Copyright © 2012 The FreeBSD Documentation Project
$FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/article.sgml,v
1.1101.2.29.2.4 2012/04/09 04:44:39 hrs Exp $
FreeBSD is a registered trademark of the FreeBSD Foundation.
IBM, AIX, EtherJet, Netfinity, OS/2, PowerPC, PS/2, S/390, and ThinkPad are trademarks of International Business Machines Corporation in the United States, other countries, or both.
IEEE, POSIX, and 802 are registered trademarks of Institute of Electrical and Electronics Engineers, Inc. in the United States.
Intel, Celeron, EtherExpress, i386, i486, Itanium, Pentium, and Xeon are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
SPARC, SPARC64, SPARCengine, and UltraSPARC are trademarks of SPARC International, Inc in the United States and other countries. SPARC International, Inc owns all of the SPARC trademarks and under licensing agreements allows the proper use of these trademarks by its members.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this document, and the FreeBSD Project was aware of the trademark claim, the designations have been followed by the " or the ® symbol.
The release notes for FreeBSD 8.3-RELEASE contain a summary of the changes made to the FreeBSD base system on the 8.2-STABLE development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented.
This document contains the release notes for FreeBSD 8.3-RELEASE. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD.
This distribution of FreeBSD 8.3-RELEASE is a release distribution. It can be found at ftp://ftp.FreeBSD.org/ or any of its mirrors. More information on obtaining this (or other) release distributions of FreeBSD can be found in the Obtaining FreeBSD appendix to the FreeBSD Handbook.
All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with late-breaking information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD 8.3-RELEASE can be found on the FreeBSD Web site.
This section describes the most user-visible new or changed features in FreeBSD since 8.2-RELEASE.
Typical release note items document recent security advisories issued after 8.2-RELEASE, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.
Problems described in the following security advisories have been fixed. For more information, consult the individual advisories available from http://security.FreeBSD.org/.
Advisory | Date | Topic |
---|---|---|
SA-11:01.mountd | 20 April 2011 |
Network ACL mishandling in mountd(8) |
SA-11:02.bind | 28 May 2011 |
BIND remote DoS with large RRSIG RRsets and negative caching |
SA-11:04.compress | 28 September 2011 |
Errors handling corrupt compress file in compress(1) and gzip(1) |
SA-11:05.unix | 28 September 2011 |
Buffer overflow in handling of UNIX socket addresses |
SA-11:06.bind | 23 December 2011 |
Remote packet Denial of Service against named(8) servers |
SA-11:07.chroot | 23 December 2011 |
Code execution via chrooted ftpd |
SA-11:08.telnetd | 23 December 2011 |
telnetd code execution vulnerability |
SA-11:09.pam_ssh | 23 December 2011 |
pam_ssh improperly grants access when user account has unencrypted SSH private keys |
SA-11:10.pam | 23 December 2011 |
|
[amd64, i386] The FreeBSD dtrace(1) framework now supports systrace for system calls of linux32 and freebsd32 on FreeBSD/amd64. Two new systrace_linux32 and systrace_freebsd32 kernel modules provide support for tracing compat system calls in addition to the native system call tracing provided by the systrace module.[r219107]
The hhook(9) (Helper Hook) and khelp(9) (Kernel Helpers) KPIs have been implemented. These are a kind of superset of pfil(9) framework for more general use in the kernel. The hhook(9) KPI provides a way for kernel subsystems to export hook points that khelp(9) modules can hook to provide enhanced or new functionality to the kernel. The khelp(9) KPI provides a framework for managing khelp(9) modules, which indirectly use the hhook(9) KPI to register their hook functions with hook points of interest within the kernel. These allow a structured way to dynamically extend the kernel at runtime in an ABI preserving manner.[r222406]
[amd64, i386, pc98] A
loader(8)
tunable hw.memtest.tests
has been added. This controls
whether to perform memory testing at boot time or not. The default value is 1 (perform a memory test).[r230282]
The open(2) and fhopen(2) system calls now support the O_CLOEXEC flag, which allows setting the FD_CLOEXEC flag for the newly created file descriptor. This is standardized in IEEE Std 1003.1-2008 (POSIX, Single UNIX Specification Version 4).[r220241]
The posix_fallocate(2) system call has been implemented. This is a function in POSIX to ensure that a part of the storage for regular file data is allocated on the file system storage media.[r227573]
The posix_fadvise(2) system call has been implemented. This is a function in POSIX similar to madvise(2) except that it operates on a file descriptor instead of a memory region.[r229725]
The FreeBSD usb(4) subsystem now supports USB packet filter. This allows to capture packets which go through each USB host controller. The implementation is almost based on bpf(4) code. The userland program usbdump(8) has been added.[r221174]
The cxgb(4) driver has been updated to version 7.11.0.[r220340]
A cxgbe(4) driver for Chelsio T4 (Terminator 4) based 10Gb/1Gb adapters has been added.[r219633]
[i386] The
dc(4) driver
now works correctly in kernels with the PAE
option.[r220072]
The em(4) driver has been updated to version 7.3.2.[r230848]
The igb(4) driver has been updated to version 2.3.1.[r230848]
The igb(4) driver now supports Intel I350 PCIe Gigabit Ethernet controllers.[r230848]
The ixgbe(4) driver has been updated to version 2.4.5.[r230924]
Firmware images in the iwn(4) driver for 1000, 5000, 6000, and 6500 series cards have been updated.[r223255]
The msk(4) driver now supports RX checksum offloading for Yukon EC, Yukon Ultra, Yukon FE and Yukon Ultra2. The checksum offloading for Yukon XL was still disabled due to known silicon bug.[r223394]
A bug in the nfe(4) driver which could prevent reinitialization after changing the MTU has been fixed.[r218872]
A rdcphy(4) driver for RDC Semiconductor R6040 10/100 PHY has been added.[r218294]
The re(4) driver now supports RTL8168E/8111E-VL PCIe Gigabit Ethernet controllers and RTL8401E PCIe Fast Ethernet controllers.[r218901, r219116]
The re(4) driver now supports TX interrupt moderation on RTL810xE PCIe Fast Ethernet controllers.[r218905]
The
re(4) driver now
supports another mechanism for RX interrupt moderation because of performance
problems. A
sysctl(8)
variable dev.re.N.int_rx_mod
has been added to control amount of time
to delay RX interrupt processing, in units of microsecond. Setting it to 0 completely disables RX interrupt moderation. A
loader(8)
tunable hw.re.intr_filter
controls whether the old
mechanism utilizing MSI/MSI-X capability on supported controllers is used or not. When
set to a non-zero value, the
re(4) driver
uses the old mechanism. The default value is 0 and this
tunable has no effect on controllers without MSI/MSI-X capability.[r219110]
The re(4) driver now supports TSO (TCP Segmentation Offload) on RealTek RTL8168/8111 C or later controllers. Note that this is disabled by default because broken frames can be sent under certain conditions.[r218897]
The re(4) driver now supports enabling TX and/or RX checksum offloading independently from each other. Note that TX IP checksum is disabled on some RTL8168C-based network interfaces because it can generate an incorrect IP checksum when the packet contains IP options.[r218899, r219114]
The re(4) driver now supports RTL8105E PCIe Fast Ethernet controllers.[r229530]
A vte(4) driver for RDC R6040 Fast Ethernet controllers, which are commonly found on the Vortex86 System On a Chip, has been added.[r218296]
ipfw(8) now supports the call and return actions. Upon the call number action, the current rule number is saved in the internal stack and ruleset processing continues with the first rule numbered number or higher. The return action takes the rule number saved to internal stack by the latest call action and returns ruleset processing to the first rule with number greater than that saved number.[r230575]
FreeBSD's ipsec(4) support now uses half of the hash size as the authenticator hash size in Hashed Message Authentication Mode (HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512) as described in RFC 4868. This was a fixed 96-bit length in prior releases because the implementation was based on an old Internet draft draft-ietf-ipsec-ciph-sha-256-00. Note that this means 8.3-RELEASE and later are no longer interoperable with the older FreeBSD releases.[r221157]
A bug in the IPV6_PKTINFO option used in sendmsg(2) has been fixed. The IPV6_USE_MIN_MTU state set by setsockopt(2) was ignored.[r232560]
The FreeBSD TCP/IP network stack now supports the
mod_cc(9)
pluggable congestion control framework. This allows TCP congestion control algorithms
to be implemented as dynamically loadable kernel modules. The following kernel modules
are available as of 8.3-RELEASE:
cc_chd(4) for
the CAIA-Hamilton-Delay algorithm,
cc_cubic(4) for
the CUBIC algorithm,
cc_hd(4) for the
Hamilton-Delay algorithm,
cc_htcp(4) for
the H-TCP algorithm,
cc_newreno(4)
for the NewReno algorithm, and
cc_vegas(4) for
the Vegas algorithm. The default algorithm can be set by a new
sysctl(8)
variable net.inet.tcp.cc.algorithm
. The value must be set
to one of the names listed by net.inet.tcp.cc.available
,
and newreno is the default set at boot time. For more
detail, see the
mod_cc(4) and
mod_cc(9) manual
pages.[r222401, r222402, r222403, r222404, r222406, r222407, r222408, r222409, r222411, r222412, r222413, r222419, r225738]
An h_ertt(4) (Enhanced Round Trip Time) khelp(9) module has been added. This module allows per-connection, low noise estimates of the instantaneous RTT in the TCP/IP network stack with a robust implementation even in the face of delayed acknowledgments and/or TSO (TCP Segmentation Offload) being in use for a connection.[r222410]
A new tcp(4) socket option TCP_CONGESTION has been added. This allows to select or query the congestion control algorithm that the TCP/IP network stack will use for connections on the socket.[r222401]
The ng_ipfw(4) netgraph(4) node now supports IPv6.[r225876]
The ng_one2many(4) netgraph(4) node now supports the XMIT_FAILOVER transmit algorithm. This makes packets deliver out of the first active many hook.[r219660]
The
ada(4) driver
now supports write cache control. A new
sysctl(8)
variable kern.cam.ada.write_cache
determines whether the
write cache of
ada(4) devices
is enabled or not. Setting to 1 enables and 0 disables the write cache, and -1 leaves the
device default behavior.
sysctl(8)
variables kern.cam.ada.N.write_cache
can override the configuration in a
per-device basis (the default value is -1, which means to use
the global setting). Note that the value can be changed at runtime, but it takes
effect only after a device reset.[r220841]
The arcmsr(4) driver has been updated to version 1.20.00.22.[r224991]
The graid(8) GEOM class has been added. This is a replacement of the ataraid(4) driver supporting various BIOS-based software RAID.[r223177]
The mxge(4) driver has been updated.[r224235]
A tws(4) driver for 3ware 9750 SATA+SAS 6Gb/s RAID controllers has been added.[r226243]
The FreeBSD Fast File System now supports the TRIM command
when freeing data blocks. A new flag -t
in the
newfs(8) and
tunefs(8)
utilities sets the TRIM-enable flag for a file system. The TRIM-enable flag makes the
file system send a delete request to the underlying device for each freed block. The
TRIM command is specified as a Data Set Management Command in
the ATA8-ACS2 standard to carry the information related to deleted data blocks to a
device, especially for a SSD (Solid-State Drive) for optimization.[r218079]
A new flag -E
has been added to the
newfs(8) and
fsck_ffs(8)
utilities. This clears unallocated blocks, notifying the underlying device that they
are not used and that their contents may be discarded. This is useful in
fsck_ffs(8) for
file systems which have been mounted on systems without TRIM
support, or with TRIM support disabled, as well as
filesystems which have been copied from one device to another.[r225296]
The FreeBSD NFS subsystem now supports a nocto
mount
option. This disables the close-to-open cache coherency check at open time. This
option may improve performance for read-only mounts, but should only be used only if
the data on the server changes rarely. The
mount_nfs(8)
utility now also supports this flag keyword.[r221759]
A
loader(8)
tunable vfs.typenumhash
has been added. Setting this to
1 enables to use a hash calculation on the file system
identification number internally used in the kernel. This fixes the Stale NFS file
handle error on NFS clients when upgrading or rebuilding the kernel on the NFS server
due to unexpected change of these identification number values. Note that this is set
to 0 (disable) by default for backward compatibility.[r226926]
The FreeBSD ZFS subsystem has been updated to the SPA (Storage Pool Allocator, also
known as zpool) version 28. It now supports data deduplication, triple parity RAIDZ
(raidz3), snapshot holds, log device removal, zfs diff, zpool split, zpool import
-F
, and read-only zpool import.[r222741]
The bsdtar(1) and cpio(1) utilities are now based on libarchive version 2.8.5.[r229589]
The
cpuset(1)
utility now supports a -C
flag to create a new cpuset and
assign an existing process into that set, and an all keyword
in the -l cpu-list
option to specify all CPUs in the system.[r218033]
A bug in the fetch(1) utility which could prevent the STAT FTP command from working properly has been fixed.[r221764]
The
gpart(8) utility
now supports a -p
flag to the show
subcommand. This allows showing providers' names of partitions instead of the
partitions' indexes.[r219861]
The hastd(8) utility now drops root privileges of the worker processes to the hast user.[r220104]
The hastd(8) utility now supports a checksum keyword to specify the checksum algorithm in a resource section. As of 8.3-RELEASE, none, sha256, and crc32 are supported.[r220104]
The hastd(8) utility now supports a compression keyword to specify the compression algorithm in a resource section. As of 8.3-RELEASE, none, hole and lzf are supported.[r220104]
The hastd(8) utility now supports a source keyword to specify the local address to bind to before connecting the remote hastd(8) daemon.[r220104]
A readline(3) API set has been imported into libedit. This is based on NetBSD's implementation and BSD licensed utilities now use it instead of GNU libreadline.[r220612]
The makefs(8) utility now supports the ISO 9660 format.[r224447]
libmd and libcrypt now support the SHA-256 and SHA-512 algorithms.[r231588]
The netstat(1) utility now does not expose the internal scope address representation used in the FreeBSD kernel, which is derived from KAME IPv6 stack, in the results of netstat -ani and netstat -nr.[r219062]
The newsyslog(8) utility now supports xz(1) compression. An X flag in the optional field has been added to specify the compression.[r218911]
A poweroff(8) utility has been added. This is equivalent to:[r224259]
# shutdown -p now
The ppp(8) utility now supports iface name name and iface description description commands. These have the same functionalities as the name and description subcommands of the ifconfig(8) utility.[r224285]
The
ps(1) utility
now supports -o usertime
and -o
systime
options to display accumulated system and user CPU time,
respectively.[r219943]
The rtadvd(8) daemon now supports a noifprefix keyword to disable gathering on-link prefixes from interfaces when no addr keyword is specified. An entry in /etc/rtadvd.conf with noifprefix and no addr generates an RA message with no prefix information option.[r231802]
The rtadvd(8) daemon now supports the RDNSS and DNSSL options described in RFC 6106, IPv6 Router Advertisement Options for DNS Configuration. A rtadvctl(8) utility to control the rtadvd(8) daemon has been added.[r231802]
A bug in the tftpd(8) daemon has been fixed. It had an interoperability issue when transferring a large file.[r227083]
The zpool(8): utility now supports a zpool labelclear command. This allows to wipe the label data from a drive that is not active in a pool.[r229570]
The awk has been updated to the 7 August 2011 release.
ISC BIND has been updated to version 9.6-ESV-R5-P1.
The netcat utility has been updated to version 4.9.
GNU GCC and libstdc++ have been updated to rev 127959 of gcc-4_2-branch (the last GPLv2-licensed version).[r221274]
The LESS program has been updated to version v444.[r223454]
The OpenSSH utility has been updated to 5.4p1, and optimization for large bandwidth-delay product connection and none cipher support have been merged[r228152]
sendmail has been updated to version 8.14.5.[r223315]
The timezone database has been updated to the tzdata2011n release.[r226977]
The unifdef(1) utility has been updated to version 2.5.6.
The xz program has been updated from 5.0.0 to 5.0.1.[r219219]
The supported version of the KDE desktop environment (x11/kde4) has been updated from 4.5.5 to 4.7.4.
[amd64, i386] Upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the freebsd-update(8) utility. The binary upgrade procedure will update unmodified userland utilities, as well as unmodified GENERIC kernel distributed as a part of an official FreeBSD release. The freebsd-update(8) utility requires that the host being upgraded has Internet connectivity.
An older form of binary upgrade is supported through the Upgrade option from the main sysinstall(8) menu on CDROM distribution media. This type of binary upgrade may be useful on non-i386, non-amd64 machines or on systems with no Internet connectivity.
Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in /usr/src/UPDATING.
Important: Upgrading FreeBSD should, of course, only be attempted after backing up all data and configuration files.
This file, and other release-related documents, can be downloaded from ftp://ftp.FreeBSD.org/.
For questions about FreeBSD, read the documentation before contacting <questions@FreeBSD.org>.
For questions about this documentation, e-mail <doc@FreeBSD.org>.