Copyright © 2013 The FreeBSD Documentation Project
251258 2013-06-02 16:21:02Z hrs $
FreeBSD is a registered trademark of the FreeBSD Foundation.
IBM, AIX, EtherJet, Netfinity, OS/2, PowerPC, PS/2, S/390, and ThinkPad are trademarks of International Business Machines Corporation in the United States, other countries, or both.
IEEE, POSIX, and 802 are registered trademarks of Institute of Electrical and Electronics Engineers, Inc. in the United States.
Intel, Celeron, EtherExpress, i386, i486, Itanium, Pentium, and Xeon are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
SPARC, SPARC64, SPARCengine, and UltraSPARC are trademarks of SPARC International, Inc in the United States and other countries. SPARC International, Inc owns all of the SPARC trademarks and under licensing agreements allows the proper use of these trademarks by its members.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this document, and the FreeBSD Project was aware of the trademark claim, the designations have been followed by the “™” or the “®” symbol.
The release notes for FreeBSD 8.4-RELEASE contain a summary of the changes made to the FreeBSD base system on the 8.4-STABLE development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented.
This document contains the release notes for FreeBSD 8.4-RELEASE. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD.
This distribution of FreeBSD 8.4-RELEASE is a release distribution. It can be found at ftp://ftp.FreeBSD.org/ or any of its mirrors. More information on obtaining this (or other) release distributions of FreeBSD can be found in the “Obtaining FreeBSD” appendix to the FreeBSD Handbook.
All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with “late-breaking” information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD 8.4-RELEASE can be found on the FreeBSD Web site.
This section describes the most user-visible new or changed features in FreeBSD since 8.3-RELEASE.
Typical release note items document recent security advisories issued after 8.3-RELEASE, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.
Problems described in the following security advisories have been fixed. For more information, consult the individual advisories available from http://security.FreeBSD.org/.
| Advisory | Date | Topic |
|---|---|---|
| SA-12:01.openssl | 03 May 2012 | OpenSSL multiple vulnerabilities |
| SA-12:02.crypt | 30 May 2012 | Incorrect crypt() hashing |
| SA-12:03.bind | 12 June 2012 | Incorrect handling of zero-length RDATA fields in named(8) |
| SA-12:04.sysret | 12 June 2012 | Privilege escalation when returning from kernel |
| SA-12:05.bind | 06 August 2012 | named(8) DNSSEC validation Denial of Service |
| SA-12:06.bind | 22 November 2012 | Multiple Denial of Service vulnerabilities with named(8) |
| SA-12:07.hostapd | 22 November 2012 | Insufficient message length validation for EAP-TLS messages |
| SA-12:08.linux | 22 November 2012 | Linux compatibility layer input validation error |
| SA-13:02.libc | 19 February 2013 | glob(3) related resource exhaustion |
| SA-13:03.openssl | 02 April 2013 | OpenSSL multiple vulnerabilities |
| SA-13:04.bind | 02 April 2013 | BIND remote denial of service |
| SA-13:05.nfsserver | 29 April 2013 | Insufficient input validation in the NFS server |
A bug which could cause a kernel thread to have a wrong CPU affinity configuration has been fixed.[r232757]
comconsole_pcidev have been added. The former sets
the base address of the serial console I/O port. The latter takes a string of the
format bus:device:function:[bar] as a value and uses the serial port
attached as a PCI device at the specified location for the console. Both variants pass
hw.uart.console variable to the
to properly hand-over the kernel console.[r245847]
The F_DUPFD_CLOEXEC command for fcntl(2) has been implemented. This is standardized in IEEE Std 1003.1-2008 (POSIX, Single UNIX Specification Version 4). In addition to this, F_DUP2FD_CLOEXEC has been implemented in analogy with F_DUP2FD.[r239860, r239861]
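The security value of F_DUPFD_CLOEXEC is that the duplicate never exists without the close-on-exec flag, so it cannot leak into a program that another thread starts with fork and exec. The following added example (not part of the release notes or of FreeBSD's sources) compares it with F_DUPFD; the helper names, the /dev/null stand-in descriptor and the /bin/sh inheritance check are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Duplicate fd onto the lowest free descriptor >= minfd.
 * atomic != 0: F_DUPFD_CLOEXEC, the copy is created with FD_CLOEXEC set.
 * atomic == 0: F_DUPFD, the copy stays inheritable until a later F_SETFD,
 *              leaving a window in which another thread can fork+exec. */
static int dup_fd(int fd, int minfd, int atomic)
{
    return fcntl(fd, atomic ? F_DUPFD_CLOEXEC : F_DUPFD, minfd);
}

/* Returns 1 if FD_CLOEXEC is set on fd, 0 if not, -1 on error. */
static int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/* Fork and exec /bin/sh, which tries to redirect onto descriptor fd.
 * Returns 1 if fd was still open in the exec'd program, 0 if the kernel
 * closed it at exec time, -1 if the check could not be run.
 * fd must be below 10: some shells accept only single-digit descriptors. */
static int survives_exec(int fd)
{
    char script[64];
    int status;
    pid_t pid;

    if (fd < 0 || fd > 9)
        return -1;
    snprintf(script, sizeof script, "exec 2>/dev/null; : >&%d", fd);
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", script, (char *)NULL);
        _exit(127);                 /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    int src = open("/dev/null", O_WRONLY);  /* stand-in for a sensitive fd */
    int plain = dup_fd(src, 3, 0);
    int safe = dup_fd(src, 3, 1);

    if (src < 0 || plain < 0 || safe < 0)
        return 1;
    printf("F_DUPFD         fd %d: cloexec=%d survives exec=%d\n",
           plain, has_cloexec(plain), survives_exec(plain));
    printf("F_DUPFD_CLOEXEC fd %d: cloexec=%d survives exec=%d\n",
           safe, has_cloexec(safe), survives_exec(safe));
    return 0;
}
```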
debug.kdb.alt_break_to_debugger have been added as
variables and loader tunables. These are disabled by default and
ALT_BREAK_TO_DEBUGGER kernel options now set them enabled.
These changes allow GENERIC kernel to support
The FreeBSD sched_ule(4) scheduler has been improved in CPU selection on systems which support SMT (Symmetric MultiThreading, also known as HyperThreading on Intel CPUs). It now prefers a logical CPU when the other logical CPUs on the physical one are idle, and an idle CPU in an SMT CPU group always has lower priority. The CPU load calculation for load balancing has also been improved to consider highest and lowest CPU load in comparison to differentiate load in CPU groups. This change gives 10-15% performance improvement in SMT CPUs such as Core i7.[r241246]
kern.stop_scheduler_on_panic has been
added. When set to 1, only one thread runs
uninterruptedly after a system panic and the other CPUs are stopped. The
default value is 0.[r235502]
A bug where changes to a file mapped with the mmap(2) system call were not flushed properly under certain circumstances has been fixed. If a process has an NFS-backed file and adds changes to it, normally the changes are written into the backing store automatically. However, the NFS client treated the modified parts as successfully written even when the write operation had failed for some reason, such as permission denied.[r233765, r234094, r236150]
The gptboot boot block now reads the backup GPT header from the last LBA only when the primary GPT header and tables are invalid. This mitigates interoperability issues with some geom(4) providers like MIRROR which use the last LBA for the metadata.[r234694]
[sparc64] FreeBSD/sparc64 now supports booting from ZFS via the zfsboot boot block and zfsloader.[r236077]
A bug in the zfsboot boot block which could
-q option from working has been fixed.[r234680]
The zfsboot boot block and zfsloader support filesystems within a ZFS storage pool. In zfsloader, the ZFS device name format is now zfs:pool/fs and the fully qualified file path format is zfs:pool/fs:/path/to/file. The zfsboot boot block accepts the kernel/loader name in the format pool:fs:path/to/file or, as before, pool:path/to/file. In the latter case a default filesystem is used (the pool root or a filesystem with the bootfs property). The zfsboot boot block passes the GUIDs of the selected storage pool and dataset to zfsloader to be used as its defaults.[r237765]
subsystem now uses MADT to match ACPI Processor objects to CPUs and ignores
disabled cores while it is possible that MADT and DSDT/SSDTs may list CPUs in
different orders. A new loader tunable
debug.acpi.cpu_unordered has been added for buggy systems
that do not have unique ACPI IDs for MADT and Processor objects. Setting it to 1 restores the old behavior.[r237823]
[amd64] A workaround for Erratum 721 for AMD Processor Family 10h and 12h has been implemented. Under a highly specific and detailed set of internal timing conditions, the processor may incorrectly update the stack pointer after a long series of push and/or near-call instructions, or a long series of pop and/or near-return instructions.[r233799]
[amd64] The extended FPU states for native 64-bit and 32-bit ABIs are now supported. AVX instructions are also enabled on capable CPUs.[r237009]
[amd64] The pci(4) driver now supports mapping between MSI (Message Signaled Interrupt) and HyperTransport interrupt messages on HyperTransport to PCI bus bridges. This change improves handling of MSIs on AMD CPUs.[r234151]
The puc(4) driver now supports Sun 1040 PCI Quad Serial, Moxa PCIe CP102E/CP102EL/CP104EL-A/CP104JU/CP114EL/CP118EL-A/CP168EL-A multiport serial boards, Advantech PCI-1602 RS-485/RS-422 serial card, and Sunix SER5437A dual serial PCI Express card.[r236651, r238775, r243009, r248041]
[amd64, i386] The
driver now supports RDRAND instruction on Intel on-chip
Digital Random Number Generator (called Bull Mountain).
RDRAND_RND kernel option has been added to GENERIC kernel.[r240994]
The uart(4) driver now supports Wacom Tablet at FuS Lifebook T, multiport serial device IrDA devices with PnP ID PNP0502, PNP0510, and PNP0511, V.34 modems based on CIR1000 Cirrus Logic chip, and MosChip MCS9904 four serial ports controller.[r242883, r243357, r244140]
The usb(4) driver now supports multi-TT mode operation, which can have one transaction translator for each downstream-facing port on a USB hub. This allows more bandwidth for isochronous FULL speed application connected through a High Speed USB HUB.[r235011]
[amd64, i386] The paravirtualized virtio(4) drivers have been added to GENERIC kernel. They include PCI frontend, net, block, balloon, and scsi drivers. The module files are virtio.ko, virtio_pci.ko, if_vtnet.ko, virtio_blk.ko, virtio_balloon.ko, and virtio_scsi.ko, respectively.[r239473, r247907, r247909]
driver now supports XHCI port routing on Intel 7 Series chipsets (Panther
Point) and Intel 8 Series chipsets (Lynx Point). A new
hw.usb.xhci.xhci_port_route has been
added for routing bitmap for switching EHCI ports to XHCI controller.[r242985]
The snd_hda(4) driver has been updated. It now supports and provides HDMI, new volume control, automatic recording source selection, runtime reconfiguration, more than 4 PCM devices on a controller, multichannel recording, additional playback/record streams, higher bandwidth, and more informative device names.[r236750, r236753]
The bce(4) network interface driver now supports remote PHYs, which allow the controller to perform MDIO type accesses to a remote transceiver by using message pages defined through MRBE (MultiRate Backplane Ethernet). This is found on machines such as the Dell PowerEdge M610 Blade.[r235819]
The fxp(4) network interface driver has been improved. It no longer causes an unnecessary media change on controller reconfiguration, such as a promiscuous mode change, which led to an extra link reestablishment.[r233502]
The igb(4) network interface driver now attempts to attach as many CPUs as possible to each queue. If the number of CPUs is greater than or equal to the number of queues, all queues are bound to different CPUs.[r235616]
The ipheth(4) driver now supports Apple iPhone 5 tethering mode.[r242279]
The u3g(4) driver now supports Qualcomm Vertex Wireless 110L modem, Qualcomm 3G modem, Qualcomm Vertex VW110L modem, SIMCom SIM5218, and Huawei K4505, K3770, E3131, E392, E3131, K3765, K4505, and ETS2055 3G modems.[r232875, r235012, r243655]
The table argument in the ipfw(4) packet filter rule syntax now supports IP address, interface name, port number, and jail ID. The following syntax is valid:
skipto tablearg ip from any to any via table(42) in
The IP_RECVTOS socket option has been implemented. When it is set, each received UDP/IPv4 packet is accompanied by a cmsg of type IP_RECVTOS which contains the TOS byte. This allows access to the ECN bits in a protocol on top of UDP.[r247944]
A bug in FreeBSD IPv6 stack has been fixed. It could cause a vlan(4) pseudo network interface to get the EUI64 part in an autoconfigured IPv6 address from an unrelated Ethernet interface on the system.[r233112]
The FreeBSD IPv6 stack now treats packets that carry a Fragment Header with both the Fragment Offset and the M bit set to 0, and so are not actually fragments, as regular (non-fragment) packets. For more detail, see Internet Draft draft-gont-6man-ipv6-atomic-fragments.[r238495]
A bug which could cause a system panic in the multicast routing in kernel with
VIMAGE kernel option has been fixed. This option is
disabled in GENERIC kernel.[r233605]
network driver now allows the configuration of which layers are used for the load
balance hash calculation. It can be set in ifconfig
lagghash option in a comma-separated list. The default value is
lagghash l2,l3,l4. For more detail, see
The ng_netflow(4) netgraph(4) node and flowctl(8) utility now support NetFlow version 9. A new export9 hook has been added for NetFlow v9 data. Note that data export can be done simultaneously in both version 5 and version 9.[r238619, r238620]
A loader tunable
net.fibs now supports specifying
the number of routing tables. The
kernel option can still be used to set the default number of routing tables.[r235104]
SO_PROTOCOL and SO_PROTOTYPE socket options have been added. These are socket-level options to get the protocol number, as found in Linux or Solaris. For more detail, see the setsockopt(2) manual page.[r232819]
now creates symbolic links for backward compatibility when
ATA_CAM kernel option is enabled. In a kernel with
ATA_CAM, an ATA/SATA disk is recognized as a device node with
a name ada0 instead of ad0. A symbolic link /dev/ad0 is
automatically generated for /dev/ada0 to keep backward
compatibility. This symbolic link generation can be controlled by a
kern.cam.ada.legacy_aliases (enabled by default when
ATA_CAM is set).[r234912]
tunables to set initial SATA revision for the specific device. The tunable name is
hint.ata.busnum.devdevnum.sata_rev for a device devnum on a bus busnum, or
hint.ata.busnum.sata_rev for all devices on a bus busnum. The valid values are 1, 2, and 3,
which correspond to 1.5 Gbps, 3 Gbps, and 6 Gbps.[r243124]
kern.cam.pmp.hide_special has been added.
This controls whether special PMP ports such as PMP (Port MultiPlier)
configuration or SEMB (SATA Enclosure Management Bridge) will be exposed or hidden.
The default value is 1 (hidden).[r236766]
The cam(4) driver now uses the READ CAPACITY(16) SCSI command to get device information by default when possible. This makes it possible to detect whether Logical Block Provisioning (also known as TRIM or UNMAP) in the SBC-3 (SCSI Block Commands-3) Specification is supported on the device.[r232942, r236804]
The mps(4) driver has been updated to version 14.00.00.01-fbsd. This now supports Integrated RAID, WarpDrive controllers, WRITE12 and READ12 for direct I/O, SCSI protection information (EEDP), Transport Level Retries (TLR) for tape drives, and LSI's userland utility.[r237877]
The MULTIPATH geom(4) class has been updated. It now supports Active/Active mode, Active/Read mode as hybrid of Active/Active and Active/Passive, keeping a failed path without removing the geom provider, manual configuration without on-disk metadata, and add, remove, fail, restore, configure subcommands in the gmultipath(8) utility to manage the configured paths.[r234917]
The PART_LDM geom(4) class has been added. This partition scheme has support for Logical Disk Manager, which is also known as dynamic volumes in Microsoft Windows NT. Note that JBOD, RAID0, and RAID5 volumes are not supported yet.[r234407]
now supports the DDF metadata format, which is defined in the SNIA Common RAID Disk
Data Format Specification v2.0. It can read non-degraded
RAID4/5/5E/5EE/5R/6/MDF volumes. An
-o option in
can be used to specify byte order for the DDF metadata.[r235875]
The RAID geom(4) class now partially supports Intel Rapid Recover Technology (Intel RRT). It is similar to RAID1, but with dedicated master and recovery disks and manual control over synchronization. It allows the recovery disk to be used as a snapshot of the master disk from the time of the last sync.[r246170]
kern.geom.raid.enable is to control on-disk metadata
recognition in a systemwide basis. When it is set to 1, it
is enabled (the default value is 1).
are similar variables to control enable/disable of specific metadata or
transformation modules. The valid keywords for
format are raid0,
raid1, raid1e, raid5, and concat.[r240554, r240556]
which could cause mounting a FAT32 filesystem to fail, create a broken directory
entry in a FAT32 filesystem, and prevent
async mount option from working, have been fixed.[r246547, r246548, r246550]
Bugs in the FreeBSD NFS subsystem have been fixed. They could cause stale name cache entries on an NFS client.[r233286]
A memory leak when a ZFS volume is exported via the FreeBSD NFS (newnfs) server has been fixed. Note that oldnfs is used as the default NFS implementation in GENERIC kernel.[r236147]
FreeBSD NFS subsystem now supports a timeout parameter on positive name cache entries on the NFS client side. nametimeo mount option has been added to specify the timeout. The default value is 60 seconds, and one can disable the positive name caching by setting it to 0.[r233327]
A workaround has been implemented in the FreeBSD NFS subsystem to handle a reply to an NFS create RPC which does not include file attributes under certain circumstances. This improves interoperability between non-FreeBSD NFS servers and FreeBSD NFS clients.[r235417]
A bug in exports(5) handling in FreeBSD NFS subsystem has been fixed. It could cause an unintended security configuration when there are multiple export entries with different security flavors.[r241348]
FreeBSD ZFS subsystem has been updated to support feature flags for ZFS pools
(the SPA version is 5000). Asynchronous destroy of ZFS dataset, LZ4
compression, ZIO NOP-write optimization have been implemented as new features.
vfs.zfs.nopwrite_enabled have been added.[r243717, r244088, r247310]
Note that this upgrade can cause interoperability issues when upgrading a FreeBSD 8.4 system to 9.0 or 9.1. This is because FreeBSD 9.0 and 9.1 support SPA version 28 and do not recognize version 5000. To mitigate this issue, the default SPA version for a newly created ZFS pool on FreeBSD 8.4 is set to version 28. To create a ZFS pool with version 5000, use the zpool(8) upgrade command after creating the pool.
A bug in ZFS subsystem which could cause a system panic when importing a ZFS pool has been fixed.[r246578]
The crontab(1) utility now waits for a second before updating the spool directory's mtime. It could happen that the modified crontab updated the mtime of the spool directory, and then crontab(1) utility updated the mtime again within a second. In this case, the crontab database is not updated properly.[r239877]
ruleset=number mount option and updating
the existing mount by using
-u flag in the
utility. This new option sets the specified ruleset number as the active ruleset of
the new devfs mount and applies all its rules at mount time. If the specified
ruleset doesn't exist, a new empty ruleset is created.[r233867]
The libedit library has been updated to a NetBSD snapshot as of 28 December, 2009.[r237739]
The libpmc library has been updated to support more PMCs (Performance Monitoring Counters) in Intel Core i7 and Xeon 5500 family based on Intel documentation as of October 2011. Specifically, DTLB_MISSES.PDE_MISS and DTLB_MISSES.LARGE_WALK_COMPLETED have been added.[r234045]
A bug in the libutil library has been fixed. It
could prevent configuration of
capability in /etc/login.conf (LOGIN_SETPRIORITY in
setusercontext(3) function) from working when the
password is not set.[r233153]
module now supports
return_prog_exit_status. When this
option is enabled, the program exit status is used as the
return code. It allows the program to tell why the step failed (user unknown, for
utility now supports a
-e flag to display PCI error
details in listing mode. When this is specified, the status of any error bits
in the PCI status register and PCI-express device status register will be displayed.
It also lists any errors indicated by version 1 of PCI-express Advanced Error
A bug in the remquo(3) functions where the quotient did not always have the correct sign when the remainder was 0, and another bug that the remainder and quotient were both off by a bit in certain cases involving subnormal remainders, have been fixed. Note that these bugs affected all platforms except amd64 and i386.[r234534]
The tcpdrop(8) utility now allows addresses and ports to be separated by a colon or period rather than a space to permit directly pasting the output of commands such as netstat and sockstat on the command line.[r247563]
The rc.d scripts now print the filename of the running script to standard error when SIGINFO is issued. Previously this message was sent to standard output, which could prevent redirection from working.[r232549]
The rc.d/jail script now supports a
jail_parameters variable to specify extra parameters for
AWK has been updated to 20121220.[r246374]
ISC BIND has been updated to version 9.8.4-P2.[r248807]
BZIP2 has been updated to version 1.0.6.[r247448]
libexpat has been updated to version 2.1.0.[r247514]
netcat has been updated to a version as of OpenBSD 5.2.[r243819]
OpenSSH has been updated to version 6.1.[r247521]
OpenSSL has been updated to version 0.9.8y.[r248057]
sendmail has been updated to version 8.14.7.[r250167]
The timezone database has been updated to tzdata2012j release.[r243006]
XZ has been updated to version 5.0.4.[r245129]
The pkg(8) command has been added. This is used as a bootstrap tool for ports-mgmt/pkg in the Ports Collection.[r239563]
The supported version of the KDE desktop environment (x11/kde4) has been updated from 4.7.4 to 4.10.1.
[amd64, i386] Upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the freebsd-update(8) utility. The binary upgrade procedure will update unmodified userland utilities, as well as unmodified GENERIC kernel distributed as a part of an official FreeBSD release. The freebsd-update(8) utility requires that the host being upgraded has Internet connectivity.
An older form of binary upgrade is supported through the Upgrade option from the main sysinstall(8) menu on CDROM distribution media. This type of binary upgrade may be useful on non-i386, non-amd64 machines or on systems with no Internet connectivity.
Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in /usr/src/UPDATING.
Important: Upgrading FreeBSD should, of course, only be attempted after backing up all data and configuration files.
This file, and other release-related documents, can be downloaded from ftp://ftp.FreeBSD.org/.
For questions about FreeBSD, read the documentation before contacting <questions@FreeBSD.org>.
For questions about this documentation, e-mail <doc@FreeBSD.org>.