FreeBSD/i386 4.7-RELEASE Release Notes
The FreeBSD Project
Copyright © 2000, 2001, 2002 by The FreeBSD Documentation Project
126.96.36.1990 2002/09/30 19:03:49 dd Exp $
The release notes for FreeBSD 4.7-RELEASE contain a summary of the changes made to the FreeBSD base system since 4.6-RELEASE. Both changes for kernel and userland are listed, as well as applicable security advisories for the base system that were issued since the last release. Some brief remarks on upgrading are also presented.
- Table of Contents
- 1 Introduction
- 2 What's New
- 2.1 Kernel Changes
- 2.2 Security Advisories
- 2.3 Userland Changes
- 2.4 Release Engineering and Integration
- 3 Upgrading from previous releases of FreeBSD
This document contains the release notes for FreeBSD 4.7-RELEASE on the IA-32 hardware platform. It describes new features of FreeBSD that have been added (or changed) since 4.6-RELEASE. It also provides some notes on upgrading from previous versions of FreeBSD.
This distribution of FreeBSD 4.7-RELEASE is a release distribution. It can be found at ftp://ftp.FreeBSD.org/ or any of its mirrors. More information on obtaining this (or other) release distributions of FreeBSD can be found in the ``Obtaining FreeBSD'' appendix in the FreeBSD Handbook.
This section describes the most user-visible new or changed features in FreeBSD since 4.6-RELEASE. Typical release note items document new drivers or hardware support, new commands or options, major bugfixes, or contributed software upgrades. Security advisories for the base system that were issued after 4.6-RELEASE are also listed.
RLIMIT_VMEM support has been added. This feature defines a new resource limit that covers a process's entire virtual memory space, including mmap(2) space. This limit can be configured in login.conf(5) via the new vmemoryuse variable.
A bug in the sendfile(2) system call, in which headers counted against the size of the file to be sent, has been fixed.
The ucom(4) device driver has been added, to support USB modems, serial devices, and other programs that need to look like a tty. The related uplcom(4) and uvscom(4) drivers provide specific support for the Prolific PL-2303 serial adapter and the SUNTAC Slipper U VS-10U, respectively.
The uvisor(4) driver for connecting Handspring Visors via USB has been added.
Support for the AMD Élan SC520 has been added; this requires the CPU_ELAN option in the kernel configuration file.
The em(4) driver now supports the Intel 82545EM and 82545EB chips. It also has VLAN support.
The rp(4) driver has been updated to version 3.02 and can now be built as a module.
A new version of ipfw(4) (commonly referred to as ``IPFW2'') has been added as an option. It now uses variable-sized representation of rules in the kernel, similar to bpf(4) instructions. Most of the externally-visible behavior (i.e. through ipfw(8)) should be unchanged., although ipfw(8) now supports or connectives between match fields. This new version is not enabled by default. To use it:
A new ng_l2tp(4) netgraph node type, which implements the encapsulation layer of the L2TP protocol as described in RFC 2661, has been added.
The tcp(4) protocol's retransmission timer can now be manipulated with two sysctl variables, net.inet.tcp.rexmit_min and net.inet.tcp.rexmit_slop.
The tcp(4) protocol now has the ability to dynamically limit the send-side window to maximize bandwidth and minimize round trip times. The feature can be enabled via the net.inet.tcp.inflight_enable sysctl.
The ahd(4) driver, which supports the Adaptec AIC7901, AIC7901A, and AIC7902 Ultra320 PCI-X SCSI Controller chips, has been added.
A bug which sometimes prevented ata(4) tagged queueing from working correctly has been corrected.
The ata(4) driver now computes maximum transfer sizes correctly. This fixes numerous READ_BIG and other errors that occurred when accessing certain ATA devices.
The ata(4) driver now has support for the Sil 0680 and VIA 8233/8235 controllers.
The mpt driver, for supporting the LSI Logic Fusion/MP architecture Fiber Channel controllers, has been added.
The pst driver, for supporting Promise SuperTrak ATA RAID controllers, has been added.
The VT8233 audio controller now has its own driver to facilitate supporting all known revisions of the hardware. It is loadable at boot time by adding device pcm to the kernel configuration or by adding snd_via8233="YES" to /boot/loader.conf. Documentation to support this work was provided by VIA.
The ich sound driver now provides rudimentary support for ich4 audio support.
The uaudio driver, for USB audio devices, has been added.
IPFilter has been updated to 3.4.29.
The original fix for security advisory SA-02:23 (which addressed the use of file descriptors by set-user-id or set-group-id programs) contained an error. It was still possible for systems using procfs(5) or linprocfs(5) to be exploited. This error has now been corrected; a revised version of security advisory FreeBSD-SA-02:23 contains more details.
A buffer overflow in the resolver, which could be exploited by a malicious domain name server or an attacker forging DNS messages, has been fixed. See security advisory FreeBSD-SA-02:28 for more details.
ktrace(1) can no longer trace the operation of formerly privileged processes; this prevents the leakage of sensitive information that the process could have obtained before abandoning its privileges. For a discussion of this issue, see security advisory FreeBSD-SA-02:30 for more details.
Multiple buffer overflows in OpenSSL have been corrected, by way of an upgrade to the base system version of OpenSSL. More details can be found in security advisory FreeBSD-SA-02:33.
A heap buffer overflow in the XDR decoder has been fixed. For more details, see security advisory FreeBSD-SA-02:34.
A bug that could allow local users to read and write arbitrary blocks on an FFS filesystem has been corrected. More details can be found in security advisory FreeBSD-SA-02:35.
A bug in the NFS server code, which could allow a remote denial of service attack, has been fixed. Security advisory FreeBSD-SA-02:36 has more details.
Several bounds-checking bugs in system calls, which could result in some system calls returning a large portion of kernel memory, have been fixed. More information can be found in security advisory FreeBSD-SA-02:38.
A bug that could allow applications using libkvm to leak sensitive file descriptors has been corrected. (See security advisory FreeBSD-SA-02:39 for more details.)
biff(1) now accepts a b argument to enable ``bell notification'' of new mail (which does not disturb the terminal contents as biff y would).
cp(1) now takes a (nonstandard) -n option to automatically answer ``no'' when it would ask to overwrite a file.
The daemon(8) program, a command-line interface to daemon(3), has been added. It detaches itself from its controlling terminal and executes a program specified on the command line. This allows the user to run an arbitrary program as if it were written to be a daemon.
dump(8) now supports a new -S flag to allow it to just print out the dump size estimates and exit.
finger(1) now has support for a .pubkey file.
finger(1) now supports a -g flag to restrict the printing of GECOS information to the user's full name only.
finger(1) now supports the -4 and -6 flags to specify an address family for remote queries.
fold(1) now supports a -b flag to break at byte positions and a -s flag to break at word boundaries.
ftp(1) now supports the epsv4 command to switch between using the new EPSV/EPRT and plain old PASV/PORT requests when talking over IPv4. This command is intended to remedy the problem arising when running ftp(1) through IPFilter or another firewall not supporting the newer FTP requests.
ftpd(8) now supports the -m option to permit guest users to modify existing files if allowed by filesystem permissions. In particular, this enables guest users to resume uploads.
ftpd(8) now supports the -M option to prevent guest users from creating directories.
ifconfig(8) now has the ability to set promiscuous mode on an interface, via the new promisc flag.
inetd(8) now has the capability for limiting the maximum number of simultaneous invocations of each service from a single IP address.
lock(1) now accepts a -v to disable switching VTYs while the current terminal is locked. This permits locking the entire console from a single terminal.
The ls(1) program now supports a -m flag to list files across a page, a -p flag to force printing of a / after directories, and a -x flag to sort filenames across a page.
mv(1) now takes a (nonstandard) -n option to automatically answer ``no'' when it would ask to overwrite a file.
nice(1) now uses the -n option to specify the ``niceness'' of the utility being run.
od(1) now supports the -A option to specify the input address base, the -N option to specify the number of bytes to dump, the -j option to specify the number of bytes to skip, the -s option to output signed decimal shorts, and the -t option to specify output type.
pam_opie(8) no longer emits fake challenges when the no_fake_prompts variable is specified.
A pam_opieaccess(8) module has been added.
pam_unix(8) has been synchronized with the version in FreeBSD -CURRENT as of 9 March 2002 (pre-OpenPAM).
pwd(1) now supports the -L flag to print the logical current working directory.
The renice(8) command implements a -n option, which specifies an increment to be applied to the priority of a process.
sed(1) now takes a -i option to enable in-place editing of files.
sh(1) now supports a -C option to prevent existing regular files from being overwritten by output redirection, and a -u to give an error if an unset variable is expanded.
The sh(1) built-in cd command now supports -L and -P flags to invoke logical or physical modes of operation, respectively. Logical mode is the default, but the default can be changed with the physical sh(1) option.
The sh(1) built-in jobs command now supports a -s flag to output PIDs only and a -l flag to add PIDs to the output.
The sh(1) built-in export and readonly commands now support a -p flag to print their output in ``portable'' format.
sh(1) no longer accepts invalid constructs as command & && command, && command, or || command.
split(1) now supports a -a option to specify the number of letters to use for the suffix of split files.
su(1) now has support for Kerberos V authentication.
tr(1) now has basic support for equivalence classes for locales that support them.
vidcontrol(1) now accepts a -S to allow the user to disable VTY switching.
xargs(1) now supports a -I replstr option that allows the user to tell xargs(1) to insert the data read from standard input at specific points in the command line arguments rather than at the end. (A FreeBSD-specific -J option is similar, but is now deprecated in favor of the more portable -I option.)
xargs(1) now supports a -L option to force its utility argument to be called after some number of lines.
BIND has been updated to 8.3.3.
Binutils has been updated to 2.12.1 (specifically, a post-release snapshot from 20 July 2002).
gcc has been updated to a snapshot from the GCC 2.95 CVS branch from 20 March 2002. It carries the unofficial version number of 2.95.4.
Heimdal Kerberos has been updated to a pre-0.5 snapshot from 29 August 2002.
libpcap has been updated to 0.7.1.
The FTP daemon from NetBSD, otherwise known as lukemftpd 1.2 beta 1, has been imported and is available as lukemftpd(8).
m4(1) has been imported from OpenBSD, as of 26 April 2002.
The OPIE one-time-password suite has been updated to 2.4.
OpenSSH has been updated to version 3.4p1. Among the changes:
The *2 files are obsolete (for example, ~/.ssh/known_hosts can hold the contents of ~/.ssh/known_hosts2).
ssh-keygen(1) can import and export keys using the SECSH Public Key File Format, for key exchange with several commercial SSH implementations.
ssh-add(1) now adds all three default keys.
ssh-keygen(1) no longer defaults to a specific key type; one must be specified with the -t option.
A ``privilege separation'' feature, which uses unprivileged processes to contain and restrict the effects of future compromises or programming errors.
Several bugfixes, including closure of a security hole that could lead to an integer overflow and undesired privilege escalation.
The default SSH protocol to use is now Version 2 (with a fallback to Version 1), rather than Version 1 (with a fallback to Version 2).
OpenSSL has been updated to 0.9.6g.
sendmail has been updated from version 8.12.3 to version 8.12.6.
Version 1.4.5 of the smbfs userland utilities has been imported.
GNU tar has been updated to 1.13.25.
tcsh has been updated to version 6.12.
texinfo has been updated to 4.2.
The contributed version of tcp_wrappers now includes the tcpd(8) helper daemon. While not strictly necessary in a standard FreeBSD installation (because inetd(8) already incorporates this functionality), this may be useful for inetd(8) replacements such as xinetd.
tcpdump has been updated to 3.7.1.
top has been updated to version 3.5b12.
The libraries installed by the emulators/linux_base port (required for Linux emulation) have been updated; they now correspond to those included with Red Hat Linux 7.1.
XFree86 has been updated to 4.2.1. This version provides some security and bug fixes over version 4.2.0.
A bug that caused /usr/share/examples to be incompletely populated on fresh installs has been fixed.
It is now possible to make releases of FreeBSD 5-CURRENT on a FreeBSD 4-STABLE host and vice versa. Cross-architecture (building a release for a target architecture on a host of a different architecture) releases are also possible. See release(7) for details.
If you're upgrading from a previous release of FreeBSD, you generally will have three options:
Using the binary upgrade option of sysinstall(8). This option is perhaps the quickest, although it presumes that your installation of FreeBSD uses no special compilation options.
Performing a complete reinstall of FreeBSD. Technically, this is not an upgrading method, and in any case is usually less convenient than a binary upgrade, in that it requires you to manually backup and restore the contents of /etc. However, it may be useful in cases where you want (or need) to change the partitioning of your disks.
From source code in /usr/src. This route is more flexible, but requires more disk space, time, and technical expertise. More information can be found in the ``Using make world'' section of the FreeBSD Handbook. Upgrading from very old versions of FreeBSD may be problematic; in cases like this, it is usually more effective to perform a binary upgrade or a complete reinstall.
Please read the INSTALL.TXT file for more information, preferably before beginning an upgrade. If you are upgrading from source, please be sure to read /usr/src/UPDATING as well.
Important: Upgrading FreeBSD should, of course, only be attempted after backing up all data and configuration files.
This file, and other release-related documents, can be downloaded from ftp://ftp.FreeBSD.org/.
For questions about this documentation, e-mail <doc@FreeBSD.org>.