svn commit: r199847 - in stable/8/release/doc:
en_US.ISO8859-1/relnotes en_US.ISO8859-1/share/sgml share/sgml
Hiroki Sato
hrs at FreeBSD.org
Thu Nov 26 20:55:45 UTC 2009
Author: hrs
Date: Thu Nov 26 20:55:44 2009
New Revision: 199847
URL: http://svn.freebsd.org/changeset/base/199847
Log:
Add entries of Release Notes for 8.0R temporarily.
Reviewed by: thompsa, linimon, and brd.
Modified:
stable/8/release/doc/en_US.ISO8859-1/relnotes/article.sgml
stable/8/release/doc/en_US.ISO8859-1/share/sgml/release.dsl
stable/8/release/doc/share/sgml/release.dsl
stable/8/release/doc/share/sgml/release.ent
Modified: stable/8/release/doc/en_US.ISO8859-1/relnotes/article.sgml
==============================================================================
--- stable/8/release/doc/en_US.ISO8859-1/relnotes/article.sgml Thu Nov 26 20:25:57 2009 (r199846)
+++ stable/8/release/doc/en_US.ISO8859-1/relnotes/article.sgml Thu Nov 26 20:55:44 2009 (r199847)
@@ -4,11 +4,6 @@
<!ENTITY % release PUBLIC "-//FreeBSD//ENTITIES Release Specification//EN">
%release;
-
-<!-- Text constants which probably don't need to be changed.-->
-
-<!ENTITY % include.historic "IGNORE">
-<!ENTITY % no.include.historic "IGNORE">
]>
<article>
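Review bot: Dropping the `include.historic` and `no.include.historic` parameter entity declarations from the internal subset is only safe if nothing later in article.sgml still opens a marked section on `%include.historic;` or `%no.include.historic;`, or if release.ent (also modified in this commit) now declares them. Please confirm which applies and say so in the log; "temporarily" does not tell a later reader whether these declarations are expected to come back.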
@@ -57,7 +52,7 @@
<title>Introduction</title>
<para>This document contains the release notes for &os;
- &release.current;. It
+ &release.current;. It
describes recently added, changed, or deleted features of &os;.
It also provides some notes on upgrading
from previous versions of &os;.</para>
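Review bot: The removed and added lines at `&release.current;. It` read the same as shown, so this looks like a whitespace-only change, and the next two hunks (at `was created. Information` and `any of its mirrors. More`) are of the same kind. Consider committing the whitespace cleanup separately, so that the release-note content added in `@@ -100,455 +95,2340 @@` can be reviewed and merged without unrelated churn in the diff.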
@@ -66,7 +61,7 @@
<para>The &release.type; distribution to which these release notes
apply represents the latest point along the &release.branch; development
- branch since &release.branch; was created. Information regarding pre-built, binary
+ branch since &release.branch; was created. Information regarding pre-built, binary
&release.type; distributions along this branch
can be found at <ulink url="&release.url;"></ulink>.</para>
@@ -87,7 +82,7 @@
<para>This distribution of &os; &release.current; is a
&release.type; distribution. It can be found at <ulink
- url="&release.url;"></ulink> or any of its mirrors. More
+ url="&release.url;"></ulink> or any of its mirrors. More
information on obtaining this (or other) &release.type;
distributions of &os; can be found in the <ulink
url="&url.books.handbook;/mirrors.html"><quote>Obtaining
@@ -100,455 +95,2340 @@
<para>All users are encouraged to consult the release errata before
installing &os;. The errata document is updated with
<quote>late-breaking</quote> information discovered late in the
- release cycle or after the release. Typically, it contains
+ release cycle or after the release. Typically, it contains
information on known bugs, security advisories, and corrections to
documentation. An up-to-date copy of the errata for &os;
&release.current; can be found on the &os; Web site.</para>
</sect1>
-<sect1 id="new">
- <title>What's New</title>
-
- <para>This section describes
- the most user-visible new or changed features in &os;
- since &release.prev;.
- In general, changes described here are unique to the &release.branch;
- branch unless specifically marked as &merged; features.
- </para>
-
- <para>Typical release note items
- document recent security advisories issued after
- &release.prev;,
- new drivers or hardware support, new commands or options,
- major bug fixes, or contributed software upgrades. They may also
- list changes to major ports/packages or release engineering
- practices. Clearly the release notes cannot list every single
- change made to &os; between releases; this document focuses
- primarily on security advisories, user-visible changes, and major
- architectural improvements.</para>
-
- <sect2 id="security">
- <title>Security Advisories</title>
-
- <para></para>
-
- </sect2>
-
- <sect2 id="kernel">
- <title>Kernel Changes</title>
-
- <para>A new &man.cpuset.2; API has been added
- for thread to CPU binding and CPU resource grouping and
- assignment. The &man.cpuset.1; userland utility has been added
- to allow manipulation of processor sets.</para>
-
- <para role="merged">The &man.ddb.4; kernel debugger now has an output capture
- facility. Input and output from &man.ddb.4; can now be captured
- to a memory buffer for later inspection using &man.sysctl.8; or
- a textdump. The new <command>capture</command> command controls
- this feature.</para>
-
- <para role="merged">The &man.ddb.4; debugger now supports a simple scripting
- facility, which supports a set of named scripts consisting of a
- set of &man.ddb.4; commands. These commands can be managed from
- within &man.ddb.4; or with the use of the new &man.ddb.8;
- utility. More details can be found in the &man.ddb.4; manual
- page.</para>
-
- <para role="merged">The kernel now supports a new textdump format of kernel
- dumps. A textdump provides higher-level information via
- mechanically generated/extracted debugging output, rather than a
- simple memory dump. This facility can be used to generate brief
- kernel bug reports that are rich in debugging information, but
- are not dependent on kernel symbol tables or precisely
- synchronized source code. More information can be found in the
- &man.textdump.4; manual page.</para>
-
- <para>Kernel support for M:N threading has been removed. While
- the KSE (Kernel Scheduled Entities) project was quite successful
- in bringing threading to FreeBSD, the M:N approach taken by the
- KSE library was never developed to its full potential.
- Backwards compatibility for applications using KSE threading
- will be provided via &man.libmap.conf.5; for dynamically linked
- binaries. The &os; Project greatly appreciates the work of
- &a.julian;, &a.deischen;, and &a.davidxu; on KSE support.</para>
-
- <para>The &os; kernel now exports information about certain kernel
- features via the <varname>kern.features</varname> sysctl tree.
- The &man.feature.present.3; library call provides a convenient
- interface for user applications to test the presence of
- features.</para>
-
- <para arch="amd64">The &os; kernel now has support for large
- memory page mappings (<quote>superpages</quote>).</para>
-
- <para arch="amd64,i386,ia64,powerpc" role="merged">The ULE
- scheduler is now the default process scheduler
- in <filename>GENERIC</filename> kernels.</para>
-
- <sect3 id="boot">
- <title>Boot Loader Changes</title>
-
- <para arch="amd64,i386" role="merged">The BTX kernel used by the boot
- loader has been changed to invoke BIOS routines from real
- mode. This change makes it possible to boot &os; from USB
- devices.</para>
-
- <para arch="amd64,i386" role="merged">A new gptboot boot loader has
- been added to support booting from a GPT labeled disk. A
- new <command>boot</command> command has been added to
- &man.gpt.8;, which makes a GPT disk bootable by writing the
- required bits of the boot loader, creating a new boot
- partition if required.</para>
-
- </sect3>
-
- <sect3 id="proc">
- <title>Hardware Support</title>
-
- <para role="merged">The &man.cmx.4; driver, a driver for Omnikey CardMan 4040
- PCMCIA smartcard readers, has been added.</para>
-
- <para>The &man.syscons.4; driver now supports Colemak keyboard layout.</para>
-
- <para role="merged">The &man.uslcom.4; driver, a driver for Silicon
- Laboratories CP2101/CP2102-based USB serial adapters, has been
- imported from OpenBSD.</para>
-
- <sect4 id="mm">
- <title>Multimedia Support</title>
-
- <para></para>
-
- </sect4>
-
- <sect4 id="net-if">
- <title>Network Interface Support</title>
-
- <para>The &man.ale.4; driver has been added to provide support
- for Atheros AR8121/AR8113/AR8114 Gigabit/Fast Ethernet controllers.</para>
-
- <para>The &man.em.4; driver has been split into two drivers
- with some common parts. The &man.em.4; driver will continue
- to support adapters up to the 82575, as well as new
- client/desktop adapters. A new &man.igb.4; driver
- will support new server adapters.</para>
-
- <para>The &man.jme.4; driver has been added to provide support
- for PCIe network adapters based on JMicron JMC250 Gigabit
- Ethernet and JMC260 Fast Ethernet controllers.</para>
-
- <para>The &man.malo.4; driver has been added to provide
- support for Marvell Libertas 88W8335 based PCI network
- adapters.</para>
-
- <para>The firmware for the &man.mxge.4; driver has been
- updated from 1.4.25 to 1.4.29.</para>
-
- <para>The &man.sf.4; driver has been overhauled to improve its
- performance and to add support for checksum offloading. It
- should also work on all architectures.</para>
-
- <para>The &man.re.4; driver has been overhauled to fix a
- number of issues. This driver now has Wake On LAN (WOL)
- support.</para>
-
- <para>The &man.vr.4; driver has been overhauled to fix a
- number of outstanding issues. It also now works on all
- architectures.</para>
-
- <para arch="amd64,i386" role="merged">The &man.wpi.4; driver has
- been updated to include a number of stability fixes.</para>
-
- </sect4>
- </sect3>
-
- <sect3 id="net-proto">
- <title>Network Protocols</title>
-
- <para>The &man.bpf.4; packet filter and capture facility now
- supports a zero-copy mode of operation, in which buffers are
- loaned from a user process to the kernel. This feature can
- be enabled by setting
- the <varname>net.bpf.zerocopy_enable</varname> sysctl
- variable to <literal>1</literal>.</para>
-
- <para>ISDN4BSD(I4B), <filename>netatm</filename>, and all
- related subsystems have been removed due to lack of
- multi-processor support.</para>
-
- <para role="merged">A bug in TCP options padding, where the wrong padding
- bytes were used, has been fixed.</para>
-
- </sect3>
-
- <sect3 id="disks">
- <title>Disks and Storage</title>
-
- <para role="merged">The &man.aac.4; driver now supports volumes larger than
- 2TB in size.</para>
-
- <para>The &man.ata.4; driver now supports a spindown command for
- disks; after a configurable amount of time, if no requests
- have been received for a disk, the disk will be spun down
- until the next request. The &man.atacontrol.8; utility now
- supports a <command>spindown</command> command to configure
- this feature.</para>
-
- <para role="merged">The &man.hptrr.4; driver has been updated to version 1.2
- from Highpoint.</para>
-
- </sect3>
-
- <sect3 id="fs">
- <title>File Systems</title>
-
- <para>A problem with using &man.mmap.2; on ZFS filesystems has
- been fixed.</para>
-
- <para>A new kernel-mode NFS lock manager has been added,
- improving performance and behavior of NFS locking. A new
- &man.clear.locks.8; command has been added to clear locks held
- on behalf of an NFS client.</para>
-
- </sect3>
- </sect2>
-
- <sect2 id="userland">
- <title>Userland Changes</title>
-
- <para role="merged">The &man.adduser.8; utility now supports
- a <option>-M</option> option to set the mode of a new user's
- home directory.</para>
-
- <para>BSD-licensed versions of &man.ar.1; and &man.ranlib.1;,
- based on <filename>libarchive</filename>, have replaced the GNU
- Binutils versions of these utilities.</para>
-
- <para role="merged">&man.chflags.1; now supports a <option>-v</option> flag for
- verbose output and a <option>-f</option> flag to ignore errors
- with the same semantics as (for example)
- &man.chmod.1;.</para>
-
- <para>For compatiblity with other implementations, &man.cp.1; now
- supports a <option>-a</option> flag, which is equivalent to
- specifying the <option>-RrP</option> flags.</para>
-
- <para>BSD-licensed version of &man.cpio.1; based on
- <filename>libarchive</filename>, has replaced the GNU cpio.
- Note that the GNU cpio is still installed as
- <filename>gcpio</filename>.</para>
-
- <para>The &man.env.1; program now supports <option>-u
- <replaceable>name</replaceable></option>
- which will completely unset the given variable
- <replaceable>name</replaceable> by removing it from the environment,
- instead of just setting it to a null value.</para>
-
- <para>The &man.fdopendir.3; library function has been added.</para>
-
- <para role="merged">The &man.fetch.3; library now support HTTP 1.1
- If-Modified-Since behavior. The &man.fetch.1; program now
- supports <option>-i <replaceable>filename</replaceable></option>
- which will only download the specified HTTP URL if the content
- is newer than <replaceable>filename</replaceable>.</para>
-
- <para>&man.find.1; has been enhanced by the addition of a number
- of primaries that were present in GNU find but not &os;
- &man.find.1;.</para>
-
- <para>&man.jexec.8; now supports <option>-h
- <replaceable>hostname</replaceable></option> option to specify the
- jail where the command will be executed.</para>
-
- <para>&man.kgdb.1; now supports a new <command>add-kld</command>
- command to make it easier to debug crash dumps with kernel
- modules.</para>
-
- <para>The &man.ls.1; program now supports a <option>-D</option>
- option to specify a date format string to be used with the long
- format (<option>-l</option>) output.</para>
-
- <para>&man.nc.1; now supports a <option>-O</option> switch to
- disable the use of TCP options.</para>
-
- <para>The &man.ping6.8; utility now returns <literal>2</literal>
- when the packet transmission was successful but no responses
- were received (this is the same behavior as &man.ping.8;).
- It returned a non-zero value before this change.</para>
-
- <para>The &man.procstat.1; utility has been added to display
- detailed information about processes.</para>
-
- <para role="merged">The &man.realpath.1; utility now supports
- a <option>-q</option> flag to suppress warnings; it now also
- accepts multiple paths on its command line.</para>
-
- <para>The &man.split.1; utility now supports a <option>-n</option>
- flag to split a file into a certain number of chunks.</para>
-
- <para>The &man.tar.1; utility now supports a <option>-Z</option>
- flag to enable &man.compress.1;-style
- compression/decompression.</para>
-
- <para>The &man.tar.1; utility now supports a
- <option>--numeric-owner</option> flag to ignore user/group names
- on create and extract.</para>
-
- <para>The &man.tar.1; utility now supports an
- <option>-S</option> flag to sparsify files on extraction.</para>
-
- <para>The &man.tar.1; utility now supports a <option>-s</option>
- flag to substitute filenames based on the specified regular
- expression.</para>
-
- <para>The &man.tcgetsid.3; library function has been added to
- return the process group ID for the session leader for the
- controlling terminal. It is defined in IEEE Std 1003.1-2001
- (POSIX).</para>
-
- <para>&man.top.1; now supports a <option>-P</option> flag to
- provide per-CPU usage statistics.</para>
-
- <para>&man.zdump.8; is now working properly on 64 bit architectures.
- </para>
-
- <para>&man.traceroute.8; now has the ability to print the AS
- number for each hop with the new <option>-a</option> switch; a
- new <option>-A</option> option allows selecting a particular
- WHOIS server.</para>
-
- <para>&man.traceroute6.8; now supports a <option>-U</option> flag
- to send probe packets with no upper-layer protocol, rather than
- the usual UDP probe packets.</para>
-
- <sect3 id="rc-scripts">
- <title><filename>/etc/rc.d</filename> Scripts</title>
-
- <para></para>
-
- </sect3>
- </sect2>
-
- <sect2 id="contrib">
- <title>Contributed Software</title>
-
- <para role="merged"><application>AMD</application> has been updated from 6.0.10
- to 6.1.5.</para>
-
- <para role="merged"><application>awk</application> has been updated from 1 May
- 2007 release to the 23 October 2007 release.</para>
-
- <para role="merged"><application>bzip2</application> has been updated from 1.0.4
- to 1.0.5.</para>
-
- <para><application>CVS</application> has been updated from 1.11.17
- to a post-1.11.22 snapshot from 10 March 2008.</para>
-
- <para><application>FILE</application> has been updated from 4.23
- to 5.03.</para>
-
- <para><application>hostapd</application> has been
- updated from 0.5.8 to 0.5.10.</para>
-
- <para><application>IPFilter</application> has been updated from
- 4.1.23 to 4.1.28.</para>
-
- <para><application>less</application> has been updated from
- v408 to v429.</para>
-
- <para><application>ncurses</application> has been updated from
- 5.6-20061217 to 5.6-20080503.</para>
-
- <para role="merged"><application>OpenSSH</application> has been updated
- from 4.5p1 to 5.1p1.</para>
-
- <para role="merged"><application>OpenPAM</application> has been updated from the
- Figwort release to the Hydrangea release.</para>
-
- <para role="merged"><application>sendmail</application> has been updated from
- 8.14.1 to 8.14.3.</para>
-
- <para role="merged">The timezone database has been updated from
- the <application>tzdata2008h</application> release to
- the <application>tzdata2009j</application> release.</para>
-
- <para>The stdtime part of libc, &man.zdump.8 and &man.zic.8
- have been updated from the <application>tzcode2004a</application>
- release to the <application>tzcode2009h</application> release.
- If you have upgraded from source or via the &man.freebsd-update.8,
- then please run &man.tzsetup.8 to install a new /etc/localtime.
- </para>
-
- <para><application>WPA Supplicant</application> has been
- updated from 0.5.8 to 0.5.10.</para>
-
- </sect2>
-
- <sect2 id="ports">
- <title>Ports/Packages Collection Infrastructure</title>
-
- <para>The &man.pkg.create.1; utility now supports
- <option>-n</option>. When this option is specified and a
- package tarball exists, it will not be overwritten. This is
- useful when multiple packages are saved with several consecutive
- runs of &man.pkg.create.1; with the <option>-Rb</option>
- options.</para>
-
- <para>The pkg_sign and pkg_check utilities for cryptographically
- signing &os; packages have been removed. They were only useful
- for packages compressed using &man.gzip.1;; however
- &man.bzip2.1; compression has been the norm for some time
- now.</para>
-
- </sect2>
-
- <sect2 id="releng">
- <title>Release Engineering and Integration</title>
-
- <para role="merged">The supported version of
- the <application>GNOME</application> desktop environment
- (<filename role="package">x11/gnome2</filename>) has been
- updated from 2.20.1 to 2.22.</para>
-
- </sect2>
-
- <sect2 id="doc">
- <title>Documentation</title>
-
- <para></para>
-
- </sect2>
-</sect1>
-
-<sect1 id="upgrade">
- <title>Upgrading from previous releases of &os;</title>
+ <sect1 id="new">
+ <title>What's New</title>
- <para arch="amd64,i386">Beginning with &os; 6.2-RELEASE,
- binary upgrades between RELEASE versions (and snapshots of the
- various security branches) are supported using the
- &man.freebsd-update.8; utility. The binary upgrade procedure will
- update unmodified userland utilities, as well as unmodified GENERIC or
- SMP kernels distributed as a part of an official &os; release.
- The &man.freebsd-update.8; utility requires that the host being
- upgraded have Internet connectivity.</para>
-
- <para>An older form of binary upgrade is supported through the
- <command>Upgrade</command> option from the main &man.sysinstall.8;
- menu on CDROM distribution media. This type of binary upgrade
- may be useful on non-&arch.i386;, non-&arch.amd64; machines
- or on systems with no Internet connectivity.</para>
-
- <para>Source-based upgrades (those based on recompiling the &os;
- base system from source code) from previous versions are
- supported, according to the instructions in
- <filename>/usr/src/UPDATING</filename>.</para>
-
- <important>
- <para>Upgrading &os; should, of course, only be attempted after
- backing up <emphasis>all</emphasis> data and configuration
- files.</para>
- </important>
-</sect1>
+ <para>This section describes the most user-visible new or changed
+ features in &os; since &release.prev;, and changes shown in
+ Release Notes for the previous releases are marked as
+ <literal>[7.1R]</literal> and <literal>[7.2R]</literal>.</para>
+
+ <para>Typical release note items document recent security
+ advisories issued after &release.prev;, new drivers or hardware
+ support, new commands or options, major bug fixes, or
+ contributed software upgrades. They may also list changes to
+ major ports/packages or release engineering practices. Clearly
+ the release notes cannot list every single change made to &os;
+ between releases; this document focuses primarily on security
+ advisories, user-visible changes, and major architectural
+ improvements.</para>
+
+ <sect2 id="security">
+ <title>Security Advisories</title>
+
+ <para>Problems described in the following security advisories have
+ been fixed. For more information, consult the individual
+ advisories available from
+ <ulink url="http://security.FreeBSD.org/"></ulink>.</para>
+
+ <informaltable frame="none" pgwide="0">
+ <tgroup cols="3">
+ <colspec colwidth="1*">
+ <colspec colwidth="1*">
+ <colspec colwidth="3*">
+ <thead>
+ <row>
+ <entry>Advisory</entry>
+ <entry>Date</entry>
+ <entry>Topic</entry>
+ </row>
+ </thead>
+
+ <tbody>
+ <row role="7.1">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:05.openssh.asc"
+ >SA-08:05.openssh</ulink></entry>
+ <entry>17 April 2008</entry>
+ <entry><para>OpenSSH X11-forwarding privilege escalation</para></entry>
+ </row>
+
+ <row role="7.1">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:06.bind.asc"
+ >SA-08:06.bind</ulink></entry>
+ <entry>13 July 2008</entry>
+ <entry><para>DNS cache poisoning</para></entry>
+ </row>
+
+ <row role="7.1">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:07.amd64.asc"
+ >SA-08:07.amd64</ulink></entry>
+ <entry>3 September 2008</entry>
+ <entry><para>amd64 swapgs local privilege escalation</para></entry>
+ </row>
+
+ <row role="7.1">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:08.nmount.asc"
+ >SA-08:08.nmount</ulink></entry>
+ <entry>3 September 2008</entry>
+ <entry><para>&man.nmount.2; local arbitrary code execution</para></entry>
+ </row>
+
+ <row role="7.1">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:09.icmp6.asc"
+ >SA-08:09.icmp6</ulink></entry>
+ <entry>3 September 2008</entry>
+ <entry><para>Remote kernel panics on IPv6 connections</para></entry>
+ </row>
+
+ <row role="7.1">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:10.nd6.asc"
+ >SA-08:10.nd6</ulink></entry>
+ <entry>1 October 2008</entry>
+ <entry><para>IPv6 Neighbor Discovery Protocol routing vulnerability</para></entry>
+ </row>
+
+ <row role="7.1">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:11.arc4random.asc"
+ >SA-08:11.arc4random</ulink></entry>
+ <entry>24 November 2008</entry>
+ <entry><para>&man.arc4random.9; predictable sequence vulnerability</para></entry>
+ </row>
+
+ <row role="7.1">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:12.ftpd.asc"
+ >SA-08:12.ftpd</ulink></entry>
+ <entry>23 December 2008</entry>
+ <entry><para>Cross-site request forgery in &man.ftpd.8;</para></entry>
+ </row>
+
+ <row role="7.1">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:13.protosw.asc"
+ >SA-08:13.protosw</ulink></entry>
+ <entry>23 December 2008</entry>
+ <entry><para>netgraph / bluetooth privilege escalation</para></entry>
+ </row>
+
+ <row role="7.2">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:01.lukemftpd.asc"
+ >SA-09:01.lukemftpd</ulink></entry>
+ <entry>07 January 2009</entry>
+ <entry><para>Cross-site request forgery in
+ &man.lukemftpd.8;</para></entry>
+ </row>
+
+ <row role="7.2">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:02.openssl.asc"
+ >SA-09:02.openssl</ulink></entry>
+ <entry>07 January 2009</entry>
+ <entry><para>OpenSSL incorrectly checks for malformed
+ signatures</para></entry>
+ </row>
+
+ <row role="7.2">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:03.ntpd.asc"
+ >SA-09:03.ntpd</ulink></entry>
+ <entry>13 January 2009</entry>
+ <entry><para>ntpd cryptographic signature
+ bypass</para></entry>
+ </row>
+
+ <row role="7.2">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:04.bind.asc"
+ >SA-09:04.bind</ulink></entry>
+ <entry>13 January 2009</entry>
+ <entry><para>BIND DNSSEC incorrect checks for
+ malformed signatures</para></entry>
+ </row>
+
+ <row role="7.2">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:05.telnetd.asc"
+ >SA-09:05.telnetd</ulink></entry>
+ <entry>16 February 2009</entry>
+ <entry><para>telnetd code execution
+ vulnerability</para></entry>
+ </row>
+
+ <row role="7.2">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:06.ktimer.asc"
+ >SA-09:06.ktimer</ulink></entry>
+ <entry>23 March 2009</entry>
+ <entry><para>Local privilege escalation</para></entry>
+ </row>
+
+ <row role="7.2">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:07.libc.asc"
+ >SA-09:07.libc</ulink></entry>
+ <entry>04 April 2009</entry>
+ <entry><para>Information leak in &man.db.3;</para></entry>
+ </row>
+
+ <row role="7.2">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:08.openssl.asc"
+ >SA-09:08.openssl</ulink></entry>
+ <entry>22 April 2009</entry>
+ <entry><para>Remotely exploitable crash in
+ OpenSSL</para></entry>
+ </row>
+
+ <row role="8.0">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc"
+ >SA-09:09.pipe</ulink></entry>
+ <entry>10 June 2009</entry>
+ <entry><para>Local information disclosure via direct pipe writes</para></entry>
+ </row>
+
+ <row role="8.0">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc"
+ >SA-09:10.ipv6</ulink></entry>
+ <entry>10 June 2009</entry>
+ <entry><para>Missing permission check on SIOCSIFINFO_IN6 ioctl</para></entry>
+ </row>
+
+ <row role="8.0">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:11.ntpd.asc"
+ >SA-09:11.ntpd</ulink></entry>
+ <entry>10 June 2009</entry>
+ <entry><para>ntpd stack-based buffer-overflow vulnerability</para></entry>
+ </row>
+
+ <row role="8.0">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:12.bind.asc"
+ >SA-09:12.bind</ulink></entry>
+ <entry>29 July 2009</entry>
+ <entry><para>BIND &man.named.8; dynamic update message remote DoS</para></entry>
+ </row>
+ <row role="8.0">
+ <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:14.devfs.asc"
+ >SA-09:14.devfs</ulink></entry>
+ <entry>2 Oct 2009</entry>
+ <entry><para>Devfs / VFS NULL pointer race condition</para></entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </informaltable>
+ </sect2>
+
+ <sect2 id="kernel">
+ <title>Kernel Changes</title>
+
+ <para role="8.0">The &os; <filename>GENERIC</filename> kernel now
+ includes Trusted BSD MAC (Mandatory Access Control) support.
+ No MAC policy module is loaded by default.</para>
+
+ <para role="8.0" arch="i386">A loader
+ tunable <varname>hw.clflush_disable</varname> has been added
+ to avoid panic (trap 9)
+ at <function>map_invalidate_cache_range()</function> even if
+ Intel CPU is used. This tunable can be set
+ to <literal>-1</literal> (default), <literal>0</literal> and
+ <literal>1</literal>. The <literal>-1</literal> is same as
+ the current behavior, which automatically
+ disables <literal>CLFLUSH</literal> on Intel CPUs without
+ <literal>CPUID_SS</literal> (this should occurr on Xen
+ only). You can specify <literal>1</literal> when this panic
+ happens on non-Intel CPUs (such as AMD's). Because disabling
+ <literal>CLFLUSH</literal> can reduce performance, you can try
+ with setting <literal>0</literal> on Intel CPUs
+ without <literal>SS</literal> to
+ use <literal>CLFLUSH</literal> feature.</para>
+
+ <para role="8.0">The &os; newbus subsystem is now MPSAFE.</para>
+
+ <para role="8.0">The &man.jail.8; subsystem has been updated. Changes include:</para>
+
+ <itemizedlist role="7.2">
+ <listitem>
+ <para role="8.0">A new virtualization container
+ named <quote>vimage</quote> has been implemented. This is
+ not enabled by default. To enable this, add the following
+ kernel options to your kernel configuration file and
+ rebuild the kernel:</para>
+
+ <programlisting>options VIMAGE</programlisting>
+
+ <para>Note that <literal>options SCTP</literal> in the
+ <filename>GENERIC</filename> kernel is not compatible with
+ <literal>options VIMAGE</literal>. This limitation will
+ be fixed in the next release.</para>
+
+ <para>The vimage is a jail with a virtualized instance of
+ the &os; network stack. It can be created by using
+ &man.jail.8; command like this:</para>
+
+ <screen>&prompt.root; jail -c vnet name=<replaceable>vnet1</replaceable> host.hostname=<replaceable>vnet1.example.net</replaceable> path=/ persist</screen>
+
+ <para>The vimage has own loopback interface and a separated
+ network stack including the L3 routing tables. Network
+ interfaces on the system can be moved by using
+ &man.ifconfig.8; <option>vnet</option> option between the
+ different vimage jails and outside of them.</para>
+
+ <para>Furthermore, the &man.epair.4; pseudo-interface driver
+ has been added to help communication between vimage jails.
+ It emulates a pair of back-to-back connected Ethernet
+ interfaces. For example, the following commands create an
+ interface pair of &man.epair.4;:</para>
+
+ <screen>&prompt.root; ifconfig epair0 create
+epair0a
+&prompt.root; ifconfig epair0a
+epair0a: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
+ ether 02:c0:64:00:07:0a
+&prompt.root; ifconfig epair0b
+epair0b: flags=8842<BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
+ ether 02:c0:64:00:08:0b</screen>
+
+ <para>The &man.epair.4; pseudo-interfaces and any physical
+ interfaces on the system can be moved between vimage jails
+ by using &man.ifconfig.8; <option>vnet</option> option as
+ described above. Even after half of an &man.epair.4; pair
+ is moved, the back-to-back connection still valid and can
+ be used for inter-jail communication.</para>
+
+ <para>Note that vimage is still considered as an
+ experimental feature.</para>
+ </listitem>
+
+ <listitem>
+ <para>A jail can now have arbitrary named parameters similar
+ to environmental variables and the fixed jail parameters
+ in the previous releases have been replaced with them.
+ The jail name can now be used for identifying the jail in
+ &man.jexec.8; and &man.killall.1;.</para>
+ </listitem>
+
+ <listitem>
+ <para>Multiple IPv4 and/or IPv6 addresses per jail are now
+ supported. It is even possible to have jails without
+ an IP address at all, which basically gives one a chrooted
+ environment with restricted process view and no
+ networking.</para>
+ </listitem>
+
+ <listitem>
+ <para>SCTP (&man.sctp.4;) with IPv6 in jails has been
+ implemented.</para>
+ </listitem>
+
+ <listitem>
+ <para>Specific CPU binding by using &man.cpuset.1; has been
+ implemented. Note that the current implementation allows
+ the superuser inside of the jail to change the CPU
+ bindings specified.</para>
+ </listitem>
+
+ <listitem>
+ <para>A &man.jail.8; can start with a specific route
+ FIB now.</para>
+ </listitem>
+
+ <listitem>
+ <para>The &man.ddb.8; kernel debugger now supports a
+ <literal>show jails</literal> subcommand.</para>
+ </listitem>
+
+ <listitem>
+ <para>Compatibility support which permits 32-bit jail
+ binaries to be used on 64-bit systems to manage jails has
+ been added.</para>
+ </listitem>
+
+ <listitem>
+ <para>Note that both version numbers of
+ <literal>jail</literal> and <literal>prison</literal> in
+ the &man.jail.8; have been updated for the new
+ features.</para>
+ </listitem>
+ </itemizedlist>
+
+ <para role="8.0">The &man.ksyms.4;, kernel symbol table
+ interface driver has been added. It creates a character
+ device <filename>/dev/ksyms</filename> and provides
+ read-only access to a snapshot of the kernel symbol
+ table.</para>
+
+ <para role="8.0" arch="amd64,i386">The &os; Linux emulation
+ layer has been updated to version 2.6.16 and the default Linux
+ infrastructure port is
+ <filename>emulators/linux_base-f10</filename> (Fedora
+ 10).</para>
+
+ <para role="8.0" arch="amd64,i386">The &os; virtual memory
+ subsystem now supports fully transparent use of
+ <application>superpages</application> for application memory;
+ application memory pages are dynamically promoted to or
+ demoted from superpages without any modification to
+ application code. This change offers the benefit of large
+ page sizes such as improved virtual memory efficiency and
+ reduced TLB (translation lookaside buffer) misses without
+ downsides like application changes and virtual memory
+ inflexibility. This can be enabled by setting a loader tunable
+ <varname>vm.pmap.pg_ps_enabled</varname> to
+ <literal>1</literal> and is enabled by default on
+ &arch.amd64;.</para>
+
+ <para role="7.2">The &man.ddb.8; kernel debugger now supports a
+ <command>show mount</command> subcommand.</para>
+
+ <para role="7.2">The &os; DTrace subsystem now supports a probe for
+ process execution.</para>
+
+ <para role="7.2" arch="amd64">The &os; kernel virtual address
+ space has been increased to 6GB. This allows subsystems to use
+ larger virtual memory space than before. For example, the
+ &man.zfs.8; adaptive replacement cache (ARC) requires large
+ kernel memory space to cache file system data, so it benefits
+ from the increased address space. Note that the ceiling on
+ the kernel map size is now 60% of the size of physical memory
+ rather than an absolute quantity.</para>
+
+ <para role="7.2">The &man.kld.4; now supports installing 32-bit
+ system calls to the &os; syscall translation layer from kernel
+ modules.</para>
+
+ <para role="7.2">The &man.ktr.4; now supports a new KTR tracepoint in the
+ <literal>KTR_CALLOUT</literal> class to note when a callout
+ routine finishes executing.</para>
+
+ <para role="7.2">Types of variables used to track the amount of allocated
+ System V shared memory have been changed from
+ <literal>int</literal> to <literal>size_t</literal>. This
+ makes it possible to use more than 2 GB of memory for shared
+ memory segments on 64-bit architectures. Please note the new
+ BUGS section in &man.shmctl.2; and
+ <filename>/usr/src/UPDATING</filename> for limitations of this
+ temporary solution.</para>
+
+ <para role="7.2">The &man.sysctl.3; leaf nodes have a flag to tag
+ themselves as MPSAFE now.</para>
+
+ <para role="7.2">The &os; 32-bit system call translation layer now
+ supports installing 32-bit system calls for
+ <literal>VFS_AIO</literal>.</para>
+
+ <para role="7.1">The &man.clock.gettime.2; and the related system calls now
+ support a clock ID <literal>CLOCK_THREAD_CPUTIME_ID</literal>,
+ as defined in POSIX.</para>
+
+ <para role="7.1">The &man.cpuset.2; system call has been added. This is an
+ API for thread to CPU binding and CPU resource grouping and
+ assignment.</para>
+
+ <para role="7.1">The DTrace, a comprehensive dynamic tracing framework and
+ &man.dtrace.1; userland utility have been imported from
+ OpenSolaris. DTrace provides a powerful infrastructure to
+ permit administrators, developers, and service personnel to
+ concisely answer arbitrary questions about the behavior of the
+ operating system and user programs.</para>
+
+ <para role="7.1">The &man.ddb.4; kernel debugger now has an output capture
+ facility. Input and output from &man.ddb.4; can now be captured
+ to a memory buffer for later inspection using &man.sysctl.8; or
+ a textdump. The new <command>capture</command> command controls
+ this feature.</para>
+
+ <para role="7.1">The &man.ddb.4; debugger now supports a simple scripting
+ facility, which supports a set of named scripts consisting of a
+ set of &man.ddb.4; commands. These commands can be managed from
+ within &man.ddb.4; or with the use of the new &man.ddb.8;
+ utility. More details can be found in the &man.ddb.4; manual
+ page.</para>
+
+ <para role="7.1">The &man.ddb.4; <command>ex</command> command now supports
+ an <option>/S</option> mode which interprets and prints the
+ value at the requested address as a symbol. For example,
+ <userinput>ex /S <replaceable>aio_swake</replaceable></userinput>
+ prints the name of the function currently registered in
+ via <replaceable>aio_swake</replaceable> hook.</para>
+
+ <para role="7.1">The &man.ddb.4; <command>show conifhk</command> command has
+ been added. This lists hooks currently waiting for completion
+ in <function>run_interrupt_driven_config_hooks()</function>.</para>
+
+ <para role="7.1">The &man.fcntl.2; system call now supports
+ <literal>F_DUP2FD</literal> command. This is equivalent to
+ &man.dup.2;, and compatible with the Sun Solaris and the IBM
+ AIX.</para>
+
+ <para role="7.1">The &os;'s &man.linux.4; ABI support now implements
+ <function>sched_setaffinity()</function> and
+ <function>sched_getaffinity()</function> using real CPU affinity
+ setting primitives.</para>
+
+ <para role="7.1">The &man.procstat.1; utility has been added. This is a
+ process inspection utility which provides some of the missing
+ functionality from &man.procfs.5; and new functionality for monitoring
+ and debugging specific processes.</para>
+
+ <para role="7.1">The client side functionality of &man.rpc.lockd.8; has been
+ implemented in the &os; kernel. This implementation provides the
+ correct semantics for &man.flock.2; style locks which are used
+ by the &man.lockf.1; command line tool and the &man.pidfile.3;
+ library. It also implements recovery from server restarts and
+ ensures that dirty cache blocks are written to the server before
+ obtaining locks (allowing multiple clients to use file locking
+ to safely share data). Also, a new kernel option
+ <literal>options NFSLOCKD</literal> has been added and enabled
+ by default. If the kernel support is enabled, &man.rpc.lockd.8;
+ automatically detects and uses the functionality.</para>
+
+ <para role="7.1">The &os; kernel now supports a new textdump format of kernel
+ dumps. A textdump provides higher-level information via
+ mechanically generated/extracted debugging output, rather than a
+ simple memory dump. This facility can be used to generate brief
+ kernel bug reports that are rich in debugging information, but
+ are not dependent on kernel symbol tables or precisely
+ synchronized source code. More information can be found in the
+ &man.textdump.4; manual page.</para>
+
+ <para role="7.1">The &man.wait4.2; system call now supports
+ <option>WNOWAIT</option> flag to keep the process whose status
+ is returned in a waitable state and <option>WSTOPPED</option>
+ which is equivalent to <option>WUNTRACED</option>.</para>
+
+ <para role="7.1" arch="amd64,i386,sparc64">The &os; kernel now has
+ initial support of binding interrupts to CPUs.</para>
+
+ <para role="7.1" arch="amd64,i386"> The &man.sched.ule.4; scheduler is now the default
+ process scheduler in <filename>GENERIC</filename>
+ kernels.</para>
+
+ <para role="7.1">The sysctl
+ variables <varname>kern.features.compat_freebsd[456]</varname>
+ have been added. These are corresponding to the kernel options
+ <literal>COMPAT_FREEBSD[456]</literal>.</para>
+
+ <sect3 id="boot">
+ <title>Boot Loader Changes</title>
+
+ <para role="8.0">The <application>boot0</application> boot
+ loader now preserves volume ID at offset
+ 0x1b8 used in other operating systems </para>
+
+ <para role="8.0">The &man.boot0cfg.8; utility now supports a
+ new <option>-i</option> option to set the volume ID.</para>
+
+ <para role="7.2">The &man.boot.8; now supports 4-byte volume ID that
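Review bot: In the jail list, the &man.cpuset.1; item leaves the fact that the superuser inside the jail can change the specified CPU bindings to a trailing "Note that" sentence. As written, the binding is not enforced against jail root, so the item should say that directly (for example, that the binding is an initial setting rather than a restriction) so administrators do not rely on it for isolation between jails. Text nits in the same hunk: the ex /S paragraph reads "currently registered in via aio_swake hook" (drop "in" or "via"); the boot0 paragraph ends "operating systems </para>" with no period and a stray space; "in the &man.jail.8;" in the version-number item is missing its noun; and the F_DUP2FD paragraph cites &man.dup.2; where the command name suggests the dup2() form, which is worth confirming before release.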
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***