FreeBSD/alpha 5.1-RELEASE Release Notes The FreeBSD Project Copyright (c) 2000, 2001, 2002, 2003 by The FreeBSD Documentation Project $FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml,v 1.573 2003/05/28 21:01:22 hrs Exp $ The release notes for FreeBSD 5.1-RELEASE contain a summary of recent changes made to the FreeBSD base system on the 5-CURRENT development branch. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented. ---------------------------------------------------------------------- Table of Contents 1 Introduction 2 What's New 2.1 Security Advisories 2.2 Kernel Changes 2.2.1 Processor/Motherboard Support 2.2.2 Boot Loader Changes 2.2.3 Network Interface Support 2.2.4 Network Protocols 2.2.5 Disks and Storage 2.2.6 File Systems 2.2.7 PCCARD Support 2.2.8 Multimedia Support 2.3 Userland Changes 2.4 Contributed Software 2.5 Ports/Packages Collection Infrastructure 2.6 Release Engineering and Integration 2.7 Documentation 3 Upgrading from previous releases of FreeBSD ---------------------------------------------------------------------- 1 Introduction This document contains the release notes for FreeBSD 5.1-RELEASE on the Alpha/AXP hardware platform. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD. This distribution of FreeBSD 5.1-RELEASE is a release distribution. It can be found at ftp://ftp.FreeBSD.org/ or any of its mirrors. More information on obtaining this (or other) release distributions of FreeBSD can be found in the ``Obtaining FreeBSD'' appendix to the FreeBSD Handbook. Users who are new to the 5-CURRENT series of FreeBSD releases should also read the ``Early Adopters Guide to FreeBSD 5.1-RELEASE''. This document can generally be found in the same location as the release notes (either as a part of a FreeBSD distribution or on the FreeBSD Web site). It contains important information regarding the advantages and disadvantages of using FreeBSD 5.1-RELEASE, as opposed to releases based on the FreeBSD 4-STABLE development branch. All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with ``late-breaking'' information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD 5.1-RELEASE can be found on the FreeBSD Web site. ---------------------------------------------------------------------- 2 What's New This section describes many of the user-visible new or changed features in FreeBSD since 5.0-RELEASE. It includes items that are unique to the 5-CURRENT branch, as well as some features that may have been recently merged to other branches (after FreeBSD 5.0-RELEASE). The latter items are marked as [MERGED]. Typical release note items document recent security advisories issued after 5.0-RELEASE, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements. ---------------------------------------------------------------------- 2.1 Security Advisories A remotely exploitable vulnerability in CVS has been corrected with the import of version 1.11.5. More details can be found in security advisory FreeBSD-SA-03:01. [MERGED] A timing-based attack on OpenSSL, which could allow a very powerful attacker access to plaintext under certain circumstances, has been prevented via an upgrade to OpenSSL 0.9.7. See security advisory FreeBSD-SA-03:02 for more details. [MERGED] The security and performance of the ``syncookies'' feature has been improved to decrease the chance of an attacker being able to spoof connections. More details are given in security advisory FreeBSD-SA-03:03. [MERGED] Remotely-exploitable buffer overflow vulnerabilities in sendmail have been fixed by updating sendmail. For more details, see security advisory FreeBSD-SA-03:04 and FreeBSD-SA-03:07. [MERGED] A bounds-checking bug in the XDR implementation, which could allow a remote attacker to cause a denial-of-service, has been fixed. For more details see security advisory FreeBSD-SA-03:05. [MERGED] Two recently-publicized flaws in OpenSSL have been corrected. For more details, see security advisory FreeBSD-SA-03:06. [MERGED] ---------------------------------------------------------------------- 2.2 Kernel Changes devfs(5) is now mandatory; the NODEVFS option has been removed from the set of possible kernel configuration options. A minor bug in the permissions handling of /dev/tty has been fixed. As a result, ssh(1) can now be used after su(1). A bug that caused fstat(2) to return 0 as the number of bytes available to read from a TCP socket has been fixed. A bug that caused kqueue(2) to report 0 as the number of bytes available to read from a TCP socket has been fixed. The NOTE_LOWAT flag for EVFILT_READ has been fixed. Linux emulation mode now supports IPv6. madvise(2) now supports a MADV_PROTECT behavior, which informs the virtual memory system that a process is critical and should not be killed when swap space has been exhausted. The process must be owned by the superuser. A second process scheduler, designed to be a general purpose scheduler with many SMP benefits, has been added to the scheduler framework. Exactly one scheduler must be specified in a kernel configuration. The original scheduler may be selected using options SCHED_4BSD. The newer (experimental) scheduler can be selected by using options SCHED_ULE. Device major numbers are now allocated dynamically by default. This change greatly decreases the need for a static, centralized table of major number assignments to device drivers (a few drivers retain their old static major numbers for compatibility), and also reduces the possibility of running out of device major numbers. ---------------------------------------------------------------------- 2.2.1 Processor/Motherboard Support ---------------------------------------------------------------------- 2.2.2 Boot Loader Changes The alpha boot loader (boot1) can now be called boot for consistency with other platforms. The /modules directory (once the default location for modules on FreeBSD 4.X) is no longer a part of the default kern.module_path. Third-party modules should be placed in /boot/modules. Note: Modules designed for use with FreeBSD 4.X are likely to panic when loaded into a FreeBSD 5.1-RELEASE kernel and should be used with extreme caution. ---------------------------------------------------------------------- 2.2.3 Network Interface Support The cm driver now supports IPX. [MERGED] A new wlan(4) module provides 802.11 link-layer support. The wi(4) and an(4) drivers now use this facility. A timing bug in the xl(4) driver, which could cause a kernel panic (or other problems) when configuring an interface, has been fixed. ---------------------------------------------------------------------- 2.2.4 Network Protocols ipfw(4) skipto rules can once again be used with the log keyword. ipfw(4) uid rules are once again working. It is now possible to build the FAST_IPSEC and INET6 options into the same kernel. (They still cannot be used together, however.) A bug in TCP NewReno, which caused premature exit from fast recovery when NewReno was enabled, has been fixed. [MERGED] TCP now has support for the ``Limited Transmit'' mechanism proposed by RFC 3042. This feature is intended to improve the effectiveness of TCP loss recovery in certain circumstances. It is off by default but can be enabled with the net.inet.tcp.rfc3042 sysctl variable. More information can be found in tcp(4). TCP now has support for increased initial congestion window sizes as described in RFC 3390. This feature can improve the throughput of short transfers, as well as high-bandwidth, large propagation-delay connections. It is off by default but can be enabled with the net.inet.tcp.rfc3390 sysctl variable. More information can be found in tcp(4). The IP fragment reassembly code behaves more gracefully when receiving a large number of packet fragments (it is designed to be more resistant to fragment-based denial of service attacks). [MERGED] TCP connections in the TIME_WAIT state now use a special protocol control block that uses less space than a full-blown TCP PCB. This allows some of the data structures and resources used by such a connection to be freed earlier. It is now possible to specify the range of ``privileged ports'' (TCP and UDP ports that require superuser access to bind(2) to). The range is now specified with the net.inet.ip.portrange.reservedlow and net.inet.ip.portrange.reservedhigh sysctl variables, defaulting to the traditional UNIX behavior. This feature is intended to help network servers bind to traditionally privileged ports without requiring superuser access. ip(4) has more details. Some bugs in the non-blocking RPC code has been fixed. As a result, amd(8) users are now able to mount volumes from a 5.1-RELEASE server. Support for XNS networking, which has not worked correctly for almost seven years, has been removed. ---------------------------------------------------------------------- 2.2.5 Disks and Storage The aac(4) driver now runs free of the Giant kernel lock. This change has given a nearly 20% performance speedup on an SMP system running multiple I/O intensive loads. The ata(4) driver now supports all known SiS chipsets. (More details can be found in the Hardware Notes.) The ata(4) driver now supports the Promise SATA150 TX2 and TX4 Serial ATA/150 controllers. The ata(4) driver now flushes devices on shutdown. This change may result in failure messages being printed on the console for devices that do not support flushing. The CAM layer now has support for devices with more than 232 blocks. (Assuming 512-byte blocks, this means support for devices larger than 2TB.) Note: For users upgrading across this change, note that all userland applications that talk to pass(4) or xpt(4) devices must be recompiled. Examples of such programs are camcontrol(8) in the base system, the sysutils/cdrtools port, and the multimedia/xmms port. A number of changes have been made to the cd(4) driver. The primary user-visible change is improved compatibility with ATAPI/USB/Firewire CDROM drives. geom(4) is now mandatory; the NO_GEOM has been removed from the set of kernel configuration options. The iir(4) driver has been updated; this update is believed to fix problems detecting attached disks during installation. A bug in the mly(4) driver that caused hangs has been corrected. Support has been added for volume labels on UFS and UFS2 file systems. These labels are strings that can be used to identify a volume, regardless of what device it appears on. Labels can be set with the -L options to newfs(8) or tunefs(8). With the GEOM_VOL module, volumes can be accessed using their labels under /dev/vol. The root file system can now be located on a vinum(4) volume. More information can be found in the vinum(4) manual page. ---------------------------------------------------------------------- 2.2.6 File Systems A new DIRECTIO kernel option enables support for read operations that bypass the buffer cache and put data directly into a userland buffer. This feature requires that the O_DIRECT flag is set on the file descriptor and that both the offset and length for the read operation are multiples of the physical media sector size. [MERGED] NETNCP and Netware File System Support (nwfs) are once again working. Bugs that could cause the unmounting of a smbfs share to fail or cause a kernel panic have been fixed. ---------------------------------------------------------------------- 2.2.7 PCCARD Support ---------------------------------------------------------------------- 2.2.8 Multimedia Support ---------------------------------------------------------------------- 2.3 Userland Changes adduser(8) now correctly handles setting user passwords containing special shell characters. adduser(8) now supports a -g option to set a user's default login group. The bsdlabel(8) utility is a replacement for the older disklabel utility. Like its predecessor, it installs, examines, or modifies the BSD label on a disk partition, and can install bootstrap code. Compared to disklabel, a number of obsolete options and parameters have been retired. A new -m option instructs bsdlabel(8) to use the layout suitable for a specific machine. The compat4x distribution now includes the libcrypto.so.2, libgmp.so.3, and libssl.so.2 libraries from FreeBSD 4.7-RELEASE. chgrp(1) and chown(8) now, when the owner/group is modified, print the old and new uid/gid if the -v option is specified more than once. config(8) now implements a nodevice kernel configuration file directive that cancels the effect of a device directive. The new nooption and nomakeoption directives cancel prior options and makeoptions directives, respectively. The diskinfo(8) utility has been added to show information about a disk device and optionally to run a naive performance test. The disklabel utility has been replaced by bsdlabel(8). On the alpha, i386, and pc98 platforms, disklabel is a link to bsdlabel(8). dump(8) now supports caching of disk blocks with the -C option. This can improve dump performance at the cost of possibly missing file system updates that occur between passes. dumpfs(8) now supports a -m flag to print file system parameters in the form of a newfs(8) command. elfdump(1), a utility to display information about elf(5) format executable files, has been added. fetch(1) uses the .netrc support in fetch(3) and also supports a -N to specify an alternate .netrc file. fetch(3) now has support for .netrc files (see ftp(1) for more details). ftpd(8) now supports a -h option to disable printing any host-specific information, such as the ftpd(8) version or hostname, in server messages. [MERGED] ftpd(8) now supports a -P option to specify a port on which to listen in daemon mode. The default data port number is now set to be one less than the control port number, rather than being hard-coded. [MERGED] ftpd(8) now supports an extended format of the /etc/ftpchroot file. Please refer to the ftpchroot(5) manpage, which is now available, for details. [MERGED] ftpd(8) now supports login directory pathnames that specify simultaneously a directory for chroot(2) and that to change to in the chrooted environment. The /./ separator is used for this purpose, like in other FTP daemons having this feature. It may be used in both ftpchroot(5) and passwd(5). [MERGED] fwcontrol(8) now supports -R and -S options for receiving and sending DV streams. [MERGED] The gstat(8) utility has been added to show the disk activity inside the geom(4) subsystem. ipfw(8) now supports enable and disable commands to control various aspects of the operation of ipfw(4) (including enabling and disabling the firewall itself). These provide a more convenient and visible interface than the existing sysctl variables. [MERGED] jail(8) now supports a -i flag to output an identifier for a newly-created jail. The jexec(8) utility has been added to execute a command inside an existing jail. The jls(8) utility has been added to list existing jails. kenv(1) has been moved from /usr/bin to /bin to make it available at times during system startup when only the root file system is mounted. killall(1) now supports a -j option to kill all processes inside a jail. The libgeom(3) library has been added to allow some userland access to the geom(4) subsystem. The mac_portacl MAC policy module has been added. It provides a simple ACL mechanism to permit users and groups to bind ports for TCP or UDP, and is intended to be used in conjunction with the recently-added net.inet.ip.portrange.reservedhigh sysctl. The MAKEDEV script is now unnecessary, due to the mandatory presence of devfs(5), and has been removed. mergemaster(8) now supports a -P option to preserve the contents of files being replaced. mixer(8) can now implement relative volume adjustments. The mksnap_ffs(8) program has been added to allow easier creation of FFS snapshots. It is a SUID-root executable designed for use by members of the operator group. mount(8) and umount(8) now accept a -F option to specify an alternate fstab(5) file. mount_nfs(8) now supports a -c flag to avoid doing a connect(2) for UDP mount points. This option must be used if the server does not reply to requests from the standard NFS port number 2049 or if it replies to requests using a different IP address (which can occur if the server is multi-homed). Setting the vfs.nfs.nfs_ip_paranoia sysctl to 0 will make this option the default. [MERGED] mount_nfs(8) now supports the noinet4 and noinet6 mount options to prevent NFS mounts from using IPv4 or IPv6 respectively. newfs(8) will now create UFS2 file systems by default, unless UFS1 is specifically requested with the -O1 option. newsyslog(8) has a number of new features. Among them: * A W flag forces previously-started compression jobs for an entry (or group of entries specified with the G flag) to finish before beginning a new one. This feature is designed to prevent system overloads caused by starting several compression jobs on big files simultaneously. [MERGED] * A ``default rotate action'', to be used for files specified for rotation but not specified in the configuration file. [MERGED] * A -s command-line flag to disable sending signals to processes when rotating files. [MERGED] * A N configuration file flag to indicate that no process needs to be signaled when rotating a file. [MERGED] * A U configuration file flag to specify that a process group (rather than a single process) should be signaled when rotating files. [MERGED] nsdispatch(3) is now thread-safe and implements support for Name Service Switch (NSS) modules. NSS modules may be statically built into libc or dynamically loaded via dlopen(3). They are loaded/initialized at configuration time (i.e. when nsdispatch(3) is called and nsswitch.conf(5) is read or re-read). A new pam_chroot(8) module has been added, which does a chroot(2) operation for users into either a predetermined directory or one derived from their home directory. pam_ssh(8) has been rewritten. One side effect of the rewrite is that it now starts a separate instance of ssh-agent(1) for each session instead of trying to connect each session to the agent started by the first session. ping(8) now supports a -D flag to set the ``Don't Fragment'' bit on outgoing packets. ping(8) now supports a -M option to use ICMP mask request or timestamp request messages instead of ICMP echo requests. ping(8) now supports a -z flag to set the Type of Service bits in outgoing packets. pw(8) can now add a user whose name ends with a $ character; this change is intended to help administration of Samba services. [MERGED] The format of the /etc/pwd.db and /etc/spwd.db password databases created by pwd_mkdb(8) is now byte-order independent. The pre-processed password databases can now be moved between machines of different architectures. The format includes version numbers on entries to ensure compatibility with old binaries. A bug in rand(3) that could cause a sequence to remain stuck at 0 has been fixed. (rand(3) remains unsuitable for all but trivial uses.) rtld(1) now has support for the dynamic mapping of shared object dependencies. This optional feature is especially useful when experimenting with different threading libraries. It is not, however, built by default. More information on enabling and using this feature can be found in libmap.conf(5). sem_open(3) now correctly handles multiple opens of the same semaphore; as a result, sem_close(3) no longer crashes calling programs. The seeding algorithm used by srandom(3) has been strengthened. sysinstall(8) will now select UFS2 as the default layout for new file systems unless specifically requested in the disk labeler. The swapoff(8) command has been added to disable paging and swapping on a device. A related swapctl(8) command has been added to provide an interface to swapon(8) and swapoff(8) similar to other BSDs. Note: The swapoff(8) feature should be considered experimental. syslogd(8) now allows multiple hosts or programs to be named in host or program specifications in syslog.conf(5) files. systat(1) now includes an -ifstat display mode that displays the network traffic going through active interfaces on the system. The usbhidaction(1) command has been added; it performs actions according to its configuration in response to USB HID controls. uudecode(1) and b64decode(1) now support a -r flag for decoding raw (or broken) files that may be missing the initial and possibly final framing lines. [MERGED] vmstat(8) has re-implemented the -f flag, which displays statistics on fork operations. xargs(1) now supports a -P option to execute multiple copies of the same utility in parallel. xargs(1) now supports a -o flag to reopen /dev/tty for the child process before executing the command. This is useful when the child process is an interactive application. The historic BSD boot scripts in /etc have been removed, in favor of the rc.d system imported from NetBSD (sometimes referred to as ``rcNG''). All functionality of the historic system has been preserved. In particular, files such as /etc/rc.conf continue to be the recommended means of configuring the system startup. The rc.d system has been the default since FreeBSD 5.0-RELEASE, so this change should be largely transparent for the vast majority of users. Users who have customized their historic-style startup scripts should be aware that the following files have been removed from /etc: rc.atm, rc.devfs, rc.diskless1, rc.diskless2, rc.i386, rc.alpha, rc.amd64, rc.ia64, rc.sparc64, rc.isdn, rc.network, rc.network6, rc.pccard, rc.serial, rc.syscons, rc.sysctl. mergemaster(8), when run, will offer to move these files out of the way for convenience. More details can be found in rc.subr(8). ---------------------------------------------------------------------- 2.4 Contributed Software The ACPI-CA code has been updated from the 20021118 snapshot to the 20030228 snapshot. awk from Bell Labs has been updated to a 14 March 2003 snapshot. BIND has been updated to version 8.3.4. [MERGED] All of the bzip2 suite of applications is now installed in the base system (in particular, bzip2recover is now built and installed). [MERGED] CVS has been updated to 1.11.5. [MERGED] FILE has been updated to 3.41. [MERGED] GCC has been updated to 3.2.2 (release version). The gdtoa library, for conversions between strings and floating point, has been imported. These sources were dated 24 March 2003. groff (and related utilities) have been updated from 1.18.1 to 1.19. IPFilter has been updated to 3.4.31. [MERGED] The ISC DHCP client has been updated to 3.0.1RC11. [MERGED] The ISC DHCP client now includes the omshell(1) utility and the dhcpctl(3) library for run-time control of the client. Kerberos IV support (in the form of KTH eBones) has been removed. Users requiring this functionality can still get it from the security/krb4 port (or package). Kerberos IV compatibility mode for Kerberos 5 has been removed, and the k5program userland utilities have been renamed to kprogram. Kerberos 5 is now built by default in buildworld operations. Setting MAKE_KERBEROS5 no longer has any effect. Disabling the base system Kerberos 5 now requires the NO_KERBEROS Makefile variable to be set. libpcap now has support for selecting among multiple data link types on an interface. lukemftpd (not built or installed by default) has been updated to a snapshot from 22 January 2003. OpenPAM has been updated from the ``Citronella'' release to the ``Dianthus'' release. OpenSSH has been updated to 3.6.1p1. OpenSSL has been updated to release 0.9.7a. Among other features, this release includes support for AES and takes advantage of crypto(4) devices. [MERGED] sendmail has been updated to version 8.12.9. [MERGED] tcpdump(1) has been updated to version 3.7.2. [MERGED] It also now supports a -L flag to list the data link types available on an interface and a -y option to specify the data link type to use while capturing packets. texinfo has been updated from 4.2 to 4.5. The timezone database has been updated from tzdata2002d to tzdata2003a. [MERGED] ---------------------------------------------------------------------- 2.5 Ports/Packages Collection Infrastructure The one-line pkg-comment files have been eliminated from each port skeleton; their contents have been moved into each port's Makefile. This change reduces the disk space and inodes used by the ports tree. [MERGED] When fetching distfiles for building a port, the FETCH_REGET Makefile variable can be used to specify the number of times to try continuing to fetch a distfile if it fails its MD5 checksum. The port infrastructure also supports re-fetching interrupted distfiles. pkg_create(1) now supports a -C option, which allows packages to register a list of other packages with which they conflict. They will refuse to install (via pkg_add(1)) if one of the listed packages is already present. The -f flag to pkg_add(1) overrides this conflict-checking. pkg_info(1) now honors the BLOCKSIZE environment variable in its output when the -b flag is given. pkg_info(1) now implements a -Q option, which is similar to the -q ``quiet'' option except that it prefixes the output with the package name. ---------------------------------------------------------------------- 2.6 Release Engineering and Integration The supported release of GNOME has been updated to 2.2.1. [MERGED] The supported release of KDE has been updated to 3.1.2. [MERGED] There is no longer a separate krb5 distribution. The Kerberos 5 libraries and utilities have been incorporated into the crypto distribution. sysinstall(8) once again supports installing individual components of XFree86. Supporting changes (not user-visible) generalize the concept of installing parts of distributions as packages. The supported release of XFree86 has been updated to 4.3.0. [MERGED] Several upgrade mechanisms designed to permit major version upgrades from FreeBSD 2.X to 3.X and from FreeBSD 3.X to 4.X have been removed. ---------------------------------------------------------------------- 2.7 Documentation The following new articles have been added to the documentation set: ``FreeBSD From Scratch'', ``The Roadmap for 5-STABLE''. A new Danish (da_DK.ISO8859-1) translation project has been started. ---------------------------------------------------------------------- 3 Upgrading from previous releases of FreeBSD Users with existing FreeBSD systems are highly encouraged to read the ``Early Adopter's Guide to FreeBSD 5.1-RELEASE''. This document generally has the filename EARLY.TXT on the distribution media, or any other place that the release notes can be found. It offers some notes on upgrading, but more importantly, also discusses some of the relative merits of upgrading to FreeBSD 5.X versus running FreeBSD 4.X. Important: Upgrading FreeBSD should, of course, only be attempted after backing up all data and configuration files. ---------------------------------------------------------------------- This file, and other release-related documents, can be downloaded from ftp://ftp.FreeBSD.org/. For questions about FreeBSD, read the documentation before contacting . All users of FreeBSD 5-CURRENT should subscribe to the mailing list. For questions about this documentation, e-mail .