FreeBSD The Power to Serve

FreeBSD 13.3-RELEASE Release Notes


The release notes for FreeBSD 13.3-RELEASE contain a summary of the changes made to the FreeBSD base system on the 13-STABLE development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented.


This document contains the release notes for FreeBSD 13.3-RELEASE. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD.

The release distribution to which these release notes apply represents the latest point along the 13-STABLE development branch since 13-STABLE was created. Information regarding pre-built, binary release distributions along this branch can be found at

The release distribution to which these release notes apply represents a point along the 13-STABLE development branch between 13.2-RELEASE and the future 13.4-RELEASE. Information regarding pre-built, binary release distributions along this branch can be found at

This distribution of FreeBSD 13.3-RELEASE is a release distribution. It can be found at or any of its mirrors. More information on obtaining this (or other) release distributions of FreeBSD can be found in the Obtaining FreeBSD appendix to the FreeBSD Handbook.

All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with "late-breaking" information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD 13.3-RELEASE can be found on the FreeBSD Web site.

This document describes the most user-visible new or changed features in FreeBSD 13-STABLE since 13.2-RELEASE. Note that some of the changes described here are also available in FreeBSD 14.0-RELEASE.

Typical release note items document recent security advisories issued after 13.2-RELEASE, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.

Upgrading from Previous Releases of FreeBSD

Binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the freebsd-update(8) utility. See the release-specific upgrade procedure, FreeBSD 13.3-RELEASE upgrade information, with more details in the FreeBSD handbook binary upgrade procedure. This will update unmodified userland utilities, as well as unmodified GENERIC kernels distributed as a part of an official FreeBSD release. The freebsd-update(8) utility requires that the host being upgraded have Internet connectivity.

Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in /usr/src/UPDATING.

Upgrading FreeBSD should only be attempted after backing up all data and configuration files.

After installing the new userland software, running daemons are still from the previous version. After installing the user-level components with the second invocation of freebsd-update, or via an upgrade from source with installworld, the system should be rebooted to start everything with the new software. For example, older versions of sshd failed to process incoming connections correctly after the new /usr/sbin/sshd was installed; rebooting started a new sshd and other daemons.


This section covers changes and additions to userland applications, contributed software, and system utilities.

Userland Configuration Changes

The libtacplus(3) library has been improved so that tacplus.conf(5) now follows POSIX shell syntax rules. This may cause TACACS+ authentication to fail if the shared secret contains a single quote, double quote, or backslash character which isn’t already properly quoted or escaped. The library allows additional AV pairs to be configured, up to 255. 5761f8a7de9f (Sponsored by Klara, Inc.)

Programs such as login(1) that utilize setusercontext(3) will now allow the process priority to be set from the ~/.login_conf file if the credentials permit setting it. Also, the priority may be specified in login.conf(5) as inherit, indicating that the process priority is inherited from the parent process. Similarly, the umask value may now be specified as inherit. 8b359002747a e074746fec21 16e02df98ad6 (Sponsored by Kumacom SAS)

The configuration file and security output changes reported by periodic(8) that are emailed to system administrators now use reduced context to minimize unrelated content. The options passed to diff(1) to produce the daily output can be controlled by a daily_diff_flags variable in rc.conf(5); the options passed to diff(1) for the security scripts are controlled by security_status_diff_flags. 4c14a3a6aebe 6d9195b5f763

The default location for downloading leapsecond information has been updated to use the canonical source, as the previous location was no longer supported. d19b59cfe594

The powerd(8) daemon is now enabled by default in /etc/rc.conf on the arm64 RPI image for Raspberry Pi systems, allowing the system to run at full speed as needed. Users with non-default turbo settings may want to disable it. e889b5a892b6

The umask for a service may now be specified in rc.conf(5) using the variable <service>_umask, where the service is named <service>. 2d6a03dd43c7

Userland Application Changes

The head(1) and tail(1) programs now support the -q (quiet) and -v (verbose) options consistently. Numeric arguments may now use SI suffixes supported by expand_number(3). 585762c3733f

The objdump(1) utility from LLVM is now available. Some LLVM objdump options have a different output format than GNU objdump; readelf(1) is available for inspecting ELF files, and GNU objdump is available from the devel/binutils port or package.

The tftpd(8) server can be configured to allow writes to files in a chrooted environment that are not world-writable using the new -S option. b71dde1aeba2

Contributed Software

expat has been upgaded to version 2.6.0.

Several Heimdal security fixes have been applied to mitigate vulnerabilities in the Kerberos Key Distribution Center.

The libfido2 authentication token library has been updated to version 1.13.0. b27bad1e0373 079a1c2059e7 d79e0d1735e3 (Sponsored by The FreeBSD Foundation)

LLVM and the clang compiler have been upgraded to version 17.0.6.

nvi (vi(1)) has been upgraded to version 2.2.1.

sendmail has been upgraded to version 8.18.1. This version enforces stricter RFC compliance by default, especially with respect to line endings. This may cause issues with receiving messages from non-compliant MTAs; please see the first 8.18.1 release note in for mitigations. b36ddb27b3b9

OpenSSH has been updated to version 9.6p1, including a number of security fixes. The most significant are fixes for a newly-discovered weakness in the SSH transport protocol. ssh-keygen(1) now generates Ed25519 keys by default. sshd(8) now accurately preserves quoting of subsystem commands and arguments. f26eafdfafb0 221a6bc397ad 2cd20d9bc807 (Sponsored by The FreeBSD Foundation)

tzdata has been upgraded to version 2024a.

unbound has been upgraded to version 1.19.1, including security fixes. c6edb21e3763

xz has been upgraded to version 5.4.5.

The zlib(3) library has been updated to version 1.3.1. f2de7ba78a49 05e3998add1c


This section covers changes to kernel configurations, system tuning, and system control parameters that are not otherwise categorized.

General Kernel Changes

The intro(9) introduction to the kernel programming interfaces has been completely rewritten. 5a0c410787b8 (Sponsored by The FreeBSD Foundation)

Devices and Drivers

This section covers changes and additions to devices and device drivers since 13.2-RELEASE.

Device Drivers

Multiple PCI MCFG regions are now supported on x86 systems, enabling support for PCI config access for domains (segments) other than 0. 0fb0306a89ad

A problem with the graid implementation of Promise RAID1 created with 4 or more disks has been fixed. The array worked only until reboot. 394ceefc2f2f

The iwlwifi(4) driver for Intel wireless interfaces has been updated, supporting chipsets up to BE200. (Sponsored by The FreeBSD Foundation) (Sponsored by

The rtw88(4) driver for Realtek wireless PCI interfaces has been updated.

There have been many stability fixes to native and LinuxKPI-based wireless drivers. (Sponsored by The FreeBSD Foundation)

The smsc(4) driver for USB Ethernet adapters will now obtain the MAC address from bootargs on Raspberry Pi systems that pass it, and will otherwise fall back to use of ether_gen_addr(9) to generate a stable MAC address if none is provided by the hardware. 3d96ee7c7dcc


This section covers changes and additions to file systems and other storage subsystems, both local and networked.

General Storage

In the course of debugging and resolving a problem with vnode recycling in the generic file system code, sysctls for vnode-related statistics have been grouped under vfs.vnode for greater visibility. 77a8bd148796

NFS Changes

The NFS server (nfsd(8), nfsuserd(8), mountd(8), gssd(8), and rpc.tlsservd(8)) can be run in an appropriately configured vnet jail. The vnet jail must be on its own file system, have the allow.nfsd jail parameter set on it, and enforce_statfs cannot be set to 0. Use of UDP and pNFS server configurations are not permitted. See jail(8), nfsd(8), and mountd(8). b4805d577787

A new syskrb5 mount option is available that allows a Kerberized NFSv4.1/4.2 mount to be done without any Kerberos credential (TGT or keytab) at mount time. See mount_nfs(8). 0644746d5091

ZFS Changes

OpenZFS has been upgraded to version 2.1.14. 7005cd440405 e6c1e181ba7f d9a61490b098 f5eac6541278

The zfsd(8) daemon will now fault disks that generate too many I/O delay events. e2ce586899ff (Sponsored by Axcient)


This section describes changes that affect networking in FreeBSD.

General Network

The logging priority of syslog messages due to overflow of a socket listen queue can now be set using the sysctl kern.ipc.sooverprio. The default is 7, corresponding to LOG_DEBUG. A value of -1 suppresses logging. See listen(2). 773c91ccc892

The netgraph ng_ipfw(4) module no longer truncates cookies to 16 bits, allowing a full 32 bits. 0b9242dea68c

Support for IPv6 RFC 4620 nodeinfo is now disabled by default. 5c4e8a631097 (Sponsored by The FreeBSD Foundation)

pf filter rules can be optionally enabled for packets delivered locally to enable pf rdr rules for connections initiated from the host. This can change the behavior of rules which match packets delivered to lo0. To enable this feature, use the commands sysctl; service pf restart. When enabled, it is best to ensure that packets delivered locally are not filtered, e.g. by adding a set skip on lo rule. 6dfb2c2dce0f

Hardware Support

This section covers general hardware support for physical machines, hypervisors, and virtualization environments, as well as hardware changes and updates that do not fit in other sections of this document.

Hardware Architecture Support

The BeagleBone Black (armv7) is no longer supported; it does not work with the current boot files (DTB).

Virtualization Support

The Google Virtual NIC (gve(4)) is now supported. 4e846759f0a3 (Sponsored by Google)

General Notes Regarding Future FreeBSD Releases

FreeBSD 15.0 is not expected to include support for 32-bit platforms other than armv7. The armv6, i386, and powerpc platforms are deprecated and will be removed. 64-bit systems will still be able to run older 32-bit binaries.

We expect to support armv7 as a Tier 2 architecture in FreeBSD 15.0 and stable/15. However, we also anticipate that armv7 may be removed in FreeBSD 16.0. We will provide an update on the status of armv7 for both 15.x and 16.x at the time of 15.0 release.

Support for executing 32-bit binaries on 64-bit platforms via the COMPAT_FREEBSD32 option will continue for at least the stable/15 and stable/16 branches. Support for compiling individual 32-bit applications via cc -m32 will also continue for at least the stable/15 branch, which includes suitable headers in /usr/include and libraries in /usr/lib32.

Ports will not include support for deprecated 32-bit platforms for FreeBSD 15.0 and later releases. These future releases will not include binary packages or support for building packages from ports for deprecated 32-bit platforms.

The FreeBSD stable/14 and earlier branches will retain existing 32-bit kernel and world support. Ports will retain existing support for building ports and packages for 32-bit systems on stable/14 and earlier branches as long as those branches are supported by the ports system. However, all 32-bit platforms are Tier-2 or Tier-3, and support for individual ports should be expected to degrade as upstreams deprecate 32-bit platforms.

With the current support schedule, stable/14 will reach end of life (EOL) 5 years after the release of FreeBSD 14.0-RELEASE. The EOL of stable/14 will mark the end of support for deprecated 32-bit platforms, including source releases, pre-built packages, and support for building applications from ports. With the release of 14.0-RELEASE in November 2023, support for deprecated 32-bit platforms will end in November 2028.

The project may choose to alter this approach when FreeBSD 15.0 is released by extending some level of support for one or more of the deprecated platforms in 15.0 or later. Any alterations will be driven by community feedback and committed efforts to support these platforms. Use FreeBSD 14.0-RELEASE and following minor releases, or the stable/14 branch, to migrate off 32-bit platforms.

Last modified on: March 4, 2024 by Mike Karels