2 <title>&os;/&arch; &release.current; Release Notes</title>
4 <corpauthor>The FreeBSD Project</corpauthor>
6 <pubdate>$FreeBSD$</pubdate>
11 <holder role="mailto:doc@FreeBSD.org">The FreeBSD Documentation Project</holder>
15 <para>The release notes for &os; &release.current; contain a summary
16 of the changes made in the &os; base system since &release.prev;.
17 Both changes for kernel and userland are listed, as well as
18 applicable security advisories that were issued since the last
19 release. Some brief remarks on upgrading are also presented.</para>
24 <title>Introduction</title>
26 <para>This document contains the release notes for &os; &release.current; on
27 the &arch.print; hardware platform. It describes new features of &os;
28 that have been added (or changed) since &release.prev;. It also
29 provides some notes on upgrading from previous versions of &os;.</para>
31 <![ %release.type.snapshot [
33 <para>The &release.type; distribution to which these release notes
34 apply represents a point along the &release.branch; development
35 branch between &release.prev; and the future &release.next;. Some pre-built,
36 binary &release.type; distributions along this branch can be found
37 at <ulink url="&release.url;"></ulink>.</para>
41 <![ %release.type.release [
43 <para>This distribution of &os; &release.current; is a &release.type;
44 distribution. It can be found at <ulink
45 url="&release.url;"></ulink> or any of its mirrors. More
46 information on obtaining this (or other) &release.type; distributions of
47 &os; can be found in the <ulink
48 url="http://www.FreeBSD.org/handbook/mirrors.html"><quote>Obtaining
49 FreeBSD</quote> appendix</ulink> to the <ulink
50 url="http://www.FreeBSD.org/handbook/">FreeBSD Handbook</ulink>.</para>
56 <title>What's New</title>
58 <para>This section describes the most user-visible new or changed
59 features in &os; since &release.prev;. Typical release note items
60 document new drivers or hardware support, new commands or options,
61 major bugfixes, or contributed software upgrades. Security
62 advisories issued after &release.prev; are also listed. In general, changes
63 described here are unique to the &release.branch; branch unless
64 specifically marked as &merged; features.</para>
66 <para>Many additional changes were made to &os; that are not listed
67 here for lack of space. For example, documentation was corrected
68 and improved, minor bugs were fixed, insecure coding practices were
69 audited and corrected, and source code was cleaned up.</para>
72 <title>Kernel Changes</title>
74 <para>The &man.kqueue.2; event notification facility was added to
75 the &os; kernel. This is a new interface which is able to
76 replace &man.poll.2;/&man.select.2;, offering improved performance,
77 as well as the ability to report many different types of events.
78 Support for monitoring changes in sockets, pipes, fifos, and files
79 are present, as well as for signals and processes. &merged;</para>
81 <para arch="i386">Support for Intel's Wired for Management 2.0 (PXE)
82 was added to the &os; boot loader. Due to API differences, the
83 older PXE versions are not supported. This allow network booting
84 using DHCP. &merged;</para>
86 <para arch="i386">The &os; boot loader now contains a workaround
87 to support CDROM booting on certain IBM BIOSs that expect the
88 first sector of the emulated floppy to contain a valid MS-DOS BPB
89 that they can modify. &merged;</para>
91 <para>Support for USB devices was added to the
92 <filename>GENERIC</filename> kernel and to the installation
93 programs to support USB devices out of the box. Note that SRM
94 does not support USB devices at the moment, so you must still use
95 an AT keyboard if you are not using a serial console. &merged;</para>
97 <para>POSIX.1b Shared Memory Objects are now supported. The
98 implementation uses regular files, but automatically enables the
99 MAP_NOSYNC flag when they are &man.mmap.2;-ed. &merged;</para>
101 <para>The &man.agp.4; driver for AGP devices has been added. &merged;</para>
103 <para>The kernel and modules have been moved to the directory
104 <filename>/boot/kernel</filename>, so they can be easily
105 manipulated together. The boot loader has been updated to make
106 this change as seamless as possible.</para>
108 <para arch="i386">The i386 boot loader now has support for a
109 <literal>nullconsole</literal>
110 console type, for use on systems with neither a video console nor
111 a serial port. &merged;</para>
113 <para>Replaced the <literal>PQ_*CACHE</literal> options with a
114 single <literal>PQ_CACHESIZE</literal> option to be set to
115 the cache size in kilobytes. The old options are still supported
116 for backwards compatibility. &merged;</para>
118 <para arch="i386">The <literal>NCPU</literal>, <literal>NAPIC</literal>,
119 <literal>NBUS</literal>, and <literal>NINTR</literal> kernel
120 configuration options, for configuring SMP kernels, have been
121 removed. <literal>NCPU</literal> is now set to a maximum of 16,
122 and the other, aforementioned options are now
123 dynamic. &merged;</para>
125 <para>&man.devfs.5;, which allows entries in the
126 <filename>/dev</filename> directory to be built automatically and
127 supports more flexible attachment of devices, has been largely
128 reworked. &man.devfs.5; is now enabled by default and can be
129 disabled by the <literal>NODEVFS</literal> kernel option.</para>
131 <para>Write combining for crashdumps has been implemented. This
132 feature is useful when write caching is disabled on both SCSI and
133 IDE disks, where large memory dumps could take up to an hour to
134 complete. &merged;</para>
136 <para>Extremely large swap areas (>67 GB) no longer panic the
139 <para arch="i386">The &man.ichsmb.4; driver for the Intel 82801AA
140 (ICH) SMBus controller and compatibles has been
141 added. &merged;</para>
143 <para arch="i386">The &man.uscanner.4; driver for basic USB scanner support
144 using SANE has been added. See <ulink
145 url="http://www.mostang.com/sane/">the SANE home page</ulink> for
146 supported scanners. The HP ScanJet 4100C, 5200C and 6300C are
147 known to be working.</para>
149 <para arch="i386">The umodem driver for USB modems has been added.
150 Support is provided for the 3Com 5605 and Metricom Ricochet GS
151 wireless USB modems.</para>
153 <para arch="alpha">Support for threads under Linux emulation has been
156 <para>A number of cleanups and enhancements have been applied to
158 <filename>/usr/share/misc/pci_vendors</filename> now contains a
159 vendor/device database, which can be used by
160 &man.pciconf.8;.</para>
162 <para arch="i386">The &man.spic.4; driver, which provides access to the jog
163 dial device on some Sony laptops, has been added.</para>
165 <para arch="i386">PECOFF (Win32 Execution file format) support has been
168 <para>A VESA S3 linear framebuffer driver has been added.</para>
170 <para>The <maketarget>buildkernel</maketarget> target now gets the
171 name of the configuration(s) to build from the
172 <varname>KERNCONF</varname> variable, not
173 <varname>KERNEL</varname>. It is no longer required, in some
174 cases, for a <maketarget>buildworld</maketarget> to precede a
175 <maketarget>buildkernel</maketarget>. (The
176 <maketarget>buildworld</maketarget> is still required when
177 upgrading across major releases, across
178 <application>binutil</application> updates and when &man.config.8;
179 changes version.) &merged;
182 <para>The &man.random.4; device has been rewritten to use the
183 <application>Yarrow</application> algorithm. It harvests entropy
184 from a variety of interrupt sources, including the console
185 devices, Ethernet and point-to-point network interfaces, and
186 mass-storage devices. Entropy from the &man.random.4; device is
187 now periodically saved to files in
188 <filename>/var/db/entropy</filename>, as well as at
189 shutdown time. The semantics of <filename>/dev/random</filename>
190 have changed; it never blocks waiting for entropy bits but
191 generates a stream of pseudo-random data and now behaves exactly
192 as <filename>/dev/urandom</filename>.</para>
194 <para>The &man.syscons.4; driver now supports keyboard-controlled
195 pasting, by default bound to
196 <keycap>Shift</keycap>-<keycap>Insert</keycap>.</para>
198 <para>The &man.labpc.4; driver has been removed due to
199 <quote>bitrot</quote>.</para>
201 <para>A new kernel option, <literal>options REGRESSION</literal>,
202 enables interfaces and functionality intended for use during
203 correctness and regression testing.</para>
205 <para>The <literal>USER_LDT</literal> kernel option is now
206 activated by default.</para>
208 <para>A new &man.ddb.4; command <command>show pcpu</command> lists
209 some of the per-CPU data.</para>
211 <para>A new digi driver has been added to support PCI Xr-based and ISA
212 Xem Digiboard cards. A new &man.digictl.8; program is (mainly) used to
213 re-initialize cards that have external port modules attached such as
216 <para>The dgm driver has been removed in favor of the digi driver.</para>
218 <para>The <literal>O_DIRECT</literal> flag has been added to
219 &man.open.2; and &man.fcntl.2;. Specifying this flag for open
220 files will attempt to minimize the cache effects of reading and
221 writing. &merged;</para>
223 <para>An &man.orm.4; device has been added to claim the option
224 ROMs in the ISA memory I/O space, to prevent other drivers from
225 mistakenly assigning addresses that conflict with these ROMs. &merged;</para>
227 <para>The out-of-swap process termination code now begins killing
228 processes earlier to avoid deadlocks; it now also takes into
229 account the swap space used by processes when computing the
230 process sizes. &merged;</para>
232 <para>Linker sets are now self-contained; &man.gensetdefs.8; is
233 unnecessary and has been removed.</para>
235 <para>Numerous SMP-friendly changes have been made to the kernel's
236 mbuf allocator.</para>
238 <para>Network device cloning has been implemented, and the &man.gif.4;
239 device has been modified to take advantage of it.
240 Thus, instead of specifying how many &man.gif.4; interfaces
241 are available in kernel configuration files, &man.ifconfig.8;'s
242 <option>create</option> option should be used when another device
243 instance is desired. &merged;</para>
245 <para>The kernel message buffer is now accessible by the
246 (machine-independent) <varname>kern.msgbuf</varname> sysctl
247 variable; &man.dmesg.8; no longer needs to be SGID
248 <groupname>kmem</groupname>.</para>
250 <para>Two new &man.ddb.4; commands, <command>hwatch</command> and
251 <command>dhwatch</command>, have been introduced. Analogous to
252 <command>watch</command> and <command>dwatch</command>, they install
253 hardware watchpoints (as opposed to software watchpoints) if supported
254 by the architecture. &merged;</para>
256 <para>A &man.nmdm.4; null-modem terminal driver has been added.
259 <para>The <varname>maxusers</varname> kernel configuration
260 parameter is now a boot-time tunable variable. The kernel
261 parameters derived from <varname>maxusers</varname> are now also
262 tunables and can be overridden at boot-time. The
263 <varname>hz</varname> parameter is also now a tunable. &merged;</para>
265 <para>It is now possible to hardwire kernel environment variables (such
266 as tuneables) at compile-time using &man.config.8;'s
267 <literal>ENV</literal> directive.</para>
269 <para>The loader and kernel linker now look for files named
270 <filename>linker.hints</filename> in each directory with KLDs for a
271 module name and version to KLD filename mapping. The new
272 &man.kldxref.8; utility is used to generate these files.</para>
274 <para>Idle zeroing of pages can be enabled with the
275 <varname>vm.zeroidle_enable</varname> sysctl variable.</para>
277 <para arch="i386">The load addresses of kernels has been exported to the
278 symbol table and various hard-coded constants removed so that
279 utilities such as &man.ps.1; can work with kernels compiled at
280 different addresses. &merged;</para>
282 <para arch="i386">A new <varname>KVA_SPACE</varname> kernel option
283 can be used to reconfigure the size of the kernel virtual address
284 space. &merged;</para>
286 <para>Coredumps of large processes (or of a large number of
287 processes) no longer lock up the machine for long periods of
288 time. &merged;</para>
290 <para>Each &man.jail.2; environment can now run under its own
293 <para arch="alpha">A <varname>MAXMEM</varname> kernel option,
294 along with the <varname>hw.physmem</varname> environment, can be
295 used to artificially reduce the memory size of a machine for
296 testing (or other purposes). &merged;</para>
298 <para>An &man.eaccess.2; system call has been added, similar to
299 &man.access.2; except that the former uses effective credentials
300 rather than real credentials.</para>
302 <para arch="i386">The &man.amdpm.4; driver has been added to
303 provide access to the system monitoring functions of the AMD 756
304 chipset. &merged;</para>
306 <para>The kernel is now aware of the concept that there are
307 smaller units of scheduling than a process (but only one thread
308 per process is allowed at this time).</para>
310 <para arch="i386">The &man.loader.8; now has optional support
311 (enabled at compile-time, off by default) for loading
312 <application>bzip2</application>-compressed kernels and
313 modules. &merged;</para>
315 <para>The kernel now has support for multiple low-level console
316 devices. The new &man.conscontrol.8; utility helps to manage the
317 different consoles.</para>
319 <para arch="alpha">The console driver has gained support for TGA-based
320 display adapters.</para>
322 <para arch="i386">A new cdboot bootstrap utility for CDROMs provides
323 better compatability with some BIOS implementations that do not
324 completely implement the El Torito bootable CDROM standard.</para>
326 <para arch="i386">The pmc driver, which supports the power
327 management controller of the NEC PC-98NOTE, has been
328 added. &merged;</para>
330 <para>The kernel configuration parameters
331 <varname>MAXTSIZ</varname>, <varname>DFLDSIZ</varname>,
332 <varname>MAXDSIZ</varname>, <varname>DFLSSIZ</varname>,
333 <varname>MAXSSIZ</varname>, and <varname>SGROWSIZ</varname> are
334 all loader tunables. &merged;</para>
336 <para>The system load average computation now adds some jitter to
337 the timing of samples, in order to avoid synchronization with
338 processes that run periodically. &merged;</para>
340 <para>Linux emulation now supports the kernel functionality
342 <port>emulators/linux_base-7</port> (RedHat 7.X emulation)
343 port. &merged;</para>
345 <para>If a debugging kernel with modules is being built
346 (i.e. using <literal>makeoptions DEBUG=-g</literal>), the modules
347 will now be built with debugging support as well, for
348 completeness. A side effect of this change is that modules built
349 and installed with debugging kernels will now occupy more space on
350 disk than they did previously. &merged;</para>
352 <para>&man.lomac.4;, a Low-Watermark Mandatory Access Control
353 security facility, has been added as a kernel module. It provides
354 a drop-in security mechanism in addition to the traditional
355 UID-based security facilities, requiring no additional
356 configuration from the administrator. Work on this feature was
357 sponsored by DARPA and NAI Labs.</para>
360 <title>Processor/Motherboard Support</title>
362 <para>SMP support has been largely reworked, incorporating code
363 from BSD/OS 5.0. One of the main features of SMPng (<quote>SMP
364 Next Generation</quote>) is to allow more processes to run in
365 kernel, without the need for spin locks that can dramatically
366 reduce the efficiency of multiple processors. Interrupt
367 handlers now have contexts associated with them that allow them
368 to be blocked, which reduces the need to lock out
371 <para arch="i386">Support for the 80386 processor has been
372 removed from the <filename>GENERIC</filename> kernel, as this
373 code seriously pessimizes performance on other IA32
376 <para arch="i386">The <literal>I386_CPU</literal> kernel option
377 to support the 80386 processor is now mutually exclusive with
378 support for other IA32 processors; this should slightly improve
379 performance on the 80386 due to the elimination of runtime
380 processor type checks.</para>
382 <para arch="i386">Custom kernels that will run on the 80386 can
383 still be built by changing the cpu options in the kernel
384 configuration file to only include
385 <literal>I386_CPU</literal>.</para>
387 <para arch="alpha">AlphaServer 1200 (<quote>Tincup</quote>) has
388 been tested and works OK. Currently it does not want to boot
389 from CD or floppy but a transplanted disk that was installed on
390 another Alpha works well. &merged;</para>
392 <para arch="alpha">The API UP1100 mainboard has been verified to work.</para>
394 <para arch="alpha">The API CS20 1U high server has been verified to work.</para>
396 <para arch="alpha">The DEC3000 series support has been removed from the mfsroot
397 floppy image so that it fits on a 1.44 Mbyte floppy again. As the
398 DEC3000 is currently only usable diskless this should not cause
401 <para arch="alpha">Support for AlphaServer 2100A (<quote>Lynx</quote>) has been
404 <para arch="alpha">Kernel code has been added that allows older generation Alpha CPUs
405 (EV4 and EV5) to emulate instructions of the newer Alpha CPU
406 generations. This enables the use of binary-only programs like <application>Adobe
407 Acrobat 4</application> on EV4 and EV5.</para>
409 <para arch="alpha">SMP support for the Alpha is now operational.</para>
411 <para arch="i386">Detection for new processors, such as the
412 FC-PGA2 Pentium III (Tualatin), Transmeta Crusoe, and Transmeta
413 Crusoe LongRun, has been added. &merged;</para>
415 <para arch="alpha">Support for the following hardware has been removed
416 from the installation kernel to make it fit on a 1.44MB floppy again:
417 Multia, NoName, PC64, EB64, Aspen Alpine, sa (SCSI tape), amr, parallel
418 port support, vx (3c590, 3c595), pcn (AMD Am79C97x PCI 10/100),
419 sf (Adaptec AIC-6915), sis (SiS 900/SiS 7016), ste (Sundance ST201
420 (D-Link DFE-550TX)), wb (Winbond W89C840F).</para>
422 <para arch="i386">Support for Streaming <acronym>SIMD</acronym>
423 Extensions (<acronym>SSE</acronym>) has been introduced. The
424 <literal>CPU_ENABLE_SSE</literal> kernel option controls whether
425 support is compiled into the kernel. &merged;</para>
429 <title>Network Interface Support</title>
431 <para>The &man.an.4; driver for Cisco Aironet cards now supports
432 Wired Equivalent Privacy (WEP) encryption, settable via
433 &man.ancontrol.8;. &merged;</para>
435 <para>The &man.an.4; driver now supports the Cisco Aironet 350
436 series of adaptors. &merged;</para>
438 <para>The &man.an.4; driver now supports <quote>monitor</quote>
439 mode, settable via the <option>-M</option> option to
440 &man.ancontrol.8;. &merged;</para>
442 <para arch="i386">The &man.bge.4; driver has been added to
443 support the Broadcom BCM570x family of Gigabit Ethernet
444 controllers, including the 3Com 3c996-T, the SysKonnect SK-9D21
445 and SK-9D41, and the built-in Gigabit Ethernet NICs on Dell
446 PowerEdge 2550 servers. TCP/IP checksum offload, jumbo frames
447 and VLAN tag insertion/stripping are supported, as well as
448 interrupt moderation. &merged;</para>
450 <para>The &man.de.4; driver now performs round-robin arbitration
451 between transmit and receive unit of the 21143, instead of
452 giving priority to the receive unit. This gives a 10–15%
453 performance improvement in the forwarding rate under heavy
454 load. &merged;</para>
456 <para arch="alpha">The &man.ed.4; driver is now supported.</para>
458 <para arch="i386">Linksys Fast Ethernet PCCARD cards supported by the
459 &man.ed.4; driver now require the addition of flag
460 <literal>0x80000</literal> to their config line in
461 &man.pccard.conf.5;. This flag is not optional. These Linksys
462 cards will not be recognized without it. &merged;</para>
464 <para>A bug in the &man.ed.4; driver that could cause panics with
465 very short packets and BPF or bridging active has been
466 fixed. &merged;</para>
468 <para>The &man.ed.4; driver now has support for D-Link
469 DL10022 chips, necessary for the NetGear FA-410TX and other
470 cards. As a result, <literal>device miibus</literal> is
471 required in kernel configurations using the &man.ed.4;
472 driver. &merged;</para>
474 <para arch="i386">The &man.el.4; driver can now be loaded as a
477 <para>The &man.faith.4; device is now loadable, unloadable, and
480 <para arch="i386">Support for Fujitsu MB86960A/MB86965A based Ethernet
481 PC-Cards has been added back in the &man.fe.4; driver. &merged;</para>
483 <para arch="alpha">The &man.fpa.4; driver now supports Digital's
484 DEFPA FDDI adaptors on the Alpha.</para>
486 <para>The &man.fxp.4; driver now requires a <literal>device
487 miibus</literal> entry in the kernel configuration file. &merged;</para>
489 <para>The &man.fxp.4; driver now contains a workaround for
490 PCI protocol violations caused by defects in some systems based
491 on the Intel ICH2/ICH2-M chip. The workaround is to rewrite the
492 EEPROM on the interface to disable Dynamic Standby Mode; once
493 the EEPROM is rewritten, the system needs to be rebooted for the
494 new settings to take effect. &merged;</para>
496 <para>The &man.fxp.4; driver now supports Intel's loadable
497 microcode to implement receive-side interrupt coalescing and
498 packet bundling, on NICs that support these features. This
499 support can be activated by the use of the
500 <option>link0</option> option to &man.ifconfig.8;. &merged;</para>
502 <para>The &man.gx.4; driver has been added to support NICs based
503 on the Intel 82542 and 82543 Gigabit Ethernet controller chips.
504 Both fiber and copper variants of the cards are supported. Both
505 boards support VLAN tagging/insertion, and the 82543 additionally
506 supports TCP/IP checksum offload. &merged;</para>
508 <para>The &man.lge.4; driver has been added to support the Level
509 1 LXT1001 NetCellerator Gigabit Ethernet controller chip. This
510 device is used on some fiber optic GigE cards from SMC, D-Link
511 and Addtron. Jumbograms and TCP/IP checksum offload on receive
512 are supported, although hardware VLAN filtering is not. &merged;</para>
514 <para>Added the &man.nge.4; driver, which supports PCI Gigabit
515 Ethernet adapters based on the National Semiconductor DP83820
516 and DP83821 Gigabit Ethernet controller chips, including the
517 D-Link DGE-500T, SMC EZ Card 1000 (SMC9462TX), Asante
518 FriendlyNet GigaNIC 1000TA and 1000TPC and Addtron
519 AEG320T. This driver supports transmit and receive checksum
520 offloading. &merged;</para>
522 <para>The &man.pcn.4; driver, which supports the AMD PCnet/FAST,
523 PCnet/FAST+, PCnet/FAST III, PCnet/PRO, PCnet/Home, and HomePNA
524 adapters, has been added. Although these cards are already
525 supported by the &man.lnc.4; driver, the &man.pcn.4; driver runs
526 these chips in 32-bit mode and uses the RX alignment feature to
527 achieve zero-copy receive. This driver is also
528 machine-independent, so it will work on both the i386 and Alpha
529 platforms. The &man.lnc.4; driver is still needed to support non-PCI
530 cards. &merged;</para>
532 <para>The &man.ray.4; driver, which supports the Webgear Aviator
533 wireless network cards, has been committed. The operation of
534 &man.ray.4; interfaces can be modified by
535 &man.raycontrol.8;. &merged;</para>
537 <para arch="i386">The sbni driver, for supporting the Granch
538 SBNI12 series of ISA and PCI point-to-point communications
539 interfaces, has been added.</para>
541 <para>Added support for PCI Ethernet adapters based on the
542 National Semiconductor DP83815 chipset, including the NetGear
543 FA311-TX and FA312-TX, in the form of the &man.sis.4; driver.</para>
545 <para arch="i386">The snc driver for the National Semiconductor
546 DP8393X (SONIC) Ethernet controller has been added. Currently,
547 this driver is only used on the PC-98 architecture. &merged;</para>
549 <para>The &man.stf.4; device is now clonable.</para>
551 <para>The &man.tap.4; driver, a virtual Ethernet device driver for
552 bridged configurations, has been added. This device is
553 clonable. &merged;</para>
555 <para>The &man.ti.4; driver now supports the Alteon AceNIC
556 1000baseT Gigabit Ethernet and Netgear GA620T 1000baseT Gigabit
557 cards. &merged;</para>
559 <para>The &man.ti.4; driver correctly masks VLAN tags. &merged;</para>
561 <para>The &man.txp.4; driver has been added to support NICs
562 based on the 3Com 3XP Typhoon/Sidewinder (3CR990) chipset. &merged;</para>
564 <para>The &man.vlan.4; device is now loadable, unloadable, and
567 <para>The &man.xl.4; driver now supports the 3Com 3C556 and 3C556B
568 MiniPCI adapters used on some laptops. &merged;</para>
570 <para>The &man.xl.4; driver now supports reception of VLAN
571 tagged frames (on the <quote>Cyclone</quote> or newer
572 chipsets). &merged;</para>
574 <para>The &man.xl.4; driver now supports send- and receive-side TCP/IP
575 checksum offloading for NICs implementing this feature, such as
576 the 3C905B, 3C905C, and 3C980C. &merged;</para>
578 <para>The per-interface <varname>ifnet</varname> structure now
579 has the ability to indicate a set of capabilities supported by a
580 network interface, and which ones are enabled. &man.ifconfig.8;
581 has support for querying these capabilities.</para>
583 <para>Performance with hosts having a large number of IP aliases
584 has been improved, by replacing the per-interface
585 <varname>if_inaddr</varname> linear list with a hash table.</para>
587 <para>Network devices now automatically appear as special files in
588 <filename>/dev/net</filename>. Interface hardware ioctls (not
589 protocol or routing) can be performed on these devices. The
590 <varname>SIOCGIFCONF</varname> ioctl may be performed on the
591 special <filename>/dev/network</filename> node.</para>
595 <title>Network Protocols</title>
597 <para>&man.accept.filter.9;, a kernel feature to reduce overheads
598 when accepting and reading new connections on listening sockets,
599 has been added. &merged;</para>
601 <para>The <literal>proxy</literal> modifier to &man.arp.8;'s
602 <option>-d</option> option has been renamed to
603 <literal>pub</literal>, for consistency with the
604 <option>-s</option> option. The <literal>only</literal> keyword
605 has been added to the <option>-s</option> and
606 <option>-S</option> flags, to be used in creating
607 <quote>proxy-only</quote> published entries.</para>
609 <para>&man.bridge.4; and &man.dummynet.4; have received some
610 enhancements and bug fixes, and are now loadable
611 modules. &merged;</para>
613 <para>ICMP ECHO and TSTAMP replies are now rate limited. TCP RSTs
614 generated due to packets sent to open and unopen ports are now
615 limited by separate counters. Each rate limiting queue now has
616 its own description.</para>
618 <para>ICMP <literal>UNREACH_FILTER_PROHIB</literal> messages can
619 now RST TCP connections in the <literal>SYN_SENT</literal> state
620 if the correct sequence numbers are sent back, as controlled by the
621 <varname>net.inet.tcp.icmp_may_rst</varname>
624 <para>IP multicast now works on VLAN devices. Several other
625 bugs in the VLAN code have also been fixed.</para>
626 <para>&man.ipfw.4; now filters correctly in the presence of ECN bits in TCP
627 segments. &merged;</para>
629 <para>&man.netgraph.4; has received some updates and bugfixes.</para>
631 <para>A new &man.ng.eth.4; netgraph node allows Ethernet type
632 packets to be filtered to different hooks depending on
635 <para>The &man.ng.gif.4; and &man.ng.gif.demux.4; netgraph
636 nodes, for operating on &man.gif.4; devices, have been
639 <para>The &man.ng.ip.input.4; netgraph node, for queueing IP
640 packets into the main IP input processing code, has been
643 <para>The &man.ng.mppc.4; and &man.ng.bridge.4; node types have
644 been added to the &man.netgraph.4; subsystem. The &man.ng.ether.4; node
645 is now dynamically loadable. Miscellaneous bug fixes and
646 enhancements have also been made. &merged;</para>
648 <para>A new netgraph node type &man.ng.one2many.4; for multiplexing
649 and demultiplexing packets over multiple links has been added.
652 <para>A new sysctl <varname>net.inet.ip.check_interface</varname>,
653 which is on by default, causes IP to verify that an incoming
654 packet arrives on an interface that has an address matching the
655 packet's destination address. &merged;</para>
658 <varname>net.link.ether.inet.log_arp_wrong_iface</varname> has
659 been added to control the suppression of logging when ARP replies
660 arrive on the wrong interface. &merged;</para>
662 <para>A new <literal>options RANDOM_IP_ID</literal> kernel
663 option causes the ID field of IP packets to be randomized. This
664 closes a minor information leak which allows a remote observer
665 to determine the rate at which the machine is generating
666 packets, since the default behavior is to increment a counter
667 for each packet sent. &merged;</para>
669 <para arch="alpha">SLIP has been removed from the
670 <filename>mfsroot</filename> floppy image.</para>
672 <para>TCP has received some bug fixes for its delayed ACK
673 behavior. &merged;</para>
675 <para>TCP now supports the NewReno modification to the TCP Fast Recovery
676 algorithm. This behavior can be controlled via the
677 <varname>net.inet.tcp.newreno</varname> sysctl variable. &merged;</para>
679 <para>TCP now uses a more aggressive timeout for initial SYN segments; this
680 allows initial connection attempts to be dropped much
681 faster. &merged;</para>
683 <para>The <literal>TCP_COMPAT_42</literal> kernel option has
686 <para>The <literal>TCP_RESTRICT_RST</literal> kernel option has
687 been removed. Similar functionality can be achieved with the
688 <varname>net.inet.tcp.blackhole</varname> sysctl
689 variable. &merged;</para>
691 <para>TCP now has RFC 1323 extensions enabled by default in
692 &man.rc.conf.5;. &merged;</para>
694 <para>RFC 1323 and RFC 1644 TCP extensions are now disabled for a
695 connection in progress if no response has been received by the
696 third SYN segment sent. This behavior tries to work around
697 (very old) terminal servers with buggy VJ header compression
698 implementations. &merged;</para>
700 <para>The TCP implementation no longer requires the
701 allocation of a TCP template structure for each connection; this
702 should reduce the buffer usage on large systems handling many
703 connections. &merged;</para>
705 <para>TCP's default buffer sizes, controlled by the
706 <varname>net.inet.tcp.sendspace</varname> and
707 <varname>net.inet.tcp.recvspace</varname> sysctl variables, have
708 been increased to 32K and 64K respectively.</para>
710 <para>TCP now supports RFC 1948 (Defending Against Sequence
711 Number Attacks). This functionality is controlled by the
712 <varname>net.inet.tcp.strict_rfc1948</varname> and
713 <varname>net.inet.tcp.isn_reseed_interval</varname> sysctl
714 variables. &merged;</para>
716 <para>The TCP implementation in &os; now implements a cache of
717 outstanding, received SYN segments. Incoming SYN segments now
718 cause entries to be placed in the cache until the TCP three-way
719 handshake is complete, at which point, memory is allocated for
720 the connection as usual. This so-called
721 <quote>syncache</quote> makes a host much more resistant to
722 TCP-based Denial of Service attacks. Work on this feature was
723 sponsored by DARPA and NAI Labs.</para>
727 <title>Disks and Storage</title>
729 <para arch="i386">Support for the Adaptec FSA family of PCI-SCSI
730 RAID controllers has been added, in the form of the &man.aac.4;
731 driver. &merged;</para>
733 <para arch="i386">The &man.aac.4; driver now supports the Adaptec
734 SCSI RAID 5400S controller. &merged;</para>
736 <para arch="i386">The &man.aac.4; driver has been updated to
737 include proper handling of commands initiated by the adapter,
738 addition/removal of disk devices, crashdump functionality, and
739 &man.ioctl.2; command necessary for the management
742 <para>The &man.ahc.4; driver has received numerous updates,
743 bugfixes, and enhancements. Among various improvements are
744 improved compatibility with chips in <quote>RAID Port</quote> mode
745 and systems with AAA and/or ARO cards installed, as well as
746 performance improvements. Some bugs were also fixed, including a
747 rare hang on Ultra2/U160 controllers. &merged;</para>
749 <para arch="i386">The &man.asr.4; driver, which provides support
750 for the Adaptec SCSI RAID controller family, as well as the DPT
751 SmartRAID V and VI families, has been added. &merged;</para>
753 <para arch="i386">The &man.asr.4; driver now supports the Adaptec
754 2000S and 2005S Zero-Channel RAID controllers. &merged;</para>
756 <para>The &man.ata.4; driver now has support for ATA100
757 controllers. In addition, it now supports the ServerWorks ROSB4
758 ATA33 chipset, the CMD 648 ATA66 and CMD 649 ATA100 chipsets, and
759 the Cyrix 5530. &merged;</para>
761 <para>To provide more flexible configuration, the various options for the
762 &man.ata.4; driver are now boot loader tunables, rather than kernel
763 configure-time options. &merged;</para>
765 <para>The &man.ata.4; driver now has support for tagged queuing,
766 which is enabled by the <varname>hw.ata.tags</varname> loader
767 tunable. &merged;</para>
769 <para>The &man.ata.4; driver now has support for ATA
770 <quote>pseudo</quote> RAID controllers as the Promise Fasttrak and
771 HighPoint HPT370 controllers. &merged;</para>
773 <para>The BurnProof(TM) feature, for applicable ATAPI CD-ROM burners, is now
774 supported. &merged;</para>
776 <para>The CAM error recovery code has been updated.</para>
778 <para>The &man.cd.4; driver now has support for write operations.
779 This allows writing to DVD-RAM, PD and similar drives that probe
780 as CD devices. Note that change affects only random-access
781 writeable devices, not sequential-only writeable devices such as
782 CD-R drives, which are supported by &man.cdrecord.1; (a part of
783 <port>sysutils/cdrtools</port> in the Ports Collection. &merged;</para>
785 <para>The ciss driver, for devices utilizing the Common
786 Interface for SCSI-3 Support, has been added. This driver
787 supports the Compaq SmartRAID 5* family of RAID controllers
788 (5300, 532, 5i).</para>
790 <para>The ida disk driver now has crashdump support. &merged;</para>
792 <para arch="alpha">A bug that made certain CDROM drives fail to
793 attach when connected to a SCSI card driven by &man.isp.4; has
794 been fixed. &merged;</para>
796 <para>The &man.isp.4; driver is now proactive about discovering
797 Fibre Channel topology changes.</para>
799 <para>The &man.isp.4; driver now supports target mode for Qlogic
800 SCSI cards, including Ultra2 and Ultra3 and dual bus cards.</para>
802 <para>The &man.isp.4; driver now supports the Qlogic 2300 and
803 2312 Optical Fibre Channel PCI cards. &merged;</para>
805 <para>&man.md.4;, the memory disk device, has had the
806 functionality of &man.vn.4; incorporated into it. &man.md.4;
807 devices can now be configured by &man.mdconfig.8;. &man.vn.4; has
808 been removed. The Memory Filesystem (MFS) has also been
811 <para arch="i386">The &man.mly.4; driver, for Mylex PCI to SCSI
812 AccelRAID and eXtremeRAID controllers with firmware 6.X and
813 later, has been added. &merged;</para>
815 <para arch="i386">The ncv, nsp, and stg drivers have
816 been ported from NetBSD/pc98. They support the NCR 53C50 /
817 Workbit Ninja SCSI-3 / TMC 18C30, 18C50 based PC-Card/ISA SCSI
818 controllers. &merged;</para>
820 <para>Some problems in &man.sa.4; error handling have been
821 fixed, including the <quote>tape drive spinning indefinitely
822 upon &man.mt.1; <option>stat</option></quote> problem.</para>
824 <para arch="i386">The &man.twe.4; 3ware ATA RAID driver has added. &merged;</para>
826 <para>The &man.vinum.4; volume manager has received some bug fixes and
829 <para>The &man.wd.4; compatibility devices were removed from the
830 &man.ata.4; driver. &merged;</para>
834 <title>Filesystems</title>
836 <para>Support for named extended attributes was added to the &os;
837 kernel. This allows the kernel, and appropriately privileged
838 userland processes, to tag files and directories with attribute
839 data. Extended attributes were added to support the TrustedBSD
840 Project, in particular ACLs, capability data, and mandatory access
842 <filename>/usr/src/sys/ufs/ufs/README.extattr</filename> for
845 <para>Due to a licensing change, softupdates have been integrated
846 into the main portion of the kernel source tree. As a
847 consequence, softupdates are now available with the
848 <filename>GENERIC</filename> kernel. &merged;</para>
850 <para>A filesystem snapshot capability has been added to FFS.
851 Details can be found in
852 <filename>/usr/src/sys/ufs/ffs/README.snapshot</filename>.</para>
854 <para>Softupdates for FFS have received some bug fixes and
857 <para>When running with softupdates, &man.statfs.2; and
858 &man.df.1; will track the number of blocks and files that are
859 committed to being freed.</para>
861 <para>A bug in FFS that could cause superblock corruption on very large
862 filesystems has been corrected. &merged;</para>
864 <para>The Inode Filesystem (IFS) has been added; more information
866 <filename>/usr/src/sys/ufs/ifs/README</filename>.</para>
868 <para>The ISO-9660 filesystem now has a hook that supports a loadable
869 character conversion routine. The
870 <port>sysutils/cd9660_unicode</port> port
871 contains a set of common conversions.</para>
873 <para>&man.kernfs.5; is obsolete and has been retired.</para>
875 <para>A bug in the NFS client that caused bogus access times with
876 <literal>O_EXCL|O_CREAT</literal> opens was fixed. &merged;</para>
878 <para>A new NFS hash function (based on the Fowler/Noll/Vo hash
879 algorithm) has been implemented to improve NFS performance by
880 increasing the efficiency of the <varname>nfsnode</varname> hash
881 tables. &merged;</para>
883 <para>Client-side NFS locks have been implemented.</para>
885 <para>The client-side and server-side of the NFS code in the
886 kernel used to be intertwined in various complex ways. They
887 have been split apart for ease of maintenance and further
890 <para>Support for file system Access Control Lists (ACLs) has been
891 introduced, allowing more fine-grained control of discretionary
892 access control on files and directories. This support was
893 integrated from the TrustedBSD Project. More details can be found in
894 <filename>/usr/src/sys/ufs/ufs/README.acls</filename>.</para>
896 <para>The directory layout preference algorithm for FFS has been
897 changed to improve its speed on large filesystems. &merged;</para>
899 <para arch="i386">smbfs (CIFS) support in kernel has been added.
900 The corresponding userland filesystem mount utility can be found
901 in the <port>net/smbfs</port> port in the &os; Ports
902 Collection. &merged;</para>
904 <para>For consistency, the fdesc, fifo, null, msdos, portal,
905 umap, and union filesystems have been renamed to fdescfs,
906 fifofs, msdosfs, nullfs, portalfs, umapfs, and unionfs. Where
907 applicable, modules and mount_* programs have been
908 renamed. Compatibility <quote>glue</quote> has been added to
909 &man.mount.8; so that <literal>msdos</literal> filesystem
910 entries in &man.fstab.5; will work without changes.</para>
912 <para>pseudofs, a pseudo-filesystem framework, has been added.
913 &man.linprocfs.5; has been modified to use pseudofs.</para>
915 <para>A simple hash-based lookup optimization for large directories
916 called <literal>dirhash</literal> has been added. Conditional on the
917 <literal>UFS_DIRHASH</literal> kernel option, it improves the speed
918 of operations on very large directories at the expense of some
919 memory. &merged;</para>
921 <para>The virtual memory subsystem now backs UFS directory
922 memory requirements by default (this behavior is controlled via
923 the <varname>vfs.vmiodirenable</varname> sysctl variable. &merged;</para>
927 <title>PCCARD Support</title>
929 <para arch="i386">The pccard driver and &man.pccardc.8; now support multiple
930 <quote>beep types</quote> upon card insertion and removal. &merged;</para>
932 <para>On many modern hosts, PCCARD devices can be configured to
933 route their interrupts via either the ISA or PCI interrupt paths.
934 The &man.pcic.4; driver has been updated to support both interrupt
935 paths (formerly, only routing via ISA was supported). &merged; In most
936 cases, configuration of PCMCIA devices in laptops is simpler and
937 more flexible. In addition, various Cardbus bridge PCI cards
938 (such as those used by Orinoco PCI NICs) are now supported. Some
939 hosts may experience problems, such as hangs or panics, with PCI
940 interrupt routing; they can frequently be made to work by forcing
941 the older-style ISA interrupt routing. The following lines,
942 placed in <filename>/boot/loader.conf</filename>, may fix the
945 <programlisting>hw.pcic.intr_path="1"
946 hw.pcic.irq="0"</programlisting>
948 <para>When installing &os; on such a system, typing the following
949 lines to the boot loader may be helpful in starting up &os; for
950 the first time:<para>
952 <screen><prompt>ok</prompt> <userinput>set hw.pcic.intr_path="1"</userinput>
953 <prompt>ok</prompt> <userinput>set hw.pcic.irq="0"</userinput></screen>
955 <para arch="i386">Preliminary Cardbus support under NEWCARD has been added.
956 This code supports the TI113X, TI12XX, TI125X, Ricoh 5C46/5C47, Topic
957 95/97/100 and Cirrus Logic PD683X bridges. 16-bit PC Card support
958 is not yet functional.</para>
962 <title>Multimedia Support</title>
964 <para arch="i386">The &man.pcm.4; driver now supports the ESS Solo 1,
965 Maestro-1, Maestro-2, and Maestro-2e; Forte Media fm801, ESS
966 Maestro-2e, and VIA Technologies VT82C686A sound card/chipsets,
967 and has received some other updates.
968 Separate drivers for the SoundBlaster 8 and SoundBlaster 16 now
969 replace an older, unified driver. A driver for the CMedia
970 CMI8338/CMI8738 sound chips has been added. A driver for the
971 CS4281 sound chip has been added. A driver for the S3
972 SonicVibes chipset has been added. &merged;</para>
974 <para arch="i386">A driver for the Avance Logic ALS4000 has
975 been added. &merged;</para>
977 <para arch="i386">A driver for the
978 ESS Maestro-3/Allegro has been added, however due to licensing
979 restrictions, it cannot be compiled into the kernel. &merged; To
980 use this driver, add the following line to
981 <filename>/boot/loader.conf</filename>:</para>
983 <programlisting>snd_maestro3_load="YES"</programlisting>
985 <para>The &man.bktr.4; driver has been updated to 2.18. This
986 update provides a number of new features. New tuner
987 types have been added, and improvements to the KLD module and to
988 memory allocation have been made. Bugs in &man.devfs.5; when
989 unloading and reloading have been fixed.
990 Support for new Hauppauge Model 44xxx WinTV Cards (the ones with
991 no audio mux) has been added.</para>
993 <para>When sound modules are built, one can now load all the
994 drivers and infrastructure by <command>kldload
995 snd</command>.</para>
997 <para>A new API has been added for sound cards with hardware
998 volume control.</para>
1000 <para arch="i386">A driver for the Intel 443MX, 810, 815, and 815E
1001 integrated sound devices has been added.</para>
1006 <title>Contributed Software</title>
1008 <para>The Forth Inspired Command Language
1009 (<application>FICL</application>) used in the boot loader has
1010 been updated to 2.05.</para>
1012 <para>Support for Advanced Configuration and Power Interface
1013 (ACPI), a multi-vendor standard for configuration and power
1014 management, has been added. This functionality has been
1015 provided by the <application>Intel ACPI Component
1016 Architecture</application> project, updated to the ACPI CA
1017 20011120 snapshot. Some backward compatability for
1018 applications using the older APM standard has been provided.</para>
1021 <title>IPFilter</title>
1023 <para><application>IPFilter</application> has been updated to
1024 3.4.20. &merged;</para>
1026 <para><application>IPFilter</application> now supports
1027 IPv6. &merged;</para>
1032 <title>isdn4bsd</title>
1034 <para><application>isdn4bsd</application> has been updated to
1035 version 1.0.1. As a result of this update, users of the
1036 &man.i4bisppp.4; (kernel PPP over ISDN) driver
1037 <emphasis>must</emphasis> now use &man.ispppcontrol.8; instead
1038 of &man.spppcontrol.8; to configure and control these
1039 network interfaces. &merged;</para>
1041 <para>The &man.ihfc.4; driver for supporting Cologne Chip
1042 Designs HFC devices under <application>isdn4bsd</application>
1043 has been added. &merged;</para>
1045 <para>The &man.itjc.4; driver for supporting NETjet-S / Teles
1046 PCI-TJ devices under <application>isdn4bsd</application> has
1047 been added. &merged;</para>
1049 <para>Experimental support for the Eicon.Diehl DIVA 2.0 and
1050 2.02 ISA PnP ISDN cards has been added to the &man.isic.4;
1051 <application>isdn4bsd</application> driver. &merged;</para>
1053 <para>The &man.isic.4; driver now supports the Compaq Microcom
1054 610 ISDN ISA PnP card.</para>
1056 <para>Active CAPI-based ISDN cards manufactured by AVM are now
1057 supported using the &man.i4bcapi.4; and the &man.iavc.4; driver. The
1058 supported cards are the AVM B1 PCI and AVM B1 ISA Basic Rate
1059 cards and the AVM T1 Primary Rate cards. &merged;</para>
1061 <para>A new <literal>maxconnecttime</literal> keyword is now
1062 accepted in &man.isdnd.rc.5; files to limit the time a
1063 connection may remain open. &merged;</para>
1065 <para>&man.isdnphone.8; now supports a <option>-k</option> option for
1066 sending messages via the keypad facility to a PBX or exchange
1070 <sect4 id="kame-kernel">
1073 <para>The IPv6 stack is now based on a snapshot based on the KAME
1074 Project's IPv6 snapshot as of 28 May, 2001. Most of the
1075 items listed in this section are a result of this import.
1076 <xref linkend="kame-userland"> lists userland updates to the
1077 KAME IPv6 stack. &merged;</para>
1079 <para>&man.gif.4; is now based on RFC 2893, rather than RFC
1080 1933. The <literal>IFF_LINK2</literal> interface flag can
1081 be used to control ingress filtering. &merged;</para>
1083 <para><application>IPSec</application> has received some
1084 enhancements, including the ability to use the Rijndael and
1085 SHA2 algorithms. IPSec RC5 support has been removed due to
1086 patent issues. &merged;</para>
1088 <para>&man.stf.4; now conforms to RFC 3056; the
1089 <literal>IFF_LINK2</literal> interface flag can be used to
1090 control ingress filtering. &merged;</para>
1092 <para>IPv6 has better checking of illegal addresses (such as
1093 loopback addresses) on physical networks. &merged;</para>
1095 <para>The <varname>IPV6_V6ONLY</varname> socket option is
1096 now completely supported. The kernel's default behavior
1097 with respect to this option is controlled by the
1098 <varname>net.inet6.ip6.v6only</varname> sysctl
1099 variable. &merged;</para>
1101 <para>RFC 3041 (Privacy Extensions for Stateless Address
1102 Autoconfiguration) is now supported. It can be enabled via
1103 the <varname>net.inet6.ip6.use_tempaddr</varname> sysctl
1104 variable. &merged;</para>
1108 <sect2 id="security">
1109 <title>Security-Related Changes</title>
1111 <para>&man.sysinstall.8; now allows the user to select one of two
1112 <quote>security profiles</quote> at install-time. These profiles enable
1113 different levels of system security by enabling or disabling
1114 various system services in &man.rc.conf.5; on new
1115 installs. &merged;</para>
1117 <para>A bug in which malformed ELF executable images can hang the
1118 system has been fixed (see security advisory
1119 FreeBSD-SA-00:41). &merged;</para>
1121 <para>A security hole in Linux emulation was fixed (see security
1122 advisory FreeBSD-SA-00:42). &merged;</para>
1124 <para>String-handling library calls in many programs were fixed to
1125 reduce the possibility of buffer overflow-related exploits.
1128 <para>TCP now uses stronger randomness in choosing its initial sequence
1129 numbers (see security advisory FreeBSD-SA-00:52). &merged;</para>
1131 <para>Several buffer overflows in &man.tcpdump.1; were corrected
1132 (see security advisory FreeBSD-SA-00:61). &merged;</para>
1134 <para>A security hole in &man.top.1; was corrected (see security advisory
1135 FreeBSD-SA-00:62). &merged;</para>
1137 <para>A potential security hole caused by an off-by-one-error in
1138 &man.gethostbyname.3; has been fixed (see security advisory
1139 FreeBSD-SA-00:63). &merged;</para>
1141 <para>A potential buffer overflow in the &man.ncurses.3; library,
1142 which could cause arbitrary code to be run from within
1143 &man.systat.1;, has been corrected (see security advisory
1144 FreeBSD-SA-00:68). &merged;</para>
1146 <para>A vulnerability in &man.telnetd.8; that could cause it to
1147 consume large amounts of server resources has been fixed (see
1148 security advisory FreeBSD-SA-00:69). &merged;</para>
1150 <para>The <literal>nat deny_incoming</literal> command in
1151 &man.ppp.8; now works correctly (see security advisory
1152 FreeBSD-SA-00:70). &merged;</para>
1154 <para>A vulnerability in &man.csh.1;/&man.tcsh.1; temporary files
1155 that could allow overwriting of arbitrary user-writable files has
1156 been closed (see security advisory FreeBSD-SA-00:76). &merged;</para>
1158 <para>The &man.ssh.1; binary is no longer SUID root by
1159 default. &merged;</para>
1161 <para>Some fixes were applied to the Kerberos
1162 IV implementation related to environment variables, a
1163 possible buffer overrun, and overwriting ticket files. &merged;</para>
1165 <para>&man.telnet.1; now does a better job of sanitizing its
1166 environment. &merged;</para>
1168 <para>Several vulnerabilities in &man.procfs.5; were fixed (see
1169 security advisory FreeBSD-SA-00:77). &merged;</para>
1171 <para>A bug in <application>OpenSSH</application> in which a
1172 server was unable to disable &man.ssh-agent.1; or
1173 <literal>X11Forwarding</literal> was fixed (see security advisory
1174 FreeBSD-SA-01:01). &merged;</para>
1176 <para>A bug in &man.ipfw.8; and &man.ip6fw.8; in which inbound TCP
1177 segments could incorrectly be treated as being part of an
1178 <literal>established</literal> connection has been fixed (see
1179 security advisory FreeBSD-SA-01:08). &merged;</para>
1181 <para>A bug in &man.crontab.1; that could allow users to read any
1182 file on the system in valid &man.crontab.5; syntax has been fixed
1183 (see security advisory FreeBSD-SA-01:09). &merged;</para>
1185 <para>A vulnerability in &man.inetd.8; that could allow
1186 read-access to the initial 16 bytes of
1187 <groupname>wheel</groupname>-accessible files has been fixed (see security
1188 advisory FreeBSD-SA-01:11). &merged;</para>
1190 <para>A bug in &man.periodic.8; that used insecure temporary files has been
1191 corrected (see security advisory FreeBSD-SA-01:12). &merged;</para>
1193 <para>A bug in &man.sort.1; in which an attacker might be able to
1194 cause it to abort processing has been fixed (see security advisory
1195 FreeBSD-SA-01:13). &merged;</para>
1197 <para><application>OpenSSH</application> now has code to prevent
1198 (instead of just mitigating through connection limits) an attack
1199 that can lead to guessing the server key (not host key) by
1200 regenerating the server key when an RSA failure is detected (see
1201 security advisory FreeBSD-SA-01:24). &merged;</para>
1203 <para>A number of programs have had output formatting strings
1204 corrected so as to reduce the risk of vulnerabilities. &merged;</para>
1206 <para>A number of programs that use temporary files now do so more
1207 securely. &merged;</para>
1209 <para>A bug in ICMP that could cause an attacker to disrupt TCP and UDP
1210 <quote>sessions</quote> has been corrected. &merged;</para>
1212 <para>A bug in &man.timed.8;, which caused it to crash if send
1213 certain malformed packets, has been corrected (see security
1214 advisory FreeBSD-SA-01:28). &merged;</para>
1216 <para>A bug in &man.rwhod.8;, which caused it to crash if send
1217 certain malformed packets, has been corrected (see security
1218 advisory FreeBSD-SA-01:29). &merged;</para>
1220 <para>A security hole in &os;'s FFS and EXT2FS implementations,
1221 which allowed a race condition that could cause users to have
1222 unauthorized access to data, has been fixed (see security advisory
1223 FreeBSD-SA-01:30). &merged;</para>
1225 <para>A remotely-exploitable vulnerability in &man.ntpd.8; has
1226 been closed (see security advisory FreeBSD-SA-01:31). &merged;</para>
1228 <para>A security hole in <application>IPFilter</application>'s
1229 fragment cache has been closed (see
1230 security advisory FreeBSD-SA-01:32). &merged;</para>
1232 <para>Buffer overflows in &man.glob.3;, which could cause
1233 arbitrary code to be run on an FTP server, have been closed. In
1234 addition, to prevent some forms of DOS attacks, &man.glob.3;
1235 allows specification of a limit on the number of pathname matches
1236 it will return. &man.ftpd.8; now uses this feature (see security
1237 advisory FreeBSD-SA-01:33). &merged;</para>
1239 <para>Initial sequence numbers in TCP are more thoroughly
1240 randomized (see security advisory FreeBSD-SA-01:39). Due to some
1241 possible compatibility issues, the behavior of this security fix
1242 can be enabled or disabled via the
1243 <varname>net.inet.tcp.tcp_seq_genscheme</varname> sysctl
1244 variable.&merged;</para>
1246 <para>A vulnerability in the &man.fts.3; routines (used by
1247 applications for recursively traversing a filesystem) could
1248 allow a program to operate on files outside the intended directory
1249 hierarchy. This bug has been fixed (see security advisory
1250 FreeBSD-SA-01:40). &merged;</para>
1252 <para>&os;'s TCP implementation has been made more resistant to
1253 SYN floods, by eliminating the RST segment normally sent when
1254 removing a connection from the listen queue.</para>
1256 <para><application>OpenSSH</application> now switches to the
1257 user's UID before attempting to unlink the authentication
1258 forwarding file, nullifying the effects of a race.</para>
1260 <para>A flaw allowed some signal handlers to remain in effect in a
1261 child process after being exec-ed from its parent. This allowed
1262 an attacker to execute arbitrary code in the context of a setuid
1263 binary. This flaw has been corrected (see security advisory
1264 FreeBSD-SA-01:42). &merged;</para>
1266 <para>A remote buffer overflow in &man.tcpdump.1; has been fixed
1267 (see security advisory FreeBSD-SA-01:48). &merged;</para>
1269 <para>A remote buffer overflow in &man.telnetd.8; has been
1270 fixed (see security advisory FreeBSD-SA-01:49). &merged;</para>
1272 <para>The new <varname>net.inet.ip.maxfragpackets</varname>
1273 and <varname>net.inet.ip6.maxfragpackets</varname> sysctl
1274 variables limit the amount of memory that can be consumed by IPv4
1275 and IPv6 packet fragments, which defends against some denial of service
1276 attacks (see security advisory FreeBSD-SA-01:52). &merged;</para>
1278 <para>All services in <filename>inetd.conf</filename> are now
1279 disabled by default for new installations. &man.sysinstall.8;
1280 gives the option of enabling or disabling &man.inetd.8; on new
1281 installations, as well as editing
1282 <filename>inetd.conf</filename>. &merged;</para>
1284 <para>A flaw in the implementation of the &man.ipfw.8;
1285 <literal>me</literal> rules on point-to-point links has been
1286 corrected. Formerly, <literal>me</literal> filter rules would
1287 match the remote IP address of a point-to-point interface in
1288 addition to the intended local IP address (see security advisory
1289 FreeBSD-SA-01:53). &merged;</para>
1291 <para>A vulnerability in &man.procfs.5;, which could allow a
1292 process to read sensitive information from another process's
1293 memory space, has been closed (see security advisory
1294 FreeBSD-SA-01:55). &merged;</para>
1296 <para>The <literal>PARANOID</literal> hostname checking in
1297 <application>tcp_wrappers</application> now works as advertised
1298 (see security advisory FreeBSD-SA-01:56). &merged;</para>
1300 <para>A local root exploit in &man.sendmail.8; has been closed
1301 (see security advisory FreeBSD-SA-01:57). &merged;</para>
1303 <para>A remote root vulnerability in &man.lpd.8; has been closed
1304 (see security advisory FreeBSD-SA-01:58). &merged;</para>
1306 <para>A race condition in &man.rmuser.8; that briefly exposed a
1307 world-readable <filename>/etc/master.passwd</filename> has been
1308 fixed (see security advisory FreeBSD-SA-01:59). &merged;</para>
1310 <para>A vulnerability in <application>UUCP</application> has been
1311 closed (see security advisory FreeBSD-SA-01:62).
1312 All non-<username>root</username>-owned binaries in standard
1313 system paths now have the <literal>schg</literal> flag set to
1314 prevent exploit vectors when run by &man.cron.8;, by
1315 <username>root</username>, or by a user other then the one owning
1316 the binary. In addition, &man.uustat.1; is now run via
1317 <filename>/etc/periodic/daily/410.status-uucp</filename> as
1318 <username>uucp</username>, not <username>root</username>.
1319 In &os; -CURRENT, <application>UUCP</application> has since been moved
1320 to the Ports Collection and no longer a part of the base
1321 system. &merged;</para>
1323 <para>A security hole in the form of a buffer overflow in the
1324 &man.semop.2; system call has been closed. &merged;</para>
1326 <sect2 id="userland">
1327 <title>Userland Changes</title>
1329 <para>If the first argument to &man.ancontrol.8; or
1330 &man.wicontrol.8; doesn't start with a <literal>-</literal>, it is
1331 assumed to be an interface.</para>
1333 <para>&man.apmd.8; now has the ability to monitor battery levels and
1334 execute commands based on percentage or minutes of battery life
1335 remaining via the <literal>apm_battery</literal> configuration
1336 directive. See the commented-out examples in
1337 <filename>/etc/apmd.conf</filename> for the syntax. &merged;</para>
1339 <para>&man.arp.8; now prints the applicable interface name for
1340 each ARP entry. &merged</para>
1342 <para>&man.arp.8; now prints <literal>[fddi]</literal> or
1343 <literal>[atm]</literal> tags for addresses on interfaces of those
1346 <para>&man.atacontrol.8; has been added to control various aspects
1347 of the &man.ata.4; driver.</para>
1349 <para arch="i386">&man.boot98cfg.8;, a PC-98 boot manager installation and
1350 configuration utility, has been added. &merged;</para>
1352 <para>&man.burncd.8; now supports a <option>-m</option> option for
1353 multisession mode (the default behavior now is to close disks as
1354 single-session). A <option>-l</option> option to take a list of
1355 image files from a filename was also added; <filename>-</filename>
1356 can be used as a filename for <literal>stdin</literal>. &merged;</para>
1358 <para>&man.burncd.8; now supports Disk At Once (DAO) mode,
1359 selectable via the <option>-d</option> flag.</para>
1361 <para>&man.c89.1; has been converted from a shell script to a
1362 binary executable, fixing some minor bugs. &merged;</para>
1364 <para>&man.cat.1; now has the ability to read from UNIX-domain
1365 sockets. &merged;</para>
1367 <para>&man.cdcontrol.1; now supports a <literal>cdid</literal>
1368 command, which calculates and displays the CD serial number, using
1369 the same algorithm used by the CDDB database. &merged;</para>
1371 <para>&man.cdcontrol.1; now uses the <envar>CDROM</envar>
1372 environment variable to pick a default device. &merged;</para>
1374 <para>&man.cdcontrol.1; now supports <literal>next</literal> and
1375 <literal>prev</literal> commands to skip forwards or backwards a
1376 specified number of tracks while playing an audio CD. &merged;</para>
1378 <para>&man.chflags.1; has moved from <filename>/usr/bin</filename>
1379 to <filename>/bin</filename>.</para>
1381 <para>&man.chio.1; now has the ability to specify elements by
1382 volume tag instead of by their physical location as well as the
1383 ability to return an element to its previous location. &merged;</para>
1385 <para>&man.chmod.1; now supports a <option>-h</option> for
1386 changing the mode of a symbolic link.</para>
1388 <para>&man.chown.8; now correctly follows symbolic links named as
1389 command line arguments if run without <option>-R</option>.</para>
1391 <para>&man.chown.8; no longer takes <literal>.</literal> as a
1392 user/group delimeter. This change was made to support usernames
1393 containing a <literal>.</literal>.</para>
1395 <para>Use of the <literal>CSMG_*</literal> macros no longer
1396 require inclusion of
1397 <filename><sys/param.h></filename></para>
1399 <para>&man.col.1; now takes a <option>-p</option> flag to force unknown
1400 control sequences to be passed through unchanged. &merged;</para>
1403 <filename>compat3x</filename> distribution has been updated to
1404 include libraries present in &os; 3.5.1-RELEASE. &merged;</para>
1406 <para>A <filename>compat4x</filename> distribution has been added
1407 for compatibility with &os; 4-STABLE.</para>
1409 <para>&man.config.8; is now better about converting various
1410 warnings that should
1411 have been errors into actual fatal errors with an exit code. This
1412 ensures that <literal>make buildkernel</literal>
1413 doesn't quietly ignore them and
1414 build a bogus kernel without a human to read the errors. &merged;</para>
1416 <para>A number of buffer overflows in &man.config.8; have been
1417 fixed. &merged;</para>
1419 <para>The &man.daemon.8; program, a command-line interface to
1420 &man.daemon.3;, has been added. It detaches itself from its
1421 controlling terminal and executes a program specified on the command
1422 line. This allows the user to run an arbitrary program as if it were
1423 written to be a daemon.</para>
1425 <para>devinfo, a simple tool to print the device tree and resource usage by
1426 devices, has been added.</para>
1428 <para>&man.df.1; now takes a <option>-l</option> option to only
1429 display information about locally-mounted filesystems. &merged;</para>
1431 <para>&man.disklabel.8; now supports partition sizes expressed in
1432 kilobytes, megabytes, or gigabytes, in addition to sectors. &merged;</para>
1434 <para>&man.dmesg.8; now has a <option>-a</option> option to show
1435 the entire message buffer, including &man.syslogd.8; records and
1436 <filename>/dev/console</filename> output. &merged;</para>
1438 <para>&man.du.1; now takes a <option>-I</option> command-line flag
1439 to ignore/skip files and subdirectories matching a specified
1440 shell-glob mask. &merged;</para>
1442 <para>&man.dump.8; now supports inheritance of the
1443 <literal>nodump</literal> flag down a hierarchy. &merged;</para>
1445 <para>The <option>-T</option> option to &man.dump.8; no longer swallows
1446 an extra argument. &merged;</para>
1448 <para>&man.dump.8; has a new <option>-D</option> option, allowing
1449 the path to the <filename>/etc/dumpdates</filename> file to be
1450 changed. &merged;</para>
1452 <para>&man.edquota.8; now takes a <option>-f</option> option to
1453 allow limiting the prototype quota distribution (specified with
1454 <option>-p</option>) to a single filesystem. &merged;</para>
1456 <para>&man.fbtab.5; now accepts glob matching patterns for target
1457 devices, not just individual devices and directories.</para>
1459 <para arch="i386">&man.fdisk.8; no longer attempts to search for
1460 a device if none has been specified on the command line, but
1461 instead tries to figure out the default device name from the
1464 <para>&man.fdread.1;, a program to read data from floppy disks,
1465 has been added. It is a counterpart to &man.fdwrite.1; and is
1466 designed to provide a means of recovering at least some data from
1467 bad media, and to obviate for a complex invocation of
1470 <para>&man.find.1; now takes the <option>-empty</option> flag,
1471 which returns true if a file or directory is empty. &merged;</para>
1473 <para>&man.find.1; now takes the <option>-iname</option> and
1474 <option>-ipath</option> primaries for case-insensitive matches,
1475 and the <option>-regexp</option> and <option>-iregexp</option>
1476 primaries for regular-expression matches. The <option>-E</option>
1477 flag now enables extended regular expressions. &merged;</para>
1479 <para>&man.find.1; now has the <option>-anewer</option>,
1480 <option>-cnewer</option>, <option>-mnewer</option>,
1481 <option>-okdir</option>, and <option>-newer[acm][acmt]</option>
1482 primaries for comparisons of file timestamps. The latter
1483 primaries can be specified with various units of time. &merged;</para>
1485 <para>&man.finger.1; now has the ability to support fingering
1486 aliases, via the &man.finger.conf.5; file. &merged;</para>
1488 <para>&man.finger.1; now has support for a
1489 <filename>.pubkey</filename> file.</para>
1491 <para>&man.fmt.1; has been rewritten; the rewrite fixes a number
1492 of bugs compared to its prior behavior. &merged;</para>
1494 <para>&man.fmtcheck.3;, a function for checking consistency of
1495 format string arguments, has been added. &merged;</para>
1497 <para>&man.fsck.8; wrappers have been imported; this feature
1498 provides infrastructure for &man.fsck.8; to work on different
1499 types of filesystems (analogous to &man.mount.8;).</para>
1501 <para>The behavior of &man.fsck.8; when dealing with various
1502 passes (a la <filename>/etc/fstab</filename>) has been modified to
1503 accommodate multiple-disk filesystems.</para>
1505 <para>&man.fsck.8; now has support for foreground
1506 (<option>-F</option>) and background (<option>-B</option>) checks.
1507 Traditionally, &man.fsck.8; is invoked before the filesystems are
1508 mounted and all checks are done to completion at that time. If
1509 background checking is available, &man.fsck.8; is invoked twice.
1510 It is first invoked at the traditional time, before the
1511 filesystems are mounted, with the <option>-F</option> flag to do
1512 checking on all the filesystems that cannot do background
1513 checking. It is then invoked a second time, after the system has
1514 completed going multiuser, with the <option>-B</option> flag to do
1515 checking on all the filesystems that can do background checking.
1516 Unlike the foreground checking, the background checking is started
1517 asynchronously so that other system activity can proceed even on
1518 the filesystems that are being checked. Boot-time enabling of
1519 this feature is controlled by the
1520 <varname>background_fsck</varname> option in &man.rc.conf.5;.</para>
1522 <para>Shortly after the receipt of a <literal>SIGINFO</literal>
1523 signal (normally control-T from the controlling tty), &man.fsck.ffs.8;
1524 will now output a line indicating the current phase number and
1525 progress information relevant to the current phase. &merged;</para>
1527 <para>&man.fsck.ffs.8; now supports background filesystem checks
1528 to mounted FFS filesystems with the <option>-B</option> option
1529 (softupdates must be enabled on these filesystems). The
1530 <option>-F</option> flag now determines whether a specified
1531 filesystem needs foreground checking.</para>
1533 <para>A new &man.fsck.msdosfs.8; utility has been added to check
1534 the consistency of MS-DOS filesystems. &merged;</para>
1536 <para>&man.ftpd.8; now supports a <option>-r</option> flag for
1537 read-only mode and a <option>-E</option> flag to disable
1538 <literal>EPSV</literal>. It also has some fixes to reduce
1539 information leakage and the ability to specify compile-time port
1540 ranges. &merged;</para>
1542 <para>&man.ftpd.8; now supports <option>-o</option> and
1543 <option>-O</option> options to disable the <literal>RETR</literal>
1544 command; the former for everybody, and the latter only for guest users.
1545 Coupled with <option>-A</option> and appropriate file permissions,
1546 these can be used to create a relatively safe anonymous FTP drop box
1547 for others to upload to.</para>
1549 <para arch="i386">&man.gdb.1; now supports hardware watchpoints (using the
1550 kernel's debug register + support that has been introduced in
1551 &os; 4.0). &merged;</para>
1553 <para>The &man.getprogname.3; and &man.setprogname.3; library
1554 functions have been added to manipulate the name of the current
1555 program. They are used by error-reporting routines to produce
1556 consistent output. &merged;</para>
1558 <para>&man.gprof.1; now has a <option>-K</option> option to enable
1559 dynamic symbol resolution from the currently-running kernel. With
1560 this change, properly-compiled KLD modules are now able to be
1563 <para>&man.growfs.8;, a utility for growing FFS filesystems, has
1564 been added. &man.ffsinfo.8;, a utility for dump all the
1565 meta-information of an existing filesystem, has also been
1566 added. &merged;</para>
1568 <para>The &man.groups.1; and &man.whoami.1; shell scripts are now
1569 unnecessary; their functionality has been completely folded into
1572 <para>The &man.ibcs2.8;, &man.linux.8;, &man.osf1.8;, and &man.svr4.8;
1573 scripts, whose sole purpose was to load emulation
1574 kernel modules, have been removed. The kernel module system will
1575 automatically load them as needed to fulfill dependencies.</para>
1577 <para>&man.indent.1; has gained some new formatting
1578 options. &merged;</para>
1580 <para>&man.ifconfig.8; command can set the link-layer address
1581 of an interface using the <option>lladdr</option> parameter.
1584 <para>&man.ifconfig.8; can now accept addresses in slash/CIDR
1585 notation. &merged;</para>
1587 <para>&man.ifconfig.8; now has support for setting parameters for
1588 IEEE 802.11 wireless network devices. &man.wi.4; and
1589 &man.an.4; devices are supported, and partial support is provided
1590 for &man.awi.4; devices. &merged;</para>
1592 <para>&man.ifconfig.8; no longer displays the list of supported
1593 media by default. Instead it displays it when the
1594 <option>-m</option> flag is given. &merged;</para>
1596 <para>The syntax of &man.inetd.8;'s support for &man.faithd.8; is
1597 now compatible with that of other BSDs. &merged;</para>
1599 <para>The <literal>ident</literal> protocol support in &man.inetd.8; has
1600 been cleaned up and updated. &merged;</para>
1602 <para>&man.inetd.8; now has the ability to manage UNIX-domain
1603 sockets. &merged;</para>
1605 <para>&man.install.1; has a number of new features, including the
1606 <option>-b</option> and <option>-B</option> options for backing up
1607 existing target files and the <option>-S</option> option for
1608 <quote>safe</quote> (atomic copy) operation. The
1609 <option>-c</option> (copy) flag is now the default, and the
1610 <option>-D</option> (debugging) flag has been withdrawn.
1611 &man.install.1; now issues a warning if <option>-d</option>
1612 (create directories) and <option>-C</option> (copy changed files
1613 only) are used together. &merged;</para>
1615 <para>IP Filter is now supported by the
1616 &man.rc.conf.5; boot-time configuration and
1617 initialization. &merged;</para>
1619 <para>&man.ipfstat.8; now supports the <option>-t</option> option
1620 to turn on a &man.top.1;-like display. &merged;</para>
1622 <para>&man.ipfw.8; will now avoid the display of dynamic
1623 firewall rules unless the <option>-d</option> flag is passed to
1624 it. The <option>-e</option> option lists expired dynamic
1625 rules. &merged;</para>
1627 <para>&man.ipfw.8; has a new feature (<literal>me</literal>) that
1628 allows for packet matching on interfaces with dynamically-changing
1629 IP addresses. &merged;</para>
1631 <para>&man.ipfw.8; has a new <literal>limit</literal> type of
1632 firewall rule, which limits the number of sessions between address
1633 pairs. &merged;</para>
1635 <para>&man.ip6fw.8; now has the ability to use a preprocessor
1636 and use the <option>-q</option> (quiet) flag when reading from a
1637 file. &merged;</para>
1639 <para>&man.kenv.1;, a command to dump the kernel environment, has
1640 been added. &merged;</para>
1642 <para>&man.keyinfo.1; is now a C program, rather than a Perl
1643 script. &merged;</para>
1645 <para>&man.killall.1; is now a C program, rather than a Perl
1646 script. As a result, its <option>-m</option> option now uses the
1647 regular expression syntax of &man.regex.3;, rather than that of
1648 &man.perl.1;. &merged;</para>
1650 <para>&man.killall.1; now allows non-root users to kill SUID root
1651 processes that they started, the same as the Perl version did.</para>
1653 <para>The &man.kldconfig.8; utility has been added to make it easier to
1654 manipulate the kernel module search path. &merged;</para>
1656 <para>&man.last.1; now implements a <option>-d</option> that
1657 provides a <quote>snapshot</quote> of who was logged in at a
1658 particular date and time. &merged;</para>
1660 <para>The &man.lastlogin.8; utility, which prints the last login
1661 time of each user, has been imported from
1662 NetBSD. &merged;</para>
1664 <para>&man.ldconfig.8; now checks directory ownerships and
1665 permissions for greater security; these checks can be disabled
1666 with the <option>-i</option> flag. &merged;</para>
1668 <para><filename>libc</filename> is now thread-safe by default;
1669 <filename>libc_r</filename> contains only thread functions.</para>
1671 <para><filename>libcrypt</filename> and
1672 <filename>libdescrypt</filename> have been unified to provide a
1673 configurable password authentication hash library. Both the md5
1674 and des hash methods are provided unless the des hash is
1675 specifically compiled out. &merged;</para>
1677 <para><filename>libcrypt</filename> now has support for Blowfish
1678 password hashing. &merged;</para>
1680 <para arch="i386"><filename>libdisk</filename> can now do
1681 install-time configuration of the <filename>boot0</filename>
1682 boot loader. &merged;</para>
1684 <para><filename>libstand</filename> now has support for
1685 filesystems containing <application>bzip2</application>-compressed
1686 files. &merged;</para>
1688 <para>The default TCP port range used by
1689 <filename>libfetch</filename> for passive FTP retrievals has
1690 changed; this affects the behavior of &man.fetch.1;, which has
1691 gained the <option>-U</option> option to restore the old
1692 behavior. &merged;</para>
1694 <para><filename>libfetch</filename> now has support for an
1695 authentication callback.</para>
1697 <para><filename>libfetch</filename> now has support for a
1698 <envar>HTTP_USER_AGENT</envar> environment variable. &merged;</para>
1700 <para><filename>libgmp</filename> has been superceded by
1701 <filename>libmp</filename>.
1703 <para>The functions from <filename>libposix1e</filename> have been
1704 integrated into <filename>libc</filename>.</para>
1706 <para>&man.ln.1; now takes an <option>-i</option> option to
1707 request user confirmation before overwriting an existing
1708 file. &merged;</para>
1710 <para>&man.ln.1; now takes a <option>-h</option> flag to avoid
1711 following a target that is a link, with a <option>-n</option> flag
1712 for compatibility with other implementations. &merged;</para>
1714 <para>&man.logger.1; can now send messages directly to a remote
1715 syslog. &merged;</para>
1717 <para>&man.login.1; now exports environment variables set by
1718 <application>PAM</application> modules. &merged;</para>
1720 <para>&man.lpc.8; has been improved; <command>lpc clean</command>
1721 is now somewhat safer, and a new <command>lpc tclean</command>
1722 command has been added to check to see what files would be removed
1723 by <command>lpc clean</command>. &merged;</para>
1725 <para>&man.lpd.8; now takes two new options: <option>-c</option>
1726 will log all connection errors to &man.syslogd.8;, while
1727 <option>-W</option> will allow connections from non-reserved
1728 ports. &merged;</para>
1730 <para>&man.lpd.8; now has some support for
1731 <literal>o</literal>-type print-file actions in its control files,
1732 which allows printing of PostScript files generated by
1733 <application>MacOS</application> 10.1. &merged;</para>
1735 <para>&man.lpr.1;, &man.lpq.1;, and &man.lpd.8; have received a
1736 few minor enhancements. &merged;</para>
1738 <para>Catching up with most other network utilities in the base
1739 system, &man.lpr.1;, &man.lpd.8;, &man.syslogd.8;, and
1740 &man.logger.1; are now all IPv6-capable. &merged;</para>
1742 <para><command>lprm -</command> now works for remote printer
1743 queues. &merged;</para>
1745 <para>&man.ls.1; can produce colorized listings with the
1746 <option>-G</option> flag (and appropriate terminal
1747 support). The <envar>CLICOLOR</envar> environment variable can be set
1748 to enable colorized listings by default. &merged;</para>
1750 <para>&man.mail.1; now takes a <option>-E</option> flag to avoid
1751 sending messages with empty bodies. &merged;</para>
1753 <para>&man.make.1; has gained the <literal>:C///</literal>
1754 (regular expression substitution), <literal>:L</literal>
1755 (lowercase), and <literal>:U</literal> (uppercase) variable
1756 modifiers. These were added to reduce the differences between the
1759 &man.make.1; programs. &merged; </para>
1761 <para>Bugs in &man.make.1;, among which include broken null suffix
1762 behavior, bad assumptions about current directory permissions, and
1763 potential buffer overflows, have been fixed. &merged;</para>
1765 <para>The new <varname>CPUTYPE</varname>
1766 <filename>make.conf</filename> variable controls the compilation
1767 of processor-specific optimizations in various pieces of code such
1768 as <application>OpenSSL</application>. &merged;</para>
1770 <para>The &os; <filename>Makefile</filename> infrastructure now
1771 supports the <varname>WARNS</varname> directive from NetBSD. This
1772 directive controls the addition of compiler warning flags to
1773 <varname>CFLAGS</varname> in a relatively compiler-neutral
1774 manner. &merged;</para>
1776 <para>The &man.mdmfs.8; command has been added; it is a wrapper
1777 around &man.mdconfig.8;, &man.disklabel.8;, &man.newfs.8;, and
1778 &man.mount.8; that mimics the command line option set of the
1779 deprecated &man.mount.mfs.8;.</para>
1781 <para>&man.mergemaster.8; has gained some new features, has been
1782 cleaned up somewhat, and is now more cross-platform friendly.</para>
1784 <para>&man.mergemaster.8; now sources an
1785 <filename>/etc/mergemaster.rc</filename> file and also prompts the
1786 user to run recommended commands (such as
1787 <command>newaliases</command>) as needed. &merged;</para>
1789 <para>&man.moused.8; now takes a <option>-a</option> option to control
1790 mouse acceleration. &merged;</para>
1792 <para>&man.mtree.8; now includes support for a file that lists
1793 pathnames to be excluded when creating and verifying prototypes.
1794 This makes it easier to use &man.mtree.8; as a part of an
1795 intrusion-detection system. &merged;</para>
1797 <para>The <quote>in use</quote> percentage metric displayed by
1798 &man.netstat.1; now really reflects the percentage of network
1799 mbufs used. &merged;</para>
1801 <para>&man.netstat.1; now has a <option>-W</option> flag that
1802 tells it not to truncate addresses, even if they're too long for
1803 the column they're printed in. &merged;</para>
1805 <para>&man.netstat.1; now keeps track of input and output packets
1806 on a per-address basis for each interface. &merged;</para>
1808 <para>&man.netstat.1; now has a <option>-z</option> flag to reset
1809 statistics. &merged;</para>
1811 <para>&man.netstat.1; now has a <option>-S</option> flag to print
1812 address numerically but port names symbolically. &merged;</para>
1814 <para>&man.newfs.8; now implements write combining, which can make
1815 creation of new filesystems up to seven times
1816 faster. &merged;</para>
1818 <para>&man.newfs.8; now takes a <option>-U</option> option to
1819 enable softupdates on a new filesystem. &merged;</para>
1821 <para>The default number of cylinders per group in &man.newfs.8;
1822 is now computed to be the maximum allowable given the current
1823 filesystem parameters. It can be overridden with the
1824 <option>-c</option>. Formerly, the default was fixed at 16. This
1825 change leads to better &man.fsck.8; performance and reduced
1826 fragmentation. &merged;</para>
1828 <para>&man.newsyslog.8; now has the ability to ability to compress
1829 log files using &man.bzip2.1;. &merged;</para>
1831 <para><application>NFS</application> now works over IPv6.</para>
1833 <para>&man.nl.1;, a line numbering filter program, has been
1834 added. &merged;</para>
1836 <para><application>nsswitch</application> support has been merged from NetBSD. By creating
1837 an &man.nsswitch.conf.5; file, &os; can be configured so that
1838 various databases such as &man.passwd.5; and &man.group.5; can be
1839 looked up using flat files, NIS, or Hesiod. The old
1840 <filename>hosts.conf</filename> file is no longer used.</para>
1842 <para><application>PAM</application> support has been added for
1843 account management and sessions.</para>
1845 <para>&man.passwd.1; and &man.pw.8; now select the password hash
1846 algorithm at run time. See the <literal>passwd_format</literal>
1847 attribute in <filename>/etc/login.conf</filename>. &merged;</para>
1849 <para>&man.pax.1; has received a number of enhancements, including
1850 &man.cpio.1; functionality, &man.tar.1; compatibility
1851 enhancements, <option>-z</option> and <option>-Z</option> flags
1852 for &man.gzip.1; and &man.compress.1; functionality, and a number
1853 of bug fixes.</para>
1855 <para>The behavior of &man.periodic.8; is now controlled by
1856 <filename>/etc/defaults/periodic.conf</filename> and
1857 <filename>/etc/periodic.conf</filename>. &merged;</para>
1859 <para>&man.ping.8; now supports a <option>-m</option> option to
1860 set the TTL of outgoing packets. &merged;</para>
1862 <para>&man.ping.8; now supports a <option>-A</option> option to
1863 beep when packets are lost. &merged;</para>
1865 <para>Userland &man.ppp.8; has received a number of updates and
1866 bug fixes. &merged;</para>
1868 <para>&man.ppp.8; has gained the <literal>tcpmssfixup</literal>
1869 option, which adjusts outgoing and incoming TCP SYN packets so that the maximum
1870 receive segment size is no larger than allowed by the interface
1871 MTU. &merged;</para>
1873 <para>&man.ppp.8; now supports IPv6.</para>
1875 <para>&man.pppd.8; (the control program for kernel-level PPP) is
1876 now installed mode <literal>4550</literal> and
1877 <username>root</username><literal>:</literal><groupname>dialer</groupname>,
1878 rather than mode <literal>4555</literal> (in other words, it is no
1879 longer world-executable). Users of &man.pppd.8; may need to
1880 change their group settings. &merged;</para>
1882 <para>&man.pwd.1; can now double as &man.realpath.1;, a program to
1883 resolve pathnames to their underlying physical paths. &merged;</para>
1885 <para>The pseudo-random number generator implemented by
1886 &man.rand.3; has been improved to provide less biased results.</para>
1888 <para>&man.rc.8; now has an framework for handling dependencies between
1889 &man.rc.conf.5; variables. &merged;</para>
1891 <para>&man.rc.8; now deletes all non-directory files in
1892 <filename>/var/run</filename> and
1893 <filename>/var/spool/lock</filename> at boot time. &merged;</para>
1895 <para>&man.rcmd.3; now supports the use of the
1896 <envar>RSH</envar> environment variable to specify a program to
1897 use other than &man.rsh.1; for remote execution. As a result,
1898 programs such as &man.dump.8;, can use &man.ssh.1; for remote
1901 <para>&man.rdist.1; has been retired from the base system, but is still
1902 available from &os; Ports Collection as
1903 <port>net/44bsd-rdist</port>.</para>
1905 <para>The &man.resolver.3; in &os; now implements EDNS0 support,
1906 which will be necessary when working with IPv6 transport-ready
1907 resolvers/DNS servers. &merged;</para>
1909 <para>The &man.rfork.thread.3; library call has been added as a
1910 helper function to &man.rfork.2;. Using this function should
1911 avoid the need to implement complex stack swap
1912 code. &merged;</para>
1914 <para>The <option>-v</option> option to &man.rm.1; now displays
1915 the entire pathname of a file being removed.</para>
1917 <para>&man.route.8; is now more verbose when changing indirect
1918 routes, in the case of a gateway route that is the same route as
1919 the one being modified. &merged;</para>
1921 <para>&man.route.8; now uses
1922 <literal><replaceable>host</replaceable>/<replaceable>bits</replaceable></literal>
1924 <literal><replaceable>net</replaceable>/<replaceable>bits</replaceable></literal>
1925 syntax, for compatibility with &man.netstat.1;. &merged;</para>
1927 <para>&man.route.8; can now create <quote>proxy only</quote>
1928 published ARP entries. &merged;</para>
1930 <para>The &man.route.8; <option>add</option> command now supports
1931 the <option>-ifp</option> and <option>-ifa</option>
1934 <para>&man.rpcbind.8; has replaced &man.portmap.8;.</para>
1936 <para>&man.rpcgen.1; now uses <filename>/usr/bin/cpp</filename>
1937 (as on NetBSD), not <filename>/usr/libexec/cpp</filename>.</para>
1939 <para>&man.rpc.lockd.8; has been imported from NetBSD. This
1940 daemon enables locking on NFS filesystems.</para>
1942 <para>The performance of the ELF dynamic linker &man.rtld.1; has
1943 been improved. &merged;</para>
1945 <para>RSA Security has waived all patent rights to the <application>RSA</application>
1947 result, the native <application>OpenSSL</application>
1948 implementation of the RSA algorithm is now activated by default,
1949 and the <port>security/rsaref</port> port and the
1950 <filename>librsaUSA</filename> and <filename>librsaINTL</filename>
1952 no longer required for USA and non-USA residents respectively. &merged;</para>
1954 <para>&man.savecore.8; now supports a <option>-k</option> option
1955 to prevent clearing a crash dump after saving it. It also
1956 attempts to avoid writing large stretches of zeros to crash dump
1957 files to save space and time. &merged;</para>
1959 <para>&man.savecore.8; now works correctly on machines with 2 GB
1960 or more of RAM. &merged;</para>
1962 <para>&man.sed.1; now takes a <option>-E</option> option for
1963 extended regular expression support. &merged;</para>
1965 <para>The &man.setfacl.1; and &man.getfacl.1; commands have been
1966 added to manage file system Access Control Lists.</para>
1968 <para>&man.setproctitle.3; has been moved from
1969 <filename>libutil</filename> to
1970 <filename>libc</filename>. &merged;</para>
1972 <para>&man.sh.1; now implements <command>test</command> as a
1973 built-in command for improved efficiency. &man.sh.1; no longer
1974 implements <command>printf</command> as a built-in command because
1975 it was considered less valuable compared to the other built-in
1976 commands (this functionality is, of course, still available
1977 through the &man.printf.1; executable).</para>
1979 <para>&man.sockstat.1; now has <option>-c</option> and
1980 <option>-l</option> flags for listing connected and listening
1981 sockets, respectively. &merged;</para>
1983 <para>&man.split.1; now has the ability to split a file longer
1984 than 2GB. &merged;</para>
1986 <para>In preparation for meeting SUSv2/POSIX
1987 <filename><sys/select.h></filename> requirements,
1988 <literal>struct selinfo</literal> and related functions have been
1989 moved to <filename><sys/selinfo.h></filename>.</para>
1991 <para>The &man.strnstr.3; and &man.strcasestr.3; variants of
1992 &man.strstr.3; have been implemented.</para>
1994 <para>&man.stty.1; now has support for an
1995 <literal>erase2</literal> control character, so that, for example,
1996 both the <keycap>Delete</keycap> and <keycap>Backspace</keycap>
1997 keys can be used to erase characters. &merged;</para>
1999 <para>&man.style.perl.7;, a style guide for Perl code in the &os;
2000 base system, has been added.</para>
2002 <para>&man.su.1; now uses <application>PAM</application> for
2003 authentication.</para>
2005 <para>Boot-time &man.syscons.4; configuration was moved to a
2006 machine-independent <filename>/etc/rc.syscons</filename>. &merged;</para>
2008 <para>&man.sysctl.8; now supports a <option>-N</option> option to
2009 print out variable names only. &merged;</para>
2011 <para>&man.sysctl.8; has replaced the <option>-A</option> and
2012 <option>-X</option> options with <option>-ao</option> and
2013 <option>-ax</option> respectively; the former options are now
2014 deprecated. The <option>-w</option> option is deprecated as well; it is
2015 not needed to determine the user's intentions. &merged;</para>
2017 <para>&man.sysctl.8; now supports a <option>-e</option> option to
2018 separate variable names and values by <literal>=</literal> rather
2019 than <literal>:</literal>. This feature is useful for producing
2020 output that can be fed back to &man.sysctl.8;.</para>
2022 <para>&man.sysinstall.8; now properly preserves
2023 <filename>/etc/mail</filename> during a binary upgrade. &merged;</para>
2025 <para>&man.sysinstall.8; now uses some more intuitive defaults
2026 thanks to some new dialog support functions. &merged;</para>
2028 <para>The default root partition in &man.sysinstall.8; is now
2029 100MB on the i386 and 120MB on the Alpha.</para>
2031 <para>&man.sysinstall.8; now lives in <filename>/usr/sbin</filename>,
2032 which simplifies the installation process. The &man.sysinstall.8;
2033 manpage is also installed in a more consistent fashion now.</para>
2035 <para>&man.sysinstall.8; now has the ability to load KLDs as a
2036 part of the installation. &merged;</para>
2038 <para>&man.syslogd.8; can take a <option>-n</option> option to
2039 disable DNS queries for every request. &merged;</para>
2041 <para>&man.syslogd.8; now supports a <literal>LOG_CONSOLE</literal>
2042 facility (disabled by
2043 default), which can be used to log <filename>/dev/console</filename>
2044 output. &merged;</para>
2046 <para>&man.syslogd.8; now has the ability to bind to a specific
2047 address--as opposed to using every available one--via the
2048 <option>-b</option> option. &merged;</para>
2050 <para>&man.tail.1; now has the ability to work on files longer
2051 than 2GB. &merged;</para>
2053 <para>&man.tar.1; now supports the <varname>TAR_RSH</varname>
2054 variable, principally to enable the use of &man.ssh.1; as a
2055 transport. &merged;</para>
2057 <para>&man.telnet.1; now does autologin and encryption by default;
2058 a new <option>-y</option> option turns off encryption.</para>
2060 <para>&man.telnet.1; now supports a <option>-u</option> flag to
2061 allow connections to UNIX-domain (<literal>AF_UNIX</literal>)
2062 sockets. &merged;</para>
2064 <para>&man.tftpd.8; now takes the <option>-c</option> and
2065 <option>-C</option> options, which allow the server to
2066 &man.chroot.2; based on the IP address of the connecting client.
2067 &man.tftp.1; and &man.tftpd.8; can now transfer files larger than
2068 65535 blocks. &merged;</para>
2070 <para>&man.tftpd.8; now supports RFC 2349 (TFTP Timeout Interval
2071 and Transfer Size Options); this feature is required by some
2072 firmware like EFI boot managers (at least on HP i2000 Itanium
2073 servers) in order to boot an image using
2074 <application>TFTP</application>.</para>
2076 <para arch="alpha">&man.timed.8; now works on the alpha.</para>
2078 <para>A version of Transport Independent RPC
2079 (<application>TI-RPC</application>) has been imported.</para>
2081 <para>&man.tmpnam.3; will now use the <envar>TMPDIR</envar>
2082 environment variable, if set, to specify the location of temporary
2083 files. &merged;</para>
2085 <para>&man.tip.1; has been updated from
2086 <application>OpenBSD</application>, and has the ability to act as
2087 a &man.cu.1; substitute.</para>
2089 <para>&man.top.1; will now use the full width of its tty.</para>
2091 <para>&man.touch.1; now takes a <option>-h</option> option to
2092 operate on a symbolic link, rather than what the link points
2095 <para>The &man.truncate.1; utility, which truncates or extends the length
2096 of files, has been added. &merged;</para>
2098 <para>Ukrainian language support has been added to the &os;
2099 console. &merged;</para>
2101 <para><application>UUCP</application> has been removed from the
2102 base system. It can be found in
2103 the Ports Collection, in <port>net/freebsd-uucp</port>.</para>
2105 <para>&man.units.1; has received some updates and bugfixes. &merged;</para>
2107 <para>&man.vidcontrol.1; now accepts a <option>-g</option>
2108 parameter to select custom text geometry in the
2109 <literal>VESA_800x600</literal> raster text mode. &merged;</para>
2111 <para>&man.vidcontrol.1; now allows the user to omit the font size
2112 specification when loading a font, and has some better
2113 error-handling. &merged;</para>
2115 <para>&man.vidcontrol.1; now supports a <option>-p</option> option to
2116 take a snapshot of a &man.syscons.4; video buffer. These
2117 snapshots can be manipulated by the
2118 <port>graphics/scr2png</port> utility in the Ports
2119 Collection. &merged;</para>
2121 <para>&man.vidcontrol.1; now supports a <option>-C</option> option
2122 to clear the history buffer for a given tty, as well as a
2123 <option>-h</option> option to set the size of the history buffer. &merged;</para>
2125 <para>The default stripe size in &man.vinum.8; has been changed
2126 from 256KB to 279KB, to spread out superblocks more evenly between
2129 <para>&man.wall.1; now supports a <option>-g</option> flag to
2130 write a message to all users of a given group. &merged;</para>
2132 <para>&man.which.1; is now a C program, rather than a Perl
2135 <para>&man.whois.1; now directs queries for IP addresses to
2136 ARIN. If a query to ARIN references APNIC or RIPE, the
2137 appropriate server will also be queried, provided that the
2138 <option>-Q</option> option is not specified. &merged;</para>
2140 <para>&man.xargs.1; now supports a <option>-J</option>
2141 <replaceable>replstr</replaceable> option that allows the user to
2142 tell &man.xargs.1; to insert the data read from standard input at
2143 a specific point in the command line arguments rather than at the
2144 end. &merged;</para>
2146 <para>The compiler chain now uses the FSF-supplied C/C++ runtime
2147 initialization code. This change brings about better
2148 compatibility with code generated from the various egcs and gcc
2149 ports, as well as the stock public FSF source. &merged;</para>
2151 <para>The threads library has gained some signal handling changes,
2152 bug fixes, and performance enhancements (including zero system
2153 call thread switching). &man.gdb.1; thread support has been
2154 updated to match these changes. &merged;</para>
2156 <para>Significant additions have been made to internationalization
2157 support; &os; now has complete locale support for the
2158 <literal>LC_MONETARY</literal>, <literal>LC_NUMERIC</literal>, and
2159 <literal>LC_MESSAGES</literal> categories. A number of
2160 applications have been updated to take advantage of this
2163 <para>Locale names have been changed to improve compatibility with
2164 the names used by X11R6, as well as a number of other UNIX
2165 versions. As an example, the <literal>en_US.ISO_8859-1</literal>
2166 locale name has been changed to
2167 <literal>en_US.ISO8859-1</literal>. Entries in
2168 <filename>/etc/locale.alias</filename> provide backward
2169 compatibility.</para>
2171 <para><filename>/usr/src/share/examples/BSD_daemon/</filename> now
2172 contains a scalable Beastie graphic. &merged;</para>
2174 <para>As part of an ongoing process, many manual pages were
2175 improved, both in terms of their formatting markup and in their
2176 content. &merged;</para>
2179 <title>Contributed Software</title>
2181 <para><application>am-utils</application> has been updated to
2184 <para><application>bc</application> has been updated from 1.04 to
2185 1.06. &merged;</para>
2187 <para>The ISC library from the <application>BIND</application>
2188 distribution is now built as
2189 <filename>libisc</filename>. &merged;</para>
2191 <para><application>BIND</application> is now built with the
2192 <literal>NOADDITIONAL</literal> flag, which causes &man.named.8;
2193 to operate in a more consistent fashion for certain common
2194 misconfigurations. &merged;</para>
2196 <para><application>BIND</application> has been updated to
2197 8.2.4-REL. &merged;</para>
2199 <para><application>Binutils</application> have been updated to
2200 a 31 October 2001 snapshot from the FSF 2.11 branch.</para>
2202 <para><application>bzip2</application> 1.0.1 has been imported; this
2203 brings the &man.bzip2.1; program and the <filename>libbz2</filename>
2204 library to the base system. &merged;</para>
2206 <para>The &man.ee.1; <application>Easy Editor</application> has
2207 been updated to 1.4.2. &merged;</para>
2209 <para><application>file</application> has been updated to 3.37.</para>
2211 <para><application>gcc</application> has been updated to 2.95.3. &merged;</para>
2213 <para>&man.gcc.1; now uses a unified <filename>libgcc</filename>
2214 rather than a separate one for threaded and non-threaded programs.
2215 <filename>/usr/lib/libgcc_r.a</filename> can be removed.
2218 <para>&man.gcc.1; now supports the environment variable
2219 <envar>GCC_OPTIONS</envar>, which can hold a set of default
2220 options for <application>GCC</application>. &merged;</para>
2222 <para><application>GNATS</application> has been updated to
2223 3.113. &merged;</para>
2225 <para><application>GNU awk</application> has been updated to
2228 <para><application>gperf</application> has been updated to 2.7.2.</para>
2230 <para><application>groff</application> and its related utilities
2231 have been updated to FSF version 1.17.2. This import brings in a
2232 new &man.mdoc.7; macro package (sometimes referred to as
2233 <literal>mdocNG</literal>), which removes many of the
2234 limitations of its predecessor. &merged;</para>
2236 <para><application>Heimdal</application> has been updated to
2239 <para>The version of <application>IPFilter</application>
2240 provided with &os; now includes the &man.ipfs.8; program, which
2241 allows state information created for NAT entries and stateful
2242 rules to be saved to disk and restored after a reboot. &merged;</para>
2244 <para>The <application>ISC DHCP</application> client has been
2245 updated to 2.0pl5. &merged;</para>
2247 <para><application>Kerberos IV</application> has been updated to
2248 1.0.5. &merged;</para>
2250 <para>The &man.more.1; command has been replaced by &man.less.1;,
2251 although it can still be run as
2252 <command>more</command>. <application>less</application> has
2253 been imported at 3.5.8. &merged;</para>
2255 <para><application>libpcap</application> has been updated to
2256 0.6.2. &merged;</para>
2258 <para><application>libreadline</application> has been updated to
2261 <para><application>Linux-PAM</application> has been updated to
2262 0.75. &merged;</para>
2264 <para>A number of new <application>Linux-PAM</application> modules
2265 have been added, including: <filename>pam_ftp</filename>,
2266 <filename>pam_krb5</filename>,
2267 <filename>pam_nologin</filename>,
2268 <filename>pam_rootok</filename>,
2269 <filename>pam_securetty</filename>,
2270 <filename>pam_wheel</filename>.</para>
2272 <para><application>ncurses</application> has been updated to
2273 5.2-20010512.</para>
2275 <para>The <application>NTP</application> suite of programs has been
2276 updated to 4.1.0.</para>
2278 <para>The <application>OPIE</application> one-time-password suite
2279 has been updated to 2.32. &merged; It has completely replaced
2280 the functionality of <application>S/Key</application>.</para>
2282 <para><application>Perl</application> has been updated to version
2285 <para>&man.routed.8; has been updated to version 2.22. &merged;</para>
2287 <para><application>tcpdump</application> has been updated to
2288 3.6.3. &merged;</para>
2290 <para>The &man.csh.1; shell has been replaced by &man.tcsh.1;,
2291 although it can still be run as <command>csh</command>.
2292 <application>tcsh</application> has been updated to version
2293 6.11. &merged;</para>
2295 <para>&man.traceroute.8; now takes its default maximum TTL value
2296 from the <varname>net.inet.ip.ttl</varname> sysctl
2297 variable. &merged;</para>
2299 <para>The timezone database has been updated to the
2300 <filename>tzdata2001d</filename> release. &merged;</para>
2305 <para><application>cvs</application> has been updated to
2306 1.11.1p1. &merged;</para>
2308 <para>The default value for &man.cvs.1;'s
2309 <envar>CVS_RSH</envar> variable is now <literal>ssh</literal>,
2310 rather than <literal>rsh</literal>. &merged;</para>
2312 <para>&man.cvs.1; now supports a <option>-T</option> option to
2313 update a sandbox's <filename>CVS/Template</filename> file from
2314 the repository. &merged;</para>
2316 <para>&man.cvs.1; <literal>diff</literal> now supports the
2317 <option>-j</option> option to perform differences against a
2318 revision relative to a branch tag. &merged;</para>
2322 <title>CVSup</title>
2324 <para><application>CVSup</application>, a frequently used
2325 utility in the &os; Ports Collection, was formerly installable
2326 using several ports and packages. The
2327 <port>net/cvsup-bin</port> and <port>net/cvsupd-bin</port>
2328 ports/packages are no longer necessary or available; the
2329 <port>net/cvsup</port> port should be used instead. &merged;</para>
2331 <para><application>CVSup</application> has been updated to
2332 16.1_3, which is available in the &os; Ports Collection as
2333 <port>net/cvsup</port>. This update fixes a long-standing
2334 (but only recently encountered) bug which affects the
2335 timestamps on all files after Sun Sep 9 01:46:40 UTC 2001
2336 (1,000,000,000 seconds after the UNIX epoch). &merged;</para>
2339 <sect4 id="kame-userland">
2342 <para>The IPv6 stack is now based on a snapshot based on the KAME
2343 Project's IPv6 snapshot as of 28 May, 2001. Most of the
2344 items listed in this section are a result of this import.
2345 <xref linkend="kame-kernel"> lists kernel updates to the KAME
2346 IPv6 stack. &merged;</para>
2348 <para>&man.faithd.8; now supports a configuration file for
2349 access control. &merged;</para>
2351 <para>&man.ifconfig.8; can now perform the functions of
2352 &man.gifconfig.8;. &merged;</para>
2354 <para>&man.ifconfig.8; can now perform the functions of
2355 &man.prefix.8;. &man.prefix.8; is now a shell script for
2356 partial backwards compatibility. &merged;</para>
2358 <para>&man.ndp.8; now implements garbage collection for stale
2359 NDP entries, as described in RFC 2461 (Neighbor Discovery for
2360 IP Version 6 (IPv6)). &merged;</para>
2362 <para>&man.pim6dd.8; and &man.pim6sd.8; have been removed due to
2363 restrictive licensing conditions. These programs are available
2364 in the ports collection as <port>net/pim6dd</port> and
2365 <port>net/pim6sd</port>. &merged;</para>
2367 <para>&man.route6d.8; now supports an <option>-n</option> flag
2368 to avoid updating the kernel forwarding table. &merged;</para>
2370 <para>The <option>-R</option> (router renumbering) option to
2371 &man.rtadvd.8; is currently ignored. &merged;</para>
2375 <title>OpenSSH</title>
2377 <para><application>OpenSSH</application> has been updated to
2378 2.9, which provides support for the SSH2 protocol (now the
2379 default) and DSA keys. &man.ssh-add.1; and &man.ssh-agent.1;
2380 can now handle DSA keys, with support for authentication
2381 forwarding. <application>OpenSSH</application> users in the
2382 USA no longer need to rely on the restrictively-licensed
2383 RSAREF toolkit which is required to handle RSA keys. Among
2384 other new features: A client and server for sftp has been
2385 added. &man.scp.1; can now handle files larger than 2 GBytes.
2386 A limit on the number of outstanding, unauthenticated
2387 connections in &man.sshd.8; has been added. Support has been
2388 added for the Rijndael encryption algorithm. Rekeying of
2389 existing sessions is now supported, and an experimental
2390 <application>SOCKS4</application> proxy has been added to
2393 <para><application>OpenSSH</application> can now authenticate
2394 using OPIE passwords in SSH1 mode. Support is not yet available
2395 in SSH2 mode. &merged;</para>
2397 <para><application>PAM</application> support for
2398 <application>OpenSSH</application> has been added.</para>
2400 <para>A long-standing bug in <application>OpenSSH</application>,
2401 which sometimes resulted in a dropped session when an
2402 X11-forwarded client was closed, was fixed.</para>
2404 <para><application>Kerberos</application> compatibility has been
2405 added to <application>OpenSSH</application>. &merged;</para>
2407 <para><application>OpenSSH</application> has been modified to be
2408 more resistant to traffic analysis by requiring that
2409 <quote>non-echoed</quote> characters are still echoed back in a
2410 null packet, as well as by padding passwords sent so as not to
2411 hint at password lengths. &merged;</para>
2413 <para>&man.sshd.8; is now enabled by default on new
2414 installs. &merged;</para>
2416 <para>&man.sshd.8; <literal>X11Forwarding</literal> is now turned
2417 on by default on the server (any risk is to the client, where it
2418 is already disabled by default). &merged;</para>
2420 <para>In <filename>/etc/ssh/sshd_config</filename>, the
2421 <literal>ConnectionsPerPeriod</literal> parameter has been
2422 deprecated in favor of <literal>MaxStartups</literal>. &merged;</para>
2424 <para><application>OpenSSH</application> now has a
2425 <literal>VersionAddendum</literal> configuration setting for
2426 &man.sshd.8; to allow changing the part of the
2427 <application>OpenSSH</application> version string after the
2428 main version number.</para>
2432 <title>OpenSSL</title>
2434 <para><application>OpenSSL</application> has been updated to
2437 <para><application>OpenSSL</application> now has support for
2438 machine-dependent ASM optimizations, activated by the new
2439 <varname>MACHINE_CPU</varname> and/or <varname>CPUTYPE</varname>
2440 <filename>make.conf</filename> variables. &merged;</para>
2444 <title>sendmail</title>
2446 <para><application>sendmail</application> has been updated from
2447 version 8.9.3 to version 8.11.6. Important changes include: new
2448 default file locations (see
2449 <filename>/usr/src/contrib/sendmail/cf/README</filename>);
2450 &man.newaliases.1; is limited to <username>root</username> and
2451 trusted users; STARTTLS encryption; and the MSA port (587) is
2452 turned on by default. See
2453 <filename>/usr/src/contrib/sendmail/RELEASE_NOTES</filename> for
2454 more information. &merged;</para>
2456 <para>&man.mail.local.8; is no longer installed as a SUID binary.
2457 If you are using a <filename>/etc/mail/sendmail.cf</filename> from
2458 the default <filename>sendmail.cf</filename> included with &os;
2459 any time after 3.1.0, you are fine. If you are using a
2460 hand-configured <filename>sendmail.cf</filename> and
2461 <command>mail.local</command> for delivery, check to make sure the
2462 <literal>F=S</literal> flag is set on the
2463 <literal>Mlocal</literal> line. Those with
2464 <filename>.mc</filename> files who need to add the flag can do so
2465 by adding the following line to their <filename>.mc</filename>
2466 file and regenerating the <filename>sendmail.cf</filename>
2469 <programlisting>MODIFY_MAILER_FLAGS(`LOCAL',`+S')dnl</programlisting>
2471 <para>Note that <literal>FEATURE(`local_lmtp')</literal> already
2472 does this. &merged;</para>
2474 <para>The default <filename>/etc/mail/sendmail.cf</filename>
2475 disables the SMTP <literal>EXPN</literal> and
2476 <literal>VRFY</literal> commands. &merged;</para>
2478 <para>&man.vacation.1; has been updated to use the version included with
2479 <application>sendmail</application>. &merged;</para>
2481 <para>The <application>sendmail</application> configuration
2482 building tools are installed in
2483 <filename>/usr/share/sendmail/cf/</filename>. &merged;</para>
2485 <para>New <filename>make.conf</filename> options:
2486 <varname>SENDMAIL_MC</varname> and
2487 <varname>SENDMAIL_ADDITIONAL_MC</varname>. See
2488 <filename>/usr/share/examples/etc/make.conf</filename> for more
2489 information. &merged;</para>
2491 <para><filename>/etc/mail/Makefile</filename> now supports: the
2492 new <varname>SENDMAIL_MC</varname> <filename>make.conf</filename>
2493 option; the ability to build <filename>.cf</filename> files from
2494 <filename>.mc</filename> files; generalized map rebuilding;
2495 rebuilding the aliases file; and the ability to stop, start, and
2496 restart <application>sendmail</application>. &merged;</para>
2501 <title>Ports/Packages Collection</title>
2503 <para><application>BSDPAN</application>, a collection of modules
2504 that provides tighter integration of
2505 <application>Perl</application> into the &os; Ports
2506 Collection, has been added.</para>
2508 <para>&man.pkg.create.1; and &man.pkg.add.1; can now work with
2509 packages that have been compressed using
2510 &man.bzip2.1;. &man.pkg.add.1; will use the PACKAGEROOT
2511 environment variable to determine a mirror site for new
2512 packages. &merged;</para>
2514 <para>&man.pkg.create.1; now records dependencies in dependency
2515 order rather than in the order specified on the command line.
2516 This improves the functioning of <command>pkg_add
2517 -r</command>. &merged;</para>
2519 <para>&man.pkg.create.1; now supports a <option>-b</option> to
2520 create a package file from a locally-installed
2521 package. &merged;</para>
2523 <para>When requested to delete multiple packages,
2524 &man.pkg.delete.1; will now attempt to remove them in dependency
2525 order rather than the order specified on the command
2526 line. &merged;</para>
2528 <para>&man.pkg.delete.1; now can perform glob/regexp matching of
2529 package names. In addition, it supports a <option>-a</option>
2530 option for removing all packages and a <option>-i</option> option
2531 for &man.rm.1;-style interactive confirmation. &merged;</para>
2533 <para>&man.pkg.info.1; now supports globbing against names of
2534 installed packages. The <option>-G</option> option disables this
2535 behavior, and the <option>-x</option> option causes regular
2536 expression matching instead of shell globbing. &merged;</para>
2538 <para>&man.pkg.info.1; can now accept a <option>-g</option> flag for
2539 verifying an installed package against its recorded checksums (to
2540 see if it's been modified post-installation). Naturally, this
2541 mechanism is only as secure as the contents of
2542 <filename>/var/db/pkg</filename> if it's to be used for auditing
2543 purposes. &merged;</para>
2545 <para>&man.pkg.sign.1; and &man.pkg.check.1; have been added to
2546 digitally sign and verify the signatures on binary package
2547 files. &merged;</para>
2549 <para>&man.pkg.update.1;, a utility to update installed packages
2550 and update their dependencies, has been added. &merged;</para>
2552 <para>&man.pkg.version.1; now has a version number comparison
2553 routine that corresponds to the Porters Handbook. It also has a
2554 <option>-t</option> option for testing address comparisons.
2557 <para>&man.pkg.version.1; now takes a <option>-s</option> flag
2558 to limit its operation to ports/packages matching a given
2559 string. &merged;</para>
2561 <para>Version numbers of installed packages have a new
2562 (backward-compatible) syntax, which supports the
2563 <varname>PORTREVISION</varname> and <varname>PORTEPOCH</varname>
2564 variables in Ports Collection <filename>Makefile</filename>s.
2565 These changes help keep track of changes in the ports collection
2566 entries such as security patches or &os;-specific updates, which
2567 aren't reflected in the original, third-party software
2568 distributions. &man.pkg.version.1; can now compare these
2569 new-style version numbers. &merged;</para>
2571 <para>To improve performance and disk utilization, the <quote>ports
2572 skeletons</quote> in the &os; Ports Collection have been restructured.
2573 Installed ports and packages should not be affected. &merged;</para>
2575 <para>All packages and ports now contain an <quote>origin</quote>
2576 directive, which makes it easier for programs such as
2577 &man.pkg.version.1; to determine the directory from which a
2578 package was built. &merged;</para>
2584 <title>Upgrading from previous releases of &os;</title>
2586 <para>If you're upgrading from a previous release of &os;, you
2587 generally will have three options:
2591 <para>Using the binary upgrade option of &man.sysinstall.8;.
2592 This option is perhaps the quickest, although it presumes
2593 that your installation of &os; uses no special compilation
2597 <para>Performing a complete reinstall of &os;. Technically,
2598 this is not an upgrading method, and in any case is usually less
2599 convenient than a binary upgrade, in that it requires you to
2600 manually backup and restore the contents of
2601 <filename>/etc</filename>. However, it may be useful in
2602 cases where you want (or need) to change the partitioning of
2606 <para>From source code in <filename>/usr/src</filename>. This
2607 route is more flexible, but requires more disk space, time,
2608 and more technical expertise. Upgrading from very old
2609 versions of &os; may be problematic; in cases like this, it
2610 is usually more effective to perform a binary upgrade or a
2611 complete reinstall.</para>
2616 <para>Please read the <filename>INSTALL.TXT</filename> file for more
2617 information, preferably <emphasis>before</emphasis> beginning an
2618 upgrade. If you are upgrading from source, please be sure to read
2619 <filename>/usr/src/UPDATING</filename> as well.</para>
2621 <para>Finally, if you want to use one of various means to track the
2622 -STABLE or -CURRENT branches of &os;, please be sure to consult the
2624 url="http://www.FreeBSD.org/handbook/current-stable.html"><quote>-CURRENT
2625 vs. -STABLE</quote></ulink> section of the <ulink
2626 url="http://www.FreeBSD.org/handbook/">FreeBSD
2627 Handbook</ulink>.</para>
2630 <para>Upgrading &os; should, of course, only be attempted after
2631 backing up <emphasis>all</emphasis> data and configuration