Expand the "KAME import" release note item into two sections with more

[FreeBSD/FreeBSD.git] / release / doc / en_US.ISO8859-1 / relnotes / common / new.sgml

<!--
        The "What's New" section of the release notes.  Within
        each subsection (i.e. kernel, security, userland), list
        items in chronological order, unless necessary to keep
        related items together, such as multiple release notes
        pertaining to a single program or module.

-->

<sect1>
  <sect1info>
    <pubdate>$FreeBSD$</pubdate>
  </sect1info>

  <title>What's New</title>

  <para>This section describes the most user-visible new or changed
  features in &os; since &release.prev;.  All changes
  described here are unique to the &release.branch; branch unless
  specifically marked as &merged; features.</para>

  <para>Many additional changes were made to &os; that are not listed
  here for lack of space.  For example, documentation was corrected
  and improved, minor bugs were fixed, insecure coding practices were
  audited and corrected, and source code was cleaned up.</para>

  <sect2>
    <title>Kernel Changes</title>

    <para>The &man.kqueue.2; event notification facility was added to
    the &os; kernel.  This is a new interface which is able to
    replace &man.poll.2;/&man.select.2, offering improved performance,
    as well as the ability to report many different types of events.
    Support for monitoring changes in sockets, pipes, fifos, and files
    are present, as well as for signals and processes. &merged;</para>

    <para arch="i386">Support for Intel's Wired for Management 2.0 (PXE)
    was added to the FreeBSD boot loader.  Due to API differences, the
    older PXE versions are not supported.  This allow network booting
    using DHCP. &merged;</para>

    <para>Support for USB devices was added to the
    <filename>GENERIC</filename> kernel and to the installation
    programs to support USB devices out of the box.  Note that SRM
    does not support USB devices at the moment, so you must still use
    an AT keyboard if you are not using a serial console. &merged;</para>

    <para>POSIX.1b Shared Memory Objects are now supported.  The
    implementation uses regular files, but automatically enables the
    MAP_NOSYNC flag when they are &man.mmap.2;-ed. &merged;</para>

    <para arch="i386">A driver for AGP hardware has been added. &merged;</para>

    <para>The kernel and modules have been moved to the directory
    <filename>/boot/kernel</filename>, so they can be easily
    manipulated together.  The boot loader has been updated to make
    this change as seamless as possible.</para>

    <para arch="i386">The i386 boot loader now has support for a 
    <literal>nullconsole</literal>
    console type, for use on systems with neither a video console nor
    a serial port. &merged;</para>

    <para>Replaced the <literal>PQ_*CACHE</literal> options with a
    single <literal>PQ_CACHESIZE</literal> option to be set to
    the cache size in kilobytes.  The old options are still supported
    for backwards compatibility. &merged;</para>

    <para arch="i386">The <literal>NCPU</literal>, <literal>NAPIC</literal>,
    <literal>NBUS</literal>, and <literal>NINTR</literal> kernel
    configuration options, for configuring SMP kernels, have been
    removed.  <literal>NCPU</literal> is now set to a maximum of 16,
    and the other, aforementioned options are now
    dynamic. &merged;</para>

    <para>&man.devfs.5;, which allows entries in the
    <filename>/dev</filename> directory to be built automatically and
    supports more flexible attachment of devices, has been largely
    reworked.  &man.devfs.5; is now enabled by default and can be
    disabled by the <literal>NODEVFS</literal> kernel option.</para>

    <para arch="i386">Preliminary Cardbus support under NEWCARD has been added.
    This code supports the TI113X, TI12XX, TI125X, Ricoh 5C46/5C47, Topic
    95/97/100 and Cirrus Logic PD683X bridges.  16-bit PC Card support
    is not yet functional.</para>

    <para>Write combining for crashdumps has been implemented.  This
    feature is useful when write caching is disabled on both SCSI and
    IDE disks, where large memory dumps could take up to an hour to
    complete. &merged;</para>

    <para>Extremely large swap areas (&gt;67 GB) no longer panic the
    system.</para>

    <para arch="i386">The &man.ichsmb.4; driver for the Intel 82801AA
    (ICH) SMBus controller and compatibles has been
    added. &merged;</para>

    <para arch="i386">The &man.uscanner.4; driver for basic USB scanner support
    using SANE has been added. See <ulink
    url="http://www.mostang.com/sane/">the SANE home page</ulink> for
    supported scanners. The HP ScanJet 4100C, 5200C and 6300C are
    known to be working.</para>

    <para arch="i386">The umodem driver for USB modems has been added.
    Support is provided for the 3Com 5605 and Metricom Ricochet GS
    wireless USB modems.</para>

    <para arch="alpha">Support for threads under Linux emulation has been
    added.</para>

    <para arch="i386">The pccard driver and &man.pccardc.8; now support multiple
    <quote>beep types</quote> upon card insertion and removal. &merged;</para>

    <para>A number of cleanups and enhancements have been applied to
    the PCI subsystem.
    <filename>/usr/share/misc/pci_vendors</filename> now contains a
    vendor/device database, which can be used by
    &man.pciconf.8;.</para>

    <para arch="i386">The &man.spic.4; driver, which provides access to the job
    dial device on some Sony laptops, has been added.</para>

    <para arch="i386">PECOFF (WIN32 Execution file format) support has been
    added.</para>

    <para>A VESA S3 linear framebuffer driver has been added.</para>

    <para>The <maketarget>buildkernel</maketarget> target now gets the
    name of the configuration(s) to build from the
    <varname>KERNCONF</varname> variable, not
    <varname>KERNEL</varname>.  It is no longer required, in some
    cases, for a <maketarget>buildworld</maketarget> to precede a
    <maketarget>buildkernel</maketarget>.  (The
    <maketarget>buildworld</maketarget> is still required when
    upgrading across major releases, across
    <application>binutil</application> upgrades and when &man.config.8;
    changes version.)
    </para>

    <para>The &man.random.4; device has been rewritten to use the
    <application>Yarrow</application> algorithm.  It harvests entropy
    from a variety of interrupt sources, including the console
    devices, Ethernet and point-to-point network interfaces, and
    mass-storage devices.  Entropy from the &man.random.4; device is
    now periodically saved to files in
    <filename>/var/db/entropy</filename>, as well as at
    &man.shutdown.8; time.</para>

    <para>The &man.syscons.4; driver now supports keyboard-controlled
    pasting, by default bound to
    <keycap>Shift</keycap>-<keycap>Insert</keycap>.</para>

    <para>The &man.labpc.4; driver has been removed due to
    <quote>bitrot</quote>.</para>

    <para>A new kernel option, <literal>options REGRESSION</literal>,
    enables interfaces and functionality intended for use during
    correctness and regression testing.</para>

    <para>The <literal>USER_LDT</literal> kernel option is now
    activated by default.</para>

    <para>A new &man.ddb.4; command <command>show pcpu</command> lists
    some of the per-CPU data.</para>

    <para>A new digi driver has been added to support PCI Xr-based and ISA
    Xem Digiboard cards.  A new digictl program is (mainly) used to
    re-initialise cards that have external port modules attached such as
    the PC/Xem.<para>

    <para>The <literal>O_DIRECT</literal> flag has been added to
    &man.open.2; and &man.fcntl.2;.  Specifying this flag for open
    files will attempt to minimize the cache effects of reading and
    writing. &merged;</para>

    <para><literal>OLDCARD</literal> and &man.pccardd.8; now support
    PCI cards.</para>

    <para>An &man.orm.4; device has been added to claim the option
    ROMs in the ISA memory I/O space, to prevent other drivers from
    mistakenly assigning addresses that conflict with these ROMs. &merged;</para>

    <para>The out-of-swap process termination code now begins killing
    processes earlier to avoid deadlocks; it now also takes into
    account the swap space used by processes when computing the
    process sizes. &merged;</para>

    <para>Linker sets are now self-contained; &man.gensetdefs.8; is
    unnecessary and has been removed.</para>

    <para>Numerous SMP-friendly changes have been made to the kernel's
    mbuf allocator.</para>

    <para>The dgm driver has been removed in favor of the digi driver.</para>

    <para>Network device cloning has been implemented, and the &man.gif.4;
    and &man.stf.4; devices have been modified to take advantage of it.
    Thus, instead of specifying how many &man.gif.4; or &man.stf.4; devices
    are available in kernel configuration files, &man.ifconfig.8;'s
    <option>create</option> option should be used when another device
    instance is desired.</para>

    <para>The kernel message buffer is now accessible by the
    (machine-independent) <varname>kern.msgbuf</varname> sysctl
    variable; &man.dmesg.8; no longer needs to be SGID
    <groupname>kmem</groupname>.</para>

    <para>A simple hash-based lookup optimization for large directories
    called <literal>dirhash</literal> has been added.  Conditional on the
    <literal>UFS_DIRHASH</literal> kernel option, it improves the speed of
    operations on very large directories at the expense of some
    memory.</para>

    <para>Two new &man.ddb.4; commands, <command>hwatch</command> and
    <command>dhwatch</command>, have been introduced.  Analogous to
    <command>watch</command> and <command>dwatch</command>, they install
    hardware watchpoints (as opposed to software watchpoints) if supported
    by the architecture.</para>

    <para arch="i386">Support for Streaming <acronym>SIMD</acronym>
    Extensions (<acronym>SSE</acronym>) has been introduced.  The
    <literal>CPU_ENABLE_SSE</literal> kernel option controls whether
    support is compiled into the kernel.</para>

    <sect3>
      <title>Processor/Motherboard Support</title>

      <para>SMP support has been largely reworked, incorporating code
      from BSD/OS 5.0.  One of the main features of SMPng (<quote>SMP
      Next Generation</quote>) is to allow more processes to run in
      kernel, without the need for spin locks that can dramatically
      reduce the efficiency of multiple processors.  Interrupt
      handlers now have contexts associated with them that allow them
      to be blocked, which reduces the need to lock out
      interrupts.</para>

      <para arch="i386">Support for the 80386 processor has been
      removed from the <filename>GENERIC</filename> kernel, as this
      code seriously pessimizes performance on other ia32
      processors.</para>

      <para arch="i386">The <literal>I386_CPU</literal> kernel option
      to support the 80386 processor is now mutually exclusive with
      support for other ia32 processors; this should slightly improve
      performance on the 80386 due to the elimination of runtime
      processor type checks.</para>

      <para arch="i386">Custom kernels that will run on the 80386 can
      still be built by changing the cpu options in the kernel
      configuration file to only include
      <literal>I386_CPU</literal>.</para>

      <para arch="alpha">AlphaServer 1200 (<quote>Tincup</quote>) has
      been tested and works OK.  Currently it does not want to boot
      from CD or floppy but a transplanted disk that was installed on
      another Alpha works well. &merged;</para>

      <para arch="alpha">The API UP1100 mainboard has been verified to work.</para>

      <para arch="alpha">The API CS20 1U high server has been verified to work.</para>

      <para arch="alpha">The DEC3000 series support has been removed from the mfsroot
      floppy image so that it fits on a 1.44 Mbyte floppy again. As the 
      DEC3000 is currently only usable diskless this should not cause
      any problems.</para>

      <para arch="alpha">Support for AlphaServer 2100A (<quote>Lynx</quote>) has been
      added.</para>

      <para arch="alpha">Kernel code has been added that allows older generation Alpha CPUs
      (EV4 and EV5) to emulate instructions of the newer Alpha CPU 
      generations. This enables the use of binary-only programs like Adobe
      Acrobat 4 on EV4 and EV5.</para>

      <para arch="alpha">SMP support for the alpha is now operational.</para>

      <para arch="i386">Detection for new processors, such as the
      FC-PGA2 Pentium III (Tualatin), Transmeta Crusoe, and Transmeta
      Crusoe LongRun, has been added. &merged;</para>

    </sect3>

    <sect3>
      <title>Network Interface Support</title>

      <para>Added support for PCI Ethernet adapters based on the
      National Semiconductor DP83815 chipset, including the NetGear
      FA311-TX and FA312-TX, in the form of the &man.sis.4; driver.</para>

      <para>The &man.tap.4; driver, a virtual Ethernet device driver for
      bridged configurations, has been added. &merged;</para>

      <para>The &man.ti.4; driver now supports the Alteon AceNIC
      1000baseT Gigabit Ethernet and Netgear GA620T 1000baseT Gigabit
      cards. &merged;</para>

      <para>The &man.xl.4; driver now supports the 3Com 3C556 and 3C556B
      MiniPCI adapters used on some laptops. &merged;</para>

      <para arch="alpha">The &man.ed.4; driver is now supported.</para>

      <para>The &man.pcn.4; driver, which supports the AMD PCnet/FAST,
      PCnet/FAST+, PCnet/FAST III, PCnet/PRO, PCnet/Home, and HomePNA
      adapters, has been added.  Although these cards are already
      supported by the &man.lnc.4; driver, the &man.pcn.4; driver runs
      these chips in 32-bit mode and uses the RX alignment feature to
      achieve zero-copy receive.  This driver is also
      machine-independent, so it will work on both the i386 and alpha
      platforms.  The &man.lnc.4; driver is still needed to support non-PCI
      cards. &merged;</para>

      <para>Support for Fujitsu MB86960A/MB86965A based Ethernet
      PC-Cards is back. &merged;</para>

      <para arch="i386">The snc driver for the National Semiconductor
      DP8393X (SONIC) Ethernet controller has been added.  Currently,
      this driver is only used on the PC-98 architecture. &merged;</para>

      <para>The &man.an.4; driver for Cisco Aironet cards now supports
      Wired Equivalent Privacy (WEP) encryption, settable via
      &man.ancontrol.8;. &merged;</para>

      <para arch="i386">The &man.el.4; driver can now be loaded as a
      module.</para>

      <para>The &man.ray.4; driver, which supports the Webgear Aviator
      wireless network cards, has been committed.  The operation of
      &man.ray.4; interfaces can be modified by
      &man.raycontrol.8;. &merged;</para>

      <para arch="alpha">The &man.fpa.4; driver now supports Digital's
      DEFPA FDDI adaptors on the Alpha.</para>

      <para arch="i386">Linksys Fast Ethernet PCCARD cards supported by the
      &man.ed.4; driver now require the addition of flag
      <literal>0x80000</literal> to their config line in
      &man.pccard.conf.5;.  This flag is not optional.  These Linksys
      cards will not be recognized without it.</para>

      <para>A bug in the &man.ed.4; driver that could cause panics with
      very short packets and BPF or bridging active has been
      fixed. &merged;</para>

      <para>The &man.fxp.4; driver now requires a <literal>device
      miibus</literal> entry in the kernel configuration file. &merged;</para>

      <para>The &man.wx.4; driver now supports the Intel PRO1000-F and
      PRO1000-T (10/100/1000) adapters. &merged;</para>

      <para>Added the &man.nge.4; driver, which supports PCI Gigabit
      Ethernet adapters based on the National Semiconductor DP83820
      and DP83821 Gigabit Ethernet controller chips, including the
      D-Link DGE-500T, SMC EZ Card 1000 (SMC9462TX), Asante
      FriendlyNet GigaNIC 1000TA and 1000TPC and Addtron
      AEG320T.  This driver supports transmit and receive checksum
      offloading. &merged;</para>

      <para>The &man.lge.4; driver has been added to support the Level
      1 LXT1001 NetCellerator Gigabit Ethernet controller chip. This
      device is used on some fiber optic GigE cards from SMC, D-Link
      and Addtron.  Jumbograms and TCP/IP checksum offload on receive
      are supported, although hardware VLAN filtering is not. &merged;</para>

      <para>The &man.xl.4; driver now supports reception of VLAN
      tagged frames (on the <quote>Cyclone</quote> or newer
      chipsets). &merged;</para>

      <para>The &man.ti.4; driver correctly masks VLAN tags. &merged;</para>

      <para>The &man.an.4; driver now supports the Cisco Aironet 350
      series of adaptors.</para>

    </sect3>

    <sect3>
      <title>Network Protocols</title>

      <para>&man.accept.filter.9;, a kernel feature to reduce overheads
      when accepting and reading new connections on listening sockets,
      has been added. &merged;</para>

      <para>The &man.ng.mppc.4; and &man.ng.bridge.4; node types have
      been added to the netgraph subsystem.  The &man.ng.ether.4; node
      is now dynamically loadable.  Miscellaneous bug fixes and
      enhancements have also been made. &merged;</para>

      <para>&man.netgraph.4; has received some updates and bugfixes.</para>

      <para>A new netgraph node type &man.ng.one2many.4; for multiplexing
      and demultiplexing packets over multiple links has been added.
      &merged;</para>

      <para arch="alpha">SLIP has been removed from the
      <filename>mfsroot</filename> floppy image.</para>

      <para>ICMP ECHO and TSTAMP replies are now rate limited.  TCP RSTs
      generated due to packets sent to open and unopen ports are now
      limited by separate counters.  Each rate limiting queue now has
      its own description.</para>

      <para>ICMP <literal>UNREACH_FILTER_PROHIB</literal> messages can
      now RST TCP connections in the <literal>SYN_SENT</literal> state
      if the correct sequence numbers are sent back, as controlled by the
      <varname>net.inet.tcp.icmp_may_rst</varname>
      sysctl.</para>

      <para>TCP has received some bug fixes for its delayed ACK
      behavior. &merged;</para>

      <para>TCP now supports the NewReno modification to the TCP Fast Recovery
      algorithm.  This behavior can be controlled via the
      <varname>net.inet.tcp.newreno</varname> sysctl variable. &merged;</para>

      <para>TCP now uses a more aggressive timeout for initial SYN segments; this
      allows initial connection attempts to be dropped much
      faster. &merged;</para>

      <para>The <literal>TCP_COMPAT_42</literal> kernel option has
      been removed.</para>

      <para>The <literal>TCP_RESTRICT_RST</literal> kernel option has
      been removed.  Similar functionality can be achieved with the
      <varname>net.inet.tcp.blackhole</varname> sysctl
      variable. &merged;</para>

      <para>TCP now has RFC 1323 extensions enabled by default in
      &man.rc.conf.5;. &merged;</para>

      <para>RFC 1323 and RFC 1644 TCP extensions are now disabled for a
      connection in progress if no response has been received by the
      third SYN segment sent.  This behavior tries to work around
      (very old) terminal servers with buggy VJ header compression
      implementations. &merged;</para>

      <para>The TCP implementation no longer requires the
      allocation of a TCP template structure for each connection; this
      should reduce the buffer usage on large systems handling many
      connections. &merged;</para>

      <para>A new sysctl <varname>net.inet.ip.check_interface</varname>,
      which is on by default, causes IP to verify that an incoming
      packet arrives on an interface that has an address matching the
      packet's destination address. &merged;</para>

      <para>A new sysctl
      <varname>net.link.ether.inet.log_arp_wrong_iface</varname> has
      been added to control the suppression of logging when ARP replies
      arrive on the wrong interface. &merged;</para>

      <para>The <literal>proxy</literal> modifier to &man.arp.8;'s
      <option>-d</option> option has been renamed to
      <literal>pub</literal>, for consistency with the
      <option>-s</option> option.  The <literal>only</literal> keyword
      has been added to the <option>-s</option> and
      <option>-S</option> flags, to be used in creating
      <quote>proxy-only</quote> published entries.</para>

      <para>&man.ipfw.8; now filters correctly in the presence of ECN bits in TCP
      segments. &merged;</para>

      <para>&man.ipfw.8; will now avoid the display of dynamic
      firewall rules unless the <option>-d</option> flag is passed to
      it.  The <option>-e</option> lists expired dynamic rules.</para>

      <para>&man.bridge.4; and &man.dummynet.4; have received some
      enhancements and bug fixes.</para>

      <para>&man.ipfw.8; has a new feature (<literal>me</literal>) that
      allows for packet matching on interfaces with dynamically-changing
      IP addresses. &merged;</para>

      <para>&man.ip6fw.8; now has the ability to use a preprocessor
      and use the <option>-q</option> (quiet) flag when reading from a
      file. &merged;</para>

      <para>A new <literal>options RANDOM_IP_ID</literal> kernel
      option causes the ID field of IP packets to be randomized.  This
      closes a minor information leak which allows a remote observer
      to determine the rate at which the machine is generating
      packets, since the default behaviour is to increment a counter
      for each packet sent.</para>

      <para>IP multicast now works on VLAN devices.  Several other
      bugs in the VLAN code have also been fixed.</para>

    </sect3>

    <sect3>
      <title>Disks and Storage</title>

      <para arch="i386">The &man.twe.4; 3ware ATA RAID driver has added. &merged;</para>

      <para>The &man.ata.4; driver now has support for ATA100
      controllers.  In addition, it now supports the ServerWorks ROSB4
      ATA33 chipset, the CMD 648 ATA66 and CMD 649 ATA100 chipsets, and
      the Cyrix 5530. &merged;</para>

      <para>To provide more flexible configuration, the various options for the
      &man.ata.4; driver are now boot loader tunables, rather than kernel
      configure-time options. &merged;</para>

      <para>The &man.ata.4; driver now has support for tagged queuing,
      which is enabled by the <literal>hw.ata.tags</literal> loader
      tunable. &merged;</para>

      <para>The &man.ata.4; driver now has support for ATA
      <quote>pseudo</quote> RAID controllers as the Promise Fasttrak and
      HighPoint HPT370 controllers. &merged;</para>

      <para arch="i386">The &man.mly.4; driver, for Mylex PCI to SCSI
      AccelRAID and eXtremeRAID controllers with firmware 6.X and
      later, has been added. &merged;</para>

      <para arch="i386">The &man.asr.4; driver, which provides support
      for the Adaptec SCSI RAID controller family, as well as the DPT
      SmartRAID V and VI families, has been added. &merged;</para>

      <para arch="i386">Support for the Adaptec FSA family of PCI-SCSI
      RAID controllers has been added, in the form of the &man.aac.4;
      driver.</para>

      <para>The &man.ahc.4; driver has received numerous updates,
      bugfixes, and enhancements.  Among various improvements are
      improved compatibility with chips in <quote>RAID Port</quote> mode
      and systems with AAA and/or ARO cards installed, as well as
      performance improvements. Some bugs were also fixed, including a
      rare hang on Ultra2/U160 controllers. &merged;</para>

      <para arch="i386">The ncv, nsp, and stg drivers have
      been ported from NetBSD/pc98.  They support the NCR 53C50 /
      Workbit Ninja SCSI-3 / TMC 18C30, 18C50 based PC-Card/ISA SCSI
      controllers. &merged;</para>

      <para>The &man.cd.4; driver now has support for write operations.
      This allows writing to DVD-RAM, PD and similar drives that probe
      as CD devices.  Note that change affects only random-access
      writeable devices, not sequential-only writeable devices such as
      CD-R drives, which are supported by &man.cdrecord.1; in the Ports
      Collection. &merged;</para>

      <para>The &man.vinum.4; volume manager has received some bug fixes and
      enhancements.</para>

      <para>&man.md.4;, the memory disk device, has had the
      functionality of &man.vn.4; incorporated into it.  &man.md.4;
      devices can now be configured by &man.mdconfig.8;.  &man.vn.4; has
      been removed.  The Memory Filesystem (MFS) has also been
      removed.</para>

      <para>BurnProof(TM) support, for applicable ATAPI CD-ROM burners, is now
      supported. &merged;</para>

      <para arch="alpha">A bug that made certain CDROM drives fail to
      attach when connected to a SCSI card driven by &man.isp.4; has
      been fixed. &merged;</para>

      <para>The &man.isp.4; driver is now proactive about discovering
      Fibre Channel topology changes.</para>

      <para>The &man.isp.4; driver now supports target mode for Qlogic
      SCSI cards, including Ultra2 and Ultra3 and dual bus cards.</para>

      <para>The ida disk driver now has crashdump support. &merged;</para>

      <para>The CAM error recovery code has been updated.</para>

      <para>Some problems in &man.sa.4; error handling have been
      fixed, including the <quote>tape drive spinning indefinitely
      upon mt stat</quote> problem.</para>

    </sect3>

    <sect3>
      <title>Filesystems</title>

      <para>Support for named extended attributes was added to the &os;
      kernel.  This allows the kernel, and appropriately privileged
      userland processes, to tag files and directories with attribute
      data.  Extended attributes were added to support the TrustedBSD
      Project, in particular ACLs, capability data, and mandatory access
      control labels (see
      <filename>/usr/src/sys/ufs/ufs/README.extattr</filename> for
      details).</para>

      <para>Due to a licensing change, softupdates have been integrated
      into the main portion of the kernel source tree.  As a
      consequence, softupdates are now available with the
      <filename>GENERIC</filename> kernel. &merged;</para>

      <para>A filesystem snapshot capability has been added to FFS.
      Details can be found in
      <filename>/usr/src/sys/ufs/ffs/README.snapshot</filename>.</para>

      <para>Softupdates for FFS have received some bug fixes and
      enhancements.</para>

      <para>When running with softupdates, &man.statfs.2; and
      &man.df.1; will track the number of blocks and files that are
      committed to being freed.</para>

      <para>A bug in FFS that could cause superblock corruption on very large
      filesystems has been corrected. &merged;</para>

      <para>The Inode Filesystem (IFS) has been added; more information
      can be found in
      <filename>/usr/src/sys/ufs/ifs/README</filename>.</para>

      <para>The ISO-9660 filesystem now has a hook that supports a loadable
      character conversion routine.  The
      <filename>sysutils/cd9660_unicode</filename> port
      contains a set of common conversions.</para>

      <para>&man.kernfs.5; is obsolete and has been retired.</para>

      <para>A bug in the NFS client that caused bogus access times with
      <literal>O_EXCL|O_CREAT</literal> opens was fixed. &merged;</para>

      <para>A new NFS hash function (based on the Fowler/Noll/Vo hash
      algorithm) has been implemented to improve NFS performance by
      increasing the efficiency of the <varname>nfsnode</varname> hash
      tables. &merged;</para>

      <para>Client-side NFS locks have been implemented.</para>

      <para>Support for file system Access Control Lists (ACLs) has been
      introduced, allowing more fine-grained control of discretionary
      access control on files and directories.  This support was
      integrated from the TrustedBSD Project.  More details can be found in
      <filename>/usr/src/sys/ufs/ufs/README.acls</filename>.</para>

      <para>The directory layout preference algorithm for FFS has been
      changed to improve its speed on large filesystems.</para>

      <para arch="i386">smbfs (CIFS) support in kernel has been added.
      The corresponding userland filesystem mount utility can be found 
      in the <filename>net/smbfs</filename> port in the &os; Ports 
      Collection. &merged;</para>

      <para>For consistency, the fdesc, fifo, null, msdos, portal,
      umap, and union filesystems have been renamed to fdescfs,
      fifofs, msdosfs, nullfs, portalfs, umapfs, and unionfs.  Where
      applicable, modules and mount_* programs have been
      renamed.  Compatability <quote>glue</quote> has been added to
      &man.mount.8; so that <literal>msdos</literal> filesystem
      entries in &man.fstab.5; will work without changes.</para>

      <para>pseudofs, a pseudo-filesystem framework, has been added.
      &man.linprocfs.5; has been modified to use pseudofs.</para>

    </sect3>

    <sect3>
      <title>Multimedia Support</title>

      <para arch="i386">The &man.pcm.4; driver now supports the ESS Solo 1,
      Maestro-1, Maestro-2, and Maestro-2e; Forte Media fm801, ESS
      Maestro-2e, and VIA Technologies VT82C686A sound card/chipsets,
      and has received some other updates. 
      Separate drivers for the SoundBlaster 8 and Soundblaster 16 now
      replace an older, unified driver.  A driver for the CMedia
      CMI8338/CMI8738 sound chips has been added.  A driver for the
      CS4281 sound chip has been added.  A driver for the S3
      Sonicvobes chipset has been added. &merged;</para>

      <para arch="i386">A driver for the Advance Logic ALS4000 has
      been added. &merged;</para>

      <para arch="i386">A driver for the
      ESS Maestro-3/Allegro has been added, however due to licensing
      restrictions, it cannot be compiled into the kernel. &merged; To
      use this driver, add the following line to
      <filename>/boot/loader.conf</filename>:</para>

      <programlisting>snd_maestro3_load="YES"</programlisting>

      <para>The &man.bktr.4; driver has been updated to 2.18.  This
      update provides a number of new features:  New tuner
      types have been added, and improvements to the KLD module and to
      memory allocation have been made.  Bugs in &man.devfs.5; when
      unloading and reloading have been fixed.
      Support for new Hauppauge Model 44xxx WinTV Cards (the ones with
      no audio mux) has been added.</para>

      <para>When sound modules are built, one can now load all the
      drivers and infrastructure by <command>kldload
      snd</command>.</para>

      <para>A new API has been added for sound cards with hardware
      volume control.</para>

      <para arch="i386">A driver for the Intel 443MX, 810, 815, and 815E
      integrated sound devices has been added.</para>

    </sect3>

    <sect3>
      <title>Contributed Software</title>

      <para><application>IPFilter</application> has been updated to
      3.4.16. &merged;</para>

      <para>The Forth Inspired Command Language
      (<application>FICL</application>) used in the boot loader has
      been updated to 2.05.</para>

      <para>ACPI support has been merged in from the
      <application>Intel ACPI</application>
      project, and updated to the ACPI CA 20010518 release.</para>

      <sect4 arch="i386">
        <title>isdn4bsd</title>

        <para><application>isdn4bsd</application> has been updated to
        version 0.96.00.</para>

        <para>The &man.ihfc.4; driver for supporting Cologne Chip
        Designs HFC devices under <application>isdn4bsd</application>
        has been added.</para>

        <para>The &man.itjc.4; driver for supporting NETjet-S / Teles
        PCI-TJ devices under <application>isdn4bsd</application> has
        been added.</para>

        <para>Experimental support for the Eicon.Diehl DIVA 2.0 and
        2.02 ISA PnP ISDN cards has been added to the &man.isic.4;
        <application>isdn4bsd</application> driver.</para> 

        <para>Active CAPI-based ISDN cards manufacured by AVM are now
        supported using the &man.i4bcapi.4; and the &man.iavc.4; driver. The
        supported cards are the AVM B1 PCI and AVM B1 ISA Basic Rate
        cards and the AVM T1 Primary Rate cards.</para>
      </sect4>

      <sect4 id="kame-kernel">
        <title>KAME</title>

        <para>The IPv6 stack is now based on a snapshot based on the KAME
        Project's IPv6 snapshot as of 28 May, 2001.  Most of the
        items listed in this section are a result of this import.
        <xref linkend="kame-userland"> lists userland updates to the
        KAME IPv6 stack. &merged;</para>

        <para>&man.gif.4; is now based on RFC 2893, rather than RFC
        1933.  The <literal>IFF_LINK2</literal> interface flag can
        be used to control ingress filtering. &merged;</para>

        <para><application>IPSec</application> has received some
        enhancements, including the ability to use the Rijndael and
        SHA2 algorithms.  IPSec RC5 support has been removed due to
        patent issues. &merged;</para>

        <para>&man.stf.4; now conforms to RFC 3056; the
        <literal>IFF_LINK2</literal> interface flag can be used to
        control ingress filtering. &merged;</para>

        <para>IPv6 has better checking of illegal addresses (such as
        loopback addresses) on physical networks. &merged;</para>

        <para>The <varname>IPV6_V6ONLY</varname> socket option is
        now completely supported.  The kernel's default behavior
        with respect to this option is controlled by the
        <varname>net.inet6.ip6.v6only</varname> sysctl
        variable. &merged;</para>

        <para>RFC 3041 (Privacy Extensions for Stateless Address
        Autoconfiguration) is now supported.  It can be enabled via
        the <varname>net.inet6.ip6.use_tempaddr</varname> sysctl
        variable. &merged;</para>
      </sect4>
    </sect3>
  </sect2>
  <sect2>
    <title>Security Fixes</title>

    <para>&man.sysinstall.8; now allows the user to select one of three
    <quote>security profiles</quote> at install-time.  These profiles enable
    different levels of system security by enabling or disabling
    various system services in &man.rc.conf.5; on new
    installs. &merged;</para>

    <para>A bug in which malformed ELF executable images can hang the
    system has been fixed (see security advisory
    FreeBSD-SA-00:41). &merged;</para>

    <para>A security hole in Linux emulation was fixed (see security
    advisory FreeBSD-SA-00:42). &merged;</para>

    <para>&man.rlogind.8;, &man.rshd.8;, and &man.fingerd.8; are now
    disabled by default in <filename>/etc/inetd.conf</filename>.  This
    only affects new installations. &merged;</para>

    <para>String-handling library calls in many programs were fixed to
    reduce the possibility of buffer overflow-related exploits.
    &merged;</para>

    <para>TCP now uses stronger randomness in choosing its initial sequence 
    numbers (see security advisory FreeBSD-SA-00:52). &merged;</para>

    <para>Several buffer overflows in &man.tcpdump.1; were corrected
    (see security advisory FreeBSD-SA-00:61). &merged;</para>

    <para>A security hole in &man.top.1; was corrected (see security advisory
    FreeBSD-SA-00:62). &merged;</para>

    <para>A potential security hole caused by an off-by-one-error in
    &man.gethostbyname.3; has been fixed (see security advisory
    FreeBSD-SA-00:63). &merged;</para>

    <para>A potential buffer overflow in the &man.ncurses.3; library,
    which could cause arbitrary code to be run from within
    &man.systat.1;, has been corrected (see security advisory
    FreeBSD-SA-00:68). &merged;</para>

    <para>A vulnerability in &man.telnetd.8; that could cause it to
    consume large amounts of server resources has been fixed (see
    security advisory FreeBSD-SA-00:69). &merged;</para>

    <para>The <literal>nat deny_incoming</literal> command in
    &man.ppp.8; now works correctly (see security advisory
    FreeBSD-SA-00:70). &merged;</para>

    <para>A vulnerability in &man.csh.1;/&man.tcsh.1; temporary files
    that could allow overwriting of arbitrary user-writable files has
    been closed (see security advisory FreeBSD-SA-00:76). &merged;</para>

    <para>The &man.ssh.1; binary is no longer SUID root by
    default.</para>

    <para>Some fixes were applied to the Kerberos
    IV implementation related to environment variables, a
    possible buffer overrun, and overwriting ticket files. &merged;</para>

    <para>&man.telnet.1; now does a better job of sanitizing its
    environment. &merged;</para>

    <para>Several vulnerabilities in &man.procfs.5; were fixed (see
    security advisory FreeBSD-SA-00:77). &merged;</para>

    <para>A bug in <application>OpenSSH</application> in which a
    server was unable to disable &man.ssh-agent.1; or
    <literal>X11Forwarding</literal> was fixed (see security advisory
    FreeBSD-SA-01:01). &merged;</para>

    <para>A bug in &man.ipfw.8; and &man.ip6fw.8; in which inbound TCP
    segments could incorrectly be treated as being part of an
    <literal>established</literal> connection has been fixed (see
    security advisory FreeBSD-SA-01:08). &merged;</para>
 
    <para>A bug in &man.crontab.1; that could allow users to read any
    file on the system in valid &man.crontab.5; syntax has been fixed
    (see security advisory FreeBSD-SA-01:09). &merged;</para>

    <para>A vulnerability in &man.inetd.8; that could allow
    read-access to the initial 16 bytes of
    <groupname>wheel</groupname>-accessible files has been fixed (see security
    advisory FreeBSD-SA-01:11). &merged;</para>

    <para>A bug in &man.periodic.8; that used insecure temporary files has been
    corrected (see security advisory FreeBSD-SA-01:12). &merged;</para>

    <para>A bug in &man.sort.1; in which an attacker might be able to
    cause it to abort processing has been fixed (see security advisory
    FreeBSD-SA-01:13). &merged;</para>

    <para>To fix a remotely-exploitable buffer overflow,
    <application>BIND</application> has been updated
    to 8.2.3 (see security advisory FreeBSD-SA-01:18). &merged;</para>

    <para><application>OpenSSH</application> now has code to prevent
    (instead of just mitigating through connection limits) an attack
    that can lead to guessing the server key (not host key) by
    regenerating the server key when an RSA failure is detected (see
    security advisory FreeBSD-SA-01:24). &merged;</para>

    <para>A number of programs have had output formatting strings
    corrected so as to reduce the risk of vulnerabilities. &merged;</para>

    <para>A number of programs that use temporary files now do so more
    securely. &merged;</para>

    <para>A bug in ICMP that could cause an attacker to disrupt TCP and UDP
    <quote>sessions</quote> has been corrected. &merged;</para>

    <para>A bug in &man.timed.8;, which caused it to crash if send
    certain malformed packets, has been corrected (see security
    advisory FreeBSD-SA-01:28). &merged;</para>

    <para>A bug in &man.rwhod.8;, which caused it to crash if send
    certain malformed packets, has been corrected (see security
    advisory FreeBSD-SA-01:29). &merged;</para>

    <para>A security hole in FreeBSD's FFS and EXT2FS implementations,
    which allowed a race condition that could cause users to have
    unauthorized access to data, has been fixed (see security advisory
    FreeBSD-SA-01:30). &merged;</para>

    <para>A remotely-exploitable vulnerability in &man.ntpd.8; has
    been closed (see security advisory FreeBSD-SA-01:31). &merged;</para>

    <para>A security hole in <application>IPFilter</application>'s 
    fragment cache has been closed (see
    security advisory FreeBSD-SA-01:32). &merged;</para>

    <para>Buffer overflows in &man.glob.3;, which could cause
    arbitrary code to be run on an FTP server, have been closed.  In
    addition, to prevent some forms of DOS attacks, &man.glob.3;
    allows specification of a limit on the number of pathname matches
    it will return.  &man.ftpd.8; now uses this feature (see security
    advisory FreeBSD-SA-01:33). &merged;</para>

    <para>Initial sequence numbers in TCP are more thoroughly
    randomized (see security advisory FreeBSD-SA-01:39).  Due to some
    possible compatability issues, the behavior of this security fix
    can be enabled or disabled via the 
    <varname>net.inet.tcp.tcp_seq_genscheme</varname> sysctl 
    variable.&merged;</para>

    <para>The new <varname>net.inet.ip.maxfragpackets</varname> 
    and <varname>net.inet.ip.maxfragpackets</varname> sysctl
    variables limit the amount of memory that can be consumed by IPv4
    and IPv6 packet fragments, which defends against some denial of service
    attacks. &merged;</para>

    <para>A vulnerability in the &man.fts.3; routines (used by
    applications for recursively traversing a filesystem) could
    allow a program to operate on files outside the intended directory
    hierarchy.  This bug has been fixed (see security advisory
    FreeBSD-SA-01:40). &merged;</para>

    <para>&os;'s TCP implementation has been made more resistant to
    SYN floods, by eliminating the RST segment normally sent when
    removing a connection from the listen queue.</para>

    <para><application>OpenSSH</application> now switches to the
    user's UID before attempting to unlink the authentication
    forwarding file, nullifying the effects of a race.</para>

    <para>A flaw allowed some signal handlers to remain in effect in a
    child process after being exec-ed from its parent.  This allowed
    an attacker to execute arbitrary code in the context of a setuid
    binary.  This flaw has been corrected (see security advisory
    FreeBSD-SA-01:42). &merged;</para>
  </sect2>
  <sect2>
    <title>Userland Changes</title>

    <para>&man.cdcontrol.1; now supports a <literal>cdid</literal>
    command, which calculates and displays the CD serial number, using
    the same algorithm used by the CDDB database. &merged;</para>

    <para>&man.mtree.8; now includes support for a file that lists
    pathnames to be excluded when creating and verifying prototypes.
    This makes it easier to use &man.mtree.8; as a part of an
    intrusion-detection system. &merged;</para>

    <para>&man.ls.1; can produce colorized listings with the
    <option>-G</option> flag (and appropriate terminal
    support). &merged;</para>

    <para>&man.sysinstall.8; now properly preserves
    <filename>/etc/mail</filename> during a binary upgrade. &merged;</para>

    <para>The &man.truncate.1; utility, which truncates or extends the length
    of files, has been added. &merged;</para>

    <para>&man.syslogd.8; can take a <option>-n</option> option to
    disable DNS queries for every request. &merged;</para>

    <para>&man.kenv.1;, a command to dump the kernel environment, has
    been added. &merged;</para>

    <para>The behavior of &man.periodic.8; is now controlled by
    <filename>/etc/defaults/periodic.conf</filename> and
    <filename>/etc/periodic.conf</filename>. &merged;</para>

    <para arch="i386">&man.boot98cfg.8;, a PC-98 boot manager installation and
    configuration utility, has been added. &merged;</para>

    <para>&man.logger.1; can now send messages directly to a remote
    syslog. &merged;</para>

    <para arch="i386">&man.gdb.1; now supports hardware watchpoints (using the
    kernel's debug register + support that has been introduced in
    &os; 4.0). &merged;</para>

    <para>&man.which.1; is now a C program, rather than a Perl
    script.</para>

    <para>&man.killall.1; is now a C program, rather than a Perl
    script.  As a result, its <option>-m</option> option now uses the
    regular expression syntax of &man.regex.3;, rather than that of
    &man.perl.1;. &merged;</para>

    <para>&man.killall.1; now allows non-root users to kill SUID root
    processes that they started, the same as the Perl version did.</para>

    <para>&man.finger.1; now has the ability to support fingering
    aliases, via the &man.finger.conf.5; file. &merged;</para>

    <para>&man.finger.1; now has support for a
    <filename>.pubkey</filename> file.</para>

    <para>nsswitch support has been merged from NetBSD.  By creating
    an &man.nsswitch.conf.5; file, FreeBSD can be configured so that
    various databases such as &man.passwd.5; and &man.group.5; can be
    looked up using flat files, NIS, or Hesiod.  The old
    <filename>hosts.conf</filename> file is no longer used.</para>

    <para>RSA Security has waived all patent rights to the RSA
    algorithm.  As a
    result, the native <application>OpenSSL</application>
    implementation of the RSA algorithm is now activated by default,
    and the <filename>rsaref</filename> port and
    <filename>librsaUSA</filename> are no longer required for USA
    residents. &merged;</para>

    <para>&man.ifconfig.8; command can set the link-layer address
    of an interface. &merged;</para>

    <para>&man.ifconfig.8; can now accept addresses in slash/CIDR
    notation. &merged;</para>

    <para>&man.ifconfig.8; now has support for setting parameters for
    IEEE 802.11 wireless network devices.  &man.wi.4; and
    &man.an.4; devices are supported, and partial support is provided
    for &man.awi.4; devices. &merged;</para>

    <para>&man.ifconfig.8; no longer displays the list of supported
    media by default.  Instead it displays it when the
    <option>-m</option> is given. &merged;</para>

    <para>&man.setproctitle.3; has been moved from
    <filename>libutil</filename> to
    <filename>libc</filename>. &merged;</para>

    <para>&man.chio.1; now has the ability to specify elements by
    volume tag instead of by their physical location as well as the
    ability to return an element to its previous location. &merged;</para>

    <para>&man.sed.1; now takes a <option>-E</option> option for
    extended regular expression support. &merged;</para>

    <para>&man.ln.1; now takes an <option>-i</option> option to
    request user confirmation before overwriting an existing
    file. &merged;</para>

    <para>&man.ln.1; now takes a <option>-h</option> flag to avoid
    following a target that is a link, with a <option>-n</option> flag
    for compatability with other implementations. &merged;</para>

    <para>Userland &man.ppp.8; has received a number of updates and
    bug fixes. &merged;</para>

    <para>&man.make.1; has gained the <literal>:C///</literal>
    (regular expression substitution), <literal>:L</literal>
    (lowercase), and <literal>:U</literal> (uppercase) variable
    modifiers.  These were added to reduce the differences between the
    &os; and
    OpenBSD/NetBSD
    &man.make.1 programs. &merged; </para>

    <para>Bugs in &man.make.1;, among which include broken null suffix
    behavior, bad assumptions about current directory permissions, and
    potential buffer overflows, have been fixed. &merged;</para>

    <para>The &os; <filename>Makefile</filename> infrastructure now
    supports the <varname>WARNS</varname> directive from NetBSD.  This
    directive controls the addition of compiler warning flags to
    <varname>CFLAGS</varname> in a relatively compiler-neutral
    manner.</para>

    <para>&man.fsck.8; wrappers have been imported; this feature
    provides infrastructure for &man.fsck.8; to work on different
    types of filesystems (analogous to &man.mount.8;).</para>

    <para>The behavior of &man.fsck.8; when dealing with various
    passes (a la <filename>/etc/fstab</filename>) has been modified to
    accomodate multiple-disk filesystems.</para>

    <para>&man.style.perl.7;, a style guide for Perl code in the &os;
    base system, has been added.</para>

    <para>The <quote>in use</quote> percentage metric displayed by
    &man.netstat.1; now really reflects the percentage of network
    mbufs used. &merged;</para>

    <para>&man.netstat.1; now has a <option>-W</option> flag that
    tells it not to truncate addresses, even if they're too long for
    the column they're printed in. &merged;</para>

    <para>&man.netstat.1; now keeps track of input and output packets
    on a per-address basis for each interface. &merged;</para>

    <para>&man.netstat.1; now has a <option>-z</option> flag to reset
    statistics.</para>

    <para>&man.sockstat.1; now has <option>-c</option> and
    <option>-l</option> flags for listing connected and listening
    sockets, respectively. &merged;</para>

    <para>&man.mergemaster.8; has gained some new features, has been
    cleaned up somewhat, and is now more cross-platform friendly.</para>

    <para>&man.mergemaster.8; now sources an
    <filename>/etc/mergemaster.rc</filename> file and also prompts the
    user to run recommended commands (such as
    <command>newaliases</command>) as needed. &merged;</para>

    <para>The compiler chain now uses the FSF-supplied C/C++ runtime
    initialization code.  This change brings about better
    compatibility with code generated from the various egcs and gcc
    ports, as well as the stock public FSF source. &merged;</para>

    <para>The threads library has gained some signal handling changes,
    bug fixes, and performance enhancements (including zero system
    call thread switching).  &man.gdb.1; thread support has been
    updated to match these changes. &merged;</para>

    <para>&man.chflags.1; has moved from <filename>/usr/bin</filename>
    to <filename>/bin</filename>.</para>

    <para>Use of the <literal>CSMG_*</literal> macros no longer
    require inclusion of
    <filename>&lt;sys/param.h&gt;</filename></para>

    <para>IP Filter is now supported by the
    &man.rc.conf.5; boot-time configuration and
    initialization. &merged;</para>

    <para>The &man.lastlogin.8; utility, which prints the last login
    time of each user, has been imported from
    NetBSD. &merged;</para>

    <para>&man.last.1; now implements a <option>-d</option> that
    provides a <quote>snapshot</quote> of who was logged in at a
    particular date and time</para>

    <para>&man.newfs.8; now implements write combining, which can make
    creation of new filesystems up to seven times
    faster. &merged;</para>

    <para>&man.newfs.8; now takes a <option>-U</option> option to
    enable softupdates on a new filesystem. &merged;</para>

    <para>The default number of cylinders per group in &man.newfs.8;
    is now 22, up from 16.</para>

    <para>A number of buffer overflows in &man.config.8; have been
    fixed. &merged;</para>

    <para>&man.pwd.1; can now double as &man.realpath.1;, a program to
    resolve pathnames to their underlying physical paths. &merged;</para>

    <para>&man.stty.1; now has support for an
    <literal>erase2</literal> control character, so that, for example,
    both the <keycap>Delete</keycap> and <keycap>Backspace</keycap>
    keys can be used to erase characters. &merged;</para>

    <para>The &man.ibcs2.8;, &man.linux.8;, &man.osf1.8;, and &man.svr4.8;
    scripts, whose sole purpose was to load emulation
    kernel modules, have been removed.  The kernel module system will
    automatically load them as needed to fulfill dependencies.</para>

    <para>&man.top.1; will now use the full width of its tty.</para>

    <para>&man.growfs.8;, a utility for growing FFS filesystems, has
    been added.  &man.ffsinfo.8;, a utility for dump all the
    meta-information of an existing filesystem, has also been
    added.</para>

    <para>&man.indent.1; has gained some new formatting
    options. &merged;</para>

    <para>&man.sysinstall.8; now uses some more intuitive defaults
    thanks to some new dialog support functions. &merged;</para>

    <para>The default root partition in &man.sysinstall.8; is now
    100MB on the i386 and 120MB on the alpha.</para>

    <para>&man.xargs.1; gained a <option>-J</option> option which allows
    the user to specify exactly where in the command line the input should
    be retrofitted. &merged;</para>

    <para>Shortly after the receipt of a <literal>SIGINFO</literal>
    signal (normally control-T from the controlling tty), &man.fsck.ffs.8;
    will now output a line indicating the current phase number and
    progress information relevant to the current phase. &merged;</para>

    <para>&man.fsck.ffs.8; now supports background filesystem checks
    to mounted FFS filesystems with the <option>-B</option> option
    (softupdates must be enabled on these filesystems).  The
    <option>-F</option> flag now determines whether a specified
    filesystem needs foreground checking.</para>

    <para>&man.fsck.8; now has support for foreground
    (<option>-F</option>) and background (<option>-B</option>) checks.
    Traditionally, &man.fsck.8; is invoked before the filesystems are
    mounted and all checks are done to completion at that time.  If
    background checking is available, &man.fsck.8; is invoked twice.
    It is first invoked at the traditional time, before the
    filesystems are mounted, with the <option>-F</option> flag to do
    checking on all the filesystems that cannot do background
    checking.  It is then invoked a second time, after the system has
    completed going multiuser, with the <option>-B</option> flag to do
    checking on all the filesystems that can do background checking.
    Unlike the foreground checking, the background checking is started
    asynchronously so that other system activity can proceed even on
    the filesystems that are being checked.  Boot-time enabling of
    this feature is controlled by the
    <varname>background_fsck</varname> option in &man.rc.conf.5;.</para>

    <para>A new &man.fsck.msdosfs.8; utility has been added to check
    the consistency of MS-DOS filesystems.</para>

    <para>Catching up with most other network utilities in the base
    system, &man.lpr.1;, &man.lpd.8;, &man.syslogd.8;, and
    &man.logger.1; are now all IPv6-capable. &merged;</para>

    <para arch="i386"><filename>libdisk</filename> can now do
    install-time configuration of the &arch; <filename>boot0</filename>
    boot loader. &merged;</para>

    <para>The <option>-v</option> option to &man.rm.1; now displays
    the entire pathname of a file being removed.</para>

    <para>&man.lpr.1;, &man.lpq.1;, and &man.lpd.8; have received a
    few minor enhancements. &merged;</para>

    <para>&man.lpd.8; now takes two new options:  <option>-c</option>
    will log all connection errors to &man.syslogd.8;, while
    <option>-w</option> will allow connections from non-reserved
    ports. &merged;</para>

    <para>&man.lpc.8; has been improved; <command>lpc clean</command>
    is now somewhat safer, and a new <command>lpc tclean</command>
    command has been added to check to see what files would be removed
    by <command>lpc clean</command>. &merged;</para>

    <para>If the first argument to &man.ancontrol.8; or
    &man.wicontrol.8; doesn't start with a <literal>-</literal>, it is
    assumed to be an interface.</para>

    <para>&man.rdist.1; has been retired.</para>

    <para>&man.ppp.8; has gained the <literal>tcpmssfixup</literal>
    option, which adjusts outgoing TCP SYN packets so that the maximum
    receive segment size is no larger than allowed by the interface
    MTU.</para>

    <para><filename>libcrypt</filename> and
    <filename>libdescrypt</filename> have been unified to provide a
    configurable password authentication hash library.  Both the md5
    and des hash methods are provided unless the des hash is
    specifically compiled out.</para>

    <para>&man.passwd.1; and &man.pw.8; now select the password hash
    algorithm at run time.  See the <literal>passwd_format</literal>
    attribute in <filename>/etc/login.conf</filename>.</para>

    <para>In preparation for meeting SUSv2/POSIX
    <filename>&lt;sys/select.h&gt;</filename> requirements,
    <literal>struct selinfo</literal> and related functions have been
    moved to <filename>&lt;sys/selinfo.h&gt;</filename>.</para>

    <para>&man.syslogd.8; now supports a <literal>LOG_CONSOLE</literal>
    facility (disabled by
    default), which can be used to log <filename>/dev/console</filename> 
    output. &merged;</para>

    <para>&man.rpcgen.1; now uses <filename>/usr/bin/cpp</filename>
    (as on NetBSD), not <filename>/usr/libexec/cpp</filename>.</para>

    <para>Boot-time &man.syscons.4; configuration was moved to a
    machine-independent <filename>/etc/rc.syscons</filename>. &merged;</para>

    <para>&man.burncd.8; now supports a <option>-m</option> option for
    multisession mode (the default behavior now is to close disks as
    single-session).  A <option>-l</option> option to take a list of
    image files from a filename was also added; <filename>-</filename>
    can be used as a filename for <literal>stdin</literal>. &merged;</para>

    <para>&man.dmesg.8; now has a <option>-a</option> option to show
    the entire message buffer, including &man.syslogd.8; records and
    <filename>/dev/console</filename> output. &merged;</para>

    <para>&man.cdcontrol.1; now uses the <literal>CDROM</literal>
    environment variable to pick a default device. &merged;</para>

    <para>&man.cdcontrol.1; now supports <literal>next</literal> and
    <literal>prev</literal> commands to skip forwards or backwards a
    specified number of tracks while playing an audio CD.</para>

    <para>&man.sysctl.8; now supports a <option>-N</option> option to
    print out variable names only.</para>

    <para>&man.sysctl.8; has replaced the <option>-A</option> and
    <option>-X</option> options with <option>-ao</option> and
    <option>-ax</option> respectively; the former options are now
    deprecated.  The <option>-w</option> is deprecated as well; it is
    not needed to determine the user's intentions.</para>

    <para>&man.sysinstall.8; now lives in <filename>/usr/sbin</filename>,
    which simplifies the installation process.  The &man.sysinstall.8;
    manpage is also installed in a more consistent fashion now.</para>

    <para>&man.config.8; is now better about converting various 
    warnings that should
    have been errors into actual fatal errors with an exit code.  This
    ensures that <literal>make buildkernel</literal> 
    doesn't quietly ignore them and
    build a bogus kernel without a human to read the errors. &merged;</para>

    <para><filename>libc</filename> is now thread-safe by default;
    <filename>libc_r</filename> contains only thread functions.</para>

    <para>&man.find.1; now takes the <option>-empty</option> flag,
    which returns true if a file or directory is empty. &merged;</para>

    <para>&man.find.1; now takes the <option>-iname</option> and
    <option>-ipath</option> primaries for case-insensitive matches,
    and the <option>-regexp</option> and <option>-iregexp</option>
    primaries for regular-expression matches.  The <option>-E</option>
    flag now enables extended regular expressions. &merged;</para>

    <para>&man.find.1; now has the <option>-anewer</option>,
    <option>-cnewer</option>, <option>-mnewer</option>,
    <option>-okdir</option>, and <option>-newer[acm][acmt]</option>
    primaries for comparisons of file timestamps. &merged;</para>

    <para>&man.tftpd.8; now takes the <option>-c</option> and
    <option>-C</option> options, which allow the server to
    &man.chroot.2; based on the IP address of the connecting client.
    &man.tftp.1; and &man.tftpd.8; can now transfer files larger than
    65535 blocks. &merged;</para>

    <para>&man.vidcontrol.1; now accepts a <option>-g</option>
    parameter to select custom text geometry in the
    <literal>VESA_800x600</literal> raster text mode. &merged;</para>

    <para>&man.ldconfig.8; now checks directory ownerships and
    permissions for greater security; these checks can be disabled
    with the <option>-i</option> flag. &merged;</para>

    <para>The &man.rfork.thread.3; library call has been added as a
    helper function to &man.rfork.2;.  Using this function should
    avoid the need to implement complex stack swap
    code. &merged;</para>

    <para>Significant additions have been made to internationalization
    support; &os; now has complete locale support for the
    <literal>LC_MONETARY</literal>, <literal>LC_NUMERIC</literal>, and
    <literal>LC_MESSAGES</literal> categories.  A number of
    applications have been updated to take advantage of this
    support.</para>

    <para>Locale names have been changed to improve compatability with
    the names used by X11R6, as well as a number of other UNIX
    versions.  As an example, the <literal>en_US.ISO_8859-1</literal>
    locale name has been changed to
    <literal>en_US.ISO8859-1</literal>.  Entries in
    <filename>/etc/locale.alias</filename> provide backward
    compatability.</para>

    <para>A <filename>compat4x</filename> distribution has been added
    for compatibility with &os; 4-STABLE.</para>

    <para>The
    <filename>compat3x</filename> distribution has been updated to
    include libraries present in &os; 3.5.1-RELEASE. &merged;</para>

    <para>&man.savecore.8; now supports a <option>-k</option> option
    to prevent clearing a crash dump after saving it.  It also
    attempts to avoid writing large stretches of zeros to crash dump
    files to save space and time. &merged;</para>

    <para>&man.savecore.8; now works correctly on machines with 2 GB
    or more of RAM. &merged;</para>

    <para>&man.tar.1; now supports the <varname>TAR_RSH</varname>
    variable, principally to enable the use of &man.ssh.1; as a
    transport. &merged;</para>

    <para>&man.disklabel.8; now supports partition sizes expressed in
    kilobytes, megabytes, or gigabytes, in addition to sectors. &merged;</para>

    <para>The pseudo-random number generator implemented by
    &man.rand.3; has been improved to provide less biased results.</para>

    <para>&man.login.1; now exports environment variables set by
    <application>PAM</application> modules. &merged;</para>

    <para><application>PAM</application> support has been added for
    account management and sessions.</para>

    <para>&man.su.1; now uses <application>PAM</application> for
    authentication.</para>

    <para>&man.wall.1; now supports a <option>-g</option> flag to
    write a message to all users of a given group.</para>

    <para>The new <varname>CPUTYPE</varname>
    <filename>make.conf</filename> variable controls the compilation
    of processor-specific optimizations in various pieces of code such
    as <application>OpenSSL</application>. &merged;</para>

    <para>The default value for &man.cvs.1;'s
    <varname>CVS_RSH</varname> variable is now <literal>ssh</literal>,
    rather than <literal>rsh</literal>. &merged;</para>

    <para>&man.ipfstat.8; now supports the <option>-t</option> option
    to turn on a &man.top.1;-like display. &merged;<para>

    <para><filename>/usr/src/share/examples/BSD_daemon/</filename> now
    contains a scalable Beastie graphic. &merged;</para>

    <para>&man.dump.8; now supports inheritance of the
    <literal>nodump</literal> flag down a hierarchy. &merged;</para>

    <para>The <option>-T</option> to &man.dump.8; no longer swallows
    an extra argument. &merged;</para>

    <para>&man.dump.8; has a new <option>-D</option> option, allowing
    the path to the <filename>/etc/dumpdates</filename> file to be
    changed. &merged;</para>

    <para>&man.split.1; now has the ability to split a file longer
    than 2GB. &merged;</para>

    <para>&man.tail.1; now has the ability to work on files longer
    than 2GB. &merged;</para>

    <para>&man.units.1; has received some updates and bugfixes. &merged;</para>

    <para>As part of an ongoing process, many manual pages were
    improved, both in terms of their formatting markup and in their
    content. &merged;</para>

    <para><command>lprm -</command> now works for remote printer
    queues. &merged;</para>

    <para>&man.ftpd.8; now supports a <option>-r</option> flag for
    read-only mode and a <option>-E</option> flag to disable
    <literal>EPSV</literal>.  It also has some fixes to reduce
    information leakage and the ability to specify compile-time port
    ranges. &merged;</para>

    <para>&man.ping.8; now supports a <option>-m</option> option to
    set the TTL of outgoing packets. &merged;</para>

    <para>&man.ping.8; now supports a <option>-A</option> option to
    beep when packets are lost.</para>

    <para>A version of Transport Independent RPC
    (<application>TI-RPC</application>) has been imported.</para>

    <para>&man.rpcbind.8; has replaced &man.portmap.8;.</para>

    <para>NFS now works over IPv6.</para>

    <para>&man.rpc.lockd.8; has been imported from NetBSD.</para>

    <para>&man.rc.8; now has an framework for handling dependencies between
    &man.rc.conf.5; variables. &merged;</para>

    <para>&man.rc.8; now deletes all non-directory files in
    <filename>/var/run</filename> and
    <filename>/var/spool/lock</filename> at boot time.</para>

    <para>The &man.setfacl.1; and &man.getfacl.1; commands have been
    added to manage file system Access Control Lists.</para>

    <para>The default TCP port range used by
    <filename>libfetch</filename> for passive FTP retrievals has
    changed; this affects the behavior of &man.fetch.1;, which has
    gained the <option>-U</option> option to restore the old
    behavior. &merged;</para>

    <para><filename>libfetch</filename> now has support for an
    authentication callback.

    <para><filename>libfetch</filename> now has support for a
    <varname>HTTP_USER_AGENT</varname> environment variable. &merged;</para>

    <para>&man.atacontrol.8; has been added to control various aspects
    of the &man.ata.4; driver.</para>

    <para><filename>libcrypt</filename> now has support for Blowfish
    password hashing. &merged;</para>

    <para>The functions from <filename>libposix1e</filename> have been 
    integrated into <filename>libc</filename>.</para>

    <para>&man.vidcontrol.1; now allows the user to omit the font size
    specification when loading a font, and has some better
    error-handling. &merged;</para>

    <para>&man.vidcontrol.1; now supports a <option>-p</option> to
    take a snapshot of a &man.syscons.4; video buffer.  These
    snapshots can be manipulated by some of the
    <filename>scr2*</filename> utilities in the Ports
    Collection. &merged;</para>

    <para>&man.vidcontrol.1; now supports a <option>-H</option> option
    to clear the history buffer for a given tty.</para>

    <para>devinfo, a simple tool to print the device tree and resource usage by
    devices, has been added.</para>

    <para>&man.fmtcheck.3;, a function for checking consistency of
    format string arguments, has been added.</para>

    <para>&man.nl.1;, a line numbering filter program, has been added.</para>

    <para>&man.c89.1; has been converted from a shell script to a
    binary executable, fixing some minor bugs. &merged;</para>

    <para>&man.pax.1; has received a number of enhancements, including
    &man.cpio.1; functionality, &man.tar.1; compatability
    enhancements, <option>-z</option> and <option>-Z</option> flags
    for &man.gzip.1; and &man.compress.1; functionality, and a number
    of bug fixes.</para>

    <para>Ukranian language support has been added to the &os;
    console. &merged;</para>

    <para>The performance of the ELF dynamic linker &man.rtld.1; has
    been improved. &merged;</para>

    <para>&man.fdread.1;, a program to read data from floppy disks,
    has been added.  It is a counterpart to &man.fdwrite.1; and is
    designed to provide a means of recovering at least some data from
    bad media, and to obviate for a complex invocation of
    &man.dd.1;.</para>

    <para>&man.xargs.1; now supports a <option>-J</option>
    <replaceable>replstr</replaceable> option that allows the user to
    tell &man.xargs.1; to insert the data read from standard input at
    a specific point in the command line arguments rather than at the
    end.</para>

    <para>&man.apmd.8; now supports monitoring of the battery state via the
    <literal>apm_battery</literal> configuration directive.</para>

    <para>&man.telnet.1; now does autologin and encryption by default;
    a new <option>-y</option> option turns off encryption.</para>

    <para>&man.telnet.1; now supports a <option>-u</option> flag to
    allow connections to UNIX-domain (<literal>AF_UNIX</literal>)
    sockets. &merged;</para>

    <para>The default stripe size in &man.vinum.8; has been changed
    from 256KB to 279KB, to spread out superblocks more evenly between
    stripes.</para>

    <para>&man.chown.8; now correctly follows symbolic links named as
    command line arguments if run without <option>-R</option>.</para>

    <para>&man.chown.8; no longer takes <literal>.</literal> as a
    user/group delimeter.  This change was made to support usernames
    containing a <literal>.</literal>.</para>

    <para>&man.chmod.1; now supports a <option>-h</option> for
    changing the mode of a symbolic link.</para>

    <para>&man.install.1; has a number of new features, including the
    <option>-b</option> and <option>-B</option> options for backing up
    existing target files and the <option>-S</option> option for
    <quote>safe</quote> (atomic copy) operation.  The
    <option>-c</option> (copy) flag is now the default, and the
    <option>-D</option> (debugging) flag has been withdrawn.
    &man.install.1; now issues a warning if <option>-d</option>
    (create directories) and <option>-C</option> (copy changed files
    only) are used together.</para>

    <para>&man.whois.1; now directs queries for IP addresses to
    ARIN. &merged;  If a query to ARIN references APNIC or RIPE, the
    appropriate server will also be queried, provided that the
    <option>-Q</option> is not specified.</para>

    <para>A new utility &man.diskcheckd.8; has been added; it is a
    daemon which runs in the background, reading entire disks to find
    any read errors on those disks.  Its behavior at startup time can
    be controlled by the <varname>diskcheckd_enable</varname> variable
    in &man.rc.conf.5;.</para>

    <para>&man.fmt.1; has been rewritten; the rewrite fixes a number
    of bugs compared to its prior behavior.</para>

    <para>&man.df.1; now takes a <option>-l</option> option to only
    display information about locally-mounted filesystems. &merged;</para>

    <para>The syntax of &man.inetd.8;'s support for &man.faithd.8; is
    now compatable with that of other BSDs. &merged;</para>

    <para>The <literal>ident</literal> protocol support in &man.inetd.8; has
    been cleaned up and updated.</para>

    <para>&man.inetd.8; now has the ability to manage UNIX-domain
    sockets.</para>

    <para>&man.du.1; now takes a <option>-I</option> command-line flag
    to ignore/skip files and subdirectories matching a specified
    shell-glob mask. &merged;</para>

    <para>The &man.resolver.3; in &os; now implements EDNS0 support,
    which will be necessary when working with IPv6 transport-ready
    resolvers/DNS servers. &merged;</para>

    <para>&man.col.1; now takes a <option>-p</option> to force unknown
    control sequences to be passed through unchanged.</para>

    <para>The &man.mdmfs.8; command has been added; it is a wrapper
    around &man.mdconfig.8;, &man.disklabel.8;, &man.newfs.8;, and
    &man.mount.8; that mimics the command line option set of the
    deprecated &man.mount.mfs.8;.</para>

    <para>The &man.getprogname.3; and &man.setprogname.3; library
    functions have been added to manipulate the name of the current
    program.  They are used by error-reporting routines to produce
    consistent output. &merged;</para>

    <para>The &man.kldconfig.8; utility has been added to make it easier to
    manipulate the kernel module search path.</para>

    <para>&man.moused.8; now takes a <option>-a</option> to control
    mouse acceleration.</para>

    <para arch="i386">&man.fdisk.8; no longer attempts to search for
    a device if none has been specified on the command line, but
    instead tries to figure out the default device name from the
    root device.</para>

    <sect3>
      <title>Contributed Software</title>

      <para><application>bc</application> has been updated from 1.04 to
      1.06. &merged;</para>

      <para>The ISC library from the <application>BIND</application>
      distribution is now built as
      <filename>libisc</filename>. &merged;</para>

      <para><application>Binutils</application> have been upgraded to
      2.11.2.</para>

      <para><application>bzip2</application> 1.0.1 has been imported; this
      brings the &man.bzip2.1; program and the <filename>libbz2</filename>
      library to the base system.</para>

      <para><application>cvs</application> has been updated to
      1.11. &merged;</para>

      <para>The &man.ee.1; <application>Easy Editor</application> has
      been updated to 1.4.2. &merged;</para>

      <para>&man.file.1; has been contribify-ed, and updated to version
      3.35.</para>

      <para>&man.awk.1;, in the form of
      <application>gawk</application>, has been upgraded from 3.0.4 to 3.0.6.
      This fixes a number of non-critical bugs and includes a few
      performance tweaks. &merged;</para>

      <para><application>gcc</application> has been updated to 2.95.3. &merged;</para>

      <para>&man.gcc.1; now uses a unified <filename>libgcc</filename>
      rather than a separate one for threaded and non-threaded programs.
      <filename>/usr/lib/libgcc_r.a</filename> can be removed.
      &merged;</para>

      <para>&man.gcc.1; now supports the environment variable
      <varname>GCC_OPTIONS</varname>, which can hold a set of default
      options for <application>GCC</application>.</para>

      <para><application>GNATS</application> has been updated to
      3.113.</para>
      
      <para><application>gperf</application> has been updated to 2.7.2.</para>

      <para><application>groff</application> and its related utilities
      have been updated to FSF version 1.17.2.  This import brings in a
      new &man.mdoc.7; macro package (sometimes referred to as
      <literal>mdocNG</literal>), which removes many of the
      limitations of its predecessor. &merged;</para>

      <para><application>Heimdal</application> has been updated to
      0.3f.</para>

      <para>The <application>ISC DHCP</application> client has been
      updated to 2.0pl5. &merged;</para>

      <para><application>Kerberos IV</application> has been updated to
      1.0.5. &merged;</para>

      <para>The &man.more.1; command has been replaced by &man.less.1;,
      although it can still be run as
      <command>more</command>.  <application>less</application> has
      been imported at 3.5.8. &merged;</para>

      <para><application>libpcap</application> has been updated to
      0.6.2.</para>

      <para><application>libreadline</application> has been upgraded to
      4.2.</para>

      <para><application>Linux-PAM</application> has been updated to
      0.75. &merged;</para>

      <para>A number of new <application>Linux-PAM</application> modules
      have been added, including:  <filename>pam_ftp</filename>,
      <filename>pam_krb5</filename>,
      <filename>pam_nologin</filename>,
      <filename>pam_rootok</filename>,
      <filename>pam_securetty</filename>,
      <filename>pam_wheel</filename>.

      <para><application>ncurses</application> has been updated to
      5.2-20010512.</para>

      <para>The <application>OPIE</application> one-time-password suite
      has been updated to 2.32. &merged;  It has completely replaced
      the functionality of <application>S/Key</application>.</para>

      <para><application>Perl</application> has been updated to version
      5.6.0.</para>

      <para>&man.route.8; is now more verbose when changing indirect
      routes, in the case of a gateway route that is the same route as
      the one being modified.</para>

      <para>&man.route.8; now uses
      <literal><replaceable>host</replaceable>/<replaceable>bits</replaceable></literal>
      syntax instead of 
      <literal><replaceable>net</replaceable>/<replaceable>bits</replaceable></literal>
      syntax, for compatability with &man.netstat.1;.</para>

      <para>&man.route.8; can now create <quote>proxy only</quote>
      published ARP entries.</para>

      <para>&man.routed.8; has been updated to version 2.22. &merged;</para>

      <para><application>tcpdump</application> has been updated to
      3.6.2.</para>

      <para>The &man.csh.1; shell has been replaced by &man.tcsh.1;,
      although it can still be run as <command>csh</command>.
      <application>tcsh</application> has been updated to version
      6.10. &merged;</para>

      <para>&man.traceroute.8; now takes its default maximum TTL value
      from the <varname>net.inet.ip.ttl</varname> sysctl
      variable. &merged;</para>

      <sect4 id="kame-userland">
        <title>KAME</title>

        <para>The IPv6 stack is now based on a snapshot based on the KAME
        Project's IPv6 snapshot as of 28 May, 2001.  Most of the
        items listed in this section are a result of this import.
        <xref linkend="kame-kernel"> lists kernel updates to the KAME
        IPv6 stack. &merged;</para>

        <para>&man.faithd.8; now supports a configuration file for
        access control. &merged;</para>

        <para>&man.ifconfig.8; can now perform the functions of
        &man.gifconfig.8;. &merged;</para>

        <para>&man.ifconfig.8; can now perform the functions of
        &man.prefix.8;.  &man.prefix.8; is now a shell script for
        partial backwards compatability. &merged;</para>

        <para>&man.ndp.8; now implements garbage collection for stale
        NDP entries, as described in RFC 2461 (Neighbor Discovery for
        IP Version 6 (IPv6)). &merged;</para>

        <para>&man.pim6dd.8; and &man.pim6sd.8; have been removed due to
        restrictive licensing conditions.  These programs are available
        in the ports collection as <filename>net/pim6dd</filename> and
        <filename>net/pim6dd</filename>. &merged;</para>

        <para>&man.route6d.8; now supports a <option>-n</option> flag
        to avoid updating the kernel forwarding table. &merged;</para>

        <para>The <option>-R</option> (router renumbering) option to
        &man.rtadvd.8; is currently ignored. &merged;</para>
      </sect4>

      <sect4>
        <title>OpenSSH</title>

        <para><application>OpenSSH</application> has been upgraded to
        2.1.0, which provides support for the SSH2 protocol, including DSA
        keys.  Therefore, <application>OpenSSH</application> users in the
        US no longer need to rely on the restrictively-licensed
        RSAREF toolkit which is required to
        handle RSA keys.  <application>OpenSSH</application> 2.1 interoperates well with other SSH2
        clients and servers, including the <filename>ssh2</filename> port.
        See the <ulink url="http://www.openssh.com/">OpenSSH Web
        site</ulink> for more details. &merged;</para>

        <para><application>OpenSSH</application> can now authenticate
        using OPIE passwords in SSH1 mode.  Support is not yet available
        in SSH2 mode. &merged;</para>

        <para><application>OpenSSH</application> has been upgraded to
        2.2.0.  &man.ssh-add.1; and &man.ssh-agent.1; can now handle DSA
        keys.  A server for sftp, interoperable with ssh.com
        clients and others has been added.  &man.scp.1; can now handle
        files larger than 2 GBytes.  Interoperability with other SSH2
        clients/servers has been improved.  A new feature to limit the
        number of outstanding unauthenticated ssh connections in
        &man.sshd.8; has been added. &merged;</para>

        <para><application>OpenSSH</application> has been upgraded to
        2.3.0.  This version adds support for the Rijndael encryption
        algorithm. &merged;</para>

        <para><application>PAM</application> support for
        <application>OpenSSH</application> has been added.</para>

        <para>A long-standing bug in <application>OpenSSH</application>,
        which sometimes resulted in a dropped session when an
        X11-forwarded client was closed, was fixed.</para>

        <para><application>Kerberos</application> compatability has been
        added to <application>OpenSSH</application>. &merged;</para>

        <para><application>OpenSSH</application> has been modified to be
        more resistant to traffic analysis by requiring that
        <quote>non-echoed</quote> characters are still echoed back in a
        null packet, as well as by padding passwords sent so as not to
        hint at password lengths. &merged;</para>

        <para>&man.sshd.8; is now enabled by default on new
        installs. &merged;</para>

        <para>&man.sshd.8; <literal>X11Forwarding</literal> is now turned
        on by default on the server (any risk is to the client, where it
        is already disabled by default).</para>

        <para>In <filename>/etc/ssh/sshd_config</filename>, the
        <literal>ConnectionsPerPeriod</literal> parameter has been
        deprecated in favor of <literal>MaxStartups</literal>.</para>

        <para><application>OpenSSH</application> now has a
        <literal>VersionAddendum</literal> configuration setting for
        &man.sshd.8; to allow changing the part of the
        <application>OpenSSH</application> version string after the
        main version number.</para>

        <para><application>OpenSSH</application> has been updated to
        version 2.9, which adds two new programs, &man.sftp.1; and
        &man.ssh-keyscan.1;.  Among the various enhancements: The
        default protocol is now v2, rekeying of existing SSH sessions
        is now supported, and an experimental
        <application>SOCKS4</application> proxy has been added to
        &man.ssh.1;.</para>
      </sect4>

      <sect4>
        <title>OpenSSL</title>

        <para><application>OpenSSL</application> has been upgraded to
        0.9.6a. &merged;</para>

        <para><application>OpenSSL</application> now has support for
        machine-dependent ASM optimizations, activated by the new
        <varname>MACHINE_CPU</varname> and/or <varname>CPUTYPE</varname>
        <filename>make.conf</filename> variables. &merged;</para>
      </sect4>

      <sect4>
        <title>sendmail</title>

        <para><application>sendmail</application> has been upgraded from
        version 8.9.3 to version 8.11.4.  Important changes include: new
        default file locations (see
        <filename>/usr/src/contrib/sendmail/cf/README</filename>);
        &man.newaliases.1; is limited to <username>root</username> and
        trusted users; STARTTLS encryption; and the MSA port (587) is
        turned on by default.  See
        <filename>/usr/src/contrib/sendmail/RELEASE_NOTES</filename> for
        more information. &merged;</para>

        <para>&man.mail.local.8; is no longer installed as a SUID binary.
        If you are using a <filename>/etc/mail/sendmail.cf</filename> from
        the default <filename>sendmail.cf</filename> included with &os;
        any time after 3.1.0, you are fine.  If you are using a
        hand-configured <filename>sendmail.cf</filename> and
        <command>mail.local</command> for delivery, check to make sure the
        <literal>F=S</literal> flag is set on the
        <literal>Mlocal</literal> line.  Those with
        <filename>.mc</filename> files who need to add the flag can do so
        by adding the following line to their <filename>.mc</filename>
        file and regenerating the <filename>sendmail.cf</filename>
        file:</para>

        <programlisting>MODIFY_MAILER_FLAGS(`LOCAL',`+S')dnl</programlisting>

        <para>Note that <literal>FEATURE(`local_lmtp')</literal> already
        does this. &merged;</para>

        <para>The default <filename>/etc/mail/sendmail.cf</filename>
        disables the SMTP <literal>EXPN</literal> and
        <literal>VRFY</literal> commands. &merged;</para>

        <para>&man.vacation.1; has been updated to use the version included with
        <application>sendmail</application>. &merged;</para>

        <para>The <application>sendmail</application> configuration
        building tools are installed in
        <filename>/usr/share/sendmail/cf/</filename>. &merged;</para>

        <para>New <filename>make.conf</filename> options:
        <varname>SENDMAIL_MC</varname> and
        <varname>SENDMAIL_ADDITIONAL_MC</varname>.  See
        <filename>/etc/defaults/make.conf</filename> for more
        information. &merged;</para>

        <para><filename>/etc/mail/Makefile</filename> now supports: the
        new <varname>SENDMAIL_MC</varname> <filename>make.conf</filename>
        option; the ability to build <filename>.cf</filename> files from
        <filename>.mc</filename> files; generalized map rebuilding;
        rebuilding the aliases file; and the ability to stop, start, and
        restart <application>sendmail</application>. &merged;</para>
      </sect4>
    </sect3>

    <sect3>
      <title>Ports/Packages Collection</title>

      <para>Version numbers of installed packages have a new
      (backward-compatible) syntax, which supports the
      <varname>PORTREVISION</varname> and <varname>PORTEPOCH</varname>
      variables in Ports Collection <filename>Makefile</filename>s.
      These changes help keep track of changes in the ports collection
      entries such as security patches or &os;-specific updates, which
      aren't reflected in the original, third-party software
      distributions.  &man.pkg.version.1; can now compare these
      new-style version numbers. &merged;</para>

      <para>To improve performance and disk utilization, the <quote>ports
      skeletons</quote> in the FreeBSD Ports Collection have been restructured.
      Installed ports and packages should not be affected. &merged;</para>

      <para>All packages and ports now contain an <quote>origin</quote>
      directive, which makes it easier for programs such as
      &man.pkg.version.1; to determine the directory from which a
      package was built. &merged;</para>

      <para>&man.pkg.update.1;, a utility to update installed packages
      and update their dependencies, has been added. &merged;</para>

      <para>&man.pkg.info.1; now supports globbing against names of
      installed packages.  The <option>-G</option> option disables this
      behavior, and the <option>-x</option> option causes regular
      expression matching instead of shell globbing. &merged;</para>

      <para>&man.pkg.info.1; can now accept a <option>-g</option> flag for
      verifying an installed package against its recorded checksums (to
      see if it's been modified post-installation).  Naturally, this
      mechanism is only as secure as the contents of
      <filename>/var/db/pkg</filename> if it's to be used for auditing
      purposes. &merged;</para>

      <para>&man.pkg.create.1; and &man.pkg.add.1; can now work with
      packages that have been compressed using
      &man.bzip2.1;. &man.pkg.add.1; will use the PACKAGEROOT
      environment variable to determine a mirror site for new
      packages. &merged;</para>

      <para>&man.pkg.create.1; now records dependencies in dependency
      order rather than in the order specified on the command line.
      This improves the functioning of <command>pkg_add
      -r</command>. &merged;</para>

      <para>&man.pkg.version.1; now has a version number comparison
      routine that corresponds to the Porters Handbook.  It also has a
      <option>-t</option> option for testing address comparisons. 
      &merged;</para>

      <para>&man.pkg.version.1; now takes a <option>-s</option> flag
      to limit its operation to ports/packages matching a given
      string. &merged;</para>

      <para>When requested to delete multiple packages,
      &man.pkg.delete.1; will now attempt to remove them in dependency
      order rather than the order specified on the command
      line. &merged;</para>

      <para>&man.pkg.delete.1; now can perform glob/regexp matching of
      package names.  In addition, it supports a <option>-a</option>
      option for removing all packages and a <option>-i</option> option
      for &man.rm.1;-style interactive confirmation. &merged;</para>

      <para>&man.pkg.sign.1; and &man.pkg.check.1; have been added to
      digitally sign and verify the signatures on binary package
      files. &merged;</para>

      <para><application>BSDPAN</application>, a collection of modules
      that provides tighter integration of
      <application>Perl</application> into the &os; Ports
      Collection, has been added.</para>
    </sect3>
  </sect2>
</sect1>