FreeBSD 8.3-RELEASE Release Notes

The FreeBSD Project

Copyright (c) 2012 The FreeBSD Documentation Project

$FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/article.sgml,v 1.1101.2.29.2.4 2012/04/09 04:44:39 hrs Exp $

FreeBSD is a registered trademark of the FreeBSD Foundation.

IBM, AIX, EtherJet, Netfinity, OS/2, PowerPC, PS/2, S/390, and ThinkPad are trademarks of International Business Machines Corporation in the United States, other countries, or both.

IEEE, POSIX, and 802 are registered trademarks of Institute of Electrical and Electronics Engineers, Inc. in the United States.

Intel, Celeron, EtherExpress, i386, i486, Itanium, Pentium, and Xeon are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

SPARC, SPARC64, SPARCengine, and UltraSPARC are trademarks of SPARC International, Inc in the United States and other countries. SPARC International, Inc owns all of the SPARC trademarks and under licensing agreements allows the proper use of these trademarks by its members.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this document, and the FreeBSD Project was aware of the trademark claim, the designations have been followed by the "(TM)" or the "(R)" symbol.

The release notes for FreeBSD 8.3-RELEASE contain a summary of the changes made to the FreeBSD base system on the 8.2-STABLE development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented.
--------------------------------------------------------------

Table of Contents

1 Introduction
2 What's New
  2.1 Security Advisories
  2.2 Kernel Changes
    2.2.1 Hardware Support
    2.2.2 Network Protocols
    2.2.3 Disks and Storage
    2.2.4 File Systems
  2.3 Userland Changes
  2.4 Contributed Software
  2.5 Ports/Packages Collection Infrastructure
3 Upgrading from previous releases of FreeBSD

1 Introduction

This document contains the release notes for FreeBSD 8.3-RELEASE. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD.

This distribution of FreeBSD 8.3-RELEASE is a release distribution. It can be found at ftp://ftp.FreeBSD.org/ or any of its mirrors. More information on obtaining this (or other) release distributions of FreeBSD can be found in the "Obtaining FreeBSD" appendix to the FreeBSD Handbook.

All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with "late-breaking" information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD 8.3-RELEASE can be found on the FreeBSD Web site.

--------------------------------------------------------------

2 What's New

This section describes the most user-visible new or changed features in FreeBSD since 8.2-RELEASE. Typical release note items document recent security advisories issued after 8.2-RELEASE, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.
--------------------------------------------------------------

2.1 Security Advisories

Problems described in the following security advisories have been fixed. For more information, consult the individual advisories available from http://security.FreeBSD.org/.

Advisory            Date               Topic
SA-11:01.mountd     20 April 2011      Network ACL mishandling in mountd(8)
SA-11:02.bind       28 May 2011        BIND remote DoS with large RRSIG RRsets and negative caching
SA-11:04.compress   28 September 2011  Errors handling corrupt compress file in compress(1) and gzip(1)
SA-11:05.unix       28 September 2011  Buffer overflow in handling of UNIX socket addresses
SA-11:06.bind       23 December 2011   Remote packet Denial of Service against named(8) servers
SA-11:07.chroot     23 December 2011   Code execution via chrooted ftpd
SA-11:08.telnetd    23 December 2011   telnetd code execution vulnerability
SA-11:09.pam_ssh    23 December 2011   pam_ssh improperly grants access when user account has unencrypted SSH private keys
SA-11:10.pam        23 December 2011   pam_start() does not validate service names

--------------------------------------------------------------

2.2 Kernel Changes

[amd64, i386] The FreeBSD dtrace(1) framework now supports systrace for the linux32 and freebsd32 system calls on FreeBSD/amd64. Two new kernel modules, systrace_linux32 and systrace_freebsd32, provide tracing of these compat system calls in addition to the native system call tracing provided by the systrace module.[r219107]

The hhook(9) (Helper Hook) and khelp(9) (Kernel Helpers) KPIs have been implemented. These are a kind of superset of the pfil(9) framework for more general use in the kernel. The hhook(9) KPI provides a way for kernel subsystems to export hook points that khelp(9) modules can hook to provide enhanced or new functionality to the kernel. The khelp(9) KPI provides a framework for managing khelp(9) modules, which indirectly use the hhook(9) KPI to register their hook functions with hook points of interest within the kernel.
These provide a structured way to extend the kernel dynamically at runtime in an ABI-preserving manner.[r222406]

[amd64, i386, pc98] A loader(8) tunable hw.memtest.tests has been added. It controls whether a memory test is performed at boot time. The default value is 1 (perform the memory test).[r230282]

The open(2) and fhopen(2) system calls now support the O_CLOEXEC flag, which sets the FD_CLOEXEC flag on the newly created file descriptor as part of the same call. This flag is standardized in IEEE Std 1003.1-2008 (POSIX, Single UNIX Specification Version 4).[r220241]

The posix_fallocate(2) system call has been implemented. This POSIX function ensures that part of the storage for regular file data is allocated on the file system's storage media.[r227573]

The posix_fadvise(2) system call has been implemented. This POSIX function is similar to madvise(2) except that it operates on a file descriptor instead of a memory region.[r229725]

--------------------------------------------------------------

2.2.1 Hardware Support

The FreeBSD usb(4) subsystem now supports a USB packet filter. This allows capturing the packets that pass through each USB host controller. The implementation is largely based on the bpf(4) code.
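The O_CLOEXEC flag described under 2.2 above closes the window between open(2) and a separate fcntl(2) F_SETFD call, during which another thread's fork and exec could hand the new descriptor to a child that should never see it. The following program is an added example, not code from the release notes or the FreeBSD source tree: it opens /dev/null once with and once without O_CLOEXEC, checks the FD_CLOEXEC flag on each, then forks a child that execs /bin/sh and tries to write through the inherited descriptor number. The child's exit status shows which descriptor survived the exec. It assumes a POSIX system with /dev/null and /bin/sh (FreeBSD 8.3 or later, or Linux).

```c
/* Added example: why O_CLOEXEC matters for descriptor inheritance.
 * Not from the release notes or the FreeBSD source tree.  Assumes a
 * POSIX system with /dev/null and /bin/sh. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if FD_CLOEXEC is set on fd, 0 if not, -1 if fd is invalid. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/*
 * Open /dev/null for writing.  With cloexec != 0 the descriptor is marked
 * close-on-exec by open(2) itself, so there is no window between open(2)
 * and a later fcntl(F_SETFD) in which another thread's fork+exec could
 * inherit it.  Returns the descriptor or -1.
 */
int open_devnull(int cloexec)
{
    int flags = O_WRONLY;
    if (cloexec)
        flags |= O_CLOEXEC;
    return open("/dev/null", flags);
}

/*
 * Fork, exec /bin/sh in the child, and have it write through descriptor
 * number fd.  Returns the child's exit status: 0 means the descriptor was
 * inherited across exec, non-zero means the shell found it closed ("Bad
 * file descriptor").  Returns -1 if fork(2) or waitpid(2) fails.
 */
int child_can_write(int fd)
{
    char cmd[64];
    int status;
    pid_t pid;

    /* stderr is silenced first so the expected redirection error is quiet. */
    snprintf(cmd, sizeof cmd, "echo leaked 2>/dev/null >&%d", fd);
    pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                    /* exec failed */
    }
    if (waitpid(pid, &status, 0) == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Runs both cases; returns 0 if they behave as described, 1 otherwise. */
int demo(void)
{
    int plain = open_devnull(0);
    int safe = open_devnull(1);
    int ok;

    if (plain == -1 || safe == -1)
        return 1;
    ok = has_cloexec(plain) == 0 && child_can_write(plain) == 0 &&
         has_cloexec(safe) == 1 && child_can_write(safe) != 0;
    printf("plain fd %d: FD_CLOEXEC=%d, child exit status=%d\n",
           plain, has_cloexec(plain), child_can_write(plain));
    printf("O_CLOEXEC fd %d: FD_CLOEXEC=%d, child exit status=%d\n",
           safe, has_cloexec(safe), child_can_write(safe));
    close(plain);
    close(safe);
    return ok ? 0 : 1;
}

int main(void)
{
    return demo();
}
```

The plain descriptor is inherited and the child's write succeeds (exit status 0); the O_CLOEXEC descriptor is gone after exec, so the shell's redirection fails and the child exits non-zero. Setting FD_CLOEXEC with fcntl(2) after open(2) gives the same end state but not atomically, which is why the flag was added to open(2) and fhopen(2).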
The usbdump(8) utility has been added to capture USB packets with this filter.[r221174]

--------------------------------------------------------------

2.2.1.1 Network Interface Support

The cxgb(4) driver has been updated to version 7.11.0.[r220340]

A cxgbe(4) driver for Chelsio T4 (Terminator 4) based 10Gb/1Gb adapters has been added.[r219633]

[i386] The dc(4) driver now works correctly in kernels with the PAE option.[r220072]

The em(4) driver has been updated to version 7.3.2.[r230848]

The igb(4) driver has been updated to version 2.3.1.[r230848]

The igb(4) driver now supports Intel I350 PCIe Gigabit Ethernet controllers.[r230848]

The ixgbe(4) driver has been updated to version 2.4.5.[r230924]

Firmware images in the iwn(4) driver for 1000, 5000, 6000, and 6500 series cards have been updated.[r223255]

The msk(4) driver now supports RX checksum offloading for Yukon EC, Yukon Ultra, Yukon FE, and Yukon Ultra2. Checksum offloading for Yukon XL remains disabled due to a known silicon bug.[r223394]

A bug in the nfe(4) driver which could prevent reinitialization after changing the MTU has been fixed.[r218872]

An rdcphy(4) driver for the RDC Semiconductor R6040 10/100 PHY has been added.[r218294]

The re(4) driver now supports RTL8168E/8111E-VL PCIe Gigabit Ethernet controllers and RTL8401E PCIe Fast Ethernet controllers.[r218901, r219116]

The re(4) driver now supports TX interrupt moderation on RTL810xE PCIe Fast Ethernet controllers.[r218905]

The re(4) driver now supports another mechanism for RX interrupt moderation because of performance problems. A sysctl(8) variable dev.re.N.int_rx_mod has been added to control the amount of time, in microseconds, by which RX interrupt processing is delayed. Setting it to 0 completely disables RX interrupt moderation. A loader(8) tunable hw.re.intr_filter controls whether the old mechanism, which uses the MSI/MSI-X capability on supported controllers, is used. When set to a non-zero value, the re(4) driver uses the old mechanism.
The default value is 0, and this tunable has no effect on controllers without MSI/MSI-X capability.[r219110]

The re(4) driver now supports TSO (TCP Segmentation Offload) on RealTek RTL8168/8111 C or later controllers. Note that this is disabled by default because broken frames can be sent under certain conditions.[r218897]

The re(4) driver now supports enabling TX and RX checksum offloading independently of each other. Note that TX IP checksum offloading is disabled on some RTL8168C-based network interfaces because it can generate an incorrect IP checksum when the packet contains IP options.[r218899, r219114]

The re(4) driver now supports RTL8105E PCIe Fast Ethernet controllers.[r229530]

A vte(4) driver for RDC R6040 Fast Ethernet controllers, which are commonly found on the Vortex86 System On a Chip, has been added.[r218296]

--------------------------------------------------------------

2.2.2 Network Protocols

ipfw(8) now supports the call and return actions. Upon a call number action, the current rule number is saved on an internal stack and ruleset processing continues with the first rule numbered number or higher. The return action takes the rule number saved on the internal stack by the latest call action and returns ruleset processing to the first rule with a number greater than that saved number.[r230575]

FreeBSD's ipsec(4) support now uses half of the hash size as the authenticator length in Hashed Message Authentication Mode (HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512), as described in RFC 4868. Prior releases used a fixed 96-bit length because the implementation was based on the old Internet draft draft-ietf-ipsec-ciph-sha-256-00. Note that this means 8.3-RELEASE and later are no longer interoperable with older FreeBSD releases.[r221157]

A bug in the IPV6_PKTINFO option used with sendmsg(2) has been fixed.
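A ruleset using the ipfw(8) call and return actions described above, added here as an example rather than taken from the release notes or the FreeBSD source; the interface name em0, the addresses (the RFC 5737 documentation prefix 192.0.2.0/24) and the rule numbers are constructed for illustration. Rule 100 calls the shared anti-spoofing checks at 1000 and up; when rule 1999 returns, processing resumes at the first rule numbered above 100, which is rule 200.

```text
# Added example ruleset for ipfw(8) call/return (constructed, not from the
# release notes).  em0 and 192.0.2.0/24 are placeholders for the outside
# interface and the locally owned prefix.

add 50   check-state
# Every packet arriving on em0 runs the shared checks at 1000-1999 first.
add 100  call 1000 ip from any to any in via em0
# Returning from that block resumes here, at the first rule numbered > 100.
add 200  allow tcp from any to 192.0.2.10 22 in via em0 setup keep-state
add 300  deny log ip from any to any in via em0

# Shared ingress sanity checks: sources that must never arrive from outside.
add 1000 deny log ip from 192.0.2.0/24 to any
add 1010 deny log ip from 127.0.0.0/8 to any
add 1020 deny log ip from 10.0.0.0/8 to any
# Pop the rule number saved by the call (100) and continue after it.
add 1999 return

add 65000 allow ip from any to any
```

Saved to a file, these lines are loaded with ipfw -q followed by the file name; the same block can then be reused from other entry points (for instance a second call rule for another interface) without duplicating the checks.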
Previously, the IPV6_USE_MIN_MTU state set by setsockopt(2) was ignored when IPV6_PKTINFO was used with sendmsg(2).[r232560]

The FreeBSD TCP/IP network stack now supports the mod_cc(9) pluggable congestion control framework. This allows TCP congestion control algorithms to be implemented as dynamically loadable kernel modules. The following kernel modules are available as of 8.3-RELEASE: cc_chd(4) for the CAIA-Hamilton-Delay algorithm, cc_cubic(4) for the CUBIC algorithm, cc_hd(4) for the Hamilton-Delay algorithm, cc_htcp(4) for the H-TCP algorithm, cc_newreno(4) for the NewReno algorithm, and cc_vegas(4) for the Vegas algorithm. The default algorithm can be set by a new sysctl(8) variable net.inet.tcp.cc.algorithm. The value must be one of the names listed by net.inet.tcp.cc.available; newreno is the default set at boot time. For more detail, see the mod_cc(4) and mod_cc(9) manual pages.[r222401, r222402, r222403, r222404, r222406, r222407, r222408, r222409, r222411, r222412, r222413, r222419, r225738]

An h_ertt(4) (Enhanced Round Trip Time) khelp(9) module has been added. This module provides per-connection, low-noise estimates of the instantaneous RTT in the TCP/IP network stack, with an implementation that remains robust even when delayed acknowledgments and/or TSO (TCP Segmentation Offload) are in use for a connection.[r222410]

A new tcp(4) socket option TCP_CONGESTION has been added. It allows selecting or querying the congestion control algorithm that the TCP/IP network stack will use for connections on the socket.[r222401]

The ng_ipfw(4) netgraph(4) node now supports IPv6.[r225876]

The ng_one2many(4) netgraph(4) node now supports the XMIT_FAILOVER transmit algorithm. With it, packets are delivered out of the first active many hook.[r219660]

--------------------------------------------------------------

2.2.3 Disks and Storage

The ada(4) driver now supports write cache control. A new sysctl(8) variable kern.cam.ada.write_cache determines whether the write cache of ada(4) devices is enabled.
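The TCP_CONGESTION socket option from 2.2.2 above takes and returns the algorithm name as a string, so a program can check which cc_*(4) module a socket will use and pin a specific one per socket. The following is an added example, not code from the release notes or the FreeBSD source: it wraps getsockopt(2) and setsockopt(2) with TCP_CONGESTION, reports the default algorithm of a fresh socket, and shows that a name the kernel does not know is rejected. The CC_NAME_MAX buffer size is an assumption. It assumes an OS that defines TCP_CONGESTION in <netinet/tcp.h>; FreeBSD 8.3 and Linux both do, though their algorithm names differ (newreno on FreeBSD, for instance, versus reno on Linux), and on FreeBSD a name is accepted only if it appears in net.inet.tcp.cc.available.

```c
/* Added example for the TCP_CONGESTION socket option; not from the release
 * notes or the FreeBSD source.  Assumes TCP_CONGESTION in <netinet/tcp.h>. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumed buffer size for algorithm names; ample for newreno, cubic, htcp, ... */
#define CC_NAME_MAX 32

/* Read the algorithm name bound to sock into name[len].  Returns 0, or -1 with errno set. */
int tcp_cc_get(int sock, char *name, size_t len)
{
    socklen_t optlen = (socklen_t)len;
    memset(name, 0, len);
    if (getsockopt(sock, IPPROTO_TCP, TCP_CONGESTION, name, &optlen) == -1)
        return -1;
    name[len - 1] = '\0';            /* terminate whatever the kernel wrote */
    return 0;
}

/* Bind sock to the named algorithm.  Returns 0, or -1 with errno set when the
 * kernel does not offer that name (module not loaded, or name unknown). */
int tcp_cc_set(int sock, const char *name)
{
    return setsockopt(sock, IPPROTO_TCP, TCP_CONGESTION,
                      name, (socklen_t)strlen(name));
}

/* Copy the algorithm a fresh TCP socket gets (the system default) into out.
 * Returns 0, or -1 if no socket could be created or the option is unsupported. */
int tcp_cc_default(char *out, size_t len)
{
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    int rc;
    if (sock == -1)
        return -1;
    rc = tcp_cc_get(sock, out, len);
    close(sock);
    return rc;
}

/* 1 if a fresh socket reports a non-empty algorithm name, 0 if empty, -1 on error. */
int tcp_cc_default_known(void)
{
    char name[CC_NAME_MAX];
    if (tcp_cc_default(name, sizeof name) == -1)
        return -1;
    return name[0] != '\0';
}

/* 1 if the kernel accepts name on a new socket, 0 if it rejects it, -1 if no socket. */
int tcp_cc_name_accepted(const char *name)
{
    int sock = socket(AF_INET, SOCK_STREAM, 0);
    int rc;
    if (sock == -1)
        return -1;
    rc = tcp_cc_set(sock, name) == 0 ? 1 : 0;
    close(sock);
    return rc;
}

int main(void)
{
    char name[CC_NAME_MAX];
    if (tcp_cc_default(name, sizeof name) == -1) {
        perror("TCP_CONGESTION");
        return 1;
    }
    printf("default congestion control: %s\n", name);
    printf("select \"%s\": %s\n", name,
           tcp_cc_name_accepted(name) == 1 ? "accepted" : "rejected");
    printf("select \"no-such-cc\": %s\n",
           tcp_cc_name_accepted("no-such-cc") == 1 ? "accepted" : "rejected");
    return 0;
}
```

Because the option is per socket, a daemon can pin a delay-based algorithm such as cc_vegas(4) for one listener without touching net.inet.tcp.cc.algorithm for the rest of the system; the setsockopt(2) failure path is the place to fall back to the default when the requested module is not loaded.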
Setting kern.cam.ada.write_cache to 1 enables the write cache, 0 disables it, and -1 leaves the device default behavior. The sysctl(8) variables kern.cam.ada.N.write_cache can override the configuration on a per-device basis (their default value is -1, which means to use the global setting). Note that the value can be changed at runtime, but it takes effect only after a device reset.[r220841]

The arcmsr(4) driver has been updated to version 1.20.00.22.[r224991]

The graid(8) GEOM class has been added. It is a replacement for the ataraid(4) driver and supports various kinds of BIOS-based software RAID.[r223177]

The mxge(4) driver has been updated.[r224235]

A tws(4) driver for 3ware 9750 SATA+SAS 6Gb/s RAID controllers has been added.[r226243]

--------------------------------------------------------------

2.2.4 File Systems

The FreeBSD Fast File System now supports the TRIM command when freeing data blocks. A new flag, -t, in the newfs(8) and tunefs(8) utilities sets the TRIM-enable flag for a file system. The TRIM-enable flag makes the file system send a delete request to the underlying device for each freed block. The TRIM command is specified as a Data Set Management Command in the ATA8-ACS2 standard; it conveys information about deleted data blocks to a device, which is useful especially for an SSD (Solid-State Drive) as an optimization.[r218079]

A new flag, -E, has been added to the newfs(8) and fsck_ffs(8) utilities. It clears unallocated blocks, notifying the underlying device that they are not used and that their contents may be discarded. This is useful in fsck_ffs(8) for file systems which have been mounted on systems without TRIM support, or with TRIM support disabled, as well as for file systems which have been copied from one device to another.[r225296]

The FreeBSD NFS subsystem now supports a nocto mount option. It disables the close-to-open cache coherency check at open time. This option may improve performance for read-only mounts, but should be used only if the data on the server changes rarely.
The mount_nfs(8) utility also accepts nocto as an option keyword.[r221759]

A loader(8) tunable vfs.typenumhash has been added. Setting it to 1 enables the use of a hash calculation for the file system identification numbers used internally by the kernel. This fixes the "Stale NFS file handle" error seen on NFS clients when the kernel on the NFS server is upgraded or rebuilt, which is caused by unexpected changes in these identification numbers. Note that it is set to 0 (disabled) by default for backward compatibility.[r226926]

The FreeBSD ZFS subsystem has been updated to SPA (Storage Pool Allocator, also known as zpool) version 28. It now supports data deduplication, triple-parity RAIDZ (raidz3), snapshot holds, log device removal, zfs diff, zpool split, zpool import -F, and read-only zpool import.[r222741]

--------------------------------------------------------------

2.3 Userland Changes

The bsdtar(1) and cpio(1) utilities are now based on libarchive version 2.8.5.[r229589]

The cpuset(1) utility now supports a -C flag to create a new cpuset and assign an existing process to that set, and an all keyword in the -l cpu-list option to specify all CPUs in the system.[r218033]

A bug in the fetch(1) utility which could prevent the STAT FTP command from working properly has been fixed.[r221764]

The gpart(8) utility now supports a -p flag to the show subcommand. It shows the provider names of partitions instead of the partition indexes.[r219861]

The hastd(8) utility now drops root privileges of the worker processes to the hast user.[r220104]

The hastd(8) utility now supports a checksum keyword to specify the checksum algorithm in a resource section. As of 8.3-RELEASE, none, sha256, and crc32 are supported.[r220104]

The hastd(8) utility now supports a compression keyword to specify the compression algorithm in a resource section.
As of 8.3-RELEASE, the supported compression algorithms are none, hole, and lzf.[r220104]

The hastd(8) utility now supports a source keyword to specify the local address to bind to before connecting to the remote hastd(8) daemon.[r220104]

A readline(3) API set has been imported into libedit. It is based on NetBSD's implementation, and BSD-licensed utilities now use it instead of GNU libreadline.[r220612]

The makefs(8) utility now supports the ISO 9660 format.[r224447]

libmd and libcrypt now support the SHA-256 and SHA-512 algorithms.[r231588]

The netstat(1) utility no longer exposes the internal scope address representation used in the FreeBSD kernel, which is derived from the KAME IPv6 stack, in the output of netstat -ani and netstat -nr.[r219062]

The newsyslog(8) utility now supports xz(1) compression. An X flag in the optional field has been added to specify this compression.[r218911]

A poweroff(8) utility has been added. It is equivalent to:[r224259]

    # shutdown -p now

The ppp(8) utility now supports iface name name and iface description description commands. These have the same functionality as the name and description subcommands of the ifconfig(8) utility.[r224285]

The ps(1) utility now supports -o usertime and -o systime options to display accumulated system and user CPU time.[r219943]

The rtadvd(8) daemon now supports a noifprefix keyword to disable gathering on-link prefixes from interfaces when no addr keyword is specified. An entry in /etc/rtadvd.conf with noifprefix and no addr generates an RA message with no prefix information option.[r231802]

The rtadvd(8) daemon now supports the RDNSS and DNSSL options described in RFC 6106, "IPv6 Router Advertisement Options for DNS Configuration". An rtadvctl(8) utility to control the rtadvd(8) daemon has been added.[r231802]

A bug in the tftpd(8) daemon has been fixed. It had an interoperability issue when transferring a large file.[r227083]

The zpool(8) utility now supports a zpool labelclear command.
This allows wiping the label data from a drive that is not active in a pool.[r229570]

--------------------------------------------------------------

2.4 Contributed Software

awk has been updated to the 7 August 2011 release.

ISC BIND has been updated to version 9.6-ESV-R5-P1.

The netcat utility has been updated to version 4.9.

GNU GCC and libstdc++ have been updated to rev 127959 of gcc-4_2-branch (the last GPLv2-licensed version).[r221274]

The less program has been updated to version v444.[r223454]

OpenSSH has been updated to 5.4p1; an optimization for connections with a large bandwidth-delay product and support for the none cipher have also been merged.[r228152]

sendmail has been updated to version 8.14.5.[r223315]

The timezone database has been updated to the tzdata2011n release.[r226977]

The unifdef(1) utility has been updated to version 2.5.6.

The xz program has been updated from 5.0.0 to 5.0.1.[r219219]

--------------------------------------------------------------

2.5 Ports/Packages Collection Infrastructure

The supported version of the KDE desktop environment (x11/kde4) has been updated from 4.5.5 to 4.7.4.

--------------------------------------------------------------

3 Upgrading from previous releases of FreeBSD

[amd64, i386] Upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the freebsd-update(8) utility. The binary upgrade procedure will update unmodified userland utilities, as well as the unmodified GENERIC kernel distributed as part of an official FreeBSD release. The freebsd-update(8) utility requires that the host being upgraded has Internet connectivity.

An older form of binary upgrade is supported through the Upgrade option in the main sysinstall(8) menu on CDROM distribution media. This type of binary upgrade may be useful on non-i386, non-amd64 machines or on systems with no Internet connectivity.
Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in /usr/src/UPDATING.

Important: Upgrading FreeBSD should, of course, only be attempted after backing up all data and configuration files.

--------------------------------------------------------------

This file, and other release-related documents, can be downloaded from ftp://ftp.FreeBSD.org/.

For questions about FreeBSD, read the documentation before contacting . For questions about this documentation, e-mail .