<title>&os;/&arch; &release.current; Release Notes</title>
<corpauthor>The FreeBSD Project</corpauthor>
<pubdate>$FreeBSD$</pubdate>
<holder role="mailto:doc@FreeBSD.org">The FreeBSD Documentation Project</holder>
<para>The release notes for &os; &release.current; contain a summary
<![ %include.historic; [
the changes made to the &os; base system since &release.prev;.
<![ %no.include.historic; [
recent changes made to the &os; base system on the &release.branch;
This document lists applicable security advisories that were issued since
the last release, as well as significant changes to the &os;
Some brief remarks on upgrading are also presented.</para>
<title>Introduction</title>
<para>This document contains the release notes for &os;
&release.current; on the &arch.print; hardware platform. It
describes recently added, changed, or deleted features of &os;.
It also provides some notes on upgrading
from previous versions of &os;.</para>
<![ %release.type.snapshot [
<para>The &release.type; distribution to which these release notes
apply represents a point along the &release.branch; development
branch between &release.prev; and the future &release.next;. Some
pre-built, binary &release.type; distributions along this branch
can be found at <ulink url="&release.url;"></ulink>.</para>
<![ %release.type.release [
<para>This distribution of &os; &release.current; is a
&release.type; distribution. It can be found at <ulink
url="&release.url;"></ulink> or any of its mirrors. More
information on obtaining this (or other) &release.type;
distributions of &os; can be found in the <ulink
url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors.html"><quote>Obtaining
FreeBSD</quote> appendix</ulink> to the <ulink
url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/">FreeBSD
Handbook</ulink>.</para>
<para>Users who are new to the &release.branch; series of &os;
&release.type;s should also read the <quote>Early Adopter's Guide
to &os; &release.current;</quote>. This document can generally be
found in the same location as the release notes (either as a part of a
&os; distribution or on the &os; Web site). It contains important
information regarding the advantages and disadvantages of using
&os; &release.current;, as opposed to releases based on the &os;
4-STABLE development branch.</para>
<para>All users are encouraged to consult the release errata before
installing &os;. The errata document is updated with
<quote>late-breaking</quote> information discovered late in the
release cycle or after the release. Typically, it contains
information on known bugs, security advisories, and corrections to
documentation. An up-to-date copy of the errata for &os;
&release.current; can be found on the &os; Web site.</para>
<title>What's New</title>
<para>This section describes
<![ %include.historic; [
the most user-visible new or changed features in &os;
In general, changes described here are unique to the &release.branch;
branch unless specifically marked as &merged; features.
<![ %no.include.historic; [
many of the user-visible new or changed features in &os;
since &release.prev;. It includes items that are unique to the
&release.branch; branch, as well as some features that may have been
other branches (after &os; &release.prev.historic;). The latter
items are marked as &merged;.
<para>Typical release note items
document recent security advisories issued after
&release.prev.historic;,
new drivers or hardware support, new commands or options,
major bug fixes, or contributed software upgrades. They may also
list changes to major ports/packages or release engineering
practices. Clearly the release notes cannot list every single
change made to &os; between releases; this document focuses
primarily on security advisories, user-visible changes, and major
architectural improvements.</para>
<sect2 id="security">
<title>Security Advisories</title>
<para>A bug in &man.mksnap.ffs.8; has been fixed; it caused the creation of a
filesystem snapshot to reset the flags on the filesystem to
their default values. The possible consequences depended on local
usage, but could include disabling extended access control lists
or enabling the use of setuid executables stored on an untrusted
filesystem. This bug also affected the &man.dump.8;
<option>-L</option> option, which uses &man.mksnap.ffs.8;. Note
that &man.mksnap.ffs.8; is normally only available to the
superuser and members of the <groupname>operator</groupname>
group. For more information, see security advisory <ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:01.mksnap_ffs.asc">FreeBSD-SA-04:01</ulink>.</para>
<para>A bug with the System V Shared Memory interface
(specifically the &man.shmat.2; system call) has been fixed.
This bug can cause a shared memory segment to reference
unallocated kernel memory. In turn, this can permit a local
attacker to gain unauthorized access to parts of kernel memory,
possibly resulting in disclosure of sensitive information,
bypass of access control mechanisms, or privilege escalation.
More details can be found in security advisory <ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:02.shmat.asc">FreeBSD-SA-04:02</ulink>.
<para>A programming error in the &man.jail.attach.2; system call
has been fixed. This error could allow a process with superuser
privileges inside a &man.jail.8; environment to change its root
directory to that of a different jail, and thus gain full read
and write access to files and directories within the target
jail. More information can be found in security advisory <ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:03.jail.asc">FreeBSD-SA-04:03</ulink>.</para>
<para>A potential low-bandwidth denial-of-service attack against
the &os; TCP stack has been prevented by limiting the number of
out-of-sequence TCP segments that can be held at one time. More
details can be found in security advisory <ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:04.tcp.asc">FreeBSD-SA-04:04</ulink>.
<title>Kernel Changes</title>
<para>&man.devfs.5; path rules now work correctly on
<para arch="i386,pc98">The dgb (DigiBoard intelligent serial card) driver has been
removed due to breakage. Its replacement is the &man.digi.4; driver,
which supports all the hardware of the dgb driver.</para>
<para arch="i386">The loran (Loran-C receiver) driver has been removed due to
breakage and lack of maintainership.</para>
<para>The ULE scheduler is now the default scheduler in the
<filename>GENERIC</filename> kernel. For the average user,
interactivity is reported to be better in many cases. This
means less <quote>skipping</quote> and <quote>jerking</quote> in
interactive applications while the machine is very busy. This
will not prevent problems due to overloaded disk subsystems, but
it does help with overloaded CPUs. On SMP machines, ULE has
per-CPU run queues which allow for CPU affinity, CPU binding,
and advanced HyperThreading support, as well as providing a
framework for more optimizations in the future. As fine-grained
kernel locking continues, the scheduler will be able to make
more efficient use of the available parallel resources.</para>
<para>The device driver infrastructure (as well as many drivers)
has been updated. Among the changes: many more drivers now use
automatically-assigned major numbers (instead of the old static
major numbers); enhanced functions support cloning of
pseudodevices; and several changes have been made to the driver API, including a
new <varname>d_version</varname> field in <varname>struct
cdevsw</varname>. Note that third-party device drivers will
require recompiling after this change.</para>
<para>The kernel's file descriptor allocation code has been
updated, and is now derived from similar code in OpenBSD.</para>
<!-- Above this line, sort kernel changes by manpage/keyword-->
<title>Platform-Specific Hardware Support</title>
<title>Boot Loader Changes</title>
<para arch="i386">A serial console-capable version of
<filename>boot0</filename> has been added. It can be written
to a disk using &man.boot0cfg.8; and specifying
<filename>/boot/boot0sio</filename> as the argument to the
<option>-b</option> option.</para>
<para arch="i386"><filename>cdboot</filename> now works around a
BIOS problem observed on some systems when booting from USB
<!-- Above this line, order boot loader changes by keyword-->
<title>Network Interface Support</title>
<para arch="sparc64">The &man.dc.4; driver now supports sparc64
Davicom cards that store their MAC address in
<para arch="i386,pc98">The hea (Efficient Networks, Inc. ENI-155p ATM adapter)
driver has been removed due to breakage. Its functionality
has been subsumed into the &man.en.4; driver.</para>
<para arch="i386">The lmc (LAN Media Corp. PCI WAN adapter) driver has been
removed due to breakage and lack of maintainership.</para>
<para arch="i386">&os; now provides a binary compatibility layer
for using &microsoft.windows; NDIS drivers for network
adapters under &os;/i386. It includes a relocator/linker for
&windows; <filename>.SYS</filename> files to interface with
the &os; kernel and emulates various parts of the NDIS API
using native &os; kernel functions. This system supports PCI
and CardBus network devices, and is designed principally for
Ethernet and wireless network interfaces.
For more information, see the &man.ndis.4; and
&man.ndiscvt.8; manual pages.</para>
<para>Several bugs related to multicast and promiscuous mode
handling in the &man.sk.4; driver have been fixed.</para>
<para>The &man.udav.4; driver has been added. It provides
support for USB Ethernet adapters based on the Davicom DM9601
<sect3 id="net-proto">
<title>Network Protocols</title>
<para>The &man.gre.4; tunnel driver now supports WCCP version
<para>Some bugs in the IPsec implementation from the KAME
Project have been fixed. These bugs were related to freeing
memory objects before all references to them were removed, and
could cause erratic behavior or kernel panics after flushing
the Security Policy Database (SPD).</para>
<para>The <literal>PFIL_HOOKS</literal> option is now enabled by
default in the <filename>GENERIC</filename> kernel. The most
notable effect of this change is to make
<application>IPFilter</application> work correctly when loaded
as a kernel module.</para>
<para>The following TCP features are now enabled by default: RFC
3042 (Limited Retransmit), RFC 3390 (increased initial
congestion window sizes), TCP bandwidth-delay product
limiting. More information can be found in &man.tcp.4;.</para>
<para>&os;'s TCP implementation now includes support for a
minimum MSS (settable via the
<varname>net.inet.tcp.minmss</varname> sysctl variable) and a
rate limit on connections that send many small TCP segments
within a short period of time (via the
<varname>net.inet.tcp.minmssoverload</varname> sysctl
variable). Connections exceeding this limit may be reset and
dropped. This feature provides protection against a class of
resource exhaustion attacks.</para>
<para>The TCP implementation now includes partial (output-only)
support for RFC 2385 (TCP-MD5) digest support. This feature,
enabled with the <literal>TCP_SIGNATURE</literal> and
<literal>FAST_IPSEC</literal> kernel options, is a TCP option
for authenticating TCP sessions. &man.setkey.8; now includes
support for the TCP-MD5 class of security associations.
<title>Disks and Storage</title>
<para>A number of bugs in the &man.ata.4; driver have been
fixed. Most notably, master/slave device detection should
work better, and some problems with timeouts should be
<title>File Systems</title>
<para>The EXT2FS file system code now includes partial support
for large (> 4GB) files. This support is partial in that
it will refuse to create large files on filesystems that have
not been upgraded to <literal>EXT2_DYN_REV</literal> or that
<literal>EXT2_FEATURE_RO_COMPAT_LARGE_FILE</literal> flag set
in the superblock.</para>
<para>A bug in GEOM that could result in I/O hangs in some rare
cases has been fixed.</para>
<para>A new geom_concat class has been added to concatenate
multiple disks to appear as a single larger disk. The
&man.gconcat.8; utility is used for configuring concatenated
<para>A panic in the NFSv4 client has been fixed; this occurred
when attempting operations against an NFSv3/NFSv2-only
<para>The SMBFS client now has support for SMB request signing,
which prevents <quote>man in the middle</quote> attacks and is
required in order to connect to Windows 2003 servers in their
default configuration. As signing each message imposes a
significant performance penalty, this feature is only enabled
if the server requires it; this may eventually become an
option to &man.mount.smbfs.8;.</para>
<title>Multimedia Support</title>
<para>The meteor (video capture) driver has been removed due to
breakage and lack of maintainership.</para>
<sect2 id="userland">
<title>Userland Changes</title>
<para>&man.indent.1; now supports a <option>-ldi</option> option
to control indentation of local variables. A number of other
tunings were made to this utility.</para>
<para>&man.ifconfig.8; now supports renaming of network interfaces
at run-time using the <option>name</option> parameter.</para>
<para>&man.ip6fw.8; now supports a <option>-n</option> flag to
stop it from making any changes to the rules in the kernel.</para>
<para>&man.ipfw.8; now supports a <option>-b</option> flag to
print only the action and comment for each rule, thus omitting
the rule body.</para>
<para>&man.killall.1; now supports a <option>-e</option> flag to
make the <option>-u</option> flag operate on effective, rather than
real, user ids. &merged;</para>
<para>&man.libalias.3; now has support (and a new API) for
multiple aliasing instances in a single process. The existing
API has been reimplemented in terms of the new one to preserve
compatibility.</para>
<para>A <filename>libarchive</filename> library for manipulation
of compressed and uncompressed archive files has been
added. More details can be found in &man.libarchive.3;.</para>
<para arch="pc98"><filename>libdisk</filename> now uses the
correct PC98 disk partition value for &os;. This permits the
&man.sysinstall.8; disk partition editor to correctly create a
single &os; partition covering the entire disk. &merged;</para>
<para arch="i386,pc98,amd64,ia64">The library formerly known as
<filename>libkse</filename> has been renamed
<filename>libpthread</filename> and is now the default threading
library on the i386, amd64, and ia64 platforms.
<application>GCC</application>'s <option>-pthread</option>
option has been changed to use <filename>libpthread</filename>
rather than <filename>libc_r</filename>.
<para>Users with older binaries (for example, ports compiled
before this change was made) should use &man.libmap.conf.5;
to map <filename>libc_r</filename> and/or
<filename>libkse</filename> to
<filename>libpthread</filename>.</para>
<para>Users with NVIDIA-supplied drivers and libraries may
need to use a &man.libmap.conf.5; that maps
<filename>libpthread</filename> references to the older
<filename>libc_r</filename> since these drivers and
utilities do not work with
<filename>libpthread</filename>.</para>
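<para>The two cases above (mapping old <filename>libc_r</filename> and <filename>libkse</filename> references to <filename>libpthread</filename> for all programs, and mapping <filename>libpthread</filename> back to <filename>libc_r</filename> only for a program that depends on the NVIDIA libraries) written as a single <filename>/etc/libmap.conf</filename>. This is an added example, not a file from the release notes or from &os;; the shared-library version numbers (<filename>libc_r.so.5</filename>, <filename>libkse.so.1</filename>, <filename>libpthread.so.1</filename>), the program path, and the lookup order (a program section is consulted before the global rules, and only one substitution is made) are assumptions to check against &man.libmap.conf.5; and the names <command>ldd</command> reports on the system.</para>

```conf
# /etc/libmap.conf (constructed example, not the file shipped with FreeBSD)
#
# Format: "<soname requested by the binary>  <soname actually loaded>".
# Global rules first; a [program] section overrides them for that program.
# A rule matches the exact soname a binary asks for, so check
# `ldd /path/to/binary` and adjust the version suffixes (assumed here).

# Binaries built before the switch (ports linked against libc_r or
# libkse) get the new default threading library instead.
libc_r.so.5     libpthread.so.1
libkse.so.1     libpthread.so.1

# A program that loads the NVIDIA-supplied libraries does not work with
# libpthread: send its libpthread references back to libc_r. The path is
# a placeholder; use the real program (a bare basename matches any path).
[/usr/X11R6/bin/example-gl-program]
libpthread.so.1 libc_r.so.5
# Identity rule so the NVIDIA libraries' own libc_r requests are not
# caught by the global libc_r -> libpthread rule above (assumed: rtld
# looks up the program section first and does not chain substitutions).
libc_r.so.5     libc_r.so.5
```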
<para>&man.newfs.8; and &man.mdmfs.8; now support a
<option>-l</option> flag to enable them to set the MAC
multilabel flag on new filesystems without requiring the use of
&man.tunefs.8;.</para>
<para>A bugfix has been applied to NSS support, which fixes
problems when using third-party NSS modules (such as <filename
role="package">net/nss_ldap</filename>) and groups with large
membership lists.</para>
<para>&man.pw.8; now supports a <option>-H</option> option, which
accepts an encrypted password on a file descriptor. &merged;</para>
<para>The configuration files used by the &man.resolver.3; now
support the <literal>timeout:</literal> and
<literal>attempts:</literal> keywords.</para>
<para>The &man.resolver.3; and associated interfaces are now much
more reentrant and thread-safe. Multiple DNS lookups can now be
run at the same time, showing major improvements in the
performance of some multi-threaded applications. Some
multi-threaded programs need to be recompiled; examples from the
Ports Collection are <filename
role="package">www/mozilla</filename> and variants, <filename
role="package">mail/evolution</filename>, <filename
role="package">devel/gnomevfs</filename>, and <filename
role="package">devel/gnomevfs2</filename>.</para>
<para>&man.savecore.8; now works correctly for dump files larger
<para>A bug in &man.script.1; has been fixed so that it now works
correctly if its stdin is closed. This fix prevents a
potentially dangerous interaction with the <filename
role="package">sysutils/portupgrade</filename> package; if it was
run non-interactively, it could remove all out-of-date
ports without reinstalling them.</para>
<para>The &man.sdpd.8; Bluetooth Service Discovery Protocol daemon
has been added.</para>
<para>Many userland utilities in the base system (mostly GNU
contributed utilities) now use the system version of
&man.getopt.long.3;, rather than the GNU version.</para>
<title>Contributed Software</title>
<para>The <application>ACPI-CA</application> code has been updated
from the 20030619 snapshot to the 20040220 snapshot.</para>
<para><application>awk</application> from Bell Labs has been
updated from the 29 July 2003 release to the 7 February 2004
<para>Security improvements from <application>CVS</application>
1.11.10 and 1.11.11 have been backported. Specifically, certain
malformed module requests are now rejected, and when using
<command>cvs pserver</command> mode, attempts to authenticate as
<username>root</username> are rejected and recorded via
&man.syslog.3;.</para>
<para><application>gdtoa</application> (a library that performs
conversions of numbers between binary and decimal form) has been
updated from version 20030324 to version 20040118.</para>
<para><application>GNU readline</application> 4.3 has been updated
with official patches 001 through 005.</para>
<para>The <application>GNU regex</application> library has been
updated to the version included with <application>GNU
grep</application> 2.4.2.</para>
<para>The <application>GNU tar</application> implementation in the
base system is now called <filename>gtar</filename>, with
<filename>tar</filename> being a link to
<filename>gtar</filename>.</para>
<para><application>OpenPAM</application> has been updated from the
Dogwood release to the Eelgrass release.</para>
<para><application>OpenSSH</application> has been updated from
<para>The configuration defaults for &man.sshd.8; have been
changed. SSH protocol version 1 is no longer enabled by
default. In addition, password authentication over SSH is
disabled by default if PAM is enabled.</para>
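<para>To check an existing <filename>sshd_config</filename> against these new defaults, here is an added audit script (not part of the release notes, &os;, or <application>OpenSSH</application>). It follows &man.sshd.8;'s rule that the first value given for a keyword wins, and for absent keywords assumes <literal>Protocol 2</literal> and <literal>PasswordAuthentication no</literal> (the new defaults described above) and <literal>UsePAM yes</literal> (as in the shipped configuration file); the two configuration files it inspects are constructed inline.</para>

```shell
#!/bin/sh
# Added example: audit an sshd_config against the FreeBSD 5.x defaults
# described in the release notes (no SSH protocol 1; no password
# authentication while PAM is in use). Not part of FreeBSD or OpenSSH.

# Print the effective value of a keyword. Like sshd, the first value seen
# wins; keywords are case-insensitive; blank and comment lines are skipped.
# $1 = config file, $2 = keyword, $3 = value to report if keyword is absent
sshd_opt() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key && !found { found = 1; val = $2 }
        END { print (found ? val : def) }
    ' "$1"
}

# Report deviations from the new defaults, joined by ";", or "ok".
# Defaults for absent keywords are assumptions: Protocol 2 and
# PasswordAuthentication no (per the release notes), UsePAM yes (as in
# the shipped sshd_config).
audit_sshd_config() {
    findings=""
    case ",$(sshd_opt "$1" Protocol 2)," in
        *,1,*) findings="${findings}protocol-1-enabled;" ;;
    esac
    if [ "$(sshd_opt "$1" UsePAM yes)" = yes ] &&
       [ "$(sshd_opt "$1" PasswordAuthentication no)" = yes ]; then
        findings="${findings}password-auth-with-pam;"
    fi
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; else echo ok; fi
}

# Two constructed sample files (not real system configuration).
OLD_CFG=$(mktemp); NEW_CFG=$(mktemp)
trap 'rm -f "$OLD_CFG" "$NEW_CFG"' EXIT
cat > "$OLD_CFG" <<'EOF'
# pre-5.x style settings
Protocol 2,1
UsePAM yes
PasswordAuthentication yes
EOF
cat > "$NEW_CFG" <<'EOF'
protocol 2
UsePAM yes
PasswordAuthentication no
# a later duplicate is ignored: sshd keeps the first value it read
PasswordAuthentication yes
EOF

audit_sshd_config "$OLD_CFG"   # protocol-1-enabled;password-auth-with-pam;
audit_sshd_config "$NEW_CFG"   # ok
```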
<para><application>routed</application> has been updated from
release 2.22 to release 2.27 from rhyolite.com. Note that for
users relying on RIP's MD5 authentication feature,
&man.routed.8; is now incompatible with previous versions
of &os;; however, it is now compatible with implementations from
Sun, Cisco, and other vendors.</para>
<para><application>sendmail</application> has been updated from
version 8.12.10 to version 8.12.11. &merged;</para>
<title>Ports/Packages Collection Infrastructure</title>
<title>Release Engineering and Integration</title>
<para arch="i386,pc98">The building process for boot floppy images
has been completely overhauled. The most significant change is
that the loader now boots a stock <filename>GENERIC</filename>
kernel split across multiple disks (two at the time of this
writing). This greatly improves installations that begin with a
boot from floppy disk, because they now use exactly the same
kernel (and thus support the same hardware) as CDROM
installations. The stripped-down <filename>MFSROOT</filename>
kernel is no longer needed, and the <filename>mfsroot</filename>
image no longer requires kernel modules. The
<filename>boot.flp</filename> and
<filename>driver.flp</filename> images are also obsolete and no
<title>Documentation</title>
<title>Upgrading from previous releases of &os;</title>
<para>Users with existing &os; systems are
<emphasis>highly</emphasis> encouraged to read the <quote>Early
Adopter's Guide to &os; &release.current;</quote>. This document generally has
the filename <filename>EARLY.TXT</filename> on the distribution
media, or any other place that the release notes can be found. It
offers some notes on upgrading, but more importantly, also
discusses some of the relative merits of upgrading to &os;
5.<replaceable>X</replaceable> versus running &os;
4.<replaceable>X</replaceable>.</para>
<para>Upgrading &os; should, of course, only be attempted after
backing up <emphasis>all</emphasis> data and configuration