FreeBSD/i386 5.2.1-RELEASE Release Notes
The FreeBSD Project
Copyright © 2000, 2001, 2002, 2003, 2004 The FreeBSD Documentation Project
1.663.2.13 2004/02/06 21:37:54 bmah Exp $
The release notes for FreeBSD 5.2.1-RELEASE contain a summary of recent changes made to the FreeBSD base system on the 5-CURRENT development branch. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented.
- Table of Contents
- 1 Introduction
- 2 What's New
- 2.1 Security Advisories
- 2.2 Kernel Changes
- 2.3 Userland Changes
- 2.4 Contributed Software
- 2.5 Ports/Packages Collection Infrastructure
- 2.6 Release Engineering and Integration
- 2.7 Documentation
- 3 Upgrading from previous releases of FreeBSD
This document contains the release notes for FreeBSD 5.2.1-RELEASE on the i386 hardware platform. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD.
This distribution of FreeBSD 5.2.1-RELEASE is a ``point release'', intended to address some issues (primarily bug fixes) discovered in FreeBSD 5.2-RELEASE.
Users who are new to the 5-CURRENT series of FreeBSD releases should also read the ``Early Adopters Guide to FreeBSD 5.2.1-RELEASE''. This document can generally be found in the same location as the release notes (either as a part of a FreeBSD distribution or on the FreeBSD Web site). It contains important information regarding the advantages and disadvantages of using FreeBSD 5.2.1-RELEASE, as opposed to releases based on the FreeBSD 4-STABLE development branch.
All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with ``late-breaking'' information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD 5.2.1-RELEASE can be found on the FreeBSD Web site.
This section describes many of the user-visible new or changed features in FreeBSD since 5.1-RELEASE. It includes items that are unique to the 5-CURRENT branch, as well as some features that may have been recently merged to other branches (after FreeBSD 5.1-RELEASE). The latter items are marked as [MERGED].
Typical release note items document recent security advisories issued after 5.1-RELEASE, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.
Release note entries that describe changes specific to this point release are marked with [5.2.1].
A single-byte buffer overflow in realpath(3) was fixed. Although the fix was committed prior to FreeBSD 5.1-RELEASE (and thus 5.1-RELEASE was not affected), it was not noted in the release documentation. See security advisory FreeBSD-SA-03:08. [MERGED]
A bug that could allow the kernel to attempt delivery of invalid signals has been fixed. The bug could have led to a kernel panic or, under some circumstances, unauthorized modification of kernel memory. For more information, see security advisory FreeBSD-SA-03:09. [MERGED]
A bug in the iBCS2 emulation module, which could result in disclosing the contents of kernel memory, has been fixed. This module is not enabled in FreeBSD by default. For more information, see security advisory FreeBSD-SA-03:10. [MERGED]
A buffer management bug in OpenSSH, which could potentially cause a crash, has been fixed. More information can be found in security advisory FreeBSD-SA-03:12. [MERGED]
A buffer overflow in sendmail has been fixed. More information can be found in security advisory FreeBSD-SA-03:13. [MERGED]
A bug that could allow the kernel to cause resource starvation which eventually results in a system panic in the ARP cache code has been fixed. More information can be found in security advisory FreeBSD-SA-03:14. [MERGED]
Several errors in the OpenSSH PAM challenge/response authentication subsystem have been fixed. The impacts of these bugs vary; details can be found in security advisory FreeBSD-SA-03:15. [MERGED]
Four separate security flaws in OpenSSL, which could allow a remote attacker to crash an OpenSSL-using application or to execute arbitrary code with the privileges of the application, have been fixed. More information can be found in security advisory FreeBSD-SA-03:18. [MERGED]
A potential denial of service in BIND has been fixed. For more information, see security advisory FreeBSD-SA-03:19. [MERGED]
[5.2.1] A bug in mksnap_ffs(8) has been fixed; it caused the creation of a filesystem snapshot to reset the flags on the filesystem to their default values. The possible consequences depended on local usage, but could include disabling extended access control lists or enabling the use of setuid executables stored on an untrusted filesystem. This bug also affected the dump(8) -L option, which uses mksnap_ffs(8). Note that mksnap_ffs(8) is normally only available to the superuser and members of the operator group. For more information, see security advisory FreeBSD-SA-04:01.
[5.2.1] A bug with the System V Shared Memory interface (specifically the shmat(2) system call) has been fixed. This bug can cause a shared memory segment to reference unallocated kernel memory. In turn, this can permit a local attacker to gain unauthorized access to parts of kernel memory, possibly resulting in disclosure of sensitive information, bypass of access control mechanisms, or privilege escalation. More details can be found in security advisory FreeBSD-SA-04:02. [MERGED]
The acpi(4) driver's CPU component now supports idle states C1-C3 for both single and SMP systems, providing power/heat savings when the processor is idle, according to ACPI 2.0. Additionally, the throttling support has been updated to ACPI 2.0.
A bug that caused atkbd(4) to register an AT keyboard during console initialization, even when no AT keyboard was connected, has been fixed. kbdcontrol -k /dev/kbd1 is no longer needed when only a USB keyboard is connected. [MERGED]
[5.2.1] devfs(5) path rules now work correctly on directories.
The DRM kernel modules have been updated from DRI CVS as of 12 November 2003. Among other changes, this change includes a newly-ported SiS 300/305/540/630/730 driver and mostly-complete SMPng locking.
The dcons(4) ``dumb console'' driver has been added to provide a local and remote console. It can be accessed over FireWire using the dcons_crom(4) driver. A dconschat(8) utility provides user access to dcons(4) devices.
A multi-byte character set conversion method is now supported by the LIBICONV kernel option.
The hifn(4) driver now supports symmetric crypto for the 7955 and 7956 chipsets. [MERGED]
The safe(4) driver has been added to support SafeNet 1141- and 1741-based crypto accelerators. [MERGED]
Warning: This driver should be considered experimental and should be used with some caution.
Note: The public key support is not implemented.
The uart(4) driver has been added to support various classes of UART (Universal Asynchronous Receiver/Transmitter) devices. It is an analog of the sio(4) driver but supports a wider range of devices. This driver is necessary to support serial ports on certain architectures, such as ia64 and sparc64.
The swap pager has been revamped. Among user-visible changes are a change in the layout policy (from fixed-width striping to a round-robin across devices) for better I/O throughput, the elimination of compile-time limits on the number of swap devices, and a reduction in memory overheads.
Large changes have been made to the i386 machine-dependent code to improve interrupt routing and handling, as well as SMP support. Two major user-visible changes are that SMP kernels can run on UP systems and that SMP functionality is now enabled by default in the GENERIC kernel. Also, the options APIC_IO kernel option has been replaced by device apic.
An integer overflow that could cause kernel panics on PAE machines of certain large memory sizes has been corrected.
Floating point emulation in the kernel has been removed.
Problems with some Pentium 4 CPUs and some older Pentium Pro and Pentium II CPUs have been worked around. Typically these manifested themselves as memory corruption or unexplained crashes.
Logical CPUs (with HyperThreading) are now enabled according to BIOS settings (previously, they were disabled by default and had to be enabled explicitly).
[5.2.1] cdboot now works around a BIOS problem observed on some systems when booting from USB CDROM drives.
The bfe(4) driver has been added to support Broadcom BCM4401 based Fast Ethernet adapters.
bge(4) now supports Broadcom 5705 based Gigabit Ethernet NICs. [MERGED]
A bug in the bge(4) driver that prevented it from working correctly at 10 Mbps has been fixed.
The em(4) driver now has support for tuning the interrupt delays using sysctl tunables without recompiling the driver.
The fatm(4) driver has been added. This is a driver for NATM and NgATM that supports Fore/Marconi PCA200 ATM cards.
The harp(4) driver has been added. This is a pseudo physical interface driver for HARP, which attaches to all NetGraph ATM interfaces in the system and presents a physical interface to the HARP stack for each of these interfaces.
The hatm(4) driver has been added to support Fore/Marconi HE155 and HE622 ATM cards.
The hfa driver has been updated to firmware version 4.1.12 and now supports a limited number of CBR channels.
The patm(4) driver has been added to support IDT77252 based ATM interfaces.
The re(4) driver has been added. It provides support for the RealTek RTL8139C+, RTL8169, RTL8169S and RTL8110S PCI Fast Ethernet and Gigabit Ethernet controllers.
sk(4) now supports SK-9521 V2.0 and 3COM 3C940 based Gigabit Ethernet NICs. [MERGED]
[5.2.1] Several bugs related to multicast and promiscuous mode handling in the sk(4) driver have been fixed.
A new utopia(4) driver supports 25MBit/sec, 155MBit/sec and 622MBit/sec ATM physical layer configuration, status and statistics reporting for the most commonly used ATM-PHY chips.
The suspend/resume support for the wi(4) driver now works correctly when the device is configured down. [MERGED]
The wi(4) driver should once again work correctly with Lucent 802.11b interfaces.
The 802.11 support layer has been rewritten to allow for future growth and new features.
A number of network drivers have had their interrupt handlers marked as MPSAFE, meaning they can run without the Giant lock. Among the drivers so converted are: ath(4), em(4), ep(4), fxp(4), sn(4), wi(4), and sis(4).
The ip_flow feature in the IPv4 protocol implementation has been replaced by the ip_fastforward feature. ip_fastforward attempts to speed up simple cases of packet forwarding, processing a forwarded packet to an outgoing interface without queues or netisrs. If it cannot handle a particular packet, it passes that packet to the normal ip_input routines for processing. This feature can be enabled by setting the net.inet.ip.fastforwarding sysctl variable to 1.
The IP_ONESBCAST option has been added to enable undirected ip(4) broadcasts to be sent to specific network interfaces.
Enabling the options IPFILTER feature also requires enabling options PFIL_HOOKS.
A bug in ipfw(4) limit rule processing that could cause various panics has been fixed. [MERGED]
ipfw(4) rules now support comma-separated address lists (such as 126.96.36.199, 188.8.131.52/30, 184.108.40.206/22), and allow spaces after commas to make lists of addresses more readable. [MERGED]
ipfw(8) can now modify ipfw(4) rules in set 31, which was read-only and used for the default rules. They can be deleted by ipfw delete set 31 command but are not deleted by the ipfw flush command. This implements a flexible form of ``persistent rules''. More details can be found in ipfw(8). [MERGED]
The ng_atmpif(4) NetGraph node type has been added. It emulates a HARP physical interface, and allows one to run the HARP ATM stack without real hardware.
Kernel support has been added for Protocol Independent Multicast routing ( pim(4)). [MERGED]
The FreeBSD Bluetooth protocol stack has been updated:
libsdp has been re-implemented under a BSD style license. This is because the Linux BlueZ code is distributed under the GPL.
The hccontrol(8) utility now supports four new commands: Read/Write_Page_Scan_Mode and Read/Write_Page_Scan_Period_Mode.
The hcsecd(8) daemon now stores link keys on a disk. It is no longer required to pair devices every time.
The ng_ubt(4) module, which cannot be built on FreeBSD 5.1-RELEASE, has been fixed.
rfcomm_sppd(1) and rfcomm_pppd(8) now support to query the RFCOMM channel via SDP from the server. Specifying the RFCOMM channel manually, this behavior can be disabled and these utilities will not use SDP query.
The sdpcontrol(8) utility, which is analogous to the sdptool utility in the Linux BlueZ SDP package, has been added.
A number of fixes and updates to the IPv6 and IPSec code have been imported from the KAME Project.
[5.2.1] Some bugs in the IPsec implementation from the KAME Project have been fixed. These bugs were related to freeing memory objects before all references to them were removed, and could cause erratic behavior or kernel panics after flushing the Security Policy Database (SPD).
Support for the IPv6 Advanced Sockets API now conforms to RFC 3542 (also known as RFC 2292bis), rather than RFC 2292. Applications using this API have been updated accordingly.
[5.2.1] The PFIL_HOOKS option is now enabled by default in the GENERIC kernel. The most notable effect of this change is to make IPFilter work correctly when loaded as a kernel module.
Support for the source address selection part of RFC 3484 has been added. The ip6addrctl(8) utility can be used to configure the address selection policy.
The tcp_hostcache feature has been added to the TCP implementation. It caches measured parameters of past TCP sessions to provide better initial start values for following connections from or to the same source or destination. Similar information that used to be stored in the routing table has been removed.
The TCP implementation in FreeBSD now includes protection against a certain class of TCP MSS resource exhaustion attacks, in the form of limits on the size and rate of TCP segments. The first limit sets the minimum allowed maximum TCP segment size, and is controlled by the net.inet.tcp.minmss sysctl variable (the default value is 216 bytes). The second limit is set by the net.inet.tcp.minmssoverload variable, and controls the maximum rate of connections whose average segment size is less than net.inet.tcp.minmss. Connections exceeding this packet rate are reset and dropped. Because this feature was added late in the 5.2-RELEASE release cycle, connection rate limiting is disabled by default, but can be enabled manually by assigning a non-zero value to net.inet.tcp.minmssoverload.
The amr(4) driver now has system crashdump support. [MERGED]
A major rework of the ata(4) driver has been committed. One of the more notable changes is that the ata(4) driver is now out from under the Giant kernel lock. Note that ATA software RAID systems must now include device ataraid in their kernel configuration files, as it is no longer automatically implied by device atadisk.
[5.2.1] A number of bugs in the ata(4) driver have been fixed. Most notably, master/slave device detection should work better, and some problems with timeouts should be resolved.
The da(4) driver no longer tries to send 6-byte commands to USB and FireWire devices. The quirks for these devices (which hopefully are now unnecessary) have been disabled; to restore the old behavior, add options DA_OLD_QUIRKS to the kernel configuration. [MERGED]
Various geom(4) modules can now be loaded as kernel modules, namely: geom_apple, geom_bde, geom_bsd, geom_gpt, geom_mbr, geom_pc98, geom_sunlabel, geom_vol_ffs.
A GEOM_FOX module has been added to detect and select between multiple redundant paths to the same device.
The matcd(4) driver, which supports the Matsushita CR-562 and CR-563 CD drives, has returned.
The twe(4) driver now supports the 3ware generic API. [MERGED]
Multi-byte character conversion with the cd9660, msdosfs, ntfs, and udf filesystems is now supported by including the CD9660_ICONV, MSDOSFS_ICONV, NTFS_ICONV, and UDF_ICONV kernel options, respectively.
[5.2.1] A bug in GEOM that could result in I/O hangs in some rare cases has been fixed.
Some off-by-one errors in the smbfs that prevented it from working correctly with 15-character NetBIOS names have been fixed.
The sizes of some members of the statfs structure have changed from 32 bits to 64 bits in order to better support multi-terabyte filesystems.
Users performing source upgrades across this change must ensure that their kernel and userland bits are in sync, by following the documented source upgrade procedures.
A backward compatibility version of the statfs(2) system call exists but only if the COMPAT_FREEBSD4 kernel option is defined. Including this option in the kernel is strongly encouraged.
[5.2.1] A panic in the NFSv4 client has been fixed; this occurred when attempting operations against an NFSv3/NFSv2-only server.
The last bits of the i386-only, a.out compiler toolchain have been removed.
acpiconf(8) now supports a -i option to print battery information.
acpidb(8), an ACPI DSDT debugger, has been added.
arp(8) now supports a -i option to limit the scope of the current operation to the ARP entries on a particular interface. This option applies to the display operations only. It should be useful on routers with numerous network interfaces. [MERGED]
The atmconfig(8) program has been added for configuration of the ATM drivers and IP-over-ATM functionality.
chroot(8) now allows the optional setting of a user, primary group, or group list to use inside the chroot environment via the -u, -g, and -G options respectively. [MERGED]
The compat4x.i386 libraries have been updated to correspond to those available in FreeBSD 4.9-RELEASE.
The dev_mkdb utility is unnecessary due to the mandatory presence of devfs, and has been removed.
dhclient(8) now polls the state of network interfaces and only sends DHCP requests on interfaces that are up. The polling interval can be controlled with the -i option.
The default mode for the lost+found directory of fsck(8) is now 0700 instead of 01777. [MERGED]
fsck_ffs(8) and newfs(8) now create a .snap directory in the root directory of each filesystem, with group operator. fsck_ffs(8), mksnap_ffs(8), and dump(8) will write their filesystem snapshots to this directory. This change avoids locking access to the root directory of a filesystem during snapshot creation and also helps non-root users create snapshots.
The ffsinfo(8) utility has been updated to understand UFS2 filesystems and has been re-enabled.
The iasl(8) utility, a compiler/decompiler for ACPI Source Language (ASL) and ACPI Machine language (AML), has been added.
ifconfig(8) now supports a staticarp option for an interface, which disables the sending of ARP requests for that interface.
A fix in the initgroups(3) library function now causes logins to fail if the login process is unable to successfully set the process credentials to include all groups defined for a user. The current kernel limit is 16 groups; administrators may wish to check that users do not have more than 16 groups defined, or they will be unable to log in.
The ipfw(8) list and show commands now support ranges of rule numbers. [MERGED]
ipfw(8) now supports a -n flag to test the syntax of commands without actually changing anything. [MERGED]
kdump(1) now supports a -p option to display only the trace events corresponding to a specific process, as well as a new -E flag to display timestamps relative to the start of the dump.
last(1) now supports a -n flag to limit the number of lines in its output report.
The libalias library, natd(8), and ppp(8) now support Cisco Skinny Station protocol, which is the protocol used by Cisco IP phones to talk to Cisco Call Managers. Note that currently having the Call Manager behind the NAT gateway is not supported. [MERGED]
The libcipher DES cryptography library has been removed. All of its functionality is provided by the libcrypto library, and all base systems programs that used libcipher have been converted to use libcrypto instead.
The libkiconv library has been added to support working with loadable character set conversion tables in the kernel.
The libthr 1:1 threading library is now built by default.
libwrap and tcpdchk(8) are now configured to support the extended tcp_wrappers syntax by default.
The locale(1) utility has been re-implemented and is now POSIX-compliant. A new -m option shows all available codesets.
The mount(8) utility now supports to display the filesystem ID for each file system in addition to the normal information when a -v flag is specified, and the umount(8) utility now accepts the filesystem ID as well as the usual device and path names. This allows to unambiguously specify which file system is to be unmounted even when two or more file systems share the same device and mount point names.
The mount_cd9660(8), mount_ntfs(8), and mount_udf(8) utilities now support a -C option to specify local character sets to convert Unicode filenames. It is possible to specify multi-byte character sets using this option.
The mount_msdosfs(8) utility now supports a -M option to specify the maximum file permissions for directories in the file system. [MERGED]
The mount_msdosfs(8) utility now supports a -D option to specify MS-DOS codepages and a -L option to specify local character sets. They are used to convert character sets of filenames. The /usr/libdata/msdosfs tables have been retired.
The nologin(8) program has been reimplemented in C (it was formerly a shell script).
[5.2.1] A bugfix has been applied to NSS support, which fixes problems when using third-party NSS modules (such as net/nss_ldap) and groups with large membership lists.
The pam_guest(8) PAM module has been added to allow guest logins. It replaces the pam_ftp(8) module.
A bug that rarpd(8) does not recognize removable Ethernet NICs has been fixed.
repquota(8) now supports a -n flag to display users and groups numerically.
savecore(8) now supports a -C flag that merely indicates the existence or absence of a coredump file.
The symorder utility has been removed. It is unnecessary now that all kernels use ELF format and there is no a.out format toolchain.
sysinstall(8) now gives the ability to select an alternate MTA during installation. Currently, exim and Postfix are supported.
systat(1) now includes displays for IPv6 and ICMPv6 traffic. [MERGED]
uname(1) now supports a -i flag to return the kernel identification. This name is also available via the kern.ident sysctl variable.
A number of utilities available in /bin and /sbin are now available as a statically-linked ``crunched'' binary that lives in /rescue. This functionality is similar to the /stand directory installed by sysinstall(8), but /rescue includes more functionality and is updated as part of buildworld/installworld operations. More details can be found in rescue(8).
Many executables in /bin and /sbin are now built using dynamic, rather than static linking. This feature brings support for loadable PAM and NSS modules to base system utilities located in those directories. It also reduces the storage requirements for the root filesystem due to the use of shared libraries. This feature can be disabled in a buildworld by defining the Makefile variable NO_DYNAMICROOT. Note that statically-linked, crunched executables are available in the /rescue directory for use during system repair and recovery operations.
The ACPI-CA code has been updated from the 20030228 snapshot to the 20030619 snapshot.
amd has been updated from 6.0.7 to 6.0.9.
awk from Bell Labs has been updated from a 14 March 2003 snapshot to a 29 July 2003 snapshot.
BIND has been updated from 8.3.4 to 8.3.7. [MERGED]
[5.2.1] Security improvements from CVS 1.11.10 and 1.11.11 have been backported. Specifically, certain malformed module requests are now rejected, and when using cvs pserver mode, attempts to authenticate as root are rejected and recorded via syslog(3).
GCC has been updated from 3.2.2 to a 3.3.3 pre-release snapshot from 6 November 2003.
Note: Previous versions of GCC generated incorrect code when -march=pentium4 optimization was enabled. This problem is believed to have been fixed with this upgrade, and the earlier workaround for the case of CPUTYPE=p4 has been removed.
GNU Readline has been updated from 4.2 to 4.3.
GNU Sort has been updated from the version in textutils 2.0.21 to the version in textutils 2.1.
Heimdal Kerberos has been updated from 0.5.1 to 0.6.
The ISC DHCP client has been updated from 3.0.1rc11 to 3.0.1rc12.
lukemftp has been updated from 1.6beta2 to a 11 November 2003 snapshot from NetBSD.
OpenPAM has been updated from the ``Dianthus'' release to the ``Dogwood'' release.
OpenSSL has been updated from 0.9.7a to 0.9.7c. [MERGED]
sendmail has been updated from version 8.12.9 to version 8.12.10. [MERGED]
texinfo has been updated from 4.5 to 4.6. [MERGED]
The timezone database has been updated from the tzdata2003a release to the tzdata2003d release. [MERGED]
If GNU_CONFIGURE is defined, all instances of config.guess and config.sub found under WRKDIR are replaced with the master versions from PORTSDIR/Template. This allows old ports (which contain old versions of these scripts) to build on newer architectures like ia64 and amd64.
The supported release of GNOME has been updated from 2.2.1 to 2.4. [MERGED]
The supported release of KDE has been updated from 3.1.2 to 3.1.4. [MERGED]
[5.2.1] The sysutils/kdeadmin3 port and package have been updated to version 3.1.4_1. This update fixes a bug in the KUser application that could cause the root user to be deleted from the password file
To reduce duplication of information (and subsequent difficulty in maintaining consistency), many instances of specific devices supported in the Hardware Notes have been moved to system manual pages. This project is ongoing as of this release.
A Turkish (tr_TR.ISO8859-9) translation project has been started.
Users with existing FreeBSD systems are highly encouraged to read the ``Early Adopter's Guide to FreeBSD 5.2.1-RELEASE''. This document generally has the filename EARLY.TXT on the distribution media, or any other place that the release notes can be found. It offers some notes on upgrading, but more importantly, also discusses some of the relative merits of upgrading to FreeBSD 5.X versus running FreeBSD 4.X.
Important: Upgrading FreeBSD should, of course, only be attempted after backing up all data and configuration files.
This file, and other release-related documents, can be downloaded from ftp://ftp.FreeBSD.org/.
For questions about this documentation, e-mail <doc@FreeBSD.org>.