MFCs noted: RLIMIT_VMEM, pam_opieaccess(8).

[FreeBSD/FreeBSD.git] / release / doc / en_US.ISO8859-1 / relnotes / common / new.sgml

<articleinfo>
  <title>&os;/&arch; &release.current; Release Notes</title>

  <corpauthor>The FreeBSD Project</corpauthor>

  <pubdate>$FreeBSD$</pubdate>

  <copyright>
    <year>2000</year>
    <year>2001</year>
    <year>2002</year>
    <holder role="mailto:doc@FreeBSD.org">The FreeBSD Documentation Project</holder>
  </copyright>

  <abstract>
    <para>The release notes for &os; &release.current; contain a summary
      of
<![ %include.historic; [
      the changes made to the &os; base system since &release.prev;.
]]>
<![ %no.include.historic; [
      recent changes made to the &os; base system on the &release.branch;
      development branch.
]]>
      Both changes for kernel and userland are listed, as well as
      applicable security advisories that were issued since the last
      release.  Some brief remarks on upgrading are also presented.</para>
  </abstract>
</articleinfo>

<sect1>
  <title>Introduction</title>

  <para>This document contains the release notes for &os;
    &release.current; on the &arch.print; hardware platform.  It
    describes recently added, changed, or deleted features of &os;.
    It also provides some notes on upgrading
    from previous versions of &os;.</para>

<![ %release.type.snapshot [

  <para>The &release.type; distribution to which these release notes
    apply represents a point along the &release.branch; development
    branch between &release.prev; and the future &release.next;.  Some
    pre-built, binary &release.type; distributions along this branch
    can be found at <ulink url="&release.url;"></ulink>.</para>

]]>

<![ %release.type.release [

  <para>This distribution of &os; &release.current; is a
    &release.type; distribution.  It can be found at <ulink
    url="&release.url;"></ulink> or any of its mirrors.  More
    information on obtaining this (or other) &release.type;
    distributions of &os; can be found in the <ulink
    url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors.html"><quote>Obtaining
    FreeBSD</quote> appendix</ulink> to the <ulink
    url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/">FreeBSD
    Handbook</ulink>.</para>

]]>
</sect1>

<sect1>
  <title>What's New</title>

  <para>This section describes
<![ %include.historic; [
      the most user-visible new or changed features in &os;
      since &release.prev;.
      In general, changes described here are unique to the &release.branch;
      branch unless specifically marked as &merged; features.
]]>
<![ %no.include.historic; [
      many of the user-visible new or changed features in &os;
      since &release.prev;.  It includes items that are unique to the
      &release.branch; branch, as well as some features that may have been
      recently merged to
      other branches (after &os; &release.prev.historic;).  The later
      items are marked as &merged;.
]]>
  </para>

  <para>Typical release note items
    document new drivers or hardware support, new commands or options,
    major bugfixes, or contributed software upgrades.  Applicable security
    advisories issued after &release.prev; are also listed.</para>

  <para>Many additional changes were made to &os; that are not listed
    here for lack of space.  For example, documentation was corrected
    and improved, minor bugs were fixed, insecure coding practices
    were audited and corrected, and source code was cleaned up.</para>

  <sect2 id="kernel">
    <title>Kernel Changes</title>

    <para>&man.acct.2; has been changed to open the accounting file in
      append mode, so that &man.accton.8; can be used to enable
      accounting to an append-only file.</para>

    <para arch="i386" role="historic">The &man.amdpm.4; driver has been added to
      provide access to the system monitoring functions of the AMD 756
      chipset. &merged;</para>

    <para role="historic">The &man.agp.4; driver for AGP devices has been
      added. &merged;</para>

    <para>A new &man.ddb.4; command <command>show pcpu</command> lists
      some of the per-CPU data.</para>

    <para role="historic">Two new &man.ddb.4; commands, <command>hwatch</command> and
      <command>dhwatch</command>, have been introduced.  Analogous to
      <command>watch</command> and <command>dwatch</command>, they
      install hardware watchpoints (as opposed to software
      watchpoints) if supported by the architecture. &merged;</para>

    <para>&man.devfs.5;, which allows entries in the
      <filename>/dev</filename> directory to be built automatically
      and supports more flexible attachment of devices, has been
      largely reworked.  &man.devfs.5; is now enabled by default and
      can be disabled by the <literal>NODEVFS</literal> kernel
      option.</para>

    <para>The dgm driver has been removed in favor of the digi driver.</para>

    <para>A new digi driver has been added to support PCI Xr-based and
      ISA Xem Digiboard cards.  A new &man.digictl.8; program is
      (mainly) used to re-initialize cards that have external port
      modules attached such as the PC/Xem.</para>

    <para>An &man.eaccess.2; system call has been added, similar to
      &man.access.2; except that the former uses effective credentials
      rather than real credentials.</para>

    <para arch="sparc64">Support has been added for EBus-based
      devices.</para>

    <para arch="i386" role="historic">The &man.ichsmb.4; driver for the Intel 82801AA
      (ICH) SMBus controller and compatibles has been
      added. &merged;</para>

    <para>Each &man.jail.2; environment can now run under its own
      securelevel.</para>

    <para>The tunable sysctl variables for &man.jail.2; have moved
      from <varname>jail.*</varname> to the
      <varname>security.*</varname> hierarchy.  Other security-related
      sysctl variables have moved from <varname>kern.security.*</varname> to
      <varname>security.*</varname>.</para>

    <para role="historic">The <varname>kern.maxvnodes</varname> limit now properly
      limits the number of vnodes in use.  Previously only vnodes with
      no cached pages could be freed; this could allow the number of
      vnodes to grow without limit on large-memory machines accessing
      many small files.  A <literal>vnlru</literal> kernel thread
      helps to flush and reuse vnodes. &merged;</para>

    <para role="historic">The kernel message buffer is now accessible by the
      (machine-independent) <varname>kern.msgbuf</varname> sysctl
      variable; &man.dmesg.8; no longer needs to be SGID
      <groupname>kmem</groupname>. &merged;</para>

    <para>The kernel environment is now dynamic, and can be changed
      via the new &man.kenv.2; system call.</para>

    <para role="historic">The &man.kqueue.2; event notification facility was added to
      the &os; kernel.  This is a new interface which is able to
      replace &man.poll.2;/&man.select.2;, offering improved
      performance, as well as the ability to report many different
      types of events.  Support for monitoring changes in sockets,
      pipes, fifos, and files are present, as well as for signals and
      processes. &merged;</para>

    <para arch="i386,pc98" role="historic">A new <varname>KVA_SPACE</varname> kernel option
      can be used to reconfigure the size of the kernel virtual
      address space. &merged;</para>

    <para>The labpc(4) driver has been removed due to
      <quote>bitrot</quote>.</para>

    <para>The loader and kernel linker now look for files named
      <filename>linker.hints</filename> in each directory with KLDs
      for a module name and version to KLD filename mapping.  The new
      &man.kldxref.8; utility is used to generate these files.</para>

    <para role="historic">Linux emulation now supports the kernel functionality
      required by the
      <filename role="package">emulators/linux_base</filename>
      (RedHat 7.X emulation) port. &merged;</para>

    <para role="historic">Linux emulation now requires <literal>options
      SYSVSEM</literal> in the kernel configuration. &merged;</para>

    <para>&man.lomac.4;, a Low-Watermark Mandatory Access Control
      security facility, has been added as a kernel module.  It
      provides a drop-in security mechanism in addition to the
      traditional UID-based security facilities, requiring no
      additional configuration from the administrator.  Work on this
      feature was sponsored by DARPA and NAI Labs.</para>

    <para arch="ia64">Machine Check Architecture (MCA) records are now
      collected at boot time and made available through the
      <varname>hw.mca.*</varname> sysctl variables.</para>

    <para role="historic">The <varname>maxusers</varname> kernel configuration
      parameter is now a boot-time tunable variable.  The kernel
      parameters derived from <varname>maxusers</varname> are now also
      tunables and can be overridden at boot-time.  The
      <varname>hz</varname> parameter is also now a
      tunable. &merged;</para>

    <para role="historic">Specifying a value of <literal>0</literal> for the
      <varname>maxusers</varname> kernel configuration parameter will
      now cause an appropriate value to be calculated at boot-time
      (between 32 and 384, depending on the amount of memory present).
      This value is now the default for all
      <filename>GENERIC</filename> kernels. &merged;</para>

    <para arch="alpha" role="historic">A <varname>MAXMEM</varname> kernel option,
      along with the <varname>hw.physmem</varname> loader tunable, can
      be used to artificially reduce the memory size of a machine for
      testing (or other purposes). &merged;</para>

    <para role="historic">The kernel configuration parameters
      <varname>MAXTSIZ</varname>, <varname>DFLDSIZ</varname>,
      <varname>MAXDSIZ</varname>, <varname>DFLSSIZ</varname>,
      <varname>MAXSSIZ</varname>, and <varname>SGROWSIZ</varname> are
      all loader tunables (<varname>kern.maxtsiz</varname>,
      <varname>kern.maxdfldsiz</varname>, etc.). &merged;</para>

    <para>&man.mutex.9; profiling code has been added, enabled by the
      <literal>MUTEX_PROFILING</literal> kernel configuration option.
      It enables the <varname>debug.mutex.prof.*</varname> hierarchy
      of sysctl variables.</para>

    <para arch="i386,pc98" role="historic">The <literal>NCPU</literal>,
      <literal>NAPIC</literal>, <literal>NBUS</literal>, and
      <literal>NINTR</literal> kernel configuration options,
      for configuring SMP kernels, have been removed.
      <literal>NCPU</literal> is now set to a maximum of 16,
      and the other, aforementioned options are now
      dynamic. &merged;</para>

    <para role="historic">A &man.nmdm.4; null-modem terminal driver has been added.
      &merged;</para>

    <para role="historic">The <literal>O_DIRECT</literal> flag has been added to
      &man.open.2; and &man.fcntl.2;.  Specifying this flag for open
      files will attempt to minimize the cache effects of reading and
      writing. &merged;</para>

    <para role="historic">An &man.orm.4; device has been added to claim the option
      ROMs in the ISA memory I/O space, to prevent other drivers from
      mistakenly assigning addresses that conflict with these
      ROMs. &merged;</para>

    <para arch="i386,pc98">PECOFF (Win32 Execution file format) support has
      been added.</para>

    <para arch="pc98" role="historic">The pmc driver, which supports the power
      management controller of the NEC PC-98NOTE, has been
      added. &merged;</para>

    <para role="historic">POSIX.1b Shared Memory Objects are now supported.  The
      implementation uses regular files, but automatically enables the
      MAP_NOSYNC flag when they are &man.mmap.2;-ed. &merged;</para>

    <para role="historic">Replaced the <literal>PQ_*CACHE</literal> options with a
      single <literal>PQ_CACHESIZE</literal> option to be set to the
      cache size in kilobytes.  The old options are still supported
      for backwards compatibility. &merged;</para>

    <para arch="i386" role="historic">The &man.puc.4; (PCI <quote>Universal</quote>
      Communications) driver has been added, to help connect PCI-based
      serial ports to the &man.sio.4; driver. &merged;</para>

    <para>The &man.random.4; device has been rewritten to use the
      <application>Yarrow</application> algorithm.  It harvests
      entropy from a variety of interrupt sources, including the
      console devices, Ethernet and point-to-point network interfaces,
      and mass-storage devices.  Entropy from the &man.random.4;
      device is now periodically saved to files in
      <filename>/var/db/entropy</filename>, as well as at shutdown
      time.  The semantics of <filename>/dev/random</filename> have
      changed; it never blocks waiting for entropy bits but generates
      a stream of pseudo-random data and now behaves exactly as
      <filename>/dev/urandom</filename>.</para>

    <para>A new kernel option, <literal>options REGRESSION</literal>,
      enables interfaces and functionality intended for use during
      correctness and regression testing.</para>

    <para><literal>RLIMIT_VMEM</literal> support has been added.  This
      feature defines a new resource limit that covers a process's
      entire virtual memory space, including &man.mmap.2; space.  This
      limit can be configured in &man.login.conf.5; via the new
      <varname>vmemoryuse</varname> variable. &merged;</para>

    <para arch="sparc64">Support has been added for SBus-based
      devices.</para>

    <para arch="sparc64">The se driver, which supports the Siemens
      SAB82532 serial chip found on many newer Sparc Ultra machines,
      has been added.</para>

    <para role="historic">The &man.snp.4; device is no longer static and can now be
      compiled as a module. &merged;</para>

    <para arch="i386" role="historic">The &man.spic.4; driver, which provides access
      to the Jog Dial device on some Sony laptops, has been
      added.  &man.moused.8; support for this device has also been
      added. &merged;</para>

    <para>The &man.syscons.4; driver now supports keyboard-controlled
      pasting, by default bound to
      <keycap>Shift</keycap>-<keycap>Insert</keycap>.</para>

    <para role="historic">Support for USB devices was added to the
      <filename>GENERIC</filename> kernel and to the installation
      programs to support USB devices out of the box.  Note that SRM
      does not support USB devices at the moment, so you must still
      use an AT keyboard if you are not using a serial
      console. &merged;</para>

    <para arch="i386,pc98" role="historic">The &man.umodem.4; driver for USB modems
      has been added. Support is provided for the 3Com 5605 and
      Metricom Ricochet GS wireless USB modems. &merged;</para>

    <para arch="i386,pc98" role="historic">The &man.uscanner.4; driver for basic USB
      scanner support using SANE has been added. See <ulink
      url="http://www.mostang.com/sane/">the SANE home page</ulink>
      for supported scanners. The HP ScanJet 4100C, 5200C and 6300C
      are known to be working. &merged;</para>

    <para>The &man.ucom.4; device driver has been added, to support USB
      modems, serial devices, and other programs that need to look
      like a tty.  The related &man.uplcom.4; and &man.uvscom.4; drivers provide specific
      support for the Prolific PL-2303 serial adapter and the SUNTAC
      Slipper U VS-10U, respectively.</para>

    <para>To increase security, the <literal>UCONSOLE</literal> kernel
      configuration option has been removed.</para>

    <para arch="i386,pc98">The UserConfig boot-time kernel configuration
      feature, usually used to enable, disable, or configure ISA
      devices, has been removed.  Its functionality has been replaced
      by the kernel hints file in
      <filename>/boot/device.hints</filename>.</para>

    <para>The <literal>USER_LDT</literal> kernel option is now
      activated by default.</para>

    <para>A VESA S3 linear framebuffer driver has been added.</para>

    <para arch="i386" role="historic">The &man.viapm.4; driver for VIA SMBus
      power management controllers has been added. &merged;</para>

    <!-- Above this line, sort kernel changes by manpage/keyword-->

    <para role="historic">Write combining for crashdumps has been implemented.  This
      feature is useful when write caching is disabled on both SCSI
      and IDE disks, where large memory dumps could take up to an hour
      to complete. &merged;</para>

    <para>The kernel crashdump infrastructure has been revised, to
      support new platforms and in general clean up the logic in the
      code.  One implication of this change is that the on-disk format
      for kernel dumps has changed, and is now
      byte-order-agnostic.</para>

    <para>Extremely large swap areas (&gt;67 GB) no longer panic the
      system.</para>

    <para arch="alpha">Support for threads under Linux emulation has
      been added.</para>

    <para role="historic">The <maketarget>buildkernel</maketarget> target now gets the
      name of the configuration(s) to build from the
      <varname>KERNCONF</varname> variable, not
      <varname>KERNEL</varname>.  It is no longer required, in some
      cases, for a <maketarget>buildworld</maketarget> to precede a
      <maketarget>buildkernel</maketarget>.  (The
      <maketarget>buildworld</maketarget> is still required when
      upgrading across major releases, across
      <application>binutil</application> updates and when
      &man.config.8; changes version.) &merged;</para>

    <para role="historic">The out-of-swap process termination code now begins killing
      processes earlier to avoid deadlocks; it now also takes into
      account the swap space used by processes when computing the
      process sizes. &merged;</para>

    <para>Linker sets are now self-contained; gensetdefs(8) is
      unnecessary and has been removed.</para>

    <para role="historic">Network device cloning has been implemented, and the
      &man.gif.4; device has been modified to take advantage of it.
      Thus, instead of specifying how many &man.gif.4; interfaces are
      available in kernel configuration files, &man.ifconfig.8;'s
      <option>create</option> option should be used when another device
      instance is desired. &merged;</para>

    <para>It is now possible to hardwire kernel environment variables
      (such as tuneables) at compile-time using &man.config.8;'s
      <literal>ENV</literal> directive.</para>

    <para>Idle zeroing of pages can be enabled with the
      <varname>vm.idlezero_enable</varname> sysctl variable.</para>

    <para arch="i386,pc98" role="historic">The load addresses of kernels are now exported
      to the symbol table and various hard-coded constants have been
      removed so that utilities such as &man.ps.1; can work with
      kernels compiled at different addresses. &merged;</para>

    <para role="historic">Coredumps of large processes (or of a large number of
      processes) no longer lock up the machine for long periods of
      time. &merged;</para>

    <para>The &os; kernel scheduler now supports Kernel-Scheduled
      Entities (KSEs), which provides support for multiple threads of
      execution per process similar to Schedular Activations.  At this
      point, the kernel has most of the changes needed to support
      threading.  The kernel scheduler can schedule multiple threads per
      process, but only on a single CPU at a time.  Support for
      userland programs to create and utilize multiple threads is not
      yet completed.

        <note>
          <para>KSE is a work in progress.</para>
        </note>

      </para>

    <para>The kernel now has support for multiple low-level console
      devices.  The new &man.conscontrol.8; utility helps to manage
      the different consoles.</para>

    <para arch="alpha">The console driver has gained support for
      TGA-based display adapters.</para>

    <para role="historic">The kernel on the installation CDs is now separated from the
      <filename>mfsroot</filename> image.  This permits the use of a
      full kernel when installing from CD on machines that support CD
      booting (instead of the stripped-down kernel used on
      floppies). &merged;</para>

    <para role="historic">The system load average computation now adds some jitter to
      the timing of samples, in order to avoid synchronization with
      processes that run periodically. &merged;</para>

    <para role="historic">If a debugging kernel with modules is being built
      (i.e. using <literal>makeoptions DEBUG=-g</literal>), the
      modules will now be built with debugging support as well, for
      completeness.  A side effect of this change is that modules
      built and installed with debugging kernels will now occupy more
      space on disk than they did previously. &merged;</para>

    <para role="historic">The kernel dump device can now be set via the
      <varname>dumpdev</varname> loader tunable.  As a result, it is
      now possible to obtain crash dumps from panics during the late
      stages of kernel initialization (before the system enters into
      single-user mode). &merged;</para>

    <para>The kernel memory allocator is now a slab memory allocator,
      similar to that used in Solaris.  This is a SMP-safe memory
      allocator that has near-linear performance as the number of CPUs
      increases.  It also allows for reduced memory
      fragmentation.</para>

    <sect3>
      <title>Processor/Motherboard Support</title>

      <para>SMP support has been largely reworked, incorporating code
        from BSD/OS 5.0.  One of the main features of SMPng
        (<quote>SMP Next Generation</quote>) is to allow more
        processes to run in kernel, without the need for spin locks
        that can dramatically reduce the efficiency of multiple
        processors.  Interrupt handlers now have contexts associated
        with them that allow them to be blocked, which reduces the
        need to lock out interrupts.</para>

      <para arch="i386,pc98">Support for the 80386 processor has been
        removed from the <filename>GENERIC</filename> kernel, as this
        code seriously pessimizes performance on other IA32
        processors.
        The <literal>I386_CPU</literal> kernel option
        to support the 80386 processor is now mutually exclusive with
        support for other IA32 processors; this should slightly
        improve performance on the 80386 due to the elimination of
        runtime processor type checks.
        Custom kernels that will run on the 80386 can
        still be built by changing the cpu options in the kernel
        configuration file to only include
        <literal>I386_CPU</literal>.</para>

      <para arch="alpha" role="historic">AlphaServer 1200 (<quote>Tincup</quote>) has
        been tested and works OK.  Currently it does not want to boot
        from CD or floppy but a transplanted disk that was installed
        on another Alpha works well. &merged;</para>

      <para arch="alpha">The API UP1100 mainboard has been verified to
        work.</para>

      <para arch="alpha">The API CS20 1U high server has been verified
        to work.</para>

      <para arch="alpha">The DEC3000 series support has been removed
        from the mfsroot floppy image so that it fits on a 1.44 Mbyte
        floppy again. As the DEC3000 is currently only usable diskless
        this should not cause any problems.</para>

      <para arch="alpha">Support for AlphaServer 2100A
        (<quote>Lynx</quote>) has been added.</para>

      <para arch="alpha">Kernel code has been added that allows older
        generation Alpha CPUs (EV4 and EV5) to emulate instructions of
        the newer Alpha CPU generations. This enables the use of
        binary-only programs like <application>Adobe Acrobat
        4</application> on EV4 and EV5.</para>

      <para arch="alpha">SMP support for the Alpha is now operational.</para>

      <para arch="i386" role="historic">Detection for new processors, such as the
        FC-PGA2 Pentium III (Tualatin), Transmeta Crusoe, and
        Transmeta Crusoe LongRun, has been added. &merged;</para>

      <para arch="alpha">Support for the following hardware has been
        removed from the installation kernel to make it fit on a
        1.44MB floppy again: Multia, NoName, PC64, EB64, Aspen Alpine,
        sa (SCSI tape), amr, parallel port support, vx (3c590, 3c595),
        pcn (AMD Am79C97x PCI 10/100), sf (Adaptec AIC-6915), sis (SiS
        900/SiS 7016), ste (Sundance ST201 (D-Link DFE-550TX)), wb
        (Winbond W89C840F).</para>

      <para arch="i386" role="historic">Support for Streaming <acronym>SIMD</acronym>
        Extensions (<acronym>SSE</acronym>) has been introduced.  The
        <literal>CPU_ENABLE_SSE</literal> kernel option controls
        whether support is compiled into the kernel. &merged;</para>

      <para arch="i386" role="historic">The <literal>CPU_ATHLON_SSE_HACK</literal>
        kernel option has been added, which attempts to enable the SSE
        feature bit on newer Athlon CPUs if the BIOS has forgotten to
        enable it. &merged;</para>

      <para arch="sparc64">The UltraSPARC platform is now supported by
        &os;.  The following machines are supported to at least some
        degree:  Ultra 1/2/5/10/30/60, Enterprise 220R/420R, Netra T1 AC200/DC200, Netra T 105, and Blade
        100.  SMP is supported, and has been tested on the
        Ultra 2, Ultra 60, Enterprise 220R, and
        Enterprise 420R.</para>

      <para arch="i386" role="historic">On some systems, the BIOS does not activate
        the I/O ports and memory of PC devices, thus making them
        unusable.  The <literal>PCI_ENABLE_IO_MODES</literal> kernel
        option forces &os; to enable these devices so that they can be
        used. &merged;</para>

    </sect3>

    <sect3>
      <title>Bootloader Changes</title>

      <para arch="i386" role="historic"><filename>boot2</filename> now supports a
        <option>-n</option> option to disallow boot interruption by
        keypresses. &merged;</para>

      <para arch="i386" role="historic">A new <filename>cdboot</filename> bootstrap
        utility for CDROMs provides better compatability with some
        BIOS implementations that do not completely implement the El
        Torito bootable CDROM standard.  This boot loader supports
        <quote>no emulation</quote> mode booting, thus eliminating the
        need for an emulated floppy disk image on a bootable
        CDROM. &merged;</para>

      <para arch="i386,pc98" role="historic">The i386 boot loader now has support for a
        <literal>nullconsole</literal> console type, for use on
        systems with neither a video console nor a serial
        port. &merged;</para>

      <para arch="i386,pc98" role="historic">The &man.loader.8; now has optional support
        (enabled at compile-time, off by default) for loading
        <application>bzip2</application>-compressed kernels and
        modules. &merged;</para>

      <para arch="i386" role="historic">Support for Intel's Wired for Management 2.0
        (PXE) was added to the &os; boot loader.  Due to API
        differences, the older PXE versions are not supported.  This
        allow network booting using DHCP. &merged;</para>

      <!-- Above this line, order bootloader changes by keyword-->

      <para arch="i386" role="historic">The &os; boot loader now contains a workaround
        to support CDROM booting on certain IBM BIOSs that expect the
        first sector of the emulated floppy to contain a valid MS-DOS
        BPB that they can modify. &merged;</para>

      <para arch="i386,pc98" role="historic">The &os; boot loader now supports a
        <option>-p</option> flag to force the kernel to pause after
        each line of output during the probing phase. &merged;</para>

      <para arch="alpha,i386" role="historic">The &os; boot loader is now capable of
        booting from filesystems with block sizes larger than
        8K. &merged;</para>

      <para>The kernel and modules have been moved to the directory
        <filename>/boot/kernel</filename>, so they can be easily
        manipulated together.  The boot loader has been updated to
        make this change as seamless as possible.</para>
    </sect3>

    <sect3>
      <title>Network Interface Support</title>

      <para role="historic">The &man.an.4; driver for Cisco Aironet cards now supports
        Wired Equivalent Privacy (WEP) encryption, settable via
        &man.ancontrol.8;. &merged;</para>

      <para role="historic">The &man.an.4; driver now supports the Cisco Aironet 350
        series of adaptors. &merged;</para>

      <para role="historic">The &man.an.4; driver now supports <quote>monitor</quote>
        mode, settable via the <option>-M</option> option to
        &man.ancontrol.8;. &merged;</para>

      <para role="historic">The &man.an.4; driver now supports Cisco LEAP, as well as
        the <quote>Home</quote> WEP key.  The Linux Aironet utilities
        are now supported under emulation. &merged;</para>

      <para arch="i386,pc98" role="historic">Generic support for ARCNET token-based
        networks has been added. &merged;</para>

      <para arch="i386,pc98" role="historic">The &man.bge.4; driver has been added to
        support the Broadcom BCM570x family of Gigabit Ethernet
        controllers, including the 3Com 3c996-T, the SysKonnect
        SK-9D21 and SK-9D41, and the built-in Gigabit Ethernet NICs on
        Dell PowerEdge 2550 servers.  Output TCP/IP checksum offload,
        jumbo frames and VLAN tag insertion/stripping are supported,
        as well as interrupt moderation. &merged;</para>

      <para arch="i386" role="historic">The cm driver has been added to support SMC
        COM90cx6 ARCNET network adapters. &merged;</para>

      <para>The &man.dc.4; driver now supports NICs based on the Xircom
        3201 and Conexant LANfinity RS7112 chips.</para>

      <para role="historic">The &man.dc.4; driver now has support for
        VLANs. &merged;</para>

      <para role="historic">The &man.de.4; driver now performs round-robin arbitration
        between the transmit and receive units of the 21143, instead
        of giving priority to the receive unit.  This gives a
        10&ndash;15% performance improvement in the forwarding rate
        under heavy load. &merged;</para>

      <para arch="alpha">The &man.ed.4; driver is now supported.</para>

      <para arch="i386,pc98" role="historic">Linksys Fast Ethernet PCCARD cards supported
        by the &man.ed.4; driver now require the addition of flag
        <literal>0x80000</literal> to their config line in
        &man.pccard.conf.5;.  This flag is not optional.  These
        Linksys cards will not be recognized without
        it. &merged;</para>

      <para role="historic">A bug in the &man.ed.4; driver that could cause panics
        with very short packets and BPF or bridging active has been
        fixed. &merged;</para>

      <para role="historic">The &man.ed.4; driver now has support for D-Link DL10022
        chips, necessary for the NetGear FA-410TX and other cards.  As
        a result, <literal>device miibus</literal> is required in
        kernel configurations using the &man.ed.4;
        driver. &merged;</para>

      <para arch="i386">The &man.el.4; driver can now be loaded as a
        module.</para>

      <para arch="i386,pc98" role="historic">The &man.em.4; driver has been added to
        support NICs based on the Intel 82542, 82543, 82544, 82545EM,
        and 82546EB
        Gigabit Ethernet controller chips.  The driver has VLAN
        support, and also supports
        transmit/receive checksum offload and jumbo frames on 82543
        and 82544-based adapters. &merged;</para>

      <para role="historic">The &man.faith.4; device is now loadable, unloadable, and
        clonable. &merged;</para>

      <para arch="i386,pc98" role="historic">Support for Fujitsu MB86960A/MB86965A based
        Ethernet PC-Cards has been added back in the &man.fe.4;
        driver. &merged;</para>

      <para arch="alpha" role="historic">The &man.fpa.4; driver now supports Digital's
        DEFPA FDDI adaptors on the Alpha. &merged;</para>

      <para role="historic">The &man.fxp.4; driver now requires a <literal>device
        miibus</literal> entry in the kernel configuration
        file. &merged;</para>

      <para role="historic">The &man.fxp.4; driver now contains a workaround for PCI
        protocol violations caused by defects in some systems based on
        the Intel ICH2/ICH2-M chip.  The workaround is to rewrite the
        EEPROM on the interface to disable Dynamic Standby Mode; once
        the EEPROM is rewritten, the system needs to be rebooted for
        the new settings to take effect. &merged;</para>

      <para role="historic">The &man.fxp.4; driver now supports Intel's loadable
        microcode to implement receive-side interrupt coalescing and
        packet bundling, on NICs that support these features.  This
        support can be activated by the use of the
        <option>link0</option> option to
        &man.ifconfig.8;. &merged;</para>

      <para arch="sparc64">The gem driver has been added to support
        the Sun GEM Gigabit Ethernet and ERI Fast Ethernet
        adapters.</para>

      <para role="historic">The &man.gx.4; driver has been added to support NICs based
        on the Intel 82542 and 82543 Gigabit Ethernet controller
        chips.  Both fiber and copper variants of the cards are
        supported.  Both boards support VLAN tagging/insertion, and
        the 82543 additionally supports TCP/IP checksum
        offload. &merged;</para>

      <para arch="sparc64">The hme driver has been added to support
        the Sun HME Fast Ethernet adapter, onboard on many Sun Ultra
        series machines.</para>

      <para role="historic">The &man.lge.4; driver has been added to support the Level
        1 LXT1001 NetCellerator Gigabit Ethernet controller chip. This
        device is used on some fiber optic GigE cards from SMC, D-Link
        and Addtron.  Jumbograms and TCP/IP checksum offload on
        receive are supported, although hardware VLAN filtering is
        not. &merged;</para>

      <para role="historic">The my driver, which supports the Myson Fast Ethernet and
        Gigabit Ethernet adapters, has been added. &merged;</para>

      <para role="historic">Added the &man.nge.4; driver, which supports PCI Gigabit
        Ethernet adapters based on the National Semiconductor DP83820
        and DP83821 Gigabit Ethernet controller chips, including the
        D-Link DGE-500T, SMC EZ Card 1000 (SMC9462TX), Asante
        FriendlyNet GigaNIC 1000TA and 1000TPC and Addtron AEG320T.
        This driver supports transmit and receive checksum
        offloading. &merged;</para>

      <para role="historic">The &man.pcn.4; driver, which supports the AMD PCnet/FAST,
        PCnet/FAST+, PCnet/FAST III, PCnet/PRO, PCnet/Home, and
        HomePNA adapters, has been added.  Although these cards are
        already supported by the &man.lnc.4; driver, the &man.pcn.4;
        driver runs these chips in 32-bit mode and uses the RX
        alignment feature to achieve zero-copy receive.  This driver
        is also machine-independent, so it will work on the i386,
        pc98 and Alpha platforms.  The &man.lnc.4; driver is still needed
        to support non-PCI cards. &merged;</para>

      <para role="historic">The &man.ray.4; driver, which supports the Webgear Aviator
        wireless network cards, has been committed.  The operation of
        &man.ray.4; interfaces can be modified by
        &man.raycontrol.8;. &merged;</para>

      <para arch="i386,pc98">The &man.rp.4; driver has been updated to
        version 3.02 and can now be built as a module. &merged;</para>

      <para arch="i386" role="historic">The sbni driver, for supporting the Granch
        SBNI12 series of ISA and PCI point-to-point communications
        interfaces, has been added.  The <filename
        role="package">sysutils/sbniconfig</filename> port in the &os;
        Ports Collection can be used for configuring these
        devices. &merged;</para>

      <para role="historic">Added support for PCI Ethernet adapters based on the SiS
        900 and SiS 7016 Fast Ethernet controller chips (for example,
        as seen on the SiS 635 and 735 motherboard chipsets), as well
        as the National Semiconductor DP83815 chipset (including the
        NetGear FA311-TX and FA312-TX) in the form of the &man.sis.4;
        driver.  This device has support for VLANs. &merged;</para>

      <para arch="pc98" role="historic">The snc driver for the National Semiconductor
        DP8393X (SONIC) Ethernet controller has been added.
        Currently, this driver is only used on the PC-98
        architecture. &merged;</para>

      <para>The &man.stf.4; device is now clonable.</para>

      <para role="historic">The &man.tap.4; driver, a virtual Ethernet device driver
        for bridged configurations, has been added.  This device is
        clonable.  &merged;</para>

      <para role="historic">The &man.ti.4; driver now supports the Alteon AceNIC
        1000baseT Gigabit Ethernet and Netgear GA620T 1000baseT
        Gigabit cards. &merged;</para>

      <para role="historic">The &man.ti.4; driver correctly masks VLAN tags. &merged;</para>

      <para>The &man.tx.4; driver now supports true multicast
        filtering.</para>

      <para role="historic">The &man.txp.4; driver has been added to support NICs
        based on the 3Com 3XP Typhoon/Sidewinder (3CR990)
        chipset. &merged;</para>

      <para role="historic">&man.vlan.4; devices are now loadable, unloadable, and
        clonable. &merged;</para>

      <para role="historic">The &man.wi.4; driver now has support for Prism II and
        Prism 2.5-based NICs.  104/128-bit WEP now works on Prism
        cards. &merged;</para>

      <para role="historic">The &man.wi.4; driver now supports using a &os; host as
        a wireless access point.  This functionality can be enabled
        using the <literal>mediaopt hostap</literal> option of
        &man.ifconfig.8;.  This feature requires a wireless
        adapter based on the Prism II chipset. &merged;</para>

      <para role="historic">The &man.wi.4; driver now has support for
        <application>bsd-airtools</application>. &merged;</para>

      <para role="historic">The xe driver can now be built as a
        module. &merged;</para>

      <para role="historic">The &man.xl.4; driver now supports the 3Com 3C556 and
        3C556B MiniPCI adapters used on some laptops. &merged;</para>

      <para role="historic">The &man.xl.4; driver now supports reception of VLAN
        tagged frames (on the <quote>Cyclone</quote> or newer
        chipsets). &merged;</para>

      <para role="historic">The &man.xl.4; driver now supports send- and receive-side
        TCP/IP checksum offloading for NICs implementing this feature,
        such as the 3C905B, 3C905C, and 3C980C. &merged;</para>

      <para role="historic">A bug in the &man.xl.4; driver, related to statistics
        overflow interrupt handling, was causing slowdowns at medium
        to high packet rates; this has been fixed. &merged;</para>

      <para role="historic">The per-interface <varname>ifnet</varname> structure now
        has the ability to indicate a set of capabilities supported by
        a network interface, and which ones are enabled.
        &man.ifconfig.8; has support for querying these
        capabilities. &merged;</para>

      <para role="historic">Performance with hosts having a large number of IP aliases
        has been improved, by replacing the per-interface
        <varname>if_inaddr</varname> linear list with a hash table. &merged;</para>

      <para>Network devices now automatically appear as special files in
        <filename>/dev/net</filename>.  Interface hardware ioctls (not
        protocol or routing) can be performed on these devices.  The
        <varname>SIOCGIFCONF</varname> ioctl may be performed on the
        special <filename>/dev/network</filename> node.</para>

      <para role="historic">Selected network drivers now implement a semi-polling
        mode, which makes systems much more resilient to attacks and
        overloads.  To enable polling, the following options are
        required in a kernel configuration file:

      <programlisting>options DEVICE_POLLING
options HZ=1000 # not compulsory but strongly recommended</programlisting>

        The <varname>kern.polling.enable</varname> sysctl variable
        will then activate polling mode; with the
        <varname>kern.polling.user_frac</varname> sysctl indicating
        the percentage of CPU time to be reserved for userland.  The
        devices initially supporting polling are &man.dc.4;,
        &man.fxp.4;, &man.rl.4;, and &man.sis.4;.  More details can be found in
        the &man.polling.4; manual page. &merged;</para>

      <para arch="i386,pc98" role="historic">The packet-forwarding performance of certain
        network drivers (specifically &man.dc.4; and &man.sis.4;) has
        been enhanced by the elimination of unnecessary buffer
        copies. &merged;</para>

      <para><quote>Zero copy</quote> support has been added to the
        networking stack.  This feature can eliminate a copy of
        network data between the kernel and userland, which is one of
        the more significant bottlenecks in network throughput.
        The send-side code should work with almost any network
        adapter, while the receive-side code requires a network
        adapter with an MTU of at least one memory page size (for
        example, jumbo frames on Gigabit Ethernet).  For more
        information, see &man.zero.copy.9;.</para>
    </sect3>

    <sect3>
      <title>Network Protocols</title>

      <para role="historic">&man.accept.filter.9;, a kernel feature to reduce
        overheads when accepting and reading new connections on
        listening sockets, has been added. &merged;</para>

      <para role="historic">The <literal>proxy</literal> modifier to &man.arp.8;'s
        <option>-d</option> option has been renamed to
        <literal>pub</literal>, for consistency with the
        <option>-s</option> option.  The <literal>only</literal> keyword
        has been added to the <option>-s</option> and
        <option>-S</option> flags, to be used in creating
        <quote>proxy-only</quote> published entries. &merged;</para>

      <para role="historic">The read timeout feature of &man.bpf.4; now works more
        correctly with &man.select.2;/&man.poll.2;, and therefore with
        pthreads. &merged;</para>

      <para role="historic">&man.bridge.4; and &man.dummynet.4; have received some
        enhancements and bug fixes, and are now loadable
        modules. &merged;</para>

      <para role="historic">&man.bridge.4; now has better support for multiple,
        fully-independent bridging clusters, and is much more stable
        in the presence of dynamic attachments and detatchments.  Full
        support for VLANs is also supported. &merged;</para>

      <para>ICMP ECHO and TSTAMP replies are now rate limited.  TCP
        RSTs generated due to packets sent to open and unopen ports
        are now limited by separate counters.  Each rate limiting
        queue now has its own description.</para>

      <para role="historic">ICMP <literal>UNREACH_FILTER_PROHIB</literal> messages can
        now RST TCP connections in the <literal>SYN_SENT</literal>
        state if the correct sequence numbers are sent back, as
        controlled by the
        <varname>net.inet.tcp.icmp_may_rst</varname> sysctl. &merged;</para>

      <para>IP multicast now works on VLAN devices.  Several other
        bugs in the VLAN code have also been fixed.</para>

      <para role="historic">A bug in the IPsec processing for IPv4, which caused the
        inbound SPD checks to be ignored, has been fixed. &merged;</para>

      <para role="historic">&man.ipfw.4; now filters correctly in the presence of ECN
        bits in TCP segments. &merged;</para>

      <para>&man.ipfw.4 has been re-implemented.  It now uses
        variable-sized representation of rules in the kernel, similar
        to &man.bpf.4; instructions.  Most of the externally-visible
        behavior (i.e. through &man.ipfw.8;) should be unchanged.,
        although &man.ipfw.8; now supports <literal>or</literal>
        connectives between match fields.</para>

      <para role="historic">A new ng_eiface netgraph module has been added, which
        appears as an Ethernet interface but delivers its Ethernet
        frames to a Netgraph hook. &merged;</para>

      <para>A new &man.ng.device.4; netgraph node type has been added,
        which creates a device entry in <filename>/dev</filename>, to
        be used as the entry point to a networking graph.</para>

      <para role="historic">A new &man.ng.etf.4; netgraph node allows Ethernet type
        packets to be filtered to different hooks depending on
        ethertype. &merged;</para>

      <para>The &man.ng.gif.4; and &man.ng.gif.demux.4; netgraph
        nodes, for operating on &man.gif.4; devices, have been
        added.</para>

      <para>The &man.ng.ip.input.4; netgraph node, for queueing IP
        packets into the main IP input processing code, has been
        added.</para>

      <para role="historic">The &man.ng.mppc.4; and &man.ng.bridge.4; node types have
        been added to the &man.netgraph.4; subsystem.  The
        &man.ng.ether.4; node is now dynamically loadable.
        Miscellaneous bug fixes and enhancements have also been
        made. &merged;</para>

      <para role="historic">A new netgraph node type &man.ng.one2many.4; for
        multiplexing and demultiplexing packets over multiple links
        has been added.  &merged;</para>

      <para>A new ng_split node type has been added for splitting a
        bidirectional packet flow into two unidirectional flows.</para>

      <para role="historic">A new sysctl
        <varname>net.inet.ip.check_interface</varname>, which is on by
        default, causes IP to verify that an incoming packet arrives
        on an interface that has an address matching the packet's
        destination address. &merged;</para>

      <para role="historic">A new sysctl
        <varname>net.link.ether.inet.log_arp_wrong_iface</varname> has
        been added to control the suppression of logging when ARP
        replies arrive on the wrong interface. &merged;</para>

      <para role="historic">A new <literal>options RANDOM_IP_ID</literal> kernel
        option causes the ID field of IP packets to be randomized.
        This closes a minor information leak which allows a remote
        observer to determine the rate at which the machine is
        generating packets, since the default behavior is to increment
        a counter for each packet sent. &merged;</para>

      <para arch="alpha">SLIP has been removed from the
        <filename>mfsroot</filename> floppy image.</para>

      <para role="historic">TCP has received some bug fixes for its delayed ACK
        behavior. &merged;</para>

      <para role="historic">TCP now supports the NewReno modification to the TCP Fast
        Recovery algorithm.  This behavior can be controlled via the
        <varname>net.inet.tcp.newreno</varname> sysctl
        variable. &merged;</para>

      <para role="historic">TCP now uses a more aggressive timeout for initial SYN
        segments; this allows initial connection attempts to be
        dropped much faster. &merged;</para>

      <para role="historic">The <literal>TCP_COMPAT_42</literal> kernel option has
        been removed. &merged;</para>

      <para role="historic">The <literal>TCP_RESTRICT_RST</literal> kernel option has
        been removed.  Similar functionality can be achieved with the
        <varname>net.inet.tcp.blackhole</varname> sysctl
        variable. &merged;</para>

      <para role="historic">TCP now has RFC 1323 extensions enabled by default in
        &man.rc.conf.5;. &merged;</para>

      <para role="historic">RFC 1323 and RFC 1644 TCP extensions are now disabled for
        a connection in progress if no response has been received by
        the third SYN segment sent.  This behavior tries to work
        around (very old) terminal servers with buggy VJ header
        compression implementations. &merged;</para>

      <para role="historic">The TCP implementation no longer requires the allocation
        of a TCP template structure for each connection; this should
        reduce the buffer usage on large systems handling many
        connections. &merged;</para>

      <para role="historic">TCP's default buffer sizes, controlled by the
        <varname>net.inet.tcp.sendspace</varname> and
        <varname>net.inet.tcp.recvspace</varname> sysctl variables,
        have been increased to 32K and 64K respectively.  Previously,
        the default for both buffer sizes was 16K.  To try to avoid
        increasing congestion, the default value for
        <varname>net.inet.tcp.local_slowstart_flightsize</varname> has
        been changed from infinity to 4. &merged;

        <note>
          <para>On busy hosts, the new larger buffer sizes may require
            manually increasing the
            <varname>NMBCLUSTERS</varname> parameter, either in the
            kernel configuration file or via the
            <varname>kern.ipc.nmbclusters</varname> loader tunable.
            <command>netstat -mb</command> can be used to monitor the
            state of mbuf clusters.</para>
        </note>
      </para>

      <para role="historic">TCP now supports RFC 1948 (Defending Against Sequence
        Number Attacks).  The
        <varname>net.inet.tcp.isn_reseed_interval</varname> sysctl
        variable controls the reseeding of the secret data used in
        the RFC 1948 initial sequence number calculations. &merged;</para>

      <para role="historic">The TCP implementation in &os; now implements a cache of
        outstanding, received SYN segments.  Incoming SYN segments now
        cause entries to be placed in the cache until the TCP
        three-way handshake is complete, at which point, memory is
        allocated for the connection as usual.  In addition, all TCP
        Initial Sequence Numbers (ISNs) are used as cookies, allowing
        entries in the cache to be dropped, but still have their
        corresponding ACKs accepted later.  The combination of the
        so-called
        <quote>syncache</quote> and <quote>syncookies</quote> features
        makes a host much more resistant to TCP-based Denial of
        Service attacks.  Work on this feature was sponsored by DARPA
        and NAI Labs. &merged;</para>

      <para role="historic">A bug in the TCP implementation, which could cause
        connections to stall if a sender saw a zero-sized window, has
        been corrected. &merged;</para>

      <para role="historic">The TCP implementation now properly ignores packets
        addressed to IP-layer broadcast addresses. &merged;</para>

      <para>The ephemeral port range used for TCP and UDP has been
        changed to 49152&ndash;65535 (the old default was
        1024&ndash;5000).  This increases the number of concurrent
        outgoing connections/streams.</para>
    </sect3>

    <sect3>
      <title>Disks and Storage</title>

      <para arch="i386" role="historic">Support for the Adaptec FSA family of PCI-SCSI
        RAID controllers has been added, in the form of the
        &man.aac.4; driver.  This driver includes proper handling of
        commands initiated by the adapter, addition/removal of disk
        devices, crashdump functionality, and &man.ioctl.2; commands
        necessary for the management CLI, and is fully qualified and
        sanctioned by Adaptec. &merged;</para>

      <para role="historic">The &man.ahc.4; driver has received numerous updates,
        bugfixes, and enhancements.  Among various improvements are
        improved compatibility with chips in <quote>RAID Port</quote>
        mode and systems with AAA and/or ARO cards installed, as well
        as performance improvements. Some bugs were also fixed,
        including a rare hang on Ultra2/U160
        controllers. &merged;</para>

      <para arch="i386">The ahd driver, which supports the Adaptec
        AIC7902 Ultra320 PCI-X SCSI Controller chip, has been
        added.</para>

      <para arch="i386" role="historic">The &man.asr.4; driver, which provides support
        for the Adaptec SCSI RAID controller family, as well as the
        DPT SmartRAID V and VI families, has been
        added. &merged;</para>

      <para arch="i386" role="historic">The &man.asr.4; driver now supports the
        Adaptec 2000S and 2005S Zero-Channel RAID
        controllers. &merged;</para>

      <para role="historic">The &man.ata.4; driver now has support for ATA100
        controllers.  In addition, it now supports the ServerWorks
        ROSB4 ATA33 chipset, the CMD 648 ATA66 and CMD 649 ATA100
        chipsets, and the Cyrix 5530. &merged;</para>

      <para role="historic">To provide more flexible configuration, the various
        options for the &man.ata.4; driver are now boot loader
        tunables, rather than kernel configure-time
        options. &merged;</para>

      <para role="historic">The &man.ata.4; driver now has support for tagged queuing,
        which is enabled by the <varname>hw.ata.tags</varname> loader
        tunable. &merged;</para>

      <para role="historic">The &man.ata.4; driver now has support for ATA
        <quote>pseudo</quote> RAID controllers as the Promise Fasttrak
        and HighPoint HPT370 controllers. &merged;</para>

      <para role="historic">The &man.ata.4; driver now supports a wider variety of SiS
        chipsets, as listed in the Hardware Notes. &merged;</para>

      <para role="historic">The &man.ata.4; driver now has support for creating,
        deleting, querying, and rebuilding ATA RAIDs under control of
        &man.atacontrol.8;. &merged;</para>

      <para role="historic">The BurnProof(TM) feature, for applicable ATAPI CD-ROM
        burners, is now supported. &merged;</para>

      <para role="historic">The &man.ata.4; driver now has support for 48-bit
        addressing.  Devices larger than 137GB are now
        supported. &merged;</para>

      <para role="historic">The &man.ata.4; driver now contains fixes for some data
        corruption problems on systems using the VIA 82C686B
        Southbridge chip. &merged;</para>

      <para role="historic">The &man.cd.4; driver now has support for write
        operations.  This allows writing to DVD-RAM, PD and similar
        drives that probe as CD devices.  Note that change affects
        only random-access writeable devices, not sequential-only
        writeable devices such as CD-R drives, which are supported by
        &man.cdrecord.1; (a part of
        <filename role="package">sysutils/cdrtools</filename> in the
        Ports Collection. &merged;</para>

      <para arch="i386" role="historic">The ciss driver, for devices utilizing the
        Common Interface for SCSI-3 Support, has been added.  This
        driver supports the Compaq SmartRAID 5* family of RAID
        controllers (5300, 532, 5i). &merged;</para>

      <para>The &man.fdc.4; floppy disk has undergone a number of
        enhancements.  Density selection for common settings is now
        automatic; the driver is also much more flexible in setting
        the densities of various subdevices.</para>

      <para>The &man.geom.4; disk I/O request transformation framework
        has been added; this extensible framework is designed to
        support a wide variety of operations on I/O requests on their
        way from the upper kernel to the device drivers.</para>

      <para role="historic">The ida disk driver now has crashdump
        support. &merged;</para>

      <para arch="i386" role="historic">The iir driver has been added to support the
        Intel Integrated RAID controllers, as well as prior ICP Vortex
        controllers.</para>

      <para arch="alpha" role="historic">A bug that made certain CDROM drives fail to
        attach when connected to a SCSI card driven by &man.isp.4; has
        been fixed. &merged;</para>

      <para>The &man.isp.4; driver is now proactive about discovering
        Fibre Channel topology changes.</para>

      <para>The &man.isp.4; driver now supports target mode for Qlogic
        SCSI cards, including Ultra2 and Ultra3 and dual bus
        cards.</para>

      <para role="historic">The &man.isp.4; driver now supports the Qlogic 2300 and
        2312 Optical Fibre Channel PCI cards. &merged;</para>

      <para>&man.md.4;, the memory disk device, has had the
        functionality of &man.vn.4; incorporated into it.  &man.md.4;
        devices can now be configured by &man.mdconfig.8;.  &man.vn.4;
        has been removed.  The Memory Filesystem (MFS) has also been
        removed.</para>

      <para arch="i386" role="historic">The &man.mly.4; driver, for Mylex PCI to SCSI
        AccelRAID and eXtremeRAID controllers with firmware 6.X and
        later, has been added. &merged;</para>

      <para arch="i386,pc98" role="historic">The ncv, nsp, and stg drivers have been ported
        from NetBSD/pc98.  They support the NCR 53C50 / Workbit Ninja
        SCSI-3 / TMC 18C30, 18C50 based PC-Card/ISA SCSI controllers.
        All three drivers can be built and loaded as
        modules. &merged;</para>

      <para arch="powerpc">The ofw driver, a basic OpenFirmware disk
        driver, has been added.</para>

      <para>Some problems in &man.sa.4; error handling have been
        fixed, including the <quote>tape drive spinning indefinitely
        upon &man.mt.1; <option>stat</option></quote> problem.</para>

      <para arch="i386" role="historic">The &man.twe.4; 3ware ATA RAID driver has
        added. &merged;</para>

      <para role="historic">The &man.wd.4; compatibility devices were removed from the
        &man.ata.4; driver. &merged;</para>
    </sect3>

    <sect3>
      <title>Filesystems</title>

      <para>Support for named extended attributes was added to the
        &os; kernel.  This allows the kernel, and appropriately
        privileged userland processes, to tag files and directories
        with attribute data.  Extended attributes were added to
        support the TrustedBSD Project, in particular ACLs, capability
        data, and mandatory access control labels (see
        <filename>/usr/src/sys/ufs/ufs/README.extattr</filename> for
        details).</para>

      <para role="historic">Due to a licensing change, softupdates have been
        integrated into the main portion of the kernel source tree.
        As a consequence, softupdates are now available with the
        <filename>GENERIC</filename> kernel. &merged;</para>

      <para>A filesystem snapshot capability has been added to FFS.
        Details can be found in
        <filename>/usr/src/sys/ufs/ffs/README.snapshot</filename>.</para>

<!-- The following note needs to be made more specific or eliminated. -->
      <para>Softupdates for FFS have received some bug fixes and
        enhancements.</para>

      <para>When running with softupdates, &man.statfs.2; and
        &man.df.1; will track the number of blocks and files that are
        committed to being freed.</para>

      <para role="historic">A bug in FFS that could cause superblock corruption on
        very large filesystems has been corrected. &merged;</para>

      <para role="historic">The ISO-9660 filesystem now has a hook that supports a
        loadable character conversion routine.  The
        <filename role="package">sysutils/cd9660_unicode</filename>
        port contains a set of common conversions. &merged;</para>

      <para>&man.kernfs.5; is obsolete and has been retired.</para>

      <para role="historic">A bug in the NFS client that caused bogus access times with
        <literal>O_EXCL|O_CREAT</literal> opens was
        fixed. &merged;</para>

      <para role="historic">A new NFS hash function (based on the Fowler/Noll/Vo hash
        algorithm) has been implemented to improve NFS performance by
        increasing the efficiency of the <varname>nfsnode</varname>
        hash tables. &merged;</para>

      <para>Client-side NFS locks have been implemented.</para>

      <para>The client-side and server-side of the NFS code in the
        kernel used to be intertwined in various complex ways.  They
        have been split apart for ease of maintenance and further
        development.</para>

      <para>Support for filesystem Access Control Lists (ACLs) has
        been introduced, allowing more fine-grained control of
        discretionary access control on files and directories.  This
        support was integrated from the TrustedBSD Project.  More
        details can be found in
        <filename>/usr/src/sys/ufs/ufs/README.acls</filename>.</para>

      <para role="historic">The directory layout preference algorithm for FFS
        (<literal>dirprefs</literal>) has been changed.  Rather than
        scattering directory blocks across a disk, it attempts to
        group related directory blocks together.  Operations
        traversing large directory hierarchies, such as the &os; Ports
        tree, have shown marked speedups.  This change is transparent
        and automatic for new directories. &merged;</para>

      <para arch="i386,pc98" role="historic">smbfs (CIFS) support in kernel has been added.
        The userland programs &man.smbutil.1; and &man.mount.smbfs.8;
        can be used to work with SMB shares.  Note that
        &man.mount.smbfs.8; will automatically load the
        <filename>smbfs.ko</filename> module into the kernel, even if
        <literal>LIBMCHAIN</literal> and
        <literal>LIBICONV</literal> were not compiled into the kernel.
        &merged;</para>

      <para>For consistency, the fdesc, fifo, null, msdos, portal,
        umap, and union filesystems have been renamed to fdescfs,
        fifofs, msdosfs, nullfs, portalfs, umapfs, and unionfs.  Where
        applicable, modules and mount_* programs have been renamed.
        Compatibility <quote>glue</quote> has been added to
        &man.mount.8; so that <literal>msdos</literal> filesystem
        entries in &man.fstab.5; will work without changes.</para>

      <para>pseudofs, a pseudo-filesystem framework, has been added.
        &man.linprocfs.5; and &man.procfs.5; have been modified to use
        pseudofs.</para>

      <para role="historic">A simple hash-based lookup optimization for large
        directories called <literal>dirhash</literal> has been added.
        Conditional on the
        <literal>UFS_DIRHASH</literal> kernel option (enabled by
        default in the <filename>GENERIC</filename> kernel), it
        improves the speed of operations on very large directories at
        the expense of some memory. &merged;</para>

      <para role="historic">The virtual memory subsystem now backs UFS directory
        memory requirements by default (this behavior is controlled
        via the <varname>vfs.vmiodirenable</varname> sysctl
        variable). &merged;</para>

      <para role="historic">A bug that prevented the root filesystem from being
        mounted from a SCSI CDROM has been fixed (ATAPI CDROMs were
        always supported). &merged;</para>

      <para role="historic">A number of bugs in the filesystem code, discovered
        through the use of the <application>fsx</application>
        filesystem test tool, have been fixed.  Under certain
        circumstances (primarily related to use of NFS), these bugs
        could cause data corruption or kernel panics. &merged;</para>

      <para>Network filesystems (such as NFS and smbfs filesystems)
        listed in <filename>/etc/fstab</filename> can now be properly
        mounted during startup initialization; their mounts are
        deferred until after the network is initialized.</para>

      <para>Read-only support for the Universal Disk Format (UDF) has
        been added.  This format is used on packet-written CD-RWs and
        most commercial DVD-Video disks.  The &man.mount.udf.8;
        command can be used to mount these disks.</para>

      <para>Basic support has been added for the UFS2 filesystem.
        Among its features:

        <itemizedlist>
          <listitem>
            <para>The inode has been expanded to 256 bytes to make
              space for 64-bit block pointers.</para>
          </listitem>

          <listitem>
            <para>A file-creation time field has been added.</para>
          </listitem>

          <listitem>
            <para>Space has been provided for extended attributes, up
              to twice the filesystem block size.</para>
          </listitem>
        </itemizedlist>

        </para>

    </sect3>

    <sect3>
      <title>PCCARD Support</title>

      <para arch="i386,pc98" role="historic">The pccard driver and &man.pccardc.8; now
        support multiple <quote>beep types</quote> upon card insertion
        and removal. &merged;</para>

      <para role="historic">On many modern hosts, PCCARD devices can be configured to
        route their interrupts via either the ISA or PCI interrupt
        paths.  The &man.pcic.4; driver has been updated to support
        both interrupt paths (formerly, only routing via ISA was
        supported).  &merged; In most cases, configuration of PCMCIA
        devices in laptops is simpler and more flexible.  In addition,
        various Cardbus bridge PCI cards (such as those used by
        Orinoco PCI NICs) are now supported.  Some hosts may
        experience problems, such as hangs or panics, with PCI
        interrupt routing; they can frequently be made to work by
        forcing the older-style ISA interrupt routing.  The following
        lines, placed in <filename>/boot/loader.conf</filename>, may
        fix the problem:</para>

      <programlisting role="historic">hw.pcic.intr_path="1"
  hw.pcic.irq="0"</programlisting>

      <para role="historic">When installing &os; on such a system, typing the
        following lines to the boot loader may be helpful in starting
        up &os; for the first time:<para>

      <screen role="historic"><prompt>ok</prompt> <userinput>set hw.pcic.intr_path="1"</userinput>
<prompt>ok</prompt> <userinput>set hw.pcic.irq="0"</userinput></screen>

      <para arch="i386">Preliminary Cardbus support under NEWCARD has
        been added.  This code supports the TI113X, TI12XX, TI125X,
        Ricoh 5C46/5C47, Topic 95/97/100 and Cirrus Logic PD683X
        bridges.  16-bit PC Card support is not yet functional.</para>

      <para arch="i386">NEWCARD is now the default pccard/cardbus
        system in the <filename>GENERIC</filename> kernel.</para>

    </sect3>

    <sect3>
      <title>Multimedia Support</title>

      <para arch="i386" role="historic">The &man.pcm.4; driver now supports the ESS
        Solo 1, Maestro-1, Maestro-2, and Maestro-2e; Forte Media
        fm801, ESS Maestro-2e, and VIA Technologies VT82C686A sound
        card/chipsets, and has received some other updates.  Separate
        drivers for the SoundBlaster 8 and SoundBlaster 16 now replace
        an older, unified driver.  A driver for the CMedia
        CMI8338/CMI8738 sound chips has been added.  A driver for the
        CS4281 sound chip has been added.  A driver for the S3
        SonicVibes chipset has been added. &merged;</para>

      <para arch="i386" role="historic">A driver for the Avance Logic ALS4000 has been
        added. &merged;</para>

      <para arch="i386" role="historic">A driver for the ESS Maestro-3/Allegro has
        been added, however due to licensing restrictions, it cannot
        be compiled into the kernel. &merged; To use this driver, add
        the following line to
        <filename>/boot/loader.conf</filename>:</para>

      <programlisting role="historic">snd_maestro3_load="YES"</programlisting>

      <para role="historic">The &man.bktr.4; driver has been updated to 2.18.  This
        update provides a number of new features.  New tuner types
        have been added, and improvements to the KLD module and to
        memory allocation have been made.  Bugs in &man.devfs.5; when
        unloading and reloading have been fixed.  Support for new
        Hauppauge Model 44xxx WinTV Cards (the ones with no audio mux)
        has been added. &merged;</para>

      <para arch="i386,pc98" role="historic">The ufm driver, supporting the D-Link DSB-R100
        USB Radio, has been added. &merged;</para>

      <para role="historic">When sound modules are built, one can now load all the
        drivers and infrastructure by <command>kldload
        snd</command>. &merged;</para>

      <para>A new API has been added for sound cards with hardware
        volume control.</para>

      <para arch="i386" role="historic">A driver for the Intel 443MX, 810, 815, and
        815E integrated sound devices has been added. &merged;</para>

      <para arch="i386" role="historic">The via82c686 sound driver now supports the VIA
        VT8233. &merged;</para>

      <para arch="i386" role="historic">The ich sound driver now support the SiS
        7012 chipset. &merged;</para>

      <para arch="i386">Drivers have been added to support the Direct
        Rendering Infrastructure, which can used to provide 3D
        acceleration within <application>XFree86</application>.  Video
        cards supported include the 3Dlabs Oxygen GMX 2000 (gammadrm),
        AGP Matrox G200/G400/G450/G550 (mgadrm), 3dfx Voodoo
        3/4/5/Banshee (tdfxdrm), AGI ATI Rage 128 (r128drm), and AGP
        ATI Radeon (radeondrm).</para>

    </sect3>

    <sect3>
      <title>Contributed Software</title>

      <para>The Forth Inspired Command Language
        (<application>FICL</application>) used in the boot loader has
        been updated to 3.02.</para>

      <para>Support for Advanced Configuration and Power Interface
        (ACPI), a multi-vendor standard for configuration and power
        management, has been added.  This functionality has been
        provided by the <application>Intel ACPI Component
        Architecture</application> project, as of the ACPI CA 20020611
        snapshot.  Some backward compatability for applications using
        the older APM standard has been provided.</para>

      <sect4>
        <title>IPFilter</title>

        <para><application>IPFilter</application> has been updated to
          3.4.28.</para>

        <para role="historic"><application>IPFilter</application> now supports
          IPv6. &merged;</para>

      </sect4>

      <sect4 arch="i386">
        <title>isdn4bsd</title>

        <para><application>isdn4bsd</application> has been updated to
          version 1.0.2.</para>

        <para role="historic">The &man.ifpi.4; driver for supporting the AVM
          Fritz!Card PCI controller has been added. &merged;</para>

        <para role="historic">The &man.ifpi2.4; driver for supporting the AVM
          Fritz!Card PCI version 2 controller has been added. &merged;</para>

        <para role="historic">The &man.ihfc.4; driver for supporting Cologne Chip
          Designs HFC devices under
          <application>isdn4bsd</application> has been
          added. &merged;</para>

        <para role="historic">The &man.itjc.4; driver for supporting NETjet-S / Teles
          PCI-TJ devices under <application>isdn4bsd</application> has
          been added. &merged;</para>

        <para role="historic">Experimental support for the Eicon.Diehl DIVA 2.0 and
          2.02 ISA PnP ISDN cards has been added to the &man.isic.4;
          <application>isdn4bsd</application> driver. &merged;</para>

        <para role="historic">The &man.isic.4; driver now supports the Compaq Microcom
          610 ISDN ISA PnP card. &merged;</para>

        <para role="historic">Active CAPI-based ISDN cards manufactured by AVM are now
          supported using the &man.i4bcapi.4; and the &man.iavc.4;
          driver.  The supported cards are the AVM B1 PCI and AVM B1
          ISA Basic Rate cards and the AVM T1 Primary Rate
          cards. &merged;</para>

        <para role="historic">A new <literal>maxconnecttime</literal> keyword is now
          accepted in &man.isdnd.rc.5; files to limit the time a
          connection may remain open. &merged;</para>

        <para role="historic">&man.isdnphone.8; now supports a <option>-k</option>
          option for sending messages via the keypad facility to a PBX
          or exchange office. &merged;</para>

        <para><application>isdn4bsd</application> now supports Q.931
          subaddressing.</para>

      </sect4>

      <sect4 id="kame-kernel">
        <title>KAME</title>

        <para role="historic">The IPv6 stack is now based on a snapshot based on the
          KAME Project's IPv6 snapshot as of 28 May, 2001.  Most of
          the items listed in this section are a result of this
          import.  <xref linkend="kame-userland"> lists userland
          updates to the KAME IPv6 stack. &merged;</para>

        <para role="historic">&man.gif.4; is now based on RFC 2893, rather than RFC
          1933.  The <literal>IFF_LINK2</literal> interface flag can
          be used to control ingress filtering. &merged;</para>

        <para role="historic"><application>IPsec</application> has received some
          enhancements, including the ability to use the Rijndael and
          SHA2 algorithms.  IPsec RC5 support has been removed due to
          patent issues. &merged;</para>

        <para role="historic">&man.stf.4; now conforms to RFC 3056; the
          <literal>IFF_LINK2</literal> interface flag can be used to
          control ingress filtering. &merged;</para>

        <para role="historic">IPv6 has better checking of illegal addresses (such as
          loopback addresses) on physical networks. &merged;</para>

        <para role="historic">The <varname>IPV6_V6ONLY</varname> socket option is now
          completely supported.  The kernel's default behavior with
          respect to this option is controlled by the
          <varname>net.inet6.ip6.v6only</varname> sysctl
          variable. &merged;</para>

        <para role="historic">RFC 3041 (Privacy Extensions for Stateless Address
          Autoconfiguration) is now supported.  It can be enabled via
          the <varname>net.inet6.ip6.use_tempaddr</varname> sysctl
          variable. &merged;</para>
      </sect4>
    </sect3>
  </sect2>

  <sect2 id="security">
    <title>Security-Related Changes</title>

    <para role="historic">&man.sysinstall.8; now allows the user to select one of two
      <quote>security profiles</quote> at install-time.  These
      profiles enable different levels of system security by enabling
      or disabling various system services in &man.rc.conf.5; on new
      installs. &merged;</para>

    <para>A bug in which malformed ELF executable images can hang the
      system has been fixed (see security advisory
      FreeBSD-SA-00:41). &merged;</para>

    <para>A security hole in Linux emulation was fixed (see security
      advisory FreeBSD-SA-00:42). &merged;</para>

    <para role="historic">String-handling library calls in many programs were fixed to
      reduce the possibility of buffer overflow-related exploits.
      &merged;</para>

    <para>TCP now uses stronger randomness in choosing its initial
      sequence numbers (see security advisory
      FreeBSD-SA-00:52). &merged;</para>

    <para>Several buffer overflows in &man.tcpdump.1; were corrected
      (see security advisory FreeBSD-SA-00:61). &merged;</para>

    <para>A security hole in &man.top.1; was corrected (see security
      advisory FreeBSD-SA-00:62). &merged;</para>

    <para>A potential security hole caused by an off-by-one-error in
      &man.gethostbyname.3; has been fixed (see security advisory
      FreeBSD-SA-00:63). &merged;</para>

    <para>A potential buffer overflow in the &man.ncurses.3; library,
      which could cause arbitrary code to be run from within
      &man.systat.1;, has been corrected (see security advisory
      FreeBSD-SA-00:68). &merged;</para>

    <para>A vulnerability in &man.telnetd.8; that could cause it to
      consume large amounts of server resources has been fixed (see
      security advisory FreeBSD-SA-00:69). &merged;</para>

    <para>The <literal>nat deny_incoming</literal> command in
      &man.ppp.8; now works correctly (see security advisory
      FreeBSD-SA-00:70). &merged;</para>

    <para>A vulnerability in &man.csh.1;/&man.tcsh.1; temporary files
      that could allow overwriting of arbitrary user-writable files
      has been closed (see security advisory
      FreeBSD-SA-00:76). &merged;</para>

    <para role="historic">The &man.ssh.1; binary is no longer SUID root by
      default. &merged;</para>

    <para role="historic">Some fixes were applied to the Kerberos IV implementation
      related to environment variables, a possible buffer overrun, and
      overwriting ticket files. &merged;</para>

    <para role="historic">&man.telnet.1; now does a better job of sanitizing its
      environment. &merged;</para>

    <para>Several vulnerabilities in &man.procfs.5; were fixed (see
      security advisory FreeBSD-SA-00:77). &merged;</para>

    <para>A bug in <application>OpenSSH</application> in which a
      server was unable to disable &man.ssh-agent.1; or
      <literal>X11Forwarding</literal> was fixed (see security
      advisory FreeBSD-SA-01:01). &merged;</para>

    <para>A bug in &man.ipfw.8; and &man.ip6fw.8; in which inbound TCP
      segments could incorrectly be treated as being part of an
      <literal>established</literal> connection has been fixed (see
      security advisory FreeBSD-SA-01:08). &merged;</para>

    <para>A bug in &man.crontab.1; that could allow users to read any
      file on the system in valid &man.crontab.5; syntax has been
      fixed (see security advisory FreeBSD-SA-01:09). &merged;</para>

    <para>A vulnerability in &man.inetd.8; that could allow
      read-access to the initial 16 bytes of
      <groupname>wheel</groupname>-accessible files has been fixed
      (see security advisory FreeBSD-SA-01:11). &merged;</para>

    <para>A bug in &man.periodic.8; that used insecure temporary files
      has been corrected (see security advisory
      FreeBSD-SA-01:12). &merged;</para>

    <para><application>OpenSSH</application> now has code to prevent
      (instead of just mitigating through connection limits) an attack
      that can lead to guessing the server key (not host key) by
      regenerating the server key when an RSA failure is detected (see
      security advisory FreeBSD-SA-01:24). &merged;</para>

    <para role="historic">A number of programs have had output formatting strings
      corrected so as to reduce the risk of
      vulnerabilities. &merged;</para>

    <para role="historic">A number of programs that use temporary files now do so more
      securely. &merged;</para>

    <para role="historic">A bug in ICMP that could cause an attacker to disrupt TCP and UDP
      <quote>sessions</quote> has been corrected. &merged;</para>

    <para>A bug in &man.timed.8;, which caused it to crash if send
      certain malformed packets, has been corrected (see security
      advisory FreeBSD-SA-01:28). &merged;</para>

    <para>A bug in &man.rwhod.8;, which caused it to crash if send
      certain malformed packets, has been corrected (see security
      advisory FreeBSD-SA-01:29). &merged;</para>

    <para>A security hole in &os;'s FFS and EXT2FS implementations,
      which allowed a race condition that could cause users to have
      unauthorized access to data, has been fixed (see security
      advisory FreeBSD-SA-01:30). &merged;</para>

    <para>A remotely-exploitable vulnerability in &man.ntpd.8; has
      been closed (see security advisory
      FreeBSD-SA-01:31). &merged;</para>

    <para>A security hole in <application>IPFilter</application>'s
      fragment cache has been closed (see security advisory
      FreeBSD-SA-01:32). &merged;</para>

    <para>Buffer overflows in &man.glob.3;, which could cause
      arbitrary code to be run on an FTP server, have been closed.  In
      addition, to prevent some forms of DOS attacks, &man.glob.3;
      allows specification of a limit on the number of pathname
      matches it will return.  &man.ftpd.8; now uses this feature (see
      security advisory FreeBSD-SA-01:33). &merged;</para>

    <para>Initial sequence numbers in TCP are more thoroughly
      randomized (see security advisory FreeBSD-SA-01:39).  Due to
      some possible compatibility issues, the behavior of this
      security fix can be enabled or disabled via the
      <varname>net.inet.tcp.tcp_seq_genscheme</varname> sysctl
      variable.&merged;</para>

    <para>A vulnerability in the &man.fts.3; routines (used by
      applications for recursively traversing a filesystem) could
      allow a program to operate on files outside the intended
      directory hierarchy.  This bug has been fixed (see security
      advisory FreeBSD-SA-01:40). &merged;</para>

    <para role="historic"><application>OpenSSH</application> now switches to the
      user's UID before attempting to unlink the authentication
      forwarding file, nullifying the effects of a race.</para>

    <para>A flaw allowed some signal handlers to remain in effect in a
      child process after being exec-ed from its parent.  This allowed
      an attacker to execute arbitrary code in the context of a setuid
      binary.  This flaw has been corrected (see security advisory
      FreeBSD-SA-01:42). &merged;</para>

    <para>A remote buffer overflow in &man.tcpdump.1; has been fixed
      (see security advisory FreeBSD-SA-01:48). &merged;</para>

    <para>A remote buffer overflow in &man.telnetd.8; has been fixed
      (see security advisory FreeBSD-SA-01:49). &merged;</para>

    <para>The new <varname>net.inet.ip.maxfragpackets</varname> and
      <varname>net.inet.ip6.maxfragpackets</varname> sysctl variables
      limit the amount of memory that can be consumed by IPv4 and IPv6
      packet fragments, which defends against some denial of service
      attacks (see security advisory
      FreeBSD-SA-01:52). &merged;</para>

    <para role="historic">All services in <filename>inetd.conf</filename> are now
      disabled by default for new installations.  &man.sysinstall.8;
      gives the option of enabling or disabling &man.inetd.8; on new
      installations, as well as editing
      <filename>inetd.conf</filename>. &merged;</para>

    <para>A flaw in the implementation of the &man.ipfw.8;
      <literal>me</literal> rules on point-to-point links has been
      corrected.  Formerly, <literal>me</literal> filter rules would
      match the remote IP address of a point-to-point interface in
      addition to the intended local IP address (see security advisory
      FreeBSD-SA-01:53). &merged;</para>

    <para>A vulnerability in &man.procfs.5;, which could allow a
      process to read sensitive information from another process's
      memory space, has been closed (see security advisory
      FreeBSD-SA-01:55). &merged;</para>

    <para>The <literal>PARANOID</literal> hostname checking in
      <application>tcp_wrappers</application> now works as advertised
      (see security advisory FreeBSD-SA-01:56). &merged;</para>

    <para>A local root exploit in &man.sendmail.8; has been closed
      (see security advisory FreeBSD-SA-01:57). &merged;</para>

    <para>A remote root vulnerability in &man.lpd.8; has been closed
      (see security advisory FreeBSD-SA-01:58). &merged;</para>

    <para>A race condition in &man.rmuser.8; that briefly exposed a
      world-readable <filename>/etc/master.passwd</filename> has been
      fixed (see security advisory FreeBSD-SA-01:59). &merged;</para>

    <para>A vulnerability in <application>UUCP</application> has been
      closed (see security advisory FreeBSD-SA-01:62).  All
      non-<username>root</username>-owned binaries in standard system
      paths now have the <literal>schg</literal> flag set to prevent
      exploit vectors when run by &man.cron.8;, by
      <username>root</username>, or by a user other then the one owning
      the binary.  In addition, &man.uustat.1; is now run via
      <filename>/etc/periodic/daily/410.status-uucp</filename> as
      <username>uucp</username>, not <username>root</username>.  In
      &os; -CURRENT, <application>UUCP</application> has since been
      moved to the Ports Collection and no longer a part of the base
      system. &merged;</para>

    <para role="historic">A security hole in the form of a buffer overflow in the
      &man.semop.2; system call has been closed. &merged;</para>

    <para>A security hole in <application>OpenSSH</application>, which
      could allow users to execute code with arbitrary privileges if
      <literal>UseLogin yes</literal> was set, has been closed.  Note
      that the default value of this setting is
      <literal>UseLogin no</literal>.  (See security advisory
      FreeBSD-SA-01:63.) &merged;</para>

    <para>The use of an insecure temporary directory by
      &man.pkg.add.1; could permit a local attacker to modify the
      contents of binary packages while they were being installed.
      This hole has been closed.  (See security advisory
      FreeBSD-SA-02:01.) &merged;</para>

    <para>A race condition in &man.pw.8;, which could expose the
      contents of <filename>/etc/master.passwd</filename>, has been
      eliminated.  (See security advisory FreeBSD-SA-02:02.)
      &merged;</para>

    <para>A bug in &man.k5su.8; could have allowed a process that had
      given up superuser privileges to regain them.  This bug has been
      fixed.  (See security advisory FreeBSD-SA-02:07.)
      &merged;</para>

    <para>An <quote>off-by-one</quote> bug has been fixed in
      <application>OpenSSH</application>'s multiplexing code.  This bug
      could have allowed an authenticated remote user to cause
      &man.sshd.8; to execute arbitrary code with superuser
      privileges, or allowed a malicious SSH server to execute arbitrary
      code on the client system with the privileges of the client user.  (See security
      advisory <ulink
        url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:13.openssh.asc">FreeBSD-SA-02:13</ulink>.)
      &merged;</para>

    <para>A programming error in <application>zlib</application> could
      result in attempts to free memory multiple times.  The
      &man.malloc.3;/&man.free.3; routines used in &os; are not
      vulnerable to this error, but applications receiving
      specially-crafted blocks of invalid compressed data could
      be made to function incorrectly or abort.  This
      <application>zlib</application> bug has been fixed.  For a
      workaround and solutions, see security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:18.zlib.v1.2.asc">FreeBSD-SA-02:18</ulink>.
      &merged;</para>

    <para>Bugs in the TCP SYN cache (<quote>syncache</quote>) and SYN
      cookie (<quote>syncookie</quote>) implementations, which could
      cause legitimate TCP/IP traffic to crash a machine, have been
      fixed.  For a workaround and patches, see security advisory
      <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:20.syncache.asc">FreeBSD-SA-02:20</ulink>.
      &merged;</para>

    <para>A routing table memory leak, which could allow a remote
      attacker to exhaust the memory of a target machine, has been
      fixed.  A workaround and patches can be found in security
      advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:21.tcpip.asc">FreeBSD-SA-02:21</ulink>.
      &merged;</para>

    <para>A bug with memory-mapped I/O, which could cause a system
      crash, has been fixed.  For more information about a solution,
      see security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:22.mmap.asc">FreeBSD-SA-02:22</ulink>.
      &merged;</para>

    <para>A security hole, in which SUID programs could be made to
      read from or write to inappropriate files through manipulation
      of their standard I/O file descriptors, has been fixed.
      Information regarding a solution can be found in security
      advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:23.stdio.asc">FreeBSD-SA-02:23</ulink>.
      &merged;</para>

    <para>Some unexpected behavior could be allowed with &man.k5su.8;
      because it does not require that an invoking user be a member of
      the <groupname>wheel</groupname> group when attempting to become
      the superuser (this is the case with &man.su.1;).  To avoid this
      situation, &man.k5su.8; is now installed non-SUID by default
      (effectively disabling it).  More information can be found in
      security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:24.k5su.asc">FreeBSD-SA-02:24</ulink>.
      &merged;</para>

    <para>Multiple vulnerabilities were found in the &man.bzip2.1;
      utility, which could allow files to be overwritten without
      warning or allow local users unintended access to files.  These
      problems have been corrected with a new import of
      <application>bzip2</application>.  For more information, see
      security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:25.bzip2.asc">FreeBSD-SA-02:25</ulink>.
      &merged;</para>

    <para>A bug has been fixed in the implementation of the TCP SYN
      cache (<quote>syncache</quote>), which could allow a remote
      attacker to deny access to a service when accept filters
      (see &man.accept.filter.9;) were in use.  This bug has been
      fixed; for more information, see security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:26.accept.asc">FreeBSD-SA-02:26</ulink>.
      &merged;</para>

    <para>Due to a bug in &man.rc.8;'s use of shell globbing, users
      may be able to remove the contents of arbitrary files if
      <filename>/tmp/.X11-unix</filename> does not exist and the
      system can be made to reboot.  This bug has been corrected (see
      security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:27.rc.asc">FreeBSD-SA-02:27</ulink>).
      &merged;</para>

    <para>A buffer overflow in the resolver, which could be exploited
      by a malicious domain name server or an attacker forging DNS
      messages, has been fixed.  See security advisory <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:28.resolv.asc">FreeBSD-SA-02:28</ulink>
      for more details. &merged;</para>

    <para>A buffer overflow in &man.tcpdump.1;, which could be triggered by
      badly-formed NFS packets, has been fixed.  See security advisory
      <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:29.tcpdump.asc">FreeBSD-SA-02:29</ulink>
      for more details. &merged;</para>

    <para>&man.ktrace.1; can no longer trace the operation of formerly
      privileged processes; this prevents the leakage of sensitive
      information that the process could have obtained before
      abandoning its privileges.  For a discussion of this issue, see
      security advisory
      <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:30.ktrace.asc">FreeBSD-SA-02:30</ulink>
      for more details. &merged;</para>

  </sect2>

  <sect2 id="userland">
    <title>Userland Changes</title>

    <para role="historic">If the first argument to &man.ancontrol.8; or
      &man.wicontrol.8; doesn't start with a <literal>-</literal>, it
      is assumed to be an interface. &merged;</para>

    <para role="historic">&man.apmd.8; now has the ability to monitor battery levels
      and execute commands based on percentage or minutes of battery
      life remaining via the <literal>apm_battery</literal>
      configuration directive.  See the commented-out examples in
      <filename>/etc/apmd.conf</filename> for the
      syntax. &merged;</para>

    <para role="historic">&man.arp.8; now prints the applicable interface name for
      each ARP entry. &merged;</para>

    <para>&man.arp.8; now prints <literal>[fddi]</literal> or
      <literal>[atm]</literal> tags for addresses on interfaces of
      those types.</para>

    <para>The &man.asa.1; utility, to interpret FORTRAN
      carriage-control characters, has been added.</para>

    <para>&man.at.1; now supports the <option>-r</option> command-line
      option to remove jobs and the <option>-t</option> option to
      specify times in POSIX time format.</para>

    <para role="historic">&man.atacontrol.8; has been added to control various aspects
      of the &man.ata.4; driver. &merged;</para>

    <para>The system &man.awk.1; now refers to
      <application>BWK awk</application>.</para>

    <para>&man.basename.1; now accept <option>-a</option> and
      <option>-s</option> flags, which allow it to perform the
      &man.basename.3; function on multiple files.</para>

    <para>&man.biff.1; now accepts a <option>b</option> argument to
      enable <quote>bell notification</quote> of new mail (which does
      not disturb the terminal contents as <command>biff y</command>
      would).</para>

    <para arch="pc98" role="historic">&man.boot98cfg.8;, a PC-98 boot manager
      installation and configuration utility, has been
      added. &merged;</para>

    <para role="historic">&man.burncd.8; now supports a <option>-m</option> option for
      multisession mode (the default behavior now is to close disks as
      single-session).  A <option>-l</option> option to take a list of
      image files from a filename was also added;
      <filename>-</filename> can be used as a filename for
      <literal>stdin</literal>. &merged;</para>

    <para>&man.burncd.8; now supports Disk At Once (DAO) mode,
      selectable via the <option>-d</option> flag.</para>

    <para>&man.burncd.8; now has the ability to write VCDs/SVCDs.</para>

    <para role="historic">&man.c89.1; has been converted from a shell script to a
      binary executable, fixing some minor bugs. &merged;</para>

    <para>&man.calendar.1; now takes a <option>-W</option> option,
      which operates similar to <option>-A</option> but without
      special treatment at weekends, and a <option>-F</option>option
      to change the notion of <quote>Friday</quote>.</para>

    <para arch="i386,pc98" role="historic">A minimalized version of &man.camcontrol.8; is
      now available on the installation floppy.  This allows it to
      rescan for devices that have been connected after booting, or to
      show the devices attached to SCSI busses (e. g. from within the
      <quote>emergency holographic shell</quote>). &merged;</para>

    <para role="historic">&man.cat.1; now has the ability to read from UNIX-domain
      sockets. &merged;</para>

    <para>&man.catman.1; is now a C program, instead of a
      Perl script.</para>

    <para role="historic">&man.cdcontrol.1; now supports a <literal>cdid</literal>
      command, which calculates and displays the CD serial number,
      using the same algorithm used by the CDDB
      database. &merged;</para>

    <para role="historic">&man.cdcontrol.1; now uses the <envar>CDROM</envar>
      environment variable to pick a default device. &merged;</para>

    <para role="historic">&man.cdcontrol.1; now supports <literal>next</literal> and
      <literal>prev</literal> commands to skip forwards or backwards a
      specified number of tracks while playing an audio
      CD. &merged;</para>

    <para>On ATAPI CDROM drives, &man.cdcontrol.1; now supports a
      <literal>speed</literal> command to set the maximum speed to be
      used by the drive. &merged;</para>

    <para>&man.chflags.1; has moved from <filename>/usr/bin</filename>
      to <filename>/bin</filename>.</para>

    <para role="historic">&man.chio.1; now has the ability to specify elements by
      volume tag instead of by their physical location as well as the
      ability to return an element to its previous
      location. &merged;</para>

    <para>&man.chmod.1; now supports a <option>-h</option> for
      changing the mode of a symbolic link.</para>

    <para role="historic">&man.chown.8; now correctly follows symbolic links named as
      command line arguments if run without
      <option>-R</option>. &merged;</para>

    <para>&man.chown.8; no longer takes <literal>.</literal> as a
      user/group delimeter.  This change was made to support usernames
      containing a <literal>.</literal>.</para>

    <para>Use of the <literal>CSMG_*</literal> macros no longer
      require inclusion of
      <filename>&lt;sys/param.h&gt;</filename></para>

    <para role="historic">&man.col.1; now takes a <option>-p</option> flag to force
      unknown control sequences to be passed through
      unchanged. &merged;</para>

    <para role="historic">The <filename>compat3x</filename> distribution has been
      updated to include libraries present in &os;
      3.5.1-RELEASE. &merged;</para>

    <para>A <filename>compat4x</filename> distribution has been added
      for compatibility with &os; 4-STABLE.</para>

    <para role="historic">&man.config.8; is now better about converting various
      warnings that should have been errors into actual fatal errors
      with an exit code.  This ensures that <literal>make
      buildkernel</literal> doesn't quietly ignore them and build a
      bogus kernel without a human to read the errors. &merged;</para>

    <para role="historic">A number of buffer overflows in &man.config.8; have been
      fixed. &merged;</para>

    <para>A new &man.csplit.1; utility, which splits files based on
      context, has been added.</para>

    <para role="historic">&man.ctags.1; no longer creates a corrupt tags file if the
      source file used <literal>//</literal> (C++-style)
      comments. &merged;</para>

    <para>The &man.daemon.8; program, a command-line interface to
      &man.daemon.3;, has been added.  It detaches itself from its
      controlling terminal and executes a program specified on the
      command line.  This allows the user to run an arbitrary program
      as if it were written to be a daemon.</para>

    <para>&man.devinfo.8;, a simple tool to print the device tree and resource
      usage by devices, has been added.</para>

    <para role="historic">&man.df.1; now takes a <option>-l</option> option to only
      display information about locally-mounted
      filesystems. &merged;</para>

    <para role="historic">&man.disklabel.8; now supports partition sizes expressed in
      kilobytes, megabytes, or gigabytes, in addition to
      sectors. &merged;</para>

    <para>diskpart(8) has been declared obsolete, and has been
      removed.</para>

    <para role="historic">&man.dmesg.8; now has a <option>-a</option> option to show
      the entire message buffer, including &man.syslogd.8; records and
      <filename>/dev/console</filename> output. &merged;</para>

    <para role="historic">&man.du.1; now takes a <option>-I</option> command-line flag
      to ignore/skip files and subdirectories matching a specified
      shell-glob mask. &merged;</para>

    <para role="historic">&man.dump.8; now supports inheritance of the
      <literal>nodump</literal> flag down a hierarchy. &merged;</para>

    <para role="historic">The <option>-T</option> option to &man.dump.8; no longer
      swallows an extra argument. &merged;</para>

    <para role="historic">&man.dump.8; has a new <option>-D</option> option, allowing
      the path to the <filename>/etc/dumpdates</filename> file to be
      changed. &merged;</para>

    <para role="historic">&man.dump.8; now supplies progress information in its
      process title, useful for monitoring automated
      backups. &merged;</para>

    <para>&man.dump.8; now supports a new <option>-S</option> flag to allow
      it to just print out the dump size estimates and exit. &merged;</para>

    <para role="historic">&man.edquota.8; now takes a <option>-f</option> option to
      allow limiting the prototype quota distribution (specified with
      <option>-p</option>) to a single filesystem. &merged;</para>

    <para role="historic"><filename>/etc/rc.firewall</filename> and
      <filename>/etc/rc.firewall6</filename> will no longer add their own
      hardcoded rules in the cases of a rules file in the
      <varname>firewall_type</varname> variable or a non-existent
      firewall type.  (The motivation for this change is to avoid
      acting on assumptions about a site's firewall policies.)  In
      addition, the <literal>closed</literal> firewall type now works
      as documented in the &man.rc.firewall.8; manual page. &merged;</para>

    <para role="historic">The functionality of <filename>/etc/security</filename> has
      been been moved into a set of scripts under the &man.periodic.8;
      framework, to make local customization easier and more
      maintainable.  These scripts now reside in
      <filename>/etc/periodic/security/</filename>. &merged;</para>

    <para>&man.expr.1; is now compliant with the POSIX Utility Syntax
      Guidelines.  Some programs depend on the old, historic behavior
      (the <filename role="package">devel/libtool</filename>
      port/package was/is a notable example).  In these situations,
      the <envar>EXPR_COMPAT</envar> environment variable can be
      defined, which causes &man.expr.1; to behave more like previous
      versions.</para>

    <para>&man.fbtab.5; now accepts glob matching patterns for target
      devices, not just individual devices and directories.</para>

    <para arch="i386">&man.fdisk.8; no longer attempts to search for a
      device if none has been specified on the command line, but
      instead tries to figure out the default device name from the
      root device.</para>

    <para>&man.fdread.1;, a program to read data from floppy disks,
      has been added.  It is a counterpart to &man.fdwrite.1; and is
      designed to provide a means of recovering at least some data
      from bad media, and to obviate for a complex invocation of
      &man.dd.1;.</para>

    <para role="historic">&man.find.1; now takes the <option>-empty</option> flag,
      which returns true if a file or directory is
      empty. &merged;</para>

    <para role="historic">&man.find.1; now takes the <option>-iname</option> and
      <option>-ipath</option> primaries for case-insensitive matches,
      and the <option>-regexp</option> and <option>-iregexp</option>
      primaries for regular-expression matches.  The
      <option>-E</option> flag now enables extended regular
      expressions. &merged;</para>

    <para role="historic">&man.find.1; now has the <option>-anewer</option>,
      <option>-cnewer</option>, <option>-mnewer</option>,
      <option>-okdir</option>, and <option>-newer[acm][acmt]</option>
      primaries for comparisons of file timestamps.  The latter
      primaries can be specified with various units of
      time. &merged;</para>

    <para role="historic">&man.finger.1; now has the ability to support fingering
      aliases, via the &man.finger.conf.5; file. &merged;</para>

    <para>&man.finger.1; now has support for a
      <filename>.pubkey</filename> file. &merged;</para>

    <para>&man.finger.1; now supports a <option>-g</option> flag to
      restrict the printing of GECOS information to the user's full
      name only. &merged;</para>

    <para role="historic">&man.fmt.1; has been rewritten; the rewrite fixes a number
      of bugs compared to its prior behavior. &merged;</para>

    <para role="historic">&man.fmtcheck.3;, a function for checking consistency of
      format string arguments, has been added. &merged;</para>

    <para>&man.fold.1; now supports a <option>-b</option> flag to
      break at byte positions and a <option>-s</option> flag to break at
      word boundaries. &merged;</para>

    <para role="historic">&man.fsdb.8; now supports a <literal>blocks</literal>
      command to list the blocks allocated by a particular
      inode. &merged;</para>

    <para>&man.fsck.8; wrappers have been imported; this feature
      provides infrastructure for &man.fsck.8; to work on different
      types of filesystems (analogous to &man.mount.8;).</para>

    <para>The behavior of &man.fsck.8; when dealing with various
      passes (a la <filename>/etc/fstab</filename>) has been modified
      to accommodate multiple-disk filesystems.</para>

    <para>&man.fsck.8; now has support for foreground
      (<option>-F</option>) and background (<option>-B</option>)
      checks.  Traditionally, &man.fsck.8; is invoked before the
      filesystems are mounted and all checks are done to completion at
      that time.  If background checking is available, &man.fsck.8; is
      invoked twice.  It is first invoked at the traditional time,
      before the filesystems are mounted, with the <option>-F</option>
      flag to do checking on all the filesystems that cannot do
      background checking.  It is then invoked a second time, after
      the system has completed going multiuser, with the
      <option>-B</option> flag to do checking on all the filesystems
      that can do background checking.  Unlike the foreground
      checking, the background checking is started asynchronously so
      that other system activity can proceed even on the filesystems
      that are being checked.  Boot-time enabling of this feature is
      controlled by the
      <varname>background_fsck</varname> option in &man.rc.conf.5;.</para>

    <para role="historic">Shortly after the receipt of a <literal>SIGINFO</literal>
      signal (normally control-T from the controlling tty),
      &man.fsck.ffs.8; will now output a line indicating the current
      phase number and progress information relevant to the current
      phase. &merged;</para>

    <para>&man.fsck.ffs.8; now supports background filesystem checks
      to mounted FFS filesystems with the <option>-B</option> option
      (softupdates must be enabled on these filesystems).  The
      <option>-F</option> flag now determines whether a specified
      filesystem needs foreground checking.</para>

    <para role="historic">A new &man.fsck.msdosfs.8; utility has been added to check
      the consistency of MS-DOS filesystems. &merged;</para>

    <para role="historic">&man.ftpd.8; now supports a <option>-r</option> flag for
      read-only mode and a <option>-E</option> flag to disable
      <literal>EPSV</literal>.  It also has some fixes to reduce
      information leakage and the ability to specify compile-time port
      ranges. &merged;</para>

    <para>&man.ftpd.8; now supports <option>-o</option> and
      <option>-O</option> options to disable the
      <literal>RETR</literal> command; the former for everybody, and
      the latter only for guest users.  Coupled with
      <option>-A</option> and appropriate file permissions, these can
      be used to create a relatively safe anonymous FTP drop box for
      others to upload to.</para>

    <para arch="i386,pc98" role="historic">&man.gdb.1; now supports hardware
      watchpoints (using the kernel's debug register + support that
      has been introduced in &os; 4.0). &merged;</para>

    <para role="historic">The &man.getprogname.3; and &man.setprogname.3; library
      functions have been added to manipulate the name of the current
      program.  They are used by error-reporting routines to produce
      consistent output. &merged;</para>

    <para>gifconfig(8) is obsolete and has been removed.  Its
      functionality is now handled by the <option>tunnel</option> and
      <option>deletetunnel</option> commands of
      &man.ifconfig.8;.</para>

    <para>&man.gprof.1; now has a <option>-K</option> option to enable
      dynamic symbol resolution from the currently-running kernel.
      With this change, properly-compiled KLD modules are now able to
      be profiled.</para>

    <para role="historic">&man.growfs.8;, a utility for growing FFS filesystems, has
      been added.  &man.ffsinfo.8;, a utility for dump all the
      meta-information of an existing filesystem, has also been
      added. &merged;</para>

    <para role="historic">The &man.groups.1; and &man.whoami.1; shell scripts are now
      unnecessary; their functionality has been completely folded into
      &man.id.1;. &merged;</para>

    <para>The ibcs(8), linux(8), osf1(8), and
      svr4(8) scripts, whose sole purpose was to load emulation
      kernel modules, have been removed.  The kernel module system
      will automatically load them as needed to fulfill
      dependencies.</para>

    <para role="historic">&man.indent.1; has gained some new formatting
      options. &merged;</para>

    <para role="historic">&man.ifconfig.8; can set the link-layer address of
      an interface using the <option>link</option> parameter.
      &merged;</para>

    <para role="historic">&man.ifconfig.8; can now accept addresses in slash/CIDR
    notation. &merged;</para>

    <para role="historic">&man.ifconfig.8; now has support for setting parameters for
      IEEE 802.11 wireless network devices.  &man.wi.4; and &man.an.4;
      devices are supported, and partial support is provided for
      &man.awi.4; devices. &merged;</para>

    <para role="historic">&man.ifconfig.8; no longer displays the list of supported
      media by default.  Instead it displays it when the
      <option>-m</option> flag is given. &merged;</para>

    <para role="historic">The syntax of &man.inetd.8;'s support for &man.faithd.8; is
      now compatible with that of other BSDs. &merged;</para>

    <para role="historic">The <literal>ident</literal> protocol support in
      &man.inetd.8; has been cleaned up and updated. &merged;</para>

    <para role="historic">&man.inetd.8; now has the ability to manage UNIX-domain
      sockets. &merged;</para>

    <para>By default, &man.inetd.8; is no longer run by &man.rc.8; at
      boot-time, although &man.sysinstall.8; gives the option of
      enabling it during binary installations.  &man.inetd.8; can also
      be enabled by adding the following line to
      <filename>/etc/rc.conf</filename>:</para>

    <programlisting>inetd_enable="YES"</programlisting>

    <para role="historic">&man.install.1; has a number of new features, including the
      <option>-b</option> and <option>-B</option> options for backing up
      existing target files and the <option>-S</option> option for
      <quote>safe</quote> (atomic copy) operation.  The
      <option>-c</option> (copy) flag is now the default, and the
      <option>-D</option> (debugging) flag has been withdrawn.
      &man.install.1; now issues a warning if <option>-d</option>
      (create directories) and <option>-C</option> (copy changed files
      only) are used together. &merged;</para>

    <para role="historic">IP Filter is now supported by the &man.rc.conf.5; boot-time
      configuration and initialization. &merged;</para>

    <para role="historic">&man.ipfstat.8; now supports the <option>-t</option> option
      to turn on a &man.top.1;-like display. &merged;</para>

    <para role="historic">&man.ipfw.8; will now avoid the display of dynamic firewall
      rules unless the <option>-d</option> flag is passed to it.  The
      <option>-e</option> option lists expired dynamic
      rules. &merged;</para>

    <para role="historic">&man.ipfw.8; has a new feature (<literal>me</literal>) that
      allows for packet matching on interfaces with
      dynamically-changing IP addresses. &merged;</para>

    <para role="historic">&man.ipfw.8; has a new <literal>limit</literal> type of
      firewall rule, which limits the number of sessions between
      address pairs. &merged;</para>

    <para>&man.ipfw.8; filter rules can now match on the value of the
      IPv4 precedence field.</para>

    <para role="historic">&man.ip6fw.8; now has the ability to use a preprocessor and
      use the <option>-q</option> (quiet) flag when reading from a
      file. &merged;</para>

    <para role="historic">&man.ispppcontrol.8; has been deleted, and its functionality
      has been folded into &man.spppcontrol.8;. &merged;</para>

    <para role="historic">&man.k5su.8; is no longer installed SUID
      <username>root</username> by default.  Users requiring this
      feature can either manually change the permissions on the
      &man.k5su.8; executable or add
      <literal>ENABLE_SUID_K5SU=yes</literal> to
      <filename>/etc/make.conf</filename> before a source
      upgrade. &merged;</para>

    <para>&man.kbdmap.1; and &man.vidfont.1; have been converted from
      Perl to C.</para>

    <para role="historic">&man.kenv.1;, a command to dump the kernel environment, has
      been added. &merged;</para>

    <para>&man.kenv.1; now has the ability to set or delete kernel
      environment variables.</para>

    <para role="historic">&man.keyinfo.1; is now a C program, rather than a Perl
      script. &merged;</para>

    <para>The kget(8) utility has been removed (it was only
      useful for UserConfig, which is not present in &os;
      &release.current;).</para>

    <para role="historic">&man.killall.1; is now a C program, rather than a Perl
      script.  As a result, its <option>-m</option> option now uses
      the regular expression syntax of &man.regex.3;, rather than that
      of Perl. &merged;</para>

    <para>&man.killall.1; no longer tries to kill zombie processes
      unless the <option>-z</option> flag is specified.</para>

    <para role="historic">The &man.kldconfig.8; utility has been added to make it
      easier to manipulate the kernel module search
      path. &merged;</para>

    <para>ktrdump, a utility to dump the ktr trace buffer from
      userland, has been added.</para>

    <para role="historic">&man.last.1; now implements a <option>-d</option> that
      provides a <quote>snapshot</quote> of who was logged in at a
      particular date and time. &merged;</para>

    <para role="historic">&man.last.1; now supports a <option>-y</option> flag, which
      causes the year to be included in the session start time. &merged;</para>

    <para role="historic">The &man.lastlogin.8; utility, which prints the last login
      time of each user, has been imported from
      NetBSD. &merged;</para>

    <para role="historic">&man.ldconfig.8; now checks directory ownerships and
      permissions for greater security; these checks can be disabled
      with the <option>-i</option> flag. &merged;</para>

    <para role="historic">&man.ldd.1; can now be used on shared libraries, in addition
      to executables. &merged;</para>

    <para>&man.ldd.1; now supports a <option>-a</option> flag to list
      all the objects that are needed by each loaded object.</para>

    <para><filename>libc</filename> is now thread-safe by default;
      <filename>libc_r</filename> contains only thread
      functions.</para>

    <para role="historic"><filename>libcrypt</filename> and
      <filename>libdescrypt</filename> have been unified to provide a
      configurable password authentication hash library.  Both the md5
      and des hash methods are provided unless the des hash is
      specifically compiled out. &merged;</para>

    <para role="historic"><filename>libcrypt</filename> now has support for Blowfish
      password hashing. &merged;</para>

    <para arch="i386" role="historic"><filename>libdisk</filename> can now do
      install-time configuration of the <filename>boot0</filename>
      boot loader. &merged;</para>

    <para role="historic"><filename>libstand</filename> now has support for
      filesystems containing
      <application>bzip2</application>-compressed
      files. &merged;</para>

    <para><filename>libstand</filename> now has support for
      overwriting the contents of a file on a UFS filesystem (it
      cannot expand or truncate files because the filesystem may be
      dirty or inconsistent).</para>

    <para role="historic"><filename>libstand</filename> now has support for loading
      large kernels and modules split across several physical
      media. &merged;</para>

    <para role="historic">The default TCP port range used by
      <filename>libfetch</filename> for passive FTP retrievals has
      changed; this affects the behavior of &man.fetch.1;, which has
      gained the <option>-U</option> option to restore the old
      behavior. &merged;</para>

    <para role="historic"><filename>libfetch</filename> now has support for an
      authentication callback. &merged;</para>

    <para role="historic"><filename>libfetch</filename> now has support for a
      <envar>HTTP_USER_AGENT</envar> environment
      variable. &merged;</para>

    <para><filename>libgmp</filename> has been superceded by
      <filename>libmp</filename>.

    <para>The functions from <filename>libposix1e</filename> have been
      integrated into <filename>libc</filename>.</para>

    <para role="historic"><filename>libusb</filename> has been renamed as
      <filename>libusbhid</filename>, following NetBSD's naming
      conventions. &merged;</para>

    <para role="historic">&man.ln.1; now takes an <option>-i</option> option to
      request user confirmation before overwriting an existing
      file. &merged;</para>

    <para role="historic">&man.ln.1; now takes a <option>-h</option> flag to avoid
      following a target that is a link, with a <option>-n</option>
      flag for compatibility with other
      implementations. &merged;</para>

    <para role="historic">&man.logger.1; can now send messages directly to a remote
      syslog. &merged;</para>

    <para role="historic">&man.login.1; now exports environment variables set by
      <application>PAM</application> modules. &merged;</para>

    <para role="historic">&man.lpc.8; has been improved; <command>lpc clean</command>
      is now somewhat safer, and a new <command>lpc tclean</command>
      command has been added to check to see what files would be
      removed by <command>lpc clean</command>. &merged;</para>

    <para role="historic">&man.lpd.8; now takes two new options: <option>-c</option>
      will log all connection errors to &man.syslogd.8;, while
      <option>-W</option> will allow connections from non-reserved
      ports. &merged;</para>

    <para role="historic">&man.lpd.8; now has some support for
      <literal>o</literal>-type print-file actions in its control
      files, which allows printing of PostScript files generated by
      <application>MacOS</application> 10.1. &merged;</para>

    <para role="historic">&man.lpd.8; now recognizes the <option>-s</option> flag as
      the preferred synonym for <option>-p</option> (these flags
      cause &man.lpd.8; not to open a socket for network print
      jobs). &merged;</para>

    <para role="historic">&man.lpd.8; now implements a new <literal>rc</literal>
      printcap option.  When specified in a print queue for a remote
      host, boolean option causes &man.lpd.8; to resend the data file
      for each copy the user requested via <command>lpr
      -#<replaceable>n</replaceable></command>. &merged;</para>

    <para role="historic">Catching up with most other network utilities in the base
      system, &man.lpr.1;, &man.lpd.8;, &man.syslogd.8;, and
      &man.logger.1; are now all IPv6-capable. &merged;</para>

    <para role="historic"><command>lprm -</command> now works for remote printer
      queues. &merged;</para>

    <para role="historic">&man.ls.1; can produce colorized listings with the
      <option>-G</option> flag (and appropriate terminal support).
      The <envar>CLICOLOR</envar> environment variable can be set to
      enable colorized listings by default. &merged;</para>

    <para role="historic">&man.ls.1; now accepts a <option>-h</option> flag, which
      when combined with the <option>-l</option> flag, causes file
      sizes to be printed with unit suffixes, such that the number of
      digits printed is fewer than four. &merged;</para>

    <para>The &man.ls.1; program now supports a <option>-m</option>
      flag to list files across a page, a <option>-p</option> flag to
      force printing of a <literal>/</literal> after directories, and
      a <option>-x</option> flag to sort filenames across a
      page.</para>

    <para role="historic">&man.m4.1; now accepts a <option>-s</option> flag to cause
      it to emit <literal>#line</literal> directives for use by
      &man.cpp.1;. &merged;</para>

    <para role="historic">&man.mail.1; now takes a <option>-E</option> flag to avoid
      sending messages with empty bodies. &merged;</para>

    <para role="historic">&man.make.1; has gained the <literal>:C///</literal>
      (regular expression substitution), <literal>:L</literal>
      (lowercase), and <literal>:U</literal> (uppercase) variable
      modifiers.  These were added to reduce the differences between
      the &os; and OpenBSD/NetBSD &man.make.1; programs.
      &merged;</para>

    <para role="historic">Bugs in &man.make.1;, among which include broken null suffix
      behavior, bad assumptions about current directory permissions,
      and potential buffer overflows, have been fixed. &merged;</para>

    <para role="historic">The new <varname>CPUTYPE</varname>
      <filename>make.conf</filename> variable controls the compilation
      of processor-specific optimizations in various pieces of code
      such as <application>OpenSSL</application>. &merged;</para>

    <para role="historic">The &os; <filename>Makefile</filename> infrastructure now
      supports the <varname>WARNS</varname> directive from NetBSD.
      This directive controls the addition of compiler warning flags
      to <varname>CFLAGS</varname> in a relatively compiler-neutral
      manner. &merged;</para>

    <para>&man.makewhatis.1; is now a C program, instead of a
      Perl script.</para>

    <para>&man.man.1; is no longer installed SUID
      <username>man</username>, in order to reduce vulnerabilities
      associated with generating <quote>catpages</quote> (preformatted
      manual pages cached for repeated viewing).  As a result,
      &man.man.1; can no longer create system catpages on a regular
      user's behalf.  It is still able to do so if the user has write
      permissions to the directory holding catpages (e.g. a user's own
      manpages) or if the running user is
      <username>root</username>.</para>

    <para>The &man.mdmfs.8; command has been added; it is a wrapper
      around &man.mdconfig.8;, &man.disklabel.8;, &man.newfs.8;, and
      &man.mount.8; that mimics the command line option set of the
      deprecated &man.mount.mfs.8;.</para>

    <para role="historic">&man.mergemaster.8; now sources an
      <filename>/etc/mergemaster.rc</filename> file and also prompts
      the user to run recommended commands (such as
      <command>newaliases</command>) as needed. &merged;</para>

    <para role="historic">&man.mergemaster.8; now supports two new flags.
      The <option>-p</option> flag enables a
      <quote>pre-<literal>buildworld</literal></quote> mode to files
      known to be essential to the success of the
      <literal>buildworld</literal> and
      <literal>installworld</literal> system updating steps.  The
      <option>-C</option> flag, used after a successful
      &man.mergemaster.8; run, compares options in
      <filename>/etc/rc.conf</filename> to the default options in
      <filename>/etc/defaults/rc.conf</filename>. &merged;</para>

    <para role="historic">mk_cmds(1) and the associated
      <filename>libss</filename> have been removed; they have been
      unused for quite some time. &merged;</para>

    <para>&man.mountd.8; and &man.nfsd.8; have moved from
      <filename>/sbin</filename> to <filename>/usr/sbin</filename>.</para>

    <para role="historic">&man.moused.8; now takes a <option>-a</option> option to
      control mouse acceleration. &merged;</para>

    <para role="historic">&man.mtree.8; now includes support for a file that lists
      pathnames to be excluded when creating and verifying prototypes.
      This makes it easier to use &man.mtree.8; as a part of an
      intrusion-detection system. &merged;</para>

    <para>&man.mv.1; now takes a (nonstandard) <option>-n</option> to
      automatically answer <quote>no</quote> when it would ask to
      overwrite a file.</para>

    <para role="historic">&man.natd.8; now supports a
      <option>-log_ipfw_denied</option> option to log packets that
      cannot be re-injected because they are blocked by &man.ipfw.8;
      rules. &merged;</para>

    <para role="historic">The <quote>in use</quote> percentage metric displayed by
      &man.netstat.1; now really reflects the percentage of network
      mbufs used. &merged;</para>

    <para role="historic">&man.netstat.1; now has a <option>-W</option> flag that
      tells it not to truncate addresses, even if they're too long for
      the column they're printed in. &merged;</para>

    <para role="historic">&man.netstat.1; now keeps track of input and output packets
      on a per-address basis for each interface. &merged;</para>

    <para role="historic">&man.netstat.1; now has a <option>-z</option> flag to reset
      statistics. &merged;</para>

    <para role="historic">&man.netstat.1; now has a <option>-S</option> flag to print
      address numerically but port names symbolically. &merged;</para>

    <para role="historic">&man.newfs.8; now implements write combining, which can make
      creation of new filesystems up to seven times
      faster. &merged;</para>

    <para role="historic">&man.newfs.8; now takes a <option>-U</option> option to
      enable softupdates on a new filesystem. &merged;</para>

    <para role="historic">The default number of cylinders per group in &man.newfs.8;
      is now computed to be the maximum allowable given the current
      filesystem parameters.  It can be overridden with the
      <option>-c</option> option.  Formerly, the default was fixed at
      16.  This change leads to better &man.fsck.8; performance and
      reduced fragmentation. &merged;</para>

    <para role="historic"><anchor id="newfs-block-frag-sizes">The default block and
      fragment sizes for new filesystems created by &man.newfs.8; are
      now 16384 and 2048 bytes, respectively (the old defaults were
      8192 and 1024 bytes).  This change generally provides increased
      performance, at the expense of some wasted disk
      space. &merged;</para>

    <para>A number of archaic features of &man.newfs.8; have been
      removed; these implement tuning features that are essentially
      useless on modern hard disks.  These features were controlled by
      the <option>-O</option>, <option>-d</option>,
      <option>-k</option>, <option>-l</option>, <option>-n</option>,
      <option>-p</option>, <option>-r</option>, <option>-t</option>,
      and <option>-x</option> flags.</para>

    <para>&man.newfs.8; now supports a <option>-O</option> flag to
      select the creation of UFS1 or UFS2 filesystems.</para>

    <para>The &man.newgrp.1; utility to change to a new group has been
      added.</para>

    <para role="historic">&man.newsyslog.8; now has the ability to compress log files
      using &man.bzip2.1;. &merged;</para>

    <para><application>NFS</application> now works over IPv6.</para>

    <para role="historic">&man.ngctl.8; now supports a <option>write</option> command
      to send a data packet down a given hook. &merged;</para>

    <para>&man.nice.1; now uses the <option>-n</option> option to
      specify the <quote>niceness</quote> of the utility being
      run. &merged;</para>

    <para role="historic">&man.nl.1;, a line numbering filter program, has been
      added. &merged;</para>

    <para><application>nsswitch</application> support has been merged
      from NetBSD.  By creating an &man.nsswitch.conf.5; file, &os;
      can be configured so that various databases such as
      &man.passwd.5; and &man.group.5; can be looked up using flat
      files, NIS, or Hesiod.  The old
      <filename>hosts.conf</filename> file is no longer used.</para>

    <para><application>PAM</application> support has been added for
      account management and sessions.</para>

    <para><application>PAM</application> configuration is now
      specified by files in <filename>/etc/pam.d/</filename>, rather
      than a single <filename>/etc/pam.conf</filename> file.
      <filename>/etc/pam.d/README</filename> has more details.</para>

    <para>A &man.pam.echo.8; echo service module has been added.</para>

    <para>A &man.pam.exec.8; program execution service module has been
      added.</para>

    <para>A &man.pam.ftp.8; module has been added to allow
      authentication of anonymous FTP users.</para>

    <para>A &man.pam.ftpusers.8; module has been added to perform
      checks against the &man.ftpusers.5; file.</para>

    <para>A &man.pam.ksu.8; module has been added to do Kerberos 5
      authentication and <filename>$HOME/.k5login</filename>
      authorization for &man.su.1;.</para>

    <para>A &man.pam.lastlog.8; module has been added to record
      sessions in the &man.utmp.5;, &man.wtmp.5;, and &man.lastlog.5;
      databases.</para>

    <para>A &man.pam.login.access.8; module has been added, to allow
      checking against <filename>/etc/login.access</filename>.</para>

    <para>The &man.pam.nologin.8; module, which can disallow logins
      using &man.nologin.5;, has been added.</para>

    <para>The &man.pam.opie.8; and &man.pam.opieaccess.8; modules have
      been added to control authentication via &man.opie.4;. &merged;</para>

    <para>A &man.pam.passwdqc.8; module has been added, to check the
      quality of passwords submitted during password changes.</para>

    <para>A &man.pam.rhosts.8; module has been added to support
      &man.rhosts.5; authentication.</para>

    <para>The &man.pam.rootok.8; module, which can be used to
      authenticate only the superuser, has been added.</para>

    <para>A &man.pam.securetty.8; module has been added to check the
      <quote>security</quote> of a TTY, as listed in &man.ttys.5;.</para>

    <para>A &man.pam.self.8; module, which allows self-authentication
      of a user, has been added.</para>

    <para role="historic">A &man.pam.ssh.8; module has been added to allow the use of
      SSH passphrases and keypairs for authentication.  This module
      also handles session management by invoking
      &man.ssh-agent.1;. &merged;</para>

    <para>A &man.pam.wheel.8; module has been added to permit
      authentication to members of a group, which defaults to
      <groupname>wheel</groupname>.</para>

    <para role="historic">&man.passwd.1; and &man.pw.8; now select the password hash
      algorithm at run time.  See the <literal>passwd_format</literal>
      attribute in
      <filename>/etc/login.conf</filename>. &merged;</para>

    <para role="historic">&man.patch.1; now accepts a <option>-i</option> command-line
      flag to read a patch from a file, rather than standard
      input. &merged;</para>

    <para>The &man.pathchk.1; utility, which checks pathnames for
      validity or portability between POSIX systems, has been
      added.</para>

    <para role="historic">&man.pax.1; has received a number of enhancements, including
      &man.cpio.1; functionality, &man.tar.1; compatibility
      enhancements, <option>-z</option> and <option>-Z</option> flags
      for &man.gzip.1; and &man.compress.1; functionality, and a
      number of bug fixes. &merged;</para>

    <para role="historic">&man.pciconf.8; now supports a <option>-v</option> option to
      display the vendor/device information of configured devices, in
      conjunction with the <option>-l</option> option.  The default
      vendor/device database can be found at
      <filename>/usr/share/misc/pci_vendors</filename>. &merged;</para>

    <para role="historic">The behavior of &man.periodic.8; is now controlled by
      <filename>/etc/defaults/periodic.conf</filename> and
      <filename>/etc/periodic.conf</filename>. &merged;</para>

    <para role="historic">&man.ping.8; now supports a <option>-m</option> option to
      set the TTL of outgoing packets. &merged;</para>

    <para role="historic">&man.ping.8; now supports a <option>-A</option> option to
      beep when packets are lost. &merged;</para>

    <para role="historic">Userland &man.ppp.8; has received a number of updates and
      bug fixes. &merged;</para>

    <para role="historic">&man.ppp.8; has gained the <literal>tcpmssfixup</literal>
      option, which adjusts outgoing and incoming TCP SYN packets so
      that the maximum receive segment size is no larger than allowed
      by the interface MTU. &merged;</para>

    <para role="historic">&man.ppp.8; now supports IPv6. &merged;</para>

    <para role="historic">&man.pppd.8; (the control program for kernel-level PPP) is
      now installed mode <literal>4550</literal> and
      <username>root</username><literal>:</literal><groupname>dialer</groupname>,
      rather than mode <literal>4555</literal> (in other words, it is
      no longer world-executable).  Users of &man.pppd.8; may need to
      change their group settings. &merged;</para>

    <para role="historic">&man.pr.1; now supports the <option>-f</option> and
      <option>-p</option> flags to pause output going to a
      terminal. &merged;</para>

    <para>prefix(8) is obsolete and has been removed.  Its
      functionality is provided by the <option>eui64</option> command
      to &man.ifconfig.8;.</para>

    <para role="historic">The <option>-W</option> option to &man.ps.1; (to extract
      information from a specified swap device) has been useless for
      some time; it has been removed. &merged;</para>

    <para>The &man.pselect.3; library function (introduced by POSIX.1
      as a slightly stronger version of &man.select.2;) has been
      added.</para>

    <para role="historic">&man.pwd.1; can now double as &man.realpath.1;, a program to
      resolve pathnames to their underlying physical
      paths. &merged;</para>

    <para>&man.pwd.1; now supports the <option>-L</option> flag to
      print the logical current working directory. &merged;</para>

    <para>The pseudo-random number generator implemented by
      &man.rand.3; has been improved to provide less biased
      results.</para>

    <para role="historic">&man.rc.8; now has an framework for handling dependencies
      between &man.rc.conf.5; variables. &merged;</para>

    <para role="historic">&man.rc.8; now deletes all non-directory files in
      <filename>/var/run</filename> and
      <filename>/var/spool/lock</filename> at boot
      time. &merged;</para>

    <para>&man.rcmd.3; now supports the use of the
      <envar>RSH</envar> environment variable to specify a program to
      use other than &man.rsh.1; for remote execution.  As a result,
      programs such as &man.dump.8;, can use &man.ssh.1; for remote
      transport.</para>

    <para>&man.rdist.1; has been retired from the base system, but is
      still available from &os; Ports Collection as
      <filename role="package">net/44bsd-rdist</filename>.</para>

    <para role="historic">&man.reboot.8; now takes a <option>-k</option> to specify
      the next kernel to boot. &merged;</para>

    <para>The &man.renice.8; command implements a <option>-n</option>
      option, which specifies an increment to be applied to the
      priority of a process. &merged;</para>

    <para role="historic">The &man.resolver.3; in &os; now implements EDNS0 support,
      which will be necessary when working with IPv6 transport-ready
      resolvers/DNS servers. &merged;</para>

    <para role="historic">The &man.rfork.thread.3; library call has been added as a
      helper function to &man.rfork.2;.  Using this function should
      avoid the need to implement complex stack swap
      code. &merged;</para>

    <para>The <option>-v</option> option to &man.rm.1; now displays
      the entire pathname of a file being removed.</para>

    <para role="historic">&man.route.8; is now more verbose when changing indirect
      routes, in the case of a gateway route that is the same route as
      the one being modified. &merged;</para>

    <para role="historic">&man.route.8; now uses
      <literal><replaceable>host</replaceable>/<replaceable>bits</replaceable></literal>
      syntax instead of
      <literal><replaceable>net</replaceable>/<replaceable>bits</replaceable></literal>
      syntax, for compatibility with &man.netstat.1;. &merged;</para>

    <para role="historic">&man.route.8; can now create <quote>proxy only</quote>
      published ARP entries. &merged;</para>

    <para role="historic">The &man.route.8; <option>add</option> command now supports
      the <option>-ifp</option> and <option>-ifa</option>
      modifiers. &merged;</para>

    <para>&man.rpcbind.8; has replaced &man.portmap.8;.</para>

    <para>&man.rpcgen.1; now uses <filename>/usr/bin/cpp</filename>
      (as on NetBSD), not
      <filename>/usr/libexec/cpp</filename>.</para>

    <para>&man.rpc.lockd.8; has been imported from NetBSD.  This
      daemon provides support for servicing client NFS locks.</para>

    <para role="historic">The performance of the ELF dynamic linker &man.rtld.1; has
      been improved. &merged;</para>

    <para role="historic">RSA Security has waived all patent rights to the
      <application>RSA</application> algorithm.  As a result, the
      native <application>OpenSSL</application> implementation of the
      RSA algorithm is now activated by default, and the <filename
      role="package">security/rsaref</filename> port and the
      <filename>librsaUSA</filename> and
      <filename>librsaINTL</filename> libraries are no longer required
      for USA and non-USA residents respectively. &merged;</para>

    <para>&man.rtld.1; will now print the names of all objects that
      cause each object to be loaded, if the
      <varname>LD_TRACE_LOADED_OBJECTS_ALL</varname> environment
      variable is defined.</para>

    <para role="historic">&man.savecore.8; now supports a <option>-k</option> option
      to prevent clearing a crash dump after saving it.  It also
      attempts to avoid writing large stretches of zeros to crash dump
      files to save space and time. &merged;</para>

    <para role="historic">&man.savecore.8; now works correctly on machines with 2 GB
      or more of RAM. &merged;</para>

    <para role="historic">&man.sed.1; now takes a <option>-E</option> option for
      extended regular expression support. &merged;</para>

    <para>&man.sed.1; now takes a <option>-i</option> option to enable
      in-place editing of files. &merged;</para>

    <para role="historic">&man.send-pr.1; now takes a <option>-a</option> option to
      include a file into the <literal>Fix:</literal> section of a
      problem report. &merged;</para>

    <para>The &man.setfacl.1; and &man.getfacl.1; commands have been
      added to manage filesystem Access Control Lists.</para>

    <para role="historic">&man.setproctitle.3; has been moved from
      <filename>libutil</filename> to
      <filename>libc</filename>. &merged;</para>

    <para role="historic">&man.sh.1; now implements <command>test</command> as a
      built-in command for improved efficiency. &merged;</para>

    <para>&man.sh.1; no longer implements <command>printf</command> as
      a built-in command because it was considered less valuable
      compared to the other built-in commands (this functionality is,
      of course, still available through the &man.printf.1;
      executable).</para>

    <para>&man.sh.1; now supports a <option>-C</option> option to
      prevent existing regular files from being overwritten by output
      redirection, and a <option>-u</option> to give an error if an
      unset variable is expanded.</para>

    <para role="historic">&man.sockstat.1; now has <option>-c</option> and
      <option>-l</option> flags for listing connected and listening
      sockets, respectively. &merged;</para>

    <para>&man.spkrtest.8; is now a &man.sh.1; script, rather than a
      Perl script.</para>

    <para role="historic">&man.split.1; now has the ability to split a file longer
      than 2GB. &merged;</para>

    <para>&man.split.1; now supports a <option>-a</option> option to
      specify the number of letters to use for the suffix of split
      files.</para>

    <para>In preparation for meeting SUSv2/POSIX
      <filename>&lt;sys/select.h&gt;</filename> requirements,
      <literal>struct selinfo</literal> and related functions have been
      moved to <filename>&lt;sys/selinfo.h&gt;</filename>.</para>

    <para role="historic">The &man.strnstr.3; and &man.strcasestr.3; variants of
      &man.strstr.3; have been implemented. &merged;</para>

    <para role="historic">&man.stty.1; now has support for an
      <literal>erase2</literal> control character, so that, for
      example, both the <keycap>Delete</keycap> and
      <keycap>Backspace</keycap> keys can be used to erase
      characters. &merged;</para>

    <para>&man.su.1; now uses <application>PAM</application> for
      authentication.</para>

    <para role="historic">Boot-time &man.syscons.4; configuration was moved to a
      machine-independent
      <filename>/etc/rc.syscons</filename>. &merged;</para>

    <para role="historic">&man.sysctl.8; now supports a <option>-N</option> option to
      print out variable names only. &merged;</para>

    <para role="historic">&man.sysctl.8; has replaced the <option>-A</option> and
      <option>-X</option> options with <option>-ao</option> and
      <option>-ax</option> respectively; the former options are now
      deprecated.  The <option>-w</option> option is deprecated as
      well; it is not needed to determine the user's
      intentions. &merged;</para>

    <para role="historic">&man.sysctl.8; now supports a <option>-e</option> option to
      separate variable names and values by <literal>=</literal>
      rather than <literal>:</literal>.  This feature is useful for
      producing output that can be fed back to
      &man.sysctl.8;. &merged;</para>

    <para>&man.sysctl.8; now accepts a <option>-d</option> flag to print
      the descriptions of variables.</para>

    <para role="historic">&man.sysinstall.8; now properly preserves
      <filename>/etc/mail</filename> during a binary
      upgrade. &merged;</para>

    <para role="historic">&man.sysinstall.8; now uses some more intuitive defaults
      thanks to some new dialog support functions. &merged;</para>

    <para>The default root partition in &man.sysinstall.8; is now
      100MB on the i386 and pc98, 120MB on the Alpha.</para>

    <para>&man.sysinstall.8; now lives in
      <filename>/usr/sbin</filename>, which simplifies the
      installation process.  The &man.sysinstall.8; manpage is also
      installed in a more consistent fashion now.</para>

    <para role="historic">&man.sysinstall.8; now has the ability to load KLDs as a
      part of the installation. &merged;</para>

    <para role="historic">When run from the installation media, &man.sysinstall.8;
      will automatically load any device drivers found in the
      <filename>/stand/modules</filename> directory of the
      <literal>mfsroot</literal> floppy or filesystem image.  Note
      that any drivers so loaded will not appear in the kernel's boot
      messages; the &man.sysinstall.8; debugging screen will provide
      additional information. &merged;</para>

    <para role="historic">&man.sysinstall.8; now enables Soft Updates by default on
      all filesystems it creates, except for the root
      filesystem. &merged;</para>

    <para role="historic">&man.sysinstall.8; has received updates for its
      <quote>auto</quote> partitioning mode which provide more
      reasonable defaults for the sizes of partitions that are
      created; auto-sized partitions can now also recover the space
      that becomes available when other partitions are
      deleted. &merged;</para>

    <para>&man.sysinstall.8; no longer mounts the &man.procfs.5;
      filesystem by default on new installs.</para>

    <para role="historic">&man.sysinstall.8; now has rudimentary support for
      retrieving packages from the correct volume of a multiple-volume
      installation (such as a multi-CD distribution). &merged;</para>

    <para role="historic">&man.syslogd.8; can take a <option>-n</option> option to
      disable DNS queries for every request. &merged;</para>

    <para role="historic">&man.syslogd.8; now supports a
      <literal>LOG_CONSOLE</literal> facility (disabled by default),
      which can be used to log <filename>/dev/console</filename>
      output. &merged;</para>

    <para role="historic">&man.syslogd.8; now has the ability to bind to a specific
      address (as opposed to using every available one) via the
      <option>-b</option> option. &merged;</para>

    <para role="historic">&man.syslogd.8; now accepts a <option>-c</option> flag to
      disable repeated line compression. &merged;</para>

    <para>&man.tabs.1;, a utility to set terminal tab stops, has been
      added.</para>

    <para role="historic">&man.tail.1; now has the ability to work on files longer
      than 2GB. &merged;</para>

    <para role="historic">&man.tar.1; now supports the <varname>TAR_RSH</varname>
      variable, principally to enable the use of &man.ssh.1; as a
      transport. &merged;</para>

    <para role="historic">&man.telnet.1; now does autologin and encryption by default;
      a new <option>-y</option> option turns off encryption. &merged;</para>

    <para role="historic">&man.telnet.1; now supports a <option>-u</option> flag to
      allow connections to UNIX-domain (<literal>AF_UNIX</literal>)
      sockets. &merged;</para>

    <para role="historic">&man.tftp.1; and &man.tftpd.8; now support IPv6. &merged;</para>

    <para role="historic">&man.tftpd.8; now takes the <option>-c</option> and
      <option>-C</option> options, which allow the server to
      &man.chroot.2; based on the IP address of the connecting client.
      &man.tftp.1; and &man.tftpd.8; can now transfer files larger
      than 65535 blocks. &merged;</para>

    <para>&man.tftpd.8; now supports RFC 2349 (TFTP Timeout Interval
      and Transfer Size Options); this feature is required by some
      firmware like EFI boot managers (at least on HP i2000 Itanium
      servers) in order to boot an image using
      <application>TFTP</application>.</para>

    <para arch="alpha">&man.timed.8; now works on the alpha.</para>

    <para>A version of Transport Independent RPC
      (<application>TI-RPC</application>) has been imported.</para>

    <para role="historic">&man.tmpnam.3; will now use the <envar>TMPDIR</envar>
      environment variable, if set, to specify the location of
      temporary files. &merged;</para>

    <para>&man.tip.1; has been updated from
      <application>OpenBSD</application>, and has the ability to act
      as a &man.cu.1; substitute.</para>

    <para>&man.top.1; will now use the full width of its tty.</para>

    <para>&man.touch.1; now takes a <option>-h</option> option to
      operate on a symbolic link, rather than what the link points
      to.</para>

    <para role="historic">The &man.truncate.1; utility, which truncates or extends the
      length of files, has been added. &merged;</para>

    <para role="historic">Ukrainian language support has been added to the &os;
      console. &merged;</para>

    <para><application>UUCP</application> has been removed from the
      base system.  It can be found in the Ports Collection, in
      <filename role="package">net/freebsd-uucp</filename>.</para>

    <para>&man.unexpand.1; now supports a <option>-t</option> to
      specify tabstabs analogous to &man.expand.1;. &merged;</para>

    <para role="historic">&man.units.1; has received some updates and
      bugfixes. &merged;</para>

    <para>&man.usbdevs.8; now supports a <option>-d</option> flag to
      show the device driver associated with each device.</para>

    <para role="historic">The &man.usbhidctl.1; utility has been added to manipulate
      USB Human Interface Devices. &merged;</para>

    <para role="historic">&man.uuencode.1; and &man.uudecode.1; now accept a <option>-o</option> option to
      set their output files.  &man.uuencode.1; can now be made to do base64 encoding
      when given the <option>-m</option> flag, while &man.uudecode.1;
      can now automatically decode base64 files. &merged;</para>

    <para>The base64 capabilities of &man.uuencode.1; and
      &man.uudecode.1; can now be automatically enabled by invoking
      these utilities as &man.b64encode.1; and &man.b64decode.1;
      respectively.</para>

    <para>The &man.uuidgen.1; utility has been added.  It uses the new
      &man.uuidgen.2; system call to generate one or more Universally
      Unique Identifiers compatible with OSF/DCE 1.1 version 1
      UUIDs.</para>

    <para role="historic">&man.vidcontrol.1; now accepts a <option>-g</option>
      parameter to select custom text geometry in the
      <literal>VESA_800x600</literal> raster text mode. &merged;</para>

    <para role="historic">&man.vidcontrol.1; now allows the user to omit the font size
      specification when loading a font, and has some better
      error-handling. &merged;</para>

    <para role="historic">&man.vidcontrol.1; now supports a <option>-p</option> option
      to take a snapshot of a &man.syscons.4; video buffer.  These
      snapshots can be manipulated by the
      <filename role="package">graphics/scr2png</filename> utility in
      the Ports Collection. &merged;</para>

    <para role="historic">&man.vidcontrol.1; now supports a <option>-C</option> option
      to clear the history buffer for a given tty, as well as a
      <option>-h</option> option to set the size of the history
      buffer. &merged;</para>

    <para>&man.vidcontrol.1; now accepts a <option>-S</option> to
      allow the user to disable VTY switching.</para>

    <para>The default stripe size in &man.vinum.8; has been changed
      from 256KB to 279KB, to spread out superblocks more evenly
      between stripes.</para>

    <para role="historic">&man.wall.1; now supports a <option>-g</option> flag to
      write a message to all users of a given group. &merged;</para>

    <para role="historic">&man.watch.8; now takes a <option>-f</option> option to
      specify a &man.snp.4; device to use. &merged;</para>

    <para>&man.wc.1; now supports a <option>-m</option> flag to
      count characters, rather than bytes.</para>

    <para>&man.which.1; is now a C program, rather than a Perl
      script.</para>

    <para>&man.who.1; now has a number of new options:
      <option>-H</option> shows column headings; <option>-T</option>
      shows &man.mesg.1; state; <option>-m</option> is an equivalent
      to <option>am i</option>; <option>-u</option> shows idle time;
      <option>-q</option> to list names in columns.</para>

    <para role="historic">&man.whois.1; now directs queries for IP addresses to ARIN.
      If a query to ARIN references APNIC or RIPE, the appropriate
      server will also be queried, provided that the
      <option>-Q</option> option is not specified. &merged;</para>

    <para role="historic">&man.whois.1; supports a <option>-c</option> option to
      specify a country code to help direct queries towards a
      particular whois server. &merged;</para>

    <para>&man.xargs.1; now supports a <option>-I</option>
      <replaceable>replstr</replaceable> option that allows the user
      to tell &man.xargs.1; to insert the data read from standard
      input at specific points in the command line arguments rather
      than at the end.  (A &os;-specific <option>-J</option> option is
      similar, but is now deprecated in favor of the more portable
      <option>-I</option> option.) &merged;</para>

    <para>&man.xargs.1; now supports a <option>-L</option> option to
      force its utility argument to be called after some number of
      lines. &merged;</para>

    <para role="historic">The compiler chain now uses the FSF-supplied C/C++ runtime
      initialization code.  This change brings about better
      compatibility with code generated from the various egcs and gcc
      ports, as well as the stock public FSF source. &merged;</para>

    <para role="historic">The threads library has gained some signal handling changes,
      bug fixes, and performance enhancements (including zero system
      call thread switching).  &man.gdb.1; thread support has been
      updated to match these changes. &merged;</para>

    <para role="historic">Significant additions have been made to internationalization
      support; &os; now has complete locale support for the
      <literal>LC_MONETARY</literal>, <literal>LC_NUMERIC</literal>,
      and <literal>LC_MESSAGES</literal> categories.  A number of
      applications have been updated to take advantage of this
      support. &merged;</para>

    <para role="historic">Locale names have been changed to improve compatibility with
      the names used by X11R6, as well as a number of other UNIX
      versions.  As an example, the
      <literal>en_US.ISO_8859-1</literal> locale name has been changed
      to
      <literal>en_US.ISO8859-1</literal>.  Entries in
      <filename>/etc/locale.alias</filename> provide backward
      compatibility. &merged;</para>

    <para role="historic"><filename>/usr/src/share/examples/BSD_daemon/</filename> now
      contains a scalable Beastie graphic. &merged;</para>

    <para role="historic">As part of an ongoing process, many manual pages were
      improved, both in terms of their formatting markup and in their
      content. &merged;</para>

    <para>A number of utilities and libraries were enhanced to improve
      their conformance with the Single UNIX Specification (SUSv3) and
      IEEE Std 1003.1-2001 (<quote>POSIX.1</quote>).  Specific
      features added have been listed in the release notes for each
      utility.  The standards conformance of each utility or library
      function is generally listed in its manual page.</para>

    <sect3>
      <title>Contributed Software</title>

      <para><application>am-utils</application> has been updated to
        6.0.7.</para>

      <para>A 10 February 2002 snapshot of <application>awk</application> from Bell Labs (variously
        known as <quote>BWK awk</quote> or <quote>The One True
        AWK</quote>) has been imported.  It is available as
        <command>awk</command> or
        <command>nawk</command>.</para>

      <para role="historic"><application>bc</application> has been updated from 1.04 to
        1.06. &merged;</para>

      <para role="historic">The ISC library from the <application>BIND</application>
        distribution is now built as
      <filename>libisc</filename>. &merged;</para>

      <para role="historic"><application>BIND</application> is now built with the
        <literal>NOADDITIONAL</literal> flag, which causes
        &man.named.8; to operate in a more consistent fashion for
        certain common misconfigurations. &merged;</para>

      <para><application>BIND</application> has been updated to
        8.3.3. &merged;</para>

      <para><application>Binutils</application> has been updated to
        2.12.1 (specifically, a post-release snapshot from 22 June 2002).</para>

      <para role="historic"><application>bzip2</application> 1.0.2 has been imported;
        this brings the &man.bzip2.1; program and the
        <filename>libbz2</filename> library to the base
        system. &merged;</para>

      <para role="historic">The &man.ee.1; <application>Easy Editor</application> has
        been updated to 1.4.2. &merged;</para>

      <para><application>file</application> has been updated to
        3.37.</para>

      <para><application>gcc</application> has been updated to
        a snapshot of <application>gcc</application> 3.1.
        <warning>
          <para>The integration of <application>gcc</application> is
            very new.  Some applications and programs in the base
            system require fixes or compiler flags to build
            correctly.  Work to address these problems is ongoing.</para>
        </warning>
        </para>

      <para role="historic">&man.gcc.1; now uses a unified <filename>libgcc</filename>
        rather than a separate one for threaded and non-threaded
        programs.  <filename>/usr/lib/libgcc_r.a</filename> can be
        removed. &merged;</para>

      <para role="historic">&man.gcc.1; now supports the environment variable
        <envar>GCC_OPTIONS</envar>, which can hold a set of default
        options for <application>GCC</application>. &merged;</para>

      <para><application>gdb</application> has been updated to a
        snapshot of <application>gdb</application> 5.2 from 27 June
        2002.</para>

      <para role="historic"><application>GNATS</application> has been updated to
        3.113. &merged;</para>

      <para><application>gperf</application> has been updated to
        2.7.2.</para>

      <para role="historic"><application>groff</application> and its related utilities
        have been updated to FSF version 1.17.2.  This import brings
        in a new &man.mdoc.7; macro package (sometimes referred to as
        <literal>mdocNG</literal>), which removes many of the
        limitations of its predecessor. &merged;</para>

      <para role="historic"><application>Heimdal Kerberos</application> has been updated to
        0.4e. &merged;</para>

      <para role="historic">The version of <application>IPFilter</application>
        provided with &os; now includes the &man.ipfs.8; program,
        which allows state information created for NAT entries and
        stateful rules to be saved to disk and restored after a
        reboot.  Boot-time configuration of these features is
        supported by &man.rc.conf.5;. &merged;</para>

      <para role="historic">The <application>ISC DHCP</application> client has been
        updated to 3.0.1RC8. &merged;</para>

      <para role="historic"><application>Kerberos IV</application> has been updated to
        1.0.5. &merged;</para>

      <para>The &man.more.1; command has been replaced by
        &man.less.1;, although it can still be run as
        <command>more</command>. &merged; Version 371 of
      <application>less</application> has been imported.</para>

      <para><application>libpcap</application> has been updated to
        0.7.1. &merged;</para>

      <para><application>libreadline</application> has been updated to
        4.2.</para>

      <para><application>libz</application> has been updated to
        1.1.4.</para>

      <para><application>lint</application> has been updated to
        snapshot of NetBSD &man.lint.1; as of 3 March 2002.</para>

      <para><application>lukemftp</application> 1.6 beta 2 (the FTP client from
        NetBSD) has replaced the &os; &man.ftp.1; program.  Among its
        new features are more automation methods, better standards
        compliance, transfer rate throttling, and a customizable
        command-line prompt.  Some environment variables and
        command-line arguments have changed.</para>

      <para>The FTP daemon from NetBSD, otherwise known as
        <application>lukemftpd</application> 1.2 beta 1, has been imported and is
        available as &man.lukemftpd.8;. &merged;</para>

      <para>&man.m4.1; has been imported from OpenBSD, as of 26 April
        2002.</para>

      <para><application>ncurses</application> has been updated to
        5.2-20020615.</para>

      <para role="historic">The <application>NTP</application> suite of programs has
        been updated to 4.1.0. &merged;</para>

      <para><application>OpenPAM</application>
        (<quote>Citronella</quote> release) has been imported,
        replacing
        <application>Linux-PAM</application>.</para>

      <para>The <application>OPIE</application> one-time-password
        suite has been updated to 2.4.  It has completely
        replaced the functionality of
        <application>S/Key</application>.</para>

      <para><application>Perl</application> has been removed from the
        &os; base system.  It can still be installed from the &os;
        Ports Collection or as a binary package; moving it out of the
        base system will make future upgrades and maintenence easier.
        To reduce the dependence of the base system on
        Perl, many utilities have been
        rewritten as shell scripts or C programs (specific notes are
        made for each affected utility).
        <filename>/usr/bin/perl</filename> is now a
        <quote>wrapper</quote> program, so that programs expecting to
        find a Perl interpreter there will
        be able to function correctly.

          <warning>
            <para>The Perl removal and
              package integration work is ongoing.</para>
          </warning>

        </para>

      <para><application>GNU ptx</application> has been removed from
        the base system.  It is not used anywhere in the base system,
        and has not been recently updated or maintained.  Users
        requiring its functionality can install this utility as a part
        of the <filename role="package">textproc/textutils</filename>
        port.</para>

      <para>The <literal>rc.d</literal> framework from NetBSD has been
        imported.  It breaks down the system startup functionality
        into a number of small, <quote>task-oriented</quote> scripts
        in <filename>/etc/rc.d</filename>, with dynamic-determined
        ordering of startup scripts performed at boot-time.

        <note>
          <para>This feature is currently disabled by default.  It can
            be enabled by setting <literal>rc_ng="YES"</literal> in
            <filename>/etc/rc.conf</filename>.</para>
        </note>

        </para>

      <para role="historic">&man.routed.8; has been updated to version
        2.22. &merged;</para>

      <para arch="i386,pc98">Version 1.4.4 of the
        <application>smbfs</application> userland utilities have been
        imported.</para>

      <para><application>GNU sort</application> has been updated to
        the version from <application>GNU textutils
        2.0.21</application>.</para>

      <para>&man.stat.1; from <application>NetBSD</application>, as of
        5 June 2002 has, been imported.</para>

      <para><application>GNU tar</application> has been updated to
        1.13.25.</para>

      <para><application>tcpdump</application> has been updated to
        3.7.1. &merged;</para>

      <para role="historic">The &man.csh.1; shell has been replaced by &man.tcsh.1;,
        although it can still be run as <command>csh</command>.
        <application>tcsh</application> has been updated to version
        6.11. &merged;</para>

      <para>The contributed version of
        <application>tcp_wrappers</application> now includes the
        &man.tcpd.8; helper daemon.  While not strictly necessary in a
        standard &os; installation (because &man.inetd.8; already
        incorporates this functionality), this may be useful for
        &man.inetd.8; replacements such as
        <application>xinetd</application>.</para>

      <para role="historic"><application>texinfo</application> has been updated to
        4.1. &merged;</para>

      <para><application>top</application> has been updated to version
        3.5b12.</para>

      <para role="historic">&man.traceroute.8; now takes its default maximum TTL value
        from the <varname>net.inet.ip.ttl</varname> sysctl
        variable. &merged;</para>

      <para role="historic">The timezone database has been updated to the
        <filename>tzdata2002c</filename> release. &merged;</para>

      <para>&man.whereis.1;, formerly a Perl script, has been
        rewritten in C.  It now supports a <option>-x</option> flag to
        suppress the run of &man.locate.1;, and a <option>-q</option>
        flag suppresses the leading name of the query.</para>

      <sect4>
        <title>CVS</title>

        <para role="historic"><application>cvs</application> has been updated to
          1.11.1p1. &merged;</para>

        <para role="historic">The default value for &man.cvs.1;'s
          <envar>CVS_RSH</envar> variable is now
          <literal>ssh</literal>, rather than
          <literal>rsh</literal>. &merged;</para>

        <para role="historic">&man.cvs.1; now supports a <option>-T</option> option to
          update a sandbox's <filename>CVS/Template</filename> file
          from the repository. &merged;</para>

        <para role="historic">&man.cvs.1; <literal>diff</literal> now supports the
          <option>-j</option> option to perform differences against a
          revision relative to a branch tag. &merged;</para>
      </sect4>

      <sect4>
        <title>CVSup</title>

        <para role="historic"><application>CVSup</application>, a frequently used
          utility in the &os; Ports Collection, was formerly
          installable using several ports and packages.  The
          <filename role="package">net/cvsup-bin</filename> and
          <filename role="package">net/cvsupd-bin</filename>
          ports/packages are no longer necessary or available; the
          <filename role="package">net/cvsup</filename> port should be
          used instead. &merged;</para>

        <para role="historic"><application>CVSup</application> has been updated to
          16.1_3, which is available in the &os; Ports Collection as
          <filename role="package">net/cvsup</filename>.  This update
          fixes a long-standing (but only recently encountered) bug
          which affects the timestamps on all files after Sun Sep 9
          01:46:40 UTC 2001 (1,000,000,000 seconds after the UNIX
          epoch). &merged;</para>
      </sect4>

      <sect4 id="kame-userland">
        <title>KAME</title>

        <para role="historic">The IPv6 stack is now based on a snapshot based on the
          KAME Project's IPv6 snapshot as of 28 May, 2001.  Most of
          the items listed in this section are a result of this
          import.
          <xref linkend="kame-kernel"> lists kernel updates to the
          KAME IPv6 stack. &merged;</para>

        <para role="historic">&man.faithd.8; now supports a configuration file for
          access control. &merged;</para>

        <para role="historic">&man.ifconfig.8; can now perform the functions of
          gifconfig(8). &merged;</para>

        <para role="historic">&man.ifconfig.8; can now perform the functions of
          prefix(8). &merged;</para>

        <para role="historic">&man.ndp.8; now implements garbage collection for stale
          NDP entries, as described in RFC 2461 (Neighbor Discovery
          for IP Version 6 (IPv6)). &merged;</para>

        <para role="historic">pim6dd(8) and pim6sd(8) have been removed due
          to restrictive licensing conditions.  These programs are
          available in the ports collection as
          <filename role="package">net/pim6dd</filename> and
          <filename role="package">net/pim6sd</filename>. &merged;</para>

        <para role="historic">&man.route6d.8; now supports an <option>-n</option> flag
          to avoid updating the kernel forwarding
          table. &merged;</para>

        <para role="historic">The <option>-R</option> (router renumbering) option to
          &man.rtadvd.8; is currently ignored. &merged;</para>
      </sect4>

      <sect4>
        <title>OpenSSH</title>

        <para role="historic"><application>OpenSSH</application> has been updated to
          2.9, which provides support for the SSH2 protocol (now the
          default) and DSA keys.  &man.ssh-add.1; and
          &man.ssh-agent.1; can now handle DSA keys, with support for
          authentication forwarding.
          <application>OpenSSH</application> users in the USA no
          longer need to rely on the restrictively-licensed RSAREF
          toolkit which is required to handle RSA keys.  Among other
          new features: A client and server for &man.sftp.1; has been added.
          &man.scp.1; can now handle files larger than 2 GBytes.  A
          limit on the number of outstanding, unauthenticated
          connections in &man.sshd.8; has been added.  Support has
          been added for the Rijndael encryption algorithm.  Rekeying
          of existing sessions is now supported, and an experimental
          <application>SOCKS4</application> proxy has been added to
          &man.ssh.1;. &merged;</para>

        <para><application>OpenSSH</application> has been updated to
          version 3.1. &merged; Among the changes:
            <itemizedlist>
              <listitem>
                <para>The <filename>*2</filename> files are obsolete
                  (for example,
                  <filename>~/.ssh/known_hosts</filename> can hold the
                  contents of
                  <filename>~/.ssh/known_hosts2</filename>).</para>
              </listitem>
              <listitem>
                <para>&man.ssh-keygen.1; can import and export keys using
                  the SECSH Public Key File Format, for key exchange
                  with several commercial SSH implementations.</para>
              </listitem>
              <listitem>
                <para>&man.ssh-add.1; now adds all three default keys.</para>
              </listitem>
              <listitem>
                <para>&man.ssh-keygen.1; no longer defaults to a
                  specific key type; one must be specified with the
                  <option>-t</option> option.</para>
              </listitem>
            </itemizedlist>
          </para>

        <para><application>OpenSSH</application> has been updated to
          3.4p1. &merged; The main changes are:
            <itemizedlist>
              <listitem>
                <para>A <quote>privilege separation</quote> feature,
                  which uses unprivileged processes to contain and
                  restrict the effects of future compromises or
                  programming errors.</para>
              </listitem>

              <listitem>
                <para>Several bugfixes, including closure of a
                  security hole that could lead to an integer overflow
                  and undesired privilege escalation.</para>
              </listitem>
            </itemizedlist>
          </para>

        <para role="historic"><application>OpenSSH</application> can now authenticate
          using <application>OPIE</application> passwords. &merged;</para>

        <para role="historic"><application>PAM</application> support for
          <application>OpenSSH</application> has been added. &merged;</para>

        <para role="historic">A long-standing bug in
          <application>OpenSSH</application>, which sometimes resulted
          in a dropped session when an X11-forwarded client was
          closed, was fixed. &merged;</para>

        <para role="historic"><application>Kerberos</application> compatibility has
          been added to
          <application>OpenSSH</application>. &merged;</para>

        <para role="historic"><application>OpenSSH</application> has been modified to
          be more resistant to traffic analysis by requiring that
          <quote>non-echoed</quote> characters are still echoed back
          in a null packet, as well as by padding passwords sent so as
          not to hint at password lengths. &merged;</para>

        <para role="historic">&man.sshd.8; is now enabled by default on new
          installs. &merged;</para>

        <para role="historic">&man.sshd.8; <literal>X11Forwarding</literal> is now
          turned on by default on the server (any risk is to the
          client, where it is already disabled by
          default). &merged;</para>

        <para role="historic">In <filename>/etc/ssh/sshd_config</filename>, the
          <literal>ConnectionsPerPeriod</literal> parameter has been
          deprecated in favor of
          <literal>MaxStartups</literal>. &merged;</para>

        <para role="historic"><application>OpenSSH</application> now has a
          <literal>VersionAddendum</literal> configuration setting for
          &man.sshd.8; to allow changing the part of the
          <application>OpenSSH</application> version string after the
          main version number. &merged;</para>
      </sect4>

      <sect4>
        <title>OpenSSL</title>

        <para><application>OpenSSL</application> has been updated to
          0.9.6c.</para>

        <para role="historic"><application>OpenSSL</application> now has support for
          machine-dependent ASM optimizations, activated by the new
          <varname>MACHINE_CPU</varname> and/or
          <varname>CPUTYPE</varname>
          <filename>make.conf</filename> variables. &merged;</para>
      </sect4>

      <sect4>
        <title>sendmail</title>

        <para><application>sendmail</application> has been updated
          from version 8.9.3 to version 8.12.5.  Important changes
          include: &man.sendmail.8; is no longer installed as a
          set-user-ID <username>root</username> binary (now set-group-ID <groupname>smmsp</groupname>); new
          default file locations (see
          <filename>/usr/src/contrib/sendmail/cf/README</filename>);
          &man.newaliases.1; is limited to <username>root</username>
          and trusted users; STARTTLS encryption; and the MSA port
          (587) is turned on by default.  See
          <filename>/usr/src/contrib/sendmail/RELEASE_NOTES</filename>
          for more information. &merged;</para>

        <para role="historic">&man.mail.local.8; is no longer installed as a
          set-user-ID binary.  If you are using a
          <filename>/etc/mail/sendmail.cf</filename> from the default
          <filename>sendmail.cf</filename> included with &os; any time
          after 3.1.0, you are fine.  If you are using a
          hand-configured <filename>sendmail.cf</filename> and
          <command>mail.local</command> for delivery, check to make sure the
          <literal>F=S</literal> flag is set on the
          <literal>Mlocal</literal> line.  Those with
          <filename>.mc</filename> files who need to add the flag can
          do so by adding the following line to their
          <filename>.mc</filename> file and regenerating the
          <filename>sendmail.cf</filename> file:</para>

        <programlisting role="historic">MODIFY_MAILER_FLAGS(`LOCAL',`+S')dnl</programlisting>

        <para role="historic">Note that <literal>FEATURE(`local_lmtp')</literal> already
          does this. &merged;</para>

        <para role="historic">The default <filename>/etc/mail/sendmail.cf</filename>
          disables the SMTP <literal>EXPN</literal> and
          <literal>VRFY</literal> commands. &merged;</para>

        <para role="historic">&man.vacation.1; has been updated to use the version
          included with <application>sendmail</application>. &merged;</para>

        <para role="historic">The <application>sendmail</application> configuration
          building tools are installed in
          <filename>/usr/share/sendmail/cf/</filename>. &merged;</para>

        <para role="historic">New <filename>make.conf</filename> options:
          <varname>SENDMAIL_MC</varname> and
          <varname>SENDMAIL_ADDITIONAL_MC</varname>.  See
          <filename>/usr/share/examples/etc/make.conf</filename> for more
          information. &merged;</para>

        <para role="historic"><filename>/etc/mail/Makefile</filename> now supports:
          the new <varname>SENDMAIL_MC</varname>
          <filename>make.conf</filename> option; the ability to build
          <filename>.cf</filename> files from
          <filename>.mc</filename> files; generalized map rebuilding;
          rebuilding the aliases file; and the ability to stop, start,
          and restart
          <application>sendmail</application>. &merged;</para>

        <para role="historic">The <username>smmsp</username> and
          <username>mailnull</username> users have been added to
          <filename>/etc/master.passwd</filename>.  In the absence of a
          <literal>confDEF_USER_ID</literal> setting, by default,
          <application>sendmail</application> will use the
          <username>mailnull</username> user for extra security.
          Previously, if the <username>mailnull</username> user did
          not exist, the <username>daemon</username> user was used.
          This change may generate some permissions issues when
          mailing to files or to programs (such as <filename
          role="package">mail/majordomo</filename>).  &merged; The
          previous behavior can be restored by adding the following
          line to a system's
          <filename><replaceable>*</replaceable>.mc</filename>
          configuration file:

          <programlisting>define(`confDEF_USER_ID', `daemon')</programlisting>
        </para>

        <para role="historic">Beginning with the import of
          <application>sendmail</application> 8.12.2, multiple
          <application>sendmail</application> daemons (some required
          to handle outgoing mail) are started by &man.rc.8;, even if
          the <varname>sendmail_enable</varname> variable is set to
          <literal>NO</literal>.  To completely disable
          <application>sendmail</application>,
          <varname>sendmail_enable</varname> must be set to
          <literal>NONE</literal>.  Alternatively, for systems using a
          different MTA, the <varname>mta_start_script</varname> variable can
          be used to point to a different startup script (more details
          can be found in &man.rc.sendmail.8;). &merged;</para>

        <para>By default, &man.rc.8; no longer enables
          <application>sendmail</application> for inbound SMTP
          connections.  Note that &man.sysinstall.8; may override this
          default for a binary installation, based on what security
          profile is selected.  This functionality can also be
          manually enabled by adding the following line to
          <filename>/etc/rc.conf</filename>:</para>

        <programlisting>sendmail_enable="YES"</programlisting>

        <para>The permissions for <application>sendmail</application>
          alias and map databases built via
          <filename>/etc/mail/Makefile</filename> now default to mode
          0640 to protect against a file locking local denial of service.
          It can be changed by setting the new
          <varname>SENDMAIL_MAP_PERMS</varname>
          <filename>make.conf</filename> option. &merged;</para>

        <para>The permissions for the <application>sendmail</application>
          statistics file, <filename>/var/log/sendmail.st</filename>, have
          been changed from mode 0644 to mode 0640 to protect against
          a file locking local denial of service. &merged;</para>

      </sect4>
    </sect3>

    <sect3>
      <title>Ports/Packages Collection Infrastructure</title>

      <para><application>BSDPAN</application>, a collection of modules
        that provides tighter integration of
        <application>Perl</application> into the &os; Ports
        Collection, has been added.</para>

      <para role="historic">&man.pkg.create.1; and &man.pkg.add.1; can now work with
        packages that have been compressed using
        &man.bzip2.1;. &man.pkg.add.1; will use the PACKAGEROOT
        environment variable to determine a mirror site for new
        packages. &merged;</para>

      <para role="historic">&man.pkg.create.1; now records dependencies in dependency
        order rather than in the order specified on the command line.
        This improves the functioning of <command>pkg_add
        -r</command>. &merged;</para>

      <para role="historic">&man.pkg.create.1; now supports a <option>-b</option> to
        create a package file from a locally-installed
        package. &merged;</para>

      <para role="historic">When requested to delete multiple packages,
        &man.pkg.delete.1; will now attempt to remove them in
        dependency order rather than the order specified on the
        command line. &merged;</para>

      <para role="historic">&man.pkg.delete.1; now can perform glob/regexp matching of
        package names.  In addition, it supports a <option>-a</option>
        option for removing all packages and a <option>-i</option>
        option for &man.rm.1;-style interactive
        confirmation. &merged;</para>

      <para role="historic">&man.pkg.delete.1; now supports a <option>-r</option>
        option for recursive package removal. &merged;</para>

      <para role="historic">&man.pkg.info.1; now supports globbing against names of
        installed packages.  The <option>-G</option> option disables
        this behavior, and the <option>-x</option> option causes
        regular expression matching instead of shell
        globbing. &merged;</para>

      <para role="historic">&man.pkg.info.1; can now accept a <option>-g</option> flag
        for verifying an installed package against its recorded
        checksums (to see if it's been modified post-installation).
        Naturally, this mechanism is only as secure as the contents of
        <filename>/var/db/pkg</filename> if it's to be used for auditing
        purposes. &merged;</para>

      <para role="historic">&man.pkg.sign.1; and &man.pkg.check.1; have been added to
        digitally sign and verify the signatures on binary package
        files. &merged;</para>

      <para>For some time, &os; 5.0-CURRENT (as well as some 4.X
        releases) included a pkg_update(1) utility to update installed
        packages, as well as their dependencies.  This utility has
        been removed; a superset of its functionality can be found in
        the <filename role="package">sysutils/portupgrade</filename>
        port.</para>

      <para role="historic">&man.pkg.version.1; now has a version number comparison
        routine that corresponds to the Porters Handbook.  It also has
        a <option>-t</option> option for testing address comparisons.
        &merged;</para>

      <para role="historic">&man.pkg.version.1; now takes a <option>-s</option> flag
        to limit its operation to ports/packages matching a given
        string. &merged;</para>

      <para>&man.pkg.version.1;, formerly a Perl script, has been
        rewritten in C.</para>

      <para role="historic">Version numbers of installed packages have a new
        (backward-compatible) syntax, which supports the
        <varname>PORTREVISION</varname> and
        <varname>PORTEPOCH</varname> variables in Ports Collection
        <filename>Makefile</filename>s.  These changes help keep track
        of changes in the ports collection entries such as security
        patches or &os;-specific updates, which aren't reflected in
        the original, third-party software distributions.
        &man.pkg.version.1; can now compare these new-style version
        numbers. &merged;</para>

      <para role="historic">To improve performance and disk utilization, the
        <quote>ports skeletons</quote> in the &os; Ports Collection
        have been restructured.  Installed ports and packages should
        not be affected. &merged;</para>

      <para role="historic">All packages and ports now contain an
        <quote>origin</quote> directive, which makes it easier for
        programs such as &man.pkg.version.1; to determine the
        directory from which a package was built. &merged;</para>

      <para role="historic">The Ports Collection infrastructure now uses
        <application>XFree86</application> 4.2.0 as the default version
        of the X Window System for the purposes of satisfying
        dependencies.  To return to using
        <application>XFree86</application> 3.3.6, add the following line
        to <filename>/etc/make.conf</filename>: &merged;</para>

      <programlisting role="historic">XFREE86_VERSION=3</programlisting>

      <para>The libraries installed by the <filename
        role="package">emulators/linux_base</filename> port (required
        for Linux emulation) have been updated; they now correspond to
        those included with <application>Red Hat Linux</application>
        7.1.</para>
    </sect3>
  </sect2>

  <sect2>
    <title>Release Engineering and Integration</title>

    <para>The <filename>bin</filename> distribution has been renamed
      <filename>base</filename>, in order to make creation of combined
      install/recovery disks easier.</para>

    <para arch="i386">ISO images and CDROMs now use the
      <filename>cdboot</filename> boot loader by default.  This
      eliminates the need for an emulated floppy disk image on
      a bootable CDROM and allows for a full
      <filename>GENERIC</filename> kernel to be used for CDROM
      installations, at the expense of compatability with some old
      BIOSs.</para>

    <para arch="i386,pc98,alpha" role="historic"><application>XFree86</application> 4.2.0
      is now the default version of the X Window System supported by
      &man.sysinstall.8;.  It installs
      <application>XFree86</application> as a set of standard binary
      packages, so the usual package utilities such as
      &man.pkg.info.1; can be used to examine/manipulate its
      components. &merged;</para>

    <para>It is now possible to make releases of &os;
      &release.current; on a &os; 4-STABLE host.  Cross-architecture
      (building a release for a target architecture on a host of a
      different architecture) releases are also possible.  See
      &man.release.7; for details.</para>

  </sect2>

  <sect2>
    <title>Documentation</title>

    <para>A number of formerly-encumbered documents from the 4.4 BSD
      Programmer's Supplementary Documents have been restored to
      <filename>/usr/share/doc/psd</filename>.  These include:</para>

    <itemizedlist>
      <listitem>
        <para><emphasis>The UNIX Time-Sharing System</emphasis>
          (<filename>01.cacm</filename>)</para>
      </listitem>

      <listitem>
        <para><emphasis>UNIX Implementation</emphasis>
          (<filename>02.implement</filename>)</para>
      </listitem>

      <listitem>
        <para><emphasis>The UNIX I/O System</emphasis>
          (<filename>03.iosys</filename>)</para>
      </listitem>

      <listitem>
        <para><emphasis>UNIX Programming &mdash; Second Edition</emphasis>
          (<filename>04.uprog</filename>)</para>
      </listitem>

      <listitem>
        <para><emphasis>The C Programming Language &mdash; Reference Manual</emphasis>
          (<filename>06.Clang</filename>)</para>
      </listitem>

      <listitem>
        <para><emphasis>Yacc: Yet Another Compiler-Compiler</emphasis>
          (<filename>15.yacc</filename>)</para>
      </listitem>

      <listitem>
        <para><emphasis>Lex &mdash; A Lexical Analyzer Generator</emphasis>
          (<filename>16.lex</filename>)</para>
      </listitem>

      <listitem>
        <para><emphasis>The M4 Macro Processor</emphasis>
          (<filename>17.m4</filename>)</para>
      </listitem>
    </itemizedlist>

    <para>Several formerly-encumbered documents from the 4.4 BSD
      User's Supplementary Documents have been restored to
      <filename>/usr/share/doc/usd</filename>.  They include:</para>

    <itemizedlist>
      <listitem>
        <para><emphasis>NROFF/TROFF User's Manual</emphasis>
          (<filename>21.troff</filename>)</para>
      </listitem>

      <listitem>
        <para><emphasis>A TROFF Tutorial</emphasis>
          (<filename>22.trofftut</filename>)</para>
      </listitem>
    </itemizedlist>
  </sect2>

</sect1>

<sect1>
  <title>Upgrading from previous releases of &os;</title>

  <para>If you're upgrading from a previous release of &os;, you
    generally will have three options:

    <itemizedlist>
      <listitem>
        <para>Using the binary upgrade option of &man.sysinstall.8;.
          This option is perhaps the quickest, although it presumes
          that your installation of &os; uses no special compilation
          options.</para>
      </listitem>
      <listitem>
        <para>Performing a complete reinstall of &os;.  Technically,
          this is not an upgrading method, and in any case is usually less
          convenient than a binary upgrade, in that it requires you to
          manually backup and restore the contents of
          <filename>/etc</filename>.  However, it may be useful in
          cases where you want (or need) to change the partitioning of
          your disks.
      </listitem>
      <listitem>
        <para>From source code in <filename>/usr/src</filename>.  This
          route is more flexible, but requires more disk space, time,
          and technical expertise.  More information can be found
          in the <ulink
          url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html"><quote>Using
          <command>make world</command></quote></ulink> section of the <ulink
          url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/">FreeBSD
          Handbook</ulink>.  Upgrading from very old
          versions of &os; may be problematic; in cases like this, it
          is usually more effective to perform a binary upgrade or a
          complete reinstall.</para>
      </listitem>
    </itemizedlist>
  </para>

  <para>Please read the <filename>INSTALL.TXT</filename> file for more
    information, preferably <emphasis>before</emphasis> beginning an
    upgrade.  If you are upgrading from source, please be sure to read
    <filename>/usr/src/UPDATING</filename> as well.</para>

  <para>Finally, if you want to use one of various means to track the
    -STABLE or -CURRENT branches of &os;, please be sure to consult
    the <ulink
    url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/current-stable.html"><quote>-CURRENT
    vs. -STABLE</quote></ulink> section of the <ulink
    url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/">FreeBSD
    Handbook</ulink>.</para>

  <important>
    <para>Upgrading &os; should, of course, only be attempted after
      backing up <emphasis>all</emphasis> data and configuration
      files.</para>
  </important>
</sect1>