FreeBSD/amd64 5.4-RELEASE Release Notes
The FreeBSD Project
Copyright © 2000, 2001, 2002, 2003, 2004, 2005 The FreeBSD Documentation Project
1.7220.127.116.11.9 2005/05/05 17:49:08 hrs Exp $
FreeBSD is a registered trademark of the FreeBSD Foundation.
IBM, AIX, EtherJet, Netfinity, OS/2, PowerPC, PS/2, S/390, and ThinkPad are trademarks of International Business Machines Corporation in the United States, other countries, or both.
IEEE, POSIX, and 802 are registered trademarks of Institute of Electrical and Electronics Engineers, Inc. in the United States.
Intel, Celeron, EtherExpress, i386, i486, Itanium, Pentium, and Xeon are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Sparc, Sparc64, SPARCEngine, and UltraSPARC are trademarks of SPARC International, Inc in the United States and other countries. Products bearing SPARC trademarks are based upon architecture developed by Sun Microsystems, Inc.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this document, and the FreeBSD Project was aware of the trademark claim, the designations have been followed by the ``™'' or the ``®'' symbol.
The release notes for FreeBSD 5.4-RELEASE contain a summary of the changes made to the FreeBSD base system since 5.3-RELEASE. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented.
- Table of Contents
- 1 Introduction
- 2 What's New
- 2.1 Security Advisories
- 2.2 Kernel Changes
- 2.3 Userland Changes
- 2.3.1 /etc/rc.d Scripts
- 2.4 Contributed Software
- 2.5 Ports/Packages Collection Infrastructure
- 2.6 Release Engineering and Integration
- 2.7 Documentation
- 3 Upgrading from previous releases of FreeBSD
This document contains the release notes for FreeBSD 5.4-RELEASE on the AMD64 hardware platform. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD.
This distribution of FreeBSD 5.4-RELEASE is a release distribution. It can be found at ftp://ftp.FreeBSD.org/ or any of its mirrors. More information on obtaining this (or other) release distributions of FreeBSD can be found in the ``Obtaining FreeBSD'' appendix to the FreeBSD Handbook.
All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with ``late-breaking'' information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD 5.4-RELEASE can be found on the FreeBSD Web site.
This section describes the most user-visible new or changed features in FreeBSD since 5.3-RELEASE. In general, changes described here are unique to the 5-STABLE branch unless specifically marked as [MERGED] features.
Typical release note items document recent security advisories issued after 5.3-RELEASE, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.
A bug in the fetch(1) utility, which allows a malicious HTTP server to cause arbitrary portions of the client's memory to be overwritten, has been fixed. For more information, see security advisory FreeBSD-SA-04:16.fetch.
A bug in procfs(5) and linprocfs(5) which could allow a malicious local user to read parts of kernel memory or perform a local denial of service attack by causing a system panic, has been fixed. For more information, see security advisory FreeBSD-SA-04:17.procfs.
Two buffer overflows in the TELNET client program have been corrected. They could have allowed a malicious TELNET server or an active network attacker to cause telnet(1) to execute arbitrary code with the privileges of the user running it. More information can be found in security advisory FreeBSD-SA-05:01.telnet.
An information disclosure vulnerability in the sendfile(2) system call, which could permit it to transmit random parts of kernel memory, has been fixed. More details are in security advisory FreeBSD-SA-05:02.sendfile.
A possible privilege escalation vulnerability on FreeBSD/amd64 has been fixed. It allowed unprivileged users to gain direct access to some hardware that should not be accessible without elevated privileges. More details are in security advisory FreeBSD-SA-05:03.amd64.
Several programming errors in cvs(1), which could potentially cause arbitrary code to be executed on CVS servers, have been corrected. Further information can be found in security advisory FreeBSD-SA-05:05.cvs.
The jail(8) feature now supports a security.jail.chflags_allowed sysctl variable, which controls the behavior of chflags(1) within a jail. If set to 0 (the default), then a jailed root user is treated as an unprivileged user; if set to 1, then a jailed root user is treated the same as an unjailed root user.
The loader tunable
has been enabled by default.
A number of bugs have been fixed in the ULE scheduler.
A framework for flexible processor speed control has been added. It provides methods for various drivers to control CPU power utilization by adjusting the processor speed. More details can be found in the cpufreq(4) manual page.
The pcii driver has been added to support GPIB-PCIIA IEEE-488 cards.
The cdce(4) USB Communication Device Class Ethernet driver has been added.
The cp(4) driver is now MPSAFE.
The ctau(4) driver is now MPSAFE.
The cx(4) driver is now MPSAFE.
In the em(4) driver, hardware support for VLAN tagging is now disabled by default due to some interactions between this feature and promiscuous mode.
Ethernet flow control is now disabled by default in the fxp(4) driver, to prevent problems when a system panics or is left in the kernel debugger.
The hme(4) driver is now MPSAFE.
The ndis(4) device driver wrapper now supports Windows®/x86-64 binaries on amd64 systems.
Several programming errors in the sk(4) driver have been corrected. These bugs were particular to SMP systems, and could cause panics, page faults, aborted SSH connections, or corrupted file transfers. More details can be found in errata note FreeBSD-EN-05:02.sk.
The MTU feedback in IPv6 has been disabled when the sender writes data that must be fragmented.
The Common Address Redundancy Protocol (CARP) has been implemented. CARP comes from OpenBSD and allows multiple hosts to share an IP address, providing high availability and load balancing. For more information, see the carp(4) manual page.
The ipfw(4) system can work with debug.mpsafenet=1 (this tunable is 1 by default) when the gid, jail, and/or uid rule options are used.
The ipfw(8) ipfw fwd rule now supports the full packet destination manipulation when the kernel option options IPFIREWALL_FORWARD_EXTENDED is specified in addition to options IPFIREWALL_FORWARD. This kernel option disables all restrictions to ensure proper behavior for locally generated packets and allows redirection of packets destined to locally configured IP addresses. Note that ipfw(8) rules have to be carefully crafted to make sure that things like PMTU discovery do not break.
ipnat(8) now allows redirect rules to work for non-TCP/UDP packets.
Ongoing work is reducing the use of the Giant lock by the network protocol stack and improving the locking strategies.
A new ng_netflow(4) NetGraph node allows a router running FreeBSD to do NetFlow version 5 exports.
The sppp(4) driver now includes Frame Relay support.
A bug in TCP that sometimes caused RST packets to be ignored if the receive window was zero bytes has been fixed.
Several bugs in the TCP SACK implementation have been fixed.
The KAME IPv4 IPsec implementation integrated in FreeBSD now supports TCP-MD5.
Random ephemeral port number allocation has led to some problems with port reuse at high connection rates. This feature is now disabled during periods of high connection rates; whenever new connections are created faster than net.inet.ip.portrange.randomcps per second, port number randomization is disabled for the next net.inet.ip.portrange.randomtime seconds. The default values for these two sysctl variables are 10 and 45, respectively.
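The throttle described above can be modelled in a few lines. This is an added example, not FreeBSD kernel code: the one-second tick, the holdoff counter, re-arming on every burst second, and all function names are assumptions made for illustration; only the two limits and their defaults (10 and 45) come from the text.

```c
#include <stdio.h>

/* Model of the port-randomization throttle. Field and function names
 * are hypothetical; only the two limits mirror the sysctl variables. */
struct port_rand_state {
    int randomcps;   /* net.inet.ip.portrange.randomcps (default 10) */
    int randomtime;  /* net.inet.ip.portrange.randomtime (default 45) */
    int holdoff;     /* seconds of suspension still to serve */
};

/* Called once per simulated second with the number of connections
 * created in that second. Returns 1 if randomization is active for
 * that second, 0 if it is suspended. */
int port_rand_tick(struct port_rand_state *s, int new_conns)
{
    if (new_conns > s->randomcps)
        s->holdoff = s->randomtime;   /* burst: (re)start the hold-off */
    else if (s->holdoff > 0)
        s->holdoff--;                 /* quiet second: count down */
    return s->holdoff == 0;
}

/* Replays a per-second connection-rate trace and returns the number
 * of seconds during which randomization was suspended. */
int suspended_seconds(const int *rates, int n, int randomcps, int randomtime)
{
    struct port_rand_state s = { randomcps, randomtime, 0 };
    int off = 0;

    for (int i = 0; i < n; i++)
        if (!port_rand_tick(&s, rates[i]))
            off++;
    return off;
}

int main(void)
{
    /* Constructed trace: two quiet seconds, one burst of 50
     * connections, then 57 idle seconds. */
    int rates[60] = { 3, 5, 50 };

    printf("randomization suspended for %d of 60 seconds\n",
        suspended_seconds(rates, 60, 10, 45));
    return 0;
}
```

In this model a single one-second burst costs randomtime seconds of non-randomized allocation, and a sustained rate above randomcps keeps the suspension armed indefinitely, which is worth keeping in mind when tuning either variable on busy hosts.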
The hptmv(4) driver, which supports the HighPoint RocketRAID 182x series, has been added.
The ips(4) driver now supports kernel crash dumps on some modern ServeRAID models.
The matcd(4) driver has been removed.
The SHSEC GEOM class has been added. It provides for the sharing of a secret between multiple GEOM providers. All of these providers must be present in order to reveal the secret. This feature is controlled by the gshsec(8) utility.
Information about newly-mounted cd9660 file systems (such as the presence of RockRidge extensions) is now only printed if the kernel was booted in verbose mode. This change was made to reduce the amount of (generally unnecessary) kernel log messages.
Recomputing the summary information for ``dirty'' UFS and UFS2 file systems is no longer done at mount time, but is now done by fsck(8). This change improves the startup speed when mounting large file systems after a crash. The prior behavior can be restored by setting the vfs.ffs.compute_summary_at_mount sysctl variable to a non-zero value.
A kernel panic in the NFS server has been fixed. More details can be found in errata note FreeBSD-EN-05:01.nfs.
ACPI-CA has been updated from 20040527 to 20041119.
The ftpd(8) program now uses the 212 and 213 status codes for directory and file status correctly (211 was used in the previous versions). This behavior is described in RFC 959.
The getaddrinfo(3) function now queries A DNS resource records before AAAA records when AF_UNSPEC is specified. Some broken DNS servers return NXDOMAIN against non-existent AAAA queries, even when they should return NOERROR with empty return records. This is a problem for an IPv4/IPv6 dual stack node because the NXDOMAIN returned by the first query of an AAAA record makes the querying server stop attempting to resolve the A record if any. Also, this behavior has been recognized as a potential denial-of-service attack (see http://www.kb.cert.org/vuls/id/714121 for more details). Note that although the query order has been changed, the returned result still includes AF_INET6 records before AF_INET records.
The create command of the gpt(8) utility now supports a -f command-line flag to force creation of a GPT even when there is an MBR record on a disk.
The gvinum(8) utility now supports checkparity, rebuildparity, and setstate subcommands.
The libarchive library (as well as the tar(1) command that uses it) now has support for reading ISO images (with optional RockRidge extensions) and ZIP archives (with deflate and none compression).
The libgpib library has been added to give userland access to GPIB devices (using the pcii driver)
A number of bugfixes for libpthread have been merged from HEAD.
The moused(8) daemon now supports ``virtual scrolling'', in which mouse motions made while holding down the middle mouse button are interpreted as scrolling. This feature is enabled with the
A separate directory has been added for named(8) dynamic zones which is owned by the bind user (for creation of the zone journal file). For more detail, see an example dynamic zone in the sample named.conf(5).
The newfs(8) utility now supports a -n flag to suppress the creation of a .snap directory on new file systems. This feature is intended for use on memory or vnode file systems that will not require snapshot support.
The newfs(8) utility now emits a warning when creating a UFS or UFS2 file system that cannot support snapshots. This situation can occur in the case of very large file systems with small block sizes.
The NO_NIS compile-time knob for userland has been added. As its name implies, enabling this Makefile variable will cause NIS support to be excluded from various programs and will cause the NIS utilities to not be built.
The ncal(1) utility now supports a -m flag to generate a calendar for a specified month in the current year.
The ppp(8) program now implements an echo parameter, which allows LCP ECHOs to be enabled independently of LQR reports. Older versions of ppp(8) would revert to LCP ECHO mode on negotiation failure. It is now necessary to specify enable echo to get this behavior.
Two bugs in the pppd(8) program have been fixed. They may result in an incorrect CBCP response, which violates the Microsoft PPP Callback Control Protocol section 3.2.
The restore(8) utility has regained the ability to read FreeBSD version 1 dump tapes.
The rm(1) utility now supports an -I option that asks for confirmation (once) if recursively removing directories or if more than 3 files are listed in the command line.
The strftime(3) function now supports some GNU extensions such as - (no padding), _ (use space as padding), and 0 (zero padding).
The syslog(3) function is now thread-safe.
The syslogd(8) utility now opens an additional domain socket (/var/run/logpriv by default), with 0600 permissions to be used by privileged programs. This prevents privileged programs from locking when the domain sockets run out of buffer space due to a local denial-of-service attack.
The syslogd(8) utility now supports a -S option, which allows changing the pathname of the privileged socket. This is useful when you do not want the daemon to receive any messages from the local sockets (/var/run/log and /var/run/logpriv are used by default).
The syslogd(8) utility now allows : and % characters in the hostname specifications. These characters are used in IPv6 addresses and scope IDs.
-netstat display is now IPv6-aware.
The -f option of the tail(1) utility now supports more than one file at a time.
The tcpdrop(8) command, which closes a selected TCP connection, has been added. It was obtained from OpenBSD.
The whois(1) utility now supports a -k flag for querying whois.krnic.net (the National Internet Development Agency of Korea), which holds details of IP address allocations
rc.conf(5) now supports changes of network interface names at boot time. For example:
ifconfig_fxp0_name="net0"
ifconfig_net0="inet 10.0.0.1/16"
rc.conf(5) now supports the varmfs_flags variables. These can be used to pass extra options to the mdmfs(8) utility, to customize the finer details of the md(4) file system creation, such as to turn on/off softupdates, to specify a default owner for the file system, and so on.
BIND has been updated from version 9.3.0 to version 9.3.1.
Heimdal has been updated from 0.6.1 to 0.6.3.
A snapshot of netcat from OpenBSD as of 4 February 2005 has been added. More information can be found in the nc(1) manual page.
OpenSSL has been updated from 0.9.7d to 0.9.7e.
sendmail has been updated from version 8.13.1 to version 8.13.3.
The timezone database has been updated from tzdata2004e to tzdata2004g.
The ports/INDEX* files, which kept an index of all of the entries in the ports collection, have been removed from the CVS repository. These files were generated only infrequently, and therefore were usually out-of-date and inaccurate. Users requiring an index file (such as for use by programs such as portupgrade(1)) have two alternatives for obtaining a copy:
Build an index file based on the current ports tree by running make index from the top of the ports/ tree.
Fetch an index file over the network by running make fetchindex from the top of the ports/ tree. This index file will (typically) be accurate to within a day.
In prior FreeBSD releases, the disc1 CD-ROM (or ISO image) was a bootable installation disk containing the base system, ports tree, and common packages. The disc2 CD-ROM (or ISO image) was a bootable ``fix it'' disk with a live filesystem, to be used for making emergency repairs. This layout has now changed. For all architectures except ia64, the disc1 image now contains the base system distribution files, ports tree, and the live filesystem, making it suitable for both an initial installation and repair purposes. (On the ia64, the live filesystem is on a separate disk due to its size.) Packages appear on separate disks; in particular, the disc2 image contains common packages such as desktop environments. Documents from the FreeBSD Documentation Project also appear on disc2.
The supported version of the GNOME desktop environment has been updated from 2.6.2 to 2.10. More information about running GNOME on FreeBSD can be found on the FreeBSD GNOME Project Web page.
Note: Users of older versions of the GNOME desktop (x11/gnome2) must take particular care in upgrading. Simply upgrading it from the FreeBSD Ports Collection with portupgrade(1) (sysutils/portupgrade) will cause serious problems. GNOME desktop users should read the instructions carefully at http://www.FreeBSD.org/gnome/docs/faq210.html and use the gnome_upgrade.sh script to properly upgrade to GNOME 2.10.
The supported version of the KDE desktop environment has been updated from 3.3.0 to 3.4.0. More information regarding running KDE on FreeBSD can be found on the KDE on FreeBSD Web page.
Note: Users of older versions of KDE should follow the upgrading procedure documented on the KDE on FreeBSD Web page or in ports/UPDATING.
The supported version of Xorg has been updated from 6.7.0 to 6.8.2.
Users with existing FreeBSD systems are highly encouraged to read the ``FreeBSD 5.4-RELEASE Migration Guide''. This document generally has the filename MIGRATE5.TXT on the distribution media, or any other place that the release notes can be found. It offers some notes on migrating from FreeBSD 4.X, but more importantly, also discusses some of the relative merits of upgrading to FreeBSD 5.X versus running FreeBSD 4.X.
Important: Upgrading FreeBSD should, of course, only be attempted after backing up all data and configuration files.
This file, and other release-related documents, can be downloaded from ftp://ftp.FreeBSD.org/.
For questions about this documentation, e-mail <doc@FreeBSD.org>.
Last modified on: May 15, 2021 by Allan Jude