<!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook V4.1-Based Extension//EN" [
<!ENTITY % articles.ent PUBLIC "-//FreeBSD//ENTITIES DocBook FreeBSD Articles Entity Set//EN">
<!ENTITY % release PUBLIC "-//FreeBSD//ENTITIES Release Specification//EN">
<title>&os; &release.current; Release Notes</title>
<corpauthor>The &os; Project</corpauthor>
<pubdate>$FreeBSD$</pubdate>
<holder role="mailto:doc@FreeBSD.org">The &os; Documentation Project</holder>
<legalnotice id="trademarks" role="trademarks">
<para>The release notes for &os; &release.current; contain a summary
of the changes made to the &os; base system on the
&release.branch; development line.
This document lists applicable security advisories that were issued since
the last release, as well as significant changes to the &os;
Some brief remarks on upgrading are also presented.</para>
<title>Introduction</title>
<para>This document contains the release notes for &os;
describes recently added, changed, or deleted features of &os;.
It also provides some notes on upgrading
from previous versions of &os;.</para>
<![ %release.type.current [
<para>The &release.type; distribution to which these release notes
apply represents the latest point along the &release.branch; development
branch since &release.branch; was created. Information regarding pre-built, binary
&release.type; distributions along this branch
can be found at <ulink url="&release.url;"></ulink>.</para>
<![ %release.type.snapshot [
<para>The &release.type; distribution to which these release notes
apply represents a point along the &release.branch; development
branch between &release.prev; and the future &release.next;.
pre-built, binary &release.type; distributions along this branch
can be found at <ulink url="&release.url;"></ulink>.</para>
<![ %release.type.release [
<para>This distribution of &os; &release.current; is a
&release.type; distribution. It can be found at <ulink
url="&release.url;"></ulink> or any of its mirrors. More
information on obtaining this (or other) &release.type;
distributions of &os; can be found in the <ulink
url="&url.books.handbook;/mirrors.html"><quote>Obtaining
&os;</quote> appendix</ulink> to the <ulink
url="&url.books.handbook;/">&os; Handbook</ulink>.</para>
<para>All users are encouraged to consult the release errata before
installing &os;. The errata document is updated with
<quote>late-breaking</quote> information discovered late in the
release cycle or after the release. Typically, it contains
information on known bugs, security advisories, and corrections to
documentation. An up-to-date copy of the errata for &os;
&release.current; can be found on the &os; Web site.</para>
<title>What's New</title>
<para>This section describes the most user-visible new or changed
features in &os; since &release.prev;.</para>
<para>Typical release note items document recent security
advisories issued after &release.prev;, new drivers or hardware
support, new commands or options, major bug fixes, or
contributed software upgrades. They may also list changes to
major ports/packages or release engineering practices. Clearly
the release notes cannot list every single change made to &os;
between releases; this document focuses primarily on security
advisories, user-visible changes, and major architectural
<sect2 id="security">
<title>Security Advisories</title>
<para>Problems described in the following security advisories have
been fixed. For more information, consult the individual
advisories available from
<ulink url="http://security.FreeBSD.org/"></ulink>.</para>
<informaltable frame="none" pgwide="0">
<colspec colwidth="1*">
<colspec colwidth="1*">
<colspec colwidth="3*">
<entry>Advisory</entry>
<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:01.lukemftpd.asc"
>SA-09:01.lukemftpd</ulink></entry>
<entry>07 January 2009</entry>
<entry><para>Cross-site request forgery in
&man.lukemftpd.8;</para></entry>
<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:02.openssl.asc"
>SA-09:02.openssl</ulink></entry>
<entry>07 January 2009</entry>
<entry><para>OpenSSL incorrectly checks for malformed
signatures</para></entry>
<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:03.ntpd.asc"
>SA-09:03.ntpd</ulink></entry>
<entry>13 January 2009</entry>
<entry><para>ntpd cryptographic signature
bypass</para></entry>
<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:04.bind.asc"
>SA-09:04.bind</ulink></entry>
<entry>13 January 2009</entry>
<entry><para>BIND DNSSEC incorrect checks for
malformed signatures</para></entry>
<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:05.telnetd.asc"
>SA-09:05.telnetd</ulink></entry>
<entry>16 February 2009</entry>
<entry><para>telnetd code execution
vulnerability</para></entry>
<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:06.ktimer.asc"
>SA-09:06.ktimer</ulink></entry>
<entry>23 March 2009</entry>
<entry><para>Local privilege escalation</para></entry>
<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:07.libc.asc"
>SA-09:07.libc</ulink></entry>
<entry>04 April 2009</entry>
<entry><para>Information leak in &man.db.3;</para></entry>
<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:08.openssl.asc"
>SA-09:08.openssl</ulink></entry>
<entry>22 April 2009</entry>
<entry><para>Remotely exploitable crash in
OpenSSL</para></entry>
<title>Kernel Changes</title>
<para>The &os; DTrace subsystem now supports a probe for
process execution.</para>
<para arch="amd64">The &os; kernel virtual address space has
been increased to 6GB and the ceiling on the kmem map size
to 3.6GB. Note that the ceiling is a fraction of the kernel
map size rather than an absolute quantity.</para>
<para>The &man.jail.8; subsystem has been updated. Changes include:</para>
<para>Multiple IPv4 and IPv6 addresses per jail are now
supported. It is even possible to have jails without
an IP address at all, which basically gives one a chrooted
environment with restricted process view and no
<para>SCTP (&man.sctp.4;) with IPv6 in jails is now supported.</para>
<para>Specific CPU binding by using &man.cpuset.1; is now supported.</para>
<para>A <literal>show jails</literal> subcommand in
&man.ddb.8; has been added.</para>
<para>Compatibility support which permits 32-bit jail
binaries to be used on 64-bit systems to manage jails has
<para>Note that both version numbers of
<literal>jail</literal> and <literal>prison</literal> in
the &man.jail.8; have been updated for the new
<para>The &man.jail.8; subsystem now supports SCTP (&man.sctp.4;)
with IPv6 in jails.</para>
<para>The &man.kld.4; now supports installing 32-bit system
calls to the &os; system call translation layer from kernel
<para>The &man.ktr.4; now supports a new KTR tracepoint in the
<literal>KTR_CALLOUT</literal> class to note when a callout
routine finishes executing.</para>
<para>The &os; 32-bit system call translation layer now
supports installing 32-bit system calls for
<literal>VFS_AIO</literal>.</para>
<para arch="amd64,i386">The &os; virtual memory subsystem now
supports Superpages. Superpages is a feature in modern
CPUs that enables each entry in the TLB (translation lookaside
buffer) to map a large physical memory region into a virtual
address space. This provides possible memory savings for
applications that share large amounts of memory between the
address spaces and performance improvements due to fewer TLB
<title>Boot Loader Changes</title>
<para>The &man.boot.8; now supports the 4-byte volume ID that
certain versions of &windows; put into the MBR, and invoking
PXE by pressing the F6 key on some supported BIOSes.</para>
<para>The &man.loader.8; is now able to obtain DHCP options
via &man.kenv.2; variables in the case of network boot.</para>
<para>A bug in the &man.loader.8; has been fixed. Now the
following line works as expected:</para>
<programlisting>loader_conf_files="<replaceable>foo</replaceable> <replaceable>bar</replaceable> ${<replaceable>variable</replaceable>}"</programlisting>
<title>Hardware Support</title>
<para>The &man.acpi.4; subsystem now supports a &man.sysctl.8;
variable <varname>debug.batt.batt_sleep_ms</varname>. On
some laptops with smart batteries, enabling battery
monitoring software causes keystrokes from &man.atkbd.4; to
be lost. This sysctl variable adds a delay in milliseconds
to the status checking code as a workaround.</para>
<para>The &man.acpi.asus.4; driver now supports Asus A8Sr
<para>The &man.cpuctl.4; driver, which provides a special
device <filename>/dev/cpuctl</filename> as an interface to
the system CPU and functionality to retrieve CPUID
information, read/write machine specific registers (MSR) and
perform CPU firmware updates, has been added.</para>
<para>The &man.cpufreq.4; driver now supports a
<varname>hw.est.msr_info</varname> loader tunable. When
this is set to <literal>1</literal>, it attempts to build a
simple list containing just the high and low frequencies if
it cannot obtain a frequency list from either ACPI or the
static tables. This is disabled by default.</para>
<para arch="amd64,i386">CPU frequency change notifiers are now
disabled when the TSC is P-state invariant. Also, a new
<varname>kern.timecounter.invariant_tsc</varname> has been
added to force this behavior by setting it to
<title>Multimedia Support</title>
<para>The &man.agp.4; now supports Intel G4X series graphics
<para>The DRM, a kernel module named Direct Rendering
Manager that gives direct hardware access to DRI clients,
has been updated. Support for AMD/ATI r500 and IGP based
chips, XGI V3XE/V5/V8, and Intel i915 chipsets has been
<para>The snd_au88x0(4) driver for Aureal Vortex
1/2/Advantage PCI has been removed because it has been
broken for a long time.</para>
<para>The &man.snd.hda.4; driver has been updated. Changes
include: multiple codecs per HDA bus, multiple functional
groups per codec, multiple audio devices per functional
group, digital (SPDIF/HDMI) audio input/output,
suspend/resume, and part of multichannel audio.</para>
<para>Note that due to the added support for HDMI audio and
logical audio devices, the updated driver often provides several PCM
devices. In some cases this can cause the system default audio
device to no longer correspond to the user's habitual
audio connectors. In such cases the default device can be
specified in audio application setup or defined globally
via the <varname>hw.snd.default_unit</varname> sysctl
as described in the &man.sound.4; manual page.</para>
<title>Network Interface Support</title>
<para>The performance of the &man.axe.4; driver has been
improved by eliminating an extra context switch, and it now
supports the Apple USB Ethernet adapter.</para>
<para>The ciphy(4) driver now supports Vitesse VSC8211
<para>The &man.fxp.4; driver has been improved. Changes include:</para>
<para>The checksum offload feature can be controlled by
&man.ifconfig.8;.</para>
<para>Rx checksum offload support for 82559 or later
controllers has been added.</para>
<para>TSO (TCP Segmentation Offload) support for 82550
and 82551 controllers has been added.</para>
<para>WoL (Wake on LAN) support for 82550, 82551, 82558,
and 82559-based controllers has been added. Note that
ICH based controllers are treated as 82559, and 82557,
earlier revision of 82558, and 82559ER have no WOL
<para>VLAN hardware tag insertion/stripping support and
Tx/Rx checksum offload for VLAN frames support have
been added. Note that the VLAN hardware assistance is
available only on 82550 or 82551-based
<para>A bug in the &man.igb.4; driver which prevents a tunable
<varname>hw.igb.ave_latency</varname> from working has
<para>The &man.jme.4; driver now supports newer JMicron
JMC250/JMC260 revisions.</para>
<para>The &man.msk.4; driver has been improved. An issue
which makes it hang up in a certain condition has been
<para>The &man.mxge.4; driver now supports some newer
revisions and 10GBASE-LRM and 10GBASE-Twinax* media
<para>The &man.re.4; driver has been improved. It now
detects the link status.</para>
<para>The &man.rl.4; driver has been improved. It now
detects the link status and a bug which prevents it from
working on systems with more than 4GB memory has been
<sect3 id="net-proto">
<title>Network Protocols</title>
<para>IPv4 source address selection for unbound sockets has
been implemented as follows:</para>
<para>If we found a route, use the address corresponding
to the outgoing interface.</para>
<para>Otherwise we assume the foreign address is reachable
on a directly connected network and try to find a
corresponding interface to take the source address
<para>As a last resort use the default jail address.</para>
<para>This also changes the semantics of selecting the IP for
processes within a &man.jail.8; as it now uses the same
logic as outside the &man.jail.8;.</para>
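<para>The following is an added example, not part of the &os; sources or the original release notes. It shows one way to observe the source address the kernel selects for an unbound socket, for instance to check from inside a &man.jail.8; that traffic leaves from an address assigned to that jail. The helper names <literal>selected_source</literal> and <literal>source_is_expected</literal> are hypothetical, and the addresses in <literal>assigned</literal> are constructed sample values.</para>

```c
/* Added example, not FreeBSD project code. Helper names are hypothetical. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/*
 * Report the IPv4 source address the kernel selects for an unbound socket
 * sending to dst. connect() on a UDP socket transmits nothing; it only
 * runs source address selection and fixes the local address, which
 * getsockname() then returns. Returns 0 on success, -1 on error.
 */
int
selected_source(const char *dst, char *out, socklen_t outlen)
{
	struct sockaddr_in to, from;
	socklen_t fromlen = sizeof(from);
	int s, rc = -1;

	memset(&to, 0, sizeof(to));
	to.sin_family = AF_INET;
	to.sin_port = htons(9);		/* arbitrary port; nothing is sent */
	if (inet_pton(AF_INET, dst, &to.sin_addr) != 1)
		return (-1);
	if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1)
		return (-1);
	/* The socket is deliberately never bind()ed. */
	if (connect(s, (struct sockaddr *)&to, sizeof(to)) == 0 &&
	    getsockname(s, (struct sockaddr *)&from, &fromlen) == 0 &&
	    inet_ntop(AF_INET, &from.sin_addr, out, outlen) != NULL)
		rc = 0;
	close(s);
	return (rc);
}

/* Return 1 if src is one of the n addresses assigned to the jail. */
int
source_is_expected(const char *src, const char *const assigned[], size_t n)
{
	for (size_t i = 0; i < n; i++)
		if (strcmp(src, assigned[i]) == 0)
			return (1);
	return (0);
}

int
main(int argc, char **argv)
{
	/* Constructed sample: addresses this jail is supposed to own. */
	const char *const assigned[] = { "127.0.0.1", "192.0.2.10" };
	char src[INET_ADDRSTRLEN];

	/* Destinations come from the command line; loopback by default. */
	for (int i = 1; i < argc || i == 1; i++) {
		const char *dst = (argc > 1) ? argv[i] : "127.0.0.1";

		if (selected_source(dst, src, sizeof(src)) != 0) {
			printf("%-15s -> no source (bad address or no route)\n", dst);
			continue;
		}
		printf("%-15s -> %s%s\n", dst, src,
		    source_is_expected(src, assigned, 2) ? "" : "  UNEXPECTED");
	}
	return (0);
}
```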
<para>The &man.jail.8; subsystem now supports starting with a
specific route FIB.</para>
<para>The &man.ng.netflow.4; Netgraph node now supports the
ability to generate egress netflow instead of or in addition to
ingress. A <literal>NGM_NETFLOW_SETCONFIG</literal> control
message has been added to control the new functionality.</para>
<para>The &man.tap.4; Ethernet tunnel software network
interface now supports the <literal>TAPGIFNAME</literal>
character device ioctl. This is a convenient shortcut to
obtain the network interface name using the file descriptor for
the character device.</para>
<para>The domains list for handling the list of supported
domains in the &man.unix.4; (UNIX domain protocol family)
subsystem is now MPSAFE.</para>
<title>Disks and Storage</title>
<para>The &man.ata.4; driver now supports Marvell PATA M88SX6121.</para>
<para>An issue in the &man.gvinum.8; with access permissions
to underlying disks used by a gvinum plex has been fixed.
If the plex is a raid5 plex and is being written to, parity data might
have to be read from the underlying disks, requiring them to be opened for
reading as well as writing.</para>
<para>The &man.mmc.4; and &man.mmcsd.4; drivers now support MMC
and SDHC cards, high speed timing, wide bus, and multiblock
<para>The &man.sdhci.4; driver has been added. This supports
PCI devices with class 8 and subclass 5 according to SD Host
Controller Specification.</para>
<para>The &man.sdhci.4; driver now supports kernel dumping and
a sysctl variable <varname>hw.sdhci.debug</varname> for debug
<para>The &man.mmc.4;, &man.mmcsd.4;, and &man.sdhci.4; drivers
are now included as kernel modules.</para>
<title>File Systems</title>
<para>The semantics of &man.acl.3; extended access control
lists have been changed as follows:</para>
<para>The inode modification time (mtime) is not updated
when extended attributes are added, modified, or removed.</para>
<para>The inode access time (atime) is not updated
when extended attributes are queried.</para>
<para>The shared vnode locking for pathname lookups in the
&man.VFS.9; subsystem has been improved. This is disabled
by default. Setting a sysctl variable
<varname>vfs.lookup_shared</varname> to <literal>1</literal>
enables it for better performance. Note that the
<literal>LOOKUP_SHARED</literal> kernel option, equivalent to
the sysctl variable, has been removed.</para>
<sect2 id="userland">
<title>Userland Changes</title>
<para>A bug in the &man.atacontrol.8; utility which prevents it
from working when <filename>/usr</filename> is not mounted or
invoked from <filename>/rescue</filename>, has been
<para>The &man.config.8; utility now supports
multiple <varname>makeoption</varname> lines.</para>
<para>The &man.dirname.1; utility now accepts multiple arguments
in the same way that &man.basename.1; does.</para>
<para>The &man.du.1; utility now supports an <option>-l</option>
flag. When specified, &man.du.1; counts a file with
multiple hard links as multiple different files.</para>
<para>The &man.dumpfs.8; utility now supports an
<option>-f</option> flag, which causes it to list all free
fragments in the file system by fragment (block) number. This
new mode does the necessary arithmetic to generate absolute
fragment numbers rather than the cg-relative numbers
printed in the default mode.</para>
<para>If <option>-f</option> is passed once, contiguous fragment
ranges are collapsed into an X-Y format as free block lists are
currently printed in regular dumpfs output, but if specified twice,
all block numbers are printed individually, allowing both compact
and more script-friendly representation.</para>
<para>The &man.fetch.1; utility now supports an
<option>-i</option> flag which supports If-Modified-Since HTTP
<para>The &man.fsck.8; utility now supports a
<option>-D</option> flag for damaged recovery mode, which
enables certain aggressive operations that allow
&man.fsck.8; to survive file systems that have very
serious data damage. This is a useful last resort when
on-disk data damage is very serious and would otherwise
cause &man.fsck.8; to crash.</para>
<para>A bug in the &man.ipfw.8; utility which displays extra
messages for a NAT rule even when a <option>-q</option> flag
<para>The &man.ln.1; utility now supports a <option>-w</option>
flag to check if the source file actually exists. When the
flag is specified and the file does not exist, &man.ln.1;
prints a warning message.</para>
<para>The &man.netstat.1; utility now reports &man.unix.4;
sockets listen queue statistics when an <option>-L</option>
<para>A bug in the &man.netstat.1; utility has been fixed. It
crashed with the following options in the previous
<screen>&prompt.user; netstat -m -N foo</screen>
<para>A bug in the &man.netstat.1; utility has been fixed. The
<option>-ss</option> now works in the icmp6 section as
<para>The &man.pciconf.8; utility now supports a
<option>-b</option> flag, which lists any base address
registers (BAR) that are assigned resources for each
<para>The &man.powerd.8; program has been improved. Changes
include reasonable CPU load estimation on SMP systems and a
new mode named <literal>hiadaptive</literal> for AC-powered
systems, which raises frequency twice as fast, drops it 4 times
slower, prefers twice lower CPU load and has an additional delay
before leaving the highest frequency after the period of
<para>The &man.stat.1; utility now displays an octal
representation of suid, sgid and sticky bits when an
<option>-x</option> flag is specified.</para>
<para>The &man.strndup.3; function has been added.</para>
<para>The &man.wc.1; utility now supports an <option>-L</option>
flag to output the number of characters in the longest input
<para>A bug in the &man.rpc.yppasswdd.8; program which leaves a
zombie process when a password or default shell is changed has
<sect3 id="rc-scripts">
<title><filename>/etc/rc.d</filename> Scripts</title>
<title>Contributed Software</title>
<para><application>ISC BIND</application> has been updated to
version 9.4.3-P2.</para>
<para>The timezone database has been updated from
the <application>tzdata2008h</application> release to
the <application>tzdata2009f</application> release.</para>
<title>Ports/Packages Collection Infrastructure</title>
<para>A bug in the &man.pkg.create.1; which prevents the
<option>-n</option> flag from working has been fixed.</para>
<title>Release Engineering and Integration</title>
<para>The supported version of
the <application>GNOME</application> desktop environment
(<filename role="package">x11/gnome2</filename>) has been
updated from 2.22 to 2.26.</para>
<para>The supported version of
the <application>KDE</application> desktop environment has
been updated from 3.5.10 (<filename
role="package">x11/kde3</filename>) to 4.2.2 (<filename
role="package">x11/kde4</filename>).</para>
<title>Documentation</title>
<title>Upgrading from previous releases of &os;</title>
<para arch="amd64,i386">Beginning with &os; 6.2-RELEASE, binary
upgrades between RELEASE versions (and snapshots of the various
security branches) are supported using the
&man.freebsd-update.8; utility. The binary upgrade procedure
will update unmodified userland utilities, as well as unmodified
GENERIC or SMP kernels distributed as a part of an official &os;
release. The &man.freebsd-update.8; utility requires that the
host being upgraded have Internet connectivity.</para>
<para>An older form of binary upgrade is supported through the
<command>Upgrade</command> option from the main
&man.sysinstall.8; menu on CDROM distribution media. This type
of binary upgrade may be useful on non-&arch.i386;,
non-&arch.amd64; machines or on systems with no Internet
<para>Source-based upgrades (those based on recompiling the &os;
base system from source code) from previous versions are
supported, according to the instructions in
<filename>/usr/src/UPDATING</filename>.</para>
<para>Upgrading &os; should, of course, only be attempted after
backing up <emphasis>all</emphasis> data and configuration