FreeBSD 13.3-RELEASE Release Notes

The libtacplus(3) library has been improved so that tacplus.conf(5) now follows POSIX shell syntax rules. This may cause TACACS+ authentication to fail if the shared secret contains a single quote, double quote, or backslash character which isn’t already properly quoted or escaped. The library allows additional AV pairs to be configured, up to 255. 5761f8a7de9f (Sponsored by Klara, Inc.)

Programs such as login(1) that utilize setusercontext(3) will now allow the process priority to be set from the ~/.login_conf file if the credentials permit setting it. Also, the priority may be specified in login.conf(5) as inherit, indicating that the process priority is inherited from the parent process. Similarly, the umask value may now be specified as inherit. 8b359002747a e074746fec21 16e02df98ad6 (Sponsored by Kumacom SAS)

The configuration file and security output changes reported by periodic(8) that are emailed to system administrators now use reduced context to minimize unrelated content. The options passed to diff(1) to produce the daily output can be controlled by a daily_diff_flags variable in rc.conf(5); the options passed to diff(1) for the security scripts are controlled by security_status_diff_flags. 4c14a3a6aebe 6d9195b5f763

The default location for downloading leapsecond information has been updated to use the canonical source, as the previous location was no longer supported. d19b59cfe594

The powerd(8) daemon is now enabled by default in /etc/rc.conf on the arm64 RPI image for Raspberry Pi systems, allowing the system to run at full speed as needed. Users with non-default turbo settings may want to disable it. e889b5a892b6

The umask for a service may now be specified in rc.conf(5) using the variable <service>_umask, where the service is named <service>. 2d6a03dd43c7

The head(1) and tail(1) programs now support the -q (quiet) and -v (verbose) options consistently. Numeric arguments may now use SI suffixes supported by expand_number(3). 585762c3733f

The objdump(1) utility from LLVM is now available. Some LLVM objdump options have a different output format than GNU objdump; readelf(1) is available for inspecting ELF files, and GNU objdump is available from the devel/binutils port or package.

The tftpd(8) server can be configured to allow writes to files in a chrooted environment that are not world-writable using the new -S option. b71dde1aeba2

expat has been upgaded to version 2.6.0.

Several Heimdal security fixes have been applied to mitigate vulnerabilities in the Kerberos Key Distribution Center.

The libfido2 authentication token library has been updated to version 1.13.0. b27bad1e0373 079a1c2059e7 d79e0d1735e3 (Sponsored by The FreeBSD Foundation)

LLVM and the clang compiler have been upgraded to version 17.0.6.

nvi (vi(1)) has been upgraded to version 2.2.1.

sendmail has been upgraded to version 8.18.1. This version enforces stricter RFC compliance by default, especially with respect to line endings. This may cause issues with receiving messages from non-compliant MTAs; please see the first 8.18.1 release note in https://ftp.sendmail.org/RELEASE_NOTES for mitigations. b36ddb27b3b9

OpenSSH has been updated to version 9.6p1, including a number of security fixes. The most significant are fixes for a newly-discovered weakness in the SSH transport protocol. ssh-keygen(1) now generates Ed25519 keys by default. sshd(8) now accurately preserves quoting of subsystem commands and arguments. f26eafdfafb0 221a6bc397ad 2cd20d9bc807 (Sponsored by The FreeBSD Foundation)

tzdata has been upgraded to version 2024a.

unbound has been upgraded to version 1.19.1, including security fixes. c6edb21e3763

xz has been upgraded to version 5.4.5.

The zlib(3) library has been updated to version 1.3.1. f2de7ba78a49 05e3998add1c

The intro(9) introduction to the kernel programming interfaces has been completely rewritten. 5a0c410787b8 (Sponsored by The FreeBSD Foundation)

Multiple PCI MCFG regions are now supported on x86 systems, enabling support for PCI config access for domains (segments) other than 0. 0fb0306a89ad

A problem with the graid implementation of Promise RAID1 created with 4 or more disks has been fixed. The array worked only until reboot. 394ceefc2f2f

The iwlwifi(4) driver for Intel wireless interfaces has been updated, supporting chipsets up to BE200. (Sponsored by The FreeBSD Foundation) (Sponsored by minipci.biz)

The rtw88(4) driver for Realtek wireless PCI interfaces has been updated.

There have been many stability fixes to native and LinuxKPI-based wireless drivers. (Sponsored by The FreeBSD Foundation)

The smsc(4) driver for USB Ethernet adapters will now obtain the MAC address from bootargs on Raspberry Pi systems that pass it, and will otherwise fall back to use of ether_gen_addr(9) to generate a stable MAC address if none is provided by the hardware. 3d96ee7c7dcc

In the course of debugging and resolving a problem with vnode recycling in the generic file system code, sysctls for vnode-related statistics have been grouped under vfs.vnode for greater visibility. 77a8bd148796

The NFS server (nfsd(8), nfsuserd(8), mountd(8), gssd(8), and rpc.tlsservd(8)) can be run in an appropriately configured vnet jail. The vnet jail must be on its own file system, have the allow.nfsd jail parameter set on it, and enforce_statfs cannot be set to 0. Use of UDP and pNFS server configurations are not permitted. See jail(8), nfsd(8), and mountd(8). b4805d577787

A new syskrb5 mount option is available that allows a Kerberized NFSv4.1/4.2 mount to be done without any Kerberos credential (TGT or keytab) at mount time. See mount_nfs(8). 0644746d5091

OpenZFS has been upgraded to version 2.1.14. 7005cd440405 e6c1e181ba7f d9a61490b098 f5eac6541278

The zfsd(8) daemon will now fault disks that generate too many I/O delay events. e2ce586899ff (Sponsored by Axcient)

The logging priority of syslog messages due to overflow of a socket listen queue can now be set using the sysctl kern.ipc.sooverprio. The default is 7, corresponding to LOG_DEBUG. A value of -1 suppresses logging. See listen(2). 773c91ccc892

The netgraph ng_ipfw(4) module no longer truncates cookies to 16 bits, allowing a full 32 bits. 0b9242dea68c

Support for IPv6 RFC 4620 nodeinfo is now disabled by default. 5c4e8a631097 (Sponsored by The FreeBSD Foundation)

pf filter rules can be optionally enabled for packets delivered locally to enable pf rdr rules for connections initiated from the host. This can change the behavior of rules which match packets delivered to lo0. To enable this feature, use the commands sysctl net.pf.filter_local=1; service pf restart. When enabled, it is best to ensure that packets delivered locally are not filtered, e.g. by adding a set skip on lo rule. 6dfb2c2dce0f

The BeagleBone Black (armv7) is no longer supported; it does not work with the current boot files (DTB).

The Google Virtual NIC (gve(4)) is now supported. 4e846759f0a3 (Sponsored by Google)