FreeBSD 8.3-RELEASE Release Notes
The FreeBSD Project
Copyright © 2012 The FreeBSD Documentation Project
2012-04-09 04:44:39Z hrs $
FreeBSD is a registered trademark of the FreeBSD Foundation.
IBM, AIX, EtherJet, Netfinity, OS/2, PowerPC, PS/2, S/390, and ThinkPad are trademarks of International Business Machines Corporation in the United States, other countries, or both.
IEEE, POSIX, and 802 are registered trademarks of Institute of Electrical and Electronics Engineers, Inc. in the United States.
Intel, Celeron, EtherExpress, i386, i486, Itanium, Pentium, and Xeon are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
SPARC, SPARC64, SPARCengine, and UltraSPARC are trademarks of SPARC International, Inc in the United States and other countries. SPARC International, Inc owns all of the SPARC trademarks and under licensing agreements allows the proper use of these trademarks by its members.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this document, and the FreeBSD Project was aware of the trademark claim, the designations have been followed by the “™” or the “®” symbol.
The release notes for FreeBSD 8.3-RELEASE contain a summary of the changes made to the FreeBSD base system on the 8.3-STABLE development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented.
- Table of Contents
- 1 Introduction
- 2 What's New
- 3 Upgrading from previous releases of FreeBSD
This document contains the release notes for FreeBSD 8.3-RELEASE. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD.
This distribution of FreeBSD 8.3-RELEASE is a release distribution. It can be found at ftp://ftp.FreeBSD.org/ or any of its mirrors. More information on obtaining this (or other) release distributions of FreeBSD can be found in the “Obtaining FreeBSD” appendix to the FreeBSD Handbook.
All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with “late-breaking” information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD 8.3-RELEASE can be found on the FreeBSD Web site.
This section describes the most user-visible new or changed features in FreeBSD since 8.2-RELEASE.
Typical release note items document recent security advisories issued after 8.2-RELEASE, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.
Problems described in the following security advisories have been fixed. For more information, consult the individual advisories available from http://security.FreeBSD.org/.
|Advisory|Date|Topic|
|---|---|---|
|SA-11:01.mountd|20 April 2011|Network ACL mishandling in mountd(8)|
|SA-11:02.bind|28 May 2011|BIND remote DoS with large RRSIG RRsets and negative caching|
|SA-11:04.compress|28 September 2011||
|SA-11:05.unix|28 September 2011|Buffer overflow in handling of UNIX socket addresses|
|SA-11:06.bind|23 December 2011|Remote packet Denial of Service against named(8) servers|
|SA-11:07.chroot|23 December 2011|Code execution via chrooted ftpd|
|SA-11:08.telnetd|23 December 2011|telnetd code execution vulnerability|
|SA-11:09.pam_ssh|23 December 2011|pam_ssh improperly grants access when user account has unencrypted SSH private keys|
|SA-11:10.pam|23 December 2011||
[amd64, i386] The FreeBSD dtrace(1) framework now supports systrace for system calls of linux32 and freebsd32 on FreeBSD/amd64. Two new systrace_linux32 and systrace_freebsd32 kernel modules provide support for tracing compat system calls in addition to the native system call tracing provided by the systrace module.[r219107]
The hhook(9) (Helper Hook) and khelp(9) (Kernel Helpers) KPIs have been implemented. These are a kind of superset of the pfil(9) framework for more general use in the kernel. The hhook(9) KPI provides a way for kernel subsystems to export hook points that khelp(9) modules can hook to provide enhanced or new functionality to the kernel. The khelp(9) KPI provides a framework for managing khelp(9) modules, which indirectly use the hhook(9) KPI to register their hook functions with hook points of interest within the kernel. These allow a structured way to dynamically extend the kernel at runtime in an ABI-preserving manner.[r222406]
The open(2) and fhopen(2) system calls now support the O_CLOEXEC flag, which allows setting the FD_CLOEXEC flag for the newly created file descriptor. This is standardized in IEEE Std 1003.1-2008 (POSIX, Single UNIX Specification Version 4).[r220241]
The FreeBSD usb(4) subsystem now supports a USB packet filter. This allows capturing packets which go through each USB host controller. The implementation is almost based on bpf(4) code. The userland program usbdump(8) has been added.[r221174]
A rdcphy(4) driver for RDC Semiconductor R6040 10/100 PHY has been added.[r218294]
The re(4) driver now supports another mechanism for RX interrupt moderation because of performance. The sysctl variable dev.re.N.int_rx_mod has been added to control the amount of time to delay RX interrupt processing, in units of microseconds. Setting it to 0 completely disables RX interrupt moderation. The hw.re.intr_filter tunable controls whether the old mechanism utilizing MSI/MSI-X capability on supported controllers is used or not. When set to a non-zero value, the re(4) driver uses the old mechanism. The default value is 0 and this tunable has no effect on controllers without MSI/MSI-X.
The re(4) driver now supports TSO (TCP Segmentation Offload) on RealTek RTL8168/8111 C or later controllers. Note that this is disabled by default because broken frames can be sent under certain conditions.[r218897]
The re(4) driver now supports enabling TX and/or RX checksum offloading independently from each other. Note that TX IP checksum is disabled on some RTL8168C-based network interfaces because it can generate an incorrect IP checksum when the packet contains IP options.[r218899, r219114]
ipfw(8) now supports the call and return actions. Upon the call number action, the current rule number is saved in the internal stack and ruleset processing continues with the first rule numbered number or higher. The return action takes the rule number saved to the internal stack by the latest call action and returns ruleset processing to the first rule with a number greater than that saved number.[r230575]
FreeBSD's ipsec(4) support now uses half of the hash size as the authenticator hash size in Hashed Message Authentication Mode (HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512) as described in RFC 4868. This was a fixed 96-bit length in prior releases because the implementation was based on an old Internet draft draft-ietf-ipsec-ciph-sha-256-00. Note that this means 8.3-RELEASE and later are no longer interoperable with the older FreeBSD releases.[r221157]
The FreeBSD TCP/IP network stack now supports the mod_cc(9) pluggable congestion control framework. This allows TCP congestion control algorithms to be implemented as dynamically loadable kernel modules. The following kernel modules are available as of 8.3-RELEASE: cc_chd(4), cc_cubic(4) for the CUBIC algorithm, cc_hd(4) for the Hamilton-Delay algorithm, cc_htcp(4) for the H-TCP algorithm, cc_newreno(4) for the NewReno algorithm, and cc_vegas(4) for the Vegas algorithm. The default algorithm can be set by a new sysctl variable, net.inet.tcp.cc.algorithm. The value must be set to one of the names listed by net.inet.tcp.cc.available, and newreno is the default set at boot time. For more detail, see the mod_cc(9) manual pages.[r222401, r222402, r222403, r222404, r222406, r222407, r222408, r222409, r222411, r222412, r222413, r222419, r225738]
An h_ertt(4) (Enhanced Round Trip Time) khelp(9) module has been added. This module allows per-connection, low noise estimates of the instantaneous RTT in the TCP/IP network stack with a robust implementation even in the face of delayed acknowledgments and/or TSO (TCP Segmentation Offload) being in use for a connection.[r222410]
A new tcp(4) socket option TCP_CONGESTION has been added. This allows selecting or querying the congestion control algorithm that the TCP/IP network stack will use for connections on the socket.[r222401]
The ada(4) driver now supports write cache control. A new sysctl variable, kern.cam.ada.write_cache, determines whether the write cache of ada(4) devices is enabled or not. Setting it to 1 enables and 0 disables the write cache, and -1 leaves the device default behavior. kern.cam.ada.N.write_cache can override the configuration on a per-device basis (the default value is -1, which means to use the global setting). Note that the value can be changed at runtime, but it takes effect only after a device reset.[r220841]
The FreeBSD Fast File System now supports the TRIM command when freeing data blocks. A new flag -t in the tunefs(8) utility sets the TRIM-enable flag for a file system. The TRIM-enable flag makes the file system send a delete request to the underlying device for each freed block. The TRIM command is specified as a Data Set Management Command in the ATA8-ACS2 standard to carry the information related to deleted data blocks to a device, especially for an SSD (Solid-State Drive) for optimization.[r218079]
A new flag -E has been added to the fsck_ffs(8) utility. This clears unallocated blocks, notifying the underlying device that they are not used and that their contents may be discarded. This is for file systems which have been mounted on systems without TRIM support, or with TRIM support disabled, as well as file systems which have been copied from one device to another.[r225296]
The FreeBSD NFS subsystem now supports a nocto mount option. This disables the close-to-open cache coherency check at open time. This option may improve performance for read-only mounts, but should be used only if the data on the server changes rarely. The mount_nfs(8) utility now also supports this flag keyword.[r221759]
vfs.typenumhash has been added. Setting this to 1 enables the use of a hash calculation on the file system identification number internally used in the kernel. This fixes the “Stale NFS file handle” error on NFS clients when upgrading or rebuilding the kernel on the NFS server due to unexpected change of these identification number values. Note that this is set to 0 (disable) by default for
The FreeBSD ZFS subsystem has been updated to the SPA (Storage Pool Allocator, also known as zpool) version 28. It now supports data deduplication, triple parity RAIDZ (raidz3), snapshot holds, log device removal, zfs diff, zpool split, zpool import -F, and read-only zpool
The cpuset(1) utility now supports a -C flag to create a new cpuset and assign an existing process into that set, and an all keyword in the cpu-list option to specify all CPUs in the system.[r218033]
libmd and libcrypt now support the SHA-256 and SHA-512 algorithms.[r231588]
The netstat(1) utility now does not expose the internal scope address representation used in the FreeBSD kernel, which is derived from KAME IPv6 stack, in the results of netstat -ani and netstat -nr.[r219062]
# shutdown -p now
The ppp(8) utility now supports iface name name and iface description description commands. These have the same functionalities as the name and description subcommands of the ifconfig(8) utility.[r224285]
The rtadvd(8) daemon now supports a noifprefix keyword to disable gathering on-link prefixes from interfaces when no addr keyword is specified. An entry in /etc/rtadvd.conf with noifprefix and no addr generates an RA message with no prefix information option.[r231802]
The rtadvd(8) daemon now supports the RDNSS and DNSSL options described in RFC 6106, “IPv6 Router Advertisement Options for DNS Configuration”. A rtadvctl(8) utility to control the rtadvd(8) daemon has been added.[r231802]
awk has been updated to the 7 August 2011 release.
ISC BIND has been updated to version 9.6-ESV-R5-P1.
The netcat utility has been updated to version 4.9.
GNU GCC and libstdc++ have been updated to rev 127959 of gcc-4_2-branch (the last GPLv2-licensed version).[r221274]
The LESS program has been updated to version v444.[r223454]
The OpenSSH utility has been updated to 5.4p1, and optimization for large bandwidth-delay product connection and none cipher support have been merged.[r228152]
sendmail has been updated to version 8.14.5.[r223315]
The timezone database has been updated to the tzdata2011n release.[r226977]
The unifdef(1) utility has been updated to version 2.5.6.
The xz program has been updated from 5.0.0 to 5.0.1.[r219219]
[amd64, i386] Upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the freebsd-update(8) utility. The binary upgrade procedure will update unmodified userland utilities, as well as unmodified GENERIC kernel distributed as a part of an official FreeBSD release. The freebsd-update(8) utility requires that the host being upgraded has Internet connectivity.
An older form of binary upgrade is supported through the Upgrade option from the main sysinstall(8) menu on CDROM distribution media. This type of binary upgrade may be useful on non-i386, non-amd64 machines or on systems with no Internet connectivity.
Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in /usr/src/UPDATING.
Important: Upgrading FreeBSD should, of course, only be attempted after backing up all data and configuration files.
This file, and other release-related documents, can be downloaded from ftp://ftp.FreeBSD.org/.
For questions about this documentation, e-mail <doc@FreeBSD.org>.