&os; &release.current; Release Notes

The &os; Project

$FreeBSD$

2014 The &os; Documentation Project

&tm-attrib.freebsd; &tm-attrib.ibm; &tm-attrib.ieee; &tm-attrib.intel; &tm-attrib.sparc; &tm-attrib.general;

The release notes for &os; &release.current; contain a summary of the changes made to the &os; base system on the &release.branch; development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the &os; kernel and userland. Some brief remarks on upgrading are also presented.

Introduction

This document contains the release notes for &os; &release.current;. It describes recently added, changed, or deleted features of &os;. It also provides some notes on upgrading from previous versions of &os;.

This distribution of &os; &release.current; is a &release.type; distribution. It can be found at &release.url; or any of its mirrors. More information on obtaining this (or other) &release.type; distributions of &os; can be found in the Obtaining &os; appendix to the &os; Handbook.

All users are encouraged to consult the release errata before installing &os;. The errata document is updated with late-breaking information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for &os; &release.current; can be found on the &os; Web site.

What's New

This section describes the most user-visible new or changed features in &os; since &release.prev;. Typical release note items document recent security advisories issued after &release.prev;, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices.
Clearly the release notes cannot list every single change made to &os; between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.

Security Advisories

Problems described in the following security advisories have been fixed. For more information, consult the individual advisories available from http://security.FreeBSD.org/.

Advisory                    Date             Topic
FreeBSD-SA-14:01.bsnmpd     14 January 2014  Fix &man.bsnmpd.1; remote denial of service vulnerability
FreeBSD-SA-14:02.ntpd       14 January 2014  Disable monitor feature in &man.ntpd.8; by default
FreeBSD-SA-14:04.bind       14 January 2014  Remote denial of service vulnerability
FreeBSD-SA-14:05.nfsserver  8 April 2014     Deadlock in the NFS server
FreeBSD-SA-14:06.openssl    8 April 2014     ECDSA side channel leak
FreeBSD-SA-14:08.tcp        30 April 2014    TCP reassembly vulnerability
FreeBSD-SA-14:11.sendmail   26 May 2014      Sendmail improper close-on-exec flag handling
FreeBSD-SA-14:12.ktrace     3 June 2014      &man.ktrace.1; kernel memory disclosure
FreeBSD-SA-14:13.pam        3 June 2014      Incorrect error handling in PAM policy parser
FreeBSD-SA-14:14.openssl    5 June 2014      Multiple vulnerabilities

Kernel Changes

The &man.arcmsr.4; driver has been updated to version 1.20.00.28.

The &man.isci.4; driver is now loadable via &man.kldload.8;.

System-level &man.sysctl.8; values are now exposed to the system for the &man.ixgbe.4; device.

The &man.mfi.4; driver has been updated to support MegaRAID Invader controllers.

A kernel panic triggered in zfs_root() after a failed rollback has been fixed.

A new &man.sysctl.8;, debug.devfs_iosize_max_clamp, has been added, which enables and disables SSIZE_MAX-sized I/O requests on &man.devfs.5; files.

A new &man.sysctl.8;, kern.disallow_high_osrel, has been added, which disables executing images compiled on a userland with a higher major version number than the major version number of the running kernel.

A kernel panic triggered by unmounting a busy &man.zfs.8; filesystem has been fixed.

A deadlock triggered by powering off a USB device has been fixed.

The &man.ata.4; driver has been updated to support Intel Lynx Point PCH SMBus devices.

The &man.ata.4; driver has been updated to support Coleto Creek devices.

The &man.ahci.4; driver has been updated to support the PCI-express solid state drive in the &apple; MacBook Air (model A1465).

The &man.sysctl.8; vfs.zfs.arc_meta_limit can now be changed at runtime.

The &man.mmap.2; system call has been updated to more optimally use superpages and provide support for tweaking the alignment of virtual mappings.

A workaround has been implemented in the &man.bge.4; driver for hung transmission on BCM5719 and BCM5720 chipsets.

A kernel panic when listing sysctls on a system with INVARIANTS enabled has been fixed.

A new &man.sysctl.8;, kern.supported_archs, has been added, which will list the MACHINE_ARCH values whose binaries can be run on the system.

Several problems that could trigger a kernel panic on &man.kldload.8; and &man.kldunload.8; have been fixed.

A kernel panic triggered by some multi-threaded applications has been fixed.

The &man.runfw.4; firmware has been renamed from runfw to run.fw for consistency with other firmware files.

A new &man.sysctl.8;, kern.panic_reboot_wait_time, has been added. This allows tuning the amount of time the system will wait before rebooting after &man.panic.9;. The kern.panic_reboot_wait_time value defaults to the kernel configuration option, PANIC_REBOOT_WAIT_TIME.

Hardware Random Number Generators have been disabled by default.

Support for GPS ports has been added to the &man.uhso.4; driver.

A memory leak of compressed buffers has been fixed in l2arc_write_done().

The &man.netmap.4; framework has been updated to match the version in head/, which includes netmap pipes, kqueue support, and enhanced VALE switch port.

A deadlock triggered by sending a mounted &man.zfs.8; snapshot has been fixed.

Support for SIIG X1 PCI-e has been added to &man.ppc.4;.

Support for the ext4 filesystem has been enabled, supporting read-only mounts.

A kernel panic triggered by inserting a USB ethernet device on VIMAGE-enabled systems has been fixed.

TTM, a memory manager used by video drivers, has been merged.

Support for /sys/kernel/random/uuid has been added to &man.linprocfs.5;.

A memory leak in the zpool_in_use() function has been fixed.

The extensible_dataset &man.zpool.8; feature has been added. See &man.zpool-features.7; for more information.

A memory leak has been fixed in libzfs.

The vt driver has been merged from head/.

The &man.mpr.4; device has been added, providing support for LSI Fusion-MPT 3 12Gb SCSI/SATA controllers.

A kernel bug that inhibited proper functionality of the dev.cpu.0.freq &man.sysctl.8; on &intel; processors with Turbo Boost™ enabled has been fixed.

Support for &man.xen.4; hardware-assisted virtualization, XENHVM, is now available as a loadable module, xenhvm.ko.

Hardware Support

Trackpad support for &apple; MacBook products has been added.

The &man.nve.4; driver has been deprecated, and the &man.nfe.4; driver should be used instead.

The &man.mfi.4; driver has been updated to support MegaRAID Fury cards.

The Radeon KMS driver has been added.

The &man.aacraid.4; driver has been updated to version 3.2.5.

Network Interface Support

The &man.re.4; driver has been updated to add preliminary support for the RTL8106E chipset.

The &man.re.4; driver has been updated to support the RTL8168G, RTL8168GU and RTL8411B chipsets.

The &man.re.4; driver has been updated to add preliminary support for the RTL8168EP chipset.

The &man.oce.4; driver has been updated to version 10.0.664.0.

The &man.qlxgbe.4; driver has been imported from head/.

The &man.qlxge.4; driver has been imported from head/.

The &man.bge.4; driver has been updated to support the BCM5725 chipset.

The &man.bge.4; driver has been updated to support the BCM57764, BCM57767, BCM57782, BCM57786 and BCM57787 chipsets.

The &man.run.4; driver has been updated to support MediaTek/Ralink chipsets RT5370 and RT5372.

The &man.usb.4; wireless radiotap headers have been realigned, allowing wireless adapters to work on &arch.arm;, &arch.mips;, and other similar platforms where alignment is important.

The &man.run.4; firmware has been updated to version 0.33.

The &man.bxe.4; driver has been merged from head/, providing support for Broadcom NetXtreme II 10Gb PCIe adapters.

The &man.run.4; driver has been updated to include support for the MediaTek/Ralink RT3593 chipset.

The &man.run.4; driver has been updated to include support for the DLINK DWA-127 wireless adapter.

The &man.axge.4; driver has been added.

The &man.urndis.4; driver has been imported from OpenBSD.

The &man.bxe.4; driver has been updated to version 1.78.78.

File Systems

The &man.zfs.8; filesystem has been updated to support the bookmarks feature.

Userland Changes

A new flag, -c, has been added to &man.pgrep.1; and &man.pkill.1;, which restricts the process lookup to the specified login class.

The &man.ddb.8; utility has been updated to add show ioapic and show all ioapics.

Setting nmbcluster values to their current value will now be ignored, instead of failing with an error.

The /var/cache directory is now created with mode 0755 instead of mode 0750, since this directory is used by many third-party applications, which makes dropping group privileges impossible.

The &man.uname.1; utility has been updated to include the -U and -K flags, which print the __FreeBSD_version for the running userland and kernel, respectively.

The &man.fetch.3; library has been updated to support SNI (Server Name Indication), allowing the use of virtual hosts on HTTPS.

A segmentation fault and internal compiler error bug in &man.gcc.1; triggered by throwing a warning before parsing any tokens has been fixed.

Several updates to &man.gcc.1; have been imported from Google.

A byte-order bug in the Heimdal gss_pseudo_random() function which would prevent interoperability with other Kerberos implementations has been fixed. In particular, this would prevent interoperability with the MIT implementation.

The &man.hastctl.8; utility has been updated to output the current queue sizes.

The &man.ps.1; utility will no longer truncate the command output column.

The &man.protect.1; command has been added, which allows exempting processes from being killed when swap is exhausted.

The &man.gmirror.8; utility now prevents deactivating the last component of a mirror.

A new &man.gmirror.8; command, gmirror destroy, has been added, which will destroy the &man.geom.8; and erase the &man.gmirror.8; metadata.

The &man.etcupdate.8; utility, a tool for managing updates to files in /etc, has been merged from head/.

The &man.find.1; utility has been updated to fix incorrect behavior with the -lname and -ilname flags.

The hw.uart.console is now always updated when the comconsole setup changes.

The &man.kldload.8; utility has been updated to display a message directing to &man.dmesg.8;, instead of the cryptic message Exec format error.

A bug that could trigger an infinite loop in KDE and X has been fixed.

The &man.newsyslog.8; utility has been changed to use the size of the file, instead of the blocks the file takes on the disk, to match the behavior documented in &man.newsyslog.conf.5;.

A bug in &man.zdb.8; which would cause numeric parameters to a flag to be treated as additional flags has been fixed.

The default number of &man.nfsd.8; threads has been increased from 4 to (8 * N), where N is the number of CPUs as reported by sysctl -n hw.ncpu.

The &man.pciconf.8; utility now has a -V flag, which lists information such as serial numbers for each device.

A bug that would allow creating a &man.zfs.8; snapshot of an inconsistent dataset has been fixed.

Receiving a &man.zfs.8; dataset with zfs recv -F now properly destroys any snapshots that were created since the incremental source snapshot.

Installation from a read-only .OBJDIR has been fixed.

A new shared library directory, /usr/lib/private, has been added for internal-use shared libraries.

A default libmap32.conf has been added, for 32-bit applications.

The libucl library, a JSON-compatible configuration file parsing library, has been imported.

The &man.pkg.7; package management utility has been synchronized with head/. This implements binary package signature verification when bootstrapping the system with pkg bootstrap.

The system timezone data files have been updated to version tzdata2014a.

The NetBSD &man.make.1; utility, bmake, has been imported for compatibility with the &os; Ports Collection. It is installed as bmake, and make remains the &os; version.

The &man.fetch.3; library now supports Last-Modified timestamps which return UTC instead of GMT.

Aliases for the &man.zfs.8; commands list -t snap and snap have been added to match &oracle; Solaris 11.

A new flag, -p, has been added to the &man.zfs.8; list command, providing output in a parseable form.

OpenPAM has been updated to Nummularia (20130907), which incorporates several bug fixes and documentation improvements. The &man.openpam.ttyconv.3; library has been completely rewritten.

The &man.sh.1; command interpreter has been updated to expand assignments after export, local, and readonly differently. As a result of this change, a variable assignment such as local v=$1 will assign the first positional parameter to v, even if $1 contains spaces, and local w=~/myfile will expand the tilde (~).

The &man.find.1; utility has been updated to implement -ignore_readdir_race. Prior to this change, -ignore_readdir_race existed as an option for GNU &man.find.1; compatibility, and was ignored if specified. A counter primary, -noignore_readdir_race, now also exists, and is the default behavior.

The &man.ps.1; utility has been updated to include the -J flag, used to filter output by matching &man.jail.8; IDs and names. Additionally, argument 0 can be passed to -J to only list processes running on the host system.

The &man.top.1; utility has been updated to filter by &man.jail.8; ID or name, as a follow-up to the &man.ps.1; change in r265229.

The Blowfish &man.crypt.3; default format has been changed to $2b$.

The default &man.newsyslog.conf.5; now includes files in the /etc/newsyslog.conf.d/ and /usr/local/etc/newsyslog.conf.d/ directories by default for &man.newsyslog.8;.

A new flag, onifconsole, has been added to /etc/ttys. This allows the system to provide a login prompt via serial console if the device is an active kernel console; otherwise it is equivalent to off.

The &man.arc4random.3; library has been updated to match that of &os;-CURRENT.

The &man.pmcstat.8; utility has been updated to include a new flag, -l, which ends event collection after the specified number of seconds.

&man.periodic.8; Scripts

The /etc/periodic/security/800.loginfail &man.periodic.8; script has been refined to catch more authentication failures and reduce false positives.

&man.rc.8; Scripts

Support for first boot scripts has been added to &man.rc.8;. See &man.rc.8; and &man.rc.conf.5; for implementation details.

The &man.rc.8; system will now re-source &man.rc.conf.5; on receipt of SIGALRM.

Contributed Software

The &man.readline.3; library has been updated to version 1.104.

Sendmail has been updated to version 8.14.9.

BIND has been updated to version 9.9.5.

The &man.xz.1; utility has been updated to a post-5.0.5 snapshot.

OpenSSH has been updated to version 6.6p1.

OpenSSL has been updated to version 0.9.8za.

Release Engineering and Integration

As part of the release build, the &man.etcupdate.8; utility will bootstrap the system, allowing &man.etcupdate.8; to work after the first upgrade of a system.

The release.sh script and release Makefile have been updated to use &man.pkg.7; to populate the DVD installation medium.

The &man.services.mkdb.8; utility has been updated to support multiple byte orders. Similar to &man.cap.mkdb.1;, the services.db will be created with proper endianness as part of cross-architecture release builds.

Upgrading from Previous Releases of &os;

Upgrading Using &man.freebsd-update.8; or a Source-Based Procedure

Binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the &man.freebsd-update.8; utility. The binary upgrade procedure will update unmodified userland utilities, as well as an unmodified GENERIC kernel, distributed as a part of an official &os; release. The &man.freebsd-update.8; utility requires that the host being upgraded have Internet connectivity.

Source-based upgrades (those based on recompiling the &os; base system from source code) from previous versions are supported according to the instructions in /usr/src/UPDATING.

For more specific information about upgrading instructions, see http://www.FreeBSD.org/releases/9.3R/installation.html.

Upgrading &os; should only be attempted after backing up all data and configuration files.

User-Visible Incompatibilities

&os; 9.0 and later have several incompatibilities in system configuration which you might want to know about before upgrading your system. Please read this section and the Upgrading Section in the 9.0-RELEASE Release Notes carefully before submitting a problem report and/or posting a question to the &os; mailing lists.