FreeBSD 12.3-RELEASE Release Notes
Abstract
The release notes for FreeBSD 12.3-RELEASE contain a summary of the changes made to the FreeBSD base system on the 12-STABLE development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented.
Introduction
This document contains the release notes for FreeBSD 12.3-RELEASE. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD.
The release distribution to which these release notes apply represents the latest point along the 12-STABLE development branch since 12-STABLE was created. Information regarding pre-built, binary release distributions along this branch can be found at https://www.FreeBSD.org/releases/.
The release distribution to which these release notes apply represents a point along the 12-STABLE development branch between 12.2-RELEASE and the future 12.4-RELEASE. Information regarding pre-built, binary release distributions along this branch can be found at https://www.FreeBSD.org/releases/.
This distribution of FreeBSD 12.3-RELEASE is a release distribution. It can be found at https://www.FreeBSD.org/releases/ or any of its mirrors. More information on obtaining this (or other) release distributions of FreeBSD can be found in the Obtaining FreeBSD appendix to the FreeBSD Handbook.
All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with "late-breaking" information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD 12.3-RELEASE can be found on the FreeBSD Web site.
This document describes the most user-visible new or changed features in FreeBSD since 12.2-RELEASE. In general, changes described here are unique to the 12-STABLE branch unless specifically marked as MERGED features.
Typical release note items document recent security advisories issued after 12.2-RELEASE, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.
Upgrading from Previous Releases of FreeBSD
Binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the freebsd-update(8) utility. The binary upgrade procedure will update unmodified userland utilities, as well as unmodified GENERIC kernels distributed as a part of an official FreeBSD release. The freebsd-update(8) utility requires that the host being upgraded have Internet connectivity.
Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in /usr/src/UPDATING.
Upgrading FreeBSD should only be attempted after backing up all data and configuration files.
Security and Errata
This section lists the various Security Advisories and Errata Notices since 12.2-RELEASE.
Security Advisories
| Advisory | Date | Topic |
|---|---|---|
| | 1 December 2020 | Use-after-free in error message handling |
| | 1 December 2020 | Multiple vulnerabilities |
| | 8 December 2020 | NULL pointer de-reference |
| | 29 January 2021 | Kernel stack disclosure |
| | 29 January 2021 | Kernel panic |
| | 24 February 2021 | Privilege escalation |
| | 24 February 2021 | Privilege escalation |
| | 24 February 2021 | Privilege escalation |
| | 24 February 2021 | Resource leaks |
| | 25 March 2021 | Multiple vulnerabilities |
| | 6 April 2021 | Kernel memory disclosure |
| | 6 April 2021 | Privilege escalation or memory disclosure |
| | 6 April 2021 | Privilege escalation |
| | 26 May 2021 | Mitigation bypass |
| | 26 May 2021 | Denial of service |
| | 24 August 2021 | Missing error handling in bhyve(8) device models |
| | 24 August 2021 | Remote code execution in ggatec(8) |
| | 24 August 2021 | libfetch out of bounds read |
| | 24 August 2021 | Multiple vulnerabilities in OpenSSL |
| | 24 August 2021 | Multiple vulnerabilities in OpenSSL |
Errata Notices
| Errata | Date | Topic |
|---|---|---|
| | 1 December 2020 | execve/fexecve system call auditing |
| | 1 December 2020 | Timezone database information update |
| | 1 December 2020 | Uninitialized variable |
| | 1 December 2020 | Race condition in callout CPU migration |
| | 29 January 2021 | Timezone database information update |
| | 29 January 2021 | Panic when destroying VNET and epair simultaneously |
| | 29 January 2021 | zfs recv fails to propagate snapshot deletion |
| | 24 February 2021 | Boot-time microcode loading causes a boot hang |
| | 24 February 2021 | Root certificate bundle update |
| | 24 February 2021 | freebsd-update passwd regeneration |
| | 6 April 2021 | net.pf.request_maxcount not settable from loader.conf(5) |
| | 6 April 2021 | lldb abort on print command |
| | 26 May 2021 | Race condition in aesni(4) encrypt-then-auth operations |
| | 26 May 2021 | Kernel double free when transmitting on a divert socket |
| | 26 May 2021 | pms(4) data corruption |
| | 26 May 2021 | dc update |
| | 1 June 2021 | Incorrect validation in rad_get_attr(3) |
| | 30 June 2021 | libcasper assertion failure |
| | 30 June 2021 | Linux compatibility layer futex(2) system call vulnerability |
| | 24 August 2021 | OpenSSL 1.1.1e API functions not exported |
| | 24 August 2021 | Fix NVMe iovec construction for large IOs |
| | 4 November 2021 | Root certificate bundle update |
| | 4 November 2021 | Fix kernel panic in vmci driver initialization |
| | 4 November 2021 | Timezone database information update |
Userland
This section covers changes and additions to userland applications, contributed software, and system utilities.
Userland Configuration Changes
The caroot CA bundle processor was updated to support certificates marked with a DISTRUST_AFTER entry.
The /etc/rc.final rc(8) script will now be run after all user processes have terminated.
Userland Application Changes
The automount(8) utility will now explicitly set the root path to / before performing an automatic mount.
The bectl(8) utility will now throw an error to prevent the creation of a boot environment with spaces.
The cmp(1) utility received the -i, --ignore-initial flags as an alternative to skip1/skip2.
The cmp(1) utility now accepts SI suffixes for skip1/skip2.
The cmp(1) utility received the -n, --bytes flags to limit the number of bytes to compare.
The cpuset(1) utility can now be used by a jail to modify the roots of a child jail.
The cron(8) utility will now pull in the user or login class environment variables.
The daemon(8) utility now has a -H flag allowing it to catch a SIGHUP and re-open the output file. This was added to support newsyslog(8) operations.
The diff(1) utility will now honor other flags, such as -w, when -q is specified.
The elfctl(1) utility has received a -l flag to ignore unknown variables, allowing it to work across multiple versions of FreeBSD by ignoring features which are not implemented.
The etcupdate(8) utility now supports a revert mode to restore one or more files.
The etcupdate(8) utility has received a -D flag to specify a destination directory.
The etcupdate(8) utility will now always extract to a temporary tree and gracefully handle a SIGINT.
The freebsd-update(8) utility received a -j flag to support jails.
The freebsd-version(1) utility received a -j flag to support jails.
The fstyp(8) utility will now detect and show exFAT filesystems with the -l flag.
The geli(8) utility will no longer report an error when performing a resize to the same size.
The grep(1) utility will now disable -w if -x is also specified.
The growfs(8) utility will now function on RW mounted filesystems.
The kldxref(8) utility will no longer error out if the directory specified with the -d flag is not actually a directory.
The mergemaster(8) utility will now handle symbolic links during the update process.
The mksnap_ffs(8) utility received a fix for a crash which triggered a Panic: snapacct_ufs2: bad block panic.
The mount(8) utility will now properly show with quotas when quotas are enabled.
The mountd(8) utility will now generate a syslog(3) message when the V4: line is missing from /etc/exports.
The newsyslog(8) utility received a new E flag to prevent rotation of empty log files.
The pkg(7) utility received a -r flag used to specify a reponame for bootstrap and add.
The pkg(7) utility will now use environment variables specified in pkg.conf.
The rc.d/jail rc(8) script had a keyword change to fix jails within jails support.
The service(8) utility will now set the environment of the daemon class before invoking.
The tcpdump(8) utility will now decode packets on pfsync interfaces.
The top(1) command received the / filter on command option for displaying processes or arguments that match a specified string (imported from OpenBSD).
A segmentation fault in unzip(1) has been fixed when a target archive contains a buggy name.
The unzip(1) utility now supports password protected archives.
The zgrep(1) utility will now properly print version information when the --version parameter is specified.
The wpa_cli(8) utility now has an action file event where an event may be passed to a file.
Contributed Software
The awk(1) metamode fixes have been merged in addition to a code synchronization with upstream (to version 20210221).
Fixes for SHA256 were merged into apr (Apache Portable Runtime) from upstream (see r1889604, r1807975 upstream).
The bc(1) contributed software has been updated to 5.0.0.
The less(1) utility was updated to version v581.2.
The libarchive(3) library had a bugfix for symlink processing imported.
Libarchive version 3.5.1 was imported.
OpenPAM was upgraded to OpenPAM Tabebuia.
OpenSSL 1.1.1l was imported into the tree.
SQLite3 3.35.5 was imported into the tree.
TCSH 6.22.04 was imported into the tree.
Subversion was updated to version 1.14.1 LTS.
The vi(1) utility was updated to nvi 2.2.0-3bbdfe4.
The contrib/tzdata information was updated to correct DST (Daylight Savings Time) in Jordan and Samoa.
The tzdata 2021a was imported into the tree.
The unzip(1) utility was synced with the upstream NetBSD version.
Runtime Libraries and API
The internal KAPI between the krpc and nfsd modules was updated (see UPDATING).
The powf(3) library received a fix to prevent an incorrect result with x near 1 and |y| much larger than 1 and a test kit imported from NetBSD.
Kernel
This section covers changes to kernel configurations, system tuning, and system control parameters that are not otherwise categorized.
General Kernel Changes
The ipfw(8) firewall was provided a dnctl(8) utility to manage dummynet(4) configurations.
An opencrypto kern.crypto sysctl(8) node was added.
A new sysctl(8), debug.uma_reclaim, was added.
The kern.timecounter.hardware OID was converted into a tuneable.
New PCI ID information was added for ASMedia® ASM116x PCIe 3.0 AHCI controllers and Intel® Gemini Lake I2C controllers.
The GENERIC kernel for amd64 now includes options COMPAT_LINUXKPI and the mlx5en(4) device driver.
Devices and Drivers
This section covers changes and additions to devices and device drivers since 12.2-RELEASE.
Device Drivers
The alc(4) device driver now supports the Mikrotik® 10/25G Network device.
The amdtemp(4) device driver has learned about family 17h models: M20h (Dali, Zen1), M60H (Renoir, Zen2), and M90H (Van Gogh, Zen2).
The amdtemp(4) device driver received support for Zen 3 "Vermeer" and Ryzen® 4000 APU (Zen 2, "Renoir").
The amdsmn(4) device driver received support for Zen 3 "Vermeer" and Ryzen® 4000 APU (Zen 2, "Renoir").
The cam(4) driver had quick unplug and replug SCSI fixed.
The bnxt(4) device driver will now report whether WOL (Wake On Lan) is supported on the hardware and show an enabled status if a filter was applied on system initialization.
The em(4) device driver now supports the flashless i211 PBA.
The em(4) device driver received several updates to shared code.
The ena(4) device driver was updated to 2.4.1.
The ice(4) device driver was updated to 0.28.1-k with an updated ice_ddp package file of version 1.3.19.0.
A new driver, igc(4), was added to support the Intel® I225 Ethernet controller; it supports 2.5G/1G/100MB/10MB.
The ixgbe(4) device driver received a shared code update.
The ixgbe(4) device driver received a fix for the x550em 10G NIC link status where the auto-negotiation feature was not reported correctly.
The ixl(4) device driver was given the hw.ix.flow_control tuneable.
The ixl(4) device driver had an update in shared code and fixes for 2.5G and 5G speeds.
The iwm(4) device driver now supports the Intel® Killer® Wireless-AC 1550i.
The msdosfs(5) filesystem driver received a fix for msdosfs suspension.
The ng_bridge(4) netgraph node is now SMP aware.
The ng_nat(4) netgraph node received RFC 6598/Carrier Grade NAT support.
The ng_source(4) netgraph node may now be injected into any netgraph network.
The nvme(4) device driver received support for MSI and single MSI-X support.
The nvme(4) device driver received several merged bugfixes.
The pf(4) firewall has received several bugfixes and updates.
The rctl(4) resource limits driver now supports throttling resource usage to 0 for rate-based resources that support throttling. These resources will respect the duration set by the kern.racct.rctl.throttle_max sysctl(8).
The rsu(4) device driver now supports the ASUS® WL-167G V3 device.
The rtwn_usb(4) device driver now supports the Mercusys® MW150US (N150 Nano), TP-Link® Archer T2U v3, and D-Link® DWA-121 (N150 Nano) devices.
The run(4) device driver now supports the D-Link® DWA-130 rev F1 wireless adapter and the ASUS® USB-N14 wireless adapter.
The tcp(4) protocol will now tolerate missing timestamps (RFC 1323/RFC 7323) via the use of the net.inet.tcp.tolerate_missing_ts sysctl(8).
The uart(4) device driver now supports the Intel® 100 Series/C230 Series AMT.
The vlan(4) interface can now support ALTQ.
Storage
This section covers changes and additions to file systems and other storage subsystems, both local and networked.
General Storage
A fix for handling of embedded symbolic links in UFS/FFS was merged.
A fix for NFSv4.1 Linux client mount getting stuck in CLOSE_WAIT status was merged.
A fix for NFSv4.1/4.2 mount recovery from an expired lease was merged.
Boot Loader Changes
This section covers the boot loader, boot menu, and other boot-related changes.
Boot Loader Changes
The boot loader will now support booting an OS from a memory disk.
The boot loader will now support pools without features.
The boot loader will now accept the zfs features com.delphix:bookmark_written and com.datto:bookmark_v2.
A new OID, hint.dev.X.disabled, was added to the lua loader to prevent device attachment during boot.
Networking
This section describes changes that affect networking in FreeBSD.
General Network
Several fixes for NFSv4 were merged.
A segmentation fault during wpa EAP/PEAP MSCHAPv2 authentication was fixed.
The fetch(3) library now supports proxying FTP over HTTPS.
General Notes Regarding Future FreeBSD Releases
FreeBSD EC2 AMI Ids
Support for recording EC2 AMI Ids in SSM was added to release/Makefile.ec2 to allow SSM Parameter names to look like /aws/service/freebsd/amd64/base/ufs/12.3/RELEASE using the public prefix /aws/service/freebsd.
Default CPUTYPE Change
Starting with FreeBSD-13.0, the default CPUTYPE for the i386 architecture will change from 486 to 686.
This means that, by default, binaries produced will require a 686-class CPU, including but not limited to binaries provided by the FreeBSD Release Engineering team. FreeBSD 13.0 will continue to support older CPUs, however users needing this functionality will need to build their own releases for official support.
As the primary use for i486 and i586 CPUs is generally in the embedded market, the general end-user impact is expected to be minimal, as new hardware with these CPU types has long faded, and much of the deployed base of such systems is nearing retirement age, statistically.
There were several factors taken into account for this change. For example, i486 does not have 64-bit atomics, and while they can be emulated in the kernel, they cannot be emulated in the userland. Additionally, the 32-bit amd64 libraries have been i686 since their inception.
As the majority of 32-bit testing is done by developers using the lib32 libraries on 64-bit hardware with the COMPAT_FREEBSD32 option in the kernel, this change ensures better coverage and user experience. This also aligns with what the majority of Linux® distributions have been doing for quite some time.
This is expected to be the final bump of the default CPUTYPE in i386.
This change does not affect the FreeBSD 12.x series of releases.
Last modified on: December 7, 2021 by Glen Barber