&os; &release.current; Release Notes

The &os; Project

$FreeBSD$

2010 The &os; Documentation Project

&tm-attrib.freebsd; &tm-attrib.ibm; &tm-attrib.ieee; &tm-attrib.intel; &tm-attrib.sparc; &tm-attrib.general;

The release notes for &os; &release.current; contain a summary of the changes made to the &os; base system on the &release.branch; development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the &os; kernel and userland. Some brief remarks on upgrading are also presented.

Introduction

This document contains the release notes for &os; &release.current;. It describes recently added, changed, or deleted features of &os;. It also provides some notes on upgrading from previous versions of &os;.

The &release.type; distribution to which these release notes apply represents the latest point along the &release.branch; development branch since &release.branch; was created. Information regarding pre-built, binary &release.type; distributions along this branch can be found at .

The &release.type; distribution to which these release notes apply represents a point along the &release.branch; development branch between &release.prev; and the future &release.next;. Information regarding pre-built, binary &release.type; distributions along this branch can be found at .

This distribution of &os; &release.current; is a &release.type; distribution. It can be found at or any of its mirrors. More information on obtaining this (or other) &release.type; distributions of &os; can be found in the Obtaining &os; appendix to the &os; Handbook.

All users are encouraged to consult the release errata before installing &os;. The errata document is updated with late-breaking information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation.
An up-to-date copy of the errata for &os; &release.current; can be found on the &os; Web site.

What's New

This section describes the most user-visible new or changed features in &os; since &release.prev;.

Typical release note items document recent security advisories issued after &release.prev;, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to &os; between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.

Security Advisories

Problems described in the following security advisories have been fixed. For more information, consult the individual advisories available from .

Advisory                 Date          Topic
SA-09:15.ssl             3 Dec 2009    SSL protocol flaw
SA-09:16.rtld            3 Dec 2009    Improper environment sanitization in &man.rtld.1;
SA-09:17.freebsd-update  3 Dec 2009    Inappropriate directory permissions in &man.freebsd-update.8;
SA-10:01.bind            6 Jan 2010    BIND &man.named.8; cache poisoning with DNSSEC validation
SA-10:02.ntpd            6 Jan 2010    ntpd mode 7 denial of service
SA-10:03.zfs             6 Jan 2010    ZFS ZIL playback with insecure permissions
SA-10:04.jail            27 May 2010   Insufficient environment sanitization in &man.jail.8;
SA-10:05.opie            27 May 2010   OPIE off-by-one stack overflow
SA-10:06.nfsclient       27 May 2010   Unvalidated input in nfsclient
SA-10:07.mbuf            13 July 2010  Lost mbuf flag resulting in data corruption

Kernel Changes

The show mount command in the &man.ddb.4; debugger now prints active string mount options.

The default &man.devfs.5; rules now expose the upper 256 of &man.pty.4; device nodes.

A new kernel thread called deadlock resolver has been added. It can be used to detect possible deadlocks by using thread state information and heuristic analysis. This is not enabled by default.
Enabling it requires an option in the kernel configuration file and recompilation of the kernel.

Two commands to enable/disable read-ahead have been added to the &man.fcntl.2; system call:

F_READAHEAD specifies the amount for sequential access. The amount is specified in bytes and is rounded up to the nearest block size.

F_RDAHEAD is a Darwin-compatible version that uses 128KB as the sequential access size.

Note that the read-ahead amount is also constrained by the sysctl variable vfs.read_max, which may need to be raised in order to better utilize this feature.

The &man.lindev.4; driver has been added. It supports various Linux-specific pseudo devices such as /dev/full. Note that this is not included in the GENERIC kernel.

The POSIX function pselect(3) has been reimplemented as a system call, &man.pselect.2;, to eliminate a race condition.

A kernel option has been added to the GENERIC kernel by default. New SDT (Statically Defined Tracing) probes, such as ones for opencrypto, have been added to the &os; &man.dtrace.1; subsystem.

&os; now supports SMP on PowerPC G5 systems. Note that SMP support is disabled by default in the GENERIC kernel.

A bug in the &man.tty.4; driver that prevented TIOCSTI from working has been fixed. This affects applications like &man.mail.1;.

A bug in the &man.sched.4bsd.4; scheduler in which the timestamp for the sleeping operation was not cleaned up on wakeup has been fixed.

A bug in the &man.sched.ule.4; scheduler which prevented process usage (%CPU) from working correctly has been fixed.

The VIMAGE &man.jail.8; virtualization container can work with &man.sctp.4; now. Note that VIMAGE is not enabled by default in the GENERIC kernel.

The VIMAGE &man.jail.8; now supports ip4.saddrsel, ip4.nosaddrsel, ip6.saddrsel, and ip6.nosaddrsel to control whether to use source address selection or the primary jail address for unbound outgoing connections. The default value is to use source address selection.

Boot Loader Changes

The boot2 bootcode has been reimplemented based on the &arch.i386; counterpart. It now supports ELF binaries, the UFS2 file system, and a larger number of slices.

The EFI loader program now supports a command-line option to specify the default value of currdev. This option can be set by the EFI boot manager.

The kernel environment variable vfs.root.mountfrom now supports multiple elements for the root file system in a space-separated list. Each list element will be tried in order and the first available one will be mounted.

The algorithm the &man.loader.8; uses to choose a memory range for its heap when using a range above 1MB has been improved. This fixes a symptom where the loader fails to load a kernel.

The zfsloader has been added. This is a separate &man.zfs.8; enabled loader. Note that a ZFS bootcode (zfsboot or gptzfsboot) needs to be installed to use this new loader.

The zfsboot and gptzfsboot bootcode now fully support 64-bit LBAs for disk addresses. This allows booting from large volumes.

Hardware Support

The adb driver now supports interpreting taps on ADB touchpads as a button click.

The amdsbwd(4) driver for the AMD SB600/SB7xx watchdog timer has been added.

The apt driver for the Apple Touchpad present on MacBook has been added to the GENERIC kernel.

The epic(4) driver for the front panel LEDs in Sun Fire V215/V245 has been added.

A bug in the &man.ipmi.4; driver that caused an incorrect watchdog timer setting has been fixed.

The &man.pci.4; driver now supports a JBus to PCIe bridge (called Fire) found in the Sun Fire V215/V245 and Sun Ultra 25/45 machines.

The &man.uart.4; driver now supports the NetMos NM9865 family of Serial/Parallel ports.

A bug in the &man.uftdi.4; driver that could allow a zero-length packet to be sent has been fixed.

Multimedia Support

The &man.agp.4; driver has been improved. It includes a fix for an aperture size calculation issue which prevented some graphics cards from working.
The &man.snd.hda.4; driver now allows AD1981HD codecs to use the playback mixer.

The &man.snd.hda.4; driver now supports multichannel (4.0 and 7.1) playback. The 5.1 mode support is disabled for now due to an unidentified synchronization problem. Devices which support the 7.1 mode can handle the 5.1 operation via software upmix done by &man.sound.4;. Note that the stereo stream is no longer duplicated to all ports.

Network Interface Support

The &man.bge.4; driver now supports BCM5761, BCM5784, and BCM57780-based devices.

The &man.bge.4; driver now supports TSO (TCP segmentation offloading) on BCM5755 or newer controllers.

A long-standing stability issue in the &man.bce.4; and &man.bge.4; drivers, caused by a hardware bug in DMA handling when the system has more than 4GB of memory, has been fixed. This applies to BCM5714, BCM5715, and BCM5708 controllers.

A bug in the &man.bge.4; driver that incorrectly enabled TSO on BCM5754/BCM5754M controllers has been fixed.

The &man.cxgb.4; driver has been updated to T3 firmware 7.8.0.

The et(4) driver now supports MSI and Tx checksum offloading of IPv4, TCP, and UDP.

The &man.iwn.4; driver has been updated. This includes various improvements and bugfixes regarding the RF switch, bgscan support, suspend/resume support, a locking issue, and more. The line device iwnfw in the kernel configuration file will include all firmware images.

The &man.msk.4; driver now supports Marvell Yukon 88E8042, 88E8057 devices and DGE-560SX (Yukon XL).

The &man.mxge.4; driver has been updated to firmware 1.4.48b.

The &man.re.4; driver no longer performs an unnecessary interface up/down while obtaining an IP address via DHCP.

The &man.ste.4; driver has been improved: The DMA handling has been improved. Wake-On-LAN is now supported. Unnecessary reinitialization of the interfaces has been eliminated. RX interrupt moderation with a single shot timer has been implemented.
The default parameter of the moderation time is 150us and this can be changed via the sysctl variable dev.ste.0.int_rx_mod. Setting it to 0 effectively disables the RX interrupt moderation feature.

The tsec(4) driver now supports &man.altq.4;.

The &man.u3g.4; driver has been improved and now works with ZTE MF636, Option Gi0322, Globetrotter GE40x, and Novatel MC950D.

The &man.uhso.4; driver for Option HSDPA USB devices has been added. A new &man.uhsoctl.1; userland utility can be used to initiate and close the WAN connection.

The &man.vge.4; driver has been improved: The DMA handling has been improved. Wake-On-LAN is now supported. Unnecessary reinitialization of the interfaces has been eliminated. Hardware MAC statistics are now supported via sysctl variables dev.vge.0.stats. Interrupt moderation with a single shot timer and the scheme supported by VT61xx controllers have been implemented. The default parameters are tuned to generate fewer than 8k interrupts per second, and these parameters can be changed via the sysctl variables dev.vge.0.int_holdoff, dev.vge.0.rx_coal_pkt, and dev.vge.0.tx_coal_pkt. Note that an up/down cycle is needed to make a parameter change take effect.

The &man.urtw.4; driver has been improved and now supports RTL8187B-based devices.

Network Protocols

The IPcomp (IP Payload Compression Protocol defined in RFC 2393) protocol is now enabled by default. Note that this requires in the kernel configuration file and GENERIC kernel does not include it. This functionality can be disabled by using the sysctl variable net.inet.ipcomp.ipcomp_enable.

A bug in the &man.ipfw.4; subsystem that prevented the keep-alive rule from working for IPv6 packets has been fixed.

The &man.pf.4; subsystem now supports the sloppy keyword to enable a TCP state machine for tracking TCP connections with no sequence number check. This feature is in the latest version of pf.

A bug that prevented proxy ARP entries from being added over point-to-point link types has been fixed.
The &man.vlan.4; pseudo interface has been added to the GENERIC kernel.

The &man.vlan.4; pseudo interface for IEEE 802.1Q VLAN now ignores renaming of the parent's interface name. The configured VLAN interfaces continue to work with the new name, while previously the configurations were removed when the renaming happened.

Disks and Storage

The &man.ada.4; driver now supports BIO_DELETE. For SSDs this uses the TRIM feature of the DATA SET MANAGEMENT command, as defined by the ACS-2 specification working draft. For Compact Flash it uses the CFA ERASE command, the same as &man.ad.4; does. This change makes it possible to restore the write speed of SSDs which support the TRIM command by doing newfs -E /dev/ada1, for example.

A bug in the &man.fdc.4; driver which prevented the kernel module from unloading has been fixed.

&man.geom.8; providers, including complex ones such as &man.gconcat.8;, &man.gmirror.8;, &man.graid3.8;, &man.gstripe.8;, and some hardware RAID device drivers like &man.twa.4;, now report their optimal access block size to the upper layer.

The &man.gmirror.8; utility now supports the configure priority command to change the provider's priority.

The balancing mode algorithm load used in the &man.gmirror.8; utility has been changed and it is now the default one instead of split:

Instead of measuring the last request execution time for each drive and choosing the one with the smallest time, use the averaged number of requests running on each drive. This information is more accurate and timely. It allows load to be distributed between drives in a more even and predictable way.

For each drive, track the offset of the last submitted request. If a new request's offset matches the previous one or is close to it for some drive, prefer that drive. This significantly speeds up simultaneous sequential reads.

A bug in &man.graid3.8; which caused a panic when a large request arrives has been fixed. This happens when MAXPHYS is set larger than 128k.

The default block size of &man.gstripe.8; has been increased from 4k to 64k.
A new kernel option has been added. This turns &man.ata.4; controller drivers into &man.cam.4; interface modules. When enabled, this option deprecates all &man.ata.4; peripheral drivers and interfaces such as ad and acd, and allows the &man.cam.4; drivers ada and cd and interfaces to be used natively instead. Note that this is not enabled by default in the GENERIC kernel.

A bug in the &man.ata.4; driver which could lead to interrupt storms and command timeouts has been fixed.

USB mass storage device support in the &man.ata.4; driver has been removed. Note that this was not used in the GENERIC kernel and the &man.umass.4; driver has supported such devices for a long time.

The &man.ahd.4; driver now supports three separate error counters, for correctable, uncorrectable, and fatal errors, in the &man.sysctl.8; MIB.

SATA and PATA support in the &os; &man.cam.3; SCSI framework has been improved and it now recognizes more detailed device capabilities. For example, the &man.ahci.4; and &man.siis.4; drivers now report the maximum tag number to the framework to optimize NCQ handling.

File Systems

The &os; NFS subsystem now supports a timeout for the negative name cache entries in the client. This prevents a bogus negative name cache entry from persisting forever when another client creates an entry with the same name within the same NFS server time of day clock tick. The mount option can be used to override the default timeout interval (60 seconds) on a per-mount-point basis. Setting to 0 disables negative name caching for the mount point.

The &os; &man.VFS.9; subsystem now supports a new sysctl variable vfs.vlru_allow_cache_src. This allows the vnlru kernel thread to reclaim directory vnodes that are the source of namecache records. This is not enabled by default because for a typical workload it would make the namecache unusable, but a large nested directory tree easily puts any process that accesses the file system into a one-second wait for the vnlru kernel thread.

The ZFS file system now supports NFSv4 ACL.
The zpool version of the ZFS subsystem has been updated to version 14. It is now possible to use zpools created on OpenSolaris 2009.06.

Bugs in the ZFS file system that caused zfs snapshot -r to fail when the file system is busy, and zfs receive to fail with an E2BIG error, have been fixed.

Userland Changes

A bug in the &man.bsnmpd.1; program which led to high CPU consumption on a loaded system has been fixed.

A bug in the &man.bzip2.1; utility which prevented it from working with multi-session bzip2 files has been fixed.

The &man.camcontrol.8; utility now supports a flag in the subcommand identify. It displays the whole identify data block.

The &man.cp.1;, &man.find.1;, &man.getfacl.1;, &man.mv.1;, and &man.setfacl.1; utilities now support NFSv4 ACL.

The &man.diskinfo.8; utility now supports reporting disk stripe size and offset. This helps users to make file systems optimally aligned and tuned for better performance.

A bug in the &man.ee.1; utility which could crash the program has been fixed.

A bug in the &man.factor.6; utility which led to performance degradation has been fixed.

The &man.fetch.1; utility now supports HTTP digest authentication.

A bug in the &man.fetch.1; utility which incorrectly evaluated the variable NO_PROXY has been fixed.

The &man.gcore.1; utility now recognizes threads in the process and handles dumps on a thread scope.

The &man.ifconfig.8; utility now supports manipulation of NDP flags handled by &man.ndp.8;.

The &man.netstat.1; utility now supports ARP information in statistics shown by the flag.

The &man.newsyslog.8; utility no longer treats the non-existence of a PID file as an error. A new flag reverts it to the old behavior.

The &man.ntpd.8; program no longer tries to bind to an IPv6 anycast address.

The &man.pwait.1; utility has been added. This is similar to the Solaris utility of the same name, and waits for any process to terminate.

The &man.scandir.3; and &man.alphasort.3; functions have been updated to conform to POSIX.1-2008 (IEEE Std 1003.1-2008).
The &man.sighold.2;, &man.sigignore.2;, &man.sigpause.2;, &man.sigrelse.2;, and &man.sigset.2; functions have been implemented to make porting software from System V-like systems easy. Note that these are defined in POSIX.1-2008 XSI (IEEE Std 1003.1-2008, X/Open System Interface) but are now obsolete. Since &os; already has another sigpause(3) function derived from 4.2BSD, a version of the XSI interface is implemented as xsi_sigpause().

The &man.sshd.8;, &man.cron.8;, &man.inetd.8;, and &man.syslogd.8; programs now set the MADV_PROTECT memory flag on themselves to protect themselves from being terminated by the &os; kernel when available memory runs short. This kind of process termination happens in a swap-intensive workload.

The &man.traceroute.8; utility now performs source address selection correctly even in a VIMAGE &man.jail.8; environment.

The &man.unifdef.1; utility has been updated to version 1.188. It now supports a new flag to compress blank lines around a deleted section to prevent blank lines around paragraphs of code from getting doubled.

The &man.usbconfig.8; utility now supports a new flag to specify the &man.ugen.4; device, and add_quirk and remove_quirk commands.

The &man.whois.1; utility now supports searching IPv6 addresses just like IPv4 without specifying the ARIN server. A flag has been removed because it is now obsolete.

A new errno ENOTCAPABLE has been added. This is to be returned when a process requests an operation on a file descriptor that is not authorized by the descriptor's capability flags.

The &man.zfs.8; command now supports a new flag to specify that the received ZFS should not be mounted automatically.

/etc/rc.d Scripts

The &man.service.8; command has been added. This provides an easy command-line interface to the rc.d system.

A new rc.d script static_arp has been added. This allows the administrator to statically define mappings of MAC address to IPv4 at boot time.
See also the &man.rc.conf.5; manual page for more details.

The &man.rc.conf.5; now supports configuring &man.vlan.4; interfaces as child devices similar to &man.wlan.4; interfaces. &man.vlan.4; interfaces are listed via a new vlans_IF variable. If a VLAN interface is a number, then that number is treated as the VLAN tag for the interface and the interface will be named IF.tag. Otherwise, the VLAN tag must be provided via a VLAN parameter in a create_args_IF variable.

Contributed Software

The ACPI-CA has been updated to 20100121.

The awk has been updated from the 23 October 2007 release to the 26 November 2009 release.

ISC BIND has been updated to version 9.6.1-P2.

netcat has been updated to version 4.6.

sendmail has been updated to version 8.14.4.

The timezone database has been updated to the tzdata2010b release.

Ports/Packages Collection Infrastructure

Release Engineering and Integration

The filename of ISO images for &os; releases now has a FreeBSD- at the beginning.

The supported version of the GNOME desktop environment (x11/gnome2) has been updated to 2.28.2.

The supported version of the KDE desktop environment (x11/kde4) has been updated to 4.4.3.

Upgrading from previous releases of &os;

Upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the &man.freebsd-update.8; utility. The binary upgrade procedure will update unmodified userland utilities, as well as unmodified GENERIC kernel distributed as a part of an official &os; release. The &man.freebsd-update.8; utility requires that the host being upgraded has Internet connectivity.

An older form of binary upgrade is supported through the Upgrade option from the main &man.sysinstall.8; menu on CDROM distribution media. This type of binary upgrade may be useful on non-&arch.i386;, non-&arch.amd64; machines or on systems with no Internet connectivity.
Source-based upgrades (those based on recompiling the &os; base system from source code) from previous versions are supported, according to the instructions in /usr/src/UPDATING. Upgrading &os; should, of course, only be attempted after backing up all data and configuration files.