article.xml revision 97497
<articleinfo>
  <title>&os;/&arch; &release.current; Release Notes</title>

  <corpauthor>The FreeBSD Project</corpauthor>

  <pubdate>$FreeBSD: head/release/doc/en_US.ISO8859-1/relnotes/article.sgml 97497 2002-05-29 18:27:14Z bmah $</pubdate>

  <copyright>
    <year>2000</year>
    <year>2001</year>
    <year>2002</year>
    <holder role="mailto:doc@FreeBSD.org">The FreeBSD Documentation Project</holder>
  </copyright>

  <abstract>
    <para>The release notes for &os; &release.current; contain a summary
      of the changes made in the &os; base system since &release.prev;.
      Both changes for kernel and userland are listed, as well as
      applicable security advisories that were issued since the last
      release. Some brief remarks on upgrading are also presented.</para>
  </abstract>
</articleinfo>

<sect1>
  <title>Introduction</title>

  <para>This document contains the release notes for &os;
    &release.current; on the &arch.print; hardware platform. It
    describes new features of &os; that have been added (or changed)
    since &release.prev;. It also provides some notes on upgrading
    from previous versions of &os;.</para>

<![ %release.type.snapshot [

  <para>The &release.type; distribution to which these release notes
    apply represents a point along the &release.branch; development
    branch between &release.prev; and the future &release.next;. Some
    pre-built, binary &release.type; distributions along this branch
    can be found at <ulink url="&release.url;"></ulink>.</para>

]]>

<![ %release.type.release [

  <para>This distribution of &os; &release.current; is a
    &release.type; distribution. It can be found at <ulink
    url="&release.url;"></ulink> or any of its mirrors.
    More information on obtaining this (or other) &release.type;
    distributions of &os; can be found in the <ulink
    url="http://www.FreeBSD.org/handbook/mirrors.html"><quote>Obtaining
    FreeBSD</quote> appendix</ulink> to the <ulink
    url="http://www.FreeBSD.org/handbook/">FreeBSD
    Handbook</ulink>.</para>

]]>
</sect1>

<sect1>
  <title>What's New</title>

  <para>This section describes the most user-visible new or changed
    features in &os; since &release.prev;. Typical release note items
    document new drivers or hardware support, new commands or options,
    major bugfixes, or contributed software upgrades. Security
    advisories issued after &release.prev; are also listed. In
    general, changes described here are unique to the &release.branch;
    branch unless specifically marked as &merged; features.</para>

  <para>Many additional changes were made to &os; that are not listed
    here for lack of space. For example, documentation was corrected
    and improved, minor bugs were fixed, insecure coding practices
    were audited and corrected, and source code was cleaned up.</para>

  <sect2 id="kernel">
    <title>Kernel Changes</title>

    <para arch="i386">The &man.amdpm.4; driver has been added to
      provide access to the system monitoring functions of the AMD 756
      chipset. &merged;</para>

    <para>The &man.agp.4; driver for AGP devices has been
      added. &merged;</para>

    <para>A new &man.ddb.4; command <command>show pcpu</command> lists
      some of the per-CPU data.</para>

    <para>Two new &man.ddb.4; commands, <command>hwatch</command> and
      <command>dhwatch</command>, have been introduced. Analogous to
      <command>watch</command> and <command>dwatch</command>, they
      install hardware watchpoints (as opposed to software
      watchpoints) if supported by the architecture.
      &merged;</para>

    <para>&man.devfs.5;, which allows entries in the
      <filename>/dev</filename> directory to be built automatically
      and supports more flexible attachment of devices, has been
      largely reworked. &man.devfs.5; is now enabled by default and
      can be disabled by the <literal>NODEVFS</literal> kernel
      option.</para>

    <para>The dgm driver has been removed in favor of the digi driver.</para>

    <para>A new digi driver has been added to support PCI Xr-based and
      ISA Xem Digiboard cards. A new &man.digictl.8; program is
      (mainly) used to re-initialize cards that have external port
      modules attached such as the PC/Xem.</para>

    <para>An &man.eaccess.2; system call has been added, similar to
      &man.access.2; except that the former uses effective credentials
      rather than real credentials.</para>

    <para arch="sparc64">Support has been added for EBus-based
      devices.</para>

    <para arch="i386">The &man.ichsmb.4; driver for the Intel 82801AA
      (ICH) SMBus controller and compatibles has been
      added. &merged;</para>

    <para>Each &man.jail.2; environment can now run under its own
      securelevel.</para>

    <para>The tunable sysctl variables for &man.jail.2; have moved
      from <varname>jail.*</varname> to the
      <varname>security.*</varname> hierarchy. Other security-related
      sysctl variables have moved from <varname>kern.security.*</varname> to
      <varname>security.*</varname>.</para>

    <para>The <varname>kern.maxvnodes</varname> limit now properly
      limits the number of vnodes in use. Previously only vnodes with
      no cached pages could be freed; this could allow the number of
      vnodes to grow without limit on large-memory machines accessing
      many small files. A <literal>vnlru</literal> kernel thread
      helps to flush and reuse vnodes.
      &merged;</para>

    <para>The kernel message buffer is now accessible by the
      (machine-independent) <varname>kern.msgbuf</varname> sysctl
      variable; &man.dmesg.8; no longer needs to be SGID
      <groupname>kmem</groupname>. &merged;</para>

    <para>The kernel environment is now dynamic, and can be changed
      via the new &man.kenv.2; system call.</para>

    <para>The &man.kqueue.2; event notification facility was added to
      the &os; kernel. This is a new interface which is able to
      replace &man.poll.2;/&man.select.2;, offering improved
      performance, as well as the ability to report many different
      types of events. Support for monitoring changes in sockets,
      pipes, fifos, and files is present, as well as for signals and
      processes. &merged;</para>

    <para arch="i386">A new <varname>KVA_SPACE</varname> kernel option
      can be used to reconfigure the size of the kernel virtual
      address space. &merged;</para>

    <para>The &man.labpc.4; driver has been removed due to
      <quote>bitrot</quote>.</para>

    <para>The loader and kernel linker now look for files named
      <filename>linker.hints</filename> in each directory with KLDs
      for a module name and version to KLD filename mapping. The new
      &man.kldxref.8; utility is used to generate these files.</para>

    <para>Linux emulation now supports the kernel functionality
      required by the
      <filename role="package">emulators/linux_base-7</filename>
      (RedHat 7.X emulation) port. &merged;</para>

    <para>Linux emulation now requires <literal>options
      SYSVSEM</literal> in the kernel configuration. &merged;</para>

    <para>&man.lomac.4;, a Low-Watermark Mandatory Access Control
      security facility, has been added as a kernel module. It
      provides a drop-in security mechanism in addition to the
      traditional UID-based security facilities, requiring no
      additional configuration from the administrator.
      Work on this feature was sponsored by DARPA and NAI Labs.</para>

    <para>The <varname>maxusers</varname> kernel configuration
      parameter is now a boot-time tunable variable. The kernel
      parameters derived from <varname>maxusers</varname> are now also
      tunables and can be overridden at boot-time. The
      <varname>hz</varname> parameter is also now a
      tunable. &merged;</para>

    <para>Specifying a value of <literal>0</literal> for the
      <varname>maxusers</varname> kernel configuration parameter will
      now cause an appropriate value to be calculated at boot-time
      (between 32 and 384, depending on the amount of memory present).
      This value is now the default for all
      <filename>GENERIC</filename> kernels. &merged;</para>

    <para arch="alpha">A <varname>MAXMEM</varname> kernel option,
      along with the <varname>hw.physmem</varname> loader tunable, can
      be used to artificially reduce the memory size of a machine for
      testing (or other purposes). &merged;</para>

    <para>The kernel configuration parameters
      <varname>MAXTSIZ</varname>, <varname>DFLDSIZ</varname>,
      <varname>MAXDSIZ</varname>, <varname>DFLSSIZ</varname>,
      <varname>MAXSSIZ</varname>, and <varname>SGROWSIZ</varname> are
      all loader tunables (<varname>kern.maxtsiz</varname>,
      <varname>kern.maxdfldsiz</varname>, etc.). &merged;</para>

    <para>&man.mutex.9; profiling code has been added, enabled by the
      <literal>MUTEX_PROFILING</literal> kernel configuration option.
      It enables the <varname>debug.mutex.prof.*</varname> hierarchy
      of sysctl variables.</para>

    <para arch="i386">The <literal>NCPU</literal>, <literal>NAPIC</literal>,
      <literal>NBUS</literal>, and <literal>NINTR</literal> kernel
      configuration options, for configuring SMP kernels, have been
      removed. <literal>NCPU</literal> is now set to a maximum of 16,
      and the other, aforementioned options are now
      dynamic.
      &merged;</para>

    <para>A &man.nmdm.4; null-modem terminal driver has been added.
      &merged;</para>

    <para>The <literal>O_DIRECT</literal> flag has been added to
      &man.open.2; and &man.fcntl.2;. Specifying this flag for open
      files will attempt to minimize the cache effects of reading and
      writing. &merged;</para>

    <para>An &man.orm.4; device has been added to claim the option
      ROMs in the ISA memory I/O space, to prevent other drivers from
      mistakenly assigning addresses that conflict with these
      ROMs. &merged;</para>

    <para arch="i386">PECOFF (Win32 Execution file format) support has
      been added.</para>

    <para arch="i386">The pmc driver, which supports the power
      management controller of the NEC PC-98NOTE, has been
      added. &merged;</para>

    <para>POSIX.1b Shared Memory Objects are now supported. The
      implementation uses regular files, but automatically enables the
      MAP_NOSYNC flag when they are &man.mmap.2;-ed. &merged;</para>

    <para>Replaced the <literal>PQ_*CACHE</literal> options with a
      single <literal>PQ_CACHESIZE</literal> option to be set to the
      cache size in kilobytes. The old options are still supported
      for backwards compatibility. &merged;</para>

    <para arch="i386">The &man.puc.4; (PCI <quote>Universal</quote>
      Communications) driver has been added, to help connect PCI-based
      serial ports to the &man.sio.4; driver. &merged;</para>

    <para>The &man.random.4; device has been rewritten to use the
      <application>Yarrow</application> algorithm. It harvests
      entropy from a variety of interrupt sources, including the
      console devices, Ethernet and point-to-point network interfaces,
      and mass-storage devices. Entropy from the &man.random.4;
      device is now periodically saved to files in
      <filename>/var/db/entropy</filename>, as well as at shutdown
      time.
      The semantics of <filename>/dev/random</filename> have
      changed; it never blocks waiting for entropy bits but generates
      a stream of pseudo-random data and now behaves exactly as
      <filename>/dev/urandom</filename>.</para>

    <para>A new kernel option, <literal>options REGRESSION</literal>,
      enables interfaces and functionality intended for use during
      correctness and regression testing.</para>

    <para arch="sparc64">Support has been added for SBus-based
      devices.</para>

    <para arch="sparc64">The se driver, which supports the Siemens
      SAB82532 serial chip found on many newer Sparc Ultra machines,
      has been added.</para>

    <para>The &man.snp.4; device is no longer static and can now be
      compiled as a module. &merged;</para>

    <para arch="i386">The &man.spic.4; driver, which provides access
      to the Jog Dial device on some Sony laptops, has been
      added. &man.moused.8; support for this device has also been
      added. &merged;</para>

    <para>The &man.syscons.4; driver now supports keyboard-controlled
      pasting, by default bound to
      <keycap>Shift</keycap>-<keycap>Insert</keycap>.</para>

    <para>Support for USB devices was added to the
      <filename>GENERIC</filename> kernel and to the installation
      programs to support USB devices out of the box. Note that SRM
      does not support USB devices at the moment, so you must still
      use an AT keyboard if you are not using a serial
      console. &merged;</para>

    <para arch="i386">The &man.umodem.4; driver for USB modems has been added.
      Support is provided for the 3Com 5605 and Metricom Ricochet GS
      wireless USB modems. &merged;</para>

    <para arch="i386">The &man.uscanner.4; driver for basic USB
      scanner support using SANE has been added. See <ulink
      url="http://www.mostang.com/sane/">the SANE home page</ulink>
      for supported scanners. The HP ScanJet 4100C, 5200C and 6300C
      are known to be working.
      &merged;</para>

    <para>The &man.ucom.4; device driver has been added, to support USB
      modems, serial devices, and other programs that need to look
      like a tty. The related &man.uplcom.4; and &man.uvscom.4; drivers provide specific
      support for the Prolific PL-2303 serial adapter and the SUNTAC
      Slipper U VS-10U, respectively.</para>

    <para>To increase security, the <literal>UCONSOLE</literal> kernel
      configuration option has been removed.</para>

    <para arch="i386">The UserConfig boot-time kernel configuration
      feature, usually used to enable, disable, or configure ISA
      devices, has been removed. Its functionality has been replaced
      by the kernel hints file in
      <filename>/boot/device.hints</filename>.</para>

    <para>The <literal>USER_LDT</literal> kernel option is now
      activated by default.</para>

    <para>A VESA S3 linear framebuffer driver has been added.</para>

    <para arch="i386">The &man.viapm.4; driver for VIA SMBus
      power management controllers has been added. &merged;</para>

    <!-- Above this line, sort kernel changes by manpage/keyword-->

    <para>Write combining for crashdumps has been implemented. This
      feature is useful when write caching is disabled on both SCSI
      and IDE disks, where large memory dumps could take up to an hour
      to complete. &merged;</para>

    <para>The kernel crashdump infrastructure has been revised, to
      support new platforms and in general clean up the logic in the
      code.
      One implication of this change is that the on-disk format
      for kernel dumps has changed, and is now
      byte-order-agnostic.</para>

    <para>Extremely large swap areas (>67 GB) no longer panic the
      system.</para>

    <para arch="alpha">Support for threads under Linux emulation has
      been added.</para>

    <para>The <maketarget>buildkernel</maketarget> target now gets the
      name of the configuration(s) to build from the
      <varname>KERNCONF</varname> variable, not
      <varname>KERNEL</varname>. It is no longer required, in some
      cases, for a <maketarget>buildworld</maketarget> to precede a
      <maketarget>buildkernel</maketarget>. (The
      <maketarget>buildworld</maketarget> is still required when
      upgrading across major releases, across
      <application>binutils</application> updates and when
      &man.config.8; changes version.) &merged;</para>

    <para>The out-of-swap process termination code now begins killing
      processes earlier to avoid deadlocks; it now also takes into
      account the swap space used by processes when computing the
      process sizes. &merged;</para>

    <para>Linker sets are now self-contained; &man.gensetdefs.8; is
      unnecessary and has been removed.</para>

    <para>Network device cloning has been implemented, and the
      &man.gif.4; device has been modified to take advantage of it.
      Thus, instead of specifying how many &man.gif.4; interfaces are
      available in kernel configuration files, &man.ifconfig.8;'s
      <option>create</option> option should be used when another device
      instance is desired.
      &merged;</para>

    <para>It is now possible to hardwire kernel environment variables
      (such as tunables) at compile-time using &man.config.8;'s
      <literal>ENV</literal> directive.</para>

    <para>Idle zeroing of pages can be enabled with the
      <varname>vm.idlezero_enable</varname> sysctl variable.</para>

    <para arch="i386">The load addresses of kernels are now exported
      to the symbol table and various hard-coded constants have been
      removed so that utilities such as &man.ps.1; can work with
      kernels compiled at different addresses. &merged;</para>

    <para>Coredumps of large processes (or of a large number of
      processes) no longer lock up the machine for long periods of
      time. &merged;</para>

    <para>The Kernel-Scheduled Entity project has made changes to the
      kernel scheduler to more efficiently handle multi-threaded
      programs.</para>

    <para>The kernel now has support for multiple low-level console
      devices. The new &man.conscontrol.8; utility helps to manage
      the different consoles.</para>

    <para arch="alpha">The console driver has gained support for
      TGA-based display adapters.</para>

    <para>The kernel on the installation CDs is now separated from the
      <filename>mfsroot</filename> image. This permits the use of a
      full kernel when installing from CD on machines that support CD
      booting (instead of the stripped-down kernel used on
      floppies). &merged;</para>

    <para>The system load average computation now adds some jitter to
      the timing of samples, in order to avoid synchronization with
      processes that run periodically. &merged;</para>

    <para>If a debugging kernel with modules is being built
      (i.e. using <literal>makeoptions DEBUG=-g</literal>), the
      modules will now be built with debugging support as well, for
      completeness.
      A side effect of this change is that modules
      built and installed with debugging kernels will now occupy more
      space on disk than they did previously. &merged;</para>

    <para>The kernel dump device can now be set via the
      <varname>dumpdev</varname> loader tunable. As a result, it is
      now possible to obtain crash dumps from panics during the late
      stages of kernel initialization (before the system enters into
      single-user mode). &merged;</para>

    <para>The kernel memory allocator is now a slab memory allocator,
      similar to that used in Solaris. This is an SMP-safe memory
      allocator that has near-linear performance as the number of CPUs
      increases. It also allows for reduced memory
      fragmentation.</para>

    <sect3>
      <title>Processor/Motherboard Support</title>

      <para>SMP support has been largely reworked, incorporating code
        from BSD/OS 5.0. One of the main features of SMPng
        (<quote>SMP Next Generation</quote>) is to allow more
        processes to run in kernel, without the need for spin locks
        that can dramatically reduce the efficiency of multiple
        processors. Interrupt handlers now have contexts associated
        with them that allow them to be blocked, which reduces the
        need to lock out interrupts.</para>

      <para arch="i386">Support for the 80386 processor has been
        removed from the <filename>GENERIC</filename> kernel, as this
        code seriously pessimizes performance on other IA32
        processors.
        The <literal>I386_CPU</literal> kernel option
        to support the 80386 processor is now mutually exclusive with
        support for other IA32 processors; this should slightly
        improve performance on the 80386 due to the elimination of
        runtime processor type checks.
        Custom kernels that will run on the 80386 can
        still be built by changing the cpu options in the kernel
        configuration file to only include
        <literal>I386_CPU</literal>.</para>

      <para arch="alpha">AlphaServer 1200 (<quote>Tincup</quote>) has
        been tested and works OK. Currently it does not want to boot
        from CD or floppy but a transplanted disk that was installed
        on another Alpha works well. &merged;</para>

      <para arch="alpha">The API UP1100 mainboard has been verified to
        work.</para>

      <para arch="alpha">The API CS20 1U high server has been verified
        to work.</para>

      <para arch="alpha">The DEC3000 series support has been removed
        from the mfsroot floppy image so that it fits on a 1.44 Mbyte
        floppy again. As the DEC3000 is currently only usable diskless
        this should not cause any problems.</para>

      <para arch="alpha">Support for AlphaServer 2100A
        (<quote>Lynx</quote>) has been added.</para>

      <para arch="alpha">Kernel code has been added that allows older
        generation Alpha CPUs (EV4 and EV5) to emulate instructions of
        the newer Alpha CPU generations. This enables the use of
        binary-only programs like <application>Adobe Acrobat
        4</application> on EV4 and EV5.</para>

      <para arch="alpha">SMP support for the Alpha is now operational.</para>

      <para arch="i386">Detection for new processors, such as the
        FC-PGA2 Pentium III (Tualatin), Transmeta Crusoe, and
        Transmeta Crusoe LongRun, has been added.
        &merged;</para>

      <para arch="alpha">Support for the following hardware has been
        removed from the installation kernel to make it fit on a
        1.44MB floppy again: Multia, NoName, PC64, EB64, Aspen Alpine,
        sa (SCSI tape), amr, parallel port support, vx (3c590, 3c595),
        pcn (AMD Am79C97x PCI 10/100), sf (Adaptec AIC-6915), sis (SiS
        900/SiS 7016), ste (Sundance ST201 (D-Link DFE-550TX)), wb
        (Winbond W89C840F).</para>

      <para arch="i386">Support for Streaming <acronym>SIMD</acronym>
        Extensions (<acronym>SSE</acronym>) has been introduced. The
        <literal>CPU_ENABLE_SSE</literal> kernel option controls
        whether support is compiled into the kernel. &merged;</para>

      <para arch="i386">The <literal>CPU_ATHLON_SSE_HACK</literal>
        kernel option has been added, which attempts to enable the SSE
        feature bit on newer Athlon CPUs if the BIOS has forgotten to
        enable it. &merged;</para>

      <para arch="sparc64">The UltraSPARC platform is now supported by
        &os;. The following machines are supported to at least some
        degree: Ultra 1/2/5/10/30/60, Enterprise 220R/420R, Netra T1 AC200/DC200, Netra T 105, and Blade
        100. SMP is supported, and has been tested on the
        Ultra 2, Ultra 60, Enterprise 220R, and
        Enterprise 420R.</para>

      <para arch="i386">On some systems, the BIOS does not activate
        the I/O ports and memory of PC devices, thus making them
        unusable. The <literal>PCI_ENABLE_IO_MODES</literal> kernel
        option forces &os; to enable these devices so that they can be
        used. &merged;</para>

    </sect3>

    <sect3>
      <title>Bootloader Changes</title>

      <para arch="i386"><filename>boot2</filename> now supports a
        <option>-n</option> option to disallow boot interruption by
        keypresses.
        &merged;</para>

      <para arch="i386">A new <filename>cdboot</filename> bootstrap
        utility for CDROMs provides better compatibility with some
        BIOS implementations that do not completely implement the El
        Torito bootable CDROM standard. This boot loader supports
        <quote>no emulation</quote> mode booting, thus eliminating the
        need for an emulated floppy disk image on a bootable
        CDROM. &merged;</para>

      <para arch="i386">The i386 boot loader now has support for a
        <literal>nullconsole</literal> console type, for use on
        systems with neither a video console nor a serial
        port. &merged;</para>

      <para arch="i386">The &man.loader.8; now has optional support
        (enabled at compile-time, off by default) for loading
        <application>bzip2</application>-compressed kernels and
        modules. &merged;</para>

      <para arch="i386">Support for Intel's Wired for Management 2.0
        (PXE) was added to the &os; boot loader. Due to API
        differences, the older PXE versions are not supported. This
        allows network booting using DHCP. &merged;</para>

      <!-- Above this line, order bootloader changes by keyword-->

      <para arch="i386">The &os; boot loader now contains a workaround
        to support CDROM booting on certain IBM BIOSs that expect the
        first sector of the emulated floppy to contain a valid MS-DOS
        BPB that they can modify. &merged;</para>

      <para arch="i386">The &os; boot loader now supports a
        <option>-p</option> flag to force the kernel to pause after
        each line of output during the probing phase. &merged;</para>

      <para arch="alpha,i386">The &os; boot loader is now capable of
        booting from filesystems with block sizes larger than
        8K. &merged;</para>

      <para>The kernel and modules have been moved to the directory
        <filename>/boot/kernel</filename>, so they can be easily
        manipulated together.
        The boot loader has been updated to
        make this change as seamless as possible.</para>
    </sect3>

    <sect3>
      <title>Network Interface Support</title>

      <para>The &man.an.4; driver for Cisco Aironet cards now supports
        Wired Equivalent Privacy (WEP) encryption, settable via
        &man.ancontrol.8;. &merged;</para>

      <para>The &man.an.4; driver now supports the Cisco Aironet 350
        series of adaptors. &merged;</para>

      <para>The &man.an.4; driver now supports <quote>monitor</quote>
        mode, settable via the <option>-M</option> option to
        &man.ancontrol.8;. &merged;</para>

      <para>The &man.an.4; driver now supports Cisco LEAP, as well as
        the <quote>Home</quote> WEP key. The Linux Aironet utilities
        are now supported under emulation. &merged;</para>

      <para arch="i386">Generic support for ARCNET token-based
        networks has been added. &merged;</para>

      <para arch="i386">The &man.bge.4; driver has been added to
        support the Broadcom BCM570x family of Gigabit Ethernet
        controllers, including the 3Com 3c996-T, the SysKonnect
        SK-9D21 and SK-9D41, and the built-in Gigabit Ethernet NICs on
        Dell PowerEdge 2550 servers. Output TCP/IP checksum offload,
        jumbo frames and VLAN tag insertion/stripping are supported,
        as well as interrupt moderation. &merged;</para>

      <para arch="i386">The cm driver has been added to support SMC
        COM90cx6 ARCNET network adapters. &merged;</para>

      <para>The &man.dc.4; driver now supports NICs based on the Xircom
        3201 and Conexant LANfinity RS7112 chips.</para>

      <para>The &man.dc.4; driver now has support for
        VLANs. &merged;</para>

      <para>The &man.de.4; driver now performs round-robin arbitration
        between the transmit and receive units of the 21143, instead
        of giving priority to the receive unit. This gives a
        10–15% performance improvement in the forwarding rate
        under heavy load.
        &merged;</para>

      <para arch="alpha">The &man.ed.4; driver is now supported.</para>

      <para arch="i386">Linksys Fast Ethernet PCCARD cards supported
        by the &man.ed.4; driver now require the addition of flag
        <literal>0x80000</literal> to their config line in
        &man.pccard.conf.5;. This flag is not optional. These
        Linksys cards will not be recognized without
        it. &merged;</para>

      <para>A bug in the &man.ed.4; driver that could cause panics
        with very short packets and BPF or bridging active has been
        fixed. &merged;</para>

      <para>The &man.ed.4; driver now has support for D-Link DL10022
        chips, necessary for the NetGear FA-410TX and other cards. As
        a result, <literal>device miibus</literal> is required in
        kernel configurations using the &man.ed.4;
        driver. &merged;</para>

      <para arch="i386">The &man.el.4; driver can now be loaded as a
        module.</para>

      <para arch="i386">The &man.em.4; driver has been added to
        support NICs based on the Intel 82542, 82543, and 82544
        Gigabit Ethernet controller chips. The driver supports
        transmit/receive checksum offload and jumbo frames on 82543
        and 82544-based adapters. &merged;</para>

      <para>The &man.faith.4; device is now loadable, unloadable, and
        clonable. &merged;</para>

      <para arch="i386">Support for Fujitsu MB86960A/MB86965A based
        Ethernet PC-Cards has been added back in the &man.fe.4;
        driver. &merged;</para>

      <para arch="alpha">The &man.fpa.4; driver now supports Digital's
        DEFPA FDDI adaptors on the Alpha. &merged;</para>

      <para>The &man.fxp.4; driver now requires a <literal>device
        miibus</literal> entry in the kernel configuration
        file. &merged;</para>

      <para>The &man.fxp.4; driver now contains a workaround for PCI
        protocol violations caused by defects in some systems based on
        the Intel ICH2/ICH2-M chip.
        The workaround is to rewrite the
        EEPROM on the interface to disable Dynamic Standby Mode; once
        the EEPROM is rewritten, the system needs to be rebooted for
        the new settings to take effect. &merged;</para>

      <para>The &man.fxp.4; driver now supports Intel's loadable
        microcode to implement receive-side interrupt coalescing and
        packet bundling, on NICs that support these features. This
        support can be activated by the use of the
        <option>link0</option> option to
        &man.ifconfig.8;. &merged;</para>

      <para arch="sparc64">The gem driver has been added to support
        the Sun GEM Gigabit Ethernet and ERI Fast Ethernet
        adapters.</para>

      <para>The &man.gx.4; driver has been added to support NICs based
        on the Intel 82542 and 82543 Gigabit Ethernet controller
        chips. Both fiber and copper variants of the cards are
        supported. Both boards support VLAN tagging/insertion, and
        the 82543 additionally supports TCP/IP checksum
        offload. &merged;</para>

      <para arch="sparc64">The hme driver has been added to support
        the Sun HME Fast Ethernet adapter, onboard on many Sun Ultra
        series machines.</para>

      <para>The &man.lge.4; driver has been added to support the Level
        1 LXT1001 NetCellerator Gigabit Ethernet controller chip. This
        device is used on some fiber optic GigE cards from SMC, D-Link
        and Addtron. Jumbograms and TCP/IP checksum offload on
        receive are supported, although hardware VLAN filtering is
        not. &merged;</para>

      <para>The my driver, which supports the Myson Fast Ethernet and
        Gigabit Ethernet adapters, has been added. &merged;</para>

      <para>Added the &man.nge.4; driver, which supports PCI Gigabit
        Ethernet adapters based on the National Semiconductor DP83820
        and DP83821 Gigabit Ethernet controller chips, including the
        D-Link DGE-500T, SMC EZ Card 1000 (SMC9462TX), Asante
        FriendlyNet GigaNIC 1000TA and 1000TPC and Addtron AEG320T.
        This driver supports transmit and receive checksum
        offloading. &merged;</para>

      <para>The &man.pcn.4; driver, which supports the AMD PCnet/FAST,
        PCnet/FAST+, PCnet/FAST III, PCnet/PRO, PCnet/Home, and
        HomePNA adapters, has been added. Although these cards are
        already supported by the &man.lnc.4; driver, the &man.pcn.4;
        driver runs these chips in 32-bit mode and uses the RX
        alignment feature to achieve zero-copy receive. This driver
        is also machine-independent, so it will work on both the i386
        and Alpha platforms. The &man.lnc.4; driver is still needed
        to support non-PCI cards. &merged;</para>

      <para>The &man.ray.4; driver, which supports the Webgear Aviator
        wireless network cards, has been committed. The operation of
        &man.ray.4; interfaces can be modified by
        &man.raycontrol.8;. &merged;</para>

      <para arch="i386">The sbni driver, for supporting the Granch
        SBNI12 series of ISA and PCI point-to-point communications
        interfaces, has been added. The <filename
        role="package">sysutils/sbniconfig</filename> port in the &os;
        Ports Collection can be used for configuring these
        devices. &merged;</para>

      <para>Added support for PCI Ethernet adapters based on the SiS
        900 and SiS 7016 Fast Ethernet controller chips (for example,
        as seen on the SiS 635 and 735 motherboard chipsets), as well
        as the National Semiconductor DP83815 chipset (including the
        NetGear FA311-TX and FA312-TX) in the form of the &man.sis.4;
        driver. This device has support for VLANs. &merged;</para>

      <para arch="i386">The snc driver for the National Semiconductor
        DP8393X (SONIC) Ethernet controller has been added.
        Currently, this driver is only used on the PC-98
        architecture. &merged;</para>

      <para>The &man.stf.4; device is now clonable.</para>

      <para>The &man.tap.4; driver, a virtual Ethernet device driver
        for bridged configurations, has been added.
        This device is
        clonable. &merged;</para>

      <para>The &man.ti.4; driver now supports the Alteon AceNIC
        1000baseT Gigabit Ethernet and Netgear GA620T 1000baseT
        Gigabit cards. &merged;</para>

      <para>The &man.ti.4; driver correctly masks VLAN tags. &merged;</para>

      <para>The &man.txp.4; driver has been added to support NICs
        based on the 3Com 3XP Typhoon/Sidewinder (3CR990)
        chipset. &merged;</para>

      <para>&man.vlan.4; devices are now loadable, unloadable, and
        clonable. &merged;</para>

      <para>The &man.wi.4; driver now has support for Prism II and
        Prism 2.5-based NICs. 104/128-bit WEP now works on Prism
        cards. &merged;</para>

      <para>The &man.wi.4; driver now supports using a &os; host as
        a wireless access point. This functionality can be enabled
        using the <literal>mediaopt hostap</literal> option of
        &man.ifconfig.8;. This feature requires a wireless
        adapter based on the Prism II chipset. &merged;</para>

      <para>The &man.wi.4; driver now has support for
        <application>bsd-airtools</application>. &merged;</para>

      <para>The xe driver can now be built as a
        module. &merged;</para>

      <para>The &man.xl.4; driver now supports the 3Com 3C556 and
        3C556B MiniPCI adapters used on some laptops. &merged;</para>

      <para>The &man.xl.4; driver now supports reception of VLAN
        tagged frames (on the <quote>Cyclone</quote> or newer
        chipsets). &merged;</para>

      <para>The &man.xl.4; driver now supports send- and receive-side
        TCP/IP checksum offloading for NICs implementing this feature,
        such as the 3C905B, 3C905C, and 3C980C. &merged;</para>

      <para>A bug in the &man.xl.4; driver, related to statistics
        overflow interrupt handling, was causing slowdowns at medium
        to high packet rates; this has been fixed.
        &merged;</para>

      <para>The per-interface <varname>ifnet</varname> structure now
        has the ability to indicate a set of capabilities supported by
        a network interface, and which ones are enabled.
        &man.ifconfig.8; has support for querying these
        capabilities. &merged;</para>

      <para>Performance with hosts having a large number of IP aliases
        has been improved, by replacing the per-interface
        <varname>if_inaddr</varname> linear list with a hash table. &merged;</para>

      <para>Network devices now automatically appear as special files in
        <filename>/dev/net</filename>. Interface hardware ioctls (not
        protocol or routing) can be performed on these devices. The
        <varname>SIOCGIFCONF</varname> ioctl may be performed on the
        special <filename>/dev/network</filename> node.</para>

      <para>Selected network drivers now implement a semi-polling
        mode, which makes systems much more resilient to attacks and
        overloads. To enable polling, the following options are
        required in a kernel configuration file:

        <programlisting>options DEVICE_POLLING
options HZ=1000 # not compulsory but strongly recommended</programlisting>

        The <varname>kern.polling.enable</varname> sysctl variable
        will then activate polling mode; with the
        <varname>kern.polling.user_frac</varname> sysctl indicating
        the percentage of CPU time to be reserved for userland. The
        devices initially supporting polling are &man.dc.4;,
        &man.fxp.4;, &man.rl.4;, and &man.sis.4;. More details can be found in
        the &man.polling.4; manual page. &merged;</para>

      <para arch="i386">The packet-forwarding performance of certain
        network drivers (specifically &man.dc.4; and &man.sis.4;) has
        been enhanced by the elimination of unnecessary buffer
        copies.
        &merged;</para>
    </sect3>

    <sect3>
      <title>Network Protocols</title>

      <para>&man.accept.filter.9;, a kernel feature to reduce
        overheads when accepting and reading new connections on
        listening sockets, has been added. &merged;</para>

      <para>The <literal>proxy</literal> modifier to &man.arp.8;'s
        <option>-d</option> option has been renamed to
        <literal>pub</literal>, for consistency with the
        <option>-s</option> option. The <literal>only</literal> keyword
        has been added to the <option>-s</option> and
        <option>-S</option> flags, to be used in creating
        <quote>proxy-only</quote> published entries. &merged;</para>

      <para>The read timeout feature of &man.bpf.4; now works more
        correctly with &man.select.2;/&man.poll.2;, and therefore with
        pthreads. &merged;</para>

      <para>&man.bridge.4; and &man.dummynet.4; have received some
        enhancements and bug fixes, and are now loadable
        modules. &merged;</para>

      <para>&man.bridge.4; now has better support for multiple,
        fully-independent bridging clusters, and is much more stable
        in the presence of dynamic attachments and detachments.
        VLANs are also fully supported. &merged;</para>

      <para>ICMP ECHO and TSTAMP replies are now rate limited. TCP
        RSTs generated due to packets sent to open and unopen ports
        are now limited by separate counters. Each rate limiting
        queue now has its own description.</para>

      <para>ICMP <literal>UNREACH_FILTER_PROHIB</literal> messages can
        now RST TCP connections in the <literal>SYN_SENT</literal>
        state if the correct sequence numbers are sent back, as
        controlled by the
        <varname>net.inet.tcp.icmp_may_rst</varname> sysctl. &merged;</para>

      <para>IP multicast now works on VLAN devices.
        Several other
        bugs in the VLAN code have also been fixed.</para>

      <para>A bug in the IPsec processing for IPv4, which caused the
        inbound SPD checks to be ignored, has been fixed. &merged;</para>

      <para>&man.ipfw.4; now filters correctly in the presence of ECN
        bits in TCP segments. &merged;</para>

      <para>A new ng_eiface netgraph module has been added, which
        appears as an Ethernet interface but delivers its Ethernet
        frames to a Netgraph hook. &merged;</para>

      <para>A new &man.ng.etf.4; netgraph node allows Ethernet type
        packets to be filtered to different hooks depending on
        ethertype. &merged;</para>

      <para>The &man.ng.gif.4; and &man.ng.gif.demux.4; netgraph
        nodes, for operating on &man.gif.4; devices, have been
        added.</para>

      <para>The &man.ng.ip.input.4; netgraph node, for queueing IP
        packets into the main IP input processing code, has been
        added.</para>

      <para>The &man.ng.mppc.4; and &man.ng.bridge.4; node types have
        been added to the &man.netgraph.4; subsystem. The
        &man.ng.ether.4; node is now dynamically loadable.
        Miscellaneous bug fixes and enhancements have also been
        made. &merged;</para>

      <para>A new netgraph node type &man.ng.one2many.4; for
        multiplexing and demultiplexing packets over multiple links
        has been added. &merged;</para>

      <para>A new ng_split node type has been added for splitting a
        bidirectional packet flow into two unidirectional flows.</para>

      <para>A new sysctl
        <varname>net.inet.ip.check_interface</varname>, which is on by
        default, causes IP to verify that an incoming packet arrives
        on an interface that has an address matching the packet's
        destination address. &merged;</para>

      <para>A new sysctl
        <varname>net.link.ether.inet.log_arp_wrong_iface</varname> has
        been added to control the suppression of logging when ARP
        replies arrive on the wrong interface.
        &merged;</para>

      <para>A new <literal>options RANDOM_IP_ID</literal> kernel
        option causes the ID field of IP packets to be randomized.
        This closes a minor information leak which allows a remote
        observer to determine the rate at which the machine is
        generating packets, since the default behavior is to increment
        a counter for each packet sent. &merged;</para>

      <para arch="alpha">SLIP has been removed from the
        <filename>mfsroot</filename> floppy image.</para>

      <para>TCP has received some bug fixes for its delayed ACK
        behavior. &merged;</para>

      <para>TCP now supports the NewReno modification to the TCP Fast
        Recovery algorithm. This behavior can be controlled via the
        <varname>net.inet.tcp.newreno</varname> sysctl
        variable. &merged;</para>

      <para>TCP now uses a more aggressive timeout for initial SYN
        segments; this allows initial connection attempts to be
        dropped much faster. &merged;</para>

      <para>The <literal>TCP_COMPAT_42</literal> kernel option has
        been removed. &merged;</para>

      <para>The <literal>TCP_RESTRICT_RST</literal> kernel option has
        been removed. Similar functionality can be achieved with the
        <varname>net.inet.tcp.blackhole</varname> sysctl
        variable. &merged;</para>

      <para>TCP now has RFC 1323 extensions enabled by default in
        &man.rc.conf.5;. &merged;</para>

      <para>RFC 1323 and RFC 1644 TCP extensions are now disabled for
        a connection in progress if no response has been received by
        the third SYN segment sent. This behavior tries to work
        around (very old) terminal servers with buggy VJ header
        compression implementations. &merged;</para>

      <para>The TCP implementation no longer requires the allocation
        of a TCP template structure for each connection; this should
        reduce the buffer usage on large systems handling many
        connections.
        &merged;</para>

      <para>TCP's default buffer sizes, controlled by the
        <varname>net.inet.tcp.sendspace</varname> and
        <varname>net.inet.tcp.recvspace</varname> sysctl variables,
        have been increased to 32K and 64K respectively. Previously,
        the default for both buffer sizes was 16K. To try to avoid
        increasing congestion, the default value for
        <varname>net.inet.tcp.local_slowstart_flightsize</varname> has
        been changed from infinity to 4. &merged;

        <note>
          <para>On busy hosts, the new larger buffer sizes may require
            manually increasing the
            <varname>NMBCLUSTERS</varname> parameter, either in the
            kernel configuration file or via the
            <varname>kern.ipc.nmbclusters</varname> loader tunable.
            <command>netstat -mb</command> can be used to monitor the
            state of mbuf clusters.</para>
        </note>
      </para>

      <para>TCP now supports RFC 1948 (Defending Against Sequence
        Number Attacks). The
        <varname>net.inet.tcp.isn_reseed_interval</varname> sysctl
        variable controls the reseeding of the secret data used in
        the RFC 1948 initial sequence number calculations. &merged;</para>

      <para>The TCP implementation in &os; now implements a cache of
        outstanding, received SYN segments. Incoming SYN segments now
        cause entries to be placed in the cache until the TCP
        three-way handshake is complete, at which point, memory is
        allocated for the connection as usual. In addition, all TCP
        Initial Sequence Numbers (ISNs) are used as cookies, allowing
        entries in the cache to be dropped, but still have their
        corresponding ACKs accepted later. The combination of the
        so-called
        <quote>syncache</quote> and <quote>syncookies</quote> features
        makes a host much more resistant to TCP-based Denial of
        Service attacks. Work on this feature was sponsored by DARPA
        and NAI Labs.
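        The syncookie idea described above, shown as an added Python example that is not part of the original release notes and is not taken from the &os; kernel sources: the server encodes a time counter, an MSS index and a keyed MAC over the flow into the ISN it sends, keeps no state, and later validates the client's final ACK against that encoding. The cookie layout (5-bit counter, 3-bit MSS index, 24-bit MAC), the MSS table, the timing constants and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Assumptions for this example (not kernel values):
MSS_TABLE = (536, 1024, 1220, 1380, 1440, 1460, 4312, 8960)  # 3-bit index
COUNTER_PERIOD = 64   # seconds per counter tick
MAX_AGE_TICKS = 2     # how many older ticks are still accepted


def _mac24(secret, flow, client_isn, counter):
    """24-bit keyed MAC binding a cookie to one flow, client ISN and tick."""
    src, sport, dst, dport = flow
    msg = (ipaddress.ip_address(src).packed
           + ipaddress.ip_address(dst).packed
           + struct.pack("!HHIQ", sport, dport, client_isn, counter))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(secret, flow, client_isn, client_mss, now):
    """On SYN: return the ISN for the SYN-ACK. Nothing is stored."""
    counter = int(now) // COUNTER_PERIOD
    # Largest table entry that does not exceed what the client offered.
    idx = max((i for i, m in enumerate(MSS_TABLE) if client_mss >= m),
              default=0)
    mac = _mac24(secret, flow, client_isn, counter)
    return (counter % 32) * 2**27 + idx * 2**24 + mac


def check_ack(secret, flow, seq, ack, now):
    """On the final ACK: return the negotiated MSS, or None if invalid.

    seq and ack are the sequence and acknowledgement numbers of the ACK
    segment; the client ISN and the cookie are each one less.
    """
    client_isn = (seq - 1) % 2**32
    cookie = (ack - 1) % 2**32
    tick_bits = cookie >> 27
    idx = (cookie >> 24) % 8
    mac = cookie % 2**24
    current = int(now) // COUNTER_PERIOD
    # Recompute the MAC for each recent tick whose low 5 bits match.
    for age in range(min(MAX_AGE_TICKS, current) + 1):
        counter = current - age
        if counter % 32 != tick_bits:
            continue
        expected = _mac24(secret, flow, client_isn, counter)
        if hmac.compare_digest(expected.to_bytes(3, "big"),
                               mac.to_bytes(3, "big")):
            return MSS_TABLE[idx]
    return None


if __name__ == "__main__":
    # Constructed sample flow (documentation address ranges).
    key = b"constructed-example-secret"
    flow = ("192.0.2.10", 40000, "198.51.100.5", 80)
    isn = make_cookie(key, flow, client_isn=1000, client_mss=1460,
                      now=1_000_000)
    print("server ISN:", isn)
    print("valid ACK ->", check_ack(key, flow, 1001, (isn + 1) % 2**32,
                                    1_000_030))
    print("stale ACK ->", check_ack(key, flow, 1001, (isn + 1) % 2**32,
                                    1_000_192))
```

        Because only 24 bits of MAC fit in the sequence number, a design like this depends on the secret being unpredictable and on old counter ticks expiring quickly.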
        &merged;</para>

      <para>A bug in the TCP implementation, which could cause
        connections to stall if a sender saw a zero-sized window, has
        been corrected. &merged;</para>

      <para>The TCP implementation now properly ignores packets
        addressed to IP-layer broadcast addresses. &merged;</para>

      <para>The ephemeral port range used for TCP and UDP has been
        changed to 49152–65535 (the old default was
        1024–5000). This increases the number of concurrent
        outgoing connections/streams.</para>
    </sect3>

    <sect3>
      <title>Disks and Storage</title>

      <para arch="i386">Support for the Adaptec FSA family of PCI-SCSI
        RAID controllers has been added, in the form of the
        &man.aac.4; driver. This driver includes proper handling of
        commands initiated by the adapter, addition/removal of disk
        devices, crashdump functionality, and &man.ioctl.2; commands
        necessary for the management CLI, and is fully qualified and
        sanctioned by Adaptec. &merged;</para>

      <para>The &man.ahc.4; driver has received numerous updates,
        bugfixes, and enhancements. Among various improvements are
        improved compatibility with chips in <quote>RAID Port</quote>
        mode and systems with AAA and/or ARO cards installed, as well
        as performance improvements. Some bugs were also fixed,
        including a rare hang on Ultra2/U160
        controllers. &merged;</para>

      <para arch="i386">The &man.asr.4; driver, which provides support
        for the Adaptec SCSI RAID controller family, as well as the
        DPT SmartRAID V and VI families, has been
        added. &merged;</para>

      <para arch="i386">The &man.asr.4; driver now supports the
        Adaptec 2000S and 2005S Zero-Channel RAID
        controllers. &merged;</para>

      <para>The &man.ata.4; driver now has support for ATA100
        controllers.
        In addition, it now supports the ServerWorks
        ROSB4 ATA33 chipset, the CMD 648 ATA66 and CMD 649 ATA100
        chipsets, and the Cyrix 5530. &merged;</para>

      <para>To provide more flexible configuration, the various
        options for the &man.ata.4; driver are now boot loader
        tunables, rather than kernel configure-time
        options. &merged;</para>

      <para>The &man.ata.4; driver now has support for tagged queuing,
        which is enabled by the <varname>hw.ata.tags</varname> loader
        tunable. &merged;</para>

      <para>The &man.ata.4; driver now has support for ATA
        <quote>pseudo</quote> RAID controllers such as the Promise Fasttrak
        and HighPoint HPT370 controllers. &merged;</para>

      <para>The &man.ata.4; driver now supports a wider variety of SiS
        chipsets, as listed in the Hardware Notes. &merged;</para>

      <para>The &man.ata.4; driver now has support for creating,
        deleting, querying, and rebuilding ATA RAIDs under control of
        &man.atacontrol.8;. &merged;</para>

      <para>The BurnProof(TM) feature, for applicable ATAPI CD-ROM
        burners, is now supported. &merged;</para>

      <para>The &man.ata.4; driver now has support for 48-bit
        addressing. Devices larger than 137GB are now
        supported. &merged;</para>

      <para>The &man.ata.4; driver now contains fixes for some data
        corruption problems on systems using the VIA 82C686B
        Southbridge chip. &merged;</para>

      <para>The &man.cd.4; driver now has support for write
        operations. This allows writing to DVD-RAM, PD and similar
        drives that probe as CD devices. Note that this change affects
        only random-access writeable devices, not sequential-only
        writeable devices such as CD-R drives, which are supported by
        &man.cdrecord.1; (a part of
        <filename role="package">sysutils/cdrtools</filename> in the
        Ports Collection).
        &merged;</para>

      <para arch="i386">The ciss driver, for devices utilizing the
        Common Interface for SCSI-3 Support, has been added. This
        driver supports the Compaq SmartRAID 5* family of RAID
        controllers (5300, 532, 5i). &merged;</para>

      <para>The &man.fdc.4; floppy disk driver has undergone a number of
        enhancements. Density selection for common settings is now
        automatic; the driver is also much more flexible in setting
        the densities of various subdevices.</para>

      <para>The &man.geom.4; disk I/O request transformation framework
        has been added; this extensible framework is designed to
        support a wide variety of operations on I/O requests on their
        way from the upper kernel to the device drivers.</para>

      <para>The ida disk driver now has crashdump
        support. &merged;</para>

      <para arch="i386">The iir driver has been added to support the
        Intel Integrated RAID controllers, as well as prior ICP Vortex
        controllers.</para>

      <para arch="alpha">A bug that made certain CDROM drives fail to
        attach when connected to a SCSI card driven by &man.isp.4; has
        been fixed. &merged;</para>

      <para>The &man.isp.4; driver is now proactive about discovering
        Fibre Channel topology changes.</para>

      <para>The &man.isp.4; driver now supports target mode for Qlogic
        SCSI cards, including Ultra2 and Ultra3 and dual bus
        cards.</para>

      <para>The &man.isp.4; driver now supports the Qlogic 2300 and
        2312 Optical Fibre Channel PCI cards. &merged;</para>

      <para>&man.md.4;, the memory disk device, has had the
        functionality of &man.vn.4; incorporated into it. &man.md.4;
        devices can now be configured by &man.mdconfig.8;. &man.vn.4;
        has been removed.
        The Memory Filesystem (MFS) has also been
        removed.</para>

      <para arch="i386">The &man.mly.4; driver, for Mylex PCI to SCSI
        AccelRAID and eXtremeRAID controllers with firmware 6.X and
        later, has been added. &merged;</para>

      <para arch="i386">The ncv, nsp, and stg drivers have been ported
        from NetBSD/pc98. They support the NCR 53C50 / Workbit Ninja
        SCSI-3 / TMC 18C30, 18C50 based PC-Card/ISA SCSI controllers.
        All three drivers can be built and loaded as
        modules. &merged;</para>

      <para arch="powerpc">The ofw driver, a basic OpenFirmware disk
        driver, has been added.</para>

      <para>Some problems in &man.sa.4; error handling have been
        fixed, including the <quote>tape drive spinning indefinitely
        upon &man.mt.1; <option>stat</option></quote> problem.</para>

      <para arch="i386">The &man.twe.4; 3ware ATA RAID driver has
        been added. &merged;</para>

      <para>The &man.wd.4; compatibility devices were removed from the
        &man.ata.4; driver. &merged;</para>
    </sect3>

    <sect3>
      <title>Filesystems</title>

      <para>Support for named extended attributes was added to the
        &os; kernel. This allows the kernel, and appropriately
        privileged userland processes, to tag files and directories
        with attribute data. Extended attributes were added to
        support the TrustedBSD Project, in particular ACLs, capability
        data, and mandatory access control labels (see
        <filename>/usr/src/sys/ufs/ufs/README.extattr</filename> for
        details).</para>

      <para>Due to a licensing change, softupdates have been
        integrated into the main portion of the kernel source tree.
        As a consequence, softupdates are now available with the
        <filename>GENERIC</filename> kernel. &merged;</para>

      <para>A filesystem snapshot capability has been added to FFS.
        Details can be found in
        <filename>/usr/src/sys/ufs/ffs/README.snapshot</filename>.</para>

<!-- The following note needs to be made more specific or eliminated. -->
      <para>Softupdates for FFS have received some bug fixes and
        enhancements.</para>

      <para>When running with softupdates, &man.statfs.2; and
        &man.df.1; will track the number of blocks and files that are
        committed to being freed.</para>

      <para>A bug in FFS that could cause superblock corruption on
        very large filesystems has been corrected. &merged;</para>

      <para>The ISO-9660 filesystem now has a hook that supports a
        loadable character conversion routine. The
        <filename role="package">sysutils/cd9660_unicode</filename>
        port contains a set of common conversions. &merged;</para>

      <para>&man.kernfs.5; is obsolete and has been retired.</para>

      <para>A bug in the NFS client that caused bogus access times with
        <literal>O_EXCL|O_CREAT</literal> opens was
        fixed. &merged;</para>

      <para>A new NFS hash function (based on the Fowler/Noll/Vo hash
        algorithm) has been implemented to improve NFS performance by
        increasing the efficiency of the <varname>nfsnode</varname>
        hash tables. &merged;</para>

      <para>Client-side NFS locks have been implemented.</para>

      <para>The client-side and server-side of the NFS code in the
        kernel used to be intertwined in various complex ways. They
        have been split apart for ease of maintenance and further
        development.</para>

      <para>Support for filesystem Access Control Lists (ACLs) has
        been introduced, allowing more fine-grained control of
        discretionary access control on files and directories. This
        support was integrated from the TrustedBSD Project.
        More
        details can be found in
        <filename>/usr/src/sys/ufs/ufs/README.acls</filename>.</para>

      <para>The directory layout preference algorithm for FFS
        (<literal>dirprefs</literal>) has been changed. Rather than
        scattering directory blocks across a disk, it attempts to
        group related directory blocks together. Operations
        traversing large directory hierarchies, such as the &os; Ports
        tree, have shown marked speedups. This change is transparent
        and automatic for new directories. &merged;</para>

      <para arch="i386">smbfs (CIFS) support in kernel has been added.
        The userland programs &man.smbutil.1; and &man.mount.smbfs.8;
        can be used to work with SMB shares. Note that
        &man.mount.smbfs.8; will automatically load the
        <filename>smbfs.ko</filename> module into the kernel, even if
        <literal>LIBMCHAIN</literal> and
        <literal>LIBICONV</literal> were not compiled into the kernel.
        &merged;</para>

      <para>For consistency, the fdesc, fifo, null, msdos, portal,
        umap, and union filesystems have been renamed to fdescfs,
        fifofs, msdosfs, nullfs, portalfs, umapfs, and unionfs. Where
        applicable, modules and mount_* programs have been renamed.
        Compatibility <quote>glue</quote> has been added to
        &man.mount.8; so that <literal>msdos</literal> filesystem
        entries in &man.fstab.5; will work without changes.</para>

      <para>pseudofs, a pseudo-filesystem framework, has been added.
        &man.linprocfs.5; and &man.procfs.5; have been modified to use
        pseudofs.</para>

      <para>A simple hash-based lookup optimization for large
        directories called <literal>dirhash</literal> has been added.
        Conditional on the
        <literal>UFS_DIRHASH</literal> kernel option (enabled by
        default in the <filename>GENERIC</filename> kernel), it
        improves the speed of operations on very large directories at
        the expense of some memory.
        &merged;</para>

      <para>The virtual memory subsystem now backs UFS directory
        memory requirements by default (this behavior is controlled
        via the <varname>vfs.vmiodirenable</varname> sysctl
        variable). &merged;</para>

      <para>A bug that prevented the root filesystem from being
        mounted from a SCSI CDROM has been fixed (ATAPI CDROMs were
        always supported). &merged;</para>

      <para>A number of bugs in the filesystem code, discovered
        through the use of the <application>fsx</application>
        filesystem test tool, have been fixed. Under certain
        circumstances (primarily related to use of NFS), these bugs
        could cause data corruption or kernel panics. &merged;</para>

      <para>Network filesystems (such as NFS and smbfs filesystems)
        listed in <filename>/etc/fstab</filename> can now be properly
        mounted during startup initialization; their mounts are
        deferred until after the network is initialized.</para>

      <para>Read-only support for the Universal Disk Format (UDF) has
        been added. This format is used on packet-written CD-RWs and
        most commercial DVD-Video disks. The &man.mount.udf.8;
        command can be used to mount these disks.</para>
    </sect3>

    <sect3>
      <title>PCCARD Support</title>

      <para arch="i386">The pccard driver and &man.pccardc.8; now
        support multiple <quote>beep types</quote> upon card insertion
        and removal. &merged;</para>

      <para>On many modern hosts, PCCARD devices can be configured to
        route their interrupts via either the ISA or PCI interrupt
        paths. The &man.pcic.4; driver has been updated to support
        both interrupt paths (formerly, only routing via ISA was
        supported). &merged; In most cases, configuration of PCMCIA
        devices in laptops is simpler and more flexible. In addition,
        various Cardbus bridge PCI cards (such as those used by
        Orinoco PCI NICs) are now supported.
        Some hosts may
        experience problems, such as hangs or panics, with PCI
        interrupt routing; they can frequently be made to work by
        forcing the older-style ISA interrupt routing. The following
        lines, placed in <filename>/boot/loader.conf</filename>, may
        fix the problem:</para>

      <programlisting>hw.pcic.intr_path="1"
hw.pcic.irq="0"</programlisting>

      <para>When installing &os; on such a system, typing the
        following lines to the boot loader may be helpful in starting
        up &os; for the first time:</para>

      <screen><prompt>ok</prompt> <userinput>set hw.pcic.intr_path="1"</userinput>
<prompt>ok</prompt> <userinput>set hw.pcic.irq="0"</userinput></screen>

      <para arch="i386">Preliminary Cardbus support under NEWCARD has
        been added. This code supports the TI113X, TI12XX, TI125X,
        Ricoh 5C46/5C47, Topic 95/97/100 and Cirrus Logic PD683X
        bridges. 16-bit PC Card support is not yet functional.</para>
    </sect3>

    <sect3>
      <title>Multimedia Support</title>

      <para arch="i386">The &man.pcm.4; driver now supports the ESS
        Solo 1, Maestro-1, Maestro-2, and Maestro-2e; Forte Media
        fm801, ESS Maestro-2e, and VIA Technologies VT82C686A sound
        card/chipsets, and has received some other updates. Separate
        drivers for the SoundBlaster 8 and SoundBlaster 16 now replace
        an older, unified driver. A driver for the CMedia
        CMI8338/CMI8738 sound chips has been added. A driver for the
        CS4281 sound chip has been added. A driver for the S3
        SonicVibes chipset has been added. &merged;</para>

      <para arch="i386">A driver for the Avance Logic ALS4000 has been
        added. &merged;</para>

      <para arch="i386">A driver for the ESS Maestro-3/Allegro has
        been added; however, due to licensing restrictions, it cannot
        be compiled into the kernel.
        &merged; To use this driver, add
        the following line to
        <filename>/boot/loader.conf</filename>:</para>

      <programlisting>snd_maestro3_load="YES"</programlisting>

      <para>The &man.bktr.4; driver has been updated to 2.18. This
        update provides a number of new features. New tuner types
        have been added, and improvements to the KLD module and to
        memory allocation have been made. Bugs in &man.devfs.5; when
        unloading and reloading have been fixed. Support for new
        Hauppauge Model 44xxx WinTV Cards (the ones with no audio mux)
        has been added. &merged;</para>

      <para arch="i386">The ufm driver, supporting the D-Link DSB-R100
        USB Radio, has been added. &merged;</para>

      <para>When sound modules are built, one can now load all the
        drivers and infrastructure by <command>kldload
        snd</command>. &merged;</para>

      <para>A new API has been added for sound cards with hardware
        volume control.</para>

      <para arch="i386">A driver for the Intel 443MX, 810, 815, and
        815E integrated sound devices has been added. &merged;</para>

      <para arch="i386">The via82c686 sound driver now supports the VIA
        VT8233. &merged;</para>

      <para arch="i386">The ich sound driver now supports the SiS
        7012 chipset. &merged;</para>

      <para arch="i386">Drivers have been added to support the Direct
        Rendering Infrastructure, which can be used to provide 3D
        acceleration within <application>XFree86</application>.
        Video
        cards supported include the 3Dlabs Oxygen GMX 2000 (gammadrm),
        AGP Matrox G200/G400/G450/G550 (mgadrm), 3dfx Voodoo
        3/4/5/Banshee (tdfxdrm), AGP ATI Rage 128 (r128drm), and AGP
        ATI Radeon (radeondrm).</para>

    </sect3>

    <sect3>
      <title>Contributed Software</title>

      <para>The Forth Inspired Command Language
        (<application>FICL</application>) used in the boot loader has
        been updated to 3.02.</para>

      <para>Support for Advanced Configuration and Power Interface
        (ACPI), a multi-vendor standard for configuration and power
        management, has been added. This functionality has been
        provided by the <application>Intel ACPI Component
        Architecture</application> project, as of the ACPI CA 20020308
        snapshot. Some backward compatibility for applications using
        the older APM standard has been provided.</para>

      <sect4>
        <title>IPFilter</title>

        <para><application>IPFilter</application> has been updated to
          3.4.27. &merged;</para>

        <para><application>IPFilter</application> now supports
          IPv6. &merged;</para>

      </sect4>

      <sect4 arch="i386">
        <title>isdn4bsd</title>

        <para><application>isdn4bsd</application> has been updated to
          version 1.0.2.</para>

        <para>The &man.ifpi.4; driver for supporting the AVM
          Fritz!Card PCI controller has been added. &merged;</para>

        <para>The &man.ifpi2.4; driver for supporting the AVM
          Fritz!Card PCI version 2 controller has been added. &merged;</para>

        <para>The &man.ihfc.4; driver for supporting Cologne Chip
          Designs HFC devices under
          <application>isdn4bsd</application> has been
          added. &merged;</para>

        <para>The &man.itjc.4; driver for supporting NETjet-S / Teles
          PCI-TJ devices under <application>isdn4bsd</application> has
          been added.
          &merged;</para>

        <para>Experimental support for the Eicon.Diehl DIVA 2.0 and
          2.02 ISA PnP ISDN cards has been added to the &man.isic.4;
          <application>isdn4bsd</application> driver. &merged;</para>

        <para>The &man.isic.4; driver now supports the Compaq Microcom
          610 ISDN ISA PnP card. &merged;</para>

        <para>Active CAPI-based ISDN cards manufactured by AVM are now
          supported using the &man.i4bcapi.4; and the &man.iavc.4;
          driver. The supported cards are the AVM B1 PCI and AVM B1
          ISA Basic Rate cards and the AVM T1 Primary Rate
          cards. &merged;</para>

        <para>A new <literal>maxconnecttime</literal> keyword is now
          accepted in &man.isdnd.rc.5; files to limit the time a
          connection may remain open. &merged;</para>

        <para>&man.isdnphone.8; now supports a <option>-k</option>
          option for sending messages via the keypad facility to a PBX
          or exchange office. &merged;</para>

        <para><application>isdn4bsd</application> now supports Q.931
          subaddressing.</para>

      </sect4>

      <sect4 id="kame-kernel">
        <title>KAME</title>

        <para>The IPv6 stack is now based on the
          KAME Project's IPv6 snapshot as of 28 May, 2001. Most of
          the items listed in this section are a result of this
          import. <xref linkend="kame-userland"> lists userland
          updates to the KAME IPv6 stack. &merged;</para>

        <para>&man.gif.4; is now based on RFC 2893, rather than RFC
          1933. The <literal>IFF_LINK2</literal> interface flag can
          be used to control ingress filtering. &merged;</para>

        <para><application>IPsec</application> has received some
          enhancements, including the ability to use the Rijndael and
          SHA2 algorithms. IPsec RC5 support has been removed due to
          patent issues.
          &merged;</para>

        <para>&man.stf.4; now conforms to RFC 3056; the
          <literal>IFF_LINK2</literal> interface flag can be used to
          control ingress filtering. &merged;</para>

        <para>IPv6 has better checking of illegal addresses (such as
          loopback addresses) on physical networks. &merged;</para>

        <para>The <varname>IPV6_V6ONLY</varname> socket option is now
          completely supported. The kernel's default behavior with
          respect to this option is controlled by the
          <varname>net.inet6.ip6.v6only</varname> sysctl
          variable. &merged;</para>

        <para>RFC 3041 (Privacy Extensions for Stateless Address
          Autoconfiguration) is now supported. It can be enabled via
          the <varname>net.inet6.ip6.use_tempaddr</varname> sysctl
          variable. &merged;</para>
      </sect4>
    </sect3>
  </sect2>

  <sect2 id="security">
    <title>Security-Related Changes</title>

    <para>&man.sysinstall.8; now allows the user to select one of two
      <quote>security profiles</quote> at install-time. These
      profiles enable different levels of system security by enabling
      or disabling various system services in &man.rc.conf.5; on new
      installs. &merged;</para>

    <para>A bug in which malformed ELF executable images can hang the
      system has been fixed (see security advisory
      FreeBSD-SA-00:41). &merged;</para>

    <para>A security hole in Linux emulation was fixed (see security
      advisory FreeBSD-SA-00:42). &merged;</para>

    <para>String-handling library calls in many programs were fixed to
      reduce the possibility of buffer overflow-related exploits.
      &merged;</para>

    <para>TCP now uses stronger randomness in choosing its initial
      sequence numbers (see security advisory
      FreeBSD-SA-00:52). &merged;</para>

    <para>Several buffer overflows in &man.tcpdump.1; were corrected
      (see security advisory FreeBSD-SA-00:61).
&merged;</para>

<para>A security hole in &man.top.1; was corrected (see security
advisory FreeBSD-SA-00:62). &merged;</para>

<para>A potential security hole caused by an off-by-one error in
&man.gethostbyname.3; has been fixed (see security advisory
FreeBSD-SA-00:63). &merged;</para>

<para>A potential buffer overflow in the &man.ncurses.3; library,
which could cause arbitrary code to be run from within
&man.systat.1;, has been corrected (see security advisory
FreeBSD-SA-00:68). &merged;</para>

<para>A vulnerability in &man.telnetd.8; that could cause it to
consume large amounts of server resources has been fixed (see
security advisory FreeBSD-SA-00:69). &merged;</para>

<para>The <literal>nat deny_incoming</literal> command in
&man.ppp.8; now works correctly (see security advisory
FreeBSD-SA-00:70). &merged;</para>

<para>A vulnerability in &man.csh.1;/&man.tcsh.1; temporary files
that could allow overwriting of arbitrary user-writable files
has been closed (see security advisory
FreeBSD-SA-00:76). &merged;</para>

<para>The &man.ssh.1; binary is no longer SUID root by
default. &merged;</para>

<para>Some fixes were applied to the Kerberos IV implementation
related to environment variables, a possible buffer overrun, and
overwriting ticket files. &merged;</para>

<para>&man.telnet.1; now does a better job of sanitizing its
environment. &merged;</para>

<para>Several vulnerabilities in &man.procfs.5; were fixed (see
security advisory FreeBSD-SA-00:77). &merged;</para>

<para>A bug in <application>OpenSSH</application> in which a
server was unable to disable &man.ssh-agent.1; or
<literal>X11Forwarding</literal> was fixed (see security
advisory FreeBSD-SA-01:01).
&merged;</para>

<para>A bug in &man.ipfw.8; and &man.ip6fw.8; in which inbound TCP
segments could incorrectly be treated as being part of an
<literal>established</literal> connection has been fixed (see
security advisory FreeBSD-SA-01:08). &merged;</para>

<para>A bug in &man.crontab.1; that could allow users to read any
file on the system in valid &man.crontab.5; syntax has been
fixed (see security advisory FreeBSD-SA-01:09). &merged;</para>

<para>A vulnerability in &man.inetd.8; that could allow
read-access to the initial 16 bytes of
<groupname>wheel</groupname>-accessible files has been fixed
(see security advisory FreeBSD-SA-01:11). &merged;</para>

<para>A bug in &man.periodic.8; that used insecure temporary files
has been corrected (see security advisory
FreeBSD-SA-01:12). &merged;</para>

<para><application>OpenSSH</application> now has code to prevent
(instead of just mitigating through connection limits) an attack
that can lead to guessing the server key (not host key) by
regenerating the server key when an RSA failure is detected (see
security advisory FreeBSD-SA-01:24). &merged;</para>

<para>A number of programs have had output formatting strings
corrected so as to reduce the risk of
vulnerabilities. &merged;</para>

<para>A number of programs that use temporary files now do so more
securely. &merged;</para>

<para>A bug in ICMP that could allow an attacker to disrupt TCP and UDP
<quote>sessions</quote> has been corrected. &merged;</para>

<para>A bug in &man.timed.8;, which caused it to crash if sent
certain malformed packets, has been corrected (see security
advisory FreeBSD-SA-01:28). &merged;</para>

<para>A bug in &man.rwhod.8;, which caused it to crash if sent
certain malformed packets, has been corrected (see security
advisory FreeBSD-SA-01:29).
&merged;</para>

<para>A security hole in &os;'s FFS and EXT2FS implementations,
which allowed a race condition that could cause users to have
unauthorized access to data, has been fixed (see security
advisory FreeBSD-SA-01:30). &merged;</para>

<para>A remotely-exploitable vulnerability in &man.ntpd.8; has
been closed (see security advisory
FreeBSD-SA-01:31). &merged;</para>

<para>A security hole in <application>IPFilter</application>'s
fragment cache has been closed (see security advisory
FreeBSD-SA-01:32). &merged;</para>

<para>Buffer overflows in &man.glob.3;, which could cause
arbitrary code to be run on an FTP server, have been closed. In
addition, to prevent some forms of DoS attacks, &man.glob.3;
allows specification of a limit on the number of pathname
matches it will return. &man.ftpd.8; now uses this feature (see
security advisory FreeBSD-SA-01:33). &merged;</para>

<para>Initial sequence numbers in TCP are more thoroughly
randomized (see security advisory FreeBSD-SA-01:39). Due to
some possible compatibility issues, the behavior of this
security fix can be enabled or disabled via the
<varname>net.inet.tcp.tcp_seq_genscheme</varname> sysctl
variable. &merged;</para>

<para>A vulnerability in the &man.fts.3; routines (used by
applications for recursively traversing a filesystem) could
allow a program to operate on files outside the intended
directory hierarchy. This bug has been fixed (see security
advisory FreeBSD-SA-01:40). &merged;</para>

<para><application>OpenSSH</application> now switches to the
user's UID before attempting to unlink the authentication
forwarding file, nullifying the effects of a race.</para>

<para>A flaw allowed some signal handlers to remain in effect in a
child process after being exec-ed from its parent.
This allowed
an attacker to execute arbitrary code in the context of a setuid
binary. This flaw has been corrected (see security advisory
FreeBSD-SA-01:42). &merged;</para>

<para>A remote buffer overflow in &man.tcpdump.1; has been fixed
(see security advisory FreeBSD-SA-01:48). &merged;</para>

<para>A remote buffer overflow in &man.telnetd.8; has been fixed
(see security advisory FreeBSD-SA-01:49). &merged;</para>

<para>The new <varname>net.inet.ip.maxfragpackets</varname> and
<varname>net.inet.ip6.maxfragpackets</varname> sysctl variables
limit the amount of memory that can be consumed by IPv4 and IPv6
packet fragments, which defends against some denial of service
attacks (see security advisory
FreeBSD-SA-01:52). &merged;</para>

<para>All services in <filename>inetd.conf</filename> are now
disabled by default for new installations. &man.sysinstall.8;
gives the option of enabling or disabling &man.inetd.8; on new
installations, as well as editing
<filename>inetd.conf</filename>. &merged;</para>

<para>A flaw in the implementation of the &man.ipfw.8;
<literal>me</literal> rules on point-to-point links has been
corrected. Formerly, <literal>me</literal> filter rules would
match the remote IP address of a point-to-point interface in
addition to the intended local IP address (see security advisory
FreeBSD-SA-01:53). &merged;</para>

<para>A vulnerability in &man.procfs.5;, which could allow a
process to read sensitive information from another process's
memory space, has been closed (see security advisory
FreeBSD-SA-01:55). &merged;</para>

<para>The <literal>PARANOID</literal> hostname checking in
<application>tcp_wrappers</application> now works as advertised
(see security advisory FreeBSD-SA-01:56).
&merged;</para>

<para>A local root exploit in &man.sendmail.8; has been closed
(see security advisory FreeBSD-SA-01:57). &merged;</para>

<para>A remote root vulnerability in &man.lpd.8; has been closed
(see security advisory FreeBSD-SA-01:58). &merged;</para>

<para>A race condition in &man.rmuser.8; that briefly exposed a
world-readable <filename>/etc/master.passwd</filename> has been
fixed (see security advisory FreeBSD-SA-01:59). &merged;</para>

<para>A vulnerability in <application>UUCP</application> has been
closed (see security advisory FreeBSD-SA-01:62). All
non-<username>root</username>-owned binaries in standard system
paths now have the <literal>schg</literal> flag set to prevent
exploit vectors when run by &man.cron.8;, by
<username>root</username>, or by a user other than the one owning
the binary. In addition, &man.uustat.1; is now run via
<filename>/etc/periodic/daily/410.status-uucp</filename> as
<username>uucp</username>, not <username>root</username>. In
&os; -CURRENT, <application>UUCP</application> has since been
moved to the Ports Collection and is no longer a part of the base
system. &merged;</para>

<para>A security hole in the form of a buffer overflow in the
&man.semop.2; system call has been closed. &merged;</para>

<para>A security hole in <application>OpenSSH</application>, which
could allow users to execute code with arbitrary privileges if
<literal>UseLogin yes</literal> was set, has been closed. Note
that the default value of this setting is
<literal>UseLogin no</literal>. (See security advisory
FreeBSD-SA-01:63.) &merged;</para>

<para>The use of an insecure temporary directory by
&man.pkg.add.1; could permit a local attacker to modify the
contents of binary packages while they were being installed.
This hole has been closed.
(See security advisory
FreeBSD-SA-02:01.) &merged;</para>

<para>A race condition in &man.pw.8;, which could expose the
contents of <filename>/etc/master.passwd</filename>, has been
eliminated. (See security advisory FreeBSD-SA-02:02.)
&merged;</para>

<para>A bug in &man.k5su.8; could have allowed a process that had
given up superuser privileges to regain them. This bug has been
fixed. (See security advisory FreeBSD-SA-02:07.)
&merged;</para>

<para>An <quote>off-by-one</quote> bug has been fixed in
<application>OpenSSH</application>'s multiplexing code. This bug
could have allowed an authenticated remote user to cause
&man.sshd.8; to execute arbitrary code with superuser
privileges, or allowed a malicious SSH server to execute arbitrary
code on the client system with the privileges of the client user. (See security
advisory <ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:13.openssh.asc">FreeBSD-SA-02:13</ulink>.)
&merged;</para>

<para>A programming error in <application>zlib</application> could
result in attempts to free memory multiple times. The
&man.malloc.3;/&man.free.3; routines used in &os; are not
vulnerable to this error, but applications receiving
specially-crafted blocks of invalid compressed data could
be made to function incorrectly or abort. This
<application>zlib</application> bug has been fixed. For a
workaround and solutions, see security advisory <ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:18.zlib.v1.2.asc">FreeBSD-SA-02:18</ulink>.
&merged;</para>

<para>Bugs in the TCP SYN cache (<quote>syncache</quote>) and SYN
cookie (<quote>syncookie</quote>) implementations, which could
cause legitimate TCP/IP traffic to crash a machine, have been
fixed.
For a workaround and patches, see security advisory
<ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:20.syncache.asc">FreeBSD-SA-02:20</ulink>.
&merged;</para>

<para>A routing table memory leak, which could allow a remote
attacker to exhaust the memory of a target machine, has been
fixed. A workaround and patches can be found in security
advisory <ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:21.tcpip.asc">FreeBSD-SA-02:21</ulink>.
&merged;</para>

<para>A bug with memory-mapped I/O, which could cause a system
crash, has been fixed. For more information about a solution,
see security advisory <ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:22.mmap.asc">FreeBSD-SA-02:22</ulink>.
&merged;</para>

<para>A security hole, in which SUID programs could be made to
read from or write to inappropriate files through manipulation
of their standard I/O file descriptors, has been fixed.
Information regarding a solution can be found in security
advisory <ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:23.stdio.asc">FreeBSD-SA-02:23</ulink>.
&merged;</para>

<para>Some unexpected behavior could be allowed with &man.k5su.8;
because it does not require that an invoking user be a member of
the <groupname>wheel</groupname> group when attempting to become
the superuser (as &man.su.1; does). To avoid this
situation, &man.k5su.8; is now installed non-SUID by default
(effectively disabling it). More information can be found in
security advisory <ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:24.k5su.asc">FreeBSD-SA-02:24</ulink>.
&merged;</para>

<para>Multiple vulnerabilities were found in the &man.bzip2.1;
utility, which could allow files to be overwritten without
warning or allow local users unintended access to files. These
problems have been corrected with a new import of
<application>bzip2</application>. For more information, see
security advisory <ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:25.bzip2.asc">FreeBSD-SA-02:25</ulink>.
&merged;</para>

<para>A bug in the implementation of the TCP SYN
cache (<quote>syncache</quote>), which could allow a remote
attacker to deny access to a service when accept filters
(see &man.accept.filter.9;) were in use, has been
fixed. For more information, see security advisory <ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:26.accept.asc">FreeBSD-SA-02:26</ulink>.
&merged;</para>

<para>Due to a bug in &man.rc.8;'s use of shell globbing, users
may be able to remove the contents of arbitrary files if
<filename>/tmp/.X11-unix</filename> does not exist and the
system can be made to reboot. This bug has been corrected (see
security advisory <ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:27.rc.asc">FreeBSD-SA-02:27</ulink>).
&merged;</para>

</sect2>

<sect2 id="userland">
<title>Userland Changes</title>

<para>If the first argument to &man.ancontrol.8; or
&man.wicontrol.8; doesn't start with a <literal>-</literal>, it
is assumed to be an interface. &merged;</para>

<para>&man.apmd.8; now has the ability to monitor battery levels
and execute commands based on percentage or minutes of battery
life remaining via the <literal>apm_battery</literal>
configuration directive.
See the commented-out examples in
<filename>/etc/apmd.conf</filename> for the
syntax. &merged;</para>

<para>&man.arp.8; now prints the applicable interface name for
each ARP entry. &merged;</para>

<para>&man.arp.8; now prints <literal>[fddi]</literal> or
<literal>[atm]</literal> tags for addresses on interfaces of
those types.</para>

<para>The &man.asa.1; utility, to interpret FORTRAN
carriage-control characters, has been added.</para>

<para>&man.at.1; now supports the <option>-r</option> command-line
option to remove jobs and the <option>-t</option> option to
specify times in POSIX time format.</para>

<para>&man.atacontrol.8; has been added to control various aspects
of the &man.ata.4; driver. &merged;</para>

<para>The system &man.awk.1; now refers to
<application>BWK awk</application>. <application>GNU
awk</application> is now available as &man.gawk.1;.</para>

<para arch="i386">&man.boot98cfg.8;, a PC-98 boot manager
installation and configuration utility, has been
added. &merged;</para>

<para>&man.burncd.8; now supports a <option>-m</option> option for
multisession mode (the default behavior now is to close disks as
single-session). A <option>-l</option> option to take a list of
image files from a filename was also added;
<filename>-</filename> can be used as a filename for
<literal>stdin</literal>. &merged;</para>

<para>&man.burncd.8; now supports Disk At Once (DAO) mode,
selectable via the <option>-d</option> flag.</para>

<para>&man.burncd.8; now has the ability to write VCDs/SVCDs.</para>

<para>&man.c89.1; has been converted from a shell script to a
binary executable, fixing some minor bugs. &merged;</para>

<para arch="i386">A minimalized version of &man.camcontrol.8; is
now available on the installation floppy.
This allows it to
rescan for devices that have been connected after booting, or to
show the devices attached to SCSI busses (e.g. from within the
<quote>emergency holographic shell</quote>). &merged;</para>

<para>&man.cat.1; now has the ability to read from UNIX-domain
sockets. &merged;</para>

<para>&man.catman.1; is now a C program, instead of a
Perl script.</para>

<para>&man.cdcontrol.1; now supports a <literal>cdid</literal>
command, which calculates and displays the CD serial number,
using the same algorithm used by the CDDB
database. &merged;</para>

<para>&man.cdcontrol.1; now uses the <envar>CDROM</envar>
environment variable to pick a default device. &merged;</para>

<para>&man.cdcontrol.1; now supports <literal>next</literal> and
<literal>prev</literal> commands to skip forwards or backwards a
specified number of tracks while playing an audio
CD. &merged;</para>

<para>On ATAPI CDROM drives, &man.cdcontrol.1; now supports a
<literal>speed</literal> command to set the maximum speed to be
used by the drive. &merged;</para>

<para>&man.chflags.1; has moved from <filename>/usr/bin</filename>
to <filename>/bin</filename>.</para>

<para>&man.chio.1; now has the ability to specify elements by
volume tag instead of by their physical location as well as the
ability to return an element to its previous
location. &merged;</para>

<para>&man.chmod.1; now supports a <option>-h</option> option for
changing the mode of a symbolic link.</para>

<para>&man.chown.8; now correctly follows symbolic links named as
command line arguments if run without
<option>-R</option>. &merged;</para>

<para>&man.chown.8; no longer takes <literal>.</literal> as a
user/group delimiter.
This change was made to support usernames
containing a <literal>.</literal>.</para>

<para>Use of the <literal>CMSG_*</literal> macros no longer
requires inclusion of
<filename>&lt;sys/param.h&gt;</filename>.</para>

<para>&man.col.1; now takes a <option>-p</option> flag to force
unknown control sequences to be passed through
unchanged. &merged;</para>

<para>The <filename>compat3x</filename> distribution has been
updated to include libraries present in &os;
3.5.1-RELEASE. &merged;</para>

<para>A <filename>compat4x</filename> distribution has been added
for compatibility with &os; 4-STABLE.</para>

<para>&man.config.8; is now better about converting various
warnings that should have been errors into actual fatal errors
with an exit code. This ensures that <literal>make
buildkernel</literal> doesn't quietly ignore them and build a
bogus kernel without a human to read the errors. &merged;</para>

<para>A number of buffer overflows in &man.config.8; have been
fixed. &merged;</para>

<para>A new &man.csplit.1; utility, which splits files based on
context, has been added.</para>

<para>&man.ctags.1; no longer creates a corrupt tags file if the
source file used <literal>//</literal> (C++-style)
comments. &merged;</para>

<para>The &man.daemon.8; program, a command-line interface to
&man.daemon.3;, has been added. It detaches itself from its
controlling terminal and executes a program specified on the
command line. This allows the user to run an arbitrary program
as if it were written to be a daemon.</para>

<para>&man.devinfo.8;, a simple tool to print the device tree and resource
usage by devices, has been added.</para>

<para>&man.df.1; now takes a <option>-l</option> option to only
display information about locally-mounted
filesystems.
&merged;</para>

<para>&man.disklabel.8; now supports partition sizes expressed in
kilobytes, megabytes, or gigabytes, in addition to
sectors. &merged;</para>

<para>&man.diskpart.8; has been declared obsolete, and has been
removed.</para>

<para>&man.dmesg.8; now has a <option>-a</option> option to show
the entire message buffer, including &man.syslogd.8; records and
<filename>/dev/console</filename> output. &merged;</para>

<para>&man.du.1; now takes a <option>-I</option> command-line flag
to ignore/skip files and subdirectories matching a specified
shell-glob mask. &merged;</para>

<para>&man.dump.8; now supports inheritance of the
<literal>nodump</literal> flag down a hierarchy. &merged;</para>

<para>The <option>-T</option> option to &man.dump.8; no longer
swallows an extra argument. &merged;</para>

<para>&man.dump.8; has a new <option>-D</option> option, allowing
the path to the <filename>/etc/dumpdates</filename> file to be
changed. &merged;</para>

<para>&man.dump.8; now supplies progress information in its
process title, useful for monitoring automated
backups. &merged;</para>

<para>&man.dump.8; now supports a new <option>-S</option> flag to allow
it to just print out the dump size estimates and exit.</para>

<para>&man.edquota.8; now takes a <option>-f</option> option to
allow limiting the prototype quota distribution (specified with
<option>-p</option>) to a single filesystem. &merged;</para>

<para><filename>/etc/rc.firewall</filename> and
<filename>/etc/rc.firewall6</filename> will no longer add their own
hardcoded rules in the cases of a rules file in the
<varname>firewall_type</varname> variable or a non-existent
firewall type. (The motivation for this change is to avoid
acting on assumptions about a site's firewall policies.)
In
addition, the <literal>closed</literal> firewall type now works
as documented in the &man.rc.firewall.8; manual page. &merged;</para>

<para>The functionality of <filename>/etc/security</filename> has
been moved into a set of scripts under the &man.periodic.8;
framework, to make local customization easier and more
maintainable. These scripts now reside in
<filename>/etc/periodic/security/</filename>. &merged;</para>

<para>&man.expr.1; is now compliant with the POSIX Utility Syntax
Guidelines. Some programs depend on the old, historic behavior
(the <filename role="package">devel/libtool</filename>
port/package was/is a notable example). In these situations,
the <envar>EXPR_COMPAT</envar> environment variable can be
defined, which causes &man.expr.1; to behave more like previous
versions.</para>

<para>&man.fbtab.5; now accepts glob matching patterns for target
devices, not just individual devices and directories.</para>

<para arch="i386">&man.fdisk.8; no longer attempts to search for a
device if none has been specified on the command line, but
instead tries to figure out the default device name from the
root device.</para>

<para>&man.fdread.1;, a program to read data from floppy disks,
has been added. It is a counterpart to &man.fdwrite.1; and is
designed to provide a means of recovering at least some data
from bad media, and to obviate the need for a complex invocation of
&man.dd.1;.</para>

<para>&man.find.1; now takes the <option>-empty</option> flag,
which returns true if a file or directory is
empty. &merged;</para>

<para>&man.find.1; now takes the <option>-iname</option> and
<option>-ipath</option> primaries for case-insensitive matches,
and the <option>-regexp</option> and <option>-iregexp</option>
primaries for regular-expression matches.
The
<option>-E</option> flag now enables extended regular
expressions. &merged;</para>

<para>&man.find.1; now has the <option>-anewer</option>,
<option>-cnewer</option>, <option>-mnewer</option>,
<option>-okdir</option>, and <option>-newer[acm][acmt]</option>
primaries for comparisons of file timestamps. The latter
primaries can be specified with various units of
time. &merged;</para>

<para>&man.finger.1; now has the ability to support fingering
aliases, via the &man.finger.conf.5; file. &merged;</para>

<para>&man.finger.1; now has support for a
<filename>.pubkey</filename> file.</para>

<para>&man.fmt.1; has been rewritten; the rewrite fixes a number
of bugs compared to its prior behavior. &merged;</para>

<para>&man.fmtcheck.3;, a function for checking consistency of
format string arguments, has been added. &merged;</para>

<para>&man.fold.1; now supports a <option>-b</option> flag to
break at byte positions and a <option>-s</option> flag to break at
word boundaries.</para>

<para>&man.fsdb.8; now supports a <literal>blocks</literal>
command to list the blocks allocated by a particular
inode. &merged;</para>

<para>&man.fsck.8; wrappers have been imported; this feature
provides infrastructure for &man.fsck.8; to work on different
types of filesystems (analogous to &man.mount.8;).</para>

<para>The behavior of &man.fsck.8; when dealing with various
passes (a la <filename>/etc/fstab</filename>) has been modified
to accommodate multiple-disk filesystems.</para>

<para>&man.fsck.8; now has support for foreground
(<option>-F</option>) and background (<option>-B</option>)
checks. Traditionally, &man.fsck.8; is invoked before the
filesystems are mounted and all checks are done to completion at
that time.
If background checking is available, &man.fsck.8; is
invoked twice. It is first invoked at the traditional time,
before the filesystems are mounted, with the <option>-F</option>
flag to do checking on all the filesystems that cannot do
background checking. It is then invoked a second time, after
the system has completed going multiuser, with the
<option>-B</option> flag to do checking on all the filesystems
that can do background checking. Unlike the foreground
checking, the background checking is started asynchronously so
that other system activity can proceed even on the filesystems
that are being checked. Boot-time enabling of this feature is
controlled by the
<varname>background_fsck</varname> option in &man.rc.conf.5;.</para>

<para>Shortly after the receipt of a <literal>SIGINFO</literal>
signal (normally control-T from the controlling tty),
&man.fsck.ffs.8; will now output a line indicating the current
phase number and progress information relevant to the current
phase. &merged;</para>

<para>&man.fsck.ffs.8; now supports background filesystem checks
to mounted FFS filesystems with the <option>-B</option> option
(softupdates must be enabled on these filesystems). The
<option>-F</option> flag now determines whether a specified
filesystem needs foreground checking.</para>

<para>A new &man.fsck.msdosfs.8; utility has been added to check
the consistency of MS-DOS filesystems. &merged;</para>

<para>&man.ftpd.8; now supports a <option>-r</option> flag for
read-only mode and a <option>-E</option> flag to disable
<literal>EPSV</literal>. It also has some fixes to reduce
information leakage and the ability to specify compile-time port
ranges.
&merged;</para>

<para>&man.ftpd.8; now supports <option>-o</option> and
<option>-O</option> options to disable the
<literal>RETR</literal> command; the former for everybody, and
the latter only for guest users. Coupled with
<option>-A</option> and appropriate file permissions, these can
be used to create a relatively safe anonymous FTP drop box for
others to upload to.</para>

<para arch="i386">&man.gdb.1; now supports hardware watchpoints (using the
kernel's debug register support that has been introduced in
&os; 4.0). &merged;</para>

<para>The &man.getprogname.3; and &man.setprogname.3; library
functions have been added to manipulate the name of the current
program. They are used by error-reporting routines to produce
consistent output. &merged;</para>

<para>&man.gprof.1; now has a <option>-K</option> option to enable
dynamic symbol resolution from the currently-running kernel.
With this change, properly-compiled KLD modules are now able to
be profiled.</para>

<para>&man.growfs.8;, a utility for growing FFS filesystems, has
been added. &man.ffsinfo.8;, a utility for dumping all the
meta-information of an existing filesystem, has also been
added. &merged;</para>

<para>The &man.groups.1; and &man.whoami.1; shell scripts are now
unnecessary; their functionality has been completely folded into
&man.id.1;. &merged;</para>

<para>The &man.ibcs2.8;, &man.linux.8;, &man.osf1.8;, and
&man.svr4.8; scripts, whose sole purpose was to load emulation
kernel modules, have been removed. The kernel module system
will automatically load them as needed to fulfill
dependencies.</para>

<para>&man.indent.1; has gained some new formatting
options. &merged;</para>

<para>&man.ifconfig.8; can set the link-layer address of
an interface using the <option>link</option> parameter.
&merged;</para>

<para>&man.ifconfig.8; can now accept addresses in slash/CIDR
notation. &merged;</para>

<para>&man.ifconfig.8; now has support for setting parameters for
IEEE 802.11 wireless network devices. &man.wi.4; and &man.an.4;
devices are supported, and partial support is provided for
&man.awi.4; devices. &merged;</para>

<para>&man.ifconfig.8; no longer displays the list of supported
media by default. Instead it displays it when the
<option>-m</option> flag is given. &merged;</para>

<para>The syntax of &man.inetd.8;'s support for &man.faithd.8; is
now compatible with that of other BSDs. &merged;</para>

<para>The <literal>ident</literal> protocol support in
&man.inetd.8; has been cleaned up and updated. &merged;</para>

<para>&man.inetd.8; now has the ability to manage UNIX-domain
sockets. &merged;</para>

<para>By default, &man.inetd.8; is no longer run by &man.rc.8; at
boot-time, although &man.sysinstall.8; gives the option of
enabling it during binary installations. &man.inetd.8; can also
be enabled by adding the following line to
<filename>/etc/rc.conf</filename>:</para>

<programlisting>inetd_enable="YES"</programlisting>

<para>&man.install.1; has a number of new features, including the
<option>-b</option> and <option>-B</option> options for backing up
existing target files and the <option>-S</option> option for
<quote>safe</quote> (atomic copy) operation. The
<option>-c</option> (copy) flag is now the default, and the
<option>-D</option> (debugging) flag has been withdrawn.
&man.install.1; now issues a warning if <option>-d</option>
(create directories) and <option>-C</option> (copy changed files
only) are used together. &merged;</para>

<para>IP Filter is now supported by the &man.rc.conf.5; boot-time
configuration and initialization.
&merged;</para>

    <para>&man.ipfstat.8; now supports the <option>-t</option> option
      to turn on a &man.top.1;-like display. &merged;</para>

    <para>&man.ipfw.8; will now avoid the display of dynamic firewall
      rules unless the <option>-d</option> flag is passed to it. The
      <option>-e</option> option lists expired dynamic
      rules. &merged;</para>

    <para>&man.ipfw.8; has a new feature (<literal>me</literal>) that
      allows for packet matching on interfaces with
      dynamically-changing IP addresses. &merged;</para>

    <para>&man.ipfw.8; has a new <literal>limit</literal> type of
      firewall rule, which limits the number of sessions between
      address pairs. &merged;</para>

    <para>&man.ipfw.8; filter rules can now match on the value of the
      IPv4 precedence field.</para>

    <para>&man.ip6fw.8; now has the ability to use a preprocessor and
      use the <option>-q</option> (quiet) flag when reading from a
      file. &merged;</para>

    <para>&man.ispppcontrol.8; has been deleted, and its functionality
      has been folded into &man.spppcontrol.8;. &merged;</para>

    <para>&man.k5su.8; is no longer installed SUID
      <username>root</username> by default. Users requiring this
      feature can either manually change the permissions on the
      &man.k5su.8; executable or add
      <literal>ENABLE_SUID_K5SU=yes</literal> to
      <filename>/etc/make.conf</filename> before a source
      upgrade. &merged;</para>

    <para>&man.kenv.1;, a command to dump the kernel environment, has
      been added. &merged;</para>

    <para>&man.kenv.1; now has the ability to set or delete kernel
      environment variables.</para>

    <para>&man.keyinfo.1; is now a C program, rather than a Perl
      script.
&merged;</para>

    <para>The &man.kget.8; utility has been removed (it was only
      useful for UserConfig, which is not present in &os;
      &release.current;).</para>

    <para>&man.killall.1; is now a C program, rather than a Perl
      script. As a result, its <option>-m</option> option now uses
      the regular expression syntax of &man.regex.3;, rather than that
      of Perl. &merged;</para>

    <para>&man.killall.1; no longer tries to kill zombie processes
      unless the <option>-z</option> flag is specified.</para>

    <para>The &man.kldconfig.8; utility has been added to make it
      easier to manipulate the kernel module search
      path. &merged;</para>

    <para>ktrdump, a utility to dump the ktr trace buffer from
      userland, has been added.</para>

    <para>&man.last.1; now implements a <option>-d</option> option that
      provides a <quote>snapshot</quote> of who was logged in at a
      particular date and time. &merged;</para>

    <para>&man.last.1; now supports a <option>-y</option> flag, which
      causes the year to be included in the session start time. &merged;</para>

    <para>The &man.lastlogin.8; utility, which prints the last login
      time of each user, has been imported from
      NetBSD. &merged;</para>

    <para>&man.ldconfig.8; now checks directory ownerships and
      permissions for greater security; these checks can be disabled
      with the <option>-i</option> flag. &merged;</para>

    <para>&man.ldd.1; can now be used on shared libraries, in addition
      to executables.
&merged;</para>

    <para>&man.ldd.1; now supports a <option>-a</option> flag to list
      all the objects that are needed by each loaded object.</para>

    <para><filename>libc</filename> is now thread-safe by default;
      <filename>libc_r</filename> contains only thread
      functions.</para>

    <para><filename>libcrypt</filename> and
      <filename>libdescrypt</filename> have been unified to provide a
      configurable password authentication hash library. Both the md5
      and des hash methods are provided unless the des hash is
      specifically compiled out. &merged;</para>

    <para><filename>libcrypt</filename> now has support for Blowfish
      password hashing. &merged;</para>

    <para arch="i386"><filename>libdisk</filename> can now do
      install-time configuration of the <filename>boot0</filename>
      boot loader. &merged;</para>

    <para><filename>libstand</filename> now has support for
      filesystems containing
      <application>bzip2</application>-compressed
      files. &merged;</para>

    <para><filename>libstand</filename> now has support for
      overwriting the contents of a file on a UFS filesystem (it
      cannot expand or truncate files because the filesystem may be
      dirty or inconsistent).</para>

    <para><filename>libstand</filename> now has support for loading
      large kernels and modules split across several physical
      media. &merged;</para>

    <para>The default TCP port range used by
      <filename>libfetch</filename> for passive FTP retrievals has
      changed; this affects the behavior of &man.fetch.1;, which has
      gained the <option>-U</option> option to restore the old
      behavior. &merged;</para>

    <para><filename>libfetch</filename> now has support for an
      authentication callback. &merged;</para>

    <para><filename>libfetch</filename> now has support for a
      <envar>HTTP_USER_AGENT</envar> environment
      variable.
&merged;</para>

    <para><filename>libgmp</filename> has been superseded by
      <filename>libmp</filename>.</para>

    <para>The functions from <filename>libposix1e</filename> have been
      integrated into <filename>libc</filename>.</para>

    <para><filename>libusb</filename> has been renamed as
      <filename>libusbhid</filename>, following NetBSD's naming
      conventions. &merged;</para>

    <para>&man.ln.1; now takes an <option>-i</option> option to
      request user confirmation before overwriting an existing
      file. &merged;</para>

    <para>&man.ln.1; now takes a <option>-h</option> flag to avoid
      following a target that is a link, with a <option>-n</option>
      flag for compatibility with other
      implementations. &merged;</para>

    <para>&man.logger.1; can now send messages directly to a remote
      syslog. &merged;</para>

    <para>&man.login.1; now exports environment variables set by
      <application>PAM</application> modules. &merged;</para>

    <para>&man.lpc.8; has been improved; <command>lpc clean</command>
      is now somewhat safer, and a new <command>lpc tclean</command>
      command has been added to check to see what files would be
      removed by <command>lpc clean</command>. &merged;</para>

    <para>&man.lpd.8; now takes two new options: <option>-c</option>
      will log all connection errors to &man.syslogd.8;, while
      <option>-W</option> will allow connections from non-reserved
      ports. &merged;</para>

    <para>&man.lpd.8; now has some support for
      <literal>o</literal>-type print-file actions in its control
      files, which allows printing of PostScript files generated by
      <application>MacOS</application> 10.1. &merged;</para>

    <para>&man.lpd.8; now recognizes the <option>-s</option> flag as
      the preferred synonym for <option>-p</option> (these flags
      cause &man.lpd.8; not to open a socket for network print
      jobs).
&merged;</para>

    <para>&man.lpd.8; now implements a new <literal>rc</literal>
      printcap option. When specified in a print queue for a remote
      host, this boolean option causes &man.lpd.8; to resend the data file
      for each copy the user requested via
      <command>lpr -#<replaceable>n</replaceable></command>. &merged;</para>

    <para>Catching up with most other network utilities in the base
      system, &man.lpr.1;, &man.lpd.8;, &man.syslogd.8;, and
      &man.logger.1; are now all IPv6-capable. &merged;</para>

    <para><command>lprm -</command> now works for remote printer
      queues. &merged;</para>

    <para>&man.ls.1; can produce colorized listings with the
      <option>-G</option> flag (and appropriate terminal support).
      The <envar>CLICOLOR</envar> environment variable can be set to
      enable colorized listings by default. &merged;</para>

    <para>&man.ls.1; now accepts a <option>-h</option> flag, which
      when combined with the <option>-l</option> flag, causes file
      sizes to be printed with unit suffixes, such that the number of
      digits printed is less than three. &merged;</para>

    <para>The &man.ls.1; program now supports a <option>-m</option>
      flag to list files across a page, a <option>-p</option> flag to
      force printing of a <literal>/</literal> after directories, and
      a <option>-x</option> flag to sort filenames across a
      page.</para>

    <para>&man.m4.1; now accepts a <option>-s</option> flag to cause
      it to emit <literal>#line</literal> directives for use by
      &man.cpp.1;. &merged;</para>

    <para>&man.mail.1; now takes a <option>-E</option> flag to avoid
      sending messages with empty bodies. &merged;</para>

    <para>&man.make.1; has gained the <literal>:C///</literal>
      (regular expression substitution), <literal>:L</literal>
      (lowercase), and <literal>:U</literal> (uppercase) variable
      modifiers.
      These were added to reduce the differences between
      the &os; and OpenBSD/NetBSD &man.make.1; programs.
      &merged;</para>

    <para>Several bugs in &man.make.1;, including broken null suffix
      behavior, bad assumptions about current directory permissions,
      and potential buffer overflows, have been fixed. &merged;</para>

    <para>The new <varname>CPUTYPE</varname>
      <filename>make.conf</filename> variable controls the compilation
      of processor-specific optimizations in various pieces of code
      such as <application>OpenSSL</application>. &merged;</para>

    <para>The &os; <filename>Makefile</filename> infrastructure now
      supports the <varname>WARNS</varname> directive from NetBSD.
      This directive controls the addition of compiler warning flags
      to <varname>CFLAGS</varname> in a relatively compiler-neutral
      manner. &merged;</para>

    <para>&man.makewhatis.1; is now a C program, instead of a
      Perl script.</para>

    <para>&man.man.1; is no longer installed SUID
      <username>man</username>, in order to reduce vulnerabilities
      associated with generating <quote>catpages</quote> (preformatted
      manual pages cached for repeated viewing). As a result,
      &man.man.1; can no longer create system catpages on a regular
      user's behalf. It is still able to do so if the user has write
      permissions to the directory holding catpages (e.g. a user's own
      manpages) or if the running user is
      <username>root</username>.</para>

    <para>The &man.mdmfs.8; command has been added; it is a wrapper
      around &man.mdconfig.8;, &man.disklabel.8;, &man.newfs.8;, and
      &man.mount.8; that mimics the command line option set of the
      deprecated &man.mount.mfs.8;.</para>

    <para>&man.mergemaster.8; now sources an
      <filename>/etc/mergemaster.rc</filename> file and also prompts
      the user to run recommended commands (such as
      <command>newaliases</command>) as needed.
&merged;</para>

    <para>&man.mergemaster.8; now supports two new flags.
      The <option>-p</option> flag enables a
      <quote>pre-<literal>buildworld</literal></quote> mode to compare files
      known to be essential to the success of the
      <literal>buildworld</literal> and
      <literal>installworld</literal> system updating steps. The
      <option>-C</option> flag, used after a successful
      &man.mergemaster.8; run, compares options in
      <filename>/etc/rc.conf</filename> to the default options in
      <filename>/etc/defaults/rc.conf</filename>. &merged;</para>

    <para>&man.mk.cmds.1; and the associated
      <filename>libss</filename> have been removed; they have been
      unused for quite some time. &merged;</para>

    <para>&man.moused.8; now takes a <option>-a</option> option to
      control mouse acceleration. &merged;</para>

    <para>&man.mtree.8; now includes support for a file that lists
      pathnames to be excluded when creating and verifying prototypes.
      This makes it easier to use &man.mtree.8; as a part of an
      intrusion-detection system. &merged;</para>

    <para>&man.mv.1; now takes a (nonstandard) <option>-n</option> option to
      automatically answer <quote>no</quote> when it would ask to
      overwrite a file.</para>

    <para>&man.natd.8; now supports a
      <option>-log_ipfw_denied</option> option to log packets that
      cannot be re-injected because they are blocked by &man.ipfw.8;
      rules. &merged;</para>

    <para>The <quote>in use</quote> percentage metric displayed by
      &man.netstat.1; now really reflects the percentage of network
      mbufs used. &merged;</para>

    <para>&man.netstat.1; now has a <option>-W</option> flag that
      tells it not to truncate addresses, even if they're too long for
      the column they're printed in. &merged;</para>

    <para>&man.netstat.1; now keeps track of input and output packets
      on a per-address basis for each interface.
&merged;</para>

    <para>&man.netstat.1; now has a <option>-z</option> flag to reset
      statistics. &merged;</para>

    <para>&man.netstat.1; now has a <option>-S</option> flag to print
      addresses numerically but port names symbolically. &merged;</para>

    <para>&man.newfs.8; now implements write combining, which can make
      creation of new filesystems up to seven times
      faster. &merged;</para>

    <para>&man.newfs.8; now takes a <option>-U</option> option to
      enable softupdates on a new filesystem. &merged;</para>

    <para>The default number of cylinders per group in &man.newfs.8;
      is now computed to be the maximum allowable given the current
      filesystem parameters. It can be overridden with the
      <option>-c</option> option. Formerly, the default was fixed at
      16. This change leads to better &man.fsck.8; performance and
      reduced fragmentation. &merged;</para>

    <para><anchor id="newfs-block-frag-sizes">The default block and
      fragment sizes for new filesystems created by &man.newfs.8; are
      now 16384 and 2048 bytes, respectively (the old defaults were
      8192 and 1024 bytes). This change generally provides increased
      performance, at the expense of some wasted disk
      space. &merged;</para>

    <para>A number of archaic features of &man.newfs.8; have been
      removed; these implement tuning features that are essentially
      useless on modern hard disks. These features were controlled by
      the <option>-O</option>, <option>-d</option>,
      <option>-k</option>, <option>-l</option>, <option>-n</option>,
      <option>-p</option>, <option>-r</option>, <option>-t</option>,
      and <option>-x</option> flags.</para>

    <para>&man.newsyslog.8; now has the ability to compress log files
      using &man.bzip2.1;.
&merged;</para>

    <para><application>NFS</application> now works over IPv6.</para>

    <para>&man.ngctl.8; now supports a <option>write</option> command
      to send a data packet down a given hook. &merged;</para>

    <para>&man.nl.1;, a line numbering filter program, has been
      added. &merged;</para>

    <para><application>nsswitch</application> support has been merged
      from NetBSD. By creating an &man.nsswitch.conf.5; file, &os;
      can be configured so that various databases such as
      &man.passwd.5; and &man.group.5; can be looked up using flat
      files, NIS, or Hesiod. The old
      <filename>hosts.conf</filename> file is no longer used.</para>

    <para><application>PAM</application> support has been added for
      account management and sessions.</para>

    <para><application>PAM</application> configuration is now
      specified by files in <filename>/etc/pam.d/</filename>, rather
      than a single <filename>/etc/pam.conf</filename> file.
      <filename>/etc/pam.d/README</filename> has more details.</para>

    <para>A &man.pam.ftp.8; module has been added to allow
      authentication of anonymous FTP users.</para>

    <para>A &man.pam.ftpusers.8; module has been added to perform
      checks against the &man.ftpusers.5; file.</para>

    <para>A &man.pam.lastlog.8; module has been added to record
      sessions in the &man.utmp.5;, &man.wtmp.5;, and &man.lastlog.5;
      databases.</para>

    <para>A &man.pam.login.access.8; module has been added, to allow
      checking against <filename>/etc/login.access</filename>.</para>

    <para>The &man.pam.nologin.8; module, which can disallow logins
      using &man.nologin.5;, has been added.</para>

    <para>The &man.pam.opie.8; and &man.pam.opieaccess.8; modules have
      been added to control authentication via &man.opie.4;.</para>

    <para>A &man.pam.passwdqc.8; module has been added, to check the
      quality of passwords submitted during password changes.</para>

    <para>A &man.pam.rhosts.8; module has been added to support
      &man.rhosts.5; authentication.</para>

    <para>The &man.pam.rootok.8; module, which can be used to
      authenticate only the superuser, has been added.</para>

    <para>A &man.pam.securetty.8; module has been added to check the
      <quote>security</quote> of a TTY, as listed in &man.ttys.5;.</para>

    <para>A &man.pam.self.8; module, which allows self-authentication
      of a user, has been added.</para>

    <para>A &man.pam.ssh.8; module has been added to allow the use of
      SSH passphrases and keypairs for authentication. This module
      also handles session management by invoking
      &man.ssh-agent.1;.
&merged;</para>

    <para>A &man.pam.wheel.8; module has been added to permit
      authentication to members of a group, which defaults to
      <groupname>wheel</groupname>.</para>

    <para>&man.passwd.1; and &man.pw.8; now select the password hash
      algorithm at run time. See the <literal>passwd_format</literal>
      attribute in
      <filename>/etc/login.conf</filename>. &merged;</para>

    <para>&man.patch.1; now accepts a <option>-i</option> command-line
      flag to read a patch from a file, rather than standard
      input. &merged;</para>

    <para>The &man.pathchk.1; utility, which checks pathnames for
      validity or portability between POSIX systems, has been
      added.</para>

    <para>&man.pax.1; has received a number of enhancements, including
      &man.cpio.1; functionality, &man.tar.1; compatibility
      enhancements, <option>-z</option> and <option>-Z</option> flags
      for &man.gzip.1; and &man.compress.1; functionality, and a
      number of bug fixes. &merged;</para>

    <para>&man.pciconf.8; now supports a <option>-v</option> option to
      display the vendor/device information of configured devices, in
      conjunction with the <option>-l</option> option. The default
      vendor/device database can be found at
      <filename>/usr/share/misc/pci_vendors</filename>. &merged;</para>

    <para>The behavior of &man.periodic.8; is now controlled by
      <filename>/etc/defaults/periodic.conf</filename> and
      <filename>/etc/periodic.conf</filename>. &merged;</para>

    <para>&man.ping.8; now supports a <option>-m</option> option to
      set the TTL of outgoing packets. &merged;</para>

    <para>&man.ping.8; now supports a <option>-A</option> option to
      beep when packets are lost. &merged;</para>

    <para>Userland &man.ppp.8; has received a number of updates and
      bug fixes.
&merged;</para>

    <para>&man.ppp.8; has gained the <literal>tcpmssfixup</literal>
      option, which adjusts outgoing and incoming TCP SYN packets so
      that the maximum receive segment size is no larger than allowed
      by the interface MTU. &merged;</para>

    <para>&man.ppp.8; now supports IPv6. &merged;</para>

    <para>&man.pppd.8; (the control program for kernel-level PPP) is
      now installed mode <literal>4550</literal> and
      <username>root</username><literal>:</literal><groupname>dialer</groupname>,
      rather than mode <literal>4555</literal> (in other words, it is
      no longer world-executable). Users of &man.pppd.8; may need to
      change their group settings. &merged;</para>

    <para>&man.pr.1; now supports the <option>-f</option> and
      <option>-p</option> flags to pause output going to a
      terminal. &merged;</para>

    <para>The <option>-W</option> option to &man.ps.1; (to extract
      information from a specified swap device) has been useless for
      some time; it has been removed. &merged;</para>

    <para>&man.pwd.1; can now double as &man.realpath.1;, a program to
      resolve pathnames to their underlying physical
      paths. &merged;</para>

    <para>&man.pwd.1; now supports the <option>-L</option> flag to
      print the logical current working directory.</para>

    <para>The pseudo-random number generator implemented by
      &man.rand.3; has been improved to provide less biased
      results.</para>

    <para>&man.rc.8; now has a framework for handling dependencies
      between &man.rc.conf.5; variables. &merged;</para>

    <para>&man.rc.8; now deletes all non-directory files in
      <filename>/var/run</filename> and
      <filename>/var/spool/lock</filename> at boot
      time.
&merged;</para>

    <para>&man.rcmd.3; now supports the use of the
      <envar>RSH</envar> environment variable to specify a program to
      use other than &man.rsh.1; for remote execution. As a result,
      programs such as &man.dump.8; can use &man.ssh.1; for remote
      transport.</para>

    <para>&man.rdist.1; has been retired from the base system, but is
      still available from the &os; Ports Collection as
      <filename role="package">net/44bsd-rdist</filename>.</para>

    <para>&man.reboot.8; now takes a <option>-k</option> option to specify
      the next kernel to boot. &merged;</para>

    <para>The &man.renice.8; command implements a <option>-n</option>
      option, which specifies an increment to be applied to the
      priority of a process.</para>

    <para>The &man.resolver.3; in &os; now implements EDNS0 support,
      which will be necessary when working with IPv6 transport-ready
      resolvers/DNS servers. &merged;</para>

    <para>The &man.rfork.thread.3; library call has been added as a
      helper function to &man.rfork.2;. Using this function should
      avoid the need to implement complex stack swap
      code. &merged;</para>

    <para>The <option>-v</option> option to &man.rm.1; now displays
      the entire pathname of a file being removed.</para>

    <para>&man.route.8; is now more verbose when changing indirect
      routes, in the case of a gateway route that is the same route as
      the one being modified. &merged;</para>

    <para>&man.route.8; now uses
      <literal><replaceable>host</replaceable>/<replaceable>bits</replaceable></literal>
      syntax instead of
      <literal><replaceable>net</replaceable>/<replaceable>bits</replaceable></literal>
      syntax, for compatibility with &man.netstat.1;. &merged;</para>

    <para>&man.route.8; can now create <quote>proxy only</quote>
      published ARP entries.
&merged;</para>

    <para>The &man.route.8; <option>add</option> command now supports
      the <option>-ifp</option> and <option>-ifa</option>
      modifiers. &merged;</para>

    <para>&man.rpcbind.8; has replaced &man.portmap.8;.</para>

    <para>&man.rpcgen.1; now uses <filename>/usr/bin/cpp</filename>
      (as on NetBSD), not
      <filename>/usr/libexec/cpp</filename>.</para>

    <para>&man.rpc.lockd.8; has been imported from NetBSD. This
      daemon provides support for servicing client NFS locks.</para>

    <para>The performance of the ELF dynamic linker &man.rtld.1; has
      been improved. &merged;</para>

    <para>RSA Security has waived all patent rights to the
      <application>RSA</application> algorithm. As a result, the
      native <application>OpenSSL</application> implementation of the
      RSA algorithm is now activated by default, and the <filename
      role="package">security/rsaref</filename> port and the
      <filename>librsaUSA</filename> and
      <filename>librsaINTL</filename> libraries are no longer required
      for USA and non-USA residents respectively. &merged;</para>

    <para>&man.rtld.1; will now print the names of all objects that
      cause each object to be loaded, if the
      <varname>LD_TRACE_LOADED_OBJECTS_ALL</varname> environment
      variable is defined.</para>

    <para>&man.savecore.8; now supports a <option>-k</option> option
      to prevent clearing a crash dump after saving it. It also
      attempts to avoid writing large stretches of zeros to crash dump
      files to save space and time. &merged;</para>

    <para>&man.savecore.8; now works correctly on machines with 2 GB
      or more of RAM. &merged;</para>

    <para>The &man.sccs.1; front-end to the Source Code Control System
      has been revived.</para>

    <para>&man.sed.1; now takes a <option>-E</option> option for
      extended regular expression support.
&merged;</para>

    <para>&man.sed.1; now takes a <option>-i</option> option to enable
      in-place editing of files.</para>

    <para>&man.send-pr.1; now takes a <option>-a</option> option to
      include a file into the <literal>Fix:</literal> section of a
      problem report. &merged;</para>

    <para>The &man.setfacl.1; and &man.getfacl.1; commands have been
      added to manage filesystem Access Control Lists.</para>

    <para>&man.setproctitle.3; has been moved from
      <filename>libutil</filename> to
      <filename>libc</filename>. &merged;</para>

    <para>&man.sh.1; now implements <command>test</command> as a
      built-in command for improved efficiency. &merged;</para>

    <para>&man.sh.1; no longer implements <command>printf</command> as
      a built-in command because it was considered less valuable
      compared to the other built-in commands (this functionality is,
      of course, still available through the &man.printf.1;
      executable).</para>

    <para>&man.sh.1; now supports a <option>-C</option> option to
      prevent existing regular files from being overwritten by output
      redirection, and a <option>-u</option> option to give an error if an
      unset variable is expanded.</para>

    <para>&man.sockstat.1; now has <option>-c</option> and
      <option>-l</option> flags for listing connected and listening
      sockets, respectively. &merged;</para>

    <para>&man.spkrtest.8; is now a &man.sh.1; script, rather than a
      Perl script.</para>

    <para>&man.split.1; now has the ability to split a file longer
      than 2GB.
&merged;</para>

    <para>&man.split.1; now supports a <option>-a</option> option to
      specify the number of letters to use for the suffix of split
      files.</para>

    <para>In preparation for meeting SUSv2/POSIX
      <filename>&lt;sys/select.h&gt;</filename> requirements,
      <literal>struct selinfo</literal> and related functions have been
      moved to <filename>&lt;sys/selinfo.h&gt;</filename>.</para>

    <para>The &man.strnstr.3; and &man.strcasestr.3; variants of
      &man.strstr.3; have been implemented. &merged;</para>

    <para>&man.stty.1; now has support for an
      <literal>erase2</literal> control character, so that, for
      example, both the <keycap>Delete</keycap> and
      <keycap>Backspace</keycap> keys can be used to erase
      characters. &merged;</para>

    <para>&man.su.1; now uses <application>PAM</application> for
      authentication.</para>

    <para>Boot-time &man.syscons.4; configuration was moved to a
      machine-independent
      <filename>/etc/rc.syscons</filename>. &merged;</para>

    <para>&man.sysctl.8; now supports a <option>-N</option> option to
      print out variable names only. &merged;</para>

    <para>&man.sysctl.8; has replaced the <option>-A</option> and
      <option>-X</option> options with <option>-ao</option> and
      <option>-ax</option> respectively; the former options are now
      deprecated. The <option>-w</option> option is deprecated as
      well; it is not needed to determine the user's
      intentions. &merged;</para>

    <para>&man.sysctl.8; now supports a <option>-e</option> option to
      separate variable names and values by <literal>=</literal>
      rather than <literal>:</literal>. This feature is useful for
      producing output that can be fed back to
      &man.sysctl.8;.
&merged;</para>

    <para>&man.sysctl.8; now accepts a <option>-d</option> flag to print
      the descriptions of variables.</para>

    <para>&man.sysinstall.8; now properly preserves
      <filename>/etc/mail</filename> during a binary
      upgrade. &merged;</para>

    <para>&man.sysinstall.8; now uses some more intuitive defaults
      thanks to some new dialog support functions. &merged;</para>

    <para>The default root partition in &man.sysinstall.8; is now
      100MB on the i386 and 120MB on the Alpha.</para>

    <para>&man.sysinstall.8; now lives in
      <filename>/usr/sbin</filename>, which simplifies the
      installation process. The &man.sysinstall.8; manpage is also
      installed in a more consistent fashion now.</para>

    <para>&man.sysinstall.8; now has the ability to load KLDs as a
      part of the installation. &merged;</para>

    <para>When run from the installation media, &man.sysinstall.8;
      will automatically load any device drivers found in the
      <filename>/stand/modules</filename> directory of the
      <literal>mfsroot</literal> floppy or filesystem image. Note
      that any drivers so loaded will not appear in the kernel's boot
      messages; the &man.sysinstall.8; debugging screen will provide
      additional information. &merged;</para>

    <para>&man.sysinstall.8; now enables Soft Updates by default on
      all filesystems it creates, except for the root
      filesystem. &merged;</para>

    <para>&man.sysinstall.8; has received updates for its
      <quote>auto</quote> partitioning mode which provide more
      reasonable defaults for the sizes of partitions that are
      created; auto-sized partitions can now also recover the space
      that becomes available when other partitions are
      deleted.
&merged;</para>

    <para>&man.sysinstall.8; no longer mounts the &man.procfs.5;
      filesystem by default on new installs.</para>

    <para>&man.sysinstall.8; now has rudimentary support for
      retrieving packages from the correct volume of a multiple-volume
      installation (such as a multi-CD distribution). &merged;</para>

    <para>&man.syslogd.8; can take a <option>-n</option> option to
      disable DNS queries for every request. &merged;</para>

    <para>&man.syslogd.8; now supports a
      <literal>LOG_CONSOLE</literal> facility (disabled by default),
      which can be used to log <filename>/dev/console</filename>
      output. &merged;</para>

    <para>&man.syslogd.8; now has the ability to bind to a specific
      address (as opposed to using every available one) via the
      <option>-b</option> option. &merged;</para>

    <para>&man.syslogd.8; now accepts a <option>-c</option> flag to
      disable repeated line compression. &merged;</para>

    <para>&man.tabs.1;, a utility to set terminal tab stops, has been
      added.</para>

    <para>&man.tail.1; now has the ability to work on files longer
      than 2GB. &merged;</para>

    <para>&man.tar.1; now supports the <varname>TAR_RSH</varname>
      variable, principally to enable the use of &man.ssh.1; as a
      transport. &merged;</para>

    <para>&man.telnet.1; now does autologin and encryption by default;
      a new <option>-y</option> option turns off encryption. &merged;</para>

    <para>&man.telnet.1; now supports a <option>-u</option> flag to
      allow connections to UNIX-domain (<literal>AF_UNIX</literal>)
      sockets. &merged;</para>

    <para>&man.tftp.1; and &man.tftpd.8; now support IPv6. &merged;</para>

    <para>&man.tftpd.8; now takes the <option>-c</option> and
      <option>-C</option> options, which allow the server to
      &man.chroot.2; based on the IP address of the connecting client.
      &man.tftp.1; and &man.tftpd.8; can now transfer files larger
      than 65535 blocks. &merged;</para>

    <para>&man.tftpd.8; now supports RFC 2349 (TFTP Timeout Interval
      and Transfer Size Options); this feature is required by some
      firmware like EFI boot managers (at least on HP i2000 Itanium
      servers) in order to boot an image using
      <application>TFTP</application>.</para>

    <para arch="alpha">&man.timed.8; now works on the alpha.</para>

    <para>A version of Transport Independent RPC
      (<application>TI-RPC</application>) has been imported.</para>

    <para>&man.tmpnam.3; will now use the <envar>TMPDIR</envar>
      environment variable, if set, to specify the location of
      temporary files. &merged;</para>

    <para>&man.tip.1; has been updated from
      <application>OpenBSD</application>, and has the ability to act
      as a &man.cu.1; substitute.</para>

    <para>&man.top.1; will now use the full width of its tty.</para>

    <para>&man.touch.1; now takes a <option>-h</option> option to
      operate on a symbolic link, rather than what the link points
      to.</para>

    <para>The &man.truncate.1; utility, which truncates or extends the
      length of files, has been added. &merged;</para>

    <para>Ukrainian language support has been added to the &os;
      console. &merged;</para>

    <para><application>UUCP</application> has been removed from the
      base system. It can be found in the Ports Collection, in
      <filename role="package">net/freebsd-uucp</filename>.</para>

    <para>&man.unexpand.1; now supports a <option>-t</option> option to
      specify tab stops, analogous to &man.expand.1;.</para>

    <para>&man.units.1; has received some updates and
      bugfixes.
      &merged;</para>

    <para>&man.usbdevs.8; now supports a <option>-d</option> flag to
      show the device driver associated with each device.</para>

    <para>The &man.usbhidctl.1; utility has been added to manipulate
      USB Human Interface Devices. &merged;</para>

    <para>&man.uuencode.1; and &man.uudecode.1; now accept a <option>-o</option> option to
      set their output files. &man.uuencode.1; can now be made to do base64 encoding
      when given the <option>-m</option> flag, while &man.uudecode.1;
      can now automatically decode base64 files. &merged;</para>

    <para>The base64 capabilities of &man.uuencode.1; and
      &man.uudecode.1; can now be automatically enabled by invoking
      these utilities as &man.b64encode.1; and &man.b64decode.1;
      respectively.</para>

    <para>&man.vidcontrol.1; now accepts a <option>-g</option>
      parameter to select custom text geometry in the
      <literal>VESA_800x600</literal> raster text mode. &merged;</para>

    <para>&man.vidcontrol.1; now allows the user to omit the font size
      specification when loading a font, and has some better
      error-handling. &merged;</para>

    <para>&man.vidcontrol.1; now supports a <option>-p</option> option
      to take a snapshot of a &man.syscons.4; video buffer. These
      snapshots can be manipulated by the
      <filename role="package">graphics/scr2png</filename> utility in
      the Ports Collection. &merged;</para>

    <para>&man.vidcontrol.1; now supports a <option>-C</option> option
      to clear the history buffer for a given tty, as well as a
      <option>-h</option> option to set the size of the history
      buffer. &merged;</para>

    <para>The default stripe size in &man.vinum.8; has been changed
      from 256KB to 279KB, to spread out superblocks more evenly
      between stripes.</para>

    <para>&man.wall.1; now supports a <option>-g</option> flag to
      write a message to all users of a given group.
      &merged;</para>

    <para>&man.watch.8; now takes a <option>-f</option> option to
      specify a &man.snp.4; device to use. &merged;</para>

    <para>&man.which.1; is now a C program, rather than a Perl
      script.</para>

    <para>&man.who.1; now has a number of new options:
      <option>-H</option> shows column headings; <option>-T</option>
      shows &man.mesg.1; state; <option>-m</option> is an equivalent
      to <option>am i</option>; <option>-u</option> shows idle time;
      <option>-q</option> lists names in columns.</para>

    <para>&man.whois.1; now directs queries for IP addresses to ARIN.
      If a query to ARIN references APNIC or RIPE, the appropriate
      server will also be queried, provided that the
      <option>-Q</option> option is not specified. &merged;</para>

    <para>&man.whois.1; supports a <option>-c</option> option to
      specify a country code to help direct queries towards a
      particular whois server. &merged;</para>

    <para>&man.xargs.1; now supports a <option>-I</option>
      <replaceable>replstr</replaceable> option that allows the user
      to tell &man.xargs.1; to insert the data read from standard
      input at specific points in the command line arguments rather
      than at the end. (A &os;-specific <option>-J</option> option is
      similar, but is now deprecated in favor of the more portable
      <option>-I</option> option.)</para>

    <para>&man.xargs.1; now supports a <option>-L</option> option to
      force its utility argument to be called after some number of
      lines.</para>

    <para>The compiler chain now uses the FSF-supplied C/C++ runtime
      initialization code. This change brings about better
      compatibility with code generated from the various egcs and gcc
      ports, as well as the stock public FSF source.
      &merged;</para>

    <para>The threads library has gained some signal handling changes,
      bug fixes, and performance enhancements (including zero system
      call thread switching). &man.gdb.1; thread support has been
      updated to match these changes. &merged;</para>

    <para>Significant additions have been made to internationalization
      support; &os; now has complete locale support for the
      <literal>LC_MONETARY</literal>, <literal>LC_NUMERIC</literal>,
      and <literal>LC_MESSAGES</literal> categories. A number of
      applications have been updated to take advantage of this
      support. &merged;</para>

    <para>Locale names have been changed to improve compatibility with
      the names used by X11R6, as well as a number of other UNIX
      versions. As an example, the
      <literal>en_US.ISO_8859-1</literal> locale name has been changed
      to
      <literal>en_US.ISO8859-1</literal>. Entries in
      <filename>/etc/locale.alias</filename> provide backward
      compatibility. &merged;</para>

    <para><filename>/usr/src/share/examples/BSD_daemon/</filename> now
      contains a scalable Beastie graphic. &merged;</para>

    <para>As part of an ongoing process, many manual pages were
      improved, both in terms of their formatting markup and in their
      content. &merged;</para>

    <para>A number of utilities and libraries were enhanced to improve
      their conformance with the Single UNIX Specification (SUSv3) and
      IEEE Std 1003.1-2001 (<quote>POSIX.1</quote>). Specific
      features added have been listed in the release notes for each
      utility.
      The standards conformance of each utility or library
      function is generally listed in its manual page.</para>

    <sect3>
      <title>Contributed Software</title>

      <para><application>am-utils</application> has been updated to
        6.0.7.</para>

      <para>A 10 February 2002 snapshot of <application>awk</application> from Bell Labs (variously
        known as <quote>BWK awk</quote> or <quote>The One True
        AWK</quote>) has been imported. It is available as
        <command>awk</command> or
        <command>nawk</command>.</para>

      <para><application>bc</application> has been updated from 1.04 to
        1.06. &merged;</para>

      <para>The ISC library from the <application>BIND</application>
        distribution is now built as
        <filename>libisc</filename>. &merged;</para>

      <para><application>BIND</application> is now built with the
        <literal>NOADDITIONAL</literal> flag, which causes
        &man.named.8; to operate in a more consistent fashion for
        certain common misconfigurations. &merged;</para>

      <para><application>BIND</application> has been updated to
        8.3.2-T1B. &merged;</para>

      <para><application>Binutils</application> has been updated to
        2.12.0.</para>

      <para><application>bzip2</application> 1.0.2 has been imported;
        this brings the &man.bzip2.1; program and the
        <filename>libbz2</filename> library to the base
        system. &merged;</para>

      <para>The &man.ee.1; <application>Easy Editor</application> has
        been updated to 1.4.2. &merged;</para>

      <para><application>file</application> has been updated to
        3.37.</para>

      <para><application>gcc</application> has been updated to
        a snapshot of <application>gcc</application> 3.1.
        <warning>
          <para>The integration of <application>gcc</application> is
            very new. Some applications and programs in the base
            system require fixes or compiler flags to build
            correctly.
            Work to address these problems is ongoing.</para>
        </warning>
      </para>

      <para>&man.gcc.1; now uses a unified <filename>libgcc</filename>
        rather than a separate one for threaded and non-threaded
        programs. <filename>/usr/lib/libgcc_r.a</filename> can be
        removed. &merged;</para>

      <para>&man.gcc.1; now supports the environment variable
        <envar>GCC_OPTIONS</envar>, which can hold a set of default
        options for <application>GCC</application>. &merged;</para>

      <para><application>GNATS</application> has been updated to
        3.113. &merged;</para>

      <para><application>GNU awk</application> has been updated to
        3.1.0. It is now available as <command>gawk</command>.</para>

      <para><application>gperf</application> has been updated to
        2.7.2.</para>

      <para><application>groff</application> and its related utilities
        have been updated to FSF version 1.17.2. This import brings
        in a new &man.mdoc.7; macro package (sometimes referred to as
        <literal>mdocNG</literal>), which removes many of the
        limitations of its predecessor. &merged;</para>

      <para><application>Heimdal Kerberos</application> has been updated to
        0.4e. &merged;</para>

      <para>The version of <application>IPFilter</application>
        provided with &os; now includes the &man.ipfs.8; program,
        which allows state information created for NAT entries and
        stateful rules to be saved to disk and restored after a
        reboot. Boot-time configuration of these features is
        supported by &man.rc.conf.5;. &merged;</para>

      <para>The <application>ISC DHCP</application> client has been
        updated to 3.0.1RC8. &merged;</para>

      <para><application>Kerberos IV</application> has been updated to
        1.0.5. &merged;</para>

      <para>The &man.more.1; command has been replaced by
        &man.less.1;, although it can still be run as
        <command>more</command>.
        &merged; Version 371 of
        <application>less</application> has been imported.</para>

      <para><application>libpcap</application> has been updated to
        0.6.2. &merged;</para>

      <para><application>libreadline</application> has been updated to
        4.2.</para>

      <para><application>libz</application> has been updated to
        1.1.4.</para>

      <para><application>lint</application> has been updated to
        a snapshot of NetBSD &man.lint.1; as of 3 March 2002.</para>

      <para><application>lukemftp</application> (the FTP client from
        NetBSD) has replaced the &os; &man.ftp.1; program. Among its
        new features are more automation methods, better standards
        compliance, transfer rate throttling, and a customizable
        command-line prompt. Some environment variables and
        command-line arguments have changed.</para>

      <para>The FTP daemon from NetBSD, otherwise known as
        <application>lukemftpd</application>, has been imported and is
        available as &man.lukemftpd.8;.</para>

      <para>&man.m4.1; has been imported from OpenBSD, as of 26 April
        2002.</para>

      <para><application>ncurses</application> has been updated to
        5.2-20020518.</para>

      <para>The <application>NTP</application> suite of programs has
        been updated to 4.1.0. &merged;</para>

      <para><application>OpenPAM</application>
        (<quote>Cinnamon</quote> release) has been imported,
        replacing
        <application>Linux-PAM</application>.</para>

      <para>The <application>OPIE</application> one-time-password
        suite has been updated to 2.4. It has completely
        replaced the functionality of
        <application>S/Key</application>.</para>

      <para><application>Perl</application> has been removed from the
        &os; base system. It can still be installed from the &os;
        Ports Collection or as a binary package; moving it out of the
        base system will make future upgrades and maintenance easier.
        To reduce the dependence of the base system on
        Perl, many utilities have been
        rewritten as shell scripts or C programs (specific notes are
        made for each affected utility).
        <filename>/usr/bin/perl</filename> is now a
        <quote>wrapper</quote> program, so that programs expecting to
        find a Perl interpreter there will
        be able to function correctly.

        <warning>
          <para>The Perl removal and
            package integration work is ongoing.</para>
        </warning>

      </para>

      <para><application>GNU ptx</application> has been removed from
        the base system. It is not used anywhere in the base system,
        and has not been recently updated or maintained. Users
        requiring its functionality can install this utility as a part
        of the <filename role="package">textproc/textutils</filename>
        port.</para>

      <para>&man.routed.8; has been updated to version
        2.22. &merged;</para>

      <para arch="i386">Version 1.4.4 of the
        <application>smbfs</application> userland utilities has been
        imported.</para>

      <para><application>tcpdump</application> has been updated to
        3.6.3. &merged;</para>

      <para>The &man.csh.1; shell has been replaced by &man.tcsh.1;,
        although it can still be run as <command>csh</command>.
        <application>tcsh</application> has been updated to version
        6.11. &merged;</para>

      <para>The contributed version of
        <application>tcp_wrappers</application> now includes the
        &man.tcpd.8; helper daemon. While not strictly necessary in a
        standard &os; installation (because &man.inetd.8; already
        incorporates this functionality), this may be useful for
        &man.inetd.8; replacements such as
        <application>xinetd</application>.</para>

      <para><application>texinfo</application> has been updated to
        4.1.
        &merged;</para>

      <para><application>top</application> has been updated to version
        3.5b12.</para>

      <para>&man.traceroute.8; now takes its default maximum TTL value
        from the <varname>net.inet.ip.ttl</varname> sysctl
        variable. &merged;</para>

      <para>The timezone database has been updated to the
        <filename>tzdata2002c</filename> release. &merged;</para>

      <sect4>
        <title>CVS</title>

        <para><application>cvs</application> has been updated to
          1.11.1p1. &merged;</para>

        <para>The default value for &man.cvs.1;'s
          <envar>CVS_RSH</envar> variable is now
          <literal>ssh</literal>, rather than
          <literal>rsh</literal>. &merged;</para>

        <para>&man.cvs.1; now supports a <option>-T</option> option to
          update a sandbox's <filename>CVS/Template</filename> file
          from the repository. &merged;</para>

        <para>&man.cvs.1; <literal>diff</literal> now supports the
          <option>-j</option> option to perform differences against a
          revision relative to a branch tag. &merged;</para>
      </sect4>

      <sect4>
        <title>CVSup</title>

        <para><application>CVSup</application>, a frequently used
          utility in the &os; Ports Collection, was formerly
          installable using several ports and packages. The
          <filename role="package">net/cvsup-bin</filename> and
          <filename role="package">net/cvsupd-bin</filename>
          ports/packages are no longer necessary or available; the
          <filename role="package">net/cvsup</filename> port should be
          used instead. &merged;</para>

        <para><application>CVSup</application> has been updated to
          16.1_3, which is available in the &os; Ports Collection as
          <filename role="package">net/cvsup</filename>. This update
          fixes a long-standing (but only recently encountered) bug
          which affects the timestamps on all files after Sun Sep 9
          01:46:40 UTC 2001 (1,000,000,000 seconds after the UNIX
          epoch).
          &merged;</para>
      </sect4>

      <sect4 id="kame-userland">
        <title>KAME</title>

        <para>The IPv6 stack is now based on the
          KAME Project's IPv6 snapshot as of 28 May, 2001. Most of
          the items listed in this section are a result of this
          import.
          <xref linkend="kame-kernel"> lists kernel updates to the
          KAME IPv6 stack. &merged;</para>

        <para>&man.faithd.8; now supports a configuration file for
          access control. &merged;</para>

        <para>&man.ifconfig.8; can now perform the functions of
          &man.gifconfig.8;. &merged;</para>

        <para>&man.ifconfig.8; can now perform the functions of
          &man.prefix.8;. &man.prefix.8; is now a shell script for
          partial backwards compatibility. &merged;</para>

        <para>&man.ndp.8; now implements garbage collection for stale
          NDP entries, as described in RFC 2461 (Neighbor Discovery
          for IP Version 6 (IPv6)). &merged;</para>

        <para>&man.pim6dd.8; and &man.pim6sd.8; have been removed due
          to restrictive licensing conditions. These programs are
          available in the ports collection as
          <filename role="package">net/pim6dd</filename> and
          <filename role="package">net/pim6sd</filename>. &merged;</para>

        <para>&man.route6d.8; now supports an <option>-n</option> flag
          to avoid updating the kernel forwarding
          table. &merged;</para>

        <para>The <option>-R</option> (router renumbering) option to
          &man.rtadvd.8; is currently ignored. &merged;</para>
      </sect4>

      <sect4>
        <title>OpenSSH</title>

        <para><application>OpenSSH</application> has been updated to
          2.9, which provides support for the SSH2 protocol (now the
          default) and DSA keys. &man.ssh-add.1; and
          &man.ssh-agent.1; can now handle DSA keys, with support for
          authentication forwarding.
          <application>OpenSSH</application> users in the USA no
          longer need to rely on the restrictively-licensed RSAREF
          toolkit which is required to handle RSA keys. Among other
          new features: A client and server for &man.sftp.1; have been added.
          &man.scp.1; can now handle files larger than 2 GBytes. A
          limit on the number of outstanding, unauthenticated
          connections in &man.sshd.8; has been added. Support has
          been added for the Rijndael encryption algorithm. Rekeying
          of existing sessions is now supported, and an experimental
          <application>SOCKS4</application> proxy has been added to
          &man.ssh.1;. &merged;</para>

        <para><application>OpenSSH</application> has been updated to
          version 3.1. Among the changes:
          <itemizedlist>
            <listitem>
              <para>The <filename>*2</filename> files are obsolete
                (for example,
                <filename>~/.ssh/known_hosts</filename> can hold the
                contents of
                <filename>~/.ssh/known_hosts2</filename>).</para>
            </listitem>
            <listitem>
              <para>&man.ssh-keygen.1; can import and export keys using
                the SECSH Public Key File Format, for key exchange
                with several commercial SSH implementations.</para>
            </listitem>
            <listitem>
              <para>&man.ssh-add.1; now adds all three default keys.</para>
            </listitem>
            <listitem>
              <para>&man.ssh-keygen.1; no longer defaults to a
                specific key type; one must be specified with the
                <option>-t</option> option.</para>
            </listitem>
          </itemizedlist>
        </para>

        <para><application>OpenSSH</application> can now authenticate
          using <application>OPIE</application> passwords.</para>

        <para><application>PAM</application> support for
          <application>OpenSSH</application> has been added.</para>

        <para>A long-standing bug in
          <application>OpenSSH</application>, which sometimes resulted
          in a dropped session when an X11-forwarded client was
          closed, was
          fixed.</para>

        <para><application>Kerberos</application> compatibility has
          been added to
          <application>OpenSSH</application>. &merged;</para>

        <para><application>OpenSSH</application> has been modified to
          be more resistant to traffic analysis by requiring that
          <quote>non-echoed</quote> characters are still echoed back
          in a null packet, as well as by padding passwords sent so as
          not to hint at password lengths. &merged;</para>

        <para>&man.sshd.8; is now enabled by default on new
          installs. &merged;</para>

        <para>&man.sshd.8; <literal>X11Forwarding</literal> is now
          turned on by default on the server (any risk is to the
          client, where it is already disabled by
          default). &merged;</para>

        <para>In <filename>/etc/ssh/sshd_config</filename>, the
          <literal>ConnectionsPerPeriod</literal> parameter has been
          deprecated in favor of
          <literal>MaxStartups</literal>. &merged;</para>

        <para><application>OpenSSH</application> now has a
          <literal>VersionAddendum</literal> configuration setting for
          &man.sshd.8; to allow changing the part of the
          <application>OpenSSH</application> version string after the
          main version number. &merged;</para>
      </sect4>

      <sect4>
        <title>OpenSSL</title>

        <para><application>OpenSSL</application> has been updated to
          0.9.6c.</para>

        <para><application>OpenSSL</application> now has support for
          machine-dependent ASM optimizations, activated by the new
          <varname>MACHINE_CPU</varname> and/or
          <varname>CPUTYPE</varname>
          <filename>make.conf</filename> variables. &merged;</para>
      </sect4>

      <sect4>
        <title>sendmail</title>

        <para><application>sendmail</application> has been updated
          from version 8.9.3 to version 8.12.3.
          Important changes
          include: &man.sendmail.8; is no longer installed as a
          set-user-ID root binary (now set-group-ID smmsp); new
          default file locations (see
          <filename>/usr/src/contrib/sendmail/cf/README</filename>);
          &man.newaliases.1; is limited to <username>root</username>
          and trusted users; STARTTLS encryption; and the MSA port
          (587) is turned on by default. See
          <filename>/usr/src/contrib/sendmail/RELEASE_NOTES</filename>
          for more information. &merged;</para>

        <para>&man.mail.local.8; is no longer installed as a
          set-user-ID binary. If you are using a
          <filename>/etc/mail/sendmail.cf</filename> from the default
          <filename>sendmail.cf</filename> included with &os; any time
          after 3.1.0, you are fine. If you are using a
          hand-configured <filename>sendmail.cf</filename> and
          <command>mail.local</command> for delivery, check to make sure the
          <literal>F=S</literal> flag is set on the
          <literal>Mlocal</literal> line. Those with
          <filename>.mc</filename> files who need to add the flag can
          do so by adding the following line to their
          <filename>.mc</filename> file and regenerating the
          <filename>sendmail.cf</filename> file:</para>

        <programlisting>MODIFY_MAILER_FLAGS(`LOCAL',`+S')dnl</programlisting>

        <para>Note that <literal>FEATURE(`local_lmtp')</literal> already
          does this. &merged;</para>

        <para>The default <filename>/etc/mail/sendmail.cf</filename>
          disables the SMTP <literal>EXPN</literal> and
          <literal>VRFY</literal> commands. &merged;</para>

        <para>&man.vacation.1; has been updated to use the version
          included with <application>sendmail</application>. &merged;</para>

        <para>The <application>sendmail</application> configuration
          building tools are installed in
          <filename>/usr/share/sendmail/cf/</filename>.
          &merged;</para>

        <para>New <filename>make.conf</filename> options:
          <varname>SENDMAIL_MC</varname> and
          <varname>SENDMAIL_ADDITIONAL_MC</varname>. See
          <filename>/usr/share/examples/etc/make.conf</filename> for more
          information. &merged;</para>

        <para><filename>/etc/mail/Makefile</filename> now supports:
          the new <varname>SENDMAIL_MC</varname>
          <filename>make.conf</filename> option; the ability to build
          <filename>.cf</filename> files from
          <filename>.mc</filename> files; generalized map rebuilding;
          rebuilding the aliases file; and the ability to stop, start,
          and restart
          <application>sendmail</application>. &merged;</para>

        <para>The <username>smmsp</username> and
          <username>mailnull</username> users have been added to
          <filename>/etc/master.passwd</filename>. In the absence of a
          <literal>confDEF_USER_ID</literal> setting, by default,
          <application>sendmail</application> will use the
          <username>mailnull</username> user for extra security.
          Previously, if the <username>mailnull</username> user did
          not exist, the <username>daemon</username> user was used.
          This change may generate some permissions issues when
          mailing to files or to programs (such as <filename
          role="package">mail/majordomo</filename>). &merged; The
          previous behavior can be restored by adding the following
          line to a system's
          <filename><replaceable>*</replaceable>.mc</filename>
          configuration file:

          <programlisting>define(`confDEF_USER_ID', `daemon')</programlisting>
        </para>

        <para>Beginning with the import of
          <application>sendmail</application> 8.12.2, multiple
          <application>sendmail</application> daemons (some required
          to handle outgoing mail) are started by &man.rc.8;, even if
          the <varname>sendmail_enable</varname> variable is set to
          <literal>NO</literal>.
          To completely disable
          <application>sendmail</application>,
          <varname>sendmail_enable</varname> must be set to
          <literal>NONE</literal>. Alternatively, for systems using a
          different MTA, the <varname>mta_start_script</varname> can
          be used to point to a different startup script (more details
          can be found in &man.rc.sendmail.8;). &merged;</para>

        <para>By default, &man.rc.8; no longer enables
          <application>sendmail</application> for inbound SMTP
          connections. Note that &man.sysinstall.8; may override this
          default for a binary installation, based on what security
          profile is selected. This functionality can also be
          manually enabled by adding the following line to
          <filename>/etc/rc.conf</filename>:</para>

        <programlisting>sendmail_enable="YES"</programlisting>

        <para>The permissions for <application>sendmail</application>
          alias and map databases built via
          <filename>/etc/mail/Makefile</filename> now default to mode
          0640 to protect against a file locking local denial of service.
          It can be changed by setting the new
          <varname>SENDMAIL_MAP_PERMS</varname>
          <filename>make.conf</filename> option. &merged;</para>

        <para>The permissions for the <application>sendmail</application>
          statistics file, <filename>/var/log/sendmail.st</filename>, have
          been changed from mode 0644 to mode 0640 to protect against
          a file locking local denial of service. &merged;</para>

      </sect4>
    </sect3>

    <sect3>
      <title>Ports/Packages Collection Infrastructure</title>

      <para><application>BSDPAN</application>, a collection of modules
        that provides tighter integration of
        <application>Perl</application> into the &os; Ports
        Collection, has been added.</para>

      <para>&man.pkg.create.1; and &man.pkg.add.1; can now work with
        packages that have been compressed using
        &man.bzip2.1;.
        &man.pkg.add.1; will use the PACKAGEROOT
        environment variable to determine a mirror site for new
        packages. &merged;</para>

      <para>&man.pkg.create.1; now records dependencies in dependency
        order rather than in the order specified on the command line.
        This improves the functioning of <command>pkg_add
        -r</command>. &merged;</para>

      <para>&man.pkg.create.1; now supports a <option>-b</option> option to
        create a package file from a locally-installed
        package. &merged;</para>

      <para>When requested to delete multiple packages,
        &man.pkg.delete.1; will now attempt to remove them in
        dependency order rather than the order specified on the
        command line. &merged;</para>

      <para>&man.pkg.delete.1; now can perform glob/regexp matching of
        package names. In addition, it supports a <option>-a</option>
        option for removing all packages and a <option>-i</option>
        option for &man.rm.1;-style interactive
        confirmation. &merged;</para>

      <para>&man.pkg.delete.1; now supports a <option>-r</option>
        option for recursive package removal. &merged;</para>

      <para>&man.pkg.info.1; now supports globbing against names of
        installed packages. The <option>-G</option> option disables
        this behavior, and the <option>-x</option> option causes
        regular expression matching instead of shell
        globbing. &merged;</para>

      <para>&man.pkg.info.1; can now accept a <option>-g</option> flag
        for verifying an installed package against its recorded
        checksums (to see if it's been modified post-installation).
        Naturally, this mechanism is only as secure as the contents of
        <filename>/var/db/pkg</filename> if it's to be used for auditing
        purposes. &merged;</para>

      <para>&man.pkg.sign.1; and &man.pkg.check.1; have been added to
        digitally sign and verify the signatures on binary package
        files.
        &merged;</para>

      <para>For some time, &os; 5.0-CURRENT (as well as some 4.X
        releases) included a pkg_update(1) utility to update installed
        packages, as well as their dependencies. This utility has
        been removed; a superset of its functionality can be found in
        the <filename role="package">sysutils/portupgrade</filename>
        port.</para>

      <para>&man.pkg.version.1; now has a version number comparison
        routine that corresponds to the Porters Handbook. It also has
        a <option>-t</option> option for testing address comparisons.
        &merged;</para>

      <para>&man.pkg.version.1; now takes a <option>-s</option> flag
        to limit its operation to ports/packages matching a given
        string. &merged;</para>

      <para>Version numbers of installed packages have a new
        (backward-compatible) syntax, which supports the
        <varname>PORTREVISION</varname> and
        <varname>PORTEPOCH</varname> variables in Ports Collection
        <filename>Makefile</filename>s. These changes help keep track
        of changes in the ports collection entries such as security
        patches or &os;-specific updates, which aren't reflected in
        the original, third-party software distributions.
        &man.pkg.version.1; can now compare these new-style version
        numbers. &merged;</para>

      <para>To improve performance and disk utilization, the
        <quote>ports skeletons</quote> in the &os; Ports Collection
        have been restructured. Installed ports and packages should
        not be affected. &merged;</para>

      <para>All packages and ports now contain an
        <quote>origin</quote> directive, which makes it easier for
        programs such as &man.pkg.version.1; to determine the
        directory from which a package was built.
        &merged;</para>

      <para>The Ports Collection infrastructure now uses
        <application>XFree86</application> 4.2.0 as the default version
        of the X Window System for the purposes of satisfying
        dependencies.  To return to using
        <application>XFree86</application> 3.3.6, add the following line
        to <filename>/etc/make.conf</filename>:  &merged;</para>

      <programlisting>XFREE86_VERSION=3</programlisting>

    </sect3>
  </sect2>

  <sect2>
    <title>Release Engineering and Integration</title>

    <para>The <filename>bin</filename> distribution has been renamed
      <filename>base</filename>, in order to make creation of combined
      install/recovery disks easier.</para>

    <para arch="i386">ISO images and CDROMs now use the
      <filename>cdboot</filename> boot loader by default.  This
      eliminates the need for an emulated floppy disk image on
      a bootable CDROM and allows for a full
      <filename>GENERIC</filename> kernel to be used for CDROM
      installations, at the expense of compatibility with some old
      BIOSs.</para>

    <para arch="i386,alpha"><application>XFree86</application> 4.2.0
      is now the default version of the X Window System supported by
      &man.sysinstall.8;.  It installs
      <application>XFree86</application> as a set of standard binary
      packages, so the usual package utilities such as
      &man.pkg.info.1; can be used to examine/manipulate its
      components.  &merged;</para>

    <para>It is now possible to make releases of &os;
      &release.current; on a &os; 4-STABLE host.  Cross-architecture
      (building a release for a target architecture on a host of a
      different architecture) releases are also possible.
      See &man.release.7; for details.</para>

  </sect2>
</sect1>

<sect1>
  <title>Upgrading from previous releases of &os;</title>

  <para>If you're upgrading from a previous release of &os;, you
    generally will have three options:

    <itemizedlist>
      <listitem>
        <para>Using the binary upgrade option of &man.sysinstall.8;.
          This option is perhaps the quickest, although it presumes
          that your installation of &os; uses no special compilation
          options.</para>
      </listitem>
      <listitem>
        <para>Performing a complete reinstall of &os;.  Technically,
          this is not an upgrading method, and in any case is usually less
          convenient than a binary upgrade, in that it requires you to
          manually back up and restore the contents of
          <filename>/etc</filename>.  However, it may be useful in
          cases where you want (or need) to change the partitioning of
          your disks.</para>
      </listitem>
      <listitem>
        <para>From source code in <filename>/usr/src</filename>.  This
          route is more flexible, but requires more disk space, time,
          and more technical expertise.  Upgrading from very old
          versions of &os; may be problematic; in cases like this, it
          is usually more effective to perform a binary upgrade or a
          complete reinstall.</para>
      </listitem>
    </itemizedlist>
  </para>

  <para>Please read the <filename>INSTALL.TXT</filename> file for more
    information, preferably <emphasis>before</emphasis> beginning an
    upgrade.  If you are upgrading from source, please be sure to read
    <filename>/usr/src/UPDATING</filename> as well.</para>

  <para>Finally, if you want to use one of various means to track the
    -STABLE or -CURRENT branches of &os;, please be sure to consult
    the <ulink
    url="http://www.FreeBSD.org/handbook/current-stable.html"><quote>-CURRENT
    vs.
    -STABLE</quote></ulink> section of the <ulink
    url="http://www.FreeBSD.org/handbook/">FreeBSD
    Handbook</ulink>.</para>

  <important>
    <para>Upgrading &os; should, of course, only be attempted after
      backing up <emphasis>all</emphasis> data and configuration
      files.</para>
  </important>
</sect1>