- Remove bge(4) item [*].

[FreeBSD/stable/8.git] / release / doc / en_US.ISO8859-1 / errata / article.xml

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE article PUBLIC "-//FreeBSD//DTD DocBook XML V4.5-Based Extension//EN"
        "../../../share/xml/freebsd45.dtd" [
<!ENTITY % release PUBLIC "-//FreeBSD//ENTITIES Release Specification//EN" "release.ent">
%release;
]>

<article>
  <articleinfo>
    <title>&os; &release; Errata </title>

    <corpauthor>
    The &os; Project
    </corpauthor>

    <pubdate>$FreeBSD$</pubdate>

    <copyright>
      <year>2013</year>
      <holder role="mailto:doc@FreeBSD.org">The &os; Documentation Project</holder>
    </copyright>

    <legalnotice id="trademarks" role="trademarks">
      &tm-attrib.freebsd;
      &tm-attrib.intel;
      &tm-attrib.sparc;
      &tm-attrib.general;
    </legalnotice>
  </articleinfo>

  <abstract>
    <para>This document lists errata items for &os; &release;,
      containing significant information discovered after the release
      or too late in the release cycle to be otherwise included in the
      release documentation.
      This information includes security advisories, as well as news
      relating to the software or documentation that could affect its
      operation or usability.  An up-to-date version of this document
      should always be consulted before installing this version of
      &os;.</para>

    <para>This errata document for &os; &release;
      will be maintained until the release of &os; &release.next;.</para>
  </abstract>

  <sect1 id="intro">
    <title>Introduction</title>

    <para>This errata document contains <quote>late-breaking news</quote>
      about &os; &release;
      Before installing this version, it is important to consult this
      document to learn about any post-release discoveries or problems
      that may already have been found and fixed.</para>

    <para>Any version of this errata document actually distributed
      with the release (for example, on a CDROM distribution) will be
      out of date by definition, but other copies are kept updated on
      the Internet and should be consulted as the <quote>current
      errata</quote> for this release.  These other copies of the
      errata are located at <ulink
      url="http://www.FreeBSD.org/releases/"></ulink>, plus any sites
      which keep up-to-date mirrors of this location.</para>

    <para>Source and binary snapshots of &os; &release.branch; also
      contain up-to-date copies of this document (as of the time of
      the snapshot).</para>

    <para>For a list of all &os; CERT security advisories, see <ulink
      url="http://www.FreeBSD.org/security/"></ulink> or <ulink
      url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/"></ulink>.</para>
  </sect1>

  <sect1 id="security">
    <title>Security Advisories</title>

    <para>The following security advisories pertain to &os; &release;.
      For more information, consult the individual advisories available from
      <ulink url="http://security.FreeBSD.org/"></ulink>.</para>

    <informaltable frame="none" pgwide="1">
      <tgroup cols="3">
        <colspec colwidth="1*" />
        <colspec colwidth="1*" />
        <colspec colwidth="3*" />
        <thead>
          <row>
            <entry>Advisory</entry>
            <entry>Date</entry>
            <entry>Topic</entry>
          </row>
        </thead>

        <tbody>
          <row>
            <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-12:01.openssl.asc"
                >SA-12:01.openssl</ulink></entry>

            <entry>03&nbsp;May&nbsp;2012</entry>

            <entry><para>OpenSSL multiple vulnerabilities</para></entry>
          </row>

          <row>
            <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-12:02.crypt.asc"
                >SA-12:02.crypt</ulink></entry>

            <entry>30&nbsp;May&nbsp;2012</entry>

            <entry><para>Incorrect crypt() hashing</para></entry>
          </row>

          <row>
            <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-12:03.bind.asc"
                >SA-12:03.bind</ulink></entry>

            <entry>12&nbsp;June&nbsp;2012</entry>

            <entry><para>Incorrect handling of zero-length RDATA fields in named(8)</para></entry>
          </row>

          <row>
            <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-12:04.sysret.asc"
                >SA-12:04.sysret</ulink></entry>

            <entry>12&nbsp;June&nbsp;2012</entry>

            <entry><para>Privilege escalation when returning from kernel</para></entry>
          </row>

          <row>
            <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-12:05.bind.asc"
                >SA-12:05.bind</ulink></entry>

            <entry>06&nbsp;August&nbsp;2012</entry>

            <entry><para>named(8) DNSSEC validation Denial of Service</para></entry>
          </row>

          <row>
            <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-12:06.bind.asc"
                >SA-12:06.bind</ulink></entry>

            <entry>22&nbsp;November&nbsp;2012</entry>

            <entry><para>Multiple Denial of Service vulnerabilities with named(8)</para></entry>
          </row>

          <row>
            <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-12:07.hostapd.asc"
                >SA-12:07.hostapd</ulink></entry>

            <entry>22&nbsp;November&nbsp;2012</entry>

            <entry><para>Insufficient message length validation for EAP-TLS messages</para></entry>
          </row>

          <row>
            <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-12:08.linux.asc"
                >SA-12:08.linux</ulink></entry>

            <entry>22&nbsp;November&nbsp;2012</entry>

            <entry><para>Linux compatibility layer input validation error</para></entry>
          </row>

          <row>
            <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-13:02.libc.asc"
                >SA-13:02.libc</ulink></entry>

            <entry>19&nbsp;February&nbsp;2013</entry>

            <entry><para>glob(3) related resource exhaustion</para></entry>
          </row>

          <row>
            <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-13:03.openssl.asc"
                >SA-13:03.openssl</ulink></entry>

            <entry>02&nbsp;April&nbsp;2013</entry>

            <entry><para>OpenSSL multiple vulnerabilities</para></entry>
          </row>

          <row>
            <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-13:04.bind.asc"
                >SA-13:04.bind</ulink></entry>

            <entry>02&nbsp;April&nbsp;2013</entry>

            <entry><para>BIND remote denial of service</para></entry>
          </row>

          <row>
            <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-13:05.nfsserver.asc"
                >SA-13:05.nfsserver</ulink></entry>

            <entry>29&nbsp;April&nbsp;2013</entry>

            <entry><para>Insufficient input validation in the NFS server</para></entry>
          </row>
        </tbody>
      </tgroup>
    </informaltable>
  </sect1>

  <sect1 id="open-issues">
    <title>Open Issues</title>

    <para>[20130609] There is incompatibility in &man.jail.8;
      configuration because the &man.jail.8; utility and
      <filename>rc.d/jail</filename> script has been changed.  More
      specifically, the following &man.sysctl.8; variables cannot be
      used to set the default parameters for jails:</para>

    <programlisting>security.jail.mount_zfs_allowed
security.jail.mount_procfs_allowed
security.jail.mount_nullfs_allowed
security.jail.mount_devfs_allowed
security.jail.mount_allowed
security.jail.chflags_allowed
security.jail.allow_raw_sockets
security.jail.sysvipc_allowed
security.jail.socket_unixiproute_only
security.jail.set_hostname_allowed</programlisting>

    <para>These could be set by manually using &man.sysctl.8; utility,
      the &man.sysctl.conf.5; file, or for some of them the following
      variables in &man.rc.conf.5;:</para>

    <programlisting>jail_set_hostname_allow="yes"
jail_socket_unixiproute_only="yes"
jail_sysvipc_allow="yes"</programlisting>

    <para>These parameters must now be specified in
      <varname>jail_parameters</varname> (or
      <varname>jail_<replaceable>jailname</replaceable>_parameters</varname>
      for per-jail configuration) in &man.rc.conf.5;.  For
      example:</para>

    <programlisting>jail_parameters="allow.sysvipc allow.raw_sockets"</programlisting>

    <para>The valid keywords are the following.  For more detail, see
      &man.jail.8; manual page.</para>

    <programlisting>allow.set_hostname
allow.sysvipc
allow.raw_sockets
allow.chflags
allow.mount
allow.mount.devfs
allow.mount.nullfs
allow.mount.procfs
allow.mount.zfs
allow.quotas
allow.socket_af</programlisting>

    <para>[20130608] &os; &release; no longer supports &os; CVS
      repository.  Some documents mistakenly refer to
      <literal>RELENG_8_4_0_RELEASE</literal> as CVS tag for the release and
      <literal>RELENG_8_4</literal> as CVS branch tag for the
      &release; security branch.  However, &os; Project no longer
      supports &os; CVS repository and &release; has been released by
      using &os; subversion repository instead.
      <literal>RELENG_8_4</literal> corresponds to
      <literal>svn://svn.FreeBSD.org/base/releng/8.4</literal>, and
      <literal>RELENG_8_4_0_RELEASE</literal> corresponds to
      <literal>svn://svn.FreeBSD.org/base/release/8.4.0</literal>.
      Please note that &os; source tree for &release; and its security
      branch cannot be updated by using official CVSup servers.</para>

    <para>[20130607] (removed about a &man.bge.4; network interface
        driver issue because it was incorrect)</para>

    <para>[20130606] The &man.fxp.4; network interface driver may not
      work well with the &man.dhclient.8; utility.  More specifically,
      if the <filename>/etc/rc.conf</filename> has the following
      line:</para>

    <programlisting>ifconfig_fxp0="DHCP"</programlisting>

    <para>to activate a DHCP client to configure the network
      interface, the following notification messages are displayed and
      the &man.dhclient.8; utility keeps trying to initialize the
      network interface forever.</para>

    <screen>kernel: fxp0: link state changed to UP
kernel: fxp0: link state changed to DOWN</screen>

    <para>A patch to fix this issue will be released as an Errata
      Notice.</para>
  </sect1>

  <sect1 id="late-news">
    <title>Late-Breaking News and Corrections</title>

    <para>[20130606] As described in &os; &release; Release Notes,
      &os; ZFS subsystem has been updated to support feature flags for
      ZFS pools.  However, the default version number of a newly
      created ZFS pool is still <literal>28</literal>.</para>

    <para>This is because &os; 9.0 and 9.1 do not support the feature
      flags.  This means ZFS pools with feature flag support cannot be
      used on &os; 9.0 and 9.1.  An 8.X system with v28 ZFS pools can
      be upgraded to 9.X with no problem.  Note that &man.zfs.8;
      <command>send</command> and <command>receive</command> commands
      do not work between pools with different versions.  Once a ZFS
      pool is upgraded from v28, there is no way to upgrade the system
      to &os; 9.0 and 9.1.  &os; 9.2 and later will support ZFS pools
      with feature flags.</para>

    <para>To create a ZFS pool with feature flag support, use the
      &man.zpool.8; <command>create</command> command and then the
      &man.zpool.8; <command>upgrade</command> command.</para>
  </sect1>
</article>