FreeBSD 8.3-RELEASE Release Notes

  The FreeBSD Project

   Copyright (c) 2012 The FreeBSD Documentation Project

   $FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/article.sgml,v
   1.1101.2.29.2.4 2012/04/09 04:44:39 hrs Exp $

   FreeBSD is a registered trademark of the FreeBSD Foundation.

   IBM, AIX, EtherJet, Netfinity, OS/2, PowerPC, PS/2, S/390, and
   ThinkPad are trademarks of International Business Machines
   Corporation in the United States, other countries, or both.

   IEEE, POSIX, and 802 are registered trademarks of Institute of
   Electrical and Electronics Engineers, Inc. in the United States.

   Intel, Celeron, EtherExpress, i386, i486, Itanium, Pentium, and
   Xeon are trademarks or registered trademarks of Intel Corporation
   or its subsidiaries in the United States and other countries.

   SPARC, SPARC64, SPARCengine, and UltraSPARC are trademarks of
   SPARC International, Inc in the United States and other countries.
   SPARC International, Inc owns all of the SPARC trademarks and
   under licensing agreements allows the proper use of these
   trademarks by its members.

   Many of the designations used by manufacturers and sellers to
   distinguish their products are claimed as trademarks. Where those
   designations appear in this document, and the FreeBSD Project was
   aware of the trademark claim, the designations have been followed
   by the "(TM)" or the "(R)" symbol.

   The release notes for FreeBSD 8.3-RELEASE contain a summary of the
   changes made to the FreeBSD base system on the 8.2-STABLE
   development line. This document lists applicable security
   advisories that were issued since the last release, as well as
   significant changes to the FreeBSD kernel and userland. Some brief
   remarks on upgrading are also presented.

     --------------------------------------------------------------

   Table of Contents

   1 Introduction

   2 What's New

      2.1 Security Advisories

      2.2 Kernel Changes

         2.2.1 Hardware Support
         2.2.2 Network Protocols
         2.2.3 Disks and Storage
         2.2.4 File Systems

      2.3 Userland Changes

      2.4 Contributed Software

      2.5 Ports/Packages Collection Infrastructure

   3 Upgrading from previous releases of FreeBSD

1 Introduction

   This document contains the release notes for FreeBSD 8.3-RELEASE.
   It describes recently added, changed, or deleted features of
   FreeBSD. It also provides some notes on upgrading from previous
   versions of FreeBSD.

   This distribution of FreeBSD 8.3-RELEASE is a release
   distribution. It can be found at ftp://ftp.FreeBSD.org/ or any of
   its mirrors. More information on obtaining this (or other) release
   distributions of FreeBSD can be found in the "Obtaining FreeBSD"
   appendix to the FreeBSD Handbook.

   All users are encouraged to consult the release errata before
   installing FreeBSD. The errata document is updated with
   "late-breaking" information discovered late in the release cycle
   or after the release. Typically, it contains information on known
   bugs, security advisories, and corrections to documentation. An
   up-to-date copy of the errata for FreeBSD 8.3-RELEASE can be found
   on the FreeBSD Web site.

     --------------------------------------------------------------

2 What's New

   This section describes the most user-visible new or changed
   features in FreeBSD since 8.2-RELEASE.

   Typical release note items document recent security advisories
   issued after 8.2-RELEASE, new drivers or hardware support, new
   commands or options, major bug fixes, or contributed software
   upgrades. They may also list changes to major ports/packages or
   release engineering practices. Clearly the release notes cannot
   list every single change made to FreeBSD between releases; this
   document focuses primarily on security advisories, user-visible
   changes, and major architectural improvements.

     --------------------------------------------------------------

  2.1 Security Advisories

   Problems described in the following security advisories have been
   fixed. For more information, consult the individual advisories
   available from http://security.FreeBSD.org/.

   Advisory           Date               Topic
   SA-11:01.mountd    20 April 2011      Network ACL mishandling in
                                         mountd(8)
   SA-11:02.bind      28 May 2011        BIND remote DoS with large
                                         RRSIG RRsets and negative
                                         caching
   SA-11:04.compress  28 September 2011  Errors handling corrupt
                                         compress file in compress(1)
                                         and gzip(1)
   SA-11:05.unix      28 September 2011  Buffer overflow in handling of
                                         UNIX socket addresses
   SA-11:06.bind      23 December 2011   Remote packet Denial of
                                         Service against named(8)
                                         servers
   SA-11:07.chroot    23 December 2011   Code execution via chrooted
                                         ftpd
   SA-11:08.telnetd   23 December 2011   telnetd code execution
                                         vulnerability
   SA-11:09.pam_ssh   23 December 2011   pam_ssh improperly grants
                                         access when user account has
                                         unencrypted SSH private keys
   SA-11:10.pam       23 December 2011   pam_start() does not validate
                                         service names

     --------------------------------------------------------------

  2.2 Kernel Changes

   [amd64, i386] The FreeBSD dtrace(1) framework now supports
   systrace for system calls of linux32 and freebsd32 on
   FreeBSD/amd64. Two new kernel modules, systrace_linux32 and
   systrace_freebsd32, provide support for tracing compat system
   calls in addition to the native system call tracing provided by
   the systrace module.[r219107]

   The hhook(9) (Helper Hook) and khelp(9) (Kernel Helpers) KPIs have
   been implemented. These are a kind of superset of the pfil(9)
   framework for more general use in the kernel. The hhook(9) KPI
   provides a way for kernel subsystems to export hook points that
   khelp(9) modules can hook to provide enhanced or new functionality
   to the kernel. The khelp(9) KPI provides a framework for managing
   khelp(9) modules, which indirectly use the hhook(9) KPI to
   register their hook functions with hook points of interest within
   the kernel. These allow a structured way to dynamically extend the
   kernel at runtime in an ABI preserving manner.[r222406]

   [amd64, i386, pc98] A loader(8) tunable hw.memtest.tests has been
   added. This controls whether to perform memory testing at boot
   time or not. The default value is 1 (perform a memory
   test).[r230282]

   The open(2) and fhopen(2) system calls now support the O_CLOEXEC
   flag, which allows setting the FD_CLOEXEC flag for the newly
   created file descriptor. This is standardized in IEEE Std
   1003.1-2008 (POSIX, Single UNIX Specification Version 4).[r220241]
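
   The following C program is an added example, not code from the
   FreeBSD source tree. It compares open(2) with O_CLOEXEC against the
   older open(2)-then-fcntl(2) idiom and checks, across a real fork(2)
   and exec, whether the descriptor reaches the new program. The helper
   names and the use of /dev/null and /bin/sh are assumptions of the
   example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if FD_CLOEXEC is set on fd, 0 if not, -1 on error. */
int has_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags == -1 ? -1 : (flags & FD_CLOEXEC) != 0;
}

/* Atomic form: the descriptor never exists without FD_CLOEXEC. */
int open_cloexec(const char *path)
{
    return open(path, O_RDONLY | O_CLOEXEC);
}

/* Two-step idiom. With stop_in_window set, the function returns between
 * the two calls, which is the state a concurrent fork()+exec() can see. */
int open_then_fcntl(const char *path, int stop_in_window)
{
    int fd = open(path, O_RDONLY);
    if (fd == -1 || stop_in_window)
        return fd;
    if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Fork and exec /bin/sh: 1 if the new program can still use the
 * descriptor, 0 if the kernel closed it at exec time, -1 on error. */
int inherited_after_exec(int fd)
{
    int status;
    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        /* Move the descriptor to fd 3, keeping its close-on-exec state,
         * so the shell command can name it with a single digit. */
        int flags = fcntl(fd, F_GETFD);
        if (flags == -1 || (fd != 3 && (dup2(fd, 3) == -1 ||
            fcntl(3, F_SETFD, flags) == -1)))
            _exit(127);
        execl("/bin/sh", "sh", "-c", "exec 2>/dev/null; : <&3", (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) ||
        WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    /* /dev/null stands in for a sensitive file such as a private key. */
    int safe = open_cloexec("/dev/null");
    int racy = open_then_fcntl("/dev/null", 1);
    printf("O_CLOEXEC:     flag=%d inherited=%d\n",
           has_cloexec(safe), inherited_after_exec(safe));
    printf("open only:     flag=%d inherited=%d\n",
           has_cloexec(racy), inherited_after_exec(racy));
    return 0;
}
```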

   The posix_fallocate(2) system call has been implemented. This is a
   function in POSIX to ensure that a part of the storage for regular
   file data is allocated on the file system storage media.[r227573]

   The posix_fadvise(2) system call has been implemented. This is a
   function in POSIX similar to madvise(2) except that it operates on
   a file descriptor instead of a memory region.[r229725]

     --------------------------------------------------------------

    2.2.1 Hardware Support

   The FreeBSD usb(4) subsystem now supports a USB packet filter.
   This allows capturing packets that pass through each USB host
   controller. The implementation is largely based on bpf(4) code.
   The userland program usbdump(8) has been added.[r221174]

     --------------------------------------------------------------

      2.2.1.1 Network Interface Support

   The cxgb(4) driver has been updated to version 7.11.0.[r220340]

   A cxgbe(4) driver for Chelsio T4 (Terminator 4) based 10Gb/1Gb
   adapters has been added.[r219633]

   [i386] The dc(4) driver now works correctly in kernels with the
   PAE option.[r220072]

   The em(4) driver has been updated to version 7.3.2.[r230848]

   The igb(4) driver has been updated to version 2.3.1.[r230848]

   The igb(4) driver now supports Intel I350 PCIe Gigabit Ethernet
   controllers.[r230848]

   The ixgbe(4) driver has been updated to version 2.4.5.[r230924]

   Firmware images in the iwn(4) driver for 1000, 5000, 6000, and
   6500 series cards have been updated.[r223255]

   The msk(4) driver now supports RX checksum offloading for Yukon
   EC, Yukon Ultra, Yukon FE and Yukon Ultra2. Checksum offloading
   for Yukon XL remains disabled due to a known silicon
   bug.[r223394]

   A bug in the nfe(4) driver which could prevent reinitialization
   after changing the MTU has been fixed.[r218872]

   A rdcphy(4) driver for RDC Semiconductor R6040 10/100 PHY has been
   added.[r218294]

   The re(4) driver now supports RTL8168E/8111E-VL PCIe Gigabit
   Ethernet controllers and RTL8401E PCIe Fast Ethernet
   controllers.[r218901, r219116]

   The re(4) driver now supports TX interrupt moderation on RTL810xE
   PCIe Fast Ethernet controllers.[r218905]

   The re(4) driver now supports another mechanism for RX interrupt
   moderation because of performance problems. A sysctl(8) variable
   dev.re.N.int_rx_mod has been added to control the amount of time
   to delay RX interrupt processing, in microseconds. Setting it
   to 0 completely disables RX interrupt moderation. A loader(8)
   tunable hw.re.intr_filter controls whether the old mechanism
   utilizing MSI/MSI-X capability on supported controllers is used or
   not. When set to a non-zero value, the re(4) driver uses the old
   mechanism. The default value is 0 and this tunable has no effect
   on controllers without MSI/MSI-X capability.[r219110]

   The re(4) driver now supports TSO (TCP Segmentation Offload) on
   RealTek RTL8168/8111 C or later controllers. Note that this is
   disabled by default because broken frames can be sent under
   certain conditions.[r218897]

   The re(4) driver now supports enabling TX and/or RX checksum
   offloading independently from each other. Note that TX IP checksum
   is disabled on some RTL8168C-based network interfaces because it
   can generate an incorrect IP checksum when the packet contains IP
   options.[r218899, r219114]

   The re(4) driver now supports RTL8105E PCIe Fast Ethernet
   controllers.[r229530]

   A vte(4) driver for RDC R6040 Fast Ethernet controllers, which are
   commonly found on the Vortex86 System On a Chip, has been
   added.[r218296]

     --------------------------------------------------------------

    2.2.2 Network Protocols

   ipfw(8) now supports the call and return actions. On a "call
   number" action, the current rule number is saved on the internal
   stack and ruleset processing continues with the first rule
   numbered number or higher. The return action takes the rule number
   saved on the internal stack by the latest call action and returns
   ruleset processing to the first rule with a number greater than
   that saved number.[r230575]
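
   The following C program is an added example, not ipfw(8) or kernel
   source. It is a simplified model of the rule walk described above,
   matching on destination port only, so the order in which rules are
   visited under call and return can be traced. The ruleset, the stack
   depth limit, the treatment of a return with an empty stack, and the
   default deny at the end of the ruleset are assumptions of the model.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of the call/return walk (constructed, not ipfw source). */
enum action { ACT_COUNT, ACT_CALL, ACT_RETURN, ACT_ALLOW, ACT_DENY };

/* num: rule number (array sorted ascending); dport: port to match, 0 = any;
 * arg: target rule number for ACT_CALL. */
struct rule { int num; int dport; enum action act; int arg; };
#define STACK_MAX 16   /* assumed call depth limit for this model */

/* Index of the first rule numbered >= num, or > num when strict is set. */
static size_t first_rule(const struct rule *rs, size_t n, int num, int strict)
{
    size_t i = 0;
    while (i < n && (strict ? rs[i].num <= num : rs[i].num < num))
        i++;
    return i;
}

/* Walk the ruleset for one packet. Matched rule numbers go to trace[];
 * a full trace (possible call loop) or a full stack ends with a deny. */
int evaluate(const struct rule *rs, size_t n, int dport,
             int *trace, size_t cap, size_t *ntrace)
{
    int stack[STACK_MAX];
    size_t sp = 0, i = 0;
    *ntrace = 0;
    while (i < n) {
        const struct rule *r = &rs[i];
        if (r->dport != 0 && r->dport != dport) { i++; continue; }
        if (*ntrace == cap) return ACT_DENY;
        trace[(*ntrace)++] = r->num;
        switch (r->act) {
        case ACT_CALL:                    /* save caller, jump to target */
            if (sp == STACK_MAX) return ACT_DENY;
            stack[sp++] = r->num;
            i = first_rule(rs, n, r->arg, 0);
            break;
        case ACT_RETURN:                  /* resume after the saved caller */
            if (sp == 0) i++;             /* assumption: no caller, move on */
            else i = first_rule(rs, n, stack[--sp], 1);
            break;
        case ACT_ALLOW: case ACT_DENY:    /* terminal verdicts */
            return r->act;
        default:                          /* ACT_COUNT: non-terminal */
            i++;
        }
    }
    return ACT_DENY;                      /* model's default rule */
}

/* Constructed ruleset: port 22 traffic goes through a subroutine at 1000. */
const struct rule RULES[] = {
    {  100, 22, ACT_CALL,   1000 },
    {  200, 22, ACT_ALLOW,  0 },
    {  300,  0, ACT_DENY,   0 },
    { 1000,  0, ACT_COUNT,  0 },
    { 1100,  0, ACT_RETURN, 0 },
};
#define NRULES (sizeof RULES / sizeof RULES[0])

int main(void)
{
    int tr[32]; size_t nt, k;
    int v = evaluate(RULES, NRULES, 22, tr, 32, &nt);
    for (k = 0; k < nt; k++) printf("%d ", tr[k]);
    printf("-> %s\n", v == ACT_ALLOW ? "allow" : "deny");
}
```

   In this model, rule 300 is what keeps ordinary traffic from falling
   through into the subroutine at 1000; without it a packet that was
   never called would run the subroutine body and reach return with an
   empty stack.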

   FreeBSD's ipsec(4) support now uses half of the hash size as the
   authenticator hash size in Hashed Message Authentication Mode
   (HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512) as described in RFC
   4868. This was a fixed 96-bit length in prior releases because the
   implementation was based on an old Internet draft
   draft-ietf-ipsec-ciph-sha-256-00. Note that this means 8.3-RELEASE
   and later are no longer interoperable with the older FreeBSD
   releases.[r221157]

   A bug in the IPV6_PKTINFO option used in sendmsg(2) has been
   fixed. The IPV6_USE_MIN_MTU state set by setsockopt(2) was
   ignored.[r232560]

   The FreeBSD TCP/IP network stack now supports the mod_cc(9)
   pluggable congestion control framework. This allows TCP congestion
   control algorithms to be implemented as dynamically loadable
   kernel modules. The following kernel modules are available as of
   8.3-RELEASE: cc_chd(4) for the CAIA-Hamilton-Delay algorithm,
   cc_cubic(4) for the CUBIC algorithm, cc_hd(4) for the
   Hamilton-Delay algorithm, cc_htcp(4) for the H-TCP algorithm,
   cc_newreno(4) for the NewReno algorithm, and cc_vegas(4) for the
   Vegas algorithm. The default algorithm can be set by a new
   sysctl(8) variable net.inet.tcp.cc.algorithm. The value must be
   set to one of the names listed by net.inet.tcp.cc.available, and
   newreno is the default set at boot time. For more detail, see the
   mod_cc(4) and mod_cc(9) manual pages.[r222401, r222402, r222403,
   r222404, r222406, r222407, r222408, r222409, r222411, r222412,
   r222413, r222419, r225738]

   An h_ertt(4) (Enhanced Round Trip Time) khelp(9) module has been
   added. This module allows per-connection, low noise estimates of
   the instantaneous RTT in the TCP/IP network stack with a robust
   implementation even in the face of delayed acknowledgments and/or
   TSO (TCP Segmentation Offload) being in use for a
   connection.[r222410]

   A new tcp(4) socket option TCP_CONGESTION has been added. This
   allows selecting or querying the congestion control algorithm that
   the TCP/IP network stack will use for connections on the
   socket.[r222401]

   The ng_ipfw(4) netgraph(4) node now supports IPv6.[r225876]

   The ng_one2many(4) netgraph(4) node now supports the XMIT_FAILOVER
   transmit algorithm. This delivers packets out of the first
   active many hook.[r219660]

     --------------------------------------------------------------

    2.2.3 Disks and Storage

   The ada(4) driver now supports write cache control. A new
   sysctl(8) variable kern.cam.ada.write_cache determines whether the
   write cache of ada(4) devices is enabled or not. Setting it to 1
   enables the write cache, 0 disables it, and -1 leaves the device
   default behavior. The sysctl(8) variables
   kern.cam.ada.N.write_cache can override the configuration on a
   per-device basis (the default value is -1, which means to use the
   global setting). Note that the value can be changed at runtime,
   but it takes effect only after a device reset.[r220841]

   The arcmsr(4) driver has been updated to version
   1.20.00.22.[r224991]

   The graid(8) GEOM class has been added. This is a replacement for
   the ataraid(4) driver supporting various BIOS-based software
   RAID.[r223177]

   The mxge(4) driver has been updated.[r224235]

   A tws(4) driver for 3ware 9750 SATA+SAS 6Gb/s RAID controllers has
   been added.[r226243]

     --------------------------------------------------------------

    2.2.4 File Systems

   The FreeBSD Fast File System now supports the TRIM command when
   freeing data blocks. A new flag -t in the newfs(8) and tunefs(8)
   utilities sets the TRIM-enable flag for a file system. The
   TRIM-enable flag makes the file system send a delete request to
   the underlying device for each freed block. The TRIM command is
   specified as a Data Set Management Command in the ATA8-ACS2
   standard to carry information about deleted data blocks to a
   device, especially an SSD (Solid-State Drive), for
   optimization.[r218079]

   A new flag -E has been added to the newfs(8) and fsck_ffs(8)
   utilities. This clears unallocated blocks, notifying the
   underlying device that they are not used and that their contents
   may be discarded. This is useful in fsck_ffs(8) for file systems
   which have been mounted on systems without TRIM support, or with
   TRIM support disabled, as well as filesystems which have been
   copied from one device to another.[r225296]

   The FreeBSD NFS subsystem now supports a nocto mount option. This
   disables the close-to-open cache coherency check at open time.
   This option may improve performance for read-only mounts, but
   should be used only if the data on the server changes rarely.
   The mount_nfs(8) utility now also supports this flag
   keyword.[r221759]

   A loader(8) tunable vfs.typenumhash has been added. Setting this
   to 1 enables the use of a hash calculation for the file system
   identification number used internally in the kernel. This fixes
   the "Stale NFS file handle" error on NFS clients when upgrading or
   rebuilding the kernel on the NFS server due to unexpected changes
   in these identification number values. Note that this is set to 0
   (disable) by default for backward compatibility.[r226926]

   The FreeBSD ZFS subsystem has been updated to the SPA (Storage
   Pool Allocator, also known as zpool) version 28. It now supports
   data deduplication, triple parity RAIDZ (raidz3), snapshot holds,
   log device removal, zfs diff, zpool split, zpool import -F, and
   read-only zpool import.[r222741]

     --------------------------------------------------------------

  2.3 Userland Changes

   The bsdtar(1) and cpio(1) utilities are now based on libarchive
   version 2.8.5.[r229589]

   The cpuset(1) utility now supports a -C flag to create a new
   cpuset and assign an existing process into that set, and an all
   keyword in the -l cpu-list option to specify all CPUs in the
   system.[r218033]

   A bug in the fetch(1) utility which could prevent the STAT FTP
   command from working properly has been fixed.[r221764]

   The gpart(8) utility now supports a -p flag to the show
   subcommand. This allows showing providers' names of partitions
   instead of the partitions' indexes.[r219861]

   The hastd(8) utility now drops root privileges of the worker
   processes to the hast user.[r220104]

   The hastd(8) utility now supports a checksum keyword to specify
   the checksum algorithm in a resource section. As of 8.3-RELEASE,
   none, sha256, and crc32 are supported.[r220104]

   The hastd(8) utility now supports a compression keyword to specify
   the compression algorithm in a resource section. As of
   8.3-RELEASE, none, hole and lzf are supported.[r220104]

   The hastd(8) utility now supports a source keyword to specify the
   local address to bind to before connecting to the remote hastd(8)
   daemon.[r220104]

   A readline(3) API set has been imported into libedit. This is
   based on NetBSD's implementation, and BSD-licensed utilities now
   use it instead of GNU libreadline.[r220612]

   The makefs(8) utility now supports the ISO 9660 format.[r224447]

   libmd and libcrypt now support the SHA-256 and SHA-512
   algorithms.[r231588]

   The netstat(1) utility no longer exposes the internal scope
   address representation used in the FreeBSD kernel, which is
   derived from the KAME IPv6 stack, in the results of netstat -ani
   and netstat -nr.[r219062]

   The newsyslog(8) utility now supports xz(1) compression. An X flag
   in the optional field has been added to specify the
   compression.[r218911]

   A poweroff(8) utility has been added. This is equivalent
   to:[r224259]

 # shutdown -p now

   The ppp(8) utility now supports iface name name and iface
   description description commands. These have the same
   functionality as the name and description subcommands of the
   ifconfig(8) utility.[r224285]

   The ps(1) utility now supports -o usertime and -o systime options
   to display accumulated user and system CPU time,
   respectively.[r219943]

   The rtadvd(8) daemon now supports a noifprefix keyword to disable
   gathering on-link prefixes from interfaces when no addr keyword is
   specified. An entry in /etc/rtadvd.conf with noifprefix and no
   addr generates an RA message with no prefix information
   option.[r231802]

   The rtadvd(8) daemon now supports the RDNSS and DNSSL options
   described in RFC 6106, "IPv6 Router Advertisement Options for DNS
   Configuration". A rtadvctl(8) utility to control the rtadvd(8)
   daemon has been added.[r231802]

   A bug in the tftpd(8) daemon has been fixed. It had an
   interoperability issue when transferring a large file.[r227083]

   The zpool(8) utility now supports a zpool labelclear command.
   This allows wiping the label data from a drive that is not active
   in a pool.[r229570]

     --------------------------------------------------------------

  2.4 Contributed Software

   awk has been updated to the 7 August 2011 release.

   ISC BIND has been updated to version 9.6-ESV-R5-P1.

   The netcat utility has been updated to version 4.9.

   GNU GCC and libstdc++ have been updated to rev 127959 of
   gcc-4_2-branch (the last GPLv2-licensed version).[r221274]

   The LESS program has been updated to version v444.[r223454]

   The OpenSSH utility has been updated to 5.4p1, and optimization
   for large bandwidth-delay product connections and none cipher
   support have been merged.[r228152]

   sendmail has been updated to version 8.14.5.[r223315]

   The timezone database has been updated to the tzdata2011n
   release.[r226977]

   The unifdef(1) utility has been updated to version 2.5.6.

   The xz program has been updated from 5.0.0 to 5.0.1.[r219219]

     --------------------------------------------------------------

  2.5 Ports/Packages Collection Infrastructure

   The supported version of the KDE desktop environment (x11/kde4)
   has been updated from 4.5.5 to 4.7.4.

     --------------------------------------------------------------

3 Upgrading from previous releases of FreeBSD

   [amd64, i386] Upgrades between RELEASE versions (and snapshots of
   the various security branches) are supported using the
   freebsd-update(8) utility. The binary upgrade procedure will
   update unmodified userland utilities, as well as an unmodified
   GENERIC kernel distributed as a part of an official FreeBSD
   release. The freebsd-update(8) utility requires that the host
   being upgraded has Internet connectivity.

   An older form of binary upgrade is supported through the Upgrade
   option from the main sysinstall(8) menu on CDROM distribution
   media. This type of binary upgrade may be useful on non-i386,
   non-amd64 machines or on systems with no Internet connectivity.

   Source-based upgrades (those based on recompiling the FreeBSD base
   system from source code) from previous versions are supported,
   according to the instructions in /usr/src/UPDATING.

     Important: Upgrading FreeBSD should, of course, only be
     attempted after backing up all data and configuration files.

     --------------------------------------------------------------

 This file, and other release-related documents, can be downloaded from
                        ftp://ftp.FreeBSD.org/.

 For questions about FreeBSD, read the documentation before contacting
                        <questions@FreeBSD.org>.

   For questions about this documentation, e-mail <doc@FreeBSD.org>.