i386">&man.boot98cfg.8;, a PC-98 boot manager installation and
    configuration utility, has been added. &merged;</para>

    <para>&man.logger.1; can now send messages directly to a remote
    syslog. &merged;</para>

    <para arch="i386">&man.gdb.1; now supports hardware watchpoints (using the
    kernel's debug register support that has been introduced in
    &os; 4.0). &merged;</para>

    <para>&man.which.1; is now a C program, rather than a Perl
    script.</para>

    <para>&man.killall.1; is now a C program, rather than a Perl
    script. As a result, its <option>-m</option> option now uses the
    regular expression syntax of &man.regex.3;, rather than that of
    &man.perl.1;. &merged;</para>

    <para>&man.killall.1; now allows non-root users to kill SUID root
    processes that they started, the same as the Perl version did.</para>

    <para>&man.finger.1; now has the ability to support fingering
    aliases, via the &man.finger.conf.5; file. &merged;</para>

    <para>&man.finger.1; now has support for a
    <filename>.pubkey</filename> file.</para>

    <para>nsswitch support has been merged from NetBSD. By creating
    an &man.nsswitch.conf.5; file, &os; can be configured so that
    various databases such as &man.passwd.5; and &man.group.5; can be
    looked up using flat files, NIS, or Hesiod. The old
    <filename>hosts.conf</filename> file is no longer used.</para>

    <para>RSA Security has waived all patent rights to the RSA
    algorithm. As a
    result, the native <application>OpenSSL</application>
    implementation of the RSA algorithm is now activated by default,
    and the <port>security/rsaref</port> port and the
    <filename>librsaUSA</filename> and <filename>librsaINTL</filename>
    libraries are
    no longer required for USA and non-USA residents respectively.
    &merged;</para>

    <para>The &man.ifconfig.8; command can set the link-layer address
    of an interface using the <option>lladdr</option> parameter.
    &merged;</para>

    <para>&man.ifconfig.8; can now accept addresses in slash/CIDR
    notation. &merged;</para>

    <para>&man.ifconfig.8; now has support for setting parameters for
    IEEE 802.11 wireless network devices. &man.wi.4; and
    &man.an.4; devices are supported, and partial support is provided
    for &man.awi.4; devices. &merged;</para>

    <para>&man.ifconfig.8; no longer displays the list of supported
    media by default. Instead it displays it when the
    <option>-m</option> flag is given. &merged;</para>

    <para>&man.setproctitle.3; has been moved from
    <filename>libutil</filename> to
    <filename>libc</filename>. &merged;</para>

    <para>&man.chio.1; now has the ability to specify elements by
    volume tag instead of by their physical location as well as the
    ability to return an element to its previous location. &merged;</para>

    <para>&man.sed.1; now takes a <option>-E</option> option for
    extended regular expression support. &merged;</para>

    <para>&man.ln.1; now takes an <option>-i</option> option to
    request user confirmation before overwriting an existing
    file. &merged;</para>

    <para>&man.ln.1; now takes a <option>-h</option> flag to avoid
    following a target that is a link, with a <option>-n</option> flag
    for compatibility with other implementations. &merged;</para>

    <para>Userland &man.ppp.8; has received a number of updates and
    bug fixes. &merged;</para>

    <para>&man.make.1; has gained the <literal>:C///</literal>
    (regular expression substitution), <literal>:L</literal>
    (lowercase), and <literal>:U</literal> (uppercase) variable
    modifiers.
    These were added to reduce the differences between the
    &os; and
    OpenBSD/NetBSD
    &man.make.1; programs. &merged;</para>

    <para>Bugs in &man.make.1;, including broken null suffix
    behavior, bad assumptions about current directory permissions, and
    potential buffer overflows, have been fixed. &merged;</para>

    <para>The &os; <filename>Makefile</filename> infrastructure now
    supports the <varname>WARNS</varname> directive from NetBSD. This
    directive controls the addition of compiler warning flags to
    <varname>CFLAGS</varname> in a relatively compiler-neutral
    manner. &merged;</para>

    <para>&man.fsck.8; wrappers have been imported; this feature
    provides infrastructure for &man.fsck.8; to work on different
    types of filesystems (analogous to &man.mount.8;).</para>

    <para>The behavior of &man.fsck.8; when dealing with various
    passes (a la <filename>/etc/fstab</filename>) has been modified to
    accommodate multiple-disk filesystems.</para>

    <para>&man.style.perl.7;, a style guide for Perl code in the &os;
    base system, has been added.</para>

    <para>The <quote>in use</quote> percentage metric displayed by
    &man.netstat.1; now really reflects the percentage of network
    mbufs used. &merged;</para>

    <para>&man.netstat.1; now has a <option>-W</option> flag that
    tells it not to truncate addresses, even if they're too long for
    the column they're printed in. &merged;</para>

    <para>&man.netstat.1; now keeps track of input and output packets
    on a per-address basis for each interface. &merged;</para>

    <para>&man.netstat.1; now has a <option>-z</option> flag to reset
    statistics. &merged;</para>

    <para>&man.netstat.1; now has a <option>-S</option> flag to print
    addresses numerically but port names symbolically.
    &merged;</para>

    <para>&man.sockstat.1; now has <option>-c</option> and
    <option>-l</option> flags for listing connected and listening
    sockets, respectively. &merged;</para>

    <para>&man.mergemaster.8; has gained some new features, has been
    cleaned up somewhat, and is now more cross-platform friendly.</para>

    <para>&man.mergemaster.8; now sources an
    <filename>/etc/mergemaster.rc</filename> file and also prompts the
    user to run recommended commands (such as
    <command>newaliases</command>) as needed. &merged;</para>

    <para>The compiler chain now uses the FSF-supplied C/C++ runtime
    initialization code. This change brings about better
    compatibility with code generated from the various egcs and gcc
    ports, as well as the stock public FSF source. &merged;</para>

    <para>The threads library has gained some signal handling changes,
    bug fixes, and performance enhancements (including zero system
    call thread switching). &man.gdb.1; thread support has been
    updated to match these changes. &merged;</para>

    <para>&man.chflags.1; has moved from <filename>/usr/bin</filename>
    to <filename>/bin</filename>.</para>

    <para>Use of the <literal>CSMG_*</literal> macros no longer
    requires inclusion of
    <filename>&lt;sys/param.h&gt;</filename></para>

    <para>IP Filter is now supported by the
    &man.rc.conf.5; boot-time configuration and
    initialization. &merged;</para>

    <para>The &man.lastlogin.8; utility, which prints the last login
    time of each user, has been imported from
    NetBSD. &merged;</para>

    <para>&man.last.1; now implements a <option>-d</option> option that
    provides a <quote>snapshot</quote> of who was logged in at a
    particular date and time. &merged;</para>

    <para>&man.newfs.8; now implements write combining, which can make
    creation of new filesystems up to seven times
    faster.
      &merged;</para>

    <para>&man.newfs.8; now takes a <option>-U</option> option to
      enable softupdates on a new filesystem. &merged;</para>

    <para>The default number of cylinders per group in &man.newfs.8;
      is now computed to be the maximum allowable given the current
      filesystem parameters. It can be overridden with the
      <option>-c</option> option. Formerly, the default was fixed at 16. This
      change leads to better &man.fsck.8; performance and reduced
      fragmentation. &merged;</para>

    <para>A number of buffer overflows in &man.config.8; have been
      fixed. &merged;</para>

    <para>&man.pwd.1; can now double as &man.realpath.1;, a program to
      resolve pathnames to their underlying physical paths. &merged;</para>

    <para>&man.stty.1; now has support for an
      <literal>erase2</literal> control character, so that, for example,
      both the <keycap>Delete</keycap> and <keycap>Backspace</keycap>
      keys can be used to erase characters. &merged;</para>

    <para>The &man.ibcs2.8;, &man.linux.8;, &man.osf1.8;, and &man.svr4.8;
      scripts, whose sole purpose was to load emulation
      kernel modules, have been removed. The kernel module system will
      automatically load them as needed to fulfill dependencies.</para>

    <para>&man.top.1; will now use the full width of its tty.</para>

    <para>&man.growfs.8;, a utility for growing FFS filesystems, has
      been added. &man.ffsinfo.8;, a utility for dumping all the
      meta-information of an existing filesystem, has also been
      added. &merged;</para>

    <para>&man.indent.1; has gained some new formatting
      options. &merged;</para>

    <para>&man.sysinstall.8; now uses some more intuitive defaults
      thanks to some new dialog support functions.
      &merged;</para>

    <para>The default root partition in &man.sysinstall.8; is now
      100MB on the i386 and 120MB on the Alpha.</para>

    <para>Shortly after the receipt of a <literal>SIGINFO</literal>
      signal (normally control-T from the controlling tty), &man.fsck.ffs.8;
      will now output a line indicating the current phase number and
      progress information relevant to the current phase. &merged;</para>

    <para>&man.fsck.ffs.8; now supports background filesystem checks
      on mounted FFS filesystems with the <option>-B</option> option
      (softupdates must be enabled on these filesystems). The
      <option>-F</option> flag now determines whether a specified
      filesystem needs foreground checking.</para>

    <para>&man.fsck.8; now has support for foreground
      (<option>-F</option>) and background (<option>-B</option>) checks.
      Traditionally, &man.fsck.8; is invoked before the filesystems are
      mounted and all checks are done to completion at that time. If
      background checking is available, &man.fsck.8; is invoked twice.
      It is first invoked at the traditional time, before the
      filesystems are mounted, with the <option>-F</option> flag to do
      checking on all the filesystems that cannot do background
      checking. It is then invoked a second time, after the system has
      completed going multiuser, with the <option>-B</option> flag to do
      checking on all the filesystems that can do background checking.
      Unlike the foreground checking, the background checking is started
      asynchronously so that other system activity can proceed even on
      the filesystems that are being checked. Boot-time enabling of
      this feature is controlled by the
      <varname>background_fsck</varname> option in &man.rc.conf.5;.</para>

    <para>A new &man.fsck.msdosfs.8; utility has been added to check
      the consistency of MS-DOS filesystems.
      &merged;</para>

    <para>Catching up with most other network utilities in the base
      system, &man.lpr.1;, &man.lpd.8;, &man.syslogd.8;, and
      &man.logger.1; are now all IPv6-capable. &merged;</para>

    <para arch="i386"><filename>libdisk</filename> can now do
      install-time configuration of the <filename>boot0</filename>
      boot loader. &merged;</para>

    <para>The <option>-v</option> option to &man.rm.1; now displays
      the entire pathname of a file being removed.</para>

    <para>&man.lpr.1;, &man.lpq.1;, and &man.lpd.8; have received a
      few minor enhancements. &merged;</para>

    <para>&man.lpd.8; now takes two new options: <option>-c</option>
      will log all connection errors to &man.syslogd.8;, while
      <option>-W</option> will allow connections from non-reserved
      ports. &merged;</para>

    <para>&man.lpd.8; now has some support for
      <literal>o</literal>-type print-file actions in its control files,
      which allows printing of PostScript files generated by
      <application>MacOS</application> 10.1. &merged;</para>

    <para>&man.lpc.8; has been improved; <command>lpc clean</command>
      is now somewhat safer, and a new <command>lpc tclean</command>
      command has been added to check to see what files would be removed
      by <command>lpc clean</command>. &merged;</para>

    <para>If the first argument to &man.ancontrol.8; or
      &man.wicontrol.8; doesn't start with a <literal>-</literal>, it is
      assumed to be an interface.</para>

    <para>&man.rdist.1; has been retired from the base system, but is still
      available from the &os; Ports Collection as
      <port>net/44bsd-rdist</port>.</para>

    <para>&man.ppp.8; has gained the <literal>tcpmssfixup</literal>
      option, which adjusts outgoing and incoming TCP SYN packets so that the maximum
      receive segment size is no larger than allowed by the interface
      MTU.
      &merged;</para>

    <para>&man.ppp.8; now supports IPv6.</para>

    <para><filename>libcrypt</filename> and
      <filename>libdescrypt</filename> have been unified to provide a
      configurable password authentication hash library. Both the md5
      and des hash methods are provided unless the des hash is
      specifically compiled out. &merged;</para>

    <para>&man.passwd.1; and &man.pw.8; now select the password hash
      algorithm at run time. See the <literal>passwd_format</literal>
      attribute in <filename>/etc/login.conf</filename>. &merged;</para>

    <para>In preparation for meeting SUSv2/POSIX
      <filename>&lt;sys/select.h&gt;</filename> requirements,
      <literal>struct selinfo</literal> and related functions have been
      moved to <filename>&lt;sys/selinfo.h&gt;</filename>.</para>

    <para>&man.syslogd.8; now supports a <literal>LOG_CONSOLE</literal>
      facility (disabled by
      default), which can be used to log <filename>/dev/console</filename>
      output. &merged;</para>

    <para>&man.rpcgen.1; now uses <filename>/usr/bin/cpp</filename>
      (as on NetBSD), not <filename>/usr/libexec/cpp</filename>.</para>

    <para>Boot-time &man.syscons.4; configuration was moved to a
      machine-independent <filename>/etc/rc.syscons</filename>. &merged;</para>

    <para>&man.burncd.8; now supports a <option>-m</option> option for
      multisession mode (the default behavior now is to close disks as
      single-session). A <option>-l</option> option to take a list of
      image files from a filename was also added; <filename>-</filename>
      can be used as a filename for <literal>stdin</literal>.
      &merged;</para>

    <para>&man.burncd.8; now supports Disk At Once (DAO) mode,
      selectable via the <option>-d</option> flag.</para>

    <para>&man.dmesg.8; now has a <option>-a</option> option to show
      the entire message buffer, including &man.syslogd.8; records and
      <filename>/dev/console</filename> output. &merged;</para>

    <para>&man.cdcontrol.1; now uses the <envar>CDROM</envar>
      environment variable to pick a default device. &merged;</para>

    <para>&man.cdcontrol.1; now supports <literal>next</literal> and
      <literal>prev</literal> commands to skip forwards or backwards a
      specified number of tracks while playing an audio CD. &merged;</para>

    <para>&man.sysctl.8; now supports a <option>-N</option> option to
      print out variable names only. &merged;</para>

    <para>&man.sysctl.8; has replaced the <option>-A</option> and
      <option>-X</option> options with <option>-ao</option> and
      <option>-ax</option> respectively; the former options are now
      deprecated. The <option>-w</option> option is deprecated as well; it is
      not needed to determine the user's intentions. &merged;</para>

    <para>&man.sysinstall.8; now lives in <filename>/usr/sbin</filename>,
      which simplifies the installation process. The &man.sysinstall.8;
      manpage is also installed in a more consistent fashion now.</para>

    <para>&man.config.8; is now better about converting various
      warnings that should
      have been errors into actual fatal errors with an exit code. This
      ensures that <literal>make buildkernel</literal>
      doesn't quietly ignore them and
      build a bogus kernel without a human to read the errors.
      &merged;</para>

    <para><filename>libc</filename> is now thread-safe by default;
      <filename>libc_r</filename> contains only thread functions.</para>

    <para>&man.find.1; now takes the <option>-empty</option> flag,
      which returns true if a file or directory is empty. &merged;</para>

    <para>&man.find.1; now takes the <option>-iname</option> and
      <option>-ipath</option> primaries for case-insensitive matches,
      and the <option>-regexp</option> and <option>-iregexp</option>
      primaries for regular-expression matches. The <option>-E</option>
      flag now enables extended regular expressions. &merged;</para>

    <para>&man.find.1; now has the <option>-anewer</option>,
      <option>-cnewer</option>, <option>-mnewer</option>,
      <option>-okdir</option>, and <option>-newer[acm][acmt]</option>
      primaries for comparisons of file timestamps. The latter
      primaries can be specified with various units of time. &merged;</para>

    <para>&man.tftpd.8; now takes the <option>-c</option> and
      <option>-C</option> options, which allow the server to
      &man.chroot.2; based on the IP address of the connecting client.
      &man.tftp.1; and &man.tftpd.8; can now transfer files larger than
      65535 blocks. &merged;</para>

    <para>&man.tftpd.8; now supports RFC 2349 (TFTP Timeout Interval
      and Transfer Size Options); this feature is required by some
      firmware like EFI boot managers (at least on HP i2000 Itanium
      servers) in order to boot an image using
      <application>TFTP</application>.</para>

    <para>&man.vidcontrol.1; now accepts a <option>-g</option>
      parameter to select custom text geometry in the
      <literal>VESA_800x600</literal> raster text mode. &merged;</para>

    <para>&man.ldconfig.8; now checks directory ownerships and
      permissions for greater security; these checks can be disabled
      with the <option>-i</option> flag.
      &merged;</para>

    <para>The &man.rfork.thread.3; library call has been added as a
      helper function to &man.rfork.2;. Using this function should
      avoid the need to implement complex stack swap
      code. &merged;</para>

    <para>Significant additions have been made to internationalization
      support; &os; now has complete locale support for the
      <literal>LC_MONETARY</literal>, <literal>LC_NUMERIC</literal>, and
      <literal>LC_MESSAGES</literal> categories. A number of
      applications have been updated to take advantage of this
      support.</para>

    <para>Locale names have been changed to improve compatibility with
      the names used by X11R6, as well as a number of other UNIX
      versions. As an example, the <literal>en_US.ISO_8859-1</literal>
      locale name has been changed to
      <literal>en_US.ISO8859-1</literal>. Entries in
      <filename>/etc/locale.alias</filename> provide backward
      compatibility.</para>

    <para>A <filename>compat4x</filename> distribution has been added
      for compatibility with &os; 4-STABLE.</para>

    <para>The
      <filename>compat3x</filename> distribution has been updated to
      include libraries present in &os; 3.5.1-RELEASE. &merged;</para>

    <para>&man.savecore.8; now supports a <option>-k</option> option
      to prevent clearing a crash dump after saving it. It also
      attempts to avoid writing large stretches of zeros to crash dump
      files to save space and time. &merged;</para>

    <para>&man.savecore.8; now works correctly on machines with 2 GB
      or more of RAM. &merged;</para>

    <para>&man.tar.1; now supports the <varname>TAR_RSH</varname>
      variable, principally to enable the use of &man.ssh.1; as a
      transport. &merged;</para>

    <para>&man.disklabel.8; now supports partition sizes expressed in
      kilobytes, megabytes, or gigabytes, in addition to sectors.
      &merged;</para>

    <para>The pseudo-random number generator implemented by
      &man.rand.3; has been improved to provide less biased results.</para>

    <para>&man.login.1; now exports environment variables set by
      <application>PAM</application> modules. &merged;</para>

    <para><application>PAM</application> support has been added for
      account management and sessions.</para>

    <para>&man.su.1; now uses <application>PAM</application> for
      authentication.</para>

    <para>&man.wall.1; now supports a <option>-g</option> flag to
      write a message to all users of a given group. &merged;</para>

    <para>The new <varname>CPUTYPE</varname>
      <filename>make.conf</filename> variable controls the compilation
      of processor-specific optimizations in various pieces of code such
      as <application>OpenSSL</application>. &merged;</para>

    <para>&man.ipfstat.8; now supports the <option>-t</option> option
      to turn on a &man.top.1;-like display. &merged;</para>

    <para><filename>/usr/src/share/examples/BSD_daemon/</filename> now
      contains a scalable Beastie graphic. &merged;</para>

    <para>&man.dump.8; now supports inheritance of the
      <literal>nodump</literal> flag down a hierarchy. &merged;</para>

    <para>The <option>-T</option> option to &man.dump.8; no longer swallows
      an extra argument. &merged;</para>

    <para>&man.dump.8; has a new <option>-D</option> option, allowing
      the path to the <filename>/etc/dumpdates</filename> file to be
      changed. &merged;</para>

    <para>&man.split.1; now has the ability to split a file longer
      than 2GB. &merged;</para>

    <para>&man.tail.1; now has the ability to work on files longer
      than 2GB. &merged;</para>

    <para>&man.units.1; has received some updates and bugfixes.
      &merged;</para>

    <para>As part of an ongoing process, many manual pages were
      improved, both in terms of their formatting markup and in their
      content. &merged;</para>

    <para><command>lprm -</command> now works for remote printer
      queues. &merged;</para>

    <para>&man.ftpd.8; now supports a <option>-r</option> flag for
      read-only mode and a <option>-E</option> flag to disable
      <literal>EPSV</literal>. It also has some fixes to reduce
      information leakage and the ability to specify compile-time port
      ranges. &merged;</para>

    <para>&man.ping.8; now supports a <option>-m</option> option to
      set the TTL of outgoing packets. &merged;</para>

    <para>&man.ping.8; now supports a <option>-A</option> option to
      beep when packets are lost. &merged;</para>

    <para>A version of Transport Independent RPC
      (<application>TI-RPC</application>) has been imported.</para>

    <para>&man.rpcbind.8; has replaced &man.portmap.8;.</para>

    <para>NFS now works over IPv6.</para>

    <para>&man.rpc.lockd.8; has been imported from NetBSD. This
      daemon enables locking on NFS filesystems.</para>

    <para>&man.rc.8; now has a framework for handling dependencies between
      &man.rc.conf.5; variables. &merged;</para>

    <para>&man.rc.8; now deletes all non-directory files in
      <filename>/var/run</filename> and
      <filename>/var/spool/lock</filename> at boot time. &merged;</para>

    <para>The &man.setfacl.1; and &man.getfacl.1; commands have been
      added to manage file system Access Control Lists.</para>

    <para>The default TCP port range used by
      <filename>libfetch</filename> for passive FTP retrievals has
      changed; this affects the behavior of &man.fetch.1;, which has
      gained the <option>-U</option> option to restore the old
      behavior.
      &merged;</para>

    <para><filename>libfetch</filename> now has support for an
      authentication callback.</para>

    <para><filename>libfetch</filename> now has support for a
      <envar>HTTP_USER_AGENT</envar> environment variable. &merged;</para>

    <para>&man.atacontrol.8; has been added to control various aspects
      of the &man.ata.4; driver.</para>

    <para><filename>libcrypt</filename> now has support for Blowfish
      password hashing. &merged;</para>

    <para>The functions from <filename>libposix1e</filename> have been
      integrated into <filename>libc</filename>.</para>

    <para>&man.vidcontrol.1; now allows the user to omit the font size
      specification when loading a font, and has some better
      error-handling. &merged;</para>

    <para>&man.vidcontrol.1; now supports a <option>-p</option> option to
      take a snapshot of a &man.syscons.4; video buffer. These
      snapshots can be manipulated by the
      <port>graphics/scr2png</port> utility in the Ports
      Collection. &merged;</para>

    <para>&man.vidcontrol.1; now supports a <option>-C</option> option
      to clear the history buffer for a given tty, as well as a
      <option>-h</option> option to set the size of the history buffer. &merged;</para>

    <para>devinfo, a simple tool to print the device tree and resource usage by
      devices, has been added.</para>

    <para>&man.fmtcheck.3;, a function for checking consistency of
      format string arguments, has been added. &merged;</para>

    <para>&man.nl.1;, a line numbering filter program, has been
      added. &merged;</para>

    <para>&man.c89.1; has been converted from a shell script to a
      binary executable, fixing some minor bugs.
      &merged;</para>

    <para>&man.pax.1; has received a number of enhancements, including
      &man.cpio.1; functionality, &man.tar.1; compatibility
      enhancements, <option>-z</option> and <option>-Z</option> flags
      for &man.gzip.1; and &man.compress.1; functionality, and a number
      of bug fixes.</para>

    <para>Ukrainian language support has been added to the &os;
      console. &merged;</para>

    <para>The performance of the ELF dynamic linker &man.rtld.1; has
      been improved. &merged;</para>

    <para>&man.fdread.1;, a program to read data from floppy disks,
      has been added. It is a counterpart to &man.fdwrite.1; and is
      designed to provide a means of recovering at least some data from
      bad media, and to obviate the need for a complex invocation of
      &man.dd.1;.</para>

    <para>&man.xargs.1; now supports a <option>-J</option>
      <replaceable>replstr</replaceable> option that allows the user to
      tell &man.xargs.1; to insert the data read from standard input at
      a specific point in the command line arguments rather than at the
      end. &merged;</para>

    <para>&man.apmd.8; now has the ability to monitor battery levels and
      execute commands based on percentage or minutes of battery life
      remaining via the <literal>apm_battery</literal> configuration
      directive. See the commented-out examples in
      <filename>/etc/apmd.conf</filename> for the syntax. &merged;</para>

    <para>&man.telnet.1; now does autologin and encryption by default;
      a new <option>-y</option> option turns off encryption.</para>

    <para>&man.telnet.1; now supports a <option>-u</option> flag to
      allow connections to UNIX-domain (<literal>AF_UNIX</literal>)
      sockets.
      &merged;</para>

    <para>The default stripe size in &man.vinum.8; has been changed
      from 256KB to 279KB, to spread out superblocks more evenly between
      stripes.</para>

    <para>&man.chown.8; now correctly follows symbolic links named as
      command line arguments if run without <option>-R</option>.</para>

    <para>&man.chown.8; no longer takes <literal>.</literal> as a
      user/group delimiter. This change was made to support usernames
      containing a <literal>.</literal>.</para>

    <para>&man.chmod.1; now supports a <option>-h</option> option for
      changing the mode of a symbolic link.</para>

    <para>&man.install.1; has a number of new features, including the
      <option>-b</option> and <option>-B</option> options for backing up
      existing target files and the <option>-S</option> option for
      <quote>safe</quote> (atomic copy) operation. The
      <option>-c</option> (copy) flag is now the default, and the
      <option>-D</option> (debugging) flag has been withdrawn.
      &man.install.1; now issues a warning if <option>-d</option>
      (create directories) and <option>-C</option> (copy changed files
      only) are used together. &merged;</para>

    <para>&man.whois.1; now directs queries for IP addresses to
      ARIN. If a query to ARIN references APNIC or RIPE, the
      appropriate server will also be queried, provided that the
      <option>-Q</option> option is not specified. &merged;</para>

    <para>&man.fmt.1; has been rewritten; the rewrite fixes a number
      of bugs compared to its prior behavior. &merged;</para>

    <para>&man.df.1; now takes a <option>-l</option> option to only
      display information about locally-mounted filesystems. &merged;</para>

    <para>The syntax of &man.inetd.8;'s support for &man.faithd.8; is
      now compatible with that of other BSDs.
      &merged;</para>

    <para>The <literal>ident</literal> protocol support in &man.inetd.8; has
      been cleaned up and updated. &merged;</para>

    <para>&man.inetd.8; now has the ability to manage UNIX-domain
      sockets. &merged;</para>

    <para>&man.du.1; now takes a <option>-I</option> command-line flag
      to ignore/skip files and subdirectories matching a specified
      shell-glob mask. &merged;</para>

    <para>The &man.resolver.3; in &os; now implements EDNS0 support,
      which will be necessary when working with IPv6 transport-ready
      resolvers/DNS servers. &merged;</para>

    <para>&man.col.1; now takes a <option>-p</option> flag to force unknown
      control sequences to be passed through unchanged. &merged;</para>

    <para>The &man.mdmfs.8; command has been added; it is a wrapper
      around &man.mdconfig.8;, &man.disklabel.8;, &man.newfs.8;, and
      &man.mount.8; that mimics the command line option set of the
      deprecated &man.mount.mfs.8;.</para>

    <para>The &man.getprogname.3; and &man.setprogname.3; library
      functions have been added to manipulate the name of the current
      program. They are used by error-reporting routines to produce
      consistent output. &merged;</para>

    <para>The &man.kldconfig.8; utility has been added to make it easier to
      manipulate the kernel module search path. &merged;</para>

    <para>&man.moused.8; now takes a <option>-a</option> option to control
      mouse acceleration. &merged;</para>

    <para arch="i386">&man.fdisk.8; no longer attempts to search for
      a device if none has been specified on the command line, but
      instead tries to figure out the default device name from the
      root device.</para>

    <para>&man.mail.1; now takes a <option>-E</option> flag to avoid
      sending messages with empty bodies.
      &merged;</para>

    <para>&man.route.8; is now more verbose when changing indirect
      routes, in the case of a gateway route that is the same route as
      the one being modified. &merged;</para>

    <para>&man.route.8; now uses
      <literal><replaceable>host</replaceable>/<replaceable>bits</replaceable></literal>
      syntax instead of
      <literal><replaceable>net</replaceable>/<replaceable>bits</replaceable></literal>
      syntax, for compatibility with &man.netstat.1;. &merged;</para>

    <para>&man.route.8; can now create <quote>proxy only</quote>
      published ARP entries. &merged;</para>

    <para>&man.tmpnam.3; will now use the <envar>TMPDIR</envar>
      environment variable, if set, to specify the location of temporary
      files. &merged;</para>

    <para>&man.pppd.8; (the control program for kernel-level PPP) is
      now installed mode <literal>4550</literal> and
      <username>root</username><literal>:</literal><groupname>dialer</groupname>,
      rather than mode <literal>4555</literal> (in other words, it is no
      longer world-executable). Users of &man.pppd.8; may need to
      change their group settings. &merged;</para>

    <para>&man.ftpd.8; now supports <option>-o</option> and
      <option>-O</option> options to disable the <literal>RETR</literal>
      command; the former for everybody, and the latter only for guest users.
      Coupled with <option>-A</option> and appropriate file permissions,
      these can be used to create a relatively safe anonymous FTP drop box
      for others to upload to.</para>

    <para>The &man.daemon.8; program, a command-line interface to
      &man.daemon.3;, has been added. It detaches itself from its
      controlling terminal and executes a program specified on the command
      line.
      This allows the user to run an arbitrary program as if it were
      written to be a daemon.</para>

    <para>&man.syslogd.8; now has the ability to bind to a specific
      address--as opposed to using every available one--via the
      <option>-b</option> option.</para>

    <para>&man.cat.1; now has the ability to read from UNIX-domain
      sockets. &merged;</para>

    <para>The &man.groups.1; and &man.whoami.1; shell scripts are now
      unnecessary; their functionality has been completely folded into
      &man.id.1;.</para>

    <para>&man.touch.1; now takes a <option>-h</option> option to
      operate on a symbolic link, rather than what the link points
      to.</para>

    <para>&man.edquota.8; now takes a <option>-f</option> option to
      allow limiting the prototype quota distribution (specified with
      <option>-p</option>) to a single filesystem.</para>

    <para><filename>libgmp</filename> has been superseded by
      <filename>libmp</filename>.</para>

    <para><application>UUCP</application> has been removed from the
      base system, with the exceptions of &man.cu.1; and &man.rmail.8;.
      The remainder of <application>UUCP</application> can be found in
      the Ports Collection, in <port>net/freebsd-uucp</port>.</para>

    <sect3>
      <title>Contributed Software</title>

      <para><application>am-utils</application> has been updated to
        6.0.7.</para>

      <para><application>bc</application> has been updated from 1.04 to
        1.06. &merged;</para>

      <para>The ISC library from the <application>BIND</application>
        distribution is now built as
        <filename>libisc</filename>. &merged;</para>

      <para><application>BIND</application> is now built with the
        <literal>NOADDITIONAL</literal> flag, which causes &man.named.8;
        to operate in a more consistent fashion for certain common
        misconfigurations.
        &merged;</para>

      <para><application>BIND</application> has been updated to
        8.2.4-REL. &merged;</para>

      <para><application>Binutils</application> have been updated to
        2.11.2. &merged;</para>

      <para><application>bzip2</application> 1.0.1 has been imported; this
        brings the &man.bzip2.1; program and the <filename>libbz2</filename>
        library to the base system. &merged;</para>

      <para>The &man.ee.1; <application>Easy Editor</application> has
        been updated to 1.4.2. &merged;</para>

      <para><application>file</application> has been updated to 3.37.</para>

      <para>&man.awk.1;, in the form of
        <application>gawk</application>, has been updated from 3.0.4 to 3.0.6.
        This fixes a number of non-critical bugs and includes a few
        performance tweaks. &merged;</para>

      <para><application>gcc</application> has been updated to 2.95.3. &merged;</para>

      <para>&man.gcc.1; now uses a unified <filename>libgcc</filename>
        rather than a separate one for threaded and non-threaded programs.
        <filename>/usr/lib/libgcc_r.a</filename> can be removed.
        &merged;</para>

      <para>&man.gcc.1; now supports the environment variable
        <envar>GCC_OPTIONS</envar>, which can hold a set of default
        options for <application>GCC</application>. &merged;</para>

      <para><application>GNATS</application> has been updated to
        3.113. &merged;</para>

      <para><application>gperf</application> has been updated to 2.7.2.</para>

      <para><application>groff</application> and its related utilities
        have been updated to FSF version 1.17.2. This import brings in a
        new &man.mdoc.7; macro package (sometimes referred to as
        <literal>mdocNG</literal>), which removes many of the
        limitations of its predecessor.
        &merged;</para>

      <para><application>Heimdal</application> has been updated to
        0.3f.</para>

      <para>The <application>ISC DHCP</application> client has been
        updated to 2.0pl5. &merged;</para>

      <para><application>Kerberos IV</application> has been updated to
        1.0.5. &merged;</para>

      <para>The &man.more.1; command has been replaced by &man.less.1;,
        although it can still be run as
        <command>more</command>. <application>less</application> has
        been imported at 3.5.8. &merged;</para>

      <para><application>libpcap</application> has been updated to
        0.6.2. &merged;</para>

      <para><application>libreadline</application> has been updated to
        4.2.</para>

      <para><application>Linux-PAM</application> has been updated to
        0.75. &merged;</para>

      <para>A number of new <application>Linux-PAM</application> modules
        have been added, including: <filename>pam_ftp</filename>,
        <filename>pam_krb5</filename>,
        <filename>pam_nologin</filename>,
        <filename>pam_rootok</filename>,
        <filename>pam_securetty</filename>,
        <filename>pam_wheel</filename>.</para>

      <para><application>ncurses</application> has been updated to
        5.2-20010512.</para>

      <para>The <application>NTP</application> suite of programs has been
        updated to 4.1.0.</para>

      <para>The <application>OPIE</application> one-time-password suite
        has been updated to 2.32. &merged; It has completely replaced
        the functionality of <application>S/Key</application>.</para>

      <para><application>Perl</application> has been updated to version
        5.6.0.</para>

      <para>&man.routed.8; has been updated to version 2.22. &merged;</para>

      <para><application>tcpdump</application> has been updated to
        3.6.3. &merged;</para>

      <para>The &man.csh.1; shell has been replaced by &man.tcsh.1;,
        although it can still be run as <command>csh</command>.
        <application>tcsh</application> has been updated to version
        6.11. &merged;</para>

      <para>&man.traceroute.8; now takes its default maximum TTL value
        from the <varname>net.inet.ip.ttl</varname> sysctl
        variable. &merged;</para>

      <sect4>
        <title>CVS</title>

        <para><application>cvs</application> has been updated to
          1.11.1p1. &merged;</para>

        <para>The default value for &man.cvs.1;'s
          <envar>CVS_RSH</envar> variable is now <literal>ssh</literal>,
          rather than <literal>rsh</literal>. &merged;</para>

        <para>&man.cvs.1; now supports a <option>-T</option> option to
          update a sandbox's <filename>CVS/Template</filename> file from
          the repository. &merged;</para>

        <para>&man.cvs.1; <literal>diff</literal> now supports the
          <option>-j</option> option to perform differences against a
          revision relative to a branch tag. &merged;</para>
      </sect4>

      <sect4>
        <title>CVSup</title>

        <para><application>CVSup</application>, a frequently used
          utility in the &os; Ports Collection, was formerly installable
          using several ports and packages. The
          <port>net/cvsup-bin</port> and <port>net/cvsupd-bin</port>
          ports/packages are no longer necessary or available; the
          <port>net/cvsup</port> port should be used instead. &merged;</para>

        <para><application>CVSup</application> has been updated to
          16.1_3, which is available in the &os; Ports Collection as
          <port>net/cvsup</port>. This update fixes a long-standing
          (but only recently encountered) bug which affects the
          timestamps on all files after Sun Sep 9 01:46:40 UTC 2001
          (1,000,000,000 seconds after the UNIX epoch). &merged;</para>
      </sect4>

      <sect4 id="kame-userland">
        <title>KAME</title>

        <para>The IPv6 stack is now based on the KAME
          Project's IPv6 snapshot as of 28 May, 2001.
          Most of the
          items listed in this section are a result of this import.
          <xref linkend="kame-kernel"> lists kernel updates to the KAME
          IPv6 stack.  &merged;</para>

        <para>&man.faithd.8; now supports a configuration file for
          access control.  &merged;</para>

        <para>&man.ifconfig.8; can now perform the functions of
          &man.gifconfig.8;.  &merged;</para>

        <para>&man.ifconfig.8; can now perform the functions of
          &man.prefix.8;.  &man.prefix.8; is now a shell script for
          partial backwards compatibility.  &merged;</para>

        <para>&man.ndp.8; now implements garbage collection for stale
          NDP entries, as described in RFC 2461 (Neighbor Discovery for
          IP Version 6 (IPv6)).  &merged;</para>

        <para>&man.pim6dd.8; and &man.pim6sd.8; have been removed due to
          restrictive licensing conditions.  These programs are available
          in the ports collection as <port>net/pim6dd</port> and
          <port>net/pim6sd</port>.  &merged;</para>

        <para>&man.route6d.8; now supports an <option>-n</option> flag
          to avoid updating the kernel forwarding table.  &merged;</para>

        <para>The <option>-R</option> (router renumbering) option to
          &man.rtadvd.8; is currently ignored.  &merged;</para>
      </sect4>

      <sect4>
        <title>OpenSSH</title>

        <para><application>OpenSSH</application> has been updated to
          2.9, which provides support for the SSH2 protocol (now the
          default) and DSA keys.  &man.ssh-add.1; and &man.ssh-agent.1;
          can now handle DSA keys, with support for authentication
          forwarding.  <application>OpenSSH</application> users in the
          USA no longer need to rely on the restrictively-licensed
          RSAREF toolkit which is required to handle RSA keys.  Among
          other new features: A client and server for sftp have been
          added.  &man.scp.1; can now handle files larger than 2 GBytes.
          A limit on the number of outstanding, unauthenticated
          connections in &man.sshd.8; has been added.  Support has been
          added for the Rijndael encryption algorithm.  Rekeying of
          existing sessions is now supported, and an experimental
          <application>SOCKS4</application> proxy has been added to
          &man.ssh.1;.</para>

        <para><application>OpenSSH</application> can now authenticate
          using OPIE passwords in SSH1 mode.  Support is not yet available
          in SSH2 mode.  &merged;</para>

        <para><application>PAM</application> support for
          <application>OpenSSH</application> has been added.</para>

        <para>A long-standing bug in <application>OpenSSH</application>,
          which sometimes resulted in a dropped session when an
          X11-forwarded client was closed, was fixed.</para>

        <para><application>Kerberos</application> compatibility has been
          added to <application>OpenSSH</application>.  &merged;</para>

        <para><application>OpenSSH</application> has been modified to be
          more resistant to traffic analysis by requiring that
          <quote>non-echoed</quote> characters are still echoed back in a
          null packet, as well as by padding passwords sent so as not to
          hint at password lengths.  &merged;</para>

        <para>&man.sshd.8; is now enabled by default on new
          installs.  &merged;</para>

        <para>&man.sshd.8; <literal>X11Forwarding</literal> is now turned
          on by default on the server (any risk is to the client, where it
          is already disabled by default).  &merged;</para>

        <para>In <filename>/etc/ssh/sshd_config</filename>, the
          <literal>ConnectionsPerPeriod</literal> parameter has been
          deprecated in favor of <literal>MaxStartups</literal>.
          &merged;</para>

        <para><application>OpenSSH</application> now has a
          <literal>VersionAddendum</literal> configuration setting for
          &man.sshd.8; to allow changing the part of the
          <application>OpenSSH</application> version string after the
          main version number.</para>
      </sect4>

      <sect4>
        <title>OpenSSL</title>

        <para><application>OpenSSL</application> has been updated to
          0.9.6b.</para>

        <para><application>OpenSSL</application> now has support for
          machine-dependent ASM optimizations, activated by the new
          <varname>MACHINE_CPU</varname> and/or <varname>CPUTYPE</varname>
          <filename>make.conf</filename> variables.  &merged;</para>
      </sect4>

      <sect4>
        <title>sendmail</title>

        <para><application>sendmail</application> has been updated from
          version 8.9.3 to version 8.11.6.  Important changes include: new
          default file locations (see
          <filename>/usr/src/contrib/sendmail/cf/README</filename>);
          &man.newaliases.1; is limited to <username>root</username> and
          trusted users; STARTTLS encryption; and the MSA port (587) is
          turned on by default.  See
          <filename>/usr/src/contrib/sendmail/RELEASE_NOTES</filename> for
          more information.  &merged;</para>

        <para>&man.mail.local.8; is no longer installed as a SUID binary.
          If you are using a <filename>/etc/mail/sendmail.cf</filename> from
          the default <filename>sendmail.cf</filename> included with &os;
          any time after 3.1.0, you are fine.  If you are using a
          hand-configured <filename>sendmail.cf</filename> and
          <command>mail.local</command> for delivery, check to make sure the
          <literal>F=S</literal> flag is set on the
          <literal>Mlocal</literal> line.
          Those with
          <filename>.mc</filename> files who need to add the flag can do so
          by adding the following line to their <filename>.mc</filename>
          file and regenerating the <filename>sendmail.cf</filename>
          file:</para>

        <programlisting>MODIFY_MAILER_FLAGS(`LOCAL',`+S')dnl</programlisting>

        <para>Note that <literal>FEATURE(`local_lmtp')</literal> already
          does this.  &merged;</para>

        <para>The default <filename>/etc/mail/sendmail.cf</filename>
          disables the SMTP <literal>EXPN</literal> and
          <literal>VRFY</literal> commands.  &merged;</para>

        <para>&man.vacation.1; has been updated to use the version included with
          <application>sendmail</application>.  &merged;</para>

        <para>The <application>sendmail</application> configuration
          building tools are installed in
          <filename>/usr/share/sendmail/cf/</filename>.  &merged;</para>

        <para>New <filename>make.conf</filename> options:
          <varname>SENDMAIL_MC</varname> and
          <varname>SENDMAIL_ADDITIONAL_MC</varname>.  See
          <filename>/usr/share/examples/etc/make.conf</filename> for more
          information.  &merged;</para>

        <para><filename>/etc/mail/Makefile</filename> now supports: the
          new <varname>SENDMAIL_MC</varname> <filename>make.conf</filename>
          option; the ability to build <filename>.cf</filename> files from
          <filename>.mc</filename> files; generalized map rebuilding;
          rebuilding the aliases file; and the ability to stop, start, and
          restart <application>sendmail</application>.  &merged;</para>
      </sect4>
    </sect3>

    <sect3>
      <title>Ports/Packages Collection</title>

      <para>Version numbers of installed packages have a new
        (backward-compatible) syntax, which supports the
        <varname>PORTREVISION</varname> and <varname>PORTEPOCH</varname>
        variables in Ports Collection <filename>Makefile</filename>s.
        These changes help keep track of changes in the ports collection
        entries such as security patches or &os;-specific updates, which
        aren't reflected in the original, third-party software
        distributions.  &man.pkg.version.1; can now compare these
        new-style version numbers.  &merged;</para>

      <para>To improve performance and disk utilization, the <quote>ports
        skeletons</quote> in the &os; Ports Collection have been restructured.
        Installed ports and packages should not be affected.  &merged;</para>

      <para>All packages and ports now contain an <quote>origin</quote>
        directive, which makes it easier for programs such as
        &man.pkg.version.1; to determine the directory from which a
        package was built.  &merged;</para>

      <para>&man.pkg.update.1;, a utility to update installed packages
        and update their dependencies, has been added.  &merged;</para>

      <para>&man.pkg.info.1; now supports globbing against names of
        installed packages.  The <option>-G</option> option disables this
        behavior, and the <option>-x</option> option causes regular
        expression matching instead of shell globbing.  &merged;</para>

      <para>&man.pkg.info.1; can now accept a <option>-g</option> flag for
        verifying an installed package against its recorded checksums (to
        see if it's been modified post-installation).  Naturally, this
        mechanism is only as secure as the contents of
        <filename>/var/db/pkg</filename> if it's to be used for auditing
        purposes.  &merged;</para>

      <para>&man.pkg.create.1; and &man.pkg.add.1; can now work with
        packages that have been compressed using
        &man.bzip2.1;.  &man.pkg.add.1; will use the PACKAGEROOT
        environment variable to determine a mirror site for new
        packages.  &merged;</para>

      <para>&man.pkg.create.1; now records dependencies in dependency
        order rather than in the order specified on the command line.
        This improves the functioning of
        <command>pkg_add -r</command>.  &merged;</para>

      <para>&man.pkg.version.1; now has a version number comparison
        routine that corresponds to the Porters Handbook.  It also has a
        <option>-t</option> option for testing address comparisons.
        &merged;</para>

      <para>&man.pkg.version.1; now takes a <option>-s</option> flag
        to limit its operation to ports/packages matching a given
        string.  &merged;</para>

      <para>When requested to delete multiple packages,
        &man.pkg.delete.1; will now attempt to remove them in dependency
        order rather than the order specified on the command
        line.  &merged;</para>

      <para>&man.pkg.delete.1; now can perform glob/regexp matching of
        package names.  In addition, it supports a <option>-a</option>
        option for removing all packages and a <option>-i</option> option
        for &man.rm.1;-style interactive confirmation.  &merged;</para>

      <para>&man.pkg.sign.1; and &man.pkg.check.1; have been added to
        digitally sign and verify the signatures on binary package
        files.  &merged;</para>

      <para><application>BSDPAN</application>, a collection of modules
        that provides tighter integration of
        <application>Perl</application> into the &os; Ports
        Collection, has been added.</para>
    </sect3>
  </sect2>
</sect1>

<sect1>
  <title>Upgrading from previous releases of &os;</title>

  <para>If you're upgrading from a previous release of &os;, you
    generally will have three options:

    <itemizedlist>
      <listitem>
        <para>Using the binary upgrade option of &man.sysinstall.8;.
          This option is perhaps the quickest, although it presumes
          that your installation of &os; uses no special compilation
          options.</para>
      </listitem>
      <listitem>
        <para>Performing a complete reinstall of &os;.
          Technically,
          this is not an upgrading method, and in any case is usually less
          convenient than a binary upgrade, in that it requires you to
          manually back up and restore the contents of
          <filename>/etc</filename>.  However, it may be useful in
          cases where you want (or need) to change the partitioning of
          your disks.</para>
      </listitem>
      <listitem>
        <para>From source code in <filename>/usr/src</filename>.  This
          route is more flexible, but requires more disk space, time,
          and more technical expertise.  Upgrading from very old
          versions of &os; may be problematic; in cases like this, it
          is usually more effective to perform a binary upgrade or a
          complete reinstall.</para>
      </listitem>
    </itemizedlist>
  </para>

  <para>Please read the <filename>INSTALL.TXT</filename> file for more
    information, preferably <emphasis>before</emphasis> beginning an
    upgrade.  If you are upgrading from source, please be sure to read
    <filename>/usr/src/UPDATING</filename> as well.</para>

  <para>Finally, if you want to use one of various means to track the
    -STABLE or -CURRENT branches of &os;, please be sure to consult the
    <ulink
    url="http://www.FreeBSD.org/handbook/current-stable.html"><quote>-CURRENT
    vs. -STABLE</quote></ulink> section of the <ulink
    url="http://www.FreeBSD.org/handbook/">FreeBSD
    Handbook</ulink>.</para>

  <important>
    <para>Upgrading &os; should, of course, only be attempted after
      backing up <emphasis>all</emphasis> data and configuration
      files.</para>
  </important>
</sect1>