FreeBSD/i386 4.8-RELEASE Release Notes

The FreeBSD Project

Copyright (c) 2000, 2001, 2002, 2003 by The FreeBSD Documentation Project

$FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml,v 1.22.2.346 2003/03/22 00:12:50 bmah Exp $

The release notes for FreeBSD 4.8-RELEASE contain a summary of the changes made to the FreeBSD base system since 4.7-RELEASE. Both changes for kernel and userland are listed, as well as applicable security advisories for the base system that were issued since the last release. Some brief remarks on upgrading are also presented.

----------------------------------------------------------------------

Table of Contents

1 Introduction
2 What's New
    2.1 Kernel Changes
        2.1.1 Processor/Motherboard Support
        2.1.2 Boot Loaders
        2.1.3 Network Interface Support
        2.1.4 Network Protocols
        2.1.5 Disks and Storage
        2.1.6 Filesystems
        2.1.7 PCCARD Support
        2.1.8 Multimedia Support
        2.1.9 Contributed Software
    2.2 Security Advisories
    2.3 Userland Changes
        2.3.1 Contributed Software
        2.3.2 Ports/Packages Collection
    2.4 Release Engineering and Integration
3 Upgrading from previous releases of FreeBSD

----------------------------------------------------------------------

1 Introduction

This document contains the release notes for FreeBSD 4.8-RELEASE on the i386 hardware platform. It describes new features of FreeBSD that have been added (or changed) since 4.7-RELEASE. It also provides some notes on upgrading from previous versions of FreeBSD.

This distribution of FreeBSD 4.8-RELEASE is a release distribution. It can be found at ftp://ftp.FreeBSD.org/ or any of its mirrors. More information on obtaining this (or other) release distributions of FreeBSD can be found in the ``Obtaining FreeBSD'' appendix in the FreeBSD Handbook.

----------------------------------------------------------------------

2 What's New

This section describes the most user-visible new or changed features in FreeBSD since 4.7-RELEASE.
Typical release note items document new drivers or hardware support, new commands or options, major bugfixes, or contributed software upgrades. Security advisories for the base system that were issued after 4.7-RELEASE are also listed.

----------------------------------------------------------------------

2.1 Kernel Changes

A new in-kernel cryptographic framework (see crypto(4) and crypto(9)) has been imported from OpenBSD. It provides a consistent interface to hardware and software implementations of cryptographic algorithms for use by the kernel and access to cryptographic hardware for user-mode applications. Hardware device drivers are provided to support hifn-based cards (hifn(4)) and Broadcom-based cards (ubsec(4)).

Initial support has been added for FireWire devices (see firewire(4)).

Support for the CanBe power management controller has been added.

The ubsa driver has been added to support the Belkin F5U103 (and compatible) USB-to-serial adaptors.

The uftdi(4) driver, to support FTDI USB-to-serial devices, has been added.

----------------------------------------------------------------------

2.1.1 Processor/Motherboard Support

FreeBSD now has rudimentary support for HyperThreading (HTT). SMP kernels with the HTT kernel option will detect and start up the logical processors on HTT-capable machines. The logical processors will be treated like additional physical processors for the purposes of process scheduling.

----------------------------------------------------------------------

2.1.2 Boot Loaders

The PC98 bootloader now has support for booting from SCSI MO media.

----------------------------------------------------------------------

2.1.3 Network Interface Support

The cm driver now supports IPX.

The nge(4) driver now supports network device polling(4).

----------------------------------------------------------------------

2.1.4 Network Protocols

A FAST_IPSEC kernel option now allows the IPsec implementation to use the kernel crypto(4) framework, along with its support for hardware cryptographic acceleration. More information can be found in the fast_ipsec(4) manual page.

    Note: The FAST_IPSEC and IPSEC options are mutually exclusive.

    Note: The FAST_IPSEC option is, at the moment, not compatible with IPv6 or the INET6 option.

A gre(4) driver, which can encapsulate IP packets using GRE (RFC 1701) or minimal IP encapsulation for Mobile IP (RFC 2004), has been added.

A bug in TCP NewReno, which caused premature exit from fast recovery with NewReno enabled, has been fixed.

The IP fragment reassembly code behaves more gracefully when receiving a large number of packet fragments (it is designed to be more resistant to fragment-based denial of service attacks).

----------------------------------------------------------------------

2.1.5 Disks and Storage

The ata(4) driver now supports accessing ATA devices as SCSI devices via the CAM layer and drivers (cd(4), da(4), st(4), and pass(4)). This feature requires device atapicam in the kernel configuration. More information can be found in atapicam(4).

The matcd(4) driver has been removed due to concerns over its licensing terms. These issues are being addressed and this driver may reappear in a future release of FreeBSD. (This removal actually occurred in 4.7-RELEASE, but was not mentioned in the release notes.)

The targ(4) driver has been rewritten and a new usermode has been added to /usr/share/examples/scsi_target that emulates a direct access device.

The trm driver has been added to support SCSI adapters using the Tekram TRM-S1040 SCSI chipset.

----------------------------------------------------------------------

2.1.6 Filesystems

----------------------------------------------------------------------

2.1.7 PCCARD Support

----------------------------------------------------------------------

2.1.8 Multimedia Support

----------------------------------------------------------------------

2.1.9 Contributed Software

IPFilter has been updated to 3.4.31.

----------------------------------------------------------------------

2.2 Security Advisories

Buffer overflows in kadmind(8) and k5admin have been corrected. More details can be found in security advisory FreeBSD-SA-02:40.

Multiple vulnerabilities in BIND have been fixed, as described in FreeBSD-SA-02:43.

A file descriptor leak in the fpathconf(2) system call, which could allow a local user to crash the system or cause a privilege escalation, has been fixed. More details can be found in security advisory FreeBSD-SA-02:44.

A remotely exploitable vulnerability in CVS has been corrected with the import of version 1.11.5. More details can be found in security advisory FreeBSD-SA-03:01.

A timing-based attack on OpenSSL, which could allow a very powerful attacker access to plaintext under certain circumstances, has been prevented via an upgrade to OpenSSL 0.9.7. See security advisory FreeBSD-SA-03:02 for more details.

The security and performance of the ``syncookies'' feature has been improved to decrease the chance of an attacker being able to spoof connections. More details are given in security advisory FreeBSD-SA-03:03.

A remotely-exploitable buffer overflow vulnerability in sendmail has been fixed by updating sendmail to version 8.12.8. For more details, see security advisory FreeBSD-SA-03:04.

A bounds-checking bug in the XDR implementation, which could allow a remote attacker to cause a denial-of-service, has been fixed. For more details see security advisory FreeBSD-SA-03:05.

Two recently-publicized flaws in OpenSSL have been corrected.
For more details, see security advisory FreeBSD-SA-03:06.

----------------------------------------------------------------------

2.3 Userland Changes

burncd(8) now accepts a value of max for its -s option to set the drive's maximum write speed.

cdcontrol(1) now supports a speed command to set the maximum speed to be used by the drive (the maximum possible speed can be selected by setting the speed to max).

The compat4x distribution now includes the libcrypto.so.2 and libssl.so.2 libraries from FreeBSD 4.7-RELEASE.

The fwcontrol(8) utility has been added to help users access and control the FireWire subsystem.

ftpd(8) now supports a -h option to disable printing any host-specific information, such as the ftpd(8) version or hostname, in server messages.

ftpd(8) now supports a -P option to specify a port on which to listen in daemon mode. The default data port number is now set to be one less than the control port number, rather than being hard-coded.

ftpd(8) now supports an extended format of the /etc/ftpchroot file. Please refer to the ftpchroot(5) manpage, which is now available, for details.

ftpd(8) now supports login directory pathnames that simultaneously specify a directory for chroot(2) and a directory to change to within the chrooted environment. The /./ separator is used for this purpose, as in other FTP daemons that have this feature. It may be used in both ftpchroot(5) and passwd(5).

The getconf(1) utility has been added. It prints the values of POSIX or X/Open path or system configuration variables.

ipfw(8) now supports enable and disable commands to control various aspects of the operation of ipfw(4) (including enabling and disabling the firewall itself). These provide a more convenient and visible interface than the existing sysctl variables.

make(1) now supports a -C flag to change to a given directory before building its target(s).

mount_nfs(8) now supports a -c option to avoid doing a connect(2) for UDP mount points.
This option must be used if the server does not reply to requests from the standard NFS port number 2049 or if it replies to requests using a different IP address (which can occur if the server is multi-homed). Setting the vfs.nfs.nfs_ip_paranoia sysctl to 0 will make this option the default.

newsyslog(8) now supports a W flag to force previously-started compression jobs for an entry (or group of entries specified with the G flag) to finish before beginning a new one. This feature is designed to prevent system overloads caused by starting several compression jobs on big files simultaneously.

The pathchk(1) utility, which checks pathnames for validity or portability between POSIX systems, has been added.

pw(8) can now add a user whose name ends with a $ character; this change is intended to help administration of Samba services.

rarpd(8) now accepts a -t flag to specify an alternative directory to /tftpboot.

The base64 capabilities of uuencode(1) and uudecode(1) can now be automatically enabled by invoking these utilities as b64encode(1) and b64decode(1) respectively.

The definitions of the standard file streams (stdin, stdout, and stderr) have changed so that they are no longer compile-time constants. Some older binaries may require updated 3.X compatibility libraries (for example, by setting COMPAT3X=yes for a buildworld/installworld).

----------------------------------------------------------------------

2.3.1 Contributed Software

BIND has been updated to version 8.3.4.

All of the bzip2 suite of applications is now installed in the base system (in particular, bzip2recover is now built and installed).

CVS has been updated to 1.11.5.

FILE has been updated to 3.41.

groff and its related utilities have been updated to FSF version 1.18.1.

Heimdal Kerberos has been updated to 0.5.1.

The ISC DHCP client has been updated to 3.0.1RC11.

libz has been updated to 1.1.4.

OpenSSH has been updated to 3.5p1.

OpenSSL has been updated to release 0.9.7a.
Among other features, this release includes support for AES and takes advantage of crypto(4) devices.

sendmail has been updated to version 8.12.8.

tcpdump has been updated to version 3.7.2.

The timezone database has been updated to the tzdata2002d release.

----------------------------------------------------------------------

2.3.2 Ports/Packages Collection

The one-line pkg-comment files have been eliminated from each port skeleton; their contents have been moved into each port's Makefile. This change reduces the disk space and inodes used by the ports tree.

----------------------------------------------------------------------

2.4 Release Engineering and Integration

The supported release of GNOME has been updated to 2.2.

The supported release of KDE has been updated to 3.1.

The supported release of XFree86 has been updated to 4.3.0.

----------------------------------------------------------------------

3 Upgrading from previous releases of FreeBSD

If you're upgrading from a previous release of FreeBSD, you generally will have three options:

  * Using the binary upgrade option of sysinstall(8). This option is perhaps the quickest, although it presumes that your installation of FreeBSD uses no special compilation options.

  * Performing a complete reinstall of FreeBSD. Technically, this is not an upgrading method, and in any case is usually less convenient than a binary upgrade, in that it requires you to manually backup and restore the contents of /etc. However, it may be useful in cases where you want (or need) to change the partitioning of your disks.

  * From source code in /usr/src. This route is more flexible, but requires more disk space, time, and technical expertise. More information can be found in the ``Using make world'' section of the FreeBSD Handbook. Upgrading from very old versions of FreeBSD may be problematic; in cases like this, it is usually more effective to perform a binary upgrade or a complete reinstall.

Please read the INSTALL.TXT file for more information, preferably before beginning an upgrade. If you are upgrading from source, please be sure to read /usr/src/UPDATING as well.

Finally, if you want to use one of various means to track the -STABLE or -CURRENT branches of FreeBSD, please be sure to consult the ``-CURRENT vs. -STABLE'' section of the FreeBSD Handbook.

    Important: Upgrading FreeBSD should, of course, only be attempted after backing up all data and configuration files.

----------------------------------------------------------------------

This file, and other release-related documents, can be downloaded from ftp://ftp.FreeBSD.org/.

For questions about FreeBSD, read the documentation before contacting .

All users of FreeBSD 4-STABLE should subscribe to the mailing list.

For questions about this documentation, e-mail .