The "What's New" section of the release notes. Within
each subsection (i.e. kernel, security, userland), list
items in chronological order, unless necessary to keep
related items together, such as multiple release notes
pertaining to a single program or module.

<pubdate>$FreeBSD$</pubdate>

<title>What's New</title>

<para>This section describes the most user-visible new or changed
features in &os; since &release.prev;. All changes
described here are unique to the &release.branch; branch unless
specifically marked as &merged; features.</para>

<para>Many additional changes were made to &os; that are not listed
here for lack of space. For example, documentation was corrected
and improved, minor bugs were fixed, insecure coding practices were
audited and corrected, and source code was cleaned up.</para>
<title>Kernel Changes</title>

<para>The &man.kqueue.2; event notification facility was added to
the &os; kernel. This is a new interface which is able to
replace &man.poll.2;/&man.select.2;, offering improved performance,
as well as the ability to report many different types of events.
Support for monitoring changes in sockets, pipes, fifos, and files
is present, as well as for signals and processes. &merged;</para>

<para arch="i386">Support for Intel's Wired for Management 2.0 (PXE)
was added to the FreeBSD boot loader. Due to API differences, the
older PXE versions are not supported. This allows network booting
using DHCP. &merged;</para>

<para>Support for USB devices was added to the
<filename>GENERIC</filename> kernel and to the installation
programs to support USB devices out of the box. Note that SRM
does not support USB devices at the moment, so you must still use
an AT keyboard if you are not using a serial console. &merged;</para>

<para>POSIX.1b Shared Memory Objects are now supported. The
implementation uses regular files, but automatically enables the
MAP_NOSYNC flag when they are &man.mmap.2;-ed. &merged;</para>

<para arch="i386">A driver for AGP hardware has been added. &merged;</para>

<para>The kernel and modules have been moved to the directory
<filename>/boot/kernel</filename>, so they can be easily
manipulated together. The boot loader has been updated to make
this change as seamless as possible.</para>

<para arch="i386">The i386 boot loader now has support for a
<literal>nullconsole</literal>
console type, for use on systems with neither a video console nor
a serial port. &merged;</para>

<para>Replaced the <literal>PQ_*CACHE</literal> options with a
single <literal>PQ_CACHESIZE</literal> option to be set to
the cache size in kilobytes. The old options are still supported
for backwards compatibility. &merged;</para>

<para arch="i386">The <literal>NCPU</literal>, <literal>NAPIC</literal>,
<literal>NBUS</literal>, and <literal>NINTR</literal> kernel
configuration options, for configuring SMP kernels, have been
removed. <literal>NCPU</literal> is now set to a maximum of 16,
and the other, aforementioned options are now
dynamic. &merged;</para>

<para>&man.devfs.5;, which allows entries in the
<filename>/dev</filename> directory to be built automatically and
supports more flexible attachment of devices, has been largely
reworked. &man.devfs.5; is now enabled by default and can be
disabled by the <literal>NODEVFS</literal> kernel option.</para>

<para arch="i386">Preliminary Cardbus support under NEWCARD has been added.
This code supports the TI113X, TI12XX, TI125X, Ricoh 5C46/5C47, Topic
95/97/100 and Cirrus Logic PD683X bridges. 16-bit PC Card support
is not yet functional.</para>

<para>Write combining for crashdumps has been implemented. This
feature is useful when write caching is disabled on both SCSI and
IDE disks, where large memory dumps could take up to an hour to
complete. &merged;</para>
<para>Extremely large swap areas (>67 GB) no longer panic the

<para arch="i386">The &man.ichsmb.4; driver for the Intel 82801AA
(ICH) SMBus controller and compatibles has been
added. &merged;</para>

<para arch="i386">The &man.uscanner.4; driver for basic USB scanner support
using SANE has been added. See <ulink
url="http://www.mostang.com/sane/">the SANE home page</ulink> for
supported scanners. The HP ScanJet 4100C, 5200C and 6300C are
known to be working.</para>

<para arch="i386">The umodem driver for USB modems has been added.
Support is provided for the 3Com 5605 and Metricom Ricochet GS
wireless USB modems.</para>

<para arch="alpha">Support for threads under Linux emulation has been

<para arch="i386">The pccard driver and &man.pccardc.8; now support multiple
<quote>beep types</quote> upon card insertion and removal. &merged;</para>

<para>A number of cleanups and enhancements have been applied to
<filename>/usr/share/misc/pci_vendors</filename> now contains a
vendor/device database, which can be used by
&man.pciconf.8;.</para>

<para arch="i386">The &man.spic.4; driver, which provides access to the job
dial device on some Sony laptops, has been added.</para>

<para arch="i386">PECOFF (WIN32 Execution file format) support has been

<para>A VESA S3 linear framebuffer driver has been added.</para>

<para>The <maketarget>buildkernel</maketarget> target now gets the
name of the configuration(s) to build from the
<varname>KERNCONF</varname> variable, not
<varname>KERNEL</varname>. It is no longer required, in some
cases, for a <maketarget>buildworld</maketarget> to precede a
<maketarget>buildkernel</maketarget>. (The
<maketarget>buildworld</maketarget> is still required when
upgrading across major releases, across
<application>binutil</application> upgrades and when &man.config.8;

<para>The &man.random.4; device has been rewritten to use the
<application>Yarrow</application> algorithm. It harvests entropy
from a variety of interrupt sources, including the console
devices, Ethernet and point-to-point network interfaces, and
mass-storage devices. Entropy from the &man.random.4; device is
now periodically saved to files in
<filename>/var/db/entropy</filename>, as well as at
&man.shutdown.8; time.</para>

<para>The &man.syscons.4; driver now supports keyboard-controlled
pasting, by default bound to
<keycap>Shift</keycap>-<keycap>Insert</keycap>.</para>

<para>The &man.labpc.4; driver has been removed due to
<quote>bitrot</quote>.</para>

<para>A new kernel option, <literal>options REGRESSION</literal>,
enables interfaces and functionality intended for use during
correctness and regression testing.</para>

<para>The <literal>USER_LDT</literal> kernel option is now
activated by default.</para>

<para>A new &man.ddb.4; command <command>show pcpu</command> lists
some of the per-CPU data.</para>
<para>A new digi driver has been added to support PCI Xr-based and ISA
Xem Digiboard cards. A new digictl program is (mainly) used to
re-initialise cards that have external port modules attached such as

<para>The <literal>O_DIRECT</literal> flag has been added to
&man.open.2; and &man.fcntl.2;. Specifying this flag for open
files will attempt to minimize the cache effects of reading and
writing. &merged;</para>

<para><literal>OLDCARD</literal> and &man.pccardd.8; now support

<para>An &man.orm.4; device has been added to claim the option
ROMs in the ISA memory I/O space, to prevent other drivers from
mistakenly assigning addresses that conflict with these ROMs. &merged;</para>

<para>The out-of-swap process termination code now begins killing
processes earlier to avoid deadlocks; it now also takes into
account the swap space used by processes when computing the
process sizes. &merged;</para>

<para>Linker sets are now self-contained; &man.gensetdefs.8; is
unnecessary and has been removed.</para>

<para>Numerous SMP-friendly changes have been made to the kernel's
mbuf allocator.</para>

<para>The dgm driver has been removed in favor of the digi driver.</para>

<para>Network device cloning has been implemented, and the &man.gif.4;
and &man.stf.4; devices have been modified to take advantage of it.
Thus, instead of specifying how many &man.gif.4; or &man.stf.4; devices
are available in kernel configuration files, &man.ifconfig.8;'s
<option>create</option> option should be used when another device
instance is desired.</para>

<para>The kernel message buffer is now accessible by the
(machine-independent) <varname>kern.msgbuf</varname> sysctl
variable; &man.dmesg.8; no longer needs to be SGID
<groupname>kmem</groupname>.</para>

<para>A simple hash-based lookup optimization for large directories
called <literal>dirhash</literal> has been added. Conditional on the
<literal>UFS_DIRHASH</literal> kernel option, it improves the speed of
operations on very large directories at the expense of some

<para>Two new &man.ddb.4; commands, <command>hwatch</command> and
<command>dhwatch</command>, have been introduced. Analogous to
<command>watch</command> and <command>dwatch</command>, they install
hardware watchpoints (as opposed to software watchpoints) if supported
by the architecture.</para>

<para arch="i386">Support for Streaming <acronym>SIMD</acronym>
Extensions (<acronym>SSE</acronym>) has been introduced. The
<literal>CPU_ENABLE_SSE</literal> kernel option controls whether
support is compiled into the kernel.</para>
<title>Processor/Motherboard Support</title>

<para>SMP support has been largely reworked, incorporating code
from BSD/OS 5.0. One of the main features of SMPng (<quote>SMP
Next Generation</quote>) is to allow more processes to run in
kernel, without the need for spin locks that can dramatically
reduce the efficiency of multiple processors. Interrupt
handlers now have contexts associated with them that allow them
to be blocked, which reduces the need to lock out

<para arch="i386">Support for the 80386 processor has been
removed from the <filename>GENERIC</filename> kernel, as this
code seriously pessimizes performance on other ia32

<para arch="i386">The <literal>I386_CPU</literal> kernel option
to support the 80386 processor is now mutually exclusive with
support for other ia32 processors; this should slightly improve
performance on the 80386 due to the elimination of runtime
processor type checks.</para>

<para arch="i386">Custom kernels that will run on the 80386 can
still be built by changing the cpu options in the kernel
configuration file to only include
<literal>I386_CPU</literal>.</para>

<para arch="alpha">AlphaServer 1200 (<quote>Tincup</quote>) has
been tested and works OK. Currently it does not want to boot
from CD or floppy but a transplanted disk that was installed on
another Alpha works well. &merged;</para>

<para arch="alpha">The API UP1100 mainboard has been verified to work.</para>

<para arch="alpha">The API CS20 1U high server has been verified to work.</para>

<para arch="alpha">The DEC3000 series support has been removed from the mfsroot
floppy image so that it fits on a 1.44 Mbyte floppy again. As the
DEC3000 is currently only usable diskless this should not cause

<para arch="alpha">Support for AlphaServer 2100A (<quote>Lynx</quote>) has been

<para arch="alpha">Kernel code has been added that allows older generation Alpha CPUs
(EV4 and EV5) to emulate instructions of the newer Alpha CPU
generations. This enables the use of binary-only programs like Adobe
Acrobat 4 on EV4 and EV5.</para>

<para arch="alpha">SMP support for the alpha is now operational.</para>

<para arch="i386">Detection for new processors, such as the
FC-PGA2 Pentium III (Tualatin), Transmeta Crusoe, and Transmeta
Crusoe LongRun, has been added. &merged;</para>
<title>Network Interface Support</title>

<para>Added support for PCI Ethernet adapters based on the
National Semiconductor DP83815 chipset, including the NetGear
FA311-TX and FA312-TX, in the form of the &man.sis.4; driver.</para>

<para>The &man.tap.4; driver, a virtual Ethernet device driver for
bridged configurations, has been added. &merged;</para>

<para>The &man.ti.4; driver now supports the Alteon AceNIC
1000baseT Gigabit Ethernet and Netgear GA620T 1000baseT Gigabit
cards. &merged;</para>

<para>The &man.xl.4; driver now supports the 3Com 3C556 and 3C556B
MiniPCI adapters used on some laptops. &merged;</para>

<para arch="alpha">The &man.ed.4; driver is now supported.</para>

<para>The &man.pcn.4; driver, which supports the AMD PCnet/FAST,
PCnet/FAST+, PCnet/FAST III, PCnet/PRO, PCnet/Home, and HomePNA
adapters, has been added. Although these cards are already
supported by the &man.lnc.4; driver, the &man.pcn.4; driver runs
these chips in 32-bit mode and uses the RX alignment feature to
achieve zero-copy receive. This driver is also
machine-independent, so it will work on both the i386 and alpha
platforms. The &man.lnc.4; driver is still needed to support non-PCI
cards. &merged;</para>

<para>Support for Fujitsu MB86960A/MB86965A based Ethernet
PC-Cards is back. &merged;</para>

<para arch="i386">The snc driver for the National Semiconductor
DP8393X (SONIC) Ethernet controller has been added. Currently,
this driver is only used on the PC-98 architecture. &merged;</para>

<para>The &man.an.4; driver for Cisco Aironet cards now supports
Wired Equivalent Privacy (WEP) encryption, settable via
&man.ancontrol.8;. &merged;</para>

<para arch="i386">The &man.el.4; driver can now be loaded as a

<para>The &man.ray.4; driver, which supports the Webgear Aviator
wireless network cards, has been committed. The operation of
&man.ray.4; interfaces can be modified by
&man.raycontrol.8;. &merged;</para>

<para arch="alpha">The &man.fpa.4; driver now supports Digital's
DEFPA FDDI adaptors on the Alpha.</para>

<para arch="i386">Linksys Fast Ethernet PCCARD cards supported by the
&man.ed.4; driver now require the addition of flag
<literal>0x80000</literal> to their config line in
&man.pccard.conf.5;. This flag is not optional. These Linksys
cards will not be recognized without it.</para>

<para>A bug in the &man.ed.4; driver that could cause panics with
very short packets and BPF or bridging active has been
fixed. &merged;</para>

<para>The &man.fxp.4; driver now requires a <literal>device
miibus</literal> entry in the kernel configuration file. &merged;</para>

<para>The &man.wx.4; driver now supports the Intel PRO1000-F and
PRO1000-T (10/100/1000) adapters. &merged;</para>

<para>Added the &man.nge.4; driver, which supports PCI Gigabit
Ethernet adapters based on the National Semiconductor DP83820
and DP83821 Gigabit Ethernet controller chips, including the
D-Link DGE-500T, SMC EZ Card 1000 (SMC9462TX), Asante
FriendlyNet GigaNIC 1000TA and 1000TPC and Addtron
AEG320T. This driver supports transmit and receive checksum
offloading. &merged;</para>

<para>The &man.lge.4; driver has been added to support the Level
1 LXT1001 NetCellerator Gigabit Ethernet controller chip. This
device is used on some fiber optic GigE cards from SMC, D-Link
and Addtron. Jumbograms and TCP/IP checksum offload on receive
are supported, although hardware VLAN filtering is not. &merged;</para>

<para>The &man.xl.4; driver now supports reception of VLAN
tagged frames (on the <quote>Cyclone</quote> or newer
chipsets). &merged;</para>

<para>The &man.ti.4; driver correctly masks VLAN tags. &merged;</para>

<para>The &man.an.4; driver now supports the Cisco Aironet 350
series of adaptors.</para>
<title>Network Protocols</title>

<para>&man.accept.filter.9;, a kernel feature to reduce overheads
when accepting and reading new connections on listening sockets,
has been added. &merged;</para>

<para>The &man.ng.mppc.4; and &man.ng.bridge.4; node types have
been added to the netgraph subsystem. The &man.ng.ether.4; node
is now dynamically loadable. Miscellaneous bug fixes and
enhancements have also been made. &merged;</para>

<para>&man.netgraph.4; has received some updates and bugfixes.</para>

<para>A new netgraph node type &man.ng.one2many.4; for multiplexing
and demultiplexing packets over multiple links has been added.

<para arch="alpha">SLIP has been removed from the
<filename>mfsroot</filename> floppy image.</para>

<para>ICMP ECHO and TSTAMP replies are now rate limited. TCP RSTs
generated due to packets sent to open and unopen ports are now
limited by separate counters. Each rate limiting queue now has
its own description.</para>

<para>ICMP <literal>UNREACH_FILTER_PROHIB</literal> messages can
now RST TCP connections in the <literal>SYN_SENT</literal> state
if the correct sequence numbers are sent back, as controlled by the
<varname>net.inet.tcp.icmp_may_rst</varname>

<para>TCP has received some bug fixes for its delayed ACK
behavior. &merged;</para>

<para>TCP now supports the NewReno modification to the TCP Fast Recovery
algorithm. This behavior can be controlled via the
<varname>net.inet.tcp.newreno</varname> sysctl variable. &merged;</para>

<para>TCP now uses a more aggressive timeout for initial SYN segments; this
allows initial connection attempts to be dropped much
faster. &merged;</para>

<para>The <literal>TCP_COMPAT_42</literal> kernel option has

<para>The <literal>TCP_RESTRICT_RST</literal> kernel option has
been removed. Similar functionality can be achieved with the
<varname>net.inet.tcp.blackhole</varname> sysctl
variable. &merged;</para>

<para>TCP now has RFC 1323 extensions enabled by default in
&man.rc.conf.5;. &merged;</para>

<para>RFC 1323 and RFC 1644 TCP extensions are now disabled for a
connection in progress if no response has been received by the
third SYN segment sent. This behavior tries to work around
(very old) terminal servers with buggy VJ header compression
implementations. &merged;</para>

<para>The TCP implementation no longer requires the
allocation of a TCP template structure for each connection; this
should reduce the buffer usage on large systems handling many
connections. &merged;</para>

<para>A new sysctl <varname>net.inet.ip.check_interface</varname>,
which is on by default, causes IP to verify that an incoming
packet arrives on an interface that has an address matching the
packet's destination address. &merged;</para>

<varname>net.link.ether.inet.log_arp_wrong_iface</varname> has
been added to control the suppression of logging when ARP replies
arrive on the wrong interface. &merged;</para>

<para>The <literal>proxy</literal> modifier to &man.arp.8;'s
<option>-d</option> option has been renamed to
<literal>pub</literal>, for consistency with the
<option>-s</option> option. The <literal>only</literal> keyword
has been added to the <option>-s</option> and
<option>-S</option> flags, to be used in creating
<quote>proxy-only</quote> published entries.</para>

<para>&man.ipfw.8; now filters correctly in the presence of ECN bits in TCP
segments. &merged;</para>

<para>&man.ipfw.8; will now avoid the display of dynamic
firewall rules unless the <option>-d</option> flag is passed to
it. The <option>-e</option> flag lists expired dynamic rules.</para>

<para>&man.bridge.4; and &man.dummynet.4; have received some
enhancements and bug fixes.</para>

<para>&man.ipfw.8; has a new feature (<literal>me</literal>) that
allows for packet matching on interfaces with dynamically-changing
IP addresses. &merged;</para>

<para>&man.ip6fw.8; now has the ability to use a preprocessor
and use the <option>-q</option> (quiet) flag when reading from a
file. &merged;</para>

<para>A new <literal>options RANDOM_IP_ID</literal> kernel
option causes the ID field of IP packets to be randomized. This
closes a minor information leak which allows a remote observer
to determine the rate at which the machine is generating
packets, since the default behaviour is to increment a counter
for each packet sent.</para>
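
The leak that RANDOM_IP_ID closes, as an added example (not part of the release notes and not FreeBSD kernel code): a constructed model of a host that numbers its packets either from one global counter or from a toy generator standing in for the kernel's randomization. The struct, the function names and the generator are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a sender's IP ID assignment; not FreeBSD kernel code. */
struct host {
    uint16_t counter;   /* default behaviour: one global counter, +1 per packet */
    int      randomize; /* nonzero models a kernel built with RANDOM_IP_ID */
    uint32_t prng;      /* toy xorshift32 state, must be nonzero */
};

/* Toy generator standing in for the kernel's randomization (assumption). */
static uint16_t toy_rand16(struct host *h)
{
    h->prng ^= h->prng << 13;
    h->prng ^= h->prng >> 17;
    h->prng ^= h->prng << 5;
    return (uint16_t)(h->prng >> 8);
}

/* Send one packet and return the ID placed in its IP header. */
uint16_t host_send(struct host *h)
{
    if (h->randomize)
        return toy_rand16(h);
    return h->counter++;
}

/*
 * What a remote peer can compute from two replies it receives.
 * `hidden` is the number of packets the host sent to other peers in
 * between; the observer never sees those packets, only the two IDs.
 */
uint16_t observer_estimate(struct host *h, unsigned hidden)
{
    uint16_t first = host_send(h);
    for (unsigned i = 0; i < hidden; i++)
        (void)host_send(h);
    uint16_t second = host_send(h);
    /* Arithmetic modulo 2^16, so the estimate survives counter wraparound. */
    return (uint16_t)(second - first - 1);
}

/* Count how many of `trials` probes recover the hidden packet count exactly. */
unsigned exact_recoveries(struct host *h, unsigned hidden, unsigned trials)
{
    unsigned hits = 0;
    for (unsigned i = 0; i < trials; i++)
        if (observer_estimate(h, hidden) == (uint16_t)hidden)
            hits++;
    return hits;
}

int main(void)
{
    /* Counter starts near the top of the range to exercise wraparound. */
    struct host seq = { .counter = 65530, .randomize = 0, .prng = 1 };
    struct host rnd = { .counter = 0, .randomize = 1, .prng = 0x2545F491u };

    printf("sequential IDs: %u of 1000 probes reveal the hidden count\n",
           exact_recoveries(&seq, 37, 1000));
    printf("randomized IDs: %u of 1000 probes reveal the hidden count\n",
           exact_recoveries(&rnd, 37, 1000));
    return 0;
}
```

With the counter, the difference between two observed IDs is exactly the number of packets sent in between, which divided by the probe interval gives the packet rate; with randomized IDs the difference carries no such signal.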
<para>IP multicast now works on VLAN devices. Several other
bugs in the VLAN code have also been fixed.</para>

<title>Disks and Storage</title>

<para arch="i386">The &man.twe.4; 3ware ATA RAID driver has been added. &merged;</para>

<para>The &man.ata.4; driver now has support for ATA100
controllers. In addition, it now supports the ServerWorks ROSB4
ATA33 chipset, the CMD 648 ATA66 and CMD 649 ATA100 chipsets, and
the Cyrix 5530. &merged;</para>

<para>To provide more flexible configuration, the various options for the
&man.ata.4; driver are now boot loader tunables, rather than kernel
configure-time options. &merged;</para>

<para>The &man.ata.4; driver now has support for tagged queuing,
which is enabled by the <literal>hw.ata.tags</literal> loader
tunable. &merged;</para>

<para>The &man.ata.4; driver now has support for ATA
<quote>pseudo</quote> RAID controllers such as the Promise Fasttrak and
HighPoint HPT370 controllers. &merged;</para>

<para arch="i386">The &man.mly.4; driver, for Mylex PCI to SCSI
AccelRAID and eXtremeRAID controllers with firmware 6.X and
later, has been added. &merged;</para>

<para arch="i386">The &man.asr.4; driver, which provides support
for the Adaptec SCSI RAID controller family, as well as the DPT
SmartRAID V and VI families, has been added. &merged;</para>

<para arch="i386">Support for the Adaptec FSA family of PCI-SCSI
RAID controllers has been added, in the form of the &man.aac.4;

<para>The &man.ahc.4; driver has received numerous updates,
bugfixes, and enhancements. Among various improvements are
improved compatibility with chips in <quote>RAID Port</quote> mode
and systems with AAA and/or ARO cards installed, as well as
performance improvements. Some bugs were also fixed, including a
rare hang on Ultra2/U160 controllers. &merged;</para>

<para arch="i386">The ncv, nsp, and stg drivers have
been ported from NetBSD/pc98. They support the NCR 53C50 /
Workbit Ninja SCSI-3 / TMC 18C30, 18C50 based PC-Card/ISA SCSI
controllers. &merged;</para>

<para>The &man.cd.4; driver now has support for write operations.
This allows writing to DVD-RAM, PD and similar drives that probe
as CD devices. Note that this change affects only random-access
writeable devices, not sequential-only writeable devices such as
CD-R drives, which are supported by &man.cdrecord.1; in the Ports
Collection. &merged;</para>

<para>The &man.vinum.4; volume manager has received some bug fixes and

<para>&man.md.4;, the memory disk device, has had the
functionality of &man.vn.4; incorporated into it. &man.md.4;
devices can now be configured by &man.mdconfig.8;. &man.vn.4; has
been removed. The Memory Filesystem (MFS) has also been

<para>BurnProof(TM), for applicable ATAPI CD-ROM burners, is now
supported. &merged;</para>

<para arch="alpha">A bug that made certain CDROM drives fail to
attach when connected to a SCSI card driven by &man.isp.4; has
been fixed. &merged;</para>

<para>The &man.isp.4; driver is now proactive about discovering
Fibre Channel topology changes.</para>

<para>The &man.isp.4; driver now supports target mode for Qlogic
SCSI cards, including Ultra2 and Ultra3 and dual bus cards.</para>

<para>The ida disk driver now has crashdump support. &merged;</para>

<para>The CAM error recovery code has been updated.</para>

<para>Some problems in &man.sa.4; error handling have been
fixed, including the <quote>tape drive spinning indefinitely
upon mt stat</quote> problem.</para>
<title>Filesystems</title>

<para>Support for named extended attributes was added to the &os;
kernel. This allows the kernel, and appropriately privileged
userland processes, to tag files and directories with attribute
data. Extended attributes were added to support the TrustedBSD
Project, in particular ACLs, capability data, and mandatory access
<filename>/usr/src/sys/ufs/ufs/README.extattr</filename> for

<para>Due to a licensing change, softupdates have been integrated
into the main portion of the kernel source tree. As a
consequence, softupdates are now available with the
<filename>GENERIC</filename> kernel. &merged;</para>

<para>A filesystem snapshot capability has been added to FFS.
Details can be found in
<filename>/usr/src/sys/ufs/ffs/README.snapshot</filename>.</para>

<para>Softupdates for FFS have received some bug fixes and

<para>When running with softupdates, &man.statfs.2; and
&man.df.1; will track the number of blocks and files that are
committed to being freed.</para>

<para>A bug in FFS that could cause superblock corruption on very large
filesystems has been corrected. &merged;</para>

<para>The Inode Filesystem (IFS) has been added; more information
<filename>/usr/src/sys/ufs/ifs/README</filename>.</para>

<para>The ISO-9660 filesystem now has a hook that supports a loadable
character conversion routine. The
<filename>sysutils/cd9660_unicode</filename> port
contains a set of common conversions.</para>

<para>&man.kernfs.5; is obsolete and has been retired.</para>

<para>A bug in the NFS client that caused bogus access times with
<literal>O_EXCL|O_CREAT</literal> opens was fixed. &merged;</para>

<para>A new NFS hash function (based on the Fowler/Noll/Vo hash
algorithm) has been implemented to improve NFS performance by
increasing the efficiency of the <varname>nfsnode</varname> hash
tables. &merged;</para>

<para>Client-side NFS locks have been implemented.</para>

<para>Support for file system Access Control Lists (ACLs) has been
introduced, allowing more fine-grained control of discretionary
access control on files and directories. This support was
integrated from the TrustedBSD Project. More details can be found in
<filename>/usr/src/sys/ufs/ufs/README.acls</filename>.</para>

<para>The directory layout preference algorithm for FFS has been
changed to improve its speed on large filesystems.</para>

<para arch="i386">smbfs (CIFS) support in kernel has been added.
The corresponding userland filesystem mount utility can be found
in the <filename>net/smbfs</filename> port in the &os; Ports
Collection. &merged;</para>

<para>For consistency, the fdesc, fifo, null, msdos, portal,
umap, and union filesystems have been renamed to fdescfs,
fifofs, msdosfs, nullfs, portalfs, umapfs, and unionfs. Where
applicable, modules and mount_* programs have been
renamed. Compatibility <quote>glue</quote> has been added to
&man.mount.8; so that <literal>msdos</literal> filesystem
entries in &man.fstab.5; will work without changes.</para>

<para>pseudofs, a pseudo-filesystem framework, has been added.
&man.linprocfs.5; has been modified to use pseudofs.</para>
<title>Multimedia Support</title>

<para arch="i386">The &man.pcm.4; driver now supports the ESS Solo 1,
Maestro-1, Maestro-2, and Maestro-2e; Forte Media fm801, ESS
Maestro-2e, and VIA Technologies VT82C686A sound card/chipsets,
and has received some other updates.
Separate drivers for the SoundBlaster 8 and Soundblaster 16 now
replace an older, unified driver. A driver for the CMedia
CMI8338/CMI8738 sound chips has been added. A driver for the
CS4281 sound chip has been added. A driver for the S3
SonicVibes chipset has been added. &merged;</para>

<para arch="i386">A driver for the Advance Logic ALS4000 has
been added. &merged;</para>

<para arch="i386">A driver for the
ESS Maestro-3/Allegro has been added; however, due to licensing
restrictions, it cannot be compiled into the kernel. &merged; To
use this driver, add the following line to
<filename>/boot/loader.conf</filename>:</para>

<programlisting>snd_maestro3_load="YES"</programlisting>

<para>The &man.bktr.4; driver has been updated to 2.18. This
update provides a number of new features: New tuner
types have been added, and improvements to the KLD module and to
memory allocation have been made. Bugs in &man.devfs.5; when
unloading and reloading have been fixed.
Support for new Hauppauge Model 44xxx WinTV Cards (the ones with
no audio mux) has been added.</para>

<para>When sound modules are built, one can now load all the
drivers and infrastructure by <command>kldload
snd</command>.</para>

<para>A new API has been added for sound cards with hardware
volume control.</para>

<para arch="i386">A driver for the Intel 443MX, 810, 815, and 815E
integrated sound devices has been added.</para>
<title>Contributed Software</title>

<para><application>IPFilter</application> has been updated to
3.4.16. &merged;</para>

<para>The Forth Inspired Command Language
(<application>FICL</application>) used in the boot loader has
been updated to 2.05.</para>

<para>ACPI support has been merged in from the
<application>Intel ACPI</application>
project, and updated to the ACPI CA 20010518 release.</para>

<title>isdn4bsd</title>

<para><application>isdn4bsd</application> has been updated to
version 0.96.00.</para>

<para>The &man.ihfc.4; driver for supporting Cologne Chip
Designs HFC devices under <application>isdn4bsd</application>
has been added.</para>

<para>The &man.itjc.4; driver for supporting NETjet-S / Teles
PCI-TJ devices under <application>isdn4bsd</application> has

<para>Experimental support for the Eicon.Diehl DIVA 2.0 and
2.02 ISA PnP ISDN cards has been added to the &man.isic.4;
<application>isdn4bsd</application> driver.</para>

<para>Active CAPI-based ISDN cards manufactured by AVM are now
supported using the &man.i4bcapi.4; and the &man.iavc.4; driver. The
supported cards are the AVM B1 PCI and AVM B1 ISA Basic Rate
cards and the AVM T1 Primary Rate cards.</para>

<sect4 id="kame-kernel">

<para>The IPv6 stack is now based on the KAME
Project's IPv6 snapshot as of 28 May, 2001. Most of the
items listed in this section are a result of this import.
<xref linkend="kame-userland"> lists userland updates to the
KAME IPv6 stack. &merged;</para>

<para>&man.gif.4; is now based on RFC 2893, rather than RFC
1933. The <literal>IFF_LINK2</literal> interface flag can
be used to control ingress filtering. &merged;</para>

<para><application>IPSec</application> has received some
enhancements, including the ability to use the Rijndael and
SHA2 algorithms. IPSec RC5 support has been removed due to
patent issues. &merged;</para>

<para>&man.stf.4; now conforms to RFC 3056; the
<literal>IFF_LINK2</literal> interface flag can be used to
control ingress filtering. &merged;</para>

<para>IPv6 has better checking of illegal addresses (such as
loopback addresses) on physical networks. &merged;</para>

<para>The <varname>IPV6_V6ONLY</varname> socket option is
now completely supported. The kernel's default behavior
with respect to this option is controlled by the
<varname>net.inet6.ip6.v6only</varname> sysctl
variable. &merged;</para>

<para>RFC 3041 (Privacy Extensions for Stateless Address
Autoconfiguration) is now supported. It can be enabled via
the <varname>net.inet6.ip6.use_tempaddr</varname> sysctl
variable. &merged;</para>
774 <title>Security Fixes</title>
776 <para>&man.sysinstall.8; now allows the user to select one of three
777 <quote>security profiles</quote> at install-time. These profiles enable
778 different levels of system security by enabling or disabling
779 various system services in &man.rc.conf.5; on new
780 installs. &merged;</para>
782 <para>A bug in which malformed ELF executable images can hang the
783 system has been fixed (see security advisory
784 FreeBSD-SA-00:41). &merged;</para>
786 <para>A security hole in Linux emulation was fixed (see security
787 advisory FreeBSD-SA-00:42). &merged;</para>
789 <para>&man.rlogind.8;, &man.rshd.8;, and &man.fingerd.8; are now
790 disabled by default in <filename>/etc/inetd.conf</filename>. This
791 only affects new installations. &merged;</para>
793 <para>String-handling library calls in many programs were fixed to
794 reduce the possibility of buffer overflow-related exploits.
797 <para>TCP now uses stronger randomness in choosing its initial sequence
798 numbers (see security advisory FreeBSD-SA-00:52). &merged;</para>
800 <para>Several buffer overflows in &man.tcpdump.1; were corrected
801 (see security advisory FreeBSD-SA-00:61). &merged;</para>
803 <para>A security hole in &man.top.1; was corrected (see security advisory
804 FreeBSD-SA-00:62). &merged;</para>
806 <para>A potential security hole caused by an off-by-one error in
807 &man.gethostbyname.3; has been fixed (see security advisory
808 FreeBSD-SA-00:63). &merged;</para>
810 <para>A potential buffer overflow in the &man.ncurses.3; library,
811 which could cause arbitrary code to be run from within
812 &man.systat.1;, has been corrected (see security advisory
813 FreeBSD-SA-00:68). &merged;</para>
815 <para>A vulnerability in &man.telnetd.8; that could cause it to
816 consume large amounts of server resources has been fixed (see
817 security advisory FreeBSD-SA-00:69). &merged;</para>
819 <para>The <literal>nat deny_incoming</literal> command in
820 &man.ppp.8; now works correctly (see security advisory
821 FreeBSD-SA-00:70). &merged;</para>
823 <para>A vulnerability in &man.csh.1;/&man.tcsh.1; temporary files
824 that could allow overwriting of arbitrary user-writable files has
825 been closed (see security advisory FreeBSD-SA-00:76). &merged;</para>
827 <para>The &man.ssh.1; binary is no longer SUID root by
830 <para>Some fixes were applied to the Kerberos
831 IV implementation related to environment variables, a
832 possible buffer overrun, and overwriting ticket files. &merged;</para>
834 <para>&man.telnet.1; now does a better job of sanitizing its
835 environment. &merged;</para>
837 <para>Several vulnerabilities in &man.procfs.5; were fixed (see
838 security advisory FreeBSD-SA-00:77). &merged;</para>
840 <para>A bug in <application>OpenSSH</application> in which a
841 server was unable to disable &man.ssh-agent.1; or
842 <literal>X11Forwarding</literal> was fixed (see security advisory
843 FreeBSD-SA-01:01). &merged;</para>
845 <para>A bug in &man.ipfw.8; and &man.ip6fw.8; in which inbound TCP
846 segments could incorrectly be treated as being part of an
847 <literal>established</literal> connection has been fixed (see
848 security advisory FreeBSD-SA-01:08). &merged;</para>
850 <para>A bug in &man.crontab.1; that could allow users to read any
851 file on the system in valid &man.crontab.5; syntax has been fixed
852 (see security advisory FreeBSD-SA-01:09). &merged;</para>
854 <para>A vulnerability in &man.inetd.8; that could allow
855 read-access to the initial 16 bytes of
856 <groupname>wheel</groupname>-accessible files has been fixed (see security
857 advisory FreeBSD-SA-01:11). &merged;</para>
859 <para>A bug in &man.periodic.8; that used insecure temporary files has been
860 corrected (see security advisory FreeBSD-SA-01:12). &merged;</para>
862 <para>A bug in &man.sort.1; in which an attacker might be able to
863 cause it to abort processing has been fixed (see security advisory
864 FreeBSD-SA-01:13). &merged;</para>
866 <para>To fix a remotely-exploitable buffer overflow,
867 <application>BIND</application> has been updated
868 to 8.2.3 (see security advisory FreeBSD-SA-01:18). &merged;</para>
870 <para><application>OpenSSH</application> now has code to prevent
871 (instead of just mitigating through connection limits) an attack
872 that can lead to guessing the server key (not host key) by
873 regenerating the server key when an RSA failure is detected (see
874 security advisory FreeBSD-SA-01:24). &merged;</para>
876 <para>A number of programs have had output formatting strings
877 corrected so as to reduce the risk of vulnerabilities. &merged;</para>
879 <para>A number of programs that use temporary files now do so more
880 securely. &merged;</para>
882 <para>A bug in ICMP that could cause an attacker to disrupt TCP and UDP
883 <quote>sessions</quote> has been corrected. &merged;</para>
885 <para>A bug in &man.timed.8;, which caused it to crash if sent
886 certain malformed packets, has been corrected (see security
887 advisory FreeBSD-SA-01:28). &merged;</para>
889 <para>A bug in &man.rwhod.8;, which caused it to crash if sent
890 certain malformed packets, has been corrected (see security
891 advisory FreeBSD-SA-01:29). &merged;</para>
893 <para>A security hole in FreeBSD's FFS and EXT2FS implementations,
894 which allowed a race condition that could cause users to have
895 unauthorized access to data, has been fixed (see security advisory
896 FreeBSD-SA-01:30). &merged;</para>
898 <para>A remotely-exploitable vulnerability in &man.ntpd.8; has
899 been closed (see security advisory FreeBSD-SA-01:31). &merged;</para>
901 <para>A security hole in <application>IPFilter</application>'s
902 fragment cache has been closed (see
903 security advisory FreeBSD-SA-01:32). &merged;</para>
905 <para>Buffer overflows in &man.glob.3;, which could cause
906 arbitrary code to be run on an FTP server, have been closed. In
907 addition, to prevent some forms of DoS attacks, &man.glob.3;
908 allows specification of a limit on the number of pathname matches
909 it will return. &man.ftpd.8; now uses this feature (see security
910 advisory FreeBSD-SA-01:33). &merged;</para>
912 <para>Initial sequence numbers in TCP are more thoroughly
913 randomized (see security advisory FreeBSD-SA-01:39). Due to some
914 possible compatibility issues, the behavior of this security fix
915 can be enabled or disabled via the
916 <varname>net.inet.tcp.tcp_seq_genscheme</varname> sysctl
917 variable. &merged;</para>
919 <para>The new <varname>net.inet.ip.maxfragpackets</varname>
920 and <varname>net.inet6.ip6.maxfragpackets</varname> sysctl
921 variables limit the amount of memory that can be consumed by IPv4
922 and IPv6 packet fragments, which defends against some denial of service
923 attacks. &merged;</para>
925 <para>A vulnerability in the &man.fts.3; routines (used by
926 applications for recursively traversing a filesystem) could
927 allow a program to operate on files outside the intended directory
928 hierarchy. This bug has been fixed (see security advisory
929 FreeBSD-SA-01:40). &merged;</para>
931 <para>&os;'s TCP implementation has been made more resistant to
932 SYN floods, by eliminating the RST segment normally sent when
933 removing a connection from the listen queue.</para>
935 <para><application>OpenSSH</application> now switches to the
936 user's UID before attempting to unlink the authentication
937 forwarding file, nullifying the effects of a race.</para>
939 <para>A flaw allowed some signal handlers to remain in effect in a
940 child process after being exec-ed from its parent. This allowed
941 an attacker to execute arbitrary code in the context of a setuid
942 binary. This flaw has been corrected (see security advisory
943 FreeBSD-SA-01:42). &merged;</para>
946 <title>Userland Changes</title>
948 <para>&man.cdcontrol.1; now supports a <literal>cdid</literal>
949 command, which calculates and displays the CD serial number, using
950 the same algorithm used by the CDDB database. &merged;</para>
952 <para>&man.mtree.8; now includes support for a file that lists
953 pathnames to be excluded when creating and verifying prototypes.
954 This makes it easier to use &man.mtree.8; as a part of an
955 intrusion-detection system. &merged;</para>
957 <para>&man.ls.1; can produce colorized listings with the
958 <option>-G</option> flag (and appropriate terminal
959 support). &merged;</para>
961 <para>&man.sysinstall.8; now properly preserves
962 <filename>/etc/mail</filename> during a binary upgrade. &merged;</para>
964 <para>The &man.truncate.1; utility, which truncates or extends the length
965 of files, has been added. &merged;</para>
967 <para>&man.syslogd.8; can take a <option>-n</option> option to
968 disable DNS queries for every request. &merged;</para>
970 <para>&man.kenv.1;, a command to dump the kernel environment, has
971 been added. &merged;</para>
973 <para>The behavior of &man.periodic.8; is now controlled by
974 <filename>/etc/defaults/periodic.conf</filename> and
975 <filename>/etc/periodic.conf</filename>. &merged;</para>
977 <para arch="i386">&man.boot98cfg.8;, a PC-98 boot manager installation and
978 configuration utility, has been added. &merged;</para>
980 <para>&man.logger.1; can now send messages directly to a remote
981 syslog. &merged;</para>
983 <para arch="i386">&man.gdb.1; now supports hardware watchpoints (using the
984 kernel's debug register support that has been introduced in
985 &os; 4.0). &merged;</para>
987 <para>&man.which.1; is now a C program, rather than a Perl
990 <para>&man.killall.1; is now a C program, rather than a Perl
991 script. As a result, its <option>-m</option> option now uses the
992 regular expression syntax of &man.regex.3;, rather than that of
993 &man.perl.1;. &merged;</para>
995 <para>&man.killall.1; now allows non-root users to kill SUID root
996 processes that they started, the same as the Perl version did.</para>
998 <para>&man.finger.1; now has the ability to support fingering
999 aliases, via the &man.finger.conf.5; file. &merged;</para>
1001 <para>&man.finger.1; now has support for a
1002 <filename>.pubkey</filename> file.</para>
1004 <para>nsswitch support has been merged from NetBSD. By creating
1005 an &man.nsswitch.conf.5; file, FreeBSD can be configured so that
1006 various databases such as &man.passwd.5; and &man.group.5; can be
1007 looked up using flat files, NIS, or Hesiod. The old
1008 <filename>hosts.conf</filename> file is no longer used.</para>
1010 <para>RSA Security has waived all patent rights to the RSA
1012 result, the native <application>OpenSSL</application>
1013 implementation of the RSA algorithm is now activated by default,
1014 and the <filename>rsaref</filename> port and
1015 <filename>librsaUSA</filename> are no longer required for USA
1016 residents. &merged;</para>
1018 <para>The &man.ifconfig.8; command can set the link-layer address
1019 of an interface. &merged;</para>
1021 <para>&man.ifconfig.8; can now accept addresses in slash/CIDR
1022 notation. &merged;</para>
1024 <para>&man.ifconfig.8; now has support for setting parameters for
1025 IEEE 802.11 wireless network devices. &man.wi.4; and
1026 &man.an.4; devices are supported, and partial support is provided
1027 for &man.awi.4; devices. &merged;</para>
1029 <para>&man.ifconfig.8; no longer displays the list of supported
1030 media by default. Instead it displays it when the
1031 <option>-m</option> option is given. &merged;</para>
1033 <para>&man.setproctitle.3; has been moved from
1034 <filename>libutil</filename> to
1035 <filename>libc</filename>. &merged;</para>
1037 <para>&man.chio.1; now has the ability to specify elements by
1038 volume tag instead of by their physical location as well as the
1039 ability to return an element to its previous location. &merged;</para>
1041 <para>&man.sed.1; now takes a <option>-E</option> option for
1042 extended regular expression support. &merged;</para>
1044 <para>&man.ln.1; now takes an <option>-i</option> option to
1045 request user confirmation before overwriting an existing
1046 file. &merged;</para>
1048 <para>&man.ln.1; now takes a <option>-h</option> flag to avoid
1049 following a target that is a link, with a <option>-n</option> flag
1050 for compatibility with other implementations. &merged;</para>
1052 <para>Userland &man.ppp.8; has received a number of updates and
1053 bug fixes. &merged;</para>
1055 <para>&man.make.1; has gained the <literal>:C///</literal>
1056 (regular expression substitution), <literal>:L</literal>
1057 (lowercase), and <literal>:U</literal> (uppercase) variable
1058 modifiers. These were added to reduce the differences between the
1061 &man.make.1; programs. &merged;</para>
1063 <para>Bugs in &man.make.1;, including broken null suffix
1064 behavior, bad assumptions about current directory permissions, and
1065 potential buffer overflows, have been fixed. &merged;</para>
1067 <para>The &os; <filename>Makefile</filename> infrastructure now
1068 supports the <varname>WARNS</varname> directive from NetBSD. This
1069 directive controls the addition of compiler warning flags to
1070 <varname>CFLAGS</varname> in a relatively compiler-neutral
1073 <para>&man.fsck.8; wrappers have been imported; this feature
1074 provides infrastructure for &man.fsck.8; to work on different
1075 types of filesystems (analogous to &man.mount.8;).</para>
1077 <para>The behavior of &man.fsck.8; when dealing with various
1078 passes (a la <filename>/etc/fstab</filename>) has been modified to
1079 accommodate multiple-disk filesystems.</para>
1081 <para>&man.style.perl.7;, a style guide for Perl code in the &os;
1082 base system, has been added.</para>
1084 <para>The <quote>in use</quote> percentage metric displayed by
1085 &man.netstat.1; now really reflects the percentage of network
1086 mbufs used. &merged;</para>
1088 <para>&man.netstat.1; now has a <option>-W</option> flag that
1089 tells it not to truncate addresses, even if they're too long for
1090 the column they're printed in. &merged;</para>
1092 <para>&man.netstat.1; now keeps track of input and output packets
1093 on a per-address basis for each interface. &merged;</para>
1095 <para>&man.netstat.1; now has a <option>-z</option> flag to reset
1098 <para>&man.sockstat.1; now has <option>-c</option> and
1099 <option>-l</option> flags for listing connected and listening
1100 sockets, respectively. &merged;</para>
1102 <para>&man.mergemaster.8; has gained some new features, has been
1103 cleaned up somewhat, and is now more cross-platform friendly.</para>
1105 <para>&man.mergemaster.8; now sources an
1106 <filename>/etc/mergemaster.rc</filename> file and also prompts the
1107 user to run recommended commands (such as
1108 <command>newaliases</command>) as needed. &merged;</para>
1110 <para>The compiler chain now uses the FSF-supplied C/C++ runtime
1111 initialization code. This change brings about better
1112 compatibility with code generated from the various egcs and gcc
1113 ports, as well as the stock public FSF source. &merged;</para>
1115 <para>The threads library has gained some signal handling changes,
1116 bug fixes, and performance enhancements (including zero system
1117 call thread switching). &man.gdb.1; thread support has been
1118 updated to match these changes. &merged;</para>
1120 <para>&man.chflags.1; has moved from <filename>/usr/bin</filename>
1121 to <filename>/bin</filename>.</para>
1123 <para>Use of the <literal>CMSG_*</literal> macros no longer
1124 requires inclusion of
1125 <filename>&lt;sys/param.h&gt;</filename>.</para>
1127 <para>IP Filter is now supported by the
1128 &man.rc.conf.5; boot-time configuration and
1129 initialization. &merged;</para>
1131 <para>The &man.lastlogin.8; utility, which prints the last login
1132 time of each user, has been imported from
1133 NetBSD. &merged;</para>
1135 <para>&man.last.1; now implements a <option>-d</option> option that
1136 provides a <quote>snapshot</quote> of who was logged in at a
1137 particular date and time.</para>
1139 <para>&man.newfs.8; now implements write combining, which can make
1140 creation of new filesystems up to seven times
1141 faster. &merged;</para>
1143 <para>&man.newfs.8; now takes a <option>-U</option> option to
1144 enable softupdates on a new filesystem. &merged;</para>
1146 <para>The default number of cylinders per group in &man.newfs.8;
1147 is now 22, up from 16.</para>
1149 <para>A number of buffer overflows in &man.config.8; have been
1150 fixed. &merged;</para>
1152 <para>&man.pwd.1; can now double as &man.realpath.1;, a program to
1153 resolve pathnames to their underlying physical paths. &merged;</para>
1155 <para>&man.stty.1; now has support for an
1156 <literal>erase2</literal> control character, so that, for example,
1157 both the <keycap>Delete</keycap> and <keycap>Backspace</keycap>
1158 keys can be used to erase characters. &merged;</para>
1160 <para>The &man.ibcs2.8;, &man.linux.8;, &man.osf1.8;, and &man.svr4.8;
1161 scripts, whose sole purpose was to load emulation
1162 kernel modules, have been removed. The kernel module system will
1163 automatically load them as needed to fulfill dependencies.</para>
1165 <para>&man.top.1; will now use the full width of its tty.</para>
1167 <para>&man.growfs.8;, a utility for growing FFS filesystems, has
1168 been added. &man.ffsinfo.8;, a utility for dumping all the
1169 meta-information of an existing filesystem, has also been
1172 <para>&man.indent.1; has gained some new formatting
1173 options. &merged;</para>
1175 <para>&man.sysinstall.8; now uses some more intuitive defaults
1176 thanks to some new dialog support functions. &merged;</para>
1178 <para>The default root partition in &man.sysinstall.8; is now
1179 100MB on the i386 and 120MB on the alpha.</para>
1181 <para>&man.xargs.1; gained a <option>-J</option> option which allows
1182 the user to specify exactly where in the command line the input should
1183 be retrofitted. &merged;</para>
1185 <para>Shortly after the receipt of a <literal>SIGINFO</literal>
1186 signal (normally control-T from the controlling tty), &man.fsck.ffs.8;
1187 will now output a line indicating the current phase number and
1188 progress information relevant to the current phase. &merged;</para>
1190 <para>&man.fsck.ffs.8; now supports background filesystem checks
1191 to mounted FFS filesystems with the <option>-B</option> option
1192 (softupdates must be enabled on these filesystems). The
1193 <option>-F</option> flag now determines whether a specified
1194 filesystem needs foreground checking.</para>
1196 <para>&man.fsck.8; now has support for foreground
1197 (<option>-F</option>) and background (<option>-B</option>) checks.
1198 Traditionally, &man.fsck.8; is invoked before the filesystems are
1199 mounted and all checks are done to completion at that time. If
1200 background checking is available, &man.fsck.8; is invoked twice.
1201 It is first invoked at the traditional time, before the
1202 filesystems are mounted, with the <option>-F</option> flag to do
1203 checking on all the filesystems that cannot do background
1204 checking. It is then invoked a second time, after the system has
1205 completed going multiuser, with the <option>-B</option> flag to do
1206 checking on all the filesystems that can do background checking.
1207 Unlike the foreground checking, the background checking is started
1208 asynchronously so that other system activity can proceed even on
1209 the filesystems that are being checked. Boot-time enabling of
1210 this feature is controlled by the
1211 <varname>background_fsck</varname> option in &man.rc.conf.5;.</para>
1213 <para>A new &man.fsck.msdosfs.8; utility has been added to check
1214 the consistency of MS-DOS filesystems.</para>
1216 <para>Catching up with most other network utilities in the base
1217 system, &man.lpr.1;, &man.lpd.8;, &man.syslogd.8;, and
1218 &man.logger.1; are now all IPv6-capable. &merged;</para>
1220 <para arch="i386"><filename>libdisk</filename> can now do
1221 install-time configuration of the &arch; <filename>boot0</filename>
1222 boot loader. &merged;</para>
1224 <para>The <option>-v</option> option to &man.rm.1; now displays
1225 the entire pathname of a file being removed.</para>
1227 <para>&man.lpr.1;, &man.lpq.1;, and &man.lpd.8; have received a
1228 few minor enhancements. &merged;</para>
1230 <para>&man.lpd.8; now takes two new options: <option>-c</option>
1231 will log all connection errors to &man.syslogd.8;, while
1232 <option>-w</option> will allow connections from non-reserved
1233 ports. &merged;</para>
1235 <para>&man.lpc.8; has been improved; <command>lpc clean</command>
1236 is now somewhat safer, and a new <command>lpc tclean</command>
1237 command has been added to check to see what files would be removed
1238 by <command>lpc clean</command>. &merged;</para>
1240 <para>If the first argument to &man.ancontrol.8; or
1241 &man.wicontrol.8; doesn't start with a <literal>-</literal>, it is
1242 assumed to be an interface.</para>
1244 <para>&man.rdist.1; has been retired.</para>
1246 <para>&man.ppp.8; has gained the <literal>tcpmssfixup</literal>
1247 option, which adjusts outgoing TCP SYN packets so that the maximum
1248 receive segment size is no larger than allowed by the interface
1251 <para><filename>libcrypt</filename> and
1252 <filename>libdescrypt</filename> have been unified to provide a
1253 configurable password authentication hash library. Both the md5
1254 and des hash methods are provided unless the des hash is
1255 specifically compiled out.</para>
1257 <para>&man.passwd.1; and &man.pw.8; now select the password hash
1258 algorithm at run time. See the <literal>passwd_format</literal>
1259 attribute in <filename>/etc/login.conf</filename>.</para>
1261 <para>In preparation for meeting SUSv2/POSIX
1262 <filename>&lt;sys/select.h&gt;</filename> requirements,
1263 <literal>struct selinfo</literal> and related functions have been
1264 moved to <filename>&lt;sys/selinfo.h&gt;</filename>.</para>
1266 <para>&man.syslogd.8; now supports a <literal>LOG_CONSOLE</literal>
1267 facility (disabled by
1268 default), which can be used to log <filename>/dev/console</filename>
1269 output. &merged;</para>
1271 <para>&man.rpcgen.1; now uses <filename>/usr/bin/cpp</filename>
1272 (as on NetBSD), not <filename>/usr/libexec/cpp</filename>.</para>
1274 <para>Boot-time &man.syscons.4; configuration was moved to a
1275 machine-independent <filename>/etc/rc.syscons</filename>. &merged;</para>
1277 <para>&man.burncd.8; now supports a <option>-m</option> option for
1278 multisession mode (the default behavior now is to close disks as
1279 single-session). A <option>-l</option> option to take a list of
1280 image files from a filename was also added; <filename>-</filename>
1281 can be used as a filename for <literal>stdin</literal>. &merged;</para>
1283 <para>&man.dmesg.8; now has a <option>-a</option> option to show
1284 the entire message buffer, including &man.syslogd.8; records and
1285 <filename>/dev/console</filename> output. &merged;</para>
1287 <para>&man.cdcontrol.1; now uses the <literal>CDROM</literal>
1288 environment variable to pick a default device. &merged;</para>
1290 <para>&man.cdcontrol.1; now supports <literal>next</literal> and
1291 <literal>prev</literal> commands to skip forwards or backwards a
1292 specified number of tracks while playing an audio CD.</para>
1294 <para>&man.sysctl.8; now supports a <option>-N</option> option to
1295 print out variable names only.</para>
1297 <para>&man.sysctl.8; has replaced the <option>-A</option> and
1298 <option>-X</option> options with <option>-ao</option> and
1299 <option>-ax</option> respectively; the former options are now
1300 deprecated. The <option>-w</option> option is deprecated as well; it is
1301 not needed to determine the user's intentions.</para>
1303 <para>&man.sysinstall.8; now lives in <filename>/usr/sbin</filename>,
1304 which simplifies the installation process. The &man.sysinstall.8;
1305 manpage is also installed in a more consistent fashion now.</para>
1307 <para>&man.config.8; is now better about converting various
1308 warnings that should
1309 have been errors into actual fatal errors with an exit code. This
1310 ensures that <literal>make buildkernel</literal>
1311 doesn't quietly ignore them and
1312 build a bogus kernel without a human to read the errors. &merged;</para>
1314 <para><filename>libc</filename> is now thread-safe by default;
1315 <filename>libc_r</filename> contains only thread functions.</para>
1317 <para>&man.find.1; now takes the <option>-empty</option> flag,
1318 which returns true if a file or directory is empty. &merged;</para>
1320 <para>&man.find.1; now takes the <option>-iname</option> and
1321 <option>-ipath</option> primaries for case-insensitive matches,
1322 and the <option>-regexp</option> and <option>-iregexp</option>
1323 primaries for regular-expression matches. The <option>-E</option>
1324 flag now enables extended regular expressions. &merged;</para>
1326 <para>&man.find.1; now has the <option>-anewer</option>,
1327 <option>-cnewer</option>, <option>-mnewer</option>,
1328 <option>-okdir</option>, and <option>-newer[acm][acmt]</option>
1329 primaries for comparisons of file timestamps. &merged;</para>
1331 <para>&man.tftpd.8; now takes the <option>-c</option> and
1332 <option>-C</option> options, which allow the server to
1333 &man.chroot.2; based on the IP address of the connecting client.
1334 &man.tftp.1; and &man.tftpd.8; can now transfer files larger than
1335 65535 blocks. &merged;</para>
1337 <para>&man.vidcontrol.1; now accepts a <option>-g</option>
1338 parameter to select custom text geometry in the
1339 <literal>VESA_800x600</literal> raster text mode. &merged;</para>
1341 <para>&man.ldconfig.8; now checks directory ownerships and
1342 permissions for greater security; these checks can be disabled
1343 with the <option>-i</option> flag. &merged;</para>
1345 <para>The &man.rfork.thread.3; library call has been added as a
1346 helper function to &man.rfork.2;. Using this function should
1347 avoid the need to implement complex stack swap
1348 code. &merged;</para>
1350 <para>Significant additions have been made to internationalization
1351 support; &os; now has complete locale support for the
1352 <literal>LC_MONETARY</literal>, <literal>LC_NUMERIC</literal>, and
1353 <literal>LC_MESSAGES</literal> categories. A number of
1354 applications have been updated to take advantage of this
1357 <para>Locale names have been changed to improve compatibility with
1358 the names used by X11R6, as well as a number of other UNIX
1359 versions. As an example, the <literal>en_US.ISO_8859-1</literal>
1360 locale name has been changed to
1361 <literal>en_US.ISO8859-1</literal>. Entries in
1362 <filename>/etc/locale.alias</filename> provide backward
1363 compatibility.</para>
1365 <para>A <filename>compat4x</filename> distribution has been added
1366 for compatibility with &os; 4-STABLE.</para>
1369 <filename>compat3x</filename> distribution has been updated to
1370 include libraries present in &os; 3.5.1-RELEASE. &merged;</para>
1372 <para>&man.savecore.8; now supports a <option>-k</option> option
1373 to prevent clearing a crash dump after saving it. It also
1374 attempts to avoid writing large stretches of zeros to crash dump
1375 files to save space and time. &merged;</para>
1377 <para>&man.savecore.8; now works correctly on machines with 2 GB
1378 or more of RAM. &merged;</para>
1380 <para>&man.tar.1; now supports the <varname>TAR_RSH</varname>
1381 variable, principally to enable the use of &man.ssh.1; as a
1382 transport. &merged;</para>
1384 <para>&man.disklabel.8; now supports partition sizes expressed in
1385 kilobytes, megabytes, or gigabytes, in addition to sectors. &merged;</para>
1387 <para>The pseudo-random number generator implemented by
1388 &man.rand.3; has been improved to provide less biased results.</para>
1390 <para>&man.login.1; now exports environment variables set by
1391 <application>PAM</application> modules. &merged;</para>
1393 <para><application>PAM</application> support has been added for
1394 account management and sessions.</para>
1396 <para>&man.su.1; now uses <application>PAM</application> for
1397 authentication.</para>
1399 <para>&man.wall.1; now supports a <option>-g</option> flag to
1400 write a message to all users of a given group.</para>
1402 <para>The new <varname>CPUTYPE</varname>
1403 <filename>make.conf</filename> variable controls the compilation
1404 of processor-specific optimizations in various pieces of code such
1405 as <application>OpenSSL</application>. &merged;</para>
1407 <para>The default value for &man.cvs.1;'s
1408 <varname>CVS_RSH</varname> variable is now <literal>ssh</literal>,
1409 rather than <literal>rsh</literal>. &merged;</para>
1411 <para>&man.ipfstat.8; now supports the <option>-t</option> option
1412 to turn on a &man.top.1;-like display. &merged;</para>
1414 <para><filename>/usr/src/share/examples/BSD_daemon/</filename> now
1415 contains a scalable Beastie graphic. &merged;</para>
1417 <para>&man.dump.8; now supports inheritance of the
1418 <literal>nodump</literal> flag down a hierarchy. &merged;</para>
1420 <para>The <option>-T</option> option to &man.dump.8; no longer swallows
1421 an extra argument. &merged;</para>
1423 <para>&man.dump.8; has a new <option>-D</option> option, allowing
1424 the path to the <filename>/etc/dumpdates</filename> file to be
1425 changed. &merged;</para>
1427 <para>&man.split.1; now has the ability to split a file longer
1428 than 2GB. &merged;</para>
1430 <para>&man.tail.1; now has the ability to work on files longer
1431 than 2GB. &merged;</para>
1433 <para>&man.units.1; has received some updates and bugfixes. &merged;</para>
1435 <para>As part of an ongoing process, many manual pages were
1436 improved, both in terms of their formatting markup and in their
1437 content. &merged;</para>
1439 <para><command>lprm -</command> now works for remote printer
1440 queues. &merged;</para>
1442 <para>&man.ftpd.8; now supports a <option>-r</option> flag for
1443 read-only mode and a <option>-E</option> flag to disable
1444 <literal>EPSV</literal>. It also has some fixes to reduce
1445 information leakage and the ability to specify compile-time port
1446 ranges. &merged;</para>
1448 <para>&man.ping.8; now supports a <option>-m</option> option to
1449 set the TTL of outgoing packets. &merged;</para>
1451 <para>&man.ping.8; now supports a <option>-A</option> option to
1452 beep when packets are lost.</para>
1454 <para>A version of Transport Independent RPC
1455 (<application>TI-RPC</application>) has been imported.</para>
1457 <para>&man.rpcbind.8; has replaced &man.portmap.8;.</para>
1459 <para>NFS now works over IPv6.</para>
1461 <para>&man.rpc.lockd.8; has been imported from NetBSD.</para>
1463 <para>&man.rc.8; now has a framework for handling dependencies between
1464 &man.rc.conf.5; variables. &merged;</para>
<para>&man.rc.8; now deletes all non-directory files in
<filename>/var/run</filename> and
<filename>/var/spool/lock</filename> at boot time.</para>
<para>The &man.setfacl.1; and &man.getfacl.1; commands have been
added to manage file system Access Control Lists.</para>
<para>The default TCP port range used by
<filename>libfetch</filename> for passive FTP retrievals has
changed; this affects the behavior of &man.fetch.1;, which has
gained the <option>-U</option> option to restore the old
behavior. &merged;</para>
<para><filename>libfetch</filename> now has support for an
authentication callback.
<para><filename>libfetch</filename> now has support for a
<varname>HTTP_USER_AGENT</varname> environment variable. &merged;</para>
<para>&man.atacontrol.8; has been added to control various aspects
of the &man.ata.4; driver.</para>
<para><filename>libcrypt</filename> now has support for Blowfish
password hashing. &merged;</para>
<para>The functions from <filename>libposix1e</filename> have been
integrated into <filename>libc</filename>.</para>
<para>&man.vidcontrol.1; now allows the user to omit the font size
specification when loading a font, and has some better
error-handling. &merged;</para>
<para>&man.vidcontrol.1; now supports a <option>-p</option> option to
take a snapshot of a &man.syscons.4; video buffer. These
snapshots can be manipulated by some of the
<filename>scr2*</filename> utilities in the Ports
Collection. &merged;</para>
<para>&man.vidcontrol.1; now supports a <option>-H</option> option
to clear the history buffer for a given tty.</para>
<para>devinfo, a simple tool to print the device tree and resource usage by
devices, has been added.</para>
<para>&man.fmtcheck.3;, a function for checking consistency of
format string arguments, has been added.</para>
<para>&man.nl.1;, a line numbering filter program, has been added.</para>
<para>&man.c89.1; has been converted from a shell script to a
binary executable, fixing some minor bugs. &merged;</para>
<para>&man.pax.1; has received a number of enhancements, including
&man.cpio.1; functionality, &man.tar.1; compatibility
enhancements, <option>-z</option> and <option>-Z</option> flags
for &man.gzip.1; and &man.compress.1; functionality, and a number
of bug fixes.</para>
<para>Ukrainian language support has been added to the &os;
console. &merged;</para>
<para>The performance of the ELF dynamic linker &man.rtld.1; has
been improved. &merged;</para>
<para>&man.fdread.1;, a program to read data from floppy disks,
has been added. It is a counterpart to &man.fdwrite.1; and is
designed to provide a means of recovering at least some data from
bad media, and to obviate the need for a complex invocation of
<para>&man.xargs.1; now supports a <option>-J</option>
<replaceable>replstr</replaceable> option that allows the user to
tell &man.xargs.1; to insert the data read from standard input at
a specific point in the command line arguments rather than at the
<para>&man.apmd.8; now supports monitoring of the battery state via the
<literal>apm_battery</literal> configuration directive.</para>
<para>&man.telnet.1; now does autologin and encryption by default;
a new <option>-y</option> option turns off encryption.</para>
<para>&man.telnet.1; now supports a <option>-u</option> flag to
allow connections to UNIX-domain (<literal>AF_UNIX</literal>)
sockets. &merged;</para>
<para>The default stripe size in &man.vinum.8; has been changed
from 256KB to 279KB, to spread out superblocks more evenly between
<para>&man.chown.8; now correctly follows symbolic links named as
command line arguments if run without <option>-R</option>.</para>
<para>&man.chown.8; no longer takes <literal>.</literal> as a
user/group delimiter. This change was made to support usernames
containing a <literal>.</literal>.</para>
<para>&man.chmod.1; now supports a <option>-h</option> option for
changing the mode of a symbolic link.</para>
<para>&man.install.1; has a number of new features, including the
<option>-b</option> and <option>-B</option> options for backing up
existing target files and the <option>-S</option> option for
<quote>safe</quote> (atomic copy) operation. The
<option>-c</option> (copy) flag is now the default, and the
<option>-D</option> (debugging) flag has been withdrawn.
&man.install.1; now issues a warning if <option>-d</option>
(create directories) and <option>-C</option> (copy changed files
only) are used together.</para>
<para>&man.whois.1; now directs queries for IP addresses to
ARIN. &merged; If a query to ARIN references APNIC or RIPE, the
appropriate server will also be queried, provided that the
<option>-Q</option> option is not specified.</para>
<para>A new utility &man.diskcheckd.8; has been added; it is a
daemon which runs in the background, reading entire disks to find
any read errors on those disks. Its behavior at startup time can
be controlled by the <varname>diskcheckd_enable</varname> variable
in &man.rc.conf.5;.</para>
<para>&man.fmt.1; has been rewritten; the rewrite fixes a number
of bugs compared to its prior behavior.</para>
<para>&man.df.1; now takes a <option>-l</option> option to only
display information about locally-mounted filesystems. &merged;</para>
<para>The syntax of &man.inetd.8;'s support for &man.faithd.8; is
now compatible with that of other BSDs. &merged;</para>
<para>The <literal>ident</literal> protocol support in &man.inetd.8; has
been cleaned up and updated.</para>
<para>&man.inetd.8; now has the ability to manage UNIX-domain
<para>&man.du.1; now takes a <option>-I</option> command-line flag
to ignore/skip files and subdirectories matching a specified
shell-glob mask. &merged;</para>
<para>The &man.resolver.3; in &os; now implements EDNS0 support,
which will be necessary when working with IPv6 transport-ready
resolvers/DNS servers. &merged;</para>
<para>&man.col.1; now takes a <option>-p</option> option to force unknown
control sequences to be passed through unchanged.</para>
<para>The &man.mdmfs.8; command has been added; it is a wrapper
around &man.mdconfig.8;, &man.disklabel.8;, &man.newfs.8;, and
&man.mount.8; that mimics the command line option set of the
deprecated &man.mount.mfs.8;.</para>
<para>The &man.getprogname.3; and &man.setprogname.3; library
functions have been added to manipulate the name of the current
program. They are used by error-reporting routines to produce
consistent output. &merged;</para>
<para>The &man.kldconfig.8; utility has been added to make it easier to
manipulate the kernel module search path.</para>
<para>&man.moused.8; now takes a <option>-a</option> option to control
mouse acceleration.</para>
<para arch="i386">&man.fdisk.8; no longer attempts to search for
a device if none has been specified on the command line, but
instead tries to figure out the default device name from the
<title>Contributed Software</title>
<para><application>bc</application> has been updated from 1.04 to
1.06. &merged;</para>
<para>The ISC library from the <application>BIND</application>
distribution is now built as
<filename>libisc</filename>. &merged;</para>
<para><application>Binutils</application> have been upgraded to
<para><application>bzip2</application> 1.0.1 has been imported; this
brings the &man.bzip2.1; program and the <filename>libbz2</filename>
library to the base system.</para>
<para><application>cvs</application> has been updated to
1.11. &merged;</para>
<para>The &man.ee.1; <application>Easy Editor</application> has
been updated to 1.4.2. &merged;</para>
<para>&man.file.1; has been contribify-ed, and updated to version
<para>&man.awk.1;, in the form of
<application>gawk</application>, has been upgraded from 3.0.4 to 3.0.6.
This fixes a number of non-critical bugs and includes a few
performance tweaks. &merged;</para>
<para><application>gcc</application> has been updated to 2.95.3. &merged;</para>
<para>&man.gcc.1; now uses a unified <filename>libgcc</filename>
rather than a separate one for threaded and non-threaded programs.
<filename>/usr/lib/libgcc_r.a</filename> can be removed.
<para>&man.gcc.1; now supports the environment variable
<varname>GCC_OPTIONS</varname>, which can hold a set of default
options for <application>GCC</application>.</para>
<para><application>GNATS</application> has been updated to
<para><application>gperf</application> has been updated to 2.7.2.</para>
<para><application>groff</application> and its related utilities
have been updated to FSF version 1.17.2. This import brings in a
new &man.mdoc.7; macro package (sometimes referred to as
<literal>mdocNG</literal>), which removes many of the
limitations of its predecessor. &merged;</para>
<para><application>Heimdal</application> has been updated to
<para>The <application>ISC DHCP</application> client has been
updated to 2.0pl5. &merged;</para>
<para><application>Kerberos IV</application> has been updated to
1.0.5. &merged;</para>
<para>The &man.more.1; command has been replaced by &man.less.1;,
although it can still be run as
<command>more</command>. <application>less</application> has
been imported at 3.5.8. &merged;</para>
<para><application>libpcap</application> has been updated to
<para><application>libreadline</application> has been upgraded to
<para><application>Linux-PAM</application> has been updated to
0.75. &merged;</para>
<para>A number of new <application>Linux-PAM</application> modules
have been added, including: <filename>pam_ftp</filename>,
<filename>pam_krb5</filename>,
<filename>pam_nologin</filename>,
<filename>pam_rootok</filename>,
<filename>pam_securetty</filename>,
<filename>pam_wheel</filename>.
<para><application>ncurses</application> has been updated to
5.2-20010512.</para>
<para>The <application>OPIE</application> one-time-password suite
has been updated to 2.32. &merged; It has completely replaced
the functionality of <application>S/Key</application>.</para>
<para><application>Perl</application> has been updated to version
<para>&man.route.8; is now more verbose when changing indirect
routes, in the case of a gateway route that is the same route as
the one being modified.</para>
<para>&man.route.8; now uses
<literal><replaceable>host</replaceable>/<replaceable>bits</replaceable></literal>
<literal><replaceable>net</replaceable>/<replaceable>bits</replaceable></literal>
syntax, for compatibility with &man.netstat.1;.</para>
<para>&man.route.8; can now create <quote>proxy only</quote>
published ARP entries.</para>
<para>&man.routed.8; has been updated to version 2.22. &merged;</para>
<para><application>tcpdump</application> has been updated to
<para>The &man.csh.1; shell has been replaced by &man.tcsh.1;,
although it can still be run as <command>csh</command>.
<application>tcsh</application> has been updated to version
6.10. &merged;</para>
<para>&man.traceroute.8; now takes its default maximum TTL value
from the <varname>net.inet.ip.ttl</varname> sysctl
variable. &merged;</para>
<sect4 id="kame-userland">
<para>The IPv6 stack is now based on the KAME
Project's IPv6 snapshot as of 28 May, 2001. Most of the
items listed in this section are a result of this import.
<xref linkend="kame-kernel"> lists kernel updates to the KAME
IPv6 stack. &merged;</para>
<para>&man.faithd.8; now supports a configuration file for
access control. &merged;</para>
<para>&man.ifconfig.8; can now perform the functions of
&man.gifconfig.8;. &merged;</para>
<para>&man.ifconfig.8; can now perform the functions of
&man.prefix.8;. &man.prefix.8; is now a shell script for
partial backwards compatibility. &merged;</para>
<para>&man.ndp.8; now implements garbage collection for stale
NDP entries, as described in RFC 2461 (Neighbor Discovery for
IP Version 6 (IPv6)). &merged;</para>
<para>&man.pim6dd.8; and &man.pim6sd.8; have been removed due to
restrictive licensing conditions. These programs are available
in the ports collection as <filename>net/pim6dd</filename> and
<filename>net/pim6sd</filename>. &merged;</para>
<para>&man.route6d.8; now supports a <option>-n</option> flag
to avoid updating the kernel forwarding table. &merged;</para>
<para>The <option>-R</option> (router renumbering) option to
&man.rtadvd.8; is currently ignored. &merged;</para>
<title>OpenSSH</title>
<para><application>OpenSSH</application> has been upgraded to
2.1.0, which provides support for the SSH2 protocol, including DSA
keys. Therefore, <application>OpenSSH</application> users in the
US no longer need to rely on the restrictively-licensed
RSAREF toolkit which is required to
handle RSA keys. <application>OpenSSH</application> 2.1 interoperates well with other SSH2
clients and servers, including the <filename>ssh2</filename> port.
See the <ulink url="http://www.openssh.com/">OpenSSH Web
site</ulink> for more details. &merged;</para>
<para><application>OpenSSH</application> can now authenticate
using OPIE passwords in SSH1 mode. Support is not yet available
in SSH2 mode. &merged;</para>
<para><application>OpenSSH</application> has been upgraded to
2.2.0. &man.ssh-add.1; and &man.ssh-agent.1; can now handle DSA
keys. A server for sftp, interoperable with ssh.com
clients and others has been added. &man.scp.1; can now handle
files larger than 2 GBytes. Interoperability with other SSH2
clients/servers has been improved. A new feature to limit the
number of outstanding unauthenticated ssh connections in
&man.sshd.8; has been added. &merged;</para>
<para><application>OpenSSH</application> has been upgraded to
2.3.0. This version adds support for the Rijndael encryption
algorithm. &merged;</para>
<para><application>PAM</application> support for
<application>OpenSSH</application> has been added.</para>
<para>A long-standing bug in <application>OpenSSH</application>,
which sometimes resulted in a dropped session when an
X11-forwarded client was closed, was fixed.</para>
<para><application>Kerberos</application> compatibility has been
added to <application>OpenSSH</application>. &merged;</para>
<para><application>OpenSSH</application> has been modified to be
more resistant to traffic analysis by requiring that
<quote>non-echoed</quote> characters are still echoed back in a
null packet, as well as by padding passwords sent so as not to
hint at password lengths. &merged;</para>
<para>&man.sshd.8; is now enabled by default on new
installs. &merged;</para>
<para>&man.sshd.8; <literal>X11Forwarding</literal> is now turned
on by default on the server (any risk is to the client, where it
is already disabled by default).</para>
<para>In <filename>/etc/ssh/sshd_config</filename>, the
<literal>ConnectionsPerPeriod</literal> parameter has been
deprecated in favor of <literal>MaxStartups</literal>.</para>
<para><application>OpenSSH</application> now has a
<literal>VersionAddendum</literal> configuration setting for
&man.sshd.8; to allow changing the part of the
<application>OpenSSH</application> version string after the
main version number.</para>
<para><application>OpenSSH</application> has been updated to
version 2.9, which adds two new programs, &man.sftp.1; and
&man.ssh-keyscan.1;. Among the various enhancements: The
default protocol is now v2, rekeying of existing SSH sessions
is now supported, and an experimental
<application>SOCKS4</application> proxy has been added to
<title>OpenSSL</title>
<para><application>OpenSSL</application> has been upgraded to
0.9.6a. &merged;</para>
<para><application>OpenSSL</application> now has support for
machine-dependent ASM optimizations, activated by the new
<varname>MACHINE_CPU</varname> and/or <varname>CPUTYPE</varname>
<filename>make.conf</filename> variables. &merged;</para>
<title>sendmail</title>
<para><application>sendmail</application> has been upgraded from
version 8.9.3 to version 8.11.4. Important changes include: new
default file locations (see
<filename>/usr/src/contrib/sendmail/cf/README</filename>);
&man.newaliases.1; is limited to <username>root</username> and
trusted users; STARTTLS encryption; and the MSA port (587) is
turned on by default. See
<filename>/usr/src/contrib/sendmail/RELEASE_NOTES</filename> for
more information. &merged;</para>
<para>&man.mail.local.8; is no longer installed as a SUID binary.
If you are using a <filename>/etc/mail/sendmail.cf</filename> from
the default <filename>sendmail.cf</filename> included with &os;
any time after 3.1.0, you are fine. If you are using a
hand-configured <filename>sendmail.cf</filename> and
<command>mail.local</command> for delivery, check to make sure the
<literal>F=S</literal> flag is set on the
<literal>Mlocal</literal> line. Those with
<filename>.mc</filename> files who need to add the flag can do so
by adding the following line to their <filename>.mc</filename>
file and regenerating the <filename>sendmail.cf</filename>
<programlisting>MODIFY_MAILER_FLAGS(`LOCAL',`+S')dnl</programlisting>
<para>Note that <literal>FEATURE(`local_lmtp')</literal> already
does this. &merged;</para>
<para>The default <filename>/etc/mail/sendmail.cf</filename>
disables the SMTP <literal>EXPN</literal> and
<literal>VRFY</literal> commands. &merged;</para>
<para>&man.vacation.1; has been updated to use the version included with
<application>sendmail</application>. &merged;</para>
<para>The <application>sendmail</application> configuration
building tools are installed in
<filename>/usr/share/sendmail/cf/</filename>. &merged;</para>
<para>New <filename>make.conf</filename> options:
<varname>SENDMAIL_MC</varname> and
<varname>SENDMAIL_ADDITIONAL_MC</varname>. See
<filename>/etc/defaults/make.conf</filename> for more
information. &merged;</para>
<para><filename>/etc/mail/Makefile</filename> now supports: the
new <varname>SENDMAIL_MC</varname> <filename>make.conf</filename>
option; the ability to build <filename>.cf</filename> files from
<filename>.mc</filename> files; generalized map rebuilding;
rebuilding the aliases file; and the ability to stop, start, and
restart <application>sendmail</application>. &merged;</para>
<title>Ports/Packages Collection</title>
<para>Version numbers of installed packages have a new
(backward-compatible) syntax, which supports the
<varname>PORTREVISION</varname> and <varname>PORTEPOCH</varname>
variables in Ports Collection <filename>Makefile</filename>s.
These changes help keep track of changes in the ports collection
entries such as security patches or &os;-specific updates, which
aren't reflected in the original, third-party software
distributions. &man.pkg.version.1; can now compare these
new-style version numbers. &merged;</para>
<para>To improve performance and disk utilization, the <quote>ports
skeletons</quote> in the FreeBSD Ports Collection have been restructured.
Installed ports and packages should not be affected. &merged;</para>
<para>All packages and ports now contain an <quote>origin</quote>
directive, which makes it easier for programs such as
&man.pkg.version.1; to determine the directory from which a
package was built. &merged;</para>
<para>&man.pkg.update.1;, a utility to update installed packages
and update their dependencies, has been added. &merged;</para>
<para>&man.pkg.info.1; now supports globbing against names of
installed packages. The <option>-G</option> option disables this
behavior, and the <option>-x</option> option causes regular
expression matching instead of shell globbing. &merged;</para>
<para>&man.pkg.info.1; can now accept a <option>-g</option> flag for
verifying an installed package against its recorded checksums (to
see if it's been modified post-installation). Naturally, this
mechanism is only as secure as the contents of
<filename>/var/db/pkg</filename> if it's to be used for auditing
purposes. &merged;</para>
<para>&man.pkg.create.1; and &man.pkg.add.1; can now work with
packages that have been compressed using
&man.bzip2.1;. &man.pkg.add.1; will use the PACKAGEROOT
environment variable to determine a mirror site for new
packages. &merged;</para>
<para>&man.pkg.create.1; now records dependencies in dependency
order rather than in the order specified on the command line.
This improves the functioning of <command>pkg_add
-r</command>. &merged;</para>
<para>&man.pkg.version.1; now has a version number comparison
routine that corresponds to the Porter's Handbook. It also has a
<option>-t</option> option for testing address comparisons.
<para>&man.pkg.version.1; now takes a <option>-s</option> flag
to limit its operation to ports/packages matching a given
string. &merged;</para>
<para>When requested to delete multiple packages,
&man.pkg.delete.1; will now attempt to remove them in dependency
order rather than the order specified on the command
line. &merged;</para>
<para>&man.pkg.delete.1; now can perform glob/regexp matching of
package names. In addition, it supports a <option>-a</option>
option for removing all packages and a <option>-i</option> option
for &man.rm.1;-style interactive confirmation. &merged;</para>
<para>&man.pkg.sign.1; and &man.pkg.check.1; have been added to
digitally sign and verify the signatures on binary package
files. &merged;</para>
<para><application>BSDPAN</application>, a collection of modules
that provides tighter integration of
<application>Perl</application> into the &os; Ports
Collection, has been added.</para>