&os; &release.current; Release Notes

The &os; Project

$FreeBSD$

2014 The &os; Documentation Project

&tm-attrib.freebsd; &tm-attrib.ibm; &tm-attrib.ieee; &tm-attrib.intel; &tm-attrib.sparc; &tm-attrib.general;

The release notes for &os; &release.current; contain a summary of the changes made to the &os; base system on the &release.branch; development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the &os; kernel and userland. Some brief remarks on upgrading are also presented.

Introduction

This document contains the release notes for &os; &release.current;. It describes recently added, changed, or deleted features of &os;. It also provides some notes on upgrading from previous versions of &os;.

This distribution of &os; &release.current; is a &release.type; distribution. It can be found at &release.url; or any of its mirrors. More information on obtaining this (or other) &release.type; distributions of &os; can be found in the Obtaining &os; appendix to the &os; Handbook.

All users are encouraged to consult the release errata before installing &os;. The errata document is updated with late-breaking information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for &os; &release.current; can be found on the &os; Web site.

What's New

This section describes the most user-visible new or changed features in &os; since &release.prev;.

Typical release note items document recent security advisories issued after &release.prev;, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices.
Clearly the release notes cannot list every single change made to &os; between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.

Security Advisories

Problems described in the following security advisories have been fixed. For more information, consult the individual advisories available from http://security.FreeBSD.org/.

Advisory                      Date              Topic
FreeBSD-SA-14:01.bsnmpd       14 January 2014   Fix &man.bsnmpd.1; remote denial of service vulnerability
FreeBSD-SA-14:02.ntpd         14 January 2014   Disable monitor feature in &man.ntpd.8; by default
FreeBSD-SA-14:04.bind         14 January 2014   Remote denial of service vulnerability
FreeBSD-SA-14:05.nfsserver    8 April 2014      Deadlock in the NFS server
FreeBSD-SA-14:06.openssl      8 April 2014      ECDSA side channel leak
FreeBSD-SA-14:08.tcp          30 April 2014     TCP reassembly vulnerability
FreeBSD-SA-14:11.sendmail     26 May 2014       Sendmail improper close-on-exec flag handling
FreeBSD-SA-14:12.ktrace       3 June 2014       &man.ktrace.1; kernel memory disclosure
FreeBSD-SA-14:13.pam          3 June 2014       Incorrect error handling in PAM policy parser
FreeBSD-SA-14:14.openssl      5 June 2014       Multiple vulnerabilities
FreeBSD-SA-14:16.file         24 June 2014      Multiple vulnerabilities

Kernel Changes

The &man.arcmsr.4; driver has been updated to version 1.20.00.28.
The &man.isci.4; driver is now loadable via &man.kldload.8;.
System-level &man.sysctl.8; values are now exposed to the system for the &man.ixgbe.4; device.
The &man.mfi.4; driver has been updated to support MegaRAID Invader controllers.
A kernel panic triggered in zfs_root() after a failed rollback has been fixed.
A new &man.sysctl.8;, debug.devfs_iosize_max_clamp, has been added, which enables and disables SSIZE_MAX-sized I/O requests on &man.devfs.5; files.
A new &man.sysctl.8;, kern.disallow_high_osrel, has been added, which disables executing images compiled on a userland with a higher major version number than the major version number of the running kernel.
A kernel panic triggered by unmounting a busy &man.zfs.8; filesystem has been fixed.
A deadlock triggered by powering off a USB device has been fixed.
The &man.ichsmb.4; driver has been updated to support Intel Lynx Point PCH SMBus devices.
The &man.ata.4; driver has been updated to support Coleto Creek devices.
The &man.ahci.4; driver has been updated to support the PCI-express solid state drive in the &apple; MacBook Air (model A1465).
The &man.sysctl.8; vfs.zfs.arc_meta_limit can now be changed at runtime.
The &man.mmap.2; system call has been updated to more optimally use superpages and provide support for tweaking the alignment of virtual mappings.
A workaround has been implemented in the &man.bge.4; driver for hung transmission on BCM5719 and BCM5720 chipsets.
A kernel panic when listing sysctls on a system with INVARIANTS enabled has been fixed.
A new &man.sysctl.8;, kern.supported_archs, has been added, which will list the MACHINE_ARCH values whose binaries can be run on the system.
Several problems that could trigger a kernel panic on &man.kldload.8; and &man.kldunload.8; have been fixed.
A kernel panic triggered by some multi-threaded applications has been fixed.
The &man.runfw.4; firmware has been renamed from runfw to run.fw for consistency with other firmware files.
A new &man.sysctl.8;, kern.panic_reboot_wait_time, has been added. This allows tuning the amount of time the system will wait before rebooting after &man.panic.9;. The kern.panic_reboot_wait_time value defaults to the kernel configuration option, PANIC_REBOOT_WAIT_TIME.
Hardware Random Number Generators have been disabled by default.
Support for GPS ports has been added to the &man.uhso.4; driver.
A memory leak of compressed buffers has been fixed in l2arc_write_done().
The &man.netmap.4; framework has been updated to match the version in head/, which includes netmap pipes, kqueue support, and enhanced VALE switch port.
A deadlock triggered by sending a mounted &man.zfs.8; snapshot has been fixed.
Support for SIIG X1 PCI-e has been added to &man.ppc.4;.
Support for the ext4 filesystem has been enabled, supporting read-only mounts.
A kernel panic triggered by inserting a USB ethernet device on VIMAGE-enabled systems has been fixed.
TTM, a memory manager used by video drivers, has been merged.
Support for /sys/kernel/random/uuid has been added to &man.linprocfs.5;.
A memory leak in the zpool_in_use() function has been fixed.
The extensible_dataset &man.zpool.8; feature has been added. See &man.zpool-features.7; for more information.
A memory leak has been fixed in libzfs.
The &man.vt.4; driver has been merged from head/.
The &man.mpr.4; device has been added, providing support for LSI Fusion-MPT 3 12Gb SCSI/SATA controllers.
A kernel bug that inhibited proper functionality of the dev.cpu.0.freq &man.sysctl.8; on &intel; processors with Turbo Boost™ enabled has been fixed.
Support for &man.xen.4; hardware-assisted virtualization, XENHVM, is now available as a loadable module, xenhvm.ko.

Hardware Support

Trackpad support for &apple; MacBook products has been added.
The &man.nve.4; driver has been deprecated, and the &man.nfe.4; driver should be used instead.
The &man.mfi.4; driver has been updated to support MegaRAID Fury cards.
The Radeon KMS driver has been added.
The &man.aacraid.4; driver has been updated to version 3.2.5.

Network Interface Support

The &man.re.4; driver has been updated to add preliminary support for the RTL8106E chipset.
The &man.re.4; driver has been updated to support the RTL8168G, RTL8168GU and RTL8411B chipsets.
The &man.re.4; driver has been updated to add preliminary support for the RTL8168EP chipset.
The &man.oce.4; driver has been updated to version 10.0.664.0.
The &man.qlxgbe.4; driver has been imported from head/.
The &man.qlxge.4; driver has been imported from head/.
The &man.bge.4; driver has been updated to support the BCM5725 chipset.
The &man.bge.4; driver has been updated to support the BCM57764, BCM57767, BCM57782, BCM57786 and BCM57787 chipsets.
The &man.run.4; driver has been updated to support MediaTek/Ralink chipsets RT5370 and RT5372.
The &man.usb.4; wireless radiotap headers have been realigned, allowing wireless adapters to work on &arch.arm;, &arch.mips;, and other similar platforms where alignment is important.
The &man.run.4; firmware has been updated to version 0.33.
The &man.bxe.4; driver has been merged from head/, providing support for Broadcom NetXtreme II 10Gb PCIe adapters.
The &man.run.4; driver has been updated to include support for the MediaTek/Ralink RT3593 chipset.
The &man.run.4; driver has been updated to include support for the DLINK DWA-127 wireless adapter.
The &man.axge.4; driver has been added.
The &man.urndis.4; driver has been imported from OpenBSD.
The &man.bxe.4; driver has been updated to version 1.78.78.

File Systems

The &man.zfs.8; filesystem has been updated to support the bookmarks feature.

Userland Changes

A new flag, -c, has been added to &man.pgrep.1; and &man.pkill.1;, which restricts the process lookup to the specified login class.
The &man.ddb.8; utility has been updated to add show ioapic and show all ioapics.
Setting nmbcluster values to their current value will now be ignored, instead of failing with an error.
The /var/cache directory is now created with mode 0755 instead of mode 0750, since this directory is used by many third-party applications, which makes dropping group privileges impossible.
The &man.uname.1; utility has been updated to include the -U and -K flags, which print the __FreeBSD_version for the running userland and kernel, respectively.
The &man.fetch.3; library has been updated to support SNI (Server Name Indication), allowing the use of virtual hosts over HTTPS.
A segmentation fault and internal compiler error bug in &man.gcc.1; triggered by throwing a warning before parsing any tokens has been fixed.
Several updates to &man.gcc.1; have been imported from Google.
A byte-order bug in the Heimdal gss_pseudo_random() function which would prevent interoperability with other Kerberos implementations has been fixed. In particular, this would prevent interoperability with the MIT implementation.
The &man.hastctl.8; utility has been updated to output the current queue sizes.
The &man.ps.1; utility will no longer truncate the command output column.
The &man.protect.1; command has been added, which allows exempting processes from being killed when swap is exhausted.
The &man.gmirror.8; utility now prevents deactivating the last component of a mirror.
A new &man.gmirror.8; command, gmirror destroy, has been added, which will destroy the &man.geom.8; and erase the &man.gmirror.8; metadata.
The &man.etcupdate.8; utility, a tool for managing updates to files in /etc, has been merged from head/.
The &man.find.1; utility has been updated to fix incorrect behavior with the -lname and -ilname flags.
The hw.uart.console is now always updated when the comconsole setup changes.
The &man.kldload.8; utility has been updated to display a message directing the user to &man.dmesg.8;, instead of the cryptic message Exec format error.
A bug that could trigger an infinite loop in KDE and X has been fixed.
The &man.newsyslog.8; utility has been changed to use the size of the file, instead of the blocks the file takes on the disk, to match the behavior documented in &man.newsyslog.conf.5;.
A bug in &man.zdb.8; which would cause numeric parameters to a flag to be treated as additional flags has been fixed.
The default number of &man.nfsd.8; threads has been increased from 4 to (8 * N), where N is the number of CPUs as reported by sysctl -n hw.ncpu.
The &man.pciconf.8; utility now has a -V flag, which lists information such as serial numbers for each device.
A bug that would allow creating a &man.zfs.8; snapshot of an inconsistent dataset has been fixed.
Receiving a &man.zfs.8; dataset with zfs recv -F now properly destroys any snapshots that were created since the incremental source snapshot.
Installation from a read-only .OBJDIR has been fixed.
A new shared library directory, /usr/lib/private, has been added for internal-use shared libraries.
A default libmap32.conf has been added, for 32-bit applications.
The libucl library, a JSON-compatible configuration file parsing library, has been imported.
The &man.pkg.7; package management utility has been synchronized with head/. This implements binary package signature verification when bootstrapping the system with pkg bootstrap.
The system timezone data files have been updated to version tzdata2014a.
The NetBSD &man.make.1; utility, bmake, has been imported for compatibility with the &os; Ports Collection. It is installed as bmake, and make remains the &os; version.
The &man.fetch.3; library now supports Last-Modified timestamps which return UTC instead of GMT.
Aliases for the &man.zfs.8; commands list -t snap and snap have been added to match &oracle; Solaris 11.
A new flag, -p, has been added to the &man.zfs.8; list command, providing output in a parseable form.
OpenPAM has been updated to Nummularia (20130907), which incorporates several bug fixes and documentation improvements. The &man.openpam.ttyconv.3; library has been completely rewritten.
The &man.sh.1; command interpreter has been updated to expand assignments after export, local, and readonly differently. As a result of this change, variable assignment such as local v=$1 will assign the first positional parameter to v, even if $1 contains spaces, and local w=~/myfile will expand the tilde (~).
The &man.find.1; utility has been updated to implement -ignore_readdir_race. Prior to this change, -ignore_readdir_race existed as an option for GNU &man.find.1; compatibility, and was ignored if specified. A counter primary, -noignore_readdir_race, now also exists, and is the default behavior.
The &man.ps.1; utility has been updated to include the -J flag, used to filter output by matching &man.jail.8; IDs and names. Additionally, argument 0 can be passed to -J to only list processes running on the host system.
The &man.top.1; utility has been updated to filter by &man.jail.8; ID or name, in followup to the &man.ps.1; change in r265229.
The Blowfish &man.crypt.3; default format has been changed to $2b$.
The default &man.newsyslog.conf.5; now includes files in the /etc/newsyslog.conf.d/ and /usr/local/etc/newsyslog.conf.d/ directories by default for &man.newsyslog.8;.
A new flag, onifconsole, has been added to /etc/ttys. This allows the system to provide a login prompt via serial console if the device is an active kernel console, otherwise it is equivalent to off.
The &man.arc4random.3; library has been updated to match that of &os;-CURRENT.
The &man.pmcstat.8; utility has been updated to include a new flag, -l, which ends event collection after the specified number of seconds.
The &os; Project has migrated from the GNATS bug tracking system to Bugzilla. The &man.send-pr.1; utility used for submitting problem reports has been replaced with a stub shell script that instructs users to use the Bugzilla web interface.

&man.periodic.8; Scripts

The /etc/periodic/security/800.loginfail &man.periodic.8; script has been refined to catch more authentication failures and reduce false positives.

&man.rc.8; Scripts

Support for first boot scripts has been added to &man.rc.8;. See &man.rc.8; and &man.rc.conf.5; for implementation details.
The &man.rc.8; system will now re-source &man.rc.conf.5; on receipt of SIGALRM.

Contributed Software

The &man.readline.3; library has been updated to version 1.104.
Sendmail has been updated to version 8.14.9.
BIND has been updated to version 9.9.5.
The &man.xz.1; utility has been updated to a post-5.0.5 snapshot.
OpenSSH has been updated to version 6.6p1.
OpenSSL has been updated to version 0.9.8za.

Ports and Packages

Note to &os; desktop users: please read this section carefully, especially before upgrading ports that depend on Xorg.

In April 2014, the &os; Ports collection switched to a newer version of Xorg that supports KMS (Kernel Mode Setting). Users upgrading from earlier versions of &os; 9.x or &os; 8.x should be aware of several things regarding Xorg:

When applications are built from the &os; Ports Collection or installed from the new_xorg &man.pkg.8; repository, the newer, KMS-aware version of Xorg is used.
The KMS version of Xorg does not switch back to text mode after leaving the X desktop environment, and the system console will not be visible.
The new &man.vt.4; console driver supports graphic consoles and keeps the console visible after X has exited. The &man.vt.4; driver must be compiled into the kernel. A VT kernel configuration example file is included in &release.current;, but is not compiled or enabled by default. See &man.vt.4; and the vt(4) wiki page for additional information.
The older Xorg that does not support KMS can still be installed from the latest upstream &man.pkg.8; repository and the packages included on the &release.current; DVD. However, it is important to note that some newer applications require the newer Xorg, and will not work with the old version. The newer Xorg is recommended, and should be used unless not compatible with legacy graphics cards.
To continue using the old version of Xorg when building from the &os; Ports Collection, set WITHOUT_NEW_XORG=yes in &man.make.conf.5;.
Packages for KDE4 are not available in the default (latest) &man.pkg.8; repository, but are available in the new_xorg repository. See the announcement email for details on how to use the new_xorg repository.

Release Engineering and Integration

As part of the release build, the &man.etcupdate.8; utility will bootstrap the system, allowing &man.etcupdate.8; to work after the first upgrade of a system.
The release.sh script and release Makefile have been updated to use &man.pkg.7; to populate the dvd installation medium.
The &man.services.mkdb.8; utility has been updated to support multiple byte orders. Similar to &man.cap.mkdb.1;, the services.db will be created with proper endianness as part of cross-architecture release builds.

Upgrading from Previous Releases of &os;

Upgrading Using &man.freebsd-update.8; or a Source-Based Procedure

Binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the &man.freebsd-update.8; utility. The binary upgrade procedure will update unmodified userland utilities, as well as an unmodified GENERIC kernel, distributed as a part of an official &os; release. The &man.freebsd-update.8; utility requires that the host being upgraded have Internet connectivity.

Source-based upgrades (those based on recompiling the &os; base system from source code) from previous versions are supported according to the instructions in /usr/src/UPDATING.

For more specific information about upgrading instructions, see http://www.FreeBSD.org/releases/9.3R/installation.html.

Upgrading &os; should only be attempted after backing up all data and configuration files.

User-Visible Incompatibilities

&os; 9.0 and later versions have several configuration incompatibilities with earlier versions of &os;. These differences are best understood before upgrading. Please read this section and the Upgrading Section in 9.0-RELEASE Release Notes carefully before submitting a problem report and/or posting a question to the &os; mailing lists.