2 <title>&os;/&arch; &release.current; Release Notes</title>
4 <corpauthor>The FreeBSD Project</corpauthor>
6 <pubdate>$FreeBSD$</pubdate>
12 <holder role="mailto:doc@FreeBSD.org">The FreeBSD Documentation Project</holder>
16 <para>The release notes for &os; &release.current; contain a summary
18 <![ %include.historic; [
19 the changes made in the &os; base system since &release.prev;.
21 <![ %no.include.historic; [
22 recent changes made to the &os; base system on the &release.branch;
25 Both changes for kernel and userland are listed, as well as
26 applicable security advisories that were issued since the last
27 release. Some brief remarks on upgrading are also presented.</para>
32 <title>Introduction</title>
34 <para>This document contains the release notes for &os;
35 &release.current; on the &arch.print; hardware platform. It
36 describes recently added, changed, or deleted features of &os;.
37 It also provides some notes on upgrading
38 from previous versions of &os;.</para>
40 <![ %release.type.snapshot [
42 <para>The &release.type; distribution to which these release notes
43 apply represents a point along the &release.branch; development
44 branch between &release.prev; and the future &release.next;. Some
45 pre-built, binary &release.type; distributions along this branch
46 can be found at <ulink url="&release.url;"></ulink>.</para>
50 <![ %release.type.release [
52 <para>This distribution of &os; &release.current; is a
53 &release.type; distribution. It can be found at <ulink
54 url="&release.url;"></ulink> or any of its mirrors. More
55 information on obtaining this (or other) &release.type;
56 distributions of &os; can be found in the <ulink
57 url="http://www.FreeBSD.org/handbook/mirrors.html"><quote>Obtaining
58 FreeBSD</quote> appendix</ulink> to the <ulink
59 url="http://www.FreeBSD.org/handbook/">FreeBSD
60 Handbook</ulink>.</para>
66 <title>What's New</title>
68 <para>This section describes
69 <![ %include.historic; [
70 the most user-visible new or changed features in &os;
72 In general, changes described here are unique to the &release.branch;
73 branch unless specifically marked as &merged; features.
75 <![ %no.include.historic; [
76 many of the user-visible new or changed features in &os;
77 since &release.prev;. It includes items that are unique to the
78 &release.branch; branch, as well as some features that may have been
80 other branches (after &os; &release.prev.historic;). The later
81 items are marked as &merged;.
85 <para>Typical release note items
86 document new drivers or hardware support, new commands or options,
87 major bugfixes, or contributed software upgrades. Applicable security
88 advisories issued after &release.prev; are also listed.</para>
90 <para>Many additional changes were made to &os; that are not listed
91 here for lack of space. For example, documentation was corrected
92 and improved, minor bugs were fixed, insecure coding practices
93 were audited and corrected, and source code was cleaned up.</para>
96 <title>Kernel Changes</title>
98 <para arch="i386" role="historic">The &man.amdpm.4; driver has been added to
99 provide access to the system monitoring functions of the AMD 756
100 chipset. &merged;</para>
102 <para role="historic">The &man.agp.4; driver for AGP devices has been
103 added. &merged;</para>
105 <para>A new &man.ddb.4; command <command>show pcpu</command> lists
106 some of the per-CPU data.</para>
108 <para role="historic">Two new &man.ddb.4; commands, <command>hwatch</command> and
109 <command>dhwatch</command>, have been introduced. Analogous to
110 <command>watch</command> and <command>dwatch</command>, they
111 install hardware watchpoints (as opposed to software
112 watchpoints) if supported by the architecture. &merged;</para>
114 <para>&man.devfs.5;, which allows entries in the
115 <filename>/dev</filename> directory to be built automatically
116 and supports more flexible attachment of devices, has been
117 largely reworked. &man.devfs.5; is now enabled by default and
118 can be disabled by the <literal>NODEVFS</literal> kernel
121 <para>The dgm driver has been removed in favor of the digi driver.</para>
123 <para>A new digi driver has been added to support PCI Xr-based and
124 ISA Xem Digiboard cards. A new &man.digictl.8; program is
125 (mainly) used to re-initialize cards that have external port
126 modules attached such as the PC/Xem.</para>
128 <para>An &man.eaccess.2; system call has been added, similar to
129 &man.access.2; except that the former uses effective credentials
130 rather than real credentials.</para>
132 <para arch="sparc64">Support has been added for EBus-based
135 <para arch="i386" role="historic">The &man.ichsmb.4; driver for the Intel 82801AA
136 (ICH) SMBus controller and compatibles has been
137 added. &merged;</para>
139 <para>Each &man.jail.2; environment can now run under its own
142 <para>The tunable sysctl variables for &man.jail.2; have moved
143 from <varname>jail.*</varname> to the
144 <varname>security.*</varname> hierarchy. Other security-related
145 sysctl variables have moved from <varname>kern.security.*</varname> to
146 <varname>security.*</varname>.</para>
148 <para role="historic">The <varname>kern.maxvnodes</varname> limit now properly
149 limits the number of vnodes in use. Previously only vnodes with
150 no cached pages could be freed; this could allow the number of
151 vnodes to grow without limit on large-memory machines accessing
152 many small files. A <literal>vnlru</literal> kernel thread
153 helps to flush and reuse vnodes. &merged;</para>
155 <para role="historic">The kernel message buffer is now accessible by the
156 (machine-independent) <varname>kern.msgbuf</varname> sysctl
157 variable; &man.dmesg.8; no longer needs to be SGID
158 <groupname>kmem</groupname>. &merged;</para>
160 <para>The kernel environment is now dynamic, and can be changed
161 via the new &man.kenv.2; system call.</para>
163 <para role="historic">The &man.kqueue.2; event notification facility was added to
164 the &os; kernel. This is a new interface which is able to
165 replace &man.poll.2;/&man.select.2;, offering improved
166 performance, as well as the ability to report many different
167 types of events. Support for monitoring changes in sockets,
168 pipes, fifos, and files are present, as well as for signals and
169 processes. &merged;</para>
171 <para arch="i386,pc98" role="historic">A new <varname>KVA_SPACE</varname> kernel option
172 can be used to reconfigure the size of the kernel virtual
173 address space. &merged;</para>
175 <para>The labpc(4) driver has been removed due to
176 <quote>bitrot</quote>.</para>
178 <para>The loader and kernel linker now look for files named
179 <filename>linker.hints</filename> in each directory with KLDs
180 for a module name and version to KLD filename mapping. The new
181 &man.kldxref.8; utility is used to generate these files.</para>
183 <para role="historic">Linux emulation now supports the kernel functionality
185 <filename role="package">emulators/linux_base</filename>
186 (RedHat 7.X emulation) port. &merged;</para>
188 <para role="historic">Linux emulation now requires <literal>options
189 SYSVSEM</literal> in the kernel configuration. &merged;</para>
191 <para>&man.lomac.4;, a Low-Watermark Mandatory Access Control
192 security facility, has been added as a kernel module. It
193 provides a drop-in security mechanism in addition to the
194 traditional UID-based security facilities, requiring no
195 additional configuration from the administrator. Work on this
196 feature was sponsored by DARPA and NAI Labs.</para>
198 <para role="historic">The <varname>maxusers</varname> kernel configuration
199 parameter is now a boot-time tunable variable. The kernel
200 parameters derived from <varname>maxusers</varname> are now also
201 tunables and can be overridden at boot-time. The
202 <varname>hz</varname> parameter is also now a
203 tunable. &merged;</para>
205 <para role="historic">Specifying a value of <literal>0</literal> for the
206 <varname>maxusers</varname> kernel configuration parameter will
207 now cause an appropriate value to be calculated at boot-time
208 (between 32 and 384, depending on the amount of memory present).
209 This value is now the default for all
210 <filename>GENERIC</filename> kernels. &merged;</para>
212 <para arch="alpha" role="historic">A <varname>MAXMEM</varname> kernel option,
213 along with the <varname>hw.physmem</varname> loader tunable, can
214 be used to artificially reduce the memory size of a machine for
215 testing (or other purposes). &merged;</para>
217 <para role="historic">The kernel configuration parameters
218 <varname>MAXTSIZ</varname>, <varname>DFLDSIZ</varname>,
219 <varname>MAXDSIZ</varname>, <varname>DFLSSIZ</varname>,
220 <varname>MAXSSIZ</varname>, and <varname>SGROWSIZ</varname> are
221 all loader tunables (<varname>kern.maxtsiz</varname>,
222 <varname>kern.maxdfldsiz</varname>, etc.). &merged;</para>
224 <para>&man.mutex.9; profiling code has been added, enabled by the
225 <literal>MUTEX_PROFILING</literal> kernel configuration option.
226 It enables the <varname>debug.mutex.prof.*</varname> hierarchy
227 of sysctl variables.</para>
229 <para arch="i386,pc98" role="historic">The <literal>NCPU</literal>,
230 <literal>NAPIC</literal>, <literal>NBUS</literal>, and
231 <literal>NINTR</literal> kernel configuration options,
232 for configuring SMP kernels, have been removed.
233 <literal>NCPU</literal> is now set to a maximum of 16,
234 and the other, aforementioned options are now
235 dynamic. &merged;</para>
237 <para role="historic">A &man.nmdm.4; null-modem terminal driver has been added.
240 <para role="historic">The <literal>O_DIRECT</literal> flag has been added to
241 &man.open.2; and &man.fcntl.2;. Specifying this flag for open
242 files will attempt to minimize the cache effects of reading and
243 writing. &merged;</para>
245 <para role="historic">An &man.orm.4; device has been added to claim the option
246 ROMs in the ISA memory I/O space, to prevent other drivers from
247 mistakenly assigning addresses that conflict with these
248 ROMs. &merged;</para>
250 <para arch="i386,pc98">PECOFF (Win32 Execution file format) support has
253 <para arch="pc98" role="historic">The pmc driver, which supports the power
254 management controller of the NEC PC-98NOTE, has been
255 added. &merged;</para>
257 <para role="historic">POSIX.1b Shared Memory Objects are now supported. The
258 implementation uses regular files, but automatically enables the
259 MAP_NOSYNC flag when they are &man.mmap.2;-ed. &merged;</para>
261 <para role="historic">Replaced the <literal>PQ_*CACHE</literal> options with a
262 single <literal>PQ_CACHESIZE</literal> option to be set to the
263 cache size in kilobytes. The old options are still supported
264 for backwards compatibility. &merged;</para>
266 <para arch="i386" role="historic">The &man.puc.4; (PCI <quote>Universal</quote>
267 Communications) driver has been added, to help connect PCI-based
268 serial ports to the &man.sio.4; driver. &merged;</para>
270 <para>The &man.random.4; device has been rewritten to use the
271 <application>Yarrow</application> algorithm. It harvests
272 entropy from a variety of interrupt sources, including the
273 console devices, Ethernet and point-to-point network interfaces,
274 and mass-storage devices. Entropy from the &man.random.4;
275 device is now periodically saved to files in
276 <filename>/var/db/entropy</filename>, as well as at shutdown
277 time. The semantics of <filename>/dev/random</filename> have
278 changed; it never blocks waiting for entropy bits but generates
279 a stream of pseudo-random data and now behaves exactly as
280 <filename>/dev/urandom</filename>.</para>
282 <para>A new kernel option, <literal>options REGRESSION</literal>,
283 enables interfaces and functionality intended for use during
284 correctness and regression testing.</para>
286 <para arch="sparc64">Support has been added for SBus-based
289 <para arch="sparc64">The se driver, which supports the Siemens
290 SAB82532 serial chip found on many newer Sparc Ultra machines,
291 has been added.</para>
293 <para role="historic">The &man.snp.4; device is no longer static and can now be
294 compiled as a module. &merged;</para>
296 <para arch="i386" role="historic">The &man.spic.4; driver, which provides access
297 to the Jog Dial device on some Sony laptops, has been
298 added. &man.moused.8; support for this device has also been
299 added. &merged;</para>
301 <para>The &man.syscons.4; driver now supports keyboard-controlled
302 pasting, by default bound to
303 <keycap>Shift</keycap>-<keycap>Insert</keycap>.</para>
305 <para role="historic">Support for USB devices was added to the
306 <filename>GENERIC</filename> kernel and to the installation
307 programs to support USB devices out of the box. Note that SRM
308 does not support USB devices at the moment, so you must still
309 use an AT keyboard if you are not using a serial
310 console. &merged;</para>
312 <para arch="i386,pc98" role="historic">The &man.umodem.4; driver for USB modems
313 has been added. Support is provided for the 3Com 5605 and
314 Metricom Ricochet GS wireless USB modems. &merged;</para>
316 <para arch="i386,pc98" role="historic">The &man.uscanner.4; driver for basic USB
317 scanner support using SANE has been added. See <ulink
318 url="http://www.mostang.com/sane/">the SANE home page</ulink>
319 for supported scanners. The HP ScanJet 4100C, 5200C and 6300C
320 are known to be working. &merged;</para>
322 <para>The &man.ucom.4; device driver has been added, to support USB
323 modems, serial devices, and other programs that need to look
324 like a tty. The related &man.uplcom.4; and &man.uvscom.4; drivers provide specific
325 support for the Prolific PL-2303 serial adapter and the SUNTAC
326 Slipper U VS-10U, respectively.</para>
328 <para>To increase security, the <literal>UCONSOLE</literal> kernel
329 configuration option has been removed.</para>
331 <para arch="i386,pc98">The UserConfig boot-time kernel configuration
332 feature, usually used to enable, disable, or configure ISA
333 devices, has been removed. Its functionality has been replaced
334 by the kernel hints file in
335 <filename>/boot/device.hints</filename>.</para>
337 <para>The <literal>USER_LDT</literal> kernel option is now
338 activated by default.</para>
340 <para>A VESA S3 linear framebuffer driver has been added.</para>
342 <para arch="i386" role="historic">The &man.viapm.4; driver for VIA SMBus
343 power management controllers has been added. &merged;</para>
345 <!-- Above this line, sort kernel changes by manpage/keyword-->
347 <para role="historic">Write combining for crashdumps has been implemented. This
348 feature is useful when write caching is disabled on both SCSI
349 and IDE disks, where large memory dumps could take up to an hour
350 to complete. &merged;</para>
352 <para>The kernel crashdump infrastructure has been revised, to
353 support new platforms and in general clean up the logic in the
354 code. One implication of this change is that the on-disk format
355 for kernel dumps has changed, and is now
356 byte-order-agnostic.</para>
358 <para>Extremely large swap areas (>67 GB) no longer panic the
361 <para arch="alpha">Support for threads under Linux emulation has
364 <para role="historic">The <maketarget>buildkernel</maketarget> target now gets the
365 name of the configuration(s) to build from the
366 <varname>KERNCONF</varname> variable, not
367 <varname>KERNEL</varname>. It is no longer required, in some
368 cases, for a <maketarget>buildworld</maketarget> to precede a
369 <maketarget>buildkernel</maketarget>. (The
370 <maketarget>buildworld</maketarget> is still required when
371 upgrading across major releases, across
372 <application>binutil</application> updates and when
373 &man.config.8; changes version.) &merged;</para>
375 <para role="historic">The out-of-swap process termination code now begins killing
376 processes earlier to avoid deadlocks; it now also takes into
377 account the swap space used by processes when computing the
378 process sizes. &merged;</para>
380 <para>Linker sets are now self-contained; gensetdefs(8) is
381 unnecessary and has been removed.</para>
383 <para role="historic">Network device cloning has been implemented, and the
384 &man.gif.4; device has been modified to take advantage of it.
385 Thus, instead of specifying how many &man.gif.4; interfaces are
386 available in kernel configuration files, &man.ifconfig.8;'s
387 <option>create</option> option should be used when another device
388 instance is desired. &merged;</para>
390 <para>It is now possible to hardwire kernel environment variables
391 (such as tuneables) at compile-time using &man.config.8;'s
392 <literal>ENV</literal> directive.</para>
394 <para>Idle zeroing of pages can be enabled with the
395 <varname>vm.idlezero_enable</varname> sysctl variable.</para>
397 <para arch="i386,pc98" role="historic">The load addresses of kernels are now exported
398 to the symbol table and various hard-coded constants have been
399 removed so that utilities such as &man.ps.1; can work with
400 kernels compiled at different addresses. &merged;</para>
402 <para role="historic">Coredumps of large processes (or of a large number of
403 processes) no longer lock up the machine for long periods of
404 time. &merged;</para>
406 <para>The Kernel-Scheduled Entity project has made changes to the
407 kernel scheduler to more efficiently handle multi-threaded
410 <para>The kernel now has support for multiple low-level console
411 devices. The new &man.conscontrol.8; utility helps to manage
412 the different consoles.</para>
414 <para arch="alpha">The console driver has gained support for
415 TGA-based display adapters.</para>
417 <para role="historic">The kernel on the installation CDs is now separated from the
418 <filename>mfsroot</filename> image. This permits the use of a
419 full kernel when installing from CD on machines that support CD
420 booting (instead of the stripped-down kernel used on
421 floppies). &merged;</para>
423 <para role="historic">The system load average computation now adds some jitter to
424 the timing of samples, in order to avoid synchronization with
425 processes that run periodically. &merged;</para>
427 <para role="historic">If a debugging kernel with modules is being built
428 (i.e. using <literal>makeoptions DEBUG=-g</literal>), the
429 modules will now be built with debugging support as well, for
430 completeness. A side effect of this change is that modules
431 built and installed with debugging kernels will now occupy more
432 space on disk than they did previously. &merged;</para>
434 <para role="historic">The kernel dump device can now be set via the
435 <varname>dumpdev</varname> loader tunable. As a result, it is
436 now possible to obtain crash dumps from panics during the late
437 stages of kernel initialization (before the system enters into
438 single-user mode). &merged;</para>
440 <para>The kernel memory allocator is now a slab memory allocator,
441 similar to that used in Solaris. This is a SMP-safe memory
442 allocator that has near-linear performance as the number of CPUs
443 increases. It also allows for reduced memory
444 fragmentation.</para>
447 <title>Processor/Motherboard Support</title>
449 <para>SMP support has been largely reworked, incorporating code
450 from BSD/OS 5.0. One of the main features of SMPng
451 (<quote>SMP Next Generation</quote>) is to allow more
452 processes to run in kernel, without the need for spin locks
453 that can dramatically reduce the efficiency of multiple
454 processors. Interrupt handlers now have contexts associated
455 with them that allow them to be blocked, which reduces the
456 need to lock out interrupts.</para>
458 <para arch="i386,pc98">Support for the 80386 processor has been
459 removed from the <filename>GENERIC</filename> kernel, as this
460 code seriously pessimizes performance on other IA32
462 The <literal>I386_CPU</literal> kernel option
463 to support the 80386 processor is now mutually exclusive with
464 support for other IA32 processors; this should slightly
465 improve performance on the 80386 due to the elimination of
466 runtime processor type checks.
467 Custom kernels that will run on the 80386 can
468 still be built by changing the cpu options in the kernel
469 configuration file to only include
470 <literal>I386_CPU</literal>.</para>
472 <para arch="alpha" role="historic">AlphaServer 1200 (<quote>Tincup</quote>) has
473 been tested and works OK. Currently it does not want to boot
474 from CD or floppy but a transplanted disk that was installed
475 on another Alpha works well. &merged;</para>
477 <para arch="alpha">The API UP1100 mainboard has been verified to
480 <para arch="alpha">The API CS20 1U high server has been verified
483 <para arch="alpha">The DEC3000 series support has been removed
484 from the mfsroot floppy image so that it fits on a 1.44 Mbyte
485 floppy again. As the DEC3000 is currently only usable diskless
486 this should not cause any problems.</para>
488 <para arch="alpha">Support for AlphaServer 2100A
489 (<quote>Lynx</quote>) has been added.</para>
491 <para arch="alpha">Kernel code has been added that allows older
492 generation Alpha CPUs (EV4 and EV5) to emulate instructions of
493 the newer Alpha CPU generations. This enables the use of
494 binary-only programs like <application>Adobe Acrobat
495 4</application> on EV4 and EV5.</para>
497 <para arch="alpha">SMP support for the Alpha is now operational.</para>
499 <para arch="i386" role="historic">Detection for new processors, such as the
500 FC-PGA2 Pentium III (Tualatin), Transmeta Crusoe, and
501 Transmeta Crusoe LongRun, has been added. &merged;</para>
503 <para arch="alpha">Support for the following hardware has been
504 removed from the installation kernel to make it fit on a
505 1.44MB floppy again: Multia, NoName, PC64, EB64, Aspen Alpine,
506 sa (SCSI tape), amr, parallel port support, vx (3c590, 3c595),
507 pcn (AMD Am79C97x PCI 10/100), sf (Adaptec AIC-6915), sis (SiS
508 900/SiS 7016), ste (Sundance ST201 (D-Link DFE-550TX)), wb
509 (Winbond W89C840F).</para>
511 <para arch="i386" role="historic">Support for Streaming <acronym>SIMD</acronym>
512 Extensions (<acronym>SSE</acronym>) has been introduced. The
513 <literal>CPU_ENABLE_SSE</literal> kernel option controls
514 whether support is compiled into the kernel. &merged;</para>
516 <para arch="i386" role="historic">The <literal>CPU_ATHLON_SSE_HACK</literal>
517 kernel option has been added, which attempts to enable the SSE
518 feature bit on newer Athlon CPUs if the BIOS has forgotten to
519 enable it. &merged;</para>
521 <para arch="sparc64">The UltraSPARC platform is now supported by
522 &os;. The following machines are supported to at least some
523 degree: Ultra 1/2/5/10/30/60, Enterprise 220R/420R, Netra T1 AC200/DC200, Netra T 105, and Blade
524 100. SMP is supported, and has been tested on the
525 Ultra 2, Ultra 60, Enterprise 220R, and
526 Enterprise 420R.</para>
528 <para arch="i386" role="historic">On some systems, the BIOS does not activate
529 the I/O ports and memory of PC devices, thus making them
530 unusable. The <literal>PCI_ENABLE_IO_MODES</literal> kernel
531 option forces &os; to enable these devices so that they can be
532 used. &merged;</para>
537 <title>Bootloader Changes</title>
539 <para arch="i386" role="historic"><filename>boot2</filename> now supports a
540 <option>-n</option> option to disallow boot interruption by
541 keypresses. &merged;</para>
543 <para arch="i386" role="historic">A new <filename>cdboot</filename> bootstrap
544 utility for CDROMs provides better compatability with some
545 BIOS implementations that do not completely implement the El
546 Torito bootable CDROM standard. This boot loader supports
547 <quote>no emulation</quote> mode booting, thus eliminating the
548 need for an emulated floppy disk image on a bootable
549 CDROM. &merged;</para>
551 <para arch="i386,pc98" role="historic">The i386 boot loader now has support for a
552 <literal>nullconsole</literal> console type, for use on
553 systems with neither a video console nor a serial
554 port. &merged;</para>
556 <para arch="i386,pc98" role="historic">The &man.loader.8; now has optional support
557 (enabled at compile-time, off by default) for loading
558 <application>bzip2</application>-compressed kernels and
559 modules. &merged;</para>
561 <para arch="i386" role="historic">Support for Intel's Wired for Management 2.0
562 (PXE) was added to the &os; boot loader. Due to API
563 differences, the older PXE versions are not supported. This
564 allow network booting using DHCP. &merged;</para>
566 <!-- Above this line, order bootloader changes by keyword-->
568 <para arch="i386" role="historic">The &os; boot loader now contains a workaround
569 to support CDROM booting on certain IBM BIOSs that expect the
570 first sector of the emulated floppy to contain a valid MS-DOS
571 BPB that they can modify. &merged;</para>
573 <para arch="i386,pc98" role="historic">The &os; boot loader now supports a
574 <option>-p</option> flag to force the kernel to pause after
575 each line of output during the probing phase. &merged;</para>
577 <para arch="alpha,i386" role="historic">The &os; boot loader is now capable of
578 booting from filesystems with block sizes larger than
581 <para>The kernel and modules have been moved to the directory
582 <filename>/boot/kernel</filename>, so they can be easily
583 manipulated together. The boot loader has been updated to
584 make this change as seamless as possible.</para>
588 <title>Network Interface Support</title>
590 <para role="historic">The &man.an.4; driver for Cisco Aironet cards now supports
591 Wired Equivalent Privacy (WEP) encryption, settable via
592 &man.ancontrol.8;. &merged;</para>
594 <para role="historic">The &man.an.4; driver now supports the Cisco Aironet 350
595 series of adaptors. &merged;</para>
597 <para role="historic">The &man.an.4; driver now supports <quote>monitor</quote>
598 mode, settable via the <option>-M</option> option to
599 &man.ancontrol.8;. &merged;</para>
601 <para role="historic">The &man.an.4; driver now supports Cisco LEAP, as well as
602 the <quote>Home</quote> WEP key. The Linux Aironet utilities
603 are now supported under emulation. &merged;</para>
605 <para arch="i386,pc98" role="historic">Generic support for ARCNET token-based
606 networks has been added. &merged;</para>
608 <para arch="i386,pc98" role="historic">The &man.bge.4; driver has been added to
609 support the Broadcom BCM570x family of Gigabit Ethernet
610 controllers, including the 3Com 3c996-T, the SysKonnect
611 SK-9D21 and SK-9D41, and the built-in Gigabit Ethernet NICs on
612 Dell PowerEdge 2550 servers. Output TCP/IP checksum offload,
613 jumbo frames and VLAN tag insertion/stripping are supported,
614 as well as interrupt moderation. &merged;</para>
616 <para arch="i386" role="historic">The cm driver has been added to support SMC
617 COM90cx6 ARCNET network adapters. &merged;</para>
619 <para>The &man.dc.4; driver now supports NICs based on the Xircom
620 3201 and Conexant LANfinity RS7112 chips.</para>
622 <para role="historic">The &man.dc.4; driver now has support for
623 VLANs. &merged;</para>
625 <para role="historic">The &man.de.4; driver now performs round-robin arbitration
626 between the transmit and receive units of the 21143, instead
627 of giving priority to the receive unit. This gives a
628 10–15% performance improvement in the forwarding rate
629 under heavy load. &merged;</para>
631 <para arch="alpha">The &man.ed.4; driver is now supported.</para>
633 <para arch="i386,pc98" role="historic">Linksys Fast Ethernet PCCARD cards supported
634 by the &man.ed.4; driver now require the addition of flag
635 <literal>0x80000</literal> to their config line in
636 &man.pccard.conf.5;. This flag is not optional. These
637 Linksys cards will not be recognized without
640 <para role="historic">A bug in the &man.ed.4; driver that could cause panics
641 with very short packets and BPF or bridging active has been
642 fixed. &merged;</para>
644 <para role="historic">The &man.ed.4; driver now has support for D-Link DL10022
645 chips, necessary for the NetGear FA-410TX and other cards. As
646 a result, <literal>device miibus</literal> is required in
647 kernel configurations using the &man.ed.4;
648 driver. &merged;</para>
650 <para arch="i386">The &man.el.4; driver can now be loaded as a
653 <para arch="i386,pc98" role="historic">The &man.em.4; driver has been added to
654 support NICs based on the Intel 82542, 82543, and 82544
655 Gigabit Ethernet controller chips. The driver supports
656 transmit/receive checksum offload and jumbo frames on 82543
657 and 82544-based adapters. &merged;</para>
659 <para role="historic">The &man.faith.4; device is now loadable, unloadable, and
660 clonable. &merged;</para>
662 <para arch="i386,pc98" role="historic">Support for Fujitsu MB86960A/MB86965A based
663 Ethernet PC-Cards has been added back in the &man.fe.4;
664 driver. &merged;</para>
666 <para arch="alpha" role="historic">The &man.fpa.4; driver now supports Digital's
667 DEFPA FDDI adaptors on the Alpha. &merged;</para>
669 <para role="historic">The &man.fxp.4; driver now requires a <literal>device
670 miibus</literal> entry in the kernel configuration
671 file. &merged;</para>
673 <para role="historic">The &man.fxp.4; driver now contains a workaround for PCI
674 protocol violations caused by defects in some systems based on
675 the Intel ICH2/ICH2-M chip. The workaround is to rewrite the
676 EEPROM on the interface to disable Dynamic Standby Mode; once
677 the EEPROM is rewritten, the system needs to be rebooted for
678 the new settings to take effect. &merged;</para>
680 <para role="historic">The &man.fxp.4; driver now supports Intel's loadable
681 microcode to implement receive-side interrupt coalescing and
682 packet bundling, on NICs that support these features. This
683 support can be activated by the use of the
684 <option>link0</option> option to
685 &man.ifconfig.8;. &merged;</para>
687 <para arch="sparc64">The gem driver has been added to support
688 the Sun GEM Gigabit Ethernet and ERI Fast Ethernet
691 <para role="historic">The &man.gx.4; driver has been added to support NICs based
692 on the Intel 82542 and 82543 Gigabit Ethernet controller
693 chips. Both fiber and copper variants of the cards are
694 supported. Both boards support VLAN tagging/insertion, and
695 the 82543 additionally supports TCP/IP checksum
696 offload. &merged;</para>
698 <para arch="sparc64">The hme driver has been added to support
699 the Sun HME Fast Ethernet adapter, onboard on many Sun Ultra
700 series machines.</para>
702 <para role="historic">The &man.lge.4; driver has been added to support the Level
703 1 LXT1001 NetCellerator Gigabit Ethernet controller chip. This
704 device is used on some fiber optic GigE cards from SMC, D-Link
705 and Addtron. Jumbograms and TCP/IP checksum offload on
706 receive are supported, although hardware VLAN filtering is
709 <para role="historic">The my driver, which supports the Myson Fast Ethernet and
710 Gigabit Ethernet adapters, has been added. &merged;</para>
712 <para role="historic">Added the &man.nge.4; driver, which supports PCI Gigabit
713 Ethernet adapters based on the National Semiconductor DP83820
714 and DP83821 Gigabit Ethernet controller chips, including the
715 D-Link DGE-500T, SMC EZ Card 1000 (SMC9462TX), Asante
716 FriendlyNet GigaNIC 1000TA and 1000TPC and Addtron AEG320T.
717 This driver supports transmit and receive checksum
718 offloading. &merged;</para>
720 <para role="historic">The &man.pcn.4; driver, which supports the AMD PCnet/FAST,
721 PCnet/FAST+, PCnet/FAST III, PCnet/PRO, PCnet/Home, and
722 HomePNA adapters, has been added. Although these cards are
723 already supported by the &man.lnc.4; driver, the &man.pcn.4;
724 driver runs these chips in 32-bit mode and uses the RX
725 alignment feature to achieve zero-copy receive. This driver
726 is also machine-independent, so it will work on the i386,
727 pc98 and Alpha platforms. The &man.lnc.4; driver is still needed
728 to support non-PCI cards. &merged;</para>
730 <para role="historic">The &man.ray.4; driver, which supports the Webgear Aviator
731 wireless network cards, has been committed. The operation of
732 &man.ray.4; interfaces can be modified by
733 &man.raycontrol.8;. &merged;</para>
735 <para arch="i386" role="historic">The sbni driver, for supporting the Granch
736 SBNI12 series of ISA and PCI point-to-point communications
737 interfaces, has been added. The <filename
738 role="package">sysutils/sbniconfig</filename> port in the &os;
739 Ports Collection can be used for configuring these
740 devices. &merged;</para>
742 <para role="historic">Added support for PCI Ethernet adapters based on the SiS
743 900 and SiS 7016 Fast Ethernet controller chips (for example,
744 as seen on the SiS 635 and 735 motherboard chipsets), as well
745 as the National Semiconductor DP83815 chipset (including the
746 NetGear FA311-TX and FA312-TX) in the form of the &man.sis.4;
747 driver. This device has support for VLANs. &merged;</para>
749 <para arch="pc98" role="historic">The snc driver for the National Semiconductor
750 DP8393X (SONIC) Ethernet controller has been added.
751 Currently, this driver is only used on the PC-98
752 architecture. &merged;</para>
754 <para>The &man.stf.4; device is now clonable.</para>
756 <para role="historic">The &man.tap.4; driver, a virtual Ethernet device driver
757 for bridged configurations, has been added. This device is
758 clonable. &merged;</para>
760 <para role="historic">The &man.ti.4; driver now supports the Alteon AceNIC
761 1000baseT Gigabit Ethernet and Netgear GA620T 1000baseT
762 Gigabit cards. &merged;</para>
764 <para role="historic">The &man.ti.4; driver correctly masks VLAN tags. &merged;</para>
766 <para role="historic">The &man.txp.4; driver has been added to support NICs
767 based on the 3Com 3XP Typhoon/Sidewinder (3CR990)
768 chipset. &merged;</para>
770 <para role="historic">&man.vlan.4; devices are now loadable, unloadable, and
771 clonable. &merged;</para>
773 <para role="historic">The &man.wi.4; driver now has support for Prism II and
774 Prism 2.5-based NICs. 104/128-bit WEP now works on Prism
775 cards. &merged;</para>
777 <para role="historic">The &man.wi.4; driver now supports using a &os; host as
778 a wireless access point. This functionality can be enabled
779 using the <literal>mediaopt hostap</literal> option of
780 &man.ifconfig.8;. This feature requires a wireless
781 adapter based on the Prism II chipset. &merged;</para>
783 <para role="historic">The &man.wi.4; driver now has support for
784 <application>bsd-airtools</application>. &merged;</para>
786 <para role="historic">The xe driver can now be built as a
787 module. &merged;</para>
789 <para role="historic">The &man.xl.4; driver now supports the 3Com 3C556 and
790 3C556B MiniPCI adapters used on some laptops. &merged;</para>
792 <para role="historic">The &man.xl.4; driver now supports reception of VLAN
793 tagged frames (on the <quote>Cyclone</quote> or newer
794 chipsets). &merged;</para>
796 <para role="historic">The &man.xl.4; driver now supports send- and receive-side
797 TCP/IP checksum offloading for NICs implementing this feature,
798 such as the 3C905B, 3C905C, and 3C980C. &merged;</para>
800 <para role="historic">A bug in the &man.xl.4; driver, related to statistics
801 overflow interrupt handling, was causing slowdowns at medium
802 to high packet rates; this has been fixed. &merged;</para>
804 <para role="historic">The per-interface <varname>ifnet</varname> structure now
805 has the ability to indicate a set of capabilities supported by
806 a network interface, and which ones are enabled.
807 &man.ifconfig.8; has support for querying these
808 capabilities. &merged;</para>
810 <para role="historic">Performance with hosts having a large number of IP aliases
811 has been improved, by replacing the per-interface
812 <varname>if_inaddr</varname> linear list with a hash table. &merged;</para>
814 <para>Network devices now automatically appear as special files in
815 <filename>/dev/net</filename>. Interface hardware ioctls (not
816 protocol or routing) can be performed on these devices. The
817 <varname>SIOCGIFCONF</varname> ioctl may be performed on the
818 special <filename>/dev/network</filename> node.</para>
820 <para role="historic">Selected network drivers now implement a semi-polling
821 mode, which makes systems much more resilient to attacks and
822 overloads. To enable polling, the following options are
823 required in a kernel configuration file:
825 <programlisting>options DEVICE_POLLING
826 options HZ=1000 # not compulsory but strongly recommended</programlisting>
828 The <varname>kern.polling.enable</varname> sysctl variable
829 will then activate polling mode; with the
830 <varname>kern.polling.user_frac</varname> sysctl indicating
831 the percentage of CPU time to be reserved for userland. The
832 devices initially supporting polling are &man.dc.4;,
833 &man.fxp.4;, &man.rl.4;, and &man.sis.4;. More details can be found in
834 the &man.polling.4; manual page. &merged;</para>
836 <para arch="i386,pc98" role="historic">The packet-forwarding performance of certain
837 network drivers (specifically &man.dc.4; and &man.sis.4;) has
838 been enhanced by the elimination of unnecessary buffer
839 copies. &merged;</para>
843 <title>Network Protocols</title>
845 <para role="historic">&man.accept.filter.9;, a kernel feature to reduce
846 overheads when accepting and reading new connections on
847 listening sockets, has been added. &merged;</para>
849 <para role="historic">The <literal>proxy</literal> modifier to &man.arp.8;'s
850 <option>-d</option> option has been renamed to
851 <literal>pub</literal>, for consistency with the
852 <option>-s</option> option. The <literal>only</literal> keyword
853 has been added to the <option>-s</option> and
854 <option>-S</option> flags, to be used in creating
855 <quote>proxy-only</quote> published entries. &merged;</para>
857 <para role="historic">The read timeout feature of &man.bpf.4; now works more
858 correctly with &man.select.2;/&man.poll.2;, and therefore with
859 pthreads. &merged;</para>
861 <para role="historic">&man.bridge.4; and &man.dummynet.4; have received some
862 enhancements and bug fixes, and are now loadable
863 modules. &merged;</para>
865 <para role="historic">&man.bridge.4; now has better support for multiple,
866 fully-independent bridging clusters, and is much more stable
867 in the presence of dynamic attachments and detatchments. Full
868 support for VLANs is also supported. &merged;</para>
870 <para>ICMP ECHO and TSTAMP replies are now rate limited. TCP
871 RSTs generated due to packets sent to open and unopen ports
872 are now limited by separate counters. Each rate limiting
873 queue now has its own description.</para>
875 <para role="historic">ICMP <literal>UNREACH_FILTER_PROHIB</literal> messages can
876 now RST TCP connections in the <literal>SYN_SENT</literal>
877 state if the correct sequence numbers are sent back, as
879 <varname>net.inet.tcp.icmp_may_rst</varname> sysctl. &merged;</para>
881 <para>IP multicast now works on VLAN devices. Several other
882 bugs in the VLAN code have also been fixed.</para>
884 <para role="historic">A bug in the IPsec processing for IPv4, which caused the
885 inbound SPD checks to be ignored, has been fixed. &merged;</para>
887 <para role="historic">&man.ipfw.4; now filters correctly in the presence of ECN
888 bits in TCP segments. &merged;</para>
890 <para role="historic">A new ng_eiface netgraph module has been added, which
891 appears as an Ethernet interface but delivers its Ethernet
892 frames to a Netgraph hook. &merged;</para>
894 <para role="historic">A new &man.ng.etf.4; netgraph node allows Ethernet type
895 packets to be filtered to different hooks depending on
896 ethertype. &merged;</para>
898 <para>The &man.ng.gif.4; and &man.ng.gif.demux.4; netgraph
899 nodes, for operating on &man.gif.4; devices, have been
902 <para>The &man.ng.ip.input.4; netgraph node, for queueing IP
903 packets into the main IP input processing code, has been
906 <para role="historic">The &man.ng.mppc.4; and &man.ng.bridge.4; node types have
907 been added to the &man.netgraph.4; subsystem. The
908 &man.ng.ether.4; node is now dynamically loadable.
909 Miscellaneous bug fixes and enhancements have also been
910 made. &merged;</para>
912 <para role="historic">A new netgraph node type &man.ng.one2many.4; for
913 multiplexing and demultiplexing packets over multiple links
914 has been added. &merged;</para>
916 <para>A new ng_split node type has been added for splitting a
917 bidirectional packet flow into two unidirectional flows.</para>
919 <para role="historic">A new sysctl
920 <varname>net.inet.ip.check_interface</varname>, which is on by
921 default, causes IP to verify that an incoming packet arrives
922 on an interface that has an address matching the packet's
923 destination address. &merged;</para>
925 <para role="historic">A new sysctl
926 <varname>net.link.ether.inet.log_arp_wrong_iface</varname> has
927 been added to control the suppression of logging when ARP
928 replies arrive on the wrong interface. &merged;</para>
930 <para role="historic">A new <literal>options RANDOM_IP_ID</literal> kernel
931 option causes the ID field of IP packets to be randomized.
932 This closes a minor information leak which allows a remote
933 observer to determine the rate at which the machine is
934 generating packets, since the default behavior is to increment
935 a counter for each packet sent. &merged;</para>
937 <para arch="alpha">SLIP has been removed from the
938 <filename>mfsroot</filename> floppy image.</para>
940 <para role="historic">TCP has received some bug fixes for its delayed ACK
941 behavior. &merged;</para>
943 <para role="historic">TCP now supports the NewReno modification to the TCP Fast
944 Recovery algorithm. This behavior can be controlled via the
945 <varname>net.inet.tcp.newreno</varname> sysctl
946 variable. &merged;</para>
948 <para role="historic">TCP now uses a more aggressive timeout for initial SYN
949 segments; this allows initial connection attempts to be
950 dropped much faster. &merged;</para>
952 <para role="historic">The <literal>TCP_COMPAT_42</literal> kernel option has
953 been removed. &merged;</para>
955 <para role="historic">The <literal>TCP_RESTRICT_RST</literal> kernel option has
956 been removed. Similar functionality can be achieved with the
957 <varname>net.inet.tcp.blackhole</varname> sysctl
958 variable. &merged;</para>
960 <para role="historic">TCP now has RFC 1323 extensions enabled by default in
961 &man.rc.conf.5;. &merged;</para>
963 <para role="historic">RFC 1323 and RFC 1644 TCP extensions are now disabled for
964 a connection in progress if no response has been received by
965 the third SYN segment sent. This behavior tries to work
966 around (very old) terminal servers with buggy VJ header
967 compression implementations. &merged;</para>
969 <para role="historic">The TCP implementation no longer requires the allocation
970 of a TCP template structure for each connection; this should
971 reduce the buffer usage on large systems handling many
972 connections. &merged;</para>
974 <para role="historic">TCP's default buffer sizes, controlled by the
975 <varname>net.inet.tcp.sendspace</varname> and
976 <varname>net.inet.tcp.recvspace</varname> sysctl variables,
977 have been increased to 32K and 64K respectively. Previously,
978 the default for both buffer sizes was 16K. To try to avoid
979 increasing congestion, the default value for
980 <varname>net.inet.tcp.local_slowstart_flightsize</varname> has
981 been changed from infinity to 4. &merged;
984 <para>On busy hosts, the new larger buffer sizes may require
985 manually increasing the
986 <varname>NMBCLUSTERS</varname> parameter, either in the
987 kernel configuration file or via the
988 <varname>kern.ipc.nmbclusters</varname> loader tunable.
989 <command>netstat -mb</command> can be used to monitor the
990 state of mbuf clusters.</para>
994 <para role="historic">TCP now supports RFC 1948 (Defending Against Sequence
996 <varname>net.inet.tcp.isn_reseed_interval</varname> sysctl
997 variable controls the reseeding of the secret data used in
998 the RFC 1948 initial sequence number calculations. &merged;</para>
1000 <para role="historic">The TCP implementation in &os; now implements a cache of
1001 outstanding, received SYN segments. Incoming SYN segments now
1002 cause entries to be placed in the cache until the TCP
1003 three-way handshake is complete, at which point, memory is
1004 allocated for the connection as usual. In addition, all TCP
1005 Initial Sequence Numbers (ISNs) are used as cookies, allowing
1006 entries in the cache to be dropped, but still have their
1007 corresponding ACKs accepted later. The combination of the
1009 <quote>syncache</quote> and <quote>syncookies</quote> features
1010 makes a host much more resistant to TCP-based Denial of
1011 Service attacks. Work on this feature was sponsored by DARPA
1012 and NAI Labs. &merged;</para>
1014 <para role="historic">A bug in the TCP implementation, which could cause
1015 connections to stall if a sender saw a zero-sized window, has
1016 been corrected. &merged;</para>
1018 <para role="historic">The TCP implementation now properly ignores packets
1019 addressed to IP-layer broadcast addresses. &merged;</para>
1021 <para>The ephemeral port range used for TCP and UDP has been
1022 changed to 49152–65535 (the old default was
1023 1024–5000). This increases the number of concurrent
1024 outgoing connections/streams.</para>
1028 <title>Disks and Storage</title>
1030 <para arch="i386" role="historic">Support for the Adaptec FSA family of PCI-SCSI
1031 RAID controllers has been added, in the form of the
1032 &man.aac.4; driver. This driver includes proper handling of
1033 commands initiated by the adapter, addition/removal of disk
1034 devices, crashdump functionality, and &man.ioctl.2; commands
1035 necessary for the management CLI, and is fully qualified and
1036 sanctioned by Adaptec. &merged;</para>
1038 <para role="historic">The &man.ahc.4; driver has received numerous updates,
1039 bugfixes, and enhancements. Among various improvements are
1040 improved compatibility with chips in <quote>RAID Port</quote>
1041 mode and systems with AAA and/or ARO cards installed, as well
1042 as performance improvements. Some bugs were also fixed,
1043 including a rare hang on Ultra2/U160
1044 controllers. &merged;</para>
1046 <para arch="i386" role="historic">The &man.asr.4; driver, which provides support
1047 for the Adaptec SCSI RAID controller family, as well as the
1048 DPT SmartRAID V and VI families, has been
1049 added. &merged;</para>
1051 <para arch="i386" role="historic">The &man.asr.4; driver now supports the
1052 Adaptec 2000S and 2005S Zero-Channel RAID
1053 controllers. &merged;</para>
1055 <para role="historic">The &man.ata.4; driver now has support for ATA100
1056 controllers. In addition, it now supports the ServerWorks
1057 ROSB4 ATA33 chipset, the CMD 648 ATA66 and CMD 649 ATA100
1058 chipsets, and the Cyrix 5530. &merged;</para>
1060 <para role="historic">To provide more flexible configuration, the various
1061 options for the &man.ata.4; driver are now boot loader
1062 tunables, rather than kernel configure-time
1063 options. &merged;</para>
1065 <para role="historic">The &man.ata.4; driver now has support for tagged queuing,
1066 which is enabled by the <varname>hw.ata.tags</varname> loader
1067 tunable. &merged;</para>
1069 <para role="historic">The &man.ata.4; driver now has support for ATA
1070 <quote>pseudo</quote> RAID controllers as the Promise Fasttrak
1071 and HighPoint HPT370 controllers. &merged;</para>
1073 <para role="historic">The &man.ata.4; driver now supports a wider variety of SiS
1074 chipsets, as listed in the Hardware Notes. &merged;</para>
1076 <para role="historic">The &man.ata.4; driver now has support for creating,
1077 deleting, querying, and rebuilding ATA RAIDs under control of
1078 &man.atacontrol.8;. &merged;</para>
1080 <para role="historic">The BurnProof(TM) feature, for applicable ATAPI CD-ROM
1081 burners, is now supported. &merged;</para>
1083 <para role="historic">The &man.ata.4; driver now has support for 48-bit
1084 addressing. Devices larger than 137GB are now
1085 supported. &merged;</para>
1087 <para role="historic">The &man.ata.4; driver now contains fixes for some data
1088 corruption problems on systems using the VIA 82C686B
1089 Southbridge chip. &merged;</para>
1091 <para role="historic">The &man.cd.4; driver now has support for write
1092 operations. This allows writing to DVD-RAM, PD and similar
1093 drives that probe as CD devices. Note that change affects
1094 only random-access writeable devices, not sequential-only
1095 writeable devices such as CD-R drives, which are supported by
1096 &man.cdrecord.1; (a part of
1097 <filename role="package">sysutils/cdrtools</filename> in the
1098 Ports Collection. &merged;</para>
1100 <para arch="i386" role="historic">The ciss driver, for devices utilizing the
1101 Common Interface for SCSI-3 Support, has been added. This
1102 driver supports the Compaq SmartRAID 5* family of RAID
1103 controllers (5300, 532, 5i). &merged;</para>
1105 <para>The &man.fdc.4; floppy disk has undergone a number of
1106 enhancements. Density selection for common settings is now
1107 automatic; the driver is also much more flexible in setting
1108 the densities of various subdevices.</para>
1110 <para>The &man.geom.4; disk I/O request transformation framework
1111 has been added; this extensible framework is designed to
1112 support a wide variety of operations on I/O requests on their
1113 way from the upper kernel to the device drivers.</para>
1115 <para role="historic">The ida disk driver now has crashdump
1116 support. &merged;</para>
1118 <para arch="i386" role="historic">The iir driver has been added to support the
1119 Intel Integrated RAID controllers, as well as prior ICP Vortex
1122 <para arch="alpha" role="historic">A bug that made certain CDROM drives fail to
1123 attach when connected to a SCSI card driven by &man.isp.4; has
1124 been fixed. &merged;</para>
1126 <para>The &man.isp.4; driver is now proactive about discovering
1127 Fibre Channel topology changes.</para>
1129 <para>The &man.isp.4; driver now supports target mode for Qlogic
1130 SCSI cards, including Ultra2 and Ultra3 and dual bus
1133 <para role="historic">The &man.isp.4; driver now supports the Qlogic 2300 and
1134 2312 Optical Fibre Channel PCI cards. &merged;</para>
1136 <para>&man.md.4;, the memory disk device, has had the
1137 functionality of &man.vn.4; incorporated into it. &man.md.4;
1138 devices can now be configured by &man.mdconfig.8;. &man.vn.4;
1139 has been removed. The Memory Filesystem (MFS) has also been
1142 <para arch="i386" role="historic">The &man.mly.4; driver, for Mylex PCI to SCSI
1143 AccelRAID and eXtremeRAID controllers with firmware 6.X and
1144 later, has been added. &merged;</para>
1146 <para arch="i386,pc98" role="historic">The ncv, nsp, and stg drivers have been ported
1147 from NetBSD/pc98. They support the NCR 53C50 / Workbit Ninja
1148 SCSI-3 / TMC 18C30, 18C50 based PC-Card/ISA SCSI controllers.
1149 All three drivers can be built and loaded as
1150 modules. &merged;</para>
1152 <para arch="powerpc">The ofw driver, a basic OpenFirmware disk
1153 driver, has been added.</para>
1155 <para>Some problems in &man.sa.4; error handling have been
1156 fixed, including the <quote>tape drive spinning indefinitely
1157 upon &man.mt.1; <option>stat</option></quote> problem.</para>
1159 <para arch="i386" role="historic">The &man.twe.4; 3ware ATA RAID driver has
1160 added. &merged;</para>
1162 <para role="historic">The &man.wd.4; compatibility devices were removed from the
1163 &man.ata.4; driver. &merged;</para>
1167 <title>Filesystems</title>
1169 <para>Support for named extended attributes was added to the
1170 &os; kernel. This allows the kernel, and appropriately
1171 privileged userland processes, to tag files and directories
1172 with attribute data. Extended attributes were added to
1173 support the TrustedBSD Project, in particular ACLs, capability
1174 data, and mandatory access control labels (see
1175 <filename>/usr/src/sys/ufs/ufs/README.extattr</filename> for
1178 <para role="historic">Due to a licensing change, softupdates have been
1179 integrated into the main portion of the kernel source tree.
1180 As a consequence, softupdates are now available with the
1181 <filename>GENERIC</filename> kernel. &merged;</para>
1183 <para>A filesystem snapshot capability has been added to FFS.
1184 Details can be found in
1185 <filename>/usr/src/sys/ufs/ffs/README.snapshot</filename>.</para>
1187 <!-- The following note needs to be made more specific or eliminated. -->
1188 <para>Softupdates for FFS have received some bug fixes and
1189 enhancements.</para>
1191 <para>When running with softupdates, &man.statfs.2; and
1192 &man.df.1; will track the number of blocks and files that are
1193 committed to being freed.</para>
1195 <para role="historic">A bug in FFS that could cause superblock corruption on
1196 very large filesystems has been corrected. &merged;</para>
1198 <para role="historic">The ISO-9660 filesystem now has a hook that supports a
1199 loadable character conversion routine. The
1200 <filename role="package">sysutils/cd9660_unicode</filename>
1201 port contains a set of common conversions. &merged;</para>
1203 <para>&man.kernfs.5; is obsolete and has been retired.</para>
1205 <para role="historic">A bug in the NFS client that caused bogus access times with
1206 <literal>O_EXCL|O_CREAT</literal> opens was
1207 fixed. &merged;</para>
1209 <para role="historic">A new NFS hash function (based on the Fowler/Noll/Vo hash
1210 algorithm) has been implemented to improve NFS performance by
1211 increasing the efficiency of the <varname>nfsnode</varname>
1212 hash tables. &merged;</para>
1214 <para>Client-side NFS locks have been implemented.</para>
1216 <para>The client-side and server-side of the NFS code in the
1217 kernel used to be intertwined in various complex ways. They
1218 have been split apart for ease of maintenance and further
1221 <para>Support for filesystem Access Control Lists (ACLs) has
1222 been introduced, allowing more fine-grained control of
1223 discretionary access control on files and directories. This
1224 support was integrated from the TrustedBSD Project. More
1225 details can be found in
1226 <filename>/usr/src/sys/ufs/ufs/README.acls</filename>.</para>
1228 <para role="historic">The directory layout preference algorithm for FFS
1229 (<literal>dirprefs</literal>) has been changed. Rather than
1230 scattering directory blocks across a disk, it attempts to
1231 group related directory blocks together. Operations
1232 traversing large directory hierarchies, such as the &os; Ports
1233 tree, have shown marked speedups. This change is transparent
1234 and automatic for new directories. &merged;</para>
1236 <para arch="i386,pc98" role="historic">smbfs (CIFS) support in kernel has been added.
1237 The userland programs &man.smbutil.1; and &man.mount.smbfs.8;
1238 can be used to work with SMB shares. Note that
1239 &man.mount.smbfs.8; will automatically load the
1240 <filename>smbfs.ko</filename> module into the kernel, even if
1241 <literal>LIBMCHAIN</literal> and
1242 <literal>LIBICONV</literal> were not compiled into the kernel.
1245 <para>For consistency, the fdesc, fifo, null, msdos, portal,
1246 umap, and union filesystems have been renamed to fdescfs,
1247 fifofs, msdosfs, nullfs, portalfs, umapfs, and unionfs. Where
1248 applicable, modules and mount_* programs have been renamed.
1249 Compatibility <quote>glue</quote> has been added to
1250 &man.mount.8; so that <literal>msdos</literal> filesystem
1251 entries in &man.fstab.5; will work without changes.</para>
1253 <para>pseudofs, a pseudo-filesystem framework, has been added.
1254 &man.linprocfs.5; and &man.procfs.5; have been modified to use
1257 <para role="historic">A simple hash-based lookup optimization for large
1258 directories called <literal>dirhash</literal> has been added.
1260 <literal>UFS_DIRHASH</literal> kernel option (enabled by
1261 default in the <filename>GENERIC</filename> kernel), it
1262 improves the speed of operations on very large directories at
1263 the expense of some memory. &merged;</para>
1265 <para role="historic">The virtual memory subsystem now backs UFS directory
1266 memory requirements by default (this behavior is controlled
1267 via the <varname>vfs.vmiodirenable</varname> sysctl
1268 variable). &merged;</para>
1270 <para role="historic">A bug that prevented the root filesystem from being
1271 mounted from a SCSI CDROM has been fixed (ATAPI CDROMs were
1272 always supported). &merged;</para>
1274 <para role="historic">A number of bugs in the filesystem code, discovered
1275 through the use of the <application>fsx</application>
1276 filesystem test tool, have been fixed. Under certain
1277 circumstances (primarily related to use of NFS), these bugs
1278 could cause data corruption or kernel panics. &merged;</para>
1280 <para>Network filesystems (such as NFS and smbfs filesystems)
1281 listed in <filename>/etc/fstab</filename> can now be properly
1282 mounted during startup initialization; their mounts are
1283 deferred until after the network is initialized.</para>
1285 <para>Read-only support for the Universal Disk Format (UDF) has
1286 been added. This format is used on packet-written CD-RWs and
1287 most commercial DVD-Video disks. The &man.mount.udf.8;
1288 command can be used to mount these disks.</para>
1292 <title>PCCARD Support</title>
1294 <para arch="i386,pc98" role="historic">The pccard driver and &man.pccardc.8; now
1295 support multiple <quote>beep types</quote> upon card insertion
1296 and removal. &merged;</para>
1298 <para role="historic">On many modern hosts, PCCARD devices can be configured to
1299 route their interrupts via either the ISA or PCI interrupt
1300 paths. The &man.pcic.4; driver has been updated to support
1301 both interrupt paths (formerly, only routing via ISA was
1302 supported). &merged; In most cases, configuration of PCMCIA
1303 devices in laptops is simpler and more flexible. In addition,
1304 various Cardbus bridge PCI cards (such as those used by
1305 Orinoco PCI NICs) are now supported. Some hosts may
1306 experience problems, such as hangs or panics, with PCI
1307 interrupt routing; they can frequently be made to work by
1308 forcing the older-style ISA interrupt routing. The following
1309 lines, placed in <filename>/boot/loader.conf</filename>, may
1310 fix the problem:</para>
1312 <programlisting role="historic">hw.pcic.intr_path="1"
1313 hw.pcic.irq="0"</programlisting>
1315 <para role="historic">When installing &os; on such a system, typing the
1316 following lines to the boot loader may be helpful in starting
1317 up &os; for the first time:<para>
1319 <screen role="historic"><prompt>ok</prompt> <userinput>set hw.pcic.intr_path="1"</userinput>
1320 <prompt>ok</prompt> <userinput>set hw.pcic.irq="0"</userinput></screen>
1322 <para arch="i386">Preliminary Cardbus support under NEWCARD has
1323 been added. This code supports the TI113X, TI12XX, TI125X,
1324 Ricoh 5C46/5C47, Topic 95/97/100 and Cirrus Logic PD683X
1325 bridges. 16-bit PC Card support is not yet functional.</para>
1329 <title>Multimedia Support</title>
1331 <para arch="i386" role="historic">The &man.pcm.4; driver now supports the ESS
1332 Solo 1, Maestro-1, Maestro-2, and Maestro-2e; Forte Media
1333 fm801, ESS Maestro-2e, and VIA Technologies VT82C686A sound
1334 card/chipsets, and has received some other updates. Separate
1335 drivers for the SoundBlaster 8 and SoundBlaster 16 now replace
1336 an older, unified driver. A driver for the CMedia
1337 CMI8338/CMI8738 sound chips has been added. A driver for the
1338 CS4281 sound chip has been added. A driver for the S3
1339 SonicVibes chipset has been added. &merged;</para>
1341 <para arch="i386" role="historic">A driver for the Avance Logic ALS4000 has been
1342 added. &merged;</para>
1344 <para arch="i386" role="historic">A driver for the ESS Maestro-3/Allegro has
1345 been added, however due to licensing restrictions, it cannot
1346 be compiled into the kernel. &merged; To use this driver, add
1347 the following line to
1348 <filename>/boot/loader.conf</filename>:</para>
1350 <programlisting role="historic">snd_maestro3_load="YES"</programlisting>
1352 <para role="historic">The &man.bktr.4; driver has been updated to 2.18. This
1353 update provides a number of new features. New tuner types
1354 have been added, and improvements to the KLD module and to
1355 memory allocation have been made. Bugs in &man.devfs.5; when
1356 unloading and reloading have been fixed. Support for new
1357 Hauppauge Model 44xxx WinTV Cards (the ones with no audio mux)
1358 has been added. &merged;</para>
1360 <para arch="i386,pc98" role="historic">The ufm driver, supporting the D-Link DSB-R100
1361 USB Radio, has been added. &merged;</para>
1363 <para role="historic">When sound modules are built, one can now load all the
1364 drivers and infrastructure by <command>kldload
1365 snd</command>. &merged;</para>
1367 <para>A new API has been added for sound cards with hardware
1368 volume control.</para>
1370 <para arch="i386" role="historic">A driver for the Intel 443MX, 810, 815, and
1371 815E integrated sound devices has been added. &merged;</para>
1373 <para arch="i386" role="historic">The via82c686 sound driver now supports the VIA
1374 VT8233. &merged;</para>
1376 <para arch="i386" role="historic">The ich sound driver now support the SiS
1377 7012 chipset. &merged;</para>
1379 <para arch="i386">Drivers have been added to support the Direct
1380 Rendering Infrastructure, which can used to provide 3D
1381 acceleration within <application>XFree86</application>. Video
1382 cards supported include the 3Dlabs Oxygen GMX 2000 (gammadrm),
1383 AGP Matrox G200/G400/G450/G550 (mgadrm), 3dfx Voodoo
1384 3/4/5/Banshee (tdfxdrm), AGI ATI Rage 128 (r128drm), and AGP
1385 ATI Radeon (radeondrm).</para>
1390 <title>Contributed Software</title>
1392 <para>The Forth Inspired Command Language
1393 (<application>FICL</application>) used in the boot loader has
1394 been updated to 3.02.</para>
1396 <para>Support for Advanced Configuration and Power Interface
1397 (ACPI), a multi-vendor standard for configuration and power
1398 management, has been added. This functionality has been
1399 provided by the <application>Intel ACPI Component
1400 Architecture</application> project, as of the ACPI CA 20020308
1401 snapshot. Some backward compatability for applications using
1402 the older APM standard has been provided.</para>
1405 <title>IPFilter</title>
1407 <para><application>IPFilter</application> has been updated to
1410 <para role="historic"><application>IPFilter</application> now supports
1411 IPv6. &merged;</para>
1416 <title>isdn4bsd</title>
1418 <para><application>isdn4bsd</application> has been updated to
1419 version 1.0.2.</para>
1421 <para role="historic">The &man.ifpi.4; driver for supporting the AVM
1422 Fritz!Card PCI controller has been added. &merged;</para>
1424 <para role="historic">The &man.ifpi2.4; driver for supporting the AVM
1425 Fritz!Card PCI version 2 controller has been added. &merged;</para>
1427 <para role="historic">The &man.ihfc.4; driver for supporting Cologne Chip
1428 Designs HFC devices under
1429 <application>isdn4bsd</application> has been
1430 added. &merged;</para>
1432 <para role="historic">The &man.itjc.4; driver for supporting NETjet-S / Teles
1433 PCI-TJ devices under <application>isdn4bsd</application> has
1434 been added. &merged;</para>
1436 <para role="historic">Experimental support for the Eicon.Diehl DIVA 2.0 and
1437 2.02 ISA PnP ISDN cards has been added to the &man.isic.4;
1438 <application>isdn4bsd</application> driver. &merged;</para>
1440 <para role="historic">The &man.isic.4; driver now supports the Compaq Microcom
1441 610 ISDN ISA PnP card. &merged;</para>
1443 <para role="historic">Active CAPI-based ISDN cards manufactured by AVM are now
1444 supported using the &man.i4bcapi.4; and the &man.iavc.4;
1445 driver. The supported cards are the AVM B1 PCI and AVM B1
1446 ISA Basic Rate cards and the AVM T1 Primary Rate
1447 cards. &merged;</para>
1449 <para role="historic">A new <literal>maxconnecttime</literal> keyword is now
1450 accepted in &man.isdnd.rc.5; files to limit the time a
1451 connection may remain open. &merged;</para>
1453 <para role="historic">&man.isdnphone.8; now supports a <option>-k</option>
1454 option for sending messages via the keypad facility to a PBX
1455 or exchange office. &merged;</para>
1457 <para><application>isdn4bsd</application> now supports Q.931
1458 subaddressing.</para>
1462 <sect4 id="kame-kernel">
1465 <para role="historic">The IPv6 stack is now based on a snapshot based on the
1466 KAME Project's IPv6 snapshot as of 28 May, 2001. Most of
1467 the items listed in this section are a result of this
1468 import. <xref linkend="kame-userland"> lists userland
1469 updates to the KAME IPv6 stack. &merged;</para>
1471 <para role="historic">&man.gif.4; is now based on RFC 2893, rather than RFC
1472 1933. The <literal>IFF_LINK2</literal> interface flag can
1473 be used to control ingress filtering. &merged;</para>
1475 <para role="historic"><application>IPsec</application> has received some
1476 enhancements, including the ability to use the Rijndael and
1477 SHA2 algorithms. IPsec RC5 support has been removed due to
1478 patent issues. &merged;</para>
1480 <para role="historic">&man.stf.4; now conforms to RFC 3056; the
1481 <literal>IFF_LINK2</literal> interface flag can be used to
1482 control ingress filtering. &merged;</para>
1484 <para role="historic">IPv6 has better checking of illegal addresses (such as
1485 loopback addresses) on physical networks. &merged;</para>
1487 <para role="historic">The <varname>IPV6_V6ONLY</varname> socket option is now
1488 completely supported. The kernel's default behavior with
1489 respect to this option is controlled by the
1490 <varname>net.inet6.ip6.v6only</varname> sysctl
1491 variable. &merged;</para>
1493 <para role="historic">RFC 3041 (Privacy Extensions for Stateless Address
1494 Autoconfiguration) is now supported. It can be enabled via
1495 the <varname>net.inet6.ip6.use_tempaddr</varname> sysctl
1496 variable. &merged;</para>
1501 <sect2 id="security">
1502 <title>Security-Related Changes</title>
1504 <para role="historic">&man.sysinstall.8; now allows the user to select one of two
1505 <quote>security profiles</quote> at install-time. These
1506 profiles enable different levels of system security by enabling
1507 or disabling various system services in &man.rc.conf.5; on new
1508 installs. &merged;</para>
1510 <para>A bug in which malformed ELF executable images can hang the
1511 system has been fixed (see security advisory
1512 FreeBSD-SA-00:41). &merged;</para>
1514 <para>A security hole in Linux emulation was fixed (see security
1515 advisory FreeBSD-SA-00:42). &merged;</para>
1517 <para role="historic">String-handling library calls in many programs were fixed to
1518 reduce the possibility of buffer overflow-related exploits.
1521 <para>TCP now uses stronger randomness in choosing its initial
1522 sequence numbers (see security advisory
1523 FreeBSD-SA-00:52). &merged;</para>
1525 <para>Several buffer overflows in &man.tcpdump.1; were corrected
1526 (see security advisory FreeBSD-SA-00:61). &merged;</para>
1528 <para>A security hole in &man.top.1; was corrected (see security
1529 advisory FreeBSD-SA-00:62). &merged;</para>
1531 <para>A potential security hole caused by an off-by-one-error in
1532 &man.gethostbyname.3; has been fixed (see security advisory
1533 FreeBSD-SA-00:63). &merged;</para>
1535 <para>A potential buffer overflow in the &man.ncurses.3; library,
1536 which could cause arbitrary code to be run from within
1537 &man.systat.1;, has been corrected (see security advisory
1538 FreeBSD-SA-00:68). &merged;</para>
1540 <para>A vulnerability in &man.telnetd.8; that could cause it to
1541 consume large amounts of server resources has been fixed (see
1542 security advisory FreeBSD-SA-00:69). &merged;</para>
1544 <para>The <literal>nat deny_incoming</literal> command in
1545 &man.ppp.8; now works correctly (see security advisory
1546 FreeBSD-SA-00:70). &merged;</para>
1548 <para>A vulnerability in &man.csh.1;/&man.tcsh.1; temporary files
1549 that could allow overwriting of arbitrary user-writable files
1550 has been closed (see security advisory
1551 FreeBSD-SA-00:76). &merged;</para>
1553 <para role="historic">The &man.ssh.1; binary is no longer SUID root by
1554 default. &merged;</para>
1556 <para role="historic">Some fixes were applied to the Kerberos IV implementation
1557 related to environment variables, a possible buffer overrun, and
1558 overwriting ticket files. &merged;</para>
1560 <para role="historic">&man.telnet.1; now does a better job of sanitizing its
1561 environment. &merged;</para>
1563 <para>Several vulnerabilities in &man.procfs.5; were fixed (see
1564 security advisory FreeBSD-SA-00:77). &merged;</para>
1566 <para>A bug in <application>OpenSSH</application> in which a
1567 server was unable to disable &man.ssh-agent.1; or
1568 <literal>X11Forwarding</literal> was fixed (see security
1569 advisory FreeBSD-SA-01:01). &merged;</para>
1571 <para>A bug in &man.ipfw.8; and &man.ip6fw.8; in which inbound TCP
1572 segments could incorrectly be treated as being part of an
1573 <literal>established</literal> connection has been fixed (see
1574 security advisory FreeBSD-SA-01:08). &merged;</para>
1576 <para>A bug in &man.crontab.1; that could allow users to read any
1577 file on the system in valid &man.crontab.5; syntax has been
1578 fixed (see security advisory FreeBSD-SA-01:09). &merged;</para>
1580 <para>A vulnerability in &man.inetd.8; that could allow
1581 read-access to the initial 16 bytes of
1582 <groupname>wheel</groupname>-accessible files has been fixed
1583 (see security advisory FreeBSD-SA-01:11). &merged;</para>
1585 <para>A bug in &man.periodic.8; that used insecure temporary files
1586 has been corrected (see security advisory
1587 FreeBSD-SA-01:12). &merged;</para>
1589 <para><application>OpenSSH</application> now has code to prevent
1590 (instead of just mitigating through connection limits) an attack
1591 that can lead to guessing the server key (not host key) by
1592 regenerating the server key when an RSA failure is detected (see
1593 security advisory FreeBSD-SA-01:24). &merged;</para>
1595 <para role="historic">A number of programs have had output formatting strings
1596 corrected so as to reduce the risk of
1597 vulnerabilities. &merged;</para>
1599 <para role="historic">A number of programs that use temporary files now do so more
1600 securely. &merged;</para>
1602 <para role="historic">A bug in ICMP that could cause an attacker to disrupt TCP and UDP
1603 <quote>sessions</quote> has been corrected. &merged;</para>
1605 <para>A bug in &man.timed.8;, which caused it to crash if send
1606 certain malformed packets, has been corrected (see security
1607 advisory FreeBSD-SA-01:28). &merged;</para>
1609 <para>A bug in &man.rwhod.8;, which caused it to crash if send
1610 certain malformed packets, has been corrected (see security
1611 advisory FreeBSD-SA-01:29). &merged;</para>
1613 <para>A security hole in &os;'s FFS and EXT2FS implementations,
1614 which allowed a race condition that could cause users to have
1615 unauthorized access to data, has been fixed (see security
1616 advisory FreeBSD-SA-01:30). &merged;</para>
1618 <para>A remotely-exploitable vulnerability in &man.ntpd.8; has
1619 been closed (see security advisory
1620 FreeBSD-SA-01:31). &merged;</para>
1622 <para>A security hole in <application>IPFilter</application>'s
1623 fragment cache has been closed (see security advisory
1624 FreeBSD-SA-01:32). &merged;</para>
1626 <para>Buffer overflows in &man.glob.3;, which could cause
1627 arbitrary code to be run on an FTP server, have been closed. In
1628 addition, to prevent some forms of DOS attacks, &man.glob.3;
1629 allows specification of a limit on the number of pathname
1630 matches it will return. &man.ftpd.8; now uses this feature (see
1631 security advisory FreeBSD-SA-01:33). &merged;</para>
1633 <para>Initial sequence numbers in TCP are more thoroughly
1634 randomized (see security advisory FreeBSD-SA-01:39). Due to
1635 some possible compatibility issues, the behavior of this
1636 security fix can be enabled or disabled via the
1637 <varname>net.inet.tcp.tcp_seq_genscheme</varname> sysctl
1638 variable.&merged;</para>
1640 <para>A vulnerability in the &man.fts.3; routines (used by
1641 applications for recursively traversing a filesystem) could
1642 allow a program to operate on files outside the intended
1643 directory hierarchy. This bug has been fixed (see security
1644 advisory FreeBSD-SA-01:40). &merged;</para>
1646 <para role="historic"><application>OpenSSH</application> now switches to the
1647 user's UID before attempting to unlink the authentication
1648 forwarding file, nullifying the effects of a race.</para>
1650 <para>A flaw allowed some signal handlers to remain in effect in a
1651 child process after being exec-ed from its parent. This allowed
1652 an attacker to execute arbitrary code in the context of a setuid
1653 binary. This flaw has been corrected (see security advisory
1654 FreeBSD-SA-01:42). &merged;</para>
1656 <para>A remote buffer overflow in &man.tcpdump.1; has been fixed
1657 (see security advisory FreeBSD-SA-01:48). &merged;</para>
1659 <para>A remote buffer overflow in &man.telnetd.8; has been fixed
1660 (see security advisory FreeBSD-SA-01:49). &merged;</para>
1662 <para>The new <varname>net.inet.ip.maxfragpackets</varname> and
1663 <varname>net.inet.ip6.maxfragpackets</varname> sysctl variables
1664 limit the amount of memory that can be consumed by IPv4 and IPv6
1665 packet fragments, which defends against some denial of service
1666 attacks (see security advisory
1667 FreeBSD-SA-01:52). &merged;</para>
1669 <para role="historic">All services in <filename>inetd.conf</filename> are now
1670 disabled by default for new installations. &man.sysinstall.8;
1671 gives the option of enabling or disabling &man.inetd.8; on new
1672 installations, as well as editing
1673 <filename>inetd.conf</filename>. &merged;</para>
1675 <para>A flaw in the implementation of the &man.ipfw.8;
1676 <literal>me</literal> rules on point-to-point links has been
1677 corrected. Formerly, <literal>me</literal> filter rules would
1678 match the remote IP address of a point-to-point interface in
1679 addition to the intended local IP address (see security advisory
1680 FreeBSD-SA-01:53). &merged;</para>
1682 <para>A vulnerability in &man.procfs.5;, which could allow a
1683 process to read sensitive information from another process's
1684 memory space, has been closed (see security advisory
1685 FreeBSD-SA-01:55). &merged;</para>
1687 <para>The <literal>PARANOID</literal> hostname checking in
1688 <application>tcp_wrappers</application> now works as advertised
1689 (see security advisory FreeBSD-SA-01:56). &merged;</para>
1691 <para>A local root exploit in &man.sendmail.8; has been closed
1692 (see security advisory FreeBSD-SA-01:57). &merged;</para>
1694 <para>A remote root vulnerability in &man.lpd.8; has been closed
1695 (see security advisory FreeBSD-SA-01:58). &merged;</para>
1697 <para>A race condition in &man.rmuser.8; that briefly exposed a
1698 world-readable <filename>/etc/master.passwd</filename> has been
1699 fixed (see security advisory FreeBSD-SA-01:59). &merged;</para>
1701 <para>A vulnerability in <application>UUCP</application> has been
1702 closed (see security advisory FreeBSD-SA-01:62). All
1703 non-<username>root</username>-owned binaries in standard system
1704 paths now have the <literal>schg</literal> flag set to prevent
1705 exploit vectors when run by &man.cron.8;, by
1706 <username>root</username>, or by a user other then the one owning
1707 the binary. In addition, &man.uustat.1; is now run via
1708 <filename>/etc/periodic/daily/410.status-uucp</filename> as
1709 <username>uucp</username>, not <username>root</username>. In
1710 &os; -CURRENT, <application>UUCP</application> has since been
1711 moved to the Ports Collection and no longer a part of the base
1712 system. &merged;</para>
1714 <para role="historic">A security hole in the form of a buffer overflow in the
1715 &man.semop.2; system call has been closed. &merged;</para>
1717 <para>A security hole in <application>OpenSSH</application>, which
1718 could allow users to execute code with arbitrary privileges if
1719 <literal>UseLogin yes</literal> was set, has been closed. Note
1720 that the default value of this setting is
1721 <literal>UseLogin no</literal>. (See security advisory
1722 FreeBSD-SA-01:63.) &merged;</para>
1724 <para>The use of an insecure temporary directory by
1725 &man.pkg.add.1; could permit a local attacker to modify the
1726 contents of binary packages while they were being installed.
1727 This hole has been closed. (See security advisory
1728 FreeBSD-SA-02:01.) &merged;</para>
1730 <para>A race condition in &man.pw.8;, which could expose the
1731 contents of <filename>/etc/master.passwd</filename>, has been
1732 eliminated. (See security advisory FreeBSD-SA-02:02.)
1735 <para>A bug in &man.k5su.8; could have allowed a process that had
1736 given up superuser privileges to regain them. This bug has been
1737 fixed. (See security advisory FreeBSD-SA-02:07.)
1740 <para>An <quote>off-by-one</quote> bug has been fixed in
1741 <application>OpenSSH</application>'s multiplexing code. This bug
1742 could have allowed an authenticated remote user to cause
1743 &man.sshd.8; to execute arbitrary code with superuser
1744 privileges, or allowed a malicious SSH server to execute arbitrary
1745 code on the client system with the privileges of the client user. (See security
1747 url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:13.openssh.asc">FreeBSD-SA-02:13</ulink>.)
1750 <para>A programming error in <application>zlib</application> could
1751 result in attempts to free memory multiple times. The
1752 &man.malloc.3;/&man.free.3; routines used in &os; are not
1753 vulnerable to this error, but applications receiving
1754 specially-crafted blocks of invalid compressed data could
1755 be made to function incorrectly or abort. This
1756 <application>zlib</application> bug has been fixed. For a
1757 workaround and solutions, see security advisory <ulink
1758 url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:18.zlib.v1.2.asc">FreeBSD-SA-02:18</ulink>.
1761 <para>Bugs in the TCP SYN cache (<quote>syncache</quote>) and SYN
1762 cookie (<quote>syncookie</quote>) implementations, which could
1763 cause legitimate TCP/IP traffic to crash a machine, have been
1764 fixed. For a workaround and patches, see security advisory
1766 url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:20.syncache.asc">FreeBSD-SA-02:20</ulink>.
1769 <para>A routing table memory leak, which could allow a remote
1770 attacker to exhaust the memory of a target machine, has been
1771 fixed. A workaround and patches can be found in security
1773 url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:21.tcpip.asc">FreeBSD-SA-02:21</ulink>.
1776 <para>A bug with memory-mapped I/O, which could cause a system
1777 crash, has been fixed. For more information about a solution,
1778 see security advisory <ulink
1779 url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:22.mmap.asc">FreeBSD-SA-02:22</ulink>.
1782 <para>A security hole, in which SUID programs could be made to
1783 read from or write to inappropriate files through manipulation
1784 of their standard I/O file descriptors, has been fixed.
1785 Information regarding a solution can be found in security
1787 url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:23.stdio.asc">FreeBSD-SA-02:23</ulink>.
1790 <para>Some unexpected behavior could be allowed with &man.k5su.8;
1791 because it does not require that an invoking user be a member of
1792 the <groupname>wheel</groupname> group when attempting to become
1793 the superuser (this is the case with &man.su.1;). To avoid this
1794 situation, &man.k5su.8; is now installed non-SUID by default
1795 (effectively disabling it). More information can be found in
1796 security advisory <ulink
1797 url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:24.k5su.asc">FreeBSD-SA-02:24</ulink>.
1800 <para>Multiple vulnerabilities were found in the &man.bzip2.1;
1801 utility, which could allow files to be overwritten without
1802 warning or allow local users unintended access to files. These
1803 problems have been corrected with a new import of
1804 <application>bzip2</application>. For more information, see
1805 security advisory <ulink
1806 url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:25.bzip2.asc">FreeBSD-SA-02:25</ulink>.
1809 <para>A bug has been fixed in the implementation of the TCP SYN
1810 cache (<quote>syncache</quote>), which could allow a remote
1811 attacker to deny access to a service when accept filters
1812 (see &man.accept.filter.9;) were in use. This bug has been
1813 fixed; for more information, see security advisory <ulink
1814 url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:26.accept.asc">FreeBSD-SA-02:26</ulink>.
1817 <para>Due to a bug in &man.rc.8;'s use of shell globbing, users
1818 may be able to remove the contents of arbitrary files if
1819 <filename>/tmp/.X11-unix</filename> does not exist and the
1820 system can be made to reboot. This bug has been corrected (see
1821 security advisory <ulink
1822 url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:27.rc.asc">FreeBSD-SA-02:27</ulink>).
1827 <sect2 id="userland">
1828 <title>Userland Changes</title>
1830 <para role="historic">If the first argument to &man.ancontrol.8; or
1831 &man.wicontrol.8; doesn't start with a <literal>-</literal>, it
1832 is assumed to be an interface. &merged;</para>
1834 <para role="historic">&man.apmd.8; now has the ability to monitor battery levels
1835 and execute commands based on percentage or minutes of battery
1836 life remaining via the <literal>apm_battery</literal>
1837 configuration directive. See the commented-out examples in
1838 <filename>/etc/apmd.conf</filename> for the
1839 syntax. &merged;</para>
1841 <para role="historic">&man.arp.8; now prints the applicable interface name for
1842 each ARP entry. &merged;</para>
1844 <para>&man.arp.8; now prints <literal>[fddi]</literal> or
1845 <literal>[atm]</literal> tags for addresses on interfaces of
1848 <para>The &man.asa.1; utility, to interpret FORTRAN
1849 carriage-control characters, has been added.</para>
1851 <para>&man.at.1; now supports the <option>-r</option> command-line
1852 option to remove jobs and the <option>-t</option> option to
1853 specify times in POSIX time format.</para>
1855 <para role="historic">&man.atacontrol.8; has been added to control various aspects
1856 of the &man.ata.4; driver. &merged;</para>
1858 <para>The system &man.awk.1; now refers to
1859 <application>BWK awk</application>.</para>
1861 <para arch="pc98" role="historic">&man.boot98cfg.8;, a PC-98 boot manager
1862 installation and configuration utility, has been
1863 added. &merged;</para>
1865 <para role="historic">&man.burncd.8; now supports a <option>-m</option> option for
1866 multisession mode (the default behavior now is to close disks as
1867 single-session). A <option>-l</option> option to take a list of
1868 image files from a filename was also added;
1869 <filename>-</filename> can be used as a filename for
1870 <literal>stdin</literal>. &merged;</para>
1872 <para>&man.burncd.8; now supports Disk At Once (DAO) mode,
1873 selectable via the <option>-d</option> flag.</para>
1875 <para>&man.burncd.8; now has the ability to write VCDs/SVCDs.</para>
1877 <para role="historic">&man.c89.1; has been converted from a shell script to a
1878 binary executable, fixing some minor bugs. &merged;</para>
1880 <para arch="i386,pc98" role="historic">A minimalized version of &man.camcontrol.8; is
1881 now available on the installation floppy. This allows it to
1882 rescan for devices that have been connected after booting, or to
1883 show the devices attached to SCSI busses (e. g. from within the
1884 <quote>emergency holographic shell</quote>). &merged;</para>
1886 <para role="historic">&man.cat.1; now has the ability to read from UNIX-domain
1887 sockets. &merged;</para>
1889 <para>&man.catman.1; is now a C program, instead of a
1892 <para role="historic">&man.cdcontrol.1; now supports a <literal>cdid</literal>
1893 command, which calculates and displays the CD serial number,
1894 using the same algorithm used by the CDDB
1895 database. &merged;</para>
1897 <para role="historic">&man.cdcontrol.1; now uses the <envar>CDROM</envar>
1898 environment variable to pick a default device. &merged;</para>
1900 <para role="historic">&man.cdcontrol.1; now supports <literal>next</literal> and
1901 <literal>prev</literal> commands to skip forwards or backwards a
1902 specified number of tracks while playing an audio
1905 <para>On ATAPI CDROM drives, &man.cdcontrol.1; now supports a
1906 <literal>speed</literal> command to set the maximum speed to be
1907 used by the drive. &merged;</para>
1909 <para>&man.chflags.1; has moved from <filename>/usr/bin</filename>
1910 to <filename>/bin</filename>.</para>
1912 <para role="historic">&man.chio.1; now has the ability to specify elements by
1913 volume tag instead of by their physical location as well as the
1914 ability to return an element to its previous
1915 location. &merged;</para>
1917 <para>&man.chmod.1; now supports a <option>-h</option> for
1918 changing the mode of a symbolic link.</para>
1920 <para role="historic">&man.chown.8; now correctly follows symbolic links named as
1921 command line arguments if run without
1922 <option>-R</option>. &merged;</para>
1924 <para>&man.chown.8; no longer takes <literal>.</literal> as a
1925 user/group delimeter. This change was made to support usernames
1926 containing a <literal>.</literal>.</para>
1928 <para>Use of the <literal>CSMG_*</literal> macros no longer
1929 require inclusion of
1930 <filename><sys/param.h></filename></para>
1932 <para role="historic">&man.col.1; now takes a <option>-p</option> flag to force
1933 unknown control sequences to be passed through
1934 unchanged. &merged;</para>
1936 <para role="historic">The <filename>compat3x</filename> distribution has been
1937 updated to include libraries present in &os;
1938 3.5.1-RELEASE. &merged;</para>
1940 <para>A <filename>compat4x</filename> distribution has been added
1941 for compatibility with &os; 4-STABLE.</para>
1943 <para role="historic">&man.config.8; is now better about converting various
1944 warnings that should have been errors into actual fatal errors
1945 with an exit code. This ensures that <literal>make
1946 buildkernel</literal> doesn't quietly ignore them and build a
1947 bogus kernel without a human to read the errors. &merged;</para>
1949 <para role="historic">A number of buffer overflows in &man.config.8; have been
1950 fixed. &merged;</para>
1952 <para>A new &man.csplit.1; utility, which splits files based on
1953 context, has been added.</para>
1955 <para role="historic">&man.ctags.1; no longer creates a corrupt tags file if the
1956 source file used <literal>//</literal> (C++-style)
1957 comments. &merged;</para>
1959 <para>The &man.daemon.8; program, a command-line interface to
1960 &man.daemon.3;, has been added. It detaches itself from its
1961 controlling terminal and executes a program specified on the
1962 command line. This allows the user to run an arbitrary program
1963 as if it were written to be a daemon.</para>
1965 <para>&man.devinfo.8;, a simple tool to print the device tree and resource
1966 usage by devices, has been added.</para>
1968 <para role="historic">&man.df.1; now takes a <option>-l</option> option to only
1969 display information about locally-mounted
1970 filesystems. &merged;</para>
1972 <para role="historic">&man.disklabel.8; now supports partition sizes expressed in
1973 kilobytes, megabytes, or gigabytes, in addition to
1974 sectors. &merged;</para>
1976 <para>diskpart(8) has been declared obsolete, and has been
1979 <para role="historic">&man.dmesg.8; now has a <option>-a</option> option to show
1980 the entire message buffer, including &man.syslogd.8; records and
1981 <filename>/dev/console</filename> output. &merged;</para>
1983 <para role="historic">&man.du.1; now takes a <option>-I</option> command-line flag
1984 to ignore/skip files and subdirectories matching a specified
1985 shell-glob mask. &merged;</para>
1987 <para role="historic">&man.dump.8; now supports inheritance of the
1988 <literal>nodump</literal> flag down a hierarchy. &merged;</para>
1990 <para role="historic">The <option>-T</option> option to &man.dump.8; no longer
1991 swallows an extra argument. &merged;</para>
1993 <para role="historic">&man.dump.8; has a new <option>-D</option> option, allowing
1994 the path to the <filename>/etc/dumpdates</filename> file to be
1995 changed. &merged;</para>
1997 <para role="historic">&man.dump.8; now supplies progress information in its
1998 process title, useful for monitoring automated
1999 backups. &merged;</para>
2001 <para>&man.dump.8; now supports a new <option>-S</option> flag to allow
2002 it to just print out the dump size estimates and exit.</para>
2004 <para role="historic">&man.edquota.8; now takes a <option>-f</option> option to
2005 allow limiting the prototype quota distribution (specified with
2006 <option>-p</option>) to a single filesystem. &merged;</para>
2008 <para role="historic"><filename>/etc/rc.firewall</filename> and
2009 <filename>/etc/rc.firewall6</filename> will no longer add their own
2010 hardcoded rules in the cases of a rules file in the
2011 <varname>firewall_type</varname> variable or a non-existent
2012 firewall type. (The motivation for this change is to avoid
2013 acting on assumptions about a site's firewall policies.) In
2014 addition, the <literal>closed</literal> firewall type now works
2015 as documented in the &man.rc.firewall.8; manual page. &merged;</para>
2017 <para role="historic">The functionality of <filename>/etc/security</filename> has
2018 been been moved into a set of scripts under the &man.periodic.8;
2019 framework, to make local customization easier and more
2020 maintainable. These scripts now reside in
2021 <filename>/etc/periodic/security/</filename>. &merged;</para>
2023 <para>&man.expr.1; is now compliant with the POSIX Utility Syntax
2024 Guidelines. Some programs depend on the old, historic behavior
2025 (the <filename role="package">devel/libtool</filename>
2026 port/package was/is a notable example). In these situations,
2027 the <envar>EXPR_COMPAT</envar> environment variable can be
2028 defined, which causes &man.expr.1; to behave more like previous
2031 <para>&man.fbtab.5; now accepts glob matching patterns for target
2032 devices, not just individual devices and directories.</para>
2034 <para arch="i386">&man.fdisk.8; no longer attempts to search for a
2035 device if none has been specified on the command line, but
2036 instead tries to figure out the default device name from the
2039 <para>&man.fdread.1;, a program to read data from floppy disks,
2040 has been added. It is a counterpart to &man.fdwrite.1; and is
2041 designed to provide a means of recovering at least some data
2042 from bad media, and to obviate for a complex invocation of
2045 <para role="historic">&man.find.1; now takes the <option>-empty</option> flag,
2046 which returns true if a file or directory is
2047 empty. &merged;</para>
2049 <para role="historic">&man.find.1; now takes the <option>-iname</option> and
2050 <option>-ipath</option> primaries for case-insensitive matches,
2051 and the <option>-regexp</option> and <option>-iregexp</option>
2052 primaries for regular-expression matches. The
2053 <option>-E</option> flag now enables extended regular
2054 expressions. &merged;</para>
2056 <para role="historic">&man.find.1; now has the <option>-anewer</option>,
2057 <option>-cnewer</option>, <option>-mnewer</option>,
2058 <option>-okdir</option>, and <option>-newer[acm][acmt]</option>
2059 primaries for comparisons of file timestamps. The latter
2060 primaries can be specified with various units of
2061 time. &merged;</para>
2063 <para role="historic">&man.finger.1; now has the ability to support fingering
2064 aliases, via the &man.finger.conf.5; file. &merged;</para>
2066 <para>&man.finger.1; now has support for a
2067 <filename>.pubkey</filename> file.</para>
2069 <para role="historic">&man.fmt.1; has been rewritten; the rewrite fixes a number
2070 of bugs compared to its prior behavior. &merged;</para>
2072 <para role="historic">&man.fmtcheck.3;, a function for checking consistency of
2073 format string arguments, has been added. &merged;</para>
2075 <para>&man.fold.1; now supports a <option>-b</option> flag to
2076 break at byte positions and a <option>-s</option> flag to break at
2077 word boundaries. &merged;</para>
2079 <para role="historic">&man.fsdb.8; now supports a <literal>blocks</literal>
2080 command to list the blocks allocated by a particular
2081 inode. &merged;</para>
2083 <para>&man.fsck.8; wrappers have been imported; this feature
2084 provides infrastructure for &man.fsck.8; to work on different
2085 types of filesystems (analogous to &man.mount.8;).</para>
2087 <para>The behavior of &man.fsck.8; when dealing with various
2088 passes (a la <filename>/etc/fstab</filename>) has been modified
2089 to accommodate multiple-disk filesystems.</para>
2091 <para>&man.fsck.8; now has support for foreground
2092 (<option>-F</option>) and background (<option>-B</option>)
2093 checks. Traditionally, &man.fsck.8; is invoked before the
2094 filesystems are mounted and all checks are done to completion at
2095 that time. If background checking is available, &man.fsck.8; is
2096 invoked twice. It is first invoked at the traditional time,
2097 before the filesystems are mounted, with the <option>-F</option>
2098 flag to do checking on all the filesystems that cannot do
2099 background checking. It is then invoked a second time, after
2100 the system has completed going multiuser, with the
2101 <option>-B</option> flag to do checking on all the filesystems
2102 that can do background checking. Unlike the foreground
2103 checking, the background checking is started asynchronously so
2104 that other system activity can proceed even on the filesystems
2105 that are being checked. Boot-time enabling of this feature is
2107 <varname>background_fsck</varname> option in &man.rc.conf.5;.</para>
2109 <para role="historic">Shortly after the receipt of a <literal>SIGINFO</literal>
2110 signal (normally control-T from the controlling tty),
2111 &man.fsck.ffs.8; will now output a line indicating the current
2112 phase number and progress information relevant to the current
2113 phase. &merged;</para>
2115 <para>&man.fsck.ffs.8; now supports background filesystem checks
2116 to mounted FFS filesystems with the <option>-B</option> option
2117 (softupdates must be enabled on these filesystems). The
2118 <option>-F</option> flag now determines whether a specified
2119 filesystem needs foreground checking.</para>
2121 <para role="historic">A new &man.fsck.msdosfs.8; utility has been added to check
2122 the consistency of MS-DOS filesystems. &merged;</para>
2124 <para role="historic">&man.ftpd.8; now supports a <option>-r</option> flag for
2125 read-only mode and a <option>-E</option> flag to disable
2126 <literal>EPSV</literal>. It also has some fixes to reduce
2127 information leakage and the ability to specify compile-time port
2128 ranges. &merged;</para>
2130 <para>&man.ftpd.8; now supports <option>-o</option> and
2131 <option>-O</option> options to disable the
2132 <literal>RETR</literal> command; the former for everybody, and
2133 the latter only for guest users. Coupled with
2134 <option>-A</option> and appropriate file permissions, these can
2135 be used to create a relatively safe anonymous FTP drop box for
2136 others to upload to.</para>
2138 <para arch="i386,pc98" role="historic">&man.gdb.1; now supports hardware
2139 watchpoints (using the kernel's debug register + support that
2140 has been introduced in &os; 4.0). &merged;</para>
2142 <para role="historic">The &man.getprogname.3; and &man.setprogname.3; library
2143 functions have been added to manipulate the name of the current
2144 program. They are used by error-reporting routines to produce
2145 consistent output. &merged;</para>
2147 <para>&man.gprof.1; now has a <option>-K</option> option to enable
2148 dynamic symbol resolution from the currently-running kernel.
2149 With this change, properly-compiled KLD modules are now able to
2152 <para role="historic">&man.growfs.8;, a utility for growing FFS filesystems, has
2153 been added. &man.ffsinfo.8;, a utility for dump all the
2154 meta-information of an existing filesystem, has also been
2155 added. &merged;</para>
2157 <para role="historic">The &man.groups.1; and &man.whoami.1; shell scripts are now
2158 unnecessary; their functionality has been completely folded into
2159 &man.id.1;. &merged;</para>
2161 <para>The ibcs(8), linux(8), osf1(8), and
2162 svr4(8) scripts, whose sole purpose was to load emulation
2163 kernel modules, have been removed. The kernel module system
2164 will automatically load them as needed to fulfill
2165 dependencies.</para>
2167 <para role="historic">&man.indent.1; has gained some new formatting
2168 options. &merged;</para>
2170 <para role="historic">&man.ifconfig.8; can set the link-layer address of
2171 an interface using the <option>link</option> parameter.
2174 <para role="historic">&man.ifconfig.8; can now accept addresses in slash/CIDR
2175 notation. &merged;</para>
2177 <para role="historic">&man.ifconfig.8; now has support for setting parameters for
2178 IEEE 802.11 wireless network devices. &man.wi.4; and &man.an.4;
2179 devices are supported, and partial support is provided for
2180 &man.awi.4; devices. &merged;</para>
2182 <para role="historic">&man.ifconfig.8; no longer displays the list of supported
2183 media by default. Instead it displays it when the
2184 <option>-m</option> flag is given. &merged;</para>
2186 <para role="historic">The syntax of &man.inetd.8;'s support for &man.faithd.8; is
2187 now compatible with that of other BSDs. &merged;</para>
2189 <para role="historic">The <literal>ident</literal> protocol support in
2190 &man.inetd.8; has been cleaned up and updated. &merged;</para>
2192 <para role="historic">&man.inetd.8; now has the ability to manage UNIX-domain
2193 sockets. &merged;</para>
2195 <para>By default, &man.inetd.8; is no longer run by &man.rc.8; at
2196 boot-time, although &man.sysinstall.8; gives the option of
2197 enabling it during binary installations. &man.inetd.8; can also
2198 be enabled by adding the following line to
2199 <filename>/etc/rc.conf</filename>:</para>
2201 <programlisting>inetd_enable="YES"</programlisting>
2203 <para role="historic">&man.install.1; has a number of new features, including the
2204 <option>-b</option> and <option>-B</option> options for backing up
2205 existing target files and the <option>-S</option> option for
2206 <quote>safe</quote> (atomic copy) operation. The
2207 <option>-c</option> (copy) flag is now the default, and the
2208 <option>-D</option> (debugging) flag has been withdrawn.
2209 &man.install.1; now issues a warning if <option>-d</option>
2210 (create directories) and <option>-C</option> (copy changed files
2211 only) are used together. &merged;</para>
2213 <para role="historic">IP Filter is now supported by the &man.rc.conf.5; boot-time
2214 configuration and initialization. &merged;</para>
2216 <para role="historic">&man.ipfstat.8; now supports the <option>-t</option> option
2217 to turn on a &man.top.1;-like display. &merged;</para>
2219 <para role="historic">&man.ipfw.8; will now avoid the display of dynamic firewall
2220 rules unless the <option>-d</option> flag is passed to it. The
2221 <option>-e</option> option lists expired dynamic
2222 rules. &merged;</para>
2224 <para role="historic">&man.ipfw.8; has a new feature (<literal>me</literal>) that
2225 allows for packet matching on interfaces with
2226 dynamically-changing IP addresses. &merged;</para>
2228 <para role="historic">&man.ipfw.8; has a new <literal>limit</literal> type of
2229 firewall rule, which limits the number of sessions between
2230 address pairs. &merged;</para>
2232 <para>&man.ipfw.8; filter rules can now match on the value of the
2233 IPv4 precedence field.</para>
2235 <para role="historic">&man.ip6fw.8; now has the ability to use a preprocessor and
2236 use the <option>-q</option> (quiet) flag when reading from a
2237 file. &merged;</para>
2239 <para role="historic">&man.ispppcontrol.8; has been deleted, and its functionality
2240 has been folded into &man.spppcontrol.8;. &merged;</para>
2242 <para role="historic">&man.k5su.8; is no longer installed SUID
2243 <username>root</username> by default. Users requiring this
2244 feature can either manually change the permissions on the
2245 &man.k5su.8; executable or add
2246 <literal>ENABLE_SUID_K5SU=yes</literal> to
2247 <filename>/etc/make.conf</filename> before a source
2248 upgrade. &merged;</para>
2250 <para role="historic">&man.kenv.1;, a command to dump the kernel environment, has
2251 been added. &merged;</para>
2253 <para>&man.kenv.1; now has the ability to set or delete kernel
2254 environment variables.</para>
2256 <para role="historic">&man.keyinfo.1; is now a C program, rather than a Perl
2257 script. &merged;</para>
2259 <para>The kget(8) utility has been removed (it was only
2260 useful for UserConfig, which is not present in &os;
2261 &release.current;).</para>
2263 <para role="historic">&man.killall.1; is now a C program, rather than a Perl
2264 script. As a result, its <option>-m</option> option now uses
2265 the regular expression syntax of &man.regex.3;, rather than that
2266 of Perl. &merged;</para>
2268 <para>&man.killall.1; no longer tries to kill zombie processes
2269 unless the <option>-z</option> flag is specified.</para>
2271 <para role="historic">The &man.kldconfig.8; utility has been added to make it
2272 easier to manipulate the kernel module search
2273 path. &merged;</para>
2275 <para>ktrdump, a utility to dump the ktr trace buffer from
2276 userland, has been added.</para>
2278 <para role="historic">&man.last.1; now implements a <option>-d</option> that
2279 provides a <quote>snapshot</quote> of who was logged in at a
2280 particular date and time. &merged;</para>
2282 <para role="historic">&man.last.1; now supports a <option>-y</option> flag, which
2283 causes the year to be included in the session start time. &merged;</para>
2285 <para role="historic">The &man.lastlogin.8; utility, which prints the last login
2286 time of each user, has been imported from
2287 NetBSD. &merged;</para>
2289 <para role="historic">&man.ldconfig.8; now checks directory ownerships and
2290 permissions for greater security; these checks can be disabled
2291 with the <option>-i</option> flag. &merged;</para>
2293 <para role="historic">&man.ldd.1; can now be used on shared libraries, in addition
2294 to executables. &merged;</para>
2296 <para>&man.ldd.1; now supports a <option>-a</option> flag to list
2297 all the objects that are needed by each loaded object.</para>
2299 <para><filename>libc</filename> is now thread-safe by default;
2300 <filename>libc_r</filename> contains only thread
2303 <para role="historic"><filename>libcrypt</filename> and
2304 <filename>libdescrypt</filename> have been unified to provide a
2305 configurable password authentication hash library. Both the md5
2306 and des hash methods are provided unless the des hash is
2307 specifically compiled out. &merged;</para>
2309 <para role="historic"><filename>libcrypt</filename> now has support for Blowfish
2310 password hashing. &merged;</para>
2312 <para arch="i386" role="historic"><filename>libdisk</filename> can now do
2313 install-time configuration of the <filename>boot0</filename>
2314 boot loader. &merged;</para>
2316 <para role="historic"><filename>libstand</filename> now has support for
2317 filesystems containing
2318 <application>bzip2</application>-compressed
2319 files. &merged;</para>
2321 <para><filename>libstand</filename> now has support for
2322 overwriting the contents of a file on a UFS filesystem (it
2323 cannot expand or truncate files because the filesystem may be
2324 dirty or inconsistent).</para>
2326 <para role="historic"><filename>libstand</filename> now has support for loading
2327 large kernels and modules split across several physical
2328 media. &merged;</para>
2330 <para role="historic">The default TCP port range used by
2331 <filename>libfetch</filename> for passive FTP retrievals has
2332 changed; this affects the behavior of &man.fetch.1;, which has
2333 gained the <option>-U</option> option to restore the old
2334 behavior. &merged;</para>
2336 <para role="historic"><filename>libfetch</filename> now has support for an
2337 authentication callback. &merged;</para>
2339 <para role="historic"><filename>libfetch</filename> now has support for a
2340 <envar>HTTP_USER_AGENT</envar> environment
2341 variable. &merged;</para>
2343 <para><filename>libgmp</filename> has been superceded by
2344 <filename>libmp</filename>.
2346 <para>The functions from <filename>libposix1e</filename> have been
2347 integrated into <filename>libc</filename>.</para>
2349 <para role="historic"><filename>libusb</filename> has been renamed as
2350 <filename>libusbhid</filename>, following NetBSD's naming
2351 conventions. &merged;</para>
2353 <para role="historic">&man.ln.1; now takes an <option>-i</option> option to
2354 request user confirmation before overwriting an existing
2355 file. &merged;</para>
2357 <para role="historic">&man.ln.1; now takes a <option>-h</option> flag to avoid
2358 following a target that is a link, with a <option>-n</option>
2359 flag for compatibility with other
2360 implementations. &merged;</para>
2362 <para role="historic">&man.logger.1; can now send messages directly to a remote
2363 syslog. &merged;</para>
2365 <para role="historic">&man.login.1; now exports environment variables set by
2366 <application>PAM</application> modules. &merged;</para>
2368 <para role="historic">&man.lpc.8; has been improved; <command>lpc clean</command>
2369 is now somewhat safer, and a new <command>lpc tclean</command>
2370 command has been added to check to see what files would be
2371 removed by <command>lpc clean</command>. &merged;</para>
2373 <para role="historic">&man.lpd.8; now takes two new options: <option>-c</option>
2374 will log all connection errors to &man.syslogd.8;, while
2375 <option>-W</option> will allow connections from non-reserved
2376 ports. &merged;</para>
2378 <para role="historic">&man.lpd.8; now has some support for
2379 <literal>o</literal>-type print-file actions in its control
2380 files, which allows printing of PostScript files generated by
2381 <application>MacOS</application> 10.1. &merged;</para>
2383 <para role="historic">&man.lpd.8; now recognizes the <option>-s</option> flag as
2384 the preferred synonym for <option>-p</option> (these flags
2385 cause &man.lpd.8; not to open a socket for network print
2386 jobs). &merged;</para>
2388 <para role="historic">&man.lpd.8; now implements a new <literal>rc</literal>
2389 printcap option. When specified in a print queue for a remote
2390 host, boolean option causes &man.lpd.8; to resend the data file
2391 for each copy the user requested via <command>lpr
2392 -#<replaceable>n</replaceable></command>. &merged;</para>
2394 <para role="historic">Catching up with most other network utilities in the base
2395 system, &man.lpr.1;, &man.lpd.8;, &man.syslogd.8;, and
2396 &man.logger.1; are now all IPv6-capable. &merged;</para>
2398 <para role="historic"><command>lprm -</command> now works for remote printer
2399 queues. &merged;</para>
2401 <para role="historic">&man.ls.1; can produce colorized listings with the
2402 <option>-G</option> flag (and appropriate terminal support).
2403 The <envar>CLICOLOR</envar> environment variable can be set to
2404 enable colorized listings by default. &merged;</para>
2406 <para role="historic">&man.ls.1; now accepts a <option>-h</option> flag, which
2407 when combined with the <option>-l</option> flag, causes file
2408 sizes to be printed with unit suffixes, such that the number of
2409 digits printed is fewer than four. &merged;</para>
2411 <para>The &man.ls.1; program now supports a <option>-m</option>
2412 flag to list files across a page, a <option>-p</option> flag to
2413 force printing of a <literal>/</literal> after directories, and
2414 a <option>-x</option> flag to sort filenames across a
2417 <para role="historic">&man.m4.1; now accepts a <option>-s</option> flag to cause
2418 it to emit <literal>#line</literal> directives for use by
2419 &man.cpp.1;. &merged;</para>
2421 <para role="historic">&man.mail.1; now takes a <option>-E</option> flag to avoid
2422 sending messages with empty bodies. &merged;</para>
2424 <para role="historic">&man.make.1; has gained the <literal>:C///</literal>
2425 (regular expression substitution), <literal>:L</literal>
2426 (lowercase), and <literal>:U</literal> (uppercase) variable
2427 modifiers. These were added to reduce the differences between
2428 the &os; and OpenBSD/NetBSD &man.make.1; programs.
2431 <para role="historic">Bugs in &man.make.1;, among which include broken null suffix
2432 behavior, bad assumptions about current directory permissions,
2433 and potential buffer overflows, have been fixed. &merged;</para>
2435 <para role="historic">The new <varname>CPUTYPE</varname>
2436 <filename>make.conf</filename> variable controls the compilation
2437 of processor-specific optimizations in various pieces of code
2438 such as <application>OpenSSL</application>. &merged;</para>
2440 <para role="historic">The &os; <filename>Makefile</filename> infrastructure now
2441 supports the <varname>WARNS</varname> directive from NetBSD.
2442 This directive controls the addition of compiler warning flags
2443 to <varname>CFLAGS</varname> in a relatively compiler-neutral
2444 manner. &merged;</para>
2446 <para>&man.makewhatis.1; is now a C program, instead of a
2449 <para>&man.man.1; is no longer installed SUID
2450 <username>man</username>, in order to reduce vulnerabilities
2451 associated with generating <quote>catpages</quote> (preformatted
2452 manual pages cached for repeated viewing). As a result,
2453 &man.man.1; can no longer create system catpages on a regular
2454 user's behalf. It is still able to do so if the user has write
2455 permissions to the directory holding catpages (e.g. a user's own
2456 manpages) or if the running user is
2457 <username>root</username>.</para>
2459 <para>The &man.mdmfs.8; command has been added; it is a wrapper
2460 around &man.mdconfig.8;, &man.disklabel.8;, &man.newfs.8;, and
2461 &man.mount.8; that mimics the command line option set of the
2462 deprecated &man.mount.mfs.8;.</para>
2464 <para role="historic">&man.mergemaster.8; now sources an
2465 <filename>/etc/mergemaster.rc</filename> file and also prompts
2466 the user to run recommended commands (such as
2467 <command>newaliases</command>) as needed. &merged;</para>
2469 <para role="historic">&man.mergemaster.8; now supports two new flags.
2470 The <option>-p</option> flag enables a
2471 <quote>pre-<literal>buildworld</literal></quote> mode to files
2472 known to be essential to the success of the
2473 <literal>buildworld</literal> and
2474 <literal>installworld</literal> system updating steps. The
2475 <option>-C</option> flag, used after a successful
2476 &man.mergemaster.8; run, compares options in
2477 <filename>/etc/rc.conf</filename> to the default options in
2478 <filename>/etc/defaults/rc.conf</filename>. &merged;</para>
2480 <para role="historic">mk_cmds(1) and the associated
2481 <filename>libss</filename> have been removed; they have been
2482 unused for quite some time. &merged;</para>
2484 <para role="historic">&man.moused.8; now takes a <option>-a</option> option to
2485 control mouse acceleration. &merged;</para>
2487 <para role="historic">&man.mtree.8; now includes support for a file that lists
2488 pathnames to be excluded when creating and verifying prototypes.
2489 This makes it easier to use &man.mtree.8; as a part of an
2490 intrusion-detection system. &merged;</para>
2492 <para>&man.mv.1; now takes a (nonstandard) <option>-n</option> to
2493 automatically answer <quote>no</quote> when it would ask to
2494 overwrite a file.</para>
2496 <para role="historic">&man.natd.8; now supports a
2497 <option>-log_ipfw_denied</option> option to log packets that
2498 cannot be re-injected because they are blocked by &man.ipfw.8;
2499 rules. &merged;</para>
2501 <para role="historic">The <quote>in use</quote> percentage metric displayed by
2502 &man.netstat.1; now really reflects the percentage of network
2503 mbufs used. &merged;</para>
2505 <para role="historic">&man.netstat.1; now has a <option>-W</option> flag that
2506 tells it not to truncate addresses, even if they're too long for
2507 the column they're printed in. &merged;</para>
2509 <para role="historic">&man.netstat.1; now keeps track of input and output packets
2510 on a per-address basis for each interface. &merged;</para>
2512 <para role="historic">&man.netstat.1; now has a <option>-z</option> flag to reset
2513 statistics. &merged;</para>
2515 <para role="historic">&man.netstat.1; now has a <option>-S</option> flag to print
2516 address numerically but port names symbolically. &merged;</para>
2518 <para role="historic">&man.newfs.8; now implements write combining, which can make
2519 creation of new filesystems up to seven times
2520 faster. &merged;</para>
2522 <para role="historic">&man.newfs.8; now takes a <option>-U</option> option to
2523 enable softupdates on a new filesystem. &merged;</para>
2525 <para role="historic">The default number of cylinders per group in &man.newfs.8;
2526 is now computed to be the maximum allowable given the current
2527 filesystem parameters. It can be overridden with the
2528 <option>-c</option> option. Formerly, the default was fixed at
2529 16. This change leads to better &man.fsck.8; performance and
2530 reduced fragmentation. &merged;</para>
2532 <para role="historic"><anchor id="newfs-block-frag-sizes">The default block and
2533 fragment sizes for new filesystems created by &man.newfs.8; are
2534 now 16384 and 2048 bytes, respectively (the old defaults were
2535 8192 and 1024 bytes). This change generally provides increased
2536 performance, at the expense of some wasted disk
2537 space. &merged;</para>
2539 <para>A number of archaic features of &man.newfs.8; have been
2540 removed; these implement tuning features that are essentially
2541 useless on modern hard disks. These features were controlled by
2542 the <option>-O</option>, <option>-d</option>,
2543 <option>-k</option>, <option>-l</option>, <option>-n</option>,
2544 <option>-p</option>, <option>-r</option>, <option>-t</option>,
2545 and <option>-x</option> flags.</para>
2547 <para role="historic">&man.newsyslog.8; now has the ability to compress log files
2548 using &man.bzip2.1;. &merged;</para>
2550 <para><application>NFS</application> now works over IPv6.</para>
2552 <para role="historic">&man.ngctl.8; now supports a <option>write</option> command
2553 to send a data packet down a given hook. &merged;</para>
2555 <para role="historic">&man.nl.1;, a line numbering filter program, has been
2556 added. &merged;</para>
2558 <para><application>nsswitch</application> support has been merged
2559 from NetBSD. By creating an &man.nsswitch.conf.5; file, &os;
2560 can be configured so that various databases such as
2561 &man.passwd.5; and &man.group.5; can be looked up using flat
2562 files, NIS, or Hesiod. The old
2563 <filename>hosts.conf</filename> file is no longer used.</para>
2565 <para><application>PAM</application> support has been added for
2566 account management and sessions.</para>
2568 <para><application>PAM</application> configuration is now
2569 specified by files in <filename>/etc/pam.d/</filename>, rather
2570 than a single <filename>/etc/pam.conf</filename> file.
2571 <filename>/etc/pam.d/README</filename> has more details.</para>
2573 <para>A &man.pam.ftp.8; module has been added to allow
2574 authentication of anonymous FTP users.</para>
2576 <para>A &man.pam.ftpusers.8; module has been added to perform
2577 checks against the &man.ftpusers.5; file.</para>
2579 <para>A &man.pam.lastlog.8; module has been added to record
2580 sessions in the &man.utmp.5;, &man.wtmp.5;, and &man.lastlog.5;
2583 <para>A &man.pam.login.access.8; module has been added, to allow
2584 checking against <filename>/etc/login.access</filename>.</para>
2586 <para>The &man.pam.nologin.8; module, which can disallow logins
2587 using &man.nologin.5;, has been added.</para>
2589 <para>The &man.pam.opie.8; and &man.pam.opieaccess.8; modules have
2590 been added to control authentication via &man.opie.4;.</para>
2592 <para>A &man.pam.passwdqc.8; module has been added, to check the
2593 quality of passwords submitted during password changes.</para>
2595 <para>A &man.pam.rhosts.8; module has been added to support
2596 &man.rhosts.5; authentication.</para>
2598 <para>The &man.pam.rootok.8; module, which can be used to
2599 authenticate only the superuser, has been added.</para>
2601 <para>A &man.pam.securetty.8; module has been added to check the
2602 <quote>security</quote> of a TTY, as listed in &man.ttys.5;.</para>
2604 <para>A &man.pam.self.8; module, which allows self-authentication
2605 of a user, has been added.</para>
2607 <para role="historic">A &man.pam.ssh.8; module has been added to allow the use of
2608 SSH passphrases and keypairs for authentication. This module
2609 also handles session management by invoking
2610 &man.ssh-agent.1;. &merged;</para>
2612 <para>A &man.pam.wheel.8; module has been added to permit
2613 authentication to members of a group, which defaults to
2614 <groupname>wheel</groupname>.</para>
2616 <para role="historic">&man.passwd.1; and &man.pw.8; now select the password hash
2617 algorithm at run time. See the <literal>passwd_format</literal>
2619 <filename>/etc/login.conf</filename>. &merged;</para>
2621 <para role="historic">&man.patch.1; now accepts a <option>-i</option> command-line
2622 flag to read a patch from a file, rather than standard
2623 input. &merged;</para>
2625 <para>The &man.pathchk.1; utility, which checks pathnames for
2626 validity or portability between POSIX systems, has been
2629 <para role="historic">&man.pax.1; has received a number of enhancements, including
2630 &man.cpio.1; functionality, &man.tar.1; compatibility
2631 enhancements, <option>-z</option> and <option>-Z</option> flags
2632 for &man.gzip.1; and &man.compress.1; functionality, and a
2633 number of bug fixes. &merged;</para>
2635 <para role="historic">&man.pciconf.8; now supports a <option>-v</option> option to
2636 display the vendor/device information of configured devices, in
2637 conjunction with the <option>-l</option> option. The default
2638 vendor/device database can be found at
2639 <filename>/usr/share/misc/pci_vendors</filename>. &merged;</para>
2641 <para role="historic">The behavior of &man.periodic.8; is now controlled by
2642 <filename>/etc/defaults/periodic.conf</filename> and
2643 <filename>/etc/periodic.conf</filename>. &merged;</para>
2645 <para role="historic">&man.ping.8; now supports a <option>-m</option> option to
2646 set the TTL of outgoing packets. &merged;</para>
2648 <para role="historic">&man.ping.8; now supports a <option>-A</option> option to
2649 beep when packets are lost. &merged;</para>
2651 <para role="historic">Userland &man.ppp.8; has received a number of updates and
2652 bug fixes. &merged;</para>
2654 <para role="historic">&man.ppp.8; has gained the <literal>tcpmssfixup</literal>
2655 option, which adjusts outgoing and incoming TCP SYN packets so
2656 that the maximum receive segment size is no larger than allowed
2657 by the interface MTU. &merged;</para>
2659 <para role="historic">&man.ppp.8; now supports IPv6. &merged;</para>
2661 <para role="historic">&man.pppd.8; (the control program for kernel-level PPP) is
2662 now installed mode <literal>4550</literal> and
2663 <username>root</username><literal>:</literal><groupname>dialer</groupname>,
2664 rather than mode <literal>4555</literal> (in other words, it is
2665 no longer world-executable). Users of &man.pppd.8; may need to
2666 change their group settings. &merged;</para>
2668 <para role="historic">&man.pr.1; now supports the <option>-f</option> and
2669 <option>-p</option> flags to pause output going to a
2670 terminal. &merged;</para>
2672 <para role="historic">The <option>-W</option> option to &man.ps.1; (to extract
2673 information from a specified swap device) has been useless for
2674 some time; it has been removed. &merged;</para>
2676 <para role="historic">&man.pwd.1; can now double as &man.realpath.1;, a program to
2677 resolve pathnames to their underlying physical
2678 paths. &merged;</para>
2680 <para>&man.pwd.1; now supports the <option>-L</option> flag to
2681 print the logical current working directory. &merged;</para>
2683 <para>The pseudo-random number generator implemented by
2684 &man.rand.3; has been improved to provide less biased
2687 <para role="historic">&man.rc.8; now has an framework for handling dependencies
2688 between &man.rc.conf.5; variables. &merged;</para>
2690 <para role="historic">&man.rc.8; now deletes all non-directory files in
2691 <filename>/var/run</filename> and
2692 <filename>/var/spool/lock</filename> at boot
2693 time. &merged;</para>
2695 <para>&man.rcmd.3; now supports the use of the
2696 <envar>RSH</envar> environment variable to specify a program to
2697 use other than &man.rsh.1; for remote execution. As a result,
2698 programs such as &man.dump.8;, can use &man.ssh.1; for remote
2701 <para>&man.rdist.1; has been retired from the base system, but is
2702 still available from &os; Ports Collection as
2703 <filename role="package">net/44bsd-rdist</filename>.</para>
2705 <para role="historic">&man.reboot.8; now takes a <option>-k</option> to specify
2706 the next kernel to boot. &merged;</para>
2708 <para>The &man.renice.8; command implements a <option>-n</option>
2709 option, which specifies an increment to be applied to the
2710 priority of a process. &merged;</para>
2712 <para role="historic">The &man.resolver.3; in &os; now implements EDNS0 support,
2713 which will be necessary when working with IPv6 transport-ready
2714 resolvers/DNS servers. &merged;</para>
2716 <para role="historic">The &man.rfork.thread.3; library call has been added as a
2717 helper function to &man.rfork.2;. Using this function should
2718 avoid the need to implement complex stack swap
2719 code. &merged;</para>
2721 <para>The <option>-v</option> option to &man.rm.1; now displays
2722 the entire pathname of a file being removed.</para>
2724 <para role="historic">&man.route.8; is now more verbose when changing indirect
2725 routes, in the case of a gateway route that is the same route as
2726 the one being modified. &merged;</para>
2728 <para role="historic">&man.route.8; now uses
2729 <literal><replaceable>host</replaceable>/<replaceable>bits</replaceable></literal>
2731 <literal><replaceable>net</replaceable>/<replaceable>bits</replaceable></literal>
2732 syntax, for compatibility with &man.netstat.1;. &merged;</para>
2734 <para role="historic">&man.route.8; can now create <quote>proxy only</quote>
2735 published ARP entries. &merged;</para>
2737 <para role="historic">The &man.route.8; <option>add</option> command now supports
2738 the <option>-ifp</option> and <option>-ifa</option>
2739 modifiers. &merged;</para>
2741 <para>&man.rpcbind.8; has replaced &man.portmap.8;.</para>
2743 <para>&man.rpcgen.1; now uses <filename>/usr/bin/cpp</filename>
2745 <filename>/usr/libexec/cpp</filename>.</para>
2747 <para>&man.rpc.lockd.8; has been imported from NetBSD. This
2748 daemon provides support for servicing client NFS locks.</para>
2750 <para role="historic">The performance of the ELF dynamic linker &man.rtld.1; has
2751 been improved. &merged;</para>
2753 <para role="historic">RSA Security has waived all patent rights to the
2754 <application>RSA</application> algorithm. As a result, the
2755 native <application>OpenSSL</application> implementation of the
2756 RSA algorithm is now activated by default, and the <filename
2757 role="package">security/rsaref</filename> port and the
2758 <filename>librsaUSA</filename> and
2759 <filename>librsaINTL</filename> libraries are no longer required
2760 for USA and non-USA residents respectively. &merged;</para>
2762 <para>&man.rtld.1; will now print the names of all objects that
2763 cause each object to be loaded, if the
2764 <varname>LD_TRACE_LOADED_OBJECTS_ALL</varname> environment
2765 variable is defined.</para>
2767 <para role="historic">&man.savecore.8; now supports a <option>-k</option> option
2768 to prevent clearing a crash dump after saving it. It also
2769 attempts to avoid writing large stretches of zeros to crash dump
2770 files to save space and time. &merged;</para>
2772 <para role="historic">&man.savecore.8; now works correctly on machines with 2 GB
2773 or more of RAM. &merged;</para>
2775 <para>The &man.sccs.1; front-end to the Source Code Control System
2776 has been revived.</para>
2778 <para role="historic">&man.sed.1; now takes a <option>-E</option> option for
2779 extended regular expression support. &merged;</para>
2781 <para>&man.sed.1; now takes a <option>-i</option> option to enable
2782 in-place editing of files.</para>
2784 <para role="historic">&man.send-pr.1; now takes a <option>-a</option> option to
2785 include a file into the <literal>Fix:</literal> section of a
2786 problem report. &merged;</para>
2788 <para>The &man.setfacl.1; and &man.getfacl.1; commands have been
2789 added to manage filesystem Access Control Lists.</para>
2791 <para role="historic">&man.setproctitle.3; has been moved from
2792 <filename>libutil</filename> to
2793 <filename>libc</filename>. &merged;</para>
2795 <para role="historic">&man.sh.1; now implements <command>test</command> as a
2796 built-in command for improved efficiency. &merged;</para>
2798 <para>&man.sh.1; no longer implements <command>printf</command> as
2799 a built-in command because it was considered less valuable
2800 compared to the other built-in commands (this functionality is,
2801 of course, still available through the &man.printf.1;
2804 <para>&man.sh.1; now supports a <option>-C</option> option to
2805 prevent existing regular files from being overwritten by output
2806 redirection, and a <option>-u</option> to give an error if an
2807 unset variable is expanded.</para>
2809 <para role="historic">&man.sockstat.1; now has <option>-c</option> and
2810 <option>-l</option> flags for listing connected and listening
2811 sockets, respectively. &merged;</para>
2813 <para>&man.spkrtest.8; is now a &man.sh.1; script, rather than a
2816 <para role="historic">&man.split.1; now has the ability to split a file longer
2817 than 2GB. &merged;</para>
2819 <para>&man.split.1; now supports a <option>-a</option> option to
2820 specify the number of letters to use for the suffix of split
2823 <para>In preparation for meeting SUSv2/POSIX
2824 <filename><sys/select.h></filename> requirements,
2825 <literal>struct selinfo</literal> and related functions have been
2826 moved to <filename><sys/selinfo.h></filename>.</para>
2828 <para role="historic">The &man.strnstr.3; and &man.strcasestr.3; variants of
2829 &man.strstr.3; have been implemented. &merged;</para>
2831 <para role="historic">&man.stty.1; now has support for an
2832 <literal>erase2</literal> control character, so that, for
2833 example, both the <keycap>Delete</keycap> and
2834 <keycap>Backspace</keycap> keys can be used to erase
2835 characters. &merged;</para>
2837 <para>&man.su.1; now uses <application>PAM</application> for
2838 authentication.</para>
2840 <para role="historic">Boot-time &man.syscons.4; configuration was moved to a
2842 <filename>/etc/rc.syscons</filename>. &merged;</para>
2844 <para role="historic">&man.sysctl.8; now supports a <option>-N</option> option to
2845 print out variable names only. &merged;</para>
2847 <para role="historic">&man.sysctl.8; has replaced the <option>-A</option> and
2848 <option>-X</option> options with <option>-ao</option> and
2849 <option>-ax</option> respectively; the former options are now
2850 deprecated. The <option>-w</option> option is deprecated as
2851 well; it is not needed to determine the user's
2852 intentions. &merged;</para>
2854 <para role="historic">&man.sysctl.8; now supports a <option>-e</option> option to
2855 separate variable names and values by <literal>=</literal>
2856 rather than <literal>:</literal>. This feature is useful for
2857 producing output that can be fed back to
2858 &man.sysctl.8;. &merged;</para>
2860 <para>&man.sysctl.8; now accepts a <option>-d</option> flag to print
2861 the descriptions of variables.</para>
2863 <para role="historic">&man.sysinstall.8; now properly preserves
2864 <filename>/etc/mail</filename> during a binary
2865 upgrade. &merged;</para>
2867 <para role="historic">&man.sysinstall.8; now uses some more intuitive defaults
2868 thanks to some new dialog support functions. &merged;</para>
2870 <para>The default root partition in &man.sysinstall.8; is now
2871 100MB on the i386 and pc98, 120MB on the Alpha.</para>
2873 <para>&man.sysinstall.8; now lives in
2874 <filename>/usr/sbin</filename>, which simplifies the
2875 installation process. The &man.sysinstall.8; manpage is also
2876 installed in a more consistent fashion now.</para>
2878 <para role="historic">&man.sysinstall.8; now has the ability to load KLDs as a
2879 part of the installation. &merged;</para>
2881 <para role="historic">When run from the installation media, &man.sysinstall.8;
2882 will automatically load any device drivers found in the
2883 <filename>/stand/modules</filename> directory of the
2884 <literal>mfsroot</literal> floppy or filesystem image. Note
2885 that any drivers so loaded will not appear in the kernel's boot
2886 messages; the &man.sysinstall.8; debugging screen will provide
2887 additional information. &merged;</para>
2889 <para role="historic">&man.sysinstall.8; now enables Soft Updates by default on
2890 all filesystems it creates, except for the root
2891 filesystem. &merged;</para>
2893 <para role="historic">&man.sysinstall.8; has received updates for its
2894 <quote>auto</quote> partitioning mode which provide more
2895 reasonable defaults for the sizes of partitions that are
2896 created; auto-sized partitions can now also recover the space
2897 that becomes available when other partitions are
2898 deleted. &merged;</para>
2900 <para>&man.sysinstall.8; no longer mounts the &man.procfs.5;
2901 filesystem by default on new installs.</para>
2903 <para role="historic">&man.sysinstall.8; now has rudimentary support for
2904 retrieving packages from the correct volume of a multiple-volume
2905 installation (such as a multi-CD distribution). &merged;</para>
2907 <para role="historic">&man.syslogd.8; can take a <option>-n</option> option to
2908 disable DNS queries for every request. &merged;</para>
2910 <para role="historic">&man.syslogd.8; now supports a
2911 <literal>LOG_CONSOLE</literal> facility (disabled by default),
2912 which can be used to log <filename>/dev/console</filename>
2913 output. &merged;</para>
2915 <para role="historic">&man.syslogd.8; now has the ability to bind to a specific
2916 address (as opposed to using every available one) via the
2917 <option>-b</option> option. &merged;</para>
2919 <para role="historic">&man.syslogd.8; now accepts a <option>-c</option> flag to
2920 disable repeated line compression. &merged;</para>
2922 <para>&man.tabs.1;, a utility to set terminal tab stops, has been
2925 <para role="historic">&man.tail.1; now has the ability to work on files longer
2926 than 2GB. &merged;</para>
2928 <para role="historic">&man.tar.1; now supports the <varname>TAR_RSH</varname>
2929 variable, principally to enable the use of &man.ssh.1; as a
2930 transport. &merged;</para>
2932 <para role="historic">&man.telnet.1; now does autologin and encryption by default;
2933 a new <option>-y</option> option turns off encryption. &merged;</para>
2935 <para role="historic">&man.telnet.1; now supports a <option>-u</option> flag to
2936 allow connections to UNIX-domain (<literal>AF_UNIX</literal>)
2937 sockets. &merged;</para>
2939 <para role="historic">&man.tftp.1; and &man.tftpd.8; now support IPv6. &merged;</para>
2941 <para role="historic">&man.tftpd.8; now takes the <option>-c</option> and
2942 <option>-C</option> options, which allow the server to
2943 &man.chroot.2; based on the IP address of the connecting client.
2944 &man.tftp.1; and &man.tftpd.8; can now transfer files larger
2945 than 65535 blocks. &merged;</para>
2947 <para>&man.tftpd.8; now supports RFC 2349 (TFTP Timeout Interval
2948 and Transfer Size Options); this feature is required by some
2949 firmware like EFI boot managers (at least on HP i2000 Itanium
2950 servers) in order to boot an image using
2951 <application>TFTP</application>.</para>
2953 <para arch="alpha">&man.timed.8; now works on the alpha.</para>
2955 <para>A version of Transport Independent RPC
2956 (<application>TI-RPC</application>) has been imported.</para>
2958 <para role="historic">&man.tmpnam.3; will now use the <envar>TMPDIR</envar>
2959 environment variable, if set, to specify the location of
2960 temporary files. &merged;</para>
2962 <para>&man.tip.1; has been updated from
2963 <application>OpenBSD</application>, and has the ability to act
2964 as a &man.cu.1; substitute.</para>
2966 <para>&man.top.1; will now use the full width of its tty.</para>
2968 <para>&man.touch.1; now takes a <option>-h</option> option to
2969 operate on a symbolic link, rather than what the link points
2972 <para role="historic">The &man.truncate.1; utility, which truncates or extends the
2973 length of files, has been added. &merged;</para>
2975 <para role="historic">Ukrainian language support has been added to the &os;
2976 console. &merged;</para>
2978 <para><application>UUCP</application> has been removed from the
2979 base system. It can be found in the Ports Collection, in
2980 <filename role="package">net/freebsd-uucp</filename>.</para>
2982 <para>&man.unexpand.1; now supports a <option>-t</option> to
2983 specify tabstabs analogous to &man.expand.1;. &merged;</para>
2985 <para role="historic">&man.units.1; has received some updates and
2986 bugfixes. &merged;</para>
2988 <para>&man.usbdevs.8; now supports a <option>-d</option> flag to
2989 show the device driver associated with each device.</para>
2991 <para role="historic">The &man.usbhidctl.1; utility has been added to manipulate
2992 USB Human Interface Devices. &merged;</para>
2994 <para role="historic">&man.uuencode.1; and &man.uudecode.1; now accept a <option>-o</option> option to
2995 set their output files. &man.uuencode.1; can now be made to do base64 encoding
2996 when given the <option>-m</option> flag, while &man.uudecode.1;
2997 can now automatically decode base64 files. &merged;</para>
2999 <para>The base64 capabilities of &man.uuencode.1; and
3000 &man.uudecode.1; can now be automatically enabled by invoking
3001 these utilities as &man.b64encode.1; and &man.b64decode.1;
3002 respectively.</para>
3004 <para role="historic">&man.vidcontrol.1; now accepts a <option>-g</option>
3005 parameter to select custom text geometry in the
3006 <literal>VESA_800x600</literal> raster text mode. &merged;</para>
3008 <para role="historic">&man.vidcontrol.1; now allows the user to omit the font size
3009 specification when loading a font, and has some better
3010 error-handling. &merged;</para>
3012 <para role="historic">&man.vidcontrol.1; now supports a <option>-p</option> option
3013 to take a snapshot of a &man.syscons.4; video buffer. These
3014 snapshots can be manipulated by the
3015 <filename role="package">graphics/scr2png</filename> utility in
3016 the Ports Collection. &merged;</para>
3018 <para role="historic">&man.vidcontrol.1; now supports a <option>-C</option> option
3019 to clear the history buffer for a given tty, as well as a
3020 <option>-h</option> option to set the size of the history
3021 buffer. &merged;</para>
3023 <para>The default stripe size in &man.vinum.8; has been changed
3024 from 256KB to 279KB, to spread out superblocks more evenly
3025 between stripes.</para>
3027 <para role="historic">&man.wall.1; now supports a <option>-g</option> flag to
3028 write a message to all users of a given group. &merged;</para>
3030 <para role="historic">&man.watch.8; now takes a <option>-f</option> option to
3031 specify a &man.snp.4; device to use. &merged;</para>
3033 <para>&man.which.1; is now a C program, rather than a Perl
3036 <para>&man.who.1; now has a number of new options:
3037 <option>-H</option> shows column headings; <option>-T</option>
3038 shows &man.mesg.1; state; <option>-m</option> is an equivalent
3039 to <option>am i</option>; <option>-u</option> shows idle time;
3040 <option>-q</option> to list names in columns.</para>
3042 <para role="historic">&man.whois.1; now directs queries for IP addresses to ARIN.
3043 If a query to ARIN references APNIC or RIPE, the appropriate
3044 server will also be queried, provided that the
3045 <option>-Q</option> option is not specified. &merged;</para>
3047 <para role="historic">&man.whois.1; supports a <option>-c</option> option to
3048 specify a country code to help direct queries towards a
3049 particular whois server. &merged;</para>
3051 <para>&man.xargs.1; now supports a <option>-I</option>
3052 <replaceable>replstr</replaceable> option that allows the user
3053 to tell &man.xargs.1; to insert the data read from standard
3054 input at specific points in the command line arguments rather
3055 than at the end. (A &os;-specific <option>-J</option> option is
3056 similar, but is now deprecated in favor of the more portable
3057 <option>-I</option> option.) &merged;</para>
3059 <para>&man.xargs.1; now supports a <option>-L</option> option to
3060 force its utility argument to be called after some number of
3061 lines. &merged;</para>
3063 <para role="historic">The compiler chain now uses the FSF-supplied C/C++ runtime
3064 initialization code. This change brings about better
3065 compatibility with code generated from the various egcs and gcc
3066 ports, as well as the stock public FSF source. &merged;</para>
3068 <para role="historic">The threads library has gained some signal handling changes,
3069 bug fixes, and performance enhancements (including zero system
3070 call thread switching). &man.gdb.1; thread support has been
3071 updated to match these changes. &merged;</para>
3073 <para role="historic">Significant additions have been made to internationalization
3074 support; &os; now has complete locale support for the
3075 <literal>LC_MONETARY</literal>, <literal>LC_NUMERIC</literal>,
3076 and <literal>LC_MESSAGES</literal> categories. A number of
3077 applications have been updated to take advantage of this
3078 support. &merged;</para>
3080 <para role="historic">Locale names have been changed to improve compatibility with
3081 the names used by X11R6, as well as a number of other UNIX
3082 versions. As an example, the
3083 <literal>en_US.ISO_8859-1</literal> locale name has been changed
3085 <literal>en_US.ISO8859-1</literal>. Entries in
3086 <filename>/etc/locale.alias</filename> provide backward
3087 compatibility. &merged;</para>
3089 <para role="historic"><filename>/usr/src/share/examples/BSD_daemon/</filename> now
3090 contains a scalable Beastie graphic. &merged;</para>
3092 <para role="historic">As part of an ongoing process, many manual pages were
3093 improved, both in terms of their formatting markup and in their
3094 content. &merged;</para>
3096 <para>A number of utilities and libraries were enhanced to improve
3097 their conformance with the Single UNIX Specification (SUSv3) and
3098 IEEE Std 1003.1-2001 (<quote>POSIX.1</quote>). Specific
3099 features added have been listed in the release notes for each
3100 utility. The standards conformance of each utility or library
3101 function is generally listed in its manual page.</para>
3104 <title>Contributed Software</title>
3106 <para><application>am-utils</application> has been updated to
3109 <para>A 10 February 2002 snapshot of <application>awk</application> from Bell Labs (variously
3110 known as <quote>BWK awk</quote> or <quote>The One True
3111 AWK</quote>) has been imported. It is available as
3112 <command>awk</command> or
3113 <command>nawk</command>.</para>
3115 <para role="historic"><application>bc</application> has been updated from 1.04 to
3116 1.06. &merged;</para>
3118 <para role="historic">The ISC library from the <application>BIND</application>
3119 distribution is now built as
3120 <filename>libisc</filename>. &merged;</para>
3122 <para role="historic"><application>BIND</application> is now built with the
3123 <literal>NOADDITIONAL</literal> flag, which causes
3124 &man.named.8; to operate in a more consistent fashion for
3125 certain common misconfigurations. &merged;</para>
3127 <para role="historic"><application>BIND</application> has been updated to
3128 8.3.2-T1B. &merged;</para>
3130 <para><application>Binutils</application> has been updated to
3133 <para role="historic"><application>bzip2</application> 1.0.2 has been imported;
3134 this brings the &man.bzip2.1; program and the
3135 <filename>libbz2</filename> library to the base
3136 system. &merged;</para>
3138 <para role="historic">The &man.ee.1; <application>Easy Editor</application> has
3139 been updated to 1.4.2. &merged;</para>
3141 <para><application>file</application> has been updated to
3144 <para><application>gcc</application> has been updated to
3145 a snapshot of <application>gcc</application> 3.1.
3147 <para>The integration of <application>gcc</application> is
3148 very new. Some applications and programs in the base
3149 system require fixes or compiler flags to build
3150 correctly. Work to address these problems is ongoing.</para>
3154 <para role="historic">&man.gcc.1; now uses a unified <filename>libgcc</filename>
3155 rather than a separate one for threaded and non-threaded
3156 programs. <filename>/usr/lib/libgcc_r.a</filename> can be
3157 removed. &merged;</para>
3159 <para role="historic">&man.gcc.1; now supports the environment variable
3160 <envar>GCC_OPTIONS</envar>, which can hold a set of default
3161 options for <application>GCC</application>. &merged;</para>
3163 <para role="historic"><application>GNATS</application> has been updated to
3164 3.113. &merged;</para>
3166 <para><application>gperf</application> has been updated to
3169 <para role="historic"><application>groff</application> and its related utilities
3170 have been updated to FSF version 1.17.2. This import brings
3171 in a new &man.mdoc.7; macro package (sometimes referred to as
3172 <literal>mdocNG</literal>), which removes many of the
3173 limitations of its predecessor. &merged;</para>
3175 <para role="historic"><application>Heimdal Kerberos</application> has been updated to
3176 0.4e. &merged;</para>
3178 <para role="historic">The version of <application>IPFilter</application>
3179 provided with &os; now includes the &man.ipfs.8; program,
3180 which allows state information created for NAT entries and
3181 stateful rules to be saved to disk and restored after a
3182 reboot. Boot-time configuration of these features is
3183 supported by &man.rc.conf.5;. &merged;</para>
3185 <para role="historic">The <application>ISC DHCP</application> client has been
3186 updated to 3.0.1RC8. &merged;</para>
3188 <para role="historic"><application>Kerberos IV</application> has been updated to
3189 1.0.5. &merged;</para>
3191 <para>The &man.more.1; command has been replaced by
3192 &man.less.1;, although it can still be run as
3193 <command>more</command>. &merged; Version 371 of
3194 <application>less</application> has been imported.</para>
3196 <para role="historic"><application>libpcap</application> has been updated to
3197 0.6.2. &merged;</para>
3199 <para><application>libreadline</application> has been updated to
3202 <para><application>libz</application> has been updated to
3205 <para><application>lint</application> has been updated to
3206 snapshot of NetBSD &man.lint.1; as of 3 March 2002.</para>
3208 <para><application>lukemftp</application> 1.6 beta 2 (the FTP client from
3209 NetBSD) has replaced the &os; &man.ftp.1; program. Among its
3210 new features are more automation methods, better standards
3211 compliance, transfer rate throttling, and a customizable
3212 command-line prompt. Some environment variables and
3213 command-line arguments have changed.</para>
3215 <para>The FTP daemon from NetBSD, otherwise known as
3216 <application>lukemftpd</application> 1.2 beta 1, has been imported and is
3217 available as &man.lukemftpd.8;. &merged;</para>
3219 <para>&man.m4.1; has been imported from OpenBSD, as of 26 April
3222 <para><application>ncurses</application> has been updated to
3223 5.2-20020615.</para>
3225 <para role="historic">The <application>NTP</application> suite of programs has
3226 been updated to 4.1.0. &merged;</para>
3228 <para><application>OpenPAM</application>
3229 (<quote>Cinnamon</quote> release) has been imported,
3231 <application>Linux-PAM</application>.</para>
3233 <para>The <application>OPIE</application> one-time-password
3234 suite has been updated to 2.4. It has completely
3235 replaced the functionality of
3236 <application>S/Key</application>.</para>
3238 <para><application>Perl</application> has been removed from the
3239 &os; base system. It can still be installed from the &os;
3240 Ports Collection or as a binary package; moving it out of the
3241 base system will make future upgrades and maintenence easier.
3242 To reduce the dependence of the base system on
3243 Perl, many utilities have been
3244 rewritten as shell scripts or C programs (specific notes are
3245 made for each affected utility).
3246 <filename>/usr/bin/perl</filename> is now a
3247 <quote>wrapper</quote> program, so that programs expecting to
3248 find a Perl interpreter there will
3249 be able to function correctly.
3252 <para>The Perl removal and
3253 package integration work is ongoing.</para>
3258 <para><application>GNU ptx</application> has been removed from
3259 the base system. It is not used anywhere in the base system,
3260 and has not been recently updated or maintained. Users
3261 requiring its functionality can install this utility as a part
3262 of the <filename role="package">textproc/textutils</filename>
3265 <para>The <literal>rc.d</literal> framework from NetBSD has been
3266 imported. It breaks down the system startup functionality
3267 into a number of small, <quote>task-oriented</quote> scripts
3268 in <filename>/etc/rc.d</filename>, with dynamic-determined
3269 ordering of startup scripts performed at boot-time.
3272 <para>This feature is currently disabled by default. It can
3273 be enabled by setting <literal>rc_ng="YES"</literal> in
3274 <filename>/etc/rc.conf</filename>.</para>
3279 <para role="historic">&man.routed.8; has been updated to version
3280 2.22. &merged;</para>
3282 <para arch="i386,pc98">Version 1.4.4 of the
3283 <application>smbfs</application> userland utilities have been
3286 <para><application>GNU sort</application> has been updated to
3287 the version from <application>GNU textutils
3288 2.0.21</application>.</para>
3290 <para>&man.stat.1; from <application>NetBSD</application>, as of
3291 5 June 2002 has, been imported.</para>
3293 <para><application>GNU tar</application> has been updated to
3296 <para role="historic"><application>tcpdump</application> has been updated to
3297 3.6.3. &merged;</para>
3299 <para role="historic">The &man.csh.1; shell has been replaced by &man.tcsh.1;,
3300 although it can still be run as <command>csh</command>.
3301 <application>tcsh</application> has been updated to version
3302 6.11. &merged;</para>
3304 <para>The contributed version of
3305 <application>tcp_wrappers</application> now includes the
3306 &man.tcpd.8; helper daemon. While not strictly necessary in a
3307 standard &os; installation (because &man.inetd.8; already
3308 incorporates this functionality), this may be useful for
3309 &man.inetd.8; replacements such as
3310 <application>xinetd</application>.</para>
3312 <para role="historic"><application>texinfo</application> has been updated to
3313 4.1. &merged;</para>
3315 <para><application>top</application> has been updated to version
3318 <para role="historic">&man.traceroute.8; now takes its default maximum TTL value
3319 from the <varname>net.inet.ip.ttl</varname> sysctl
3320 variable. &merged;</para>
3322 <para role="historic">The timezone database has been updated to the
3323 <filename>tzdata2002c</filename> release. &merged;</para>
3328 <para role="historic"><application>cvs</application> has been updated to
3329 1.11.1p1. &merged;</para>
3331 <para role="historic">The default value for &man.cvs.1;'s
3332 <envar>CVS_RSH</envar> variable is now
3333 <literal>ssh</literal>, rather than
3334 <literal>rsh</literal>. &merged;</para>
3336 <para role="historic">&man.cvs.1; now supports a <option>-T</option> option to
3337 update a sandbox's <filename>CVS/Template</filename> file
3338 from the repository. &merged;</para>
3340 <para role="historic">&man.cvs.1; <literal>diff</literal> now supports the
3341 <option>-j</option> option to perform differences against a
3342 revision relative to a branch tag. &merged;</para>
3346 <title>CVSup</title>
3348 <para role="historic"><application>CVSup</application>, a frequently used
3349 utility in the &os; Ports Collection, was formerly
3350 installable using several ports and packages. The
3351 <filename role="package">net/cvsup-bin</filename> and
3352 <filename role="package">net/cvsupd-bin</filename>
3353 ports/packages are no longer necessary or available; the
3354 <filename role="package">net/cvsup</filename> port should be
3355 used instead. &merged;</para>
3357 <para role="historic"><application>CVSup</application> has been updated to
3358 16.1_3, which is available in the &os; Ports Collection as
3359 <filename role="package">net/cvsup</filename>. This update
3360 fixes a long-standing (but only recently encountered) bug
3361 which affects the timestamps on all files after Sun Sep 9
3362 01:46:40 UTC 2001 (1,000,000,000 seconds after the UNIX
3363 epoch). &merged;</para>
3366 <sect4 id="kame-userland">
3369 <para role="historic">The IPv6 stack is now based on a snapshot based on the
3370 KAME Project's IPv6 snapshot as of 28 May, 2001. Most of
3371 the items listed in this section are a result of this
3373 <xref linkend="kame-kernel"> lists kernel updates to the
3374 KAME IPv6 stack. &merged;</para>
3376 <para role="historic">&man.faithd.8; now supports a configuration file for
3377 access control. &merged;</para>
3379 <para role="historic">&man.ifconfig.8; can now perform the functions of
3380 &man.gifconfig.8;. &merged;</para>
3382 <para role="historic">&man.ifconfig.8; can now perform the functions of
3383 &man.prefix.8;. &man.prefix.8; is now a shell script for
3384 partial backwards compatibility. &merged;</para>
3386 <para role="historic">&man.ndp.8; now implements garbage collection for stale
3387 NDP entries, as described in RFC 2461 (Neighbor Discovery
3388 for IP Version 6 (IPv6)). &merged;</para>
3390 <para role="historic">pim6dd(8) and pim6sd(8) have been removed due
3391 to restrictive licensing conditions. These programs are
3392 available in the ports collection as
3393 <filename role="package">net/pim6dd</filename> and
3394 <filename role="package">net/pim6sd</filename>. &merged;</para>
3396 <para role="historic">&man.route6d.8; now supports an <option>-n</option> flag
3397 to avoid updating the kernel forwarding
3398 table. &merged;</para>
3400 <para role="historic">The <option>-R</option> (router renumbering) option to
3401 &man.rtadvd.8; is currently ignored. &merged;</para>
3405 <title>OpenSSH</title>
3407 <para role="historic"><application>OpenSSH</application> has been updated to
3408 2.9, which provides support for the SSH2 protocol (now the
3409 default) and DSA keys. &man.ssh-add.1; and
3410 &man.ssh-agent.1; can now handle DSA keys, with support for
3411 authentication forwarding.
3412 <application>OpenSSH</application> users in the USA no
3413 longer need to rely on the restrictively-licensed RSAREF
3414 toolkit which is required to handle RSA keys. Among other
3415 new features: A client and server for &man.sftp.1; has been added.
3416 &man.scp.1; can now handle files larger than 2 GBytes. A
3417 limit on the number of outstanding, unauthenticated
3418 connections in &man.sshd.8; has been added. Support has
3419 been added for the Rijndael encryption algorithm. Rekeying
3420 of existing sessions is now supported, and an experimental
3421 <application>SOCKS4</application> proxy has been added to
3422 &man.ssh.1;. &merged;</para>
3424 <para><application>OpenSSH</application> has been updated to
3425 version 3.1. Among the changes:
3428 <para>The <filename>*2</filename> files are obsolete
3430 <filename>~/.ssh/known_hosts</filename> can hold the
3432 <filename>~/.ssh/known_hosts2</filename>).</para>
3435 <para>&man.ssh-keygen.1; can import and export keys using
3436 the SECSH Public Key File Format, for key exchange
3437 with several commercial SSH implementations.</para>
3440 <para>&man.ssh-add.1; now adds all three default keys.</para>
3443 <para>&man.ssh-keygen.1; no longer defaults to a
3444 specific key type; one must be specified with the
3445 <option>-t</option> option.</para>
3450 <para><application>OpenSSH</application> can now authenticate
3451 using <application>OPIE</application> passwords.</para>
3453 <para><application>PAM</application> support for
3454 <application>OpenSSH</application> has been added.</para>
3456 <para>A long-standing bug in
3457 <application>OpenSSH</application>, which sometimes resulted
3458 in a dropped session when an X11-forwarded client was
3459 closed, was fixed.</para>
3461 <para role="historic"><application>Kerberos</application> compatibility has
3463 <application>OpenSSH</application>. &merged;</para>
3465 <para role="historic"><application>OpenSSH</application> has been modified to
3466 be more resistant to traffic analysis by requiring that
3467 <quote>non-echoed</quote> characters are still echoed back
3468 in a null packet, as well as by padding passwords sent so as
3469 not to hint at password lengths. &merged;</para>
3471 <para role="historic">&man.sshd.8; is now enabled by default on new
3472 installs. &merged;</para>
3474 <para role="historic">&man.sshd.8; <literal>X11Forwarding</literal> is now
3475 turned on by default on the server (any risk is to the
3476 client, where it is already disabled by
3477 default). &merged;</para>
3479 <para role="historic">In <filename>/etc/ssh/sshd_config</filename>, the
3480 <literal>ConnectionsPerPeriod</literal> parameter has been
3481 deprecated in favor of
3482 <literal>MaxStartups</literal>. &merged;</para>
3484 <para role="historic"><application>OpenSSH</application> now has a
3485 <literal>VersionAddendum</literal> configuration setting for
3486 &man.sshd.8; to allow changing the part of the
3487 <application>OpenSSH</application> version string after the
3488 main version number. &merged;</para>
3492 <title>OpenSSL</title>
3494 <para><application>OpenSSL</application> has been updated to
3497 <para role="historic"><application>OpenSSL</application> now has support for
3498 machine-dependent ASM optimizations, activated by the new
3499 <varname>MACHINE_CPU</varname> and/or
3500 <varname>CPUTYPE</varname>
3501 <filename>make.conf</filename> variables. &merged;</para>
3505 <title>sendmail</title>
3507 <para><application>sendmail</application> has been updated
3508 from version 8.9.3 to version 8.12.4. Important changes
3509 include: &man.sendmail.8; is no longer installed as a
3510 set-user-ID <username>root</username> binary (now set-group-ID <groupname>smmsp</groupname>); new
3511 default file locations (see
3512 <filename>/usr/src/contrib/sendmail/cf/README</filename>);
3513 &man.newaliases.1; is limited to <username>root</username>
3514 and trusted users; STARTTLS encryption; and the MSA port
3515 (587) is turned on by default. See
3516 <filename>/usr/src/contrib/sendmail/RELEASE_NOTES</filename>
3517 for more information. &merged;</para>
3519 <para role="historic">&man.mail.local.8; is no longer installed as a
3520 set-user-ID binary. If you are using a
3521 <filename>/etc/mail/sendmail.cf</filename> from the default
3522 <filename>sendmail.cf</filename> included with &os; any time
3523 after 3.1.0, you are fine. If you are using a
3524 hand-configured <filename>sendmail.cf</filename> and
3525 <command>mail.local</command> for delivery, check to make sure the
3526 <literal>F=S</literal> flag is set on the
3527 <literal>Mlocal</literal> line. Those with
3528 <filename>.mc</filename> files who need to add the flag can
3529 do so by adding the following line to their
3530 <filename>.mc</filename> file and regenerating the
3531 <filename>sendmail.cf</filename> file:</para>
3533 <programlisting role="historic">MODIFY_MAILER_FLAGS(`LOCAL',`+S')dnl</programlisting>
3535 <para role="historic">Note that <literal>FEATURE(`local_lmtp')</literal> already
3536 does this. &merged;</para>
3538 <para role="historic">The default <filename>/etc/mail/sendmail.cf</filename>
3539 disables the SMTP <literal>EXPN</literal> and
3540 <literal>VRFY</literal> commands. &merged;</para>
3542 <para role="historic">&man.vacation.1; has been updated to use the version
3543 included with <application>sendmail</application>. &merged;</para>
3545 <para role="historic">The <application>sendmail</application> configuration
3546 building tools are installed in
3547 <filename>/usr/share/sendmail/cf/</filename>. &merged;</para>
3549 <para role="historic">New <filename>make.conf</filename> options:
3550 <varname>SENDMAIL_MC</varname> and
3551 <varname>SENDMAIL_ADDITIONAL_MC</varname>. See
3552 <filename>/usr/share/examples/etc/make.conf</filename> for more
3553 information. &merged;</para>
3555 <para role="historic"><filename>/etc/mail/Makefile</filename> now supports:
3556 the new <varname>SENDMAIL_MC</varname>
3557 <filename>make.conf</filename> option; the ability to build
3558 <filename>.cf</filename> files from
3559 <filename>.mc</filename> files; generalized map rebuilding;
3560 rebuilding the aliases file; and the ability to stop, start,
3562 <application>sendmail</application>. &merged;</para>
3564 <para role="historic">The <username>smmsp</username> and
3565 <username>mailnull</username> users have been added to
3566 <filename>/etc/master.passwd</filename>. In the absence of a
3567 <literal>confDEF_USER_ID</literal> setting, by default,
3568 <application>sendmail</application> will use the
3569 <username>mailnull</username> user for extra security.
3570 Previously, if the <username>mailnull</username> user did
3571 not exist, the <username>daemon</username> user was used.
3572 This change may generate some permissions issues when
3573 mailing to files or to programs (such as <filename
3574 role="package">mail/majordomo</filename>). &merged; The
3575 previous behavior can be restored by adding the following
3577 <filename><replaceable>*</replaceable>.mc</filename>
3580 <programlisting>define(`confDEF_USER_ID', `daemon')</programlisting>
3583 <para role="historic">Beginning with the import of
3584 <application>sendmail</application> 8.12.2, multiple
3585 <application>sendmail</application> daemons (some required
3586 to handle outgoing mail) are started by &man.rc.8;, even if
3587 the <varname>sendmail_enable</varname> variable is set to
3588 <literal>NO</literal>. To completely disable
3589 <application>sendmail</application>,
3590 <varname>sendmail_enable</varname> must be set to
3591 <literal>NONE</literal>. Alternatively, for systems using a
3592 different MTA, the <varname>mta_start_script</varname> variable can
3593 be used to point to a different startup script (more details
3594 can be found in &man.rc.sendmail.8;). &merged;</para>
3596 <para>By default, &man.rc.8; no longer enables
3597 <application>sendmail</application> for inbound SMTP
3598 connections. Note that &man.sysinstall.8; may override this
3599 default for a binary installation, based on what security
3600 profile is selected. This functionality can also be
3601 manually enabled by adding the following line to
3602 <filename>/etc/rc.conf</filename>:</para>
3604 <programlisting>sendmail_enable="YES"</programlisting>
3606 <para>The permissions for <application>sendmail</application>
3607 alias and map databases built via
3608 <filename>/etc/mail/Makefile</filename> now default to mode
3609 0640 to protect against a file locking local denial of service.
3610 It can be changed by setting the new
3611 <varname>SENDMAIL_MAP_PERMS</varname>
3612 <filename>make.conf</filename> option. &merged;</para>
3614 <para>The permissions for the <application>sendmail</application>
3615 statistics file, <filename>/var/log/sendmail.st</filename>, have
3616 been changed from mode 0644 to mode 0640 to protect against
3617 a file locking local denial of service. &merged;</para>
3623 <title>Ports/Packages Collection Infrastructure</title>
3625 <para><application>BSDPAN</application>, a collection of modules
3626 that provides tighter integration of
3627 <application>Perl</application> into the &os; Ports
3628 Collection, has been added.</para>
3630 <para role="historic">&man.pkg.create.1; and &man.pkg.add.1; can now work with
3631 packages that have been compressed using
3632 &man.bzip2.1;. &man.pkg.add.1; will use the PACKAGEROOT
3633 environment variable to determine a mirror site for new
3634 packages. &merged;</para>
3636 <para role="historic">&man.pkg.create.1; now records dependencies in dependency
3637 order rather than in the order specified on the command line.
3638 This improves the functioning of <command>pkg_add
3639 -r</command>. &merged;</para>
3641 <para role="historic">&man.pkg.create.1; now supports a <option>-b</option> to
3642 create a package file from a locally-installed
3643 package. &merged;</para>
3645 <para role="historic">When requested to delete multiple packages,
3646 &man.pkg.delete.1; will now attempt to remove them in
3647 dependency order rather than the order specified on the
3648 command line. &merged;</para>
3650 <para role="historic">&man.pkg.delete.1; now can perform glob/regexp matching of
3651 package names. In addition, it supports a <option>-a</option>
3652 option for removing all packages and a <option>-i</option>
3653 option for &man.rm.1;-style interactive
3654 confirmation. &merged;</para>
3656 <para role="historic">&man.pkg.delete.1; now supports a <option>-r</option>
3657 option for recursive package removal. &merged;</para>
3659 <para role="historic">&man.pkg.info.1; now supports globbing against names of
3660 installed packages. The <option>-G</option> option disables
3661 this behavior, and the <option>-x</option> option causes
3662 regular expression matching instead of shell
3663 globbing. &merged;</para>
3665 <para role="historic">&man.pkg.info.1; can now accept a <option>-g</option> flag
3666 for verifying an installed package against its recorded
3667 checksums (to see if it's been modified post-installation).
3668 Naturally, this mechanism is only as secure as the contents of
3669 <filename>/var/db/pkg</filename> if it's to be used for auditing
3670 purposes. &merged;</para>
3672 <para role="historic">&man.pkg.sign.1; and &man.pkg.check.1; have been added to
3673 digitally sign and verify the signatures on binary package
3674 files. &merged;</para>
3676 <para>For some time, &os; 5.0-CURRENT (as well as some 4.X
3677 releases) included a pkg_update(1) utility to update installed
3678 packages, as well as their dependencies. This utility has
3679 been removed; a superset of its functionality can be found in
3680 the <filename role="package">sysutils/portupgrade</filename>
3683 <para role="historic">&man.pkg.version.1; now has a version number comparison
3684 routine that corresponds to the Porters Handbook. It also has
3685 a <option>-t</option> option for testing address comparisons.
3688 <para role="historic">&man.pkg.version.1; now takes a <option>-s</option> flag
3689 to limit its operation to ports/packages matching a given
3690 string. &merged;</para>
3692 <para role="historic">Version numbers of installed packages have a new
3693 (backward-compatible) syntax, which supports the
3694 <varname>PORTREVISION</varname> and
3695 <varname>PORTEPOCH</varname> variables in Ports Collection
3696 <filename>Makefile</filename>s. These changes help keep track
3697 of changes in the ports collection entries such as security
3698 patches or &os;-specific updates, which aren't reflected in
3699 the original, third-party software distributions.
3700 &man.pkg.version.1; can now compare these new-style version
3701 numbers. &merged;</para>
3703 <para role="historic">To improve performance and disk utilization, the
3704 <quote>ports skeletons</quote> in the &os; Ports Collection
3705 have been restructured. Installed ports and packages should
3706 not be affected. &merged;</para>
3708 <para role="historic">All packages and ports now contain an
3709 <quote>origin</quote> directive, which makes it easier for
3710 programs such as &man.pkg.version.1; to determine the
3711 directory from which a package was built. &merged;</para>
3713 <para role="historic">The Ports Collection infrastructure now uses
3714 <application>XFree86</application> 4.2.0 as the default version
3715 of the X Window System for the purposes of satisfying
3716 dependencies. To return to using
3717 <application>XFree86</application> 3.3.6, add the following line
3718 to <filename>/etc/make.conf</filename>: &merged;</para>
3720 <programlisting role="historic">XFREE86_VERSION=3</programlisting>
3722 <para>The libraries installed by the <filename
3723 role="package">emulators/linux_base</filename> port (required
3724 for Linux emulation) have been updated; they now correspond to
3725 those included with <application>Red Hat Linux</application>
3731 <title>Release Engineering and Integration</title>
3733 <para>The <filename>bin</filename> distribution has been renamed
3734 <filename>base</filename>, in order to make creation of combined
3735 install/recovery disks easier.</para>
3737 <para arch="i386">ISO images and CDROMs now use the
3738 <filename>cdboot</filename> boot loader by default. This
3739 eliminates the need for an emulated floppy disk image on
3740 a bootable CDROM and allows for a full
3741 <filename>GENERIC</filename> kernel to be used for CDROM
3742 installations, at the expense of compatability with some old
3745 <para arch="i386,pc98,alpha" role="historic"><application>XFree86</application> 4.2.0
3746 is now the default version of the X Window System supported by
3747 &man.sysinstall.8;. It installs
3748 <application>XFree86</application> as a set of standard binary
3749 packages, so the usual package utilities such as
3750 &man.pkg.info.1; can be used to examine/manipulate its
3751 components. &merged;</para>
3753 <para>It is now possible to make releases of &os;
3754 &release.current; on a &os; 4-STABLE host. Cross-architecture
3755 (building a release for a target architecture on a host of a
3756 different architecture) releases are also possible. See
3757 &man.release.7; for details.</para>
3763 <title>Upgrading from previous releases of &os;</title>
3765 <para>If you're upgrading from a previous release of &os;, you
3766 generally will have three options:
3770 <para>Using the binary upgrade option of &man.sysinstall.8;.
3771 This option is perhaps the quickest, although it presumes
3772 that your installation of &os; uses no special compilation
3776 <para>Performing a complete reinstall of &os;. Technically,
3777 this is not an upgrading method, and in any case is usually less
3778 convenient than a binary upgrade, in that it requires you to
3779 manually backup and restore the contents of
3780 <filename>/etc</filename>. However, it may be useful in
3781 cases where you want (or need) to change the partitioning of
3785 <para>From source code in <filename>/usr/src</filename>. This
3786 route is more flexible, but requires more disk space, time,
3787 and more technical expertise. Upgrading from very old
3788 versions of &os; may be problematic; in cases like this, it
3789 is usually more effective to perform a binary upgrade or a
3790 complete reinstall.</para>
3795 <para>Please read the <filename>INSTALL.TXT</filename> file for more
3796 information, preferably <emphasis>before</emphasis> beginning an
3797 upgrade. If you are upgrading from source, please be sure to read
3798 <filename>/usr/src/UPDATING</filename> as well.</para>
3800 <para>Finally, if you want to use one of various means to track the
3801 -STABLE or -CURRENT branches of &os;, please be sure to consult
3803 url="http://www.FreeBSD.org/handbook/current-stable.html"><quote>-CURRENT
3804 vs. -STABLE</quote></ulink> section of the <ulink
3805 url="http://www.FreeBSD.org/handbook/">FreeBSD
3806 Handbook</ulink>.</para>
3809 <para>Upgrading &os; should, of course, only be attempted after
3810 backing up <emphasis>all</emphasis> data and configuration
projects / FreeBSD / FreeBSD.git / blob