Date: Thu, 26 Nov 2009 20:55:44 +0000 (UTC)
From: Hiroki Sato <hrs@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject: svn commit: r199847 - in stable/8/release/doc: en_US.ISO8859-1/relnotes en_US.ISO8859-1/share/sgml share/sgml
Message-ID: <200911262055.nAQKtijU092885@svn.freebsd.org>
Author: hrs Date: Thu Nov 26 20:55:44 2009 New Revision: 199847 URL: http://svn.freebsd.org/changeset/base/199847 Log: Add entries of Release Notes for 8.0R temporarily. Reviewed by: thompsa, linimon, and brd. Modified: stable/8/release/doc/en_US.ISO8859-1/relnotes/article.sgml stable/8/release/doc/en_US.ISO8859-1/share/sgml/release.dsl stable/8/release/doc/share/sgml/release.dsl stable/8/release/doc/share/sgml/release.ent Modified: stable/8/release/doc/en_US.ISO8859-1/relnotes/article.sgml ============================================================================== --- stable/8/release/doc/en_US.ISO8859-1/relnotes/article.sgml Thu Nov 26 20:25:57 2009 (r199846) +++ stable/8/release/doc/en_US.ISO8859-1/relnotes/article.sgml Thu Nov 26 20:55:44 2009 (r199847) @@ -4,11 +4,6 @@ <!ENTITY % release PUBLIC "-//FreeBSD//ENTITIES Release Specification//EN"> %release; - -<!-- Text constants which probably don't need to be changed.--> - -<!ENTITY % include.historic "IGNORE"> -<!ENTITY % no.include.historic "IGNORE"> ]> <article> @@ -57,7 +52,7 @@ <title>Introduction</title> <para>This document contains the release notes for &os; - &release.current;. It + &release.current;. It describes recently added, changed, or deleted features of &os;. It also provides some notes on upgrading from previous versions of &os;.</para> @@ -66,7 +61,7 @@ <para>The &release.type; distribution to which these release notes apply represents the latest point along the &release.branch; development - branch since &release.branch; was created. Information regarding pre-built, binary + branch since &release.branch; was created. Information regarding pre-built, binary &release.type; distributions along this branch can be found at <ulink url="&release.url;"></ulink>.</para> 
@@ -87,7 +82,7 @@ <para>This distribution of &os; &release.current; is a &release.type; distribution. It can be found at <ulink - url="&release.url;"></ulink> or any of its mirrors. More + url="&release.url;"></ulink> or any of its mirrors. More information on obtaining this (or other) &release.type; distributions of &os; can be found in the <ulink url="&url.books.handbook;/mirrors.html"><quote>Obtaining 
@@ -100,455 +95,2340 @@ <para>All users are encouraged to consult the release errata before installing &os;. The errata document is updated with <quote>late-breaking</quote> information discovered late in the - release cycle or after the release. Typically, it contains + release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for &os; &release.current; can be found on the &os; Web site.</para> </sect1> -<sect1 id="new"> - <title>What's New</title> - - <para>This section describes - the most user-visible new or changed features in &os; - since &release.prev;. - In general, changes described here are unique to the &release.branch; - branch unless specifically marked as &merged; features. - </para> - - <para>Typical release note items - document recent security advisories issued after - &release.prev;, - new drivers or hardware support, new commands or options, - major bug fixes, or contributed software upgrades. They may also - list changes to major ports/packages or release engineering - practices. Clearly the release notes cannot list every single - change made to &os; between releases; this document focuses - primarily on security advisories, user-visible changes, and major - architectural improvements.</para> - - <sect2 id="security"> - <title>Security Advisories</title> - - <para></para> - - </sect2> - - <sect2 id="kernel"> - <title>Kernel Changes</title> - - <para>A new &man.cpuset.2; API has been added - for thread to CPU binding and CPU resource grouping and - assignment. The &man.cpuset.1; userland utility has been added - to allow manipulation of processor sets.</para> - - <para role="merged">The &man.ddb.4; kernel debugger now has an output capture - facility. Input and output from &man.ddb.4; can now be captured - to a memory buffer for later inspection using &man.sysctl.8; or - a textdump. 
The new <command>capture</command> command controls - this feature.</para> - - <para role="merged">The &man.ddb.4; debugger now supports a simple scripting - facility, which supports a set of named scripts consisting of a - set of &man.ddb.4; commands. These commands can be managed from - within &man.ddb.4; or with the use of the new &man.ddb.8; - utility. More details can be found in the &man.ddb.4; manual - page.</para> - - <para role="merged">The kernel now supports a new textdump format of kernel - dumps. A textdump provides higher-level information via - mechanically generated/extracted debugging output, rather than a - simple memory dump. This facility can be used to generate brief - kernel bug reports that are rich in debugging information, but - are not dependent on kernel symbol tables or precisely - synchronized source code. More information can be found in the - &man.textdump.4; manual page.</para> - - <para>Kernel support for M:N threading has been removed. While - the KSE (Kernel Scheduled Entities) project was quite successful - in bringing threading to FreeBSD, the M:N approach taken by the - KSE library was never developed to its full potential. - Backwards compatibility for applications using KSE threading - will be provided via &man.libmap.conf.5; for dynamically linked - binaries. The &os; Project greatly appreciates the work of - &a.julian;, &a.deischen;, and &a.davidxu; on KSE support.</para> - - <para>The &os; kernel now exports information about certain kernel - features via the <varname>kern.features</varname> sysctl tree. 
- The &man.feature.present.3; library call provides a convenient - interface for user applications to test the presence of - features.</para> - - <para arch="amd64">The &os; kernel now has support for large - memory page mappings (<quote>superpages</quote>).</para> - - <para arch="amd64,i386,ia64,powerpc" role="merged">The ULE - scheduler is now the default process scheduler - in <filename>GENERIC</filename> kernels.</para> - - <sect3 id="boot"> - <title>Boot Loader Changes</title> - - <para arch="amd64,i386" role="merged">The BTX kernel used by the boot - loader has been changed to invoke BIOS routines from real - mode. This change makes it possible to boot &os; from USB - devices.</para> - - <para arch="amd64,i386" role="merged">A new gptboot boot loader has - been added to support booting from a GPT labeled disk. A - new <command>boot</command> command has been added to - &man.gpt.8;, which makes a GPT disk bootable by writing the - required bits of the boot loader, creating a new boot - partition if required.</para> - - </sect3> - - <sect3 id="proc"> - <title>Hardware Support</title> - - <para role="merged">The &man.cmx.4; driver, a driver for Omnikey CardMan 4040 - PCMCIA smartcard readers, has been added.</para> - - <para>The &man.syscons.4; driver now supports Colemak keyboard layout.</para> - - <para role="merged">The &man.uslcom.4; driver, a driver for Silicon - Laboratories CP2101/CP2102-based USB serial adapters, has been - imported from OpenBSD.</para> - - <sect4 id="mm"> - <title>Multimedia Support</title> - - <para></para> - - </sect4> - - <sect4 id="net-if"> - <title>Network Interface Support</title> - - <para>The &man.ale.4; driver has been added to provide support - for Atheros AR8121/AR8113/AR8114 Gigabit/Fast Ethernet controllers.</para> - - <para>The &man.em.4; driver has been split into two drivers - with some common parts. The &man.em.4; driver will continue - to support adapters up to the 82575, as well as new - client/desktop adapters. 
A new &man.igb.4; driver - will support new server adapters.</para> - - <para>The &man.jme.4; driver has been added to provide support - for PCIe network adapters based on JMicron JMC250 Gigabit - Ethernet and JMC260 Fast Ethernet controllers.</para> - - <para>The &man.malo.4; driver has been added to provide - support for Marvell Libertas 88W8335 based PCI network - adapters.</para> - - <para>The firmware for the &man.mxge.4; driver has been - updated from 1.4.25 to 1.4.29.</para> - - <para>The &man.sf.4; driver has been overhauled to improve its - performance and to add support for checksum offloading. It - should also work on all architectures.</para> - - <para>The &man.re.4; driver has been overhauled to fix a - number of issues. This driver now has Wake On LAN (WOL) - support.</para> - - <para>The &man.vr.4; driver has been overhauled to fix a - number of outstanding issues. It also now works on all - architectures.</para> - - <para arch="amd64,i386" role="merged">The &man.wpi.4; driver has - been updated to include a number of stability fixes.</para> - - </sect4> - </sect3> - - <sect3 id="net-proto"> - <title>Network Protocols</title> - - <para>The &man.bpf.4; packet filter and capture facility now - supports a zero-copy mode of operation, in which buffers are - loaned from a user process to the kernel. 
This feature can - be enabled by setting - the <varname>net.bpf.zerocopy_enable</varname> sysctl - variable to <literal>1</literal>.</para> - - <para>ISDN4BSD(I4B), <filename>netatm</filename>, and all - related subsystems have been removed due to lack of - multi-processor support.</para> - - <para role="merged">A bug in TCP options padding, where the wrong padding - bytes were used, has been fixed.</para> - - </sect3> - - <sect3 id="disks"> - <title>Disks and Storage</title> - - <para role="merged">The &man.aac.4; driver now supports volumes larger than - 2TB in size.</para> - - <para>The &man.ata.4; driver now supports a spindown command for - disks; after a configurable amount of time, if no requests - have been received for a disk, the disk will be spun down - until the next request. The &man.atacontrol.8; utility now - supports a <command>spindown</command> command to configure - this feature.</para> - - <para role="merged">The &man.hptrr.4; driver has been updated to version 1.2 - from Highpoint.</para> - - </sect3> - - <sect3 id="fs"> - <title>File Systems</title> - - <para>A problem with using &man.mmap.2; on ZFS filesystems has - been fixed.</para> - - <para>A new kernel-mode NFS lock manager has been added, - improving performance and behavior of NFS locking. 
A new - &man.clear.locks.8; command has been added to clear locks held - on behalf of an NFS client.</para> - - </sect3> - </sect2> - - <sect2 id="userland"> - <title>Userland Changes</title> - - <para role="merged">The &man.adduser.8; utility now supports - a <option>-M</option> option to set the mode of a new user's - home directory.</para> - - <para>BSD-licensed versions of &man.ar.1; and &man.ranlib.1;, - based on <filename>libarchive</filename>, have replaced the GNU - Binutils versions of these utilities.</para> - - <para role="merged">&man.chflags.1; now supports a <option>-v</option> flag for - verbose output and a <option>-f</option> flag to ignore errors - with the same semantics as (for example) - &man.chmod.1;.</para> - - <para>For compatiblity with other implementations, &man.cp.1; now - supports a <option>-a</option> flag, which is equivalent to - specifying the <option>-RrP</option> flags.</para> - - <para>BSD-licensed version of &man.cpio.1; based on - <filename>libarchive</filename>, has replaced the GNU cpio. - Note that the GNU cpio is still installed as - <filename>gcpio</filename>.</para> - - <para>The &man.env.1; program now supports <option>-u - <replaceable>name</replaceable></option> - which will completely unset the given variable - <replaceable>name</replaceable> by removing it from the environment, - instead of just setting it to a null value.</para> - - <para>The &man.fdopendir.3; library function has been added.</para> - - <para role="merged">The &man.fetch.3; library now support HTTP 1.1 - If-Modified-Since behavior. 
The &man.fetch.1; program now - supports <option>-i <replaceable>filename</replaceable></option> - which will only download the specified HTTP URL if the content - is newer than <replaceable>filename</replaceable>.</para> - - <para>&man.find.1; has been enhanced by the addition of a number - of primaries that were present in GNU find but not &os; - &man.find.1;.</para> - - <para>&man.jexec.8; now supports <option>-h - <replaceable>hostname</replaceable></option> option to specify the - jail where the command will be executed.</para> - - <para>&man.kgdb.1; now supports a new <command>add-kld</command> - command to make it easier to debug crash dumps with kernel - modules.</para> - - <para>The &man.ls.1; program now supports a <option>-D</option> - option to specify a date format string to be used with the long - format (<option>-l</option>) output.</para> - - <para>&man.nc.1; now supports a <option>-O</option> switch to - disable the use of TCP options.</para> - - <para>The &man.ping6.8; utility now returns <literal>2</literal> - when the packet transmission was successful but no responses - were received (this is the same behavior as &man.ping.8;). 
- It returned a non-zero value before this change.</para> - - <para>The &man.procstat.1; utility has been added to display - detailed information about processes.</para> - - <para role="merged">The &man.realpath.1; utility now supports - a <option>-q</option> flag to suppress warnings; it now also - accepts multiple paths on its command line.</para> - - <para>The &man.split.1; utility now supports a <option>-n</option> - flag to split a file into a certain number of chunks.</para> - - <para>The &man.tar.1; utility now supports a <option>-Z</option> - flag to enable &man.compress.1;-style - compression/decompression.</para> - - <para>The &man.tar.1; utility now supports a - <option>--numeric-owner</option> flag to ignore user/group names - on create and extract.</para> - - <para>The &man.tar.1; utility now supports an - <option>-S</option> flag to sparsify files on extraction.</para> - - <para>The &man.tar.1; utility now supports a <option>-s</option> - flag to substitute filenames based on the specified regular - expression.</para> - - <para>The &man.tcgetsid.3; library function has been added to - return the process group ID for the session leader for the - controlling terminal. It is defined in IEEE Std 1003.1-2001 - (POSIX).</para> - - <para>&man.top.1; now supports a <option>-P</option> flag to - provide per-CPU usage statistics.</para> - - <para>&man.zdump.8; is now working properly on 64 bit architectures. 
- </para> - - <para>&man.traceroute.8; now has the ability to print the AS - number for each hop with the new <option>-a</option> switch; a - new <option>-A</option> option allows selecting a particular - WHOIS server.</para> - - <para>&man.traceroute6.8; now supports a <option>-U</option> flag - to send probe packets with no upper-layer protocol, rather than - the usual UDP probe packets.</para> - - <sect3 id="rc-scripts"> - <title><filename>/etc/rc.d</filename> Scripts</title> - - <para></para> - - </sect3> - </sect2> - - <sect2 id="contrib"> - <title>Contributed Software</title> - - <para role="merged"><application>AMD</application> has been updated from 6.0.10 - to 6.1.5.</para> - - <para role="merged"><application>awk</application> has been updated from 1 May - 2007 release to the 23 October 2007 release.</para> - - <para role="merged"><application>bzip2</application> has been updated from 1.0.4 - to 1.0.5.</para> - - <para><application>CVS</application> has been updated from 1.11.17 - to a post-1.11.22 snapshot from 10 March 2008.</para> - - <para><application>FILE</application> has been updated from 4.23 - to 5.03.</para> - - <para><application>hostapd</application> has been - updated from 0.5.8 to 0.5.10.</para> - - <para><application>IPFilter</application> has been updated from - 4.1.23 to 4.1.28.</para> - - <para><application>less</application> has been updated from - v408 to v429.</para> - - <para><application>ncurses</application> has been updated from - 5.6-20061217 to 5.6-20080503.</para> - - <para role="merged"><application>OpenSSH</application> has been updated - from 4.5p1 to 5.1p1.</para> - - <para role="merged"><application>OpenPAM</application> has been updated from the - Figwort release to the Hydrangea release.</para> - - <para role="merged"><application>sendmail</application> has been updated from - 8.14.1 to 8.14.3.</para> - - <para role="merged">The timezone database has been updated from - the <application>tzdata2008h</application> release 
to - the <application>tzdata2009j</application> release.</para> - - <para>The stdtime part of libc, &man.zdump.8 and &man.zic.8 - have been updated from the <application>tzcode2004a</application> - release to the <application>tzcode2009h</application> release. - If you have upgraded from source or via the &man.freebsd-update.8, - then please run &man.tzsetup.8 to install a new /etc/localtime. - </para> - - <para><application>WPA Supplicant</application> has been - updated from 0.5.8 to 0.5.10.</para> - - </sect2> - - <sect2 id="ports"> - <title>Ports/Packages Collection Infrastructure</title> - - <para>The &man.pkg.create.1; utility now supports - <option>-n</option>. When this option is specified and a - package tarball exists, it will not be overwritten. This is - useful when multiple packages are saved with several consecutive - runs of &man.pkg.create.1; with the <option>-Rb</option> - options.</para> - - <para>The pkg_sign and pkg_check utilities for cryptographically - signing &os; packages have been removed. They were only useful - for packages compressed using &man.gzip.1;; however - &man.bzip2.1; compression has been the norm for some time - now.</para> - - </sect2> - - <sect2 id="releng"> - <title>Release Engineering and Integration</title> - - <para role="merged">The supported version of - the <application>GNOME</application> desktop environment - (<filename role="package">x11/gnome2</filename>) has been - updated from 2.20.1 to 2.22.</para> - - </sect2> - - <sect2 id="doc"> - <title>Documentation</title> - - <para></para> - - </sect2> -</sect1> - -<sect1 id="upgrade"> - <title>Upgrading from previous releases of &os;</title> + <sect1 id="new"> + <title>What's New</title> - <para arch="amd64,i386">Beginning with &os; 6.2-RELEASE, - binary upgrades between RELEASE versions (and snapshots of the - various security branches) are supported using the - &man.freebsd-update.8; utility. 
The binary upgrade procedure will - update unmodified userland utilities, as well as unmodified GENERIC or - SMP kernels distributed as a part of an official &os; release. - The &man.freebsd-update.8; utility requires that the host being - upgraded have Internet connectivity.</para> - - <para>An older form of binary upgrade is supported through the - <command>Upgrade</command> option from the main &man.sysinstall.8; - menu on CDROM distribution media. This type of binary upgrade - may be useful on non-&arch.i386;, non-&arch.amd64; machines - or on systems with no Internet connectivity.</para> - - <para>Source-based upgrades (those based on recompiling the &os; - base system from source code) from previous versions are - supported, according to the instructions in - <filename>/usr/src/UPDATING</filename>.</para> - - <important> - <para>Upgrading &os; should, of course, only be attempted after - backing up <emphasis>all</emphasis> data and configuration - files.</para> - </important> -</sect1> + <para>This section describes the most user-visible new or changed + features in &os; since &release.prev;, and changes shown in + Release Notes for the previous releases are marked as + <literal>[7.1R]</literal> and <literal>[7.2R]</literal>.</para> + + <para>Typical release note items document recent security + advisories issued after &release.prev;, new drivers or hardware + support, new commands or options, major bug fixes, or + contributed software upgrades. They may also list changes to + major ports/packages or release engineering practices. Clearly + the release notes cannot list every single change made to &os; + between releases; this document focuses primarily on security + advisories, user-visible changes, and major architectural + improvements.</para> + + <sect2 id="security"> + <title>Security Advisories</title> + + <para>Problems described in the following security advisories have + been fixed. 
For more information, consult the individual + advisories available from + <ulink url="http://security.FreeBSD.org/"></ulink>.</para> + + <informaltable frame="none" pgwide="0"> + <tgroup cols="3"> + <colspec colwidth="1*"> + <colspec colwidth="1*"> + <colspec colwidth="3*"> + <thead> + <row> + <entry>Advisory</entry> + <entry>Date</entry> + <entry>Topic</entry> + </row> + </thead> + + <tbody> + <row role="7.1"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:05.openssh.asc" + >SA-08:05.openssh</ulink></entry> + <entry>17 April 2008</entry> + <entry><para>OpenSSH X11-forwarding privilege escalation</para></entry> + </row> + + <row role="7.1"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:06.bind.asc" + >SA-08:06.bind</ulink></entry> + <entry>13 July 2008</entry> + <entry><para>DNS cache poisoning</para></entry> + </row> + + <row role="7.1"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:07.amd64.asc" + >SA-08:07.amd64</ulink></entry> + <entry>3 September 2008</entry> + <entry><para>amd64 swapgs local privilege escalation</para></entry> + </row> + + <row role="7.1"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:08.nmount.asc" + >SA-08:08.nmount</ulink></entry> + <entry>3 September 2008</entry> + <entry><para>&man.nmount.2; local arbitrary code execution</para></entry> + </row> + + <row role="7.1"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:09.icmp6.asc" + >SA-08:09.icmp6</ulink></entry> + <entry>3 September 2008</entry> + <entry><para>Remote kernel panics on IPv6 connections</para></entry> + </row> + + <row role="7.1"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:10.nd6.asc" + >SA-08:10.nd6</ulink></entry> + <entry>1 October 2008</entry> + <entry><para>IPv6 Neighbor Discovery Protocol routing vulnerability</para></entry> + </row> + + <row role="7.1"> + <entry><ulink 
url="http://security.freebsd.org/advisories/FreeBSD-SA-08:11.arc4random.asc" + >SA-08:11.arc4random</ulink></entry> + <entry>24 November 2008</entry> + <entry><para>&man.arc4random.9; predictable sequence vulnerability</para></entry> + </row> + + <row role="7.1"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:12.ftpd.asc" + >SA-08:12.ftpd</ulink></entry> + <entry>23 December 2008</entry> + <entry><para>Cross-site request forgery in &man.ftpd.8;</para></entry> + </row> + + <row role="7.1"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:13.protosw.asc" + >SA-08:13.protosw</ulink></entry> + <entry>23 December 2008</entry> + <entry><para>netgraph / bluetooth privilege escalation</para></entry> + </row> + + <row role="7.2"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:01.lukemftpd.asc" + >SA-09:01.lukemftpd</ulink></entry> + <entry>07 January 2009</entry> + <entry><para>Cross-site request forgery in + &man.lukemftpd.8;</para></entry> + </row> + + <row role="7.2"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:02.openssl.asc" + >SA-09:02.openssl</ulink></entry> + <entry>07 January 2009</entry> + <entry><para>OpenSSL incorrectly checks for malformed + signatures</para></entry> + </row> + + <row role="7.2"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:03.ntpd.asc" + >SA-09:03.ntpd</ulink></entry> + <entry>13 January 2009</entry> + <entry><para>ntpd cryptographic signature + bypass</para></entry> + </row> + + <row role="7.2"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:04.bind.asc" + >SA-09:04.bind</ulink></entry> + <entry>13 January 2009</entry> + <entry><para>BIND DNSSEC incorrect checks for + malformed signatures</para></entry> + </row> + + <row role="7.2"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:05.telnetd.asc" + >SA-09:05.telnetd</ulink></entry> + <entry>16 February 
2009</entry> + <entry><para>telnetd code execution + vulnerability</para></entry> + </row> + + <row role="7.2"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:06.ktimer.asc" + >SA-09:06.ktimer</ulink></entry> + <entry>23 March 2009</entry> + <entry><para>Local privilege escalation</para></entry> + </row> + + <row role="7.2"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:07.libc.asc" + >SA-09:07.libc</ulink></entry> + <entry>04 April 2009</entry> + <entry><para>Information leak in &man.db.3;</para></entry> + </row> + + <row role="7.2"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:08.openssl.asc" + >SA-09:08.openssl</ulink></entry> + <entry>22 April 2009</entry> + <entry><para>Remotely exploitable crash in + OpenSSL</para></entry> + </row> + + <row role="8.0"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc" + >SA-09:09.pipe</ulink></entry> + <entry>10 June 2009</entry> + <entry><para>Local information disclosure via direct pipe writes</para></entry> + </row> + + <row role="8.0"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc" + >SA-09:10.ipv6</ulink></entry> + <entry>10 June 2009</entry> + <entry><para>Missing permission check on SIOCSIFINFO_IN6 ioctl</para></entry> + </row> + + <row role="8.0"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:11.ntpd.asc" + >SA-09:11.ntpd</ulink></entry> + <entry>10 June 2009</entry> + <entry><para>ntpd stack-based buffer-overflow vulnerability</para></entry> + </row> + + <row role="8.0"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:12.bind.asc" + >SA-09:12.bind</ulink></entry> + <entry>29 July 2009</entry> + <entry><para>BIND &man.named.8; dynamic update message remote DoS</para></entry> + </row> + <row role="8.0"> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:14.devfs.asc" + 
>SA-09:14.devfs</ulink></entry> + <entry>2 Oct 2009</entry> + <entry><para>Devfs / VFS NULL pointer race condition</para></entry> + </row> + </tbody> + </tgroup> + </informaltable> + </sect2> + + <sect2 id="kernel"> + <title>Kernel Changes</title> + + <para role="8.0">The &os; <filename>GENERIC</filename> kernel now + includes Trusted BSD MAC (Mandatory Access Control) support. + No MAC policy module is loaded by default.</para> + + <para role="8.0" arch="i386">A loader + tunable <varname>hw.clflush_disable</varname> has been added + to avoid panic (trap 9) + at <function>map_invalidate_cache_range()</function> even if + Intel CPU is used. This tunable can be set + to <literal>-1</literal> (default), <literal>0</literal> and + <literal>1</literal>. The <literal>-1</literal> is same as + the current behavior, which automatically + disables <literal>CLFLUSH</literal> on Intel CPUs without + <literal>CPUID_SS</literal> (this should occurr on Xen + only). You can specify <literal>1</literal> when this panic + happens on non-Intel CPUs (such as AMD's). Because disabling + <literal>CLFLUSH</literal> can reduce performance, you can try + with setting <literal>0</literal> on Intel CPUs + without <literal>SS</literal> to + use <literal>CLFLUSH</literal> feature.</para> + + <para role="8.0">The &os; newbus subsystem is now MPSAFE.</para> + + <para role="8.0">The &man.jail.8; subsystem has been updated. Changes include:</para> + + <itemizedlist role="7.2"> + <listitem> + <para role="8.0">A new virtualization container + named <quote>vimage</quote> has been implemented. This is + not enabled by default. To enable this, add the following + kernel options to your kernel configuration file and + rebuild the kernel:</para> + + <programlisting>options VIMAGE</programlisting> + + <para>Note that <literal>options SCTP</literal> in the + <filename>GENERIC</filename> kernel is not compatible with + <literal>options VIMAGE</literal>. 
This limitation will + be fixed in the next release.</para> + + <para>The vimage is a jail with a virtualized instance of + the &os; network stack. It can be created by using + &man.jail.8; command like this:</para> + + <screen>&prompt.root; jail -c vnet name=<replaceable>vnet1</replaceable> host.hostname=<replaceable>vnet1.example.net</replaceable> path=/ persist</screen> + + <para>The vimage has own loopback interface and a separated + network stack including the L3 routing tables. Network + interfaces on the system can be moved by using + &man.ifconfig.8; <option>vnet</option> option between the + different vimage jails and outside of them.</para> + + <para>Furthermore, the &man.epair.4; pseudo-interface driver + has been added to help communication between vimage jails. + It emulates a pair of back-to-back connected Ethernet + interfaces. For example, the following commands create an + interface pair of &man.epair.4;:</para> + + <screen>&prompt.root; ifconfig epair0 create +epair0a +&prompt.root; ifconfig epair0a +epair0a: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 + ether 02:c0:64:00:07:0a +&prompt.root; ifconfig epair0b +epair0b: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500 + ether 02:c0:64:00:08:0b</screen> + + <para>The &man.epair.4; pseudo-interfaces and any physical + interfaces on the system can be moved between vimage jails + by using &man.ifconfig.8; <option>vnet</option> option as + described above. Even after half of an &man.epair.4; pair + is moved, the back-to-back connection still valid and can + be used for inter-jail communication.</para> + + <para>Note that vimage is still considered as an + experimental feature.</para> + </listitem> + + <listitem> + <para>A jail can now have arbitrary named parameters similar + to environmental variables and the fixed jail parameters + in the previous releases have been replaced with them. 
+ The jail name can now be used for identifying the jail in + &man.jexec.8; and &man.killall.1;.</para> + </listitem> + + <listitem> + <para>Multiple IPv4 and/or IPv6 addresses per jail are now + supported. It is even possible to have jails without + an IP address at all, which basically gives one a chrooted + environment with restricted process view and no + networking.</para> + </listitem> + + <listitem> + <para>SCTP (&man.sctp.4;) with IPv6 in jails has been + implemented.</para> + </listitem> + + <listitem> + <para>Specific CPU binding by using &man.cpuset.1; has been + implemented. Note that the current implementation allows + the superuser inside of the jail to change the CPU + bindings specified.</para> + </listitem> + + <listitem> + <para>A &man.jail.8; can start with a specific route + FIB now.</para> + </listitem> + + <listitem> + <para>The &man.ddb.8; kernel debugger now supports a + <literal>show jails</literal> subcommand.</para> + </listitem> + + <listitem> + <para>Compatibility support which permits 32-bit jail + binaries to be used on 64-bit systems to manage jails has + been added.</para> + </listitem> + + <listitem> + <para>Note that both version numbers of + <literal>jail</literal> and <literal>prison</literal> in + the &man.jail.8; have been updated for the new + features.</para> + </listitem> + </itemizedlist> + + <para role="8.0">The &man.ksyms.4;, kernel symbol table + interface driver has been added. 
It creates a character + device <filename>/dev/ksyms</filename> and provides + read-only access to a snapshot of the kernel symbol + table.</para> + + <para role="8.0" arch="amd64,i386">The &os; Linux emulation + layer has been updated to version 2.6.16 and the default Linux + infrastructure port is + <filename>emulators/linux_base-f10</filename> (Fedora + 10).</para> + + <para role="8.0" arch="amd64,i386">The &os; virtual memory + subsystem now supports fully transparent use of + <application>superpages</application> for application memory; + application memory pages are dynamically promoted to or + demoted from superpages without any modification to + application code. This change offers the benefit of large + page sizes such as improved virtual memory efficiency and + reduced TLB (translation lookaside buffer) misses without + downsides like application changes and virtual memory + inflexibility. This can be enabled by setting a loader tunable + <varname>vm.pmap.pg_ps_enabled</varname> to + <literal>1</literal> and is enabled by default on + &arch.amd64;.</para> + + <para role="7.2">The &man.ddb.8; kernel debugger now supports a + <command>show mount</command> subcommand.</para> + + <para role="7.2">The &os; DTrace subsystem now supports a probe for + process execution.</para> + + <para role="7.2" arch="amd64">The &os; kernel virtual address + space has been increased to 6GB. This allows subsystems to use + larger virtual memory space than before. For example, the + &man.zfs.8; adaptive replacement cache (ARC) requires large + kernel memory space to cache file system data, so it benefits + from the increased address space. 
Note that the ceiling on + the kernel map size is now 60% of the size of physical memory + rather than an absolute quantity.</para> + + <para role="7.2">The &man.kld.4; now supports installing 32-bit + system calls to the &os; syscall translation layer from kernel + modules.</para> + + <para role="7.2">The &man.ktr.4; now supports a new KTR tracepoint in the + <literal>KTR_CALLOUT</literal> class to note when a callout + routine finishes executing.</para> + + <para role="7.2">Types of variables used to track the amount of allocated + System V shared memory have been changed from + <literal>int</literal> to <literal>size_t</literal>. This + makes it possible to use more than 2 GB of memory for shared + memory segments on 64-bit architectures. Please note the new + BUGS section in &man.shmctl.2; and + <filename>/usr/src/UPDATING</filename> for limitations of this + temporary solution.</para> + + <para role="7.2">The &man.sysctl.3; leaf nodes have a flag to tag + themselves as MPSAFE now.</para> + + <para role="7.2">The &os; 32-bit system call translation layer now + supports installing 32-bit system calls for + <literal>VFS_AIO</literal>.</para> + + <para role="7.1">The &man.clock.gettime.2; and the related system calls now + support a clock ID <literal>CLOCK_THREAD_CPUTIME_ID</literal>, + as defined in POSIX.</para> + + <para role="7.1">The &man.cpuset.2; system call has been added. This is an + API for thread to CPU binding and CPU resource grouping and + assignment.</para> + + <para role="7.1">The DTrace, a comprehensive dynamic tracing framework and + &man.dtrace.1; userland utility have been imported from + OpenSolaris. DTrace provides a powerful infrastructure to + permit administrators, developers, and service personnel to + concisely answer arbitrary questions about the behavior of the + operating system and user programs.</para> + + <para role="7.1">The &man.ddb.4; kernel debugger now has an output capture + facility. 
Input and output from &man.ddb.4; can now be captured + to a memory buffer for later inspection using &man.sysctl.8; or + a textdump. The new <command>capture</command> command controls + this feature.</para> + + <para role="7.1">The &man.ddb.4; debugger now supports a simple scripting + facility, which supports a set of named scripts consisting of a + set of &man.ddb.4; commands. These commands can be managed from + within &man.ddb.4; or with the use of the new &man.ddb.8; + utility. More details can be found in the &man.ddb.4; manual + page.</para> + + <para role="7.1">The &man.ddb.4; <command>ex</command> command now supports + an <option>/S</option> mode which interprets and prints the + value at the requested address as a symbol. For example, + <userinput>ex /S <replaceable>aio_swake</replaceable></userinput> + prints the name of the function currently registered in + via <replaceable>aio_swake</replaceable> hook.</para> + + <para role="7.1">The &man.ddb.4; <command>show conifhk</command> command has + been added. This lists hooks currently waiting for completion + in <function>run_interrupt_driven_config_hooks()</function>.</para> + + <para role="7.1">The &man.fcntl.2; system call now supports + <literal>F_DUP2FD</literal> command. This is equivalent to + &man.dup.2;, and compatible with the Sun Solaris and the IBM + AIX.</para> + + <para role="7.1">The &os;'s &man.linux.4; ABI support now implements + <function>sched_setaffinity()</function> and + <function>sched_getaffinity()</function> using real CPU affinity + setting primitives.</para> + + <para role="7.1">The &man.procstat.1; utility has been added. This is a + process inspection utility which provides some of the missing + functionality from &man.procfs.5; and new functionality for monitoring + and debugging specific processes.</para> + + <para role="7.1">The client side functionality of &man.rpc.lockd.8; has been + implemented in the &os; kernel. 
This implementation provides the + correct semantics for &man.flock.2; style locks which are used + by the &man.lockf.1; command line tool and the &man.pidfile.3; + library. It also implements recovery from server restarts and + ensures that dirty cache blocks are written to the server before + obtaining locks (allowing multiple clients to use file locking + to safely share data). Also, a new kernel option + <literal>options NFSLOCKD</literal> has been added and enabled + by default. If the kernel support is enabled, &man.rpc.lockd.8; + automatically detects and uses the functionality.</para> + + <para role="7.1">The &os; kernel now supports a new textdump format of kernel + dumps. A textdump provides higher-level information via + mechanically generated/extracted debugging output, rather than a + simple memory dump. This facility can be used to generate brief + kernel bug reports that are rich in debugging information, but + are not dependent on kernel symbol tables or precisely + synchronized source code. More information can be found in the + &man.textdump.4; manual page.</para> + + <para role="7.1">The &man.wait4.2; system call now supports + <option>WNOWAIT</option> flag to keep the process whose status + is returned in a waitable state and <option>WSTOPPED</option> + which is equivalent to <option>WUNTRACED</option>.</para> + + <para role="7.1" arch="amd64,i386,sparc64">The &os; kernel now has + initial support of binding interrupts to CPUs.</para> + + <para role="7.1" arch="amd64,i386"> The &man.sched.ule.4; scheduler is now the default + process scheduler in <filename>GENERIC</filename> + kernels.</para> + + <para role="7.1">The sysctl + variables <varname>kern.features.compat_freebsd[456]</varname> + have been added. 
These are corresponding to the kernel options + <literal>COMPAT_FREEBSD[456]</literal>.</para> + + <sect3 id="boot"> + <title>Boot Loader Changes</title> + + <para role="8.0">The <application>boot0</application> boot + loader now preserves volume ID at offset + 0x1b8 used in other operating systems </para> + + <para role="8.0">The &man.boot0cfg.8; utility now supports a + new <option>-i</option> option to set the volume ID.</para> + + <para role="7.2">The &man.boot.8; now supports 4-byte volume ID that *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
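Review bot: in the vimage entry, the example "jail -c vnet name=vnet1 host.hostname=vnet1.example.net path=/ persist" sets path=/, so the jail it creates shares the host's root file system and only the network stack is virtualized. The entry should say so, otherwise readers may copy the command expecting a fully isolated jail. In the same entry, "has own loopback interface and a separated network stack" reads better as "has its own loopback interface and a separate network stack", and "the back-to-back connection still valid" is missing "is".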
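Review bot: in the jail list, the cpuset item notes that the superuser inside the jail can change the CPU bindings, which means the binding is not enforced against the jail's own root. State that directly as a limitation so nobody relies on it for resource isolation between jails. Also, "&man.ddb.8; kernel debugger" in the show jails item and in the role="7.2" show mount item conflicts with the role="7.1" entries, which use &man.ddb.4; for the debugger and &man.ddb.8; for the new utility. The subcommand is marked up as <literal> in one item and <command> in the other; pick one.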
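Review bot: the F_DUP2FD entry says the command is equivalent to &man.dup.2;, but F_DUP2FD duplicates onto a caller-chosen descriptor, which is dup2(2) behaviour; the reference should point at dup2 rather than dup. In the ex /S entry, "the function currently registered in via aio_swake hook" has a stray word; "registered via the aio_swake hook" looks like what was meant.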
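Review bot: in the new Boot Loader Changes section, the boot0 paragraph ends with "used in other operating systems </para>", with no full stop and a stray space before the closing tag. Just above it, "These are corresponding to the kernel options" in the kern.features.compat_freebsd[456] entry should read "These correspond to the kernel options".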