Fix a typo (s/acecss/access/).

[FreeBSD/FreeBSD.git] / release / doc / en_US.ISO8859-1 / relnotes / article.sgml

<articleinfo>
  <title>&os;/&arch; &release.current; Release Notes</title>

  <corpauthor>The FreeBSD Project</corpauthor>

  <pubdate>$FreeBSD$</pubdate>

  <copyright>
    <year>2000</year>
    <year>2001</year>
    <year>2002</year>
    <year>2003</year>
    <year>2004</year>
    <holder role="mailto:doc@FreeBSD.org">The FreeBSD Documentation Project</holder>
  </copyright>

  <abstract>
    <para>The release notes for &os; &release.current; contain a summary
      of
<![ %include.historic; [
      the changes made to the &os; base system since &release.prev;.
]]>
<![ %no.include.historic; [
      recent changes made to the &os; base system on the &release.branch;
      development branch.
]]>
      This document lists applicable security advisories that were issued since
      the last release, as well as significant changes to the &os;
      kernel and userland.
      Some brief remarks on upgrading are also presented.</para>
  </abstract>
</articleinfo>

<sect1 id="intro">
  <title>Introduction</title>

  <para>This document contains the release notes for &os;
    &release.current; on the &arch.print; hardware platform.  It
    describes recently added, changed, or deleted features of &os;.
    It also provides some notes on upgrading
    from previous versions of &os;.</para>

<![ %release.type.snapshot [

  <para>The &release.type; distribution to which these release notes
    apply represents a point along the &release.branch; development
    branch between &release.prev; and the future &release.next;.  Some
    pre-built, binary &release.type; distributions along this branch
    can be found at <ulink url="&release.url;"></ulink>.</para>

]]>

<![ %release.type.release [

  <para>This distribution of &os; &release.current; is a
    &release.type; distribution.  It can be found at <ulink
    url="&release.url;"></ulink> or any of its mirrors.  More
    information on obtaining this (or other) &release.type;
    distributions of &os; can be found in the <ulink
    url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors.html"><quote>Obtaining
    FreeBSD</quote> appendix</ulink> to the <ulink
    url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/">FreeBSD
    Handbook</ulink>.</para>

]]>

  <para>Users who are new to the &release.branch; series of &os;
    &release.type;s should also read the <quote>Early Adopters Guide
    to &os; &release.current;</quote>.  This document can generally be
    found in the same location as the release notes (either as a part of a
    &os; distribution or on the &os; Web site).  It contains important
    information regarding the advantages and disadvantages of using
    &os; &release.current;, as opposed to releases based on the &os;
    4-STABLE development branch.</para>

  <para>All users are encouraged to consult the release errata before
    installing &os;.  The errata document is updated with
    <quote>late-breaking</quote> information discovered late in the
    release cycle or after the release.  Typically, it contains
    information on known bugs, security advisories, and corrections to
    documentation.  An up-to-date copy of the errata for &os;
    &release.current; can be found on the &os; Web site.</para>

</sect1>

<sect1 id="new">
  <title>What's New</title>

  <para>This section describes
<![ %include.historic; [
      the most user-visible new or changed features in &os;
      since &release.prev;.
      In general, changes described here are unique to the &release.branch;
      branch unless specifically marked as &merged; features.
]]>
<![ %no.include.historic; [
      many of the user-visible new or changed features in &os;
      since &release.prev;.  It includes items that are unique to the
      &release.branch; branch, as well as some features that may have been
      recently merged to
      other branches (after &os; &release.prev.historic;).  The latter
      items are marked as &merged;.
]]>
  </para>

  <para>Typical release note items
    document recent security advisories issued after
    &release.prev.historic;,
    new drivers or hardware support, new commands or options,
    major bug fixes, or contributed software upgrades.  They may also
    list changes to major ports/packages or release engineering
    practices.  Clearly the release notes cannot list every single
    change made to &os; between releases; this document focuses
    primarily on security advisories, user-visible changes, and major
    architectural improvements.</para>

  <sect2 id="security">
    <title>Security Advisories</title>

    <para>A bug in &man.mksnap.ffs.8; has been fixed; it caused the creation of a
      filesystem snapshot to reset the flags on the filesystem to
      their default values.  The possible consequences depended on local
      usage, but could include disabling extended access control lists
      or enabling the use of setuid executables stored on an untrusted
      filesystem.  This bug also affected the &man.dump.8;
      <option>-L</option> option, which uses &man.mksnap.ffs.8;.  Note
      that &man.mksnap.ffs.8; is normally only available to the
      superuser and members of the <groupname>operator</groupname>
      group.  For more information, see security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:01.mksnap_ffs.asc">FreeBSD-SA-04:01</ulink>.</para>

    <para>A bug with the System V Shared Memory interface
      (specifically the &man.shmat.2; system call) has been fixed.
      This bug can cause a shared memory segment to reference
      unallocated kernel memory.  In turn, this can permit a local
      attacker to gain unauthorized access to parts of kernel memory,
      possibly resulting in disclosure of sensitive information,
      bypass of access control mechanisms, or privilege escalation.
      More details can be found in security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:02.shmat.asc">FreeBSD-SA-04:02</ulink>.
      &merged;</para>

    <para>A programming error in the &man.jail.attach.2; system call
      has been fixed.  This error could allow a process with superuser
      privileges inside a &man.jail.8; environment to change its root
      directory to that of a different jail, and thus gain full read
      and write access to files and directories within the target
      jail.  More information can be found in security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:03.jail.asc">FreeBSD-SA-04:03</ulink>.</para>

    <para>A potential low-bandwidth denial-of-service attack against
      the &os; TCP stack has been prevented by limiting the number of
      out-of-sequence TCP segments that can be held at one time.  More
      details can be found in security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:04.tcp.asc">FreeBSD-SA-04:04</ulink>.
      &merged;</para>

  </sect2>

  <sect2 id="kernel">
    <title>Kernel Changes</title>

    <para>&man.devfs.5; path rules now work correctly on
      directories.</para>

    <para arch="i386,pc98">The dgb (DigiBoard intelligent serial card) driver has been
      removed due to breakage.  Its replacement is the &man.digi.4; driver,
      which supports all the hardware of the dgb driver.</para>

    <para arch="i386">The loran (Loran-C receiver) driver has been removed due to
      breakage and lack of maintainership.</para>

    <para>The ULE scheduler is now the default scheduler in the
      <filename>GENERIC</filename> kernel.  For the average user,
      interactivity is reported to be better in many cases.  This
      means less <quote>skipping</quote> and <quote>jerking</quote> in
      interactive applications while the machine is very busy.  This
      will not prevent problems due to overloaded disk subsystems, but
      it does help with overloaded CPUs.  On SMP machines, ULE has
      per-CPU run queues which allow for CPU affinity, CPU binding,
      and advanced HyperThreading support, as well as providing a
      framework for more optimizations in the future.  As fine-grained
      kernel locking continues, the scheduler will be able to make
      more efficient use of the available parallel resources.</para>

    <para>The device driver infrastructure (as well as many drivers)
      have been updated.  Among the changes: Many more drivers now use
      automatically-assigned major numbers (instead of the old static
      major numbers).  Enhanced functions to support cloning of
      pseudodevices.  Several changes to the driver API, including a
      new <varname>d_version</varname> field in <varname>struct
      cdevsw</varname>.  Note that third-party device drivers will
      require recompiling after this change.</para>

    <para>The kernel's file descriptor allocation code has been
      updated, and is now derived from similar code in OpenBSD.</para>

    <!-- Above this line, sort kernel changes by manpage/keyword-->

    <sect3 id="proc">
      <title>Platform-Specific Hardware Support</title>

      <para></para>

    </sect3>

    <sect3 id="boot">
      <title>Boot Loader Changes</title>

      <para arch="i386">A serial console-capable version of
        <filename>boot0</filename> has been added.  It can be written
        to a disk using &man.boot0cfg.8; and specifying
        <filename>/boot/boot0sio</filename> as the argument to the
        <option>-b</option> option.</para>

      <para arch="i386"><filename>cdboot</filename> now works around a
        BIOS problem observed on some systems when booting from USB
        CDROM drives.</para>

      <!-- Above this line, order boot loader changes by keyword-->

    </sect3>

    <sect3 id="net-if">
      <title>Network Interface Support</title>

      <para arch="sparc64">The &man.dc.4; driver now supports sparc64
        Davicom cards that store their MAC address in
        OpenFirmware.</para>

      <para arch="i386,pc98">The hea (Efficient Networks, Inc. ENI-155p ATM adapter)
        driver has been removed due to breakage.  Its functionality
        has been subsumed into the &man.en.4; driver.</para>

      <para arch="i386">The lmc (LAN Media Corp. PCI WAN adapter) driver has been
        removed due to breakage and lack of maintainership.</para>

      <para arch="i386">&os; now provides a binary compatibility layer
        for using &microsoft.windows; NDIS drivers for network
        adapters under &os;/i386.  It includes a relocator/linker for
        &windows; <filename>.SYS</filename> files to interface with
        the &os; kernel and emulates various parts of the NDIS API
        using native &os; kernel functions.  This system supports PCI
        and CardBus network devices, and is designed principally for
        Ethernet and wireless network interfaces.
        For more information, see the &man.ndis.4; and
        &man.ndiscvt.8; manual pages.</para>

      <para>Several bugs related to multicast and promiscuous mode
        handling in the &man.sk.4; driver have been fixed.</para>

      <para>The &man.udav.4; driver has been added.  It provides
        support for USB Ethernet adapters based on the Davicom DM9601
        chipset.</para>

    </sect3>

    <sect3 id="net-proto">
      <title>Network Protocols</title>

      <para>The &man.gre.4; tunnel driver now supports WCCP version
        2.</para>

      <para>Some bugs in the IPsec implementation from the KAME
        Project have been fixed.  These bugs were related to freeing
        memory objects before all references to them were removed, and
        could cause erratic behavior or kernel panics after flushing
        the Security Policy Database (SPD).</para>

      <para>The <literal>PFIL_HOOKS</literal> option is now enabled by
        default in the <filename>GENERIC</filename> kernel.  The most
        notable effect of this change is to make
        <application>IPFilter</application> work correctly when loaded
        as a kernel module.</para>

      <para>The following TCP features are now enabled by default: RFC
        3042 (Limited Retransmit), RFC 3390 (increased initial
        congestion window sizes), TCP bandwidth-delay product
        limiting.  More information can be found in &man.tcp.4;.</para>

      <para>&os;'s TCP implementation now includes support for a
        minimum MSS (settable via the
        <varname>net.inet.tcp.minmss</varname> sysctl variable) and a
        rate limit on connections that send many small TCP segments
        within a short period of time (via the
        <varname>net.inet.tcp.minmssoverload</varname> sysctl
        variable).  Connections exceeding this limit may be reset and
        dropped.  This feature provides protection against a class of
        resource exhaustion attacks.</para>

      <para>The TCP implementation now includes partial (output-only)
        support for RFC 2385 (TCP-MD5) digest support.  This feature,
        enabled with the <literal>TCP_SIGNATURE</literal> and
        <literal>FAST_IPSEC</literal> kernel options, is a TCP option
        for authenticating TCP sessions.  &man.setkey.8; now includes
        support for the TCP-MD5 class of security associations.
        &merged;</para>

    </sect3>

    <sect3 id="disks">
      <title>Disks and Storage</title>

      <para>A number of bugs in the &man.ata.4; driver have been
        fixed.  Most notably, master/slave device detection should
        work better, and some problems with timeouts should be
        resolved.</para>

    </sect3>

    <sect3 id="fs">
      <title>File Systems</title>

      <para>The EXT2FS file system code now includes partial support
        for large (&gt; 4GB) files.  This support is partial in that
        it will refuse to create large files on filesystems that have
        not been upgraded to <literal>EXT2_DYN_REV</literal> or that
        don not have the
        <literal>EXT2_FEATURE_RO_COMPAT_LARGE_FILE</literal> flag set
        in the superblock.</para>

      <para>A bug in GEOM that could result in I/O hangs in some rare
        cases has been fixed.</para>

      <para>A new geom_concat class has been added to concatenate
        multiple disks to appear as a single larger disk.  The
        &man.gconcat.8; utility is used for configurating concatenated
        disks.</para>

      <para>A panic in the NFSv4 client has been fixed; this occurred
        when attempting operations against an NFSv3/NFSv2-only
        server.</para>

      <para>The SMBFS client now has support for SMB request signing,
        which prevents <quote>man in the middle</quote> attacks and is
        required in order to connect to Windows 2003 servers in their
        default configuration.  As signing each message imposes a
        significant performance penalty, this feature is only enabled
        if the server requires it; this may eventually become an
        option to &man.mount.smbfs.8;.</para>

    </sect3>

    <sect3 id="mm">
      <title>Multimedia Support</title>

      <para>The meteor (video capture) driver has been removed due to
        breakage and lack of maintainership.</para>

    </sect3>

  </sect2>

  <sect2 id="userland">
    <title>Userland Changes</title>

    <para>&man.indent.1; now supports a <option>-ldi</option> option
      to control indentation of local variables.  A number of other
      tunings were made to this utility.</para>

    <para>&man.ifconfig.8; now supports renaming of network interfaces
      at run-time using the <option>name</option> parameter.</para>

    <para>&man.ip6fw.8; now supports a <option>-n</option> flag to
      stop it from making any changes to the rules in the kernel</para>

    <para>&man.ipfw.8; now supports a <option>-b</option> flag to
      print only the action and comment for each rule, thus omitting
      the rule body.</para>

    <para>&man.killall.1; now supports a <option>-e</option> flag to
      make the <option>-u</option> operate on effective, rather than
      real, user ids. &merged;</para>

    <para>&man.libalias.3; now has support (and a new API) for
      multiple aliasing instances in a single process.  The existing
      API has been reimplemented in terms of the new one to preserve
      compatibility.</para>

    <para>A <filename>libarchive</filename> library for manipulation
      of compressed and uncompressed archive files has been
      added.  More details can be found in &man.libarchive.3;.</para>

    <para arch="pc98"><filename>libdisk</filename> now uses the
      correct PC98 disk partition value for &os;.  This permits the
      &man.sysinstall.8; disk partition editor to correctly create a
      single &os; partition covering the entire disk. &merged;</para>

    <para arch="i386,pc98,amd64,ia64">The library formerly known as
      <filename>libkse</filename> has been renamed
      <filename>libpthread</filename> and is now the default threading
      library on the i386, amd64, and ia64 platforms.
      <application>GCC</application>'s <option>-pthread</option>
      option has been changed to use <filename>libpthread</filename>
      rather than <filename>libc_r</filename>.

      <note>
        <para>Users with older binaries (for example, ports compiled
          before this change was made) should use &man.libmap.conf.5;
          to map <filename>libc_r</filename> and/or
          <filename>libkse</filename> to
          <filename>libpthread</filename>.</para>
      </note>

      <note>
        <para>Users with NVIDIA-supplied drivers and libraries may
          need to use a &man.libmap.conf.5; that maps
          <filename>libpthread</filename> references to the older
          <filename>libc_r</filename> since these drivers and
          utilities do not work with
          <filename>libpthread</filename>.</para>
      </note>
    <para>

    <para>&man.newfs.8; and &man.mdmfs.8; now support a
      <option>-l</option> flag to enable them to set the MAC
      multilabel flag on new filesystems without requiring the use of
      &man.tunefs.8;.</para>

    <para>A bugfix has been applied to NSS support, which fixes
      problems when using third-party NSS modules (such as <filename
      role="package">net/nss_ldap</filename>) and groups with large
      membership lists.</para>

    <para>&man.pw.8; now supports a <option>-H</option> option, which
      accepts an encrypted password on a file descriptor. &merged;</para>

    <para>The configuration files used by the &man.resolver.3; now
      support the <literal>timeout:</literal> and
      <literal>attempts:</literal> keywords.</para>

    <para>The &man.resolver.3; and associated interfaces are now much
      more reentrant and thread-safe.  Multiple DNS lookups can now be
      run at the same time, showing major improvements in the
      performance of some multi-threaded applications.  Some
      multi-threaded programs need to be recompiled; examples from the
      Ports Collection are <filename
      role="package">www/mozilla</filename> and variants, <filename
      role="package">mail/evolution</filename>, <filename
      role="package">devel/gnomevfs</filename>, and <filename
      role="package">devel/gnomevfs2</filename>.</para>

    <para>&man.savecore.8; now works correctly for dump files larger
      than 2GB.</para>

    <para>A bug in &man.script.1; has been fixed so that it now works
      correctly if its stdin is closed.  This fix prevents a
      potentially dangerous interaction with the <filename
      role="package">sysutils/portupgrade</filename> package; if it was
      run non-interactively, it could remove all out-of-date
      ports without reinstalling them.</para>

    <para>The &man.sdpd.8; Bluetooth Service Discovery Protocol daemon
      has been added.</para>

    <para>Many userland utilities in the base system (mostly GNU
      contributed utilities) now use the system version of
      &man.getopt.long.3;, rather than the GNU version.</para>

  </sect2>

  <sect2 id="contrib">
    <title>Contributed Software</title>

    <para>The <application>ACPI-CA</application> code has been updated
      from the 20030619 snapshot to the 20040220 snapshot.</para>

    <para><application>awk</application> from Bell Labs has been
      updated from the 29 July 2003 release to the 7 February 2004
      release.</para>

    <para>Security improvements from <application>CVS</application>
      1.11.10 and 1.11.11 have been backported.  Specifically, certain
      malformed module requests are now rejected, and when using
      <command>cvs pserver</command> mode, attempts to authenticate as
      <username>root</username> are rejected and recorded via
      &man.syslog.3;.</para>

    <para><application>gdtoa</application> (a library that performs
      conversions of numbers between binary and decimal form) has been
      updated from version 20030324 to version 20040118.</para>

    <para><application>GNU readline</application> 4.3 has been updated
      with official patches 001 through 005.</para>

    <para>The <application>GNU regex</application> library has been
      updated to the version included with <application>GNU
      grep</application> 2.4.2.</para>

    <para>The <application>GNU tar</application> implementation in the
      base system is now called <filename>gtar</filename>, with
      <filename>tar</filename> being a link to
      <filename>gtar</filename>.</para>

    <para><application>OpenPAM</application> has been updated from the
      Dogwood release to the Eelgrass release.</para>

    <para><application>OpenSSH</application> has been updated from
      3.6.1p1 to 3.8p1.

      <note>
        <para>The configuration defaults for &man.sshd.8; have been
          changed.  SSH protocol version 1 is no longer enabled by
          default.  In addition, password authentication over SSH is
          disabled by default if PAM is enabled.</para>
      </note>

      </para>

    <para><application>routed</application> has been updated from
      release 2.22 to release 2.27 from rhyolite.com.  Note that for
      users relying on RIP's MD5 authentication feature,
      &man.routed.8; routed is now incompatible with previous versions
      of &os;; however it is now compatible with implementations from
      Sun, Cisco and other vendors.</para>

    <para><application>sendmail</application> has been updated from
      version 8.12.10 to version 8.12.11. &merged;</para>

  </sect2>

  <sect2 id="ports">
    <title>Ports/Packages Collection Infrastructure</title>

    <para></para>

  </sect2>

  <sect2 id="releng">
    <title>Release Engineering and Integration</title>

    <para arch="i386,pc98">The building process for boot floppy images
      has been completely overhauled.  The most significant change is
      that the loader now boots a stock <filename>GENERIC</filename>
      kernel split across multiple disks (two at the time of this
      writing).  This greatly improves installations that begin with a
      boot from floppy disk, because they now use exactly the same
      kernel (and thus support the same hardware) as CDROM
      installations.  The stripped-down <filename>MFSROOT</filename>
      kernel is no longer needed, and the <filename>mfsroot</filename>
      image no longer requires kernel modules.  The
      <filename>boot.flp</filename> and
      <filename>driver.flp</filename> images are also obsolete and no
      longer built.</para>

  </sect2>

  <sect2 id="doc">
    <title>Documentation</title>

    <para></para>

  </sect2>

</sect1>

<sect1 id="upgrade">
  <title>Upgrading from previous releases of &os;</title>

  <para>Users with existing &os; systems are
    <emphasis>highly</emphasis> encouraged to read the <quote>Early
    Adopter's Guide to &os; &release.current;</quote>.  This document generally has
    the filename <filename>EARLY.TXT</filename> on the distribution
    media, or any other place that the release notes can be found.  It
    offers some notes on upgrading, but more importantly, also
    discusses some of the relative merits of upgrading to &os;
    5.<replaceable>X</replaceable> versus running &os;
    4.<replaceable>X</replaceable>.</para>

  <important>
    <para>Upgrading &os; should, of course, only be attempted after
      backing up <emphasis>all</emphasis> data and configuration
      files.</para>
  </important>
</sect1>