The FreeBSD Project $FreeBSD$ 2000 2001 2002 The FreeBSD Documentation Project The release notes for &os; &release.current; contain a summary of the changes made in the &os; base system since &release.prev;. Both changes for kernel and userland are listed, as well as applicable security advisories that were issued since the last release. Some brief remarks on upgrading are also presented. This document contains the release notes for &os; &release.current; on the &arch.print; hardware platform. It describes new features of &os; that have been added (or changed) since &release.prev;. It also provides some notes on upgrading from previous versions of &os;. The &release.type; distribution to which these release notes apply represents a point along the &release.branch; development branch between &release.prev; and the future &release.next;. Some pre-built, binary &release.type; distributions along this branch can be found at . ]]> This distribution of &os; &release.current; is a &release.type; distribution. It can be found at or any of its mirrors. More information on obtaining this (or other) &release.type; distributions of &os; can be found in the Obtaining FreeBSD appendix to the FreeBSD Handbook. ]]> This section describes the most user-visible new or changed features in &os; since &release.prev;. Typical release note items document new drivers or hardware support, new commands or options, major bugfixes, or contributed software upgrades. Security advisories issued after &release.prev; are also listed. In general, changes described here are unique to the &release.branch; branch unless specifically marked as &merged; features. Many additional changes were made to &os; that are not listed here for lack of space. For example, documentation was corrected and improved, minor bugs were fixed, insecure coding practices were audited and corrected, and source code was cleaned up. The &man.amdpm.4; driver has been added to provide access to the system monitoring functions of the AMD 756 chipset. &merged; The &man.agp.4; driver for AGP devices has been added. &merged; A new &man.ddb.4; command show pcpu lists some of the per-CPU data. Two new &man.ddb.4; commands, hwatch and dhwatch, have been introduced. Analogous to watch and dwatch, they install hardware watchpoints (as opposed to software watchpoints) if supported by the architecture. &merged; &man.devfs.5;, which allows entries in the /dev directory to be built automatically and supports more flexible attachment of devices, has been largely reworked. &man.devfs.5; is now enabled by default and can be disabled by the NODEVFS kernel option. The dgm driver has been removed in favor of the digi driver. A new digi driver has been added to support PCI Xr-based and ISA Xem Digiboard cards. A new &man.digictl.8; program is (mainly) used to re-initialize cards that have external port modules attached such as the PC/Xem. An &man.eaccess.2; system call has been added, similar to &man.access.2; except that the former uses effective credentials rather than real credentials. Support has been added for EBus-based devices. The &man.ichsmb.4; driver for the Intel 82801AA (ICH) SMBus controller and compatibles has been added. &merged; Each &man.jail.2; environment can now run under its own securelevel. The tunable sysctl variables for &man.jail.2; have moved from jail.* to the security.* hierarchy. Other security-related sysctl variables have moved from kern.security.* to security.*. The kern.maxvnodes limit now properly limits the number of vnodes in use. Previously only vnodes with no cached pages could be freed; this could allow the number of vnodes to grow without limit on large-memory machines accessing many small files. A vnlru kernel thread helps to flush and reuse vnodes. &merged; The kernel message buffer is now accessible by the (machine-independent) kern.msgbuf sysctl variable; &man.dmesg.8; no longer needs to be SGID kmem. &merged; The kernel environment is now dynamic, and can be changed via the new &man.kenv.2; system call. The &man.kqueue.2; event notification facility was added to the &os; kernel. This is a new interface which is able to replace &man.poll.2;/&man.select.2;, offering improved performance, as well as the ability to report many different types of events. Support for monitoring changes in sockets, pipes, fifos, and files are present, as well as for signals and processes. &merged; A new KVA_SPACE kernel option can be used to reconfigure the size of the kernel virtual address space. &merged; The &man.labpc.4; driver has been removed due to bitrot. The loader and kernel linker now look for files named linker.hints in each directory with KLDs for a module name and version to KLD filename mapping. The new &man.kldxref.8; utility is used to generate these files. Linux emulation now supports the kernel functionality required by the emulators/linux_base-7 (RedHat 7.X emulation) port. &merged; Linux emulation now requires options SYSVSEM in the kernel configuration. &merged; &man.lomac.4;, a Low-Watermark Mandatory Access Control security facility, has been added as a kernel module. It provides a drop-in security mechanism in addition to the traditional UID-based security facilities, requiring no additional configuration from the administrator. Work on this feature was sponsored by DARPA and NAI Labs. The maxusers kernel configuration parameter is now a boot-time tunable variable. The kernel parameters derived from maxusers are now also tunables and can be overridden at boot-time. The hz parameter is also now a tunable. &merged; Specifying a value of 0 for the maxusers kernel configuration parameter will now cause an appropriate value to be calculated at boot-time (between 32 and 384, depending on the amount of memory present). This value is now the default for all GENERIC kernels. &merged; A MAXMEM kernel option, along with the hw.physmem loader tunable, can be used to artificially reduce the memory size of a machine for testing (or other purposes). &merged; The kernel configuration parameters MAXTSIZ, DFLDSIZ, MAXDSIZ, DFLSSIZ, MAXSSIZ, and SGROWSIZ are all loader tunables (kern.maxtsiz, kern.maxdfldsiz, etc.). &merged; &man.mutex.9; profiling code has been added, enabled by the MUTEX_PROFILING kernel configuration option. It enables the debug.mutex.prof.* hierarchy of sysctl variables. The NCPU, NAPIC, NBUS, and NINTR kernel configuration options, for configuring SMP kernels, have been removed. NCPU is now set to a maximum of 16, and the other, aforementioned options are now dynamic. &merged; A &man.nmdm.4; null-modem terminal driver has been added. &merged; The O_DIRECT flag has been added to &man.open.2; and &man.fcntl.2;. Specifying this flag for open files will attempt to minimize the cache effects of reading and writing. &merged; An &man.orm.4; device has been added to claim the option ROMs in the ISA memory I/O space, to prevent other drivers from mistakenly assigning addresses that conflict with these ROMs. &merged; PECOFF (Win32 Execution file format) support has been added. The pmc driver, which supports the power management controller of the NEC PC-98NOTE, has been added. &merged; POSIX.1b Shared Memory Objects are now supported. The implementation uses regular files, but automatically enables the MAP_NOSYNC flag when they are &man.mmap.2;-ed. &merged; Replaced the PQ_*CACHE options with a single PQ_CACHESIZE option to be set to the cache size in kilobytes. The old options are still supported for backwards compatibility. &merged; The &man.puc.4; (PCI Universal Communications) driver has been added, to help connect PCI-based serial ports to the &man.sio.4; driver. &merged; The &man.random.4; device has been rewritten to use the Yarrow algorithm. It harvests entropy from a variety of interrupt sources, including the console devices, Ethernet and point-to-point network interfaces, and mass-storage devices. Entropy from the &man.random.4; device is now periodically saved to files in /var/db/entropy, as well as at shutdown time. The semantics of /dev/random have changed; it never blocks waiting for entropy bits but generates a stream of pseudo-random data and now behaves exactly as /dev/urandom. A new kernel option, options REGRESSION, enables interfaces and functionality intended for use during correctness and regression testing. Support has been added for SBus-based devices. The se driver, which supports the Siemens SAB82532 serial chip found on many newer Sparc Ultra machines, has been added. The &man.snp.4; device is no longer static and can now be compiled as a module. &merged; The &man.spic.4; driver, which provides access to the Jog Dial device on some Sony laptops, has been added. &man.moused.8; support for this device has also been added. &merged; The &man.syscons.4; driver now supports keyboard-controlled pasting, by default bound to Shift-Insert. Support for USB devices was added to the GENERIC kernel and to the installation programs to support USB devices out of the box. Note that SRM does not support USB devices at the moment, so you must still use an AT keyboard if you are not using a serial console. &merged; The &man.umodem.4; driver for USB modems has been added. Support is provided for the 3Com 5605 and Metricom Ricochet GS wireless USB modems. &merged; The &man.uscanner.4; driver for basic USB scanner support using SANE has been added. See the SANE home page for supported scanners. The HP ScanJet 4100C, 5200C and 6300C are known to be working. &merged; The &man.ucom.4; device driver has been added, to support USB modems, serial devices, and other programs that need to look like a tty. The related &man.uplcom.4; and &man.uvscom.4; drivers provide specific support for the Prolific PL-2303 serial adapter and the SUNTAC Slipper U VS-10U, respectively. To increase security, the UCONSOLE kernel configuration option has been removed. The UserConfig boot-time kernel configuration feature, usually used to enable, disable, or configure ISA devices, has been removed. Its functionality has been replaced by the kernel hints file in /boot/device.hints. The USER_LDT kernel option is now activated by default. A VESA S3 linear framebuffer driver has been added. The &man.viapm.4; driver for VIA SMBus power management controllers has been added. &merged; Write combining for crashdumps has been implemented. This feature is useful when write caching is disabled on both SCSI and IDE disks, where large memory dumps could take up to an hour to complete. &merged; The kernel crashdump infrastructure has been revised, to support new platforms and in general clean up the logic in the code. One implication of this change is that the on-disk format for kernel dumps has changed, and is now byte-order-agnostic. Extremely large swap areas (>67 GB) no longer panic the system. Support for threads under Linux emulation has been added. The buildkernel target now gets the name of the configuration(s) to build from the KERNCONF variable, not KERNEL. It is no longer required, in some cases, for a buildworld to precede a buildkernel. (The buildworld is still required when upgrading across major releases, across binutil updates and when &man.config.8; changes version.) &merged; The out-of-swap process termination code now begins killing processes earlier to avoid deadlocks; it now also takes into account the swap space used by processes when computing the process sizes. &merged; Linker sets are now self-contained; &man.gensetdefs.8; is unnecessary and has been removed. Network device cloning has been implemented, and the &man.gif.4; device has been modified to take advantage of it. Thus, instead of specifying how many &man.gif.4; interfaces are available in kernel configuration files, &man.ifconfig.8;'s create option should be used when another device instance is desired. &merged; It is now possible to hardwire kernel environment variables (such as tuneables) at compile-time using &man.config.8;'s ENV directive. Idle zeroing of pages can be enabled with the vm.idlezero_enable sysctl variable. The load addresses of kernels are now exported to the symbol table and various hard-coded constants have been removed so that utilities such as &man.ps.1; can work with kernels compiled at different addresses. &merged; Coredumps of large processes (or of a large number of processes) no longer lock up the machine for long periods of time. &merged; The Kernel-Scheduled Entity project has made changes to the kernel scheduler to more efficiently handle multi-threaded programs. The kernel now has support for multiple low-level console devices. The new &man.conscontrol.8; utility helps to manage the different consoles. The console driver has gained support for TGA-based display adapters. The kernel on the installation CDs is now separated from the mfsroot image. This permits the use of a full kernel when installing from CD on machines that support CD booting (instead of the stripped-down kernel used on floppies). &merged; The system load average computation now adds some jitter to the timing of samples, in order to avoid synchronization with processes that run periodically. &merged; If a debugging kernel with modules is being built (i.e. using makeoptions DEBUG=-g), the modules will now be built with debugging support as well, for completeness. A side effect of this change is that modules built and installed with debugging kernels will now occupy more space on disk than they did previously. &merged; The kernel dump device can now be set via the dumpdev loader tunable. As a result, it is now possible to obtain crash dumps from panics during the late stages of kernel initialization (before the system enters into single-user mode). &merged; The kernel memory allocator is now a slab memory allocator, similar to that used in Solaris. This is a SMP-safe memory allocator that has near-linear performance as the number of CPUs increases. It also allows for reduced memory fragmentation. SMP support has been largely reworked, incorporating code from BSD/OS 5.0. One of the main features of SMPng (SMP Next Generation) is to allow more processes to run in kernel, without the need for spin locks that can dramatically reduce the efficiency of multiple processors. Interrupt handlers now have contexts associated with them that allow them to be blocked, which reduces the need to lock out interrupts. Support for the 80386 processor has been removed from the GENERIC kernel, as this code seriously pessimizes performance on other IA32 processors. The I386_CPU kernel option to support the 80386 processor is now mutually exclusive with support for other IA32 processors; this should slightly improve performance on the 80386 due to the elimination of runtime processor type checks. Custom kernels that will run on the 80386 can still be built by changing the cpu options in the kernel configuration file to only include I386_CPU. AlphaServer 1200 (Tincup) has been tested and works OK. Currently it does not want to boot from CD or floppy but a transplanted disk that was installed on another Alpha works well. &merged; The API UP1100 mainboard has been verified to work. The API CS20 1U high server has been verified to work. The DEC3000 series support has been removed from the mfsroot floppy image so that it fits on a 1.44 Mbyte floppy again. As the DEC3000 is currently only usable diskless this should not cause any problems. Support for AlphaServer 2100A (Lynx) has been added. Kernel code has been added that allows older generation Alpha CPUs (EV4 and EV5) to emulate instructions of the newer Alpha CPU generations. This enables the use of binary-only programs like Adobe Acrobat 4 on EV4 and EV5. SMP support for the Alpha is now operational. Detection for new processors, such as the FC-PGA2 Pentium III (Tualatin), Transmeta Crusoe, and Transmeta Crusoe LongRun, has been added. &merged; Support for the following hardware has been removed from the installation kernel to make it fit on a 1.44MB floppy again: Multia, NoName, PC64, EB64, Aspen Alpine, sa (SCSI tape), amr, parallel port support, vx (3c590, 3c595), pcn (AMD Am79C97x PCI 10/100), sf (Adaptec AIC-6915), sis (SiS 900/SiS 7016), ste (Sundance ST201 (D-Link DFE-550TX)), wb (Winbond W89C840F). Support for Streaming SIMD Extensions (SSE) has been introduced. The CPU_ENABLE_SSE kernel option controls whether support is compiled into the kernel. &merged; The CPU_ATHLON_SSE_HACK kernel option has been added, which attempts to enable the SSE feature bit on newer Athlon CPUs if the BIOS has forgotten to enable it. &merged; The UltraSPARC platform is now supported by &os;. The following machines are supported to at least some degree: Ultra 1/2/5/10/30/60, Enterprise 220R/420R, Netra T1 AC200/DC200, Netra T 105, and Blade 100. SMP is supported, and has been tested on the Ultra 2, Ultra 60, Enterprise 220R, and Enterprise 420R. On some systems, the BIOS does not activate the I/O ports and memory of PC devices, thus making them unusable. The PCI_ENABLE_IO_MODES kernel option forces &os; to enable these devices so that they can be used. &merged; boot2 now supports a -n option to disallow boot interruption by keypresses. &merged; A new cdboot bootstrap utility for CDROMs provides better compatability with some BIOS implementations that do not completely implement the El Torito bootable CDROM standard. This boot loader supports no emulation mode booting, thus eliminating the need for an emulated floppy disk image on a bootable CDROM. &merged; The i386 boot loader now has support for a nullconsole console type, for use on systems with neither a video console nor a serial port. &merged; The &man.loader.8; now has optional support (enabled at compile-time, off by default) for loading bzip2-compressed kernels and modules. &merged; Support for Intel's Wired for Management 2.0 (PXE) was added to the &os; boot loader. Due to API differences, the older PXE versions are not supported. This allow network booting using DHCP. &merged; The &os; boot loader now contains a workaround to support CDROM booting on certain IBM BIOSs that expect the first sector of the emulated floppy to contain a valid MS-DOS BPB that they can modify. &merged; The &os; boot loader now supports a -p flag to force the kernel to pause after each line of output during the probing phase. &merged; The &os; boot loader is now capable of booting from filesystems with block sizes larger than 8K. &merged; The kernel and modules have been moved to the directory /boot/kernel, so they can be easily manipulated together. The boot loader has been updated to make this change as seamless as possible. The &man.an.4; driver for Cisco Aironet cards now supports Wired Equivalent Privacy (WEP) encryption, settable via &man.ancontrol.8;. &merged; The &man.an.4; driver now supports the Cisco Aironet 350 series of adaptors. &merged; The &man.an.4; driver now supports monitor mode, settable via the -M option to &man.ancontrol.8;. &merged; The &man.an.4; driver now supports Cisco LEAP, as well as the Home WEP key. The Linux Aironet utilities are now supported under emulation. &merged; Generic support for ARCNET token-based networks has been added. &merged; The &man.bge.4; driver has been added to support the Broadcom BCM570x family of Gigabit Ethernet controllers, including the 3Com 3c996-T, the SysKonnect SK-9D21 and SK-9D41, and the built-in Gigabit Ethernet NICs on Dell PowerEdge 2550 servers. Output TCP/IP checksum offload, jumbo frames and VLAN tag insertion/stripping are supported, as well as interrupt moderation. &merged; The cm driver has been added to support SMC COM90cx6 ARCNET network adapters. &merged; The &man.dc.4; driver now supports NICs based on the Xircom 3201 and Conexant LANfinity RS7112 chips. The &man.dc.4; driver now has support for VLANs. &merged; The &man.de.4; driver now performs round-robin arbitration between the transmit and receive units of the 21143, instead of giving priority to the receive unit. This gives a 10–15% performance improvement in the forwarding rate under heavy load. &merged; The &man.ed.4; driver is now supported. Linksys Fast Ethernet PCCARD cards supported by the &man.ed.4; driver now require the addition of flag 0x80000 to their config line in &man.pccard.conf.5;. This flag is not optional. These Linksys cards will not be recognized without it. &merged; A bug in the &man.ed.4; driver that could cause panics with very short packets and BPF or bridging active has been fixed. &merged; The &man.ed.4; driver now has support for D-Link DL10022 chips, necessary for the NetGear FA-410TX and other cards. As a result, device miibus is required in kernel configurations using the &man.ed.4; driver. &merged; The &man.el.4; driver can now be loaded as a module. The &man.em.4; driver has been added to support NICs based on the Intel 82542, 82543, and 82544 Gigabit Ethernet controller chips. The driver supports transmit/receive checksum offload and jumbo frames on 82543 and 82544-based adapters. &merged; The &man.faith.4; device is now loadable, unloadable, and clonable. &merged; Support for Fujitsu MB86960A/MB86965A based Ethernet PC-Cards has been added back in the &man.fe.4; driver. &merged; The &man.fpa.4; driver now supports Digital's DEFPA FDDI adaptors on the Alpha. &merged; The &man.fxp.4; driver now requires a device miibus entry in the kernel configuration file. &merged; The &man.fxp.4; driver now contains a workaround for PCI protocol violations caused by defects in some systems based on the Intel ICH2/ICH2-M chip. The workaround is to rewrite the EEPROM on the interface to disable Dynamic Standby Mode; once the EEPROM is rewritten, the system needs to be rebooted for the new settings to take effect. &merged; The &man.fxp.4; driver now supports Intel's loadable microcode to implement receive-side interrupt coalescing and packet bundling, on NICs that support these features. This support can be activated by the use of the link0 option to &man.ifconfig.8;. &merged; The gem driver has been added to support the Sun GEM Gigabit Ethernet and ERI Fast Ethernet adapters. The &man.gx.4; driver has been added to support NICs based on the Intel 82542 and 82543 Gigabit Ethernet controller chips. Both fiber and copper variants of the cards are supported. Both boards support VLAN tagging/insertion, and the 82543 additionally supports TCP/IP checksum offload. &merged; The hme driver has been added to support the Sun HME Fast Ethernet adapter, onboard on many Sun Ultra series machines. The &man.lge.4; driver has been added to support the Level 1 LXT1001 NetCellerator Gigabit Ethernet controller chip. This device is used on some fiber optic GigE cards from SMC, D-Link and Addtron. Jumbograms and TCP/IP checksum offload on receive are supported, although hardware VLAN filtering is not. &merged; The my driver, which supports the Myson Fast Ethernet and Gigabit Ethernet adapters, has been added. &merged; Added the &man.nge.4; driver, which supports PCI Gigabit Ethernet adapters based on the National Semiconductor DP83820 and DP83821 Gigabit Ethernet controller chips, including the D-Link DGE-500T, SMC EZ Card 1000 (SMC9462TX), Asante FriendlyNet GigaNIC 1000TA and 1000TPC and Addtron AEG320T. This driver supports transmit and receive checksum offloading. &merged; The &man.pcn.4; driver, which supports the AMD PCnet/FAST, PCnet/FAST+, PCnet/FAST III, PCnet/PRO, PCnet/Home, and HomePNA adapters, has been added. Although these cards are already supported by the &man.lnc.4; driver, the &man.pcn.4; driver runs these chips in 32-bit mode and uses the RX alignment feature to achieve zero-copy receive. This driver is also machine-independent, so it will work on both the i386 and Alpha platforms. The &man.lnc.4; driver is still needed to support non-PCI cards. &merged; The &man.ray.4; driver, which supports the Webgear Aviator wireless network cards, has been committed. The operation of &man.ray.4; interfaces can be modified by &man.raycontrol.8;. &merged; The sbni driver, for supporting the Granch SBNI12 series of ISA and PCI point-to-point communications interfaces, has been added. The sysutils/sbniconfig port in the &os; Ports Collection can be used for configuring these devices. &merged; Added support for PCI Ethernet adapters based on the SiS 900 and SiS 7016 Fast Ethernet controller chips (for example, as seen on the SiS 635 and 735 motherboard chipsets), as well as the National Semiconductor DP83815 chipset (including the NetGear FA311-TX and FA312-TX) in the form of the &man.sis.4; driver. This device has support for VLANs. &merged; The snc driver for the National Semiconductor DP8393X (SONIC) Ethernet controller has been added. Currently, this driver is only used on the PC-98 architecture. &merged; The &man.stf.4; device is now clonable. The &man.tap.4; driver, a virtual Ethernet device driver for bridged configurations, has been added. This device is clonable. &merged; The &man.ti.4; driver now supports the Alteon AceNIC 1000baseT Gigabit Ethernet and Netgear GA620T 1000baseT Gigabit cards. &merged; The &man.ti.4; driver correctly masks VLAN tags. &merged; The &man.txp.4; driver has been added to support NICs based on the 3Com 3XP Typhoon/Sidewinder (3CR990) chipset. &merged; &man.vlan.4; devices are now loadable, unloadable, and clonable. &merged; The &man.wi.4; driver now has support for Prism II and Prism 2.5-based NICs. 104/128-bit WEP now works on Prism cards. &merged; The &man.wi.4; driver now supports using a &os; host as a wireless access point. This functionality can be enabled using the mediaopt hostap option of &man.ifconfig.8;. This feature requires a wireless adapter based on the Prism II chipset. &merged; The &man.wi.4; driver now has support for bsd-airtools. &merged; The xe driver can now be built as a module. &merged; The &man.xl.4; driver now supports the 3Com 3C556 and 3C556B MiniPCI adapters used on some laptops. &merged; The &man.xl.4; driver now supports reception of VLAN tagged frames (on the Cyclone or newer chipsets). &merged; The &man.xl.4; driver now supports send- and receive-side TCP/IP checksum offloading for NICs implementing this feature, such as the 3C905B, 3C905C, and 3C980C. &merged; A bug in the &man.xl.4; driver, related to statistics overflow interrupt handling, was causing slowdowns at medium to high packet rates; this has been fixed. &merged; The per-interface ifnet structure now has the ability to indicate a set of capabilities supported by a network interface, and which ones are enabled. &man.ifconfig.8; has support for querying these capabilities. &merged; Performance with hosts having a large number of IP aliases has been improved, by replacing the per-interface if_inaddr linear list with a hash table. &merged; Network devices now automatically appear as special files in /dev/net. Interface hardware ioctls (not protocol or routing) can be performed on these devices. The SIOCGIFCONF ioctl may be performed on the special /dev/network node. Selected network drivers now implement a semi-polling mode, which makes systems much more resilient to attacks and overloads. To enable polling, the following options are required in a kernel configuration file: options DEVICE_POLLING options HZ=1000 # not compulsory but strongly recommended The kern.polling.enable sysctl variable will then activate polling mode; with the kern.polling.user_frac sysctl indicating the percentage of CPU time to be reserved for userland. The devices initially supporting polling are &man.dc.4;, &man.fxp.4;, &man.rl.4;, and &man.sis.4;. More details can be found in the &man.polling.4; manual page. &merged; The packet-forwarding performance of certain network drivers (specifically &man.dc.4; and &man.sis.4;) has been enhanced by the elimination of unnecessary buffer copies. &merged; &man.accept.filter.9;, a kernel feature to reduce overheads when accepting and reading new connections on listening sockets, has been added. &merged; The proxy modifier to &man.arp.8;'s -d option has been renamed to pub, for consistency with the -s option. The only keyword has been added to the -s and -S flags, to be used in creating proxy-only published entries. &merged; The read timeout feature of &man.bpf.4; now works more correctly with &man.select.2;/&man.poll.2;, and therefore with pthreads. &merged; &man.bridge.4; and &man.dummynet.4; have received some enhancements and bug fixes, and are now loadable modules. &merged; &man.bridge.4; now has better support for multiple, fully-independent bridging clusters, and is much more stable in the presence of dynamic attachments and detatchments. Full support for VLANs is also supported. &merged; ICMP ECHO and TSTAMP replies are now rate limited. TCP RSTs generated due to packets sent to open and unopen ports are now limited by separate counters. Each rate limiting queue now has its own description. ICMP UNREACH_FILTER_PROHIB messages can now RST TCP connections in the SYN_SENT state if the correct sequence numbers are sent back, as controlled by the net.inet.tcp.icmp_may_rst sysctl. &merged; IP multicast now works on VLAN devices. Several other bugs in the VLAN code have also been fixed. A bug in the IPSec processing for IPv4, which caused the inbound SPD checks to be ignored, has been fixed. &merged; &man.ipfw.4; now filters correctly in the presence of ECN bits in TCP segments. &merged; A new ng_eiface netgraph module has been added, which appears as an Ethernet interface but delivers its Ethernet frames to a Netgraph hook. &merged; A new &man.ng.etf.4; netgraph node allows Ethernet type packets to be filtered to different hooks depending on ethertype. &merged; The &man.ng.gif.4; and &man.ng.gif.demux.4; netgraph nodes, for operating on &man.gif.4; devices, have been added. The &man.ng.ip.input.4; netgraph node, for queueing IP packets into the main IP input processing code, has been added. The &man.ng.mppc.4; and &man.ng.bridge.4; node types have been added to the &man.netgraph.4; subsystem. The &man.ng.ether.4; node is now dynamically loadable. Miscellaneous bug fixes and enhancements have also been made. &merged; A new netgraph node type &man.ng.one2many.4; for multiplexing and demultiplexing packets over multiple links has been added. &merged; A new sysctl net.inet.ip.check_interface, which is on by default, causes IP to verify that an incoming packet arrives on an interface that has an address matching the packet's destination address. &merged; A new sysctl net.link.ether.inet.log_arp_wrong_iface has been added to control the suppression of logging when ARP replies arrive on the wrong interface. &merged; A new options RANDOM_IP_ID kernel option causes the ID field of IP packets to be randomized. This closes a minor information leak which allows a remote observer to determine the rate at which the machine is generating packets, since the default behavior is to increment a counter for each packet sent. &merged; SLIP has been removed from the mfsroot floppy image. TCP has received some bug fixes for its delayed ACK behavior. &merged; TCP now supports the NewReno modification to the TCP Fast Recovery algorithm. This behavior can be controlled via the net.inet.tcp.newreno sysctl variable. &merged; TCP now uses a more aggressive timeout for initial SYN segments; this allows initial connection attempts to be dropped much faster. &merged; The TCP_COMPAT_42 kernel option has been removed. &merged; The TCP_RESTRICT_RST kernel option has been removed. Similar functionality can be achieved with the net.inet.tcp.blackhole sysctl variable. &merged; TCP now has RFC 1323 extensions enabled by default in &man.rc.conf.5;. &merged; RFC 1323 and RFC 1644 TCP extensions are now disabled for a connection in progress if no response has been received by the third SYN segment sent. This behavior tries to work around (very old) terminal servers with buggy VJ header compression implementations. &merged; The TCP implementation no longer requires the allocation of a TCP template structure for each connection; this should reduce the buffer usage on large systems handling many connections. &merged; TCP's default buffer sizes, controlled by the net.inet.tcp.sendspace and net.inet.tcp.recvspace sysctl variables, have been increased to 32K and 64K respectively. Previously, the default for both buffer sizes was 16K. To try to avoid increasing congestion, the default value for net.inet.tcp.local_slowstart_flightsize has been changed from infinity to 4. &merged; On busy hosts, the new larger buffer sizes may require manually increasing the NMBCLUSTERS parameter, either in the kernel configuration file or via the kern.ipc.nmbclusters loader tunable. netstat -mb can be used to monitor the state of mbuf clusters. TCP now supports RFC 1948 (Defending Against Sequence Number Attacks). The net.inet.tcp.isn_reseed_interval sysctl variable controls the reseeding of the secret data used in the RFC 1948 initial sequence number calculations. &merged; The TCP implementation in &os; now implements a cache of outstanding, received SYN segments. Incoming SYN segments now cause entries to be placed in the cache until the TCP three-way handshake is complete, at which point, memory is allocated for the connection as usual. In addition, all TCP Initial Sequence Numbers (ISNs) are used as cookies, allowing entries in the cache to be dropped, but still have their corresponding ACKs accepted later. The combination of the so-called syncache and syncookies features makes a host much more resistant to TCP-based Denial of Service attacks. Work on this feature was sponsored by DARPA and NAI Labs. &merged; A bug in the TCP implementation, which could cause connections to stall if a sender saw a zero-sized window, has been corrected. &merged; The TCP implementation now properly ignores packets addressed to IP-layer broadcast addresses. &merged; The ephemeral port range used for TCP and UDP has been changed to 49152–65535 (the old default was 1024–5000). This increases the number of concurrent outgoing connections/streams. Support for the Adaptec FSA family of PCI-SCSI RAID controllers has been added, in the form of the &man.aac.4; driver. This driver includes proper handling of commands initiated by the adapter, addition/removal of disk devices, crashdump functionality, and &man.ioctl.2; commands necessary for the management CLI, and is fully qualified and sanctioned by Adaptec. &merged; The &man.ahc.4; driver has received numerous updates, bugfixes, and enhancements. Among various improvements are improved compatibility with chips in RAID Port mode and systems with AAA and/or ARO cards installed, as well as performance improvements. Some bugs were also fixed, including a rare hang on Ultra2/U160 controllers. &merged; The &man.asr.4; driver, which provides support for the Adaptec SCSI RAID controller family, as well as the DPT SmartRAID V and VI families, has been added. &merged; The &man.asr.4; driver now supports the Adaptec 2000S and 2005S Zero-Channel RAID controllers. &merged; The &man.ata.4; driver now has support for ATA100 controllers. In addition, it now supports the ServerWorks ROSB4 ATA33 chipset, the CMD 648 ATA66 and CMD 649 ATA100 chipsets, and the Cyrix 5530. &merged; To provide more flexible configuration, the various options for the &man.ata.4; driver are now boot loader tunables, rather than kernel configure-time options. &merged; The &man.ata.4; driver now has support for tagged queuing, which is enabled by the hw.ata.tags loader tunable. &merged; The &man.ata.4; driver now has support for ATA pseudo RAID controllers as the Promise Fasttrak and HighPoint HPT370 controllers. &merged; The &man.ata.4; driver now supports a wider variety of SiS chipsets, as listed in the Hardware Notes. &merged; The &man.ata.4; driver now has support for creating, deleting, querying, and rebuilding ATA RAIDs under control of &man.atacontrol.8;. &merged; The BurnProof(TM) feature, for applicable ATAPI CD-ROM burners, is now supported. &merged; The &man.ata.4; driver now has support for 48-bit addressing. Devices larger than 137GB are now supported. &merged; The &man.ata.4; driver now contains fixes for some data corruption problems on systems using the VIA 82C686B Southbridge chip. &merged; The CAM error recovery code has been updated. The &man.cd.4; driver now has support for write operations. This allows writing to DVD-RAM, PD and similar drives that probe as CD devices. Note that change affects only random-access writeable devices, not sequential-only writeable devices such as CD-R drives, which are supported by &man.cdrecord.1; (a part of sysutils/cdrtools in the Ports Collection. &merged; The ciss driver, for devices utilizing the Common Interface for SCSI-3 Support, has been added. This driver supports the Compaq SmartRAID 5* family of RAID controllers (5300, 532, 5i). &merged; The &man.fdc.4; floppy disk has undergone a number of enhancements. Density selection for common settings is now automatic; the driver is also much more flexible in setting the densities of various subdevices. The &man.geom.4; disk I/O request transformation framework has been added; this extensible framework is designed to support a wide variety of operations on I/O requests on their way from the upper kernel to the device drivers. The ida disk driver now has crashdump support. &merged; The iir driver has been added to support the Intel Integrated RAID controllers, as well as prior ICP Vortex controllers. A bug that made certain CDROM drives fail to attach when connected to a SCSI card driven by &man.isp.4; has been fixed. &merged; The &man.isp.4; driver is now proactive about discovering Fibre Channel topology changes. The &man.isp.4; driver now supports target mode for Qlogic SCSI cards, including Ultra2 and Ultra3 and dual bus cards. The &man.isp.4; driver now supports the Qlogic 2300 and 2312 Optical Fibre Channel PCI cards. &merged; &man.md.4;, the memory disk device, has had the functionality of &man.vn.4; incorporated into it. &man.md.4; devices can now be configured by &man.mdconfig.8;. &man.vn.4; has been removed. The Memory Filesystem (MFS) has also been removed. The &man.mly.4; driver, for Mylex PCI to SCSI AccelRAID and eXtremeRAID controllers with firmware 6.X and later, has been added. &merged; The ncv, nsp, and stg drivers have been ported from NetBSD/pc98. They support the NCR 53C50 / Workbit Ninja SCSI-3 / TMC 18C30, 18C50 based PC-Card/ISA SCSI controllers. All three drivers can be built and loaded as modules. &merged; The ofw driver, a basic OpenFirmware disk driver, has been added. Some problems in &man.sa.4; error handling have been fixed, including the tape drive spinning indefinitely upon &man.mt.1; stat problem. The &man.twe.4; 3ware ATA RAID driver has added. &merged; The &man.vinum.4; volume manager has received some bug fixes and enhancements. The &man.wd.4; compatibility devices were removed from the &man.ata.4; driver. &merged; Support for named extended attributes was added to the &os; kernel. This allows the kernel, and appropriately privileged userland processes, to tag files and directories with attribute data. Extended attributes were added to support the TrustedBSD Project, in particular ACLs, capability data, and mandatory access control labels (see /usr/src/sys/ufs/ufs/README.extattr for details). Due to a licensing change, softupdates have been integrated into the main portion of the kernel source tree. As a consequence, softupdates are now available with the GENERIC kernel. &merged; A filesystem snapshot capability has been added to FFS. Details can be found in /usr/src/sys/ufs/ffs/README.snapshot. Softupdates for FFS have received some bug fixes and enhancements. When running with softupdates, &man.statfs.2; and &man.df.1; will track the number of blocks and files that are committed to being freed. A bug in FFS that could cause superblock corruption on very large filesystems has been corrected. &merged; The Inode Filesystem (IFS) has been added; more information can be found in /usr/src/sys/ufs/ifs/README. The ISO-9660 filesystem now has a hook that supports a loadable character conversion routine. The sysutils/cd9660_unicode port contains a set of common conversions. &merged; &man.kernfs.5; is obsolete and has been retired. A bug in the NFS client that caused bogus access times with O_EXCL|O_CREAT opens was fixed. &merged; A new NFS hash function (based on the Fowler/Noll/Vo hash algorithm) has been implemented to improve NFS performance by increasing the efficiency of the nfsnode hash tables. &merged; Client-side NFS locks have been implemented. The client-side and server-side of the NFS code in the kernel used to be intertwined in various complex ways. They have been split apart for ease of maintenance and further development. Support for file system Access Control Lists (ACLs) has been introduced, allowing more fine-grained control of discretionary access control on files and directories. This support was integrated from the TrustedBSD Project. More details can be found in /usr/src/sys/ufs/ufs/README.acls. The directory layout preference algorithm for FFS (dirprefs) has been changed. Rather than scattering directory blocks across a disk, it attempts to group related directory blocks together. Operations traversing large directory hierarchies, such as the &os; Ports tree, have shown marked speedups. This change is transparent and automatic for new directories. &merged; smbfs (CIFS) support in kernel has been added. The userland programs &man.smbutil.1; and &man.mount.smbfs.8; can be used to work with SMB shares. Note that &man.mount.smbfs.8; will automatically load the smbfs.ko module into the kernel, even if LIBMCHAIN and LIBICONV were not compiled into the kernel. &merged; For consistency, the fdesc, fifo, null, msdos, portal, umap, and union filesystems have been renamed to fdescfs, fifofs, msdosfs, nullfs, portalfs, umapfs, and unionfs. Where applicable, modules and mount_* programs have been renamed. Compatibility glue has been added to &man.mount.8; so that msdos filesystem entries in &man.fstab.5; will work without changes. pseudofs, a pseudo-filesystem framework, has been added. &man.linprocfs.5; and &man.procfs.5; have been modified to use pseudofs. A simple hash-based lookup optimization for large directories called dirhash has been added. Conditional on the UFS_DIRHASH kernel option (enabled by default in the GENERIC kernel), it improves the speed of operations on very large directories at the expense of some memory. &merged; The virtual memory subsystem now backs UFS directory memory requirements by default (this behavior is controlled via the vfs.vmiodirenable sysctl variable). &merged; A bug that prevented the root filesystem from being mounted from a SCSI CDROM has been fixed (ATAPI CDROMs were always supported). &merged; A number of bugs in the filesystem code, discovered through the use of the fsx filesystem test tool, have been fixed. Under certain circumstances (primarily related to use of NFS), these bugs could cause data corruption or kernel panics. &merged; Network filesystems (such as NFS and smbfs filesystems) listed in /etc/fstab can now be properly mounted during startup initialization; their mounts are deferred until after the network is initialized. Read-only support for the Universal Disk Format (UDF) has been added. This format is used on packet-written CD-RWs and most commercial DVD-Video disks. The &man.mount.udf.8; command can be used to mount these disks. The pccard driver and &man.pccardc.8; now support multiple beep types upon card insertion and removal. &merged; On many modern hosts, PCCARD devices can be configured to route their interrupts via either the ISA or PCI interrupt paths. The &man.pcic.4; driver has been updated to support both interrupt paths (formerly, only routing via ISA was supported). &merged; In most cases, configuration of PCMCIA devices in laptops is simpler and more flexible. In addition, various Cardbus bridge PCI cards (such as those used by Orinoco PCI NICs) are now supported. Some hosts may experience problems, such as hangs or panics, with PCI interrupt routing; they can frequently be made to work by forcing the older-style ISA interrupt routing. The following lines, placed in /boot/loader.conf, may fix the problem: hw.pcic.intr_path="1" hw.pcic.irq="0" When installing &os; on such a system, typing the following lines to the boot loader may be helpful in starting up &os; for the first time: ok set hw.pcic.intr_path="1" ok set hw.pcic.irq="0" Preliminary Cardbus support under NEWCARD has been added. This code supports the TI113X, TI12XX, TI125X, Ricoh 5C46/5C47, Topic 95/97/100 and Cirrus Logic PD683X bridges. 16-bit PC Card support is not yet functional. The &man.pcm.4; driver now supports the ESS Solo 1, Maestro-1, Maestro-2, and Maestro-2e; Forte Media fm801, ESS Maestro-2e, and VIA Technologies VT82C686A sound card/chipsets, and has received some other updates. Separate drivers for the SoundBlaster 8 and SoundBlaster 16 now replace an older, unified driver. A driver for the CMedia CMI8338/CMI8738 sound chips has been added. A driver for the CS4281 sound chip has been added. A driver for the S3 SonicVibes chipset has been added. &merged; A driver for the Avance Logic ALS4000 has been added. &merged; A driver for the ESS Maestro-3/Allegro has been added, however due to licensing restrictions, it cannot be compiled into the kernel. &merged; To use this driver, add the following line to /boot/loader.conf: snd_maestro3_load="YES" The &man.bktr.4; driver has been updated to 2.18. This update provides a number of new features. New tuner types have been added, and improvements to the KLD module and to memory allocation have been made. Bugs in &man.devfs.5; when unloading and reloading have been fixed. Support for new Hauppauge Model 44xxx WinTV Cards (the ones with no audio mux) has been added. &merged; The ufm driver, supporting the D-Link DSB-R100 USB Radio, has been added. &merged; When sound modules are built, one can now load all the drivers and infrastructure by kldload snd. &merged; A new API has been added for sound cards with hardware volume control. A driver for the Intel 443MX, 810, 815, and 815E integrated sound devices has been added. &merged; The via82c686 sound driver now supports the VIA VT8233. &merged; The ich sound driver now support the SiS 7012 chipset. &merged; Drivers have been added to support the Direct Rendering Infrastructure, which can used to provide 3D acceleration within XFree86. Video cards supported include the 3Dlabs Oxygen GMX 2000 (gammadrm), AGP Matrox G200/G400/G450/G550 (mgadrm), 3dfx Voodoo 3/4/5/Banshee (tdfxdrm), AGI ATI Rage 128 (r128drm), and AGP ATI Radeon (radeondrm). The Forth Inspired Command Language (FICL) used in the boot loader has been updated to 3.02. Support for Advanced Configuration and Power Interface (ACPI), a multi-vendor standard for configuration and power management, has been added. This functionality has been provided by the Intel ACPI Component Architecture project, as of the ACPI CA 20020308 snapshot. Some backward compatability for applications using the older APM standard has been provided. IPFilter has been updated to 3.4.27. &merged; IPFilter now supports IPv6. &merged; isdn4bsd has been updated to version 1.0.2. The &man.ifpi.4; driver for supporting the AVM Fritz!Card PCI controller has been added. &merged; The &man.ifpi2.4; driver for supporting the AVM Fritz!Card PCI version 2 controller has been added. &merged; The &man.ihfc.4; driver for supporting Cologne Chip Designs HFC devices under isdn4bsd has been added. &merged; The &man.itjc.4; driver for supporting NETjet-S / Teles PCI-TJ devices under isdn4bsd has been added. &merged; Experimental support for the Eicon.Diehl DIVA 2.0 and 2.02 ISA PnP ISDN cards has been added to the &man.isic.4; isdn4bsd driver. &merged; The &man.isic.4; driver now supports the Compaq Microcom 610 ISDN ISA PnP card. &merged; Active CAPI-based ISDN cards manufactured by AVM are now supported using the &man.i4bcapi.4; and the &man.iavc.4; driver. The supported cards are the AVM B1 PCI and AVM B1 ISA Basic Rate cards and the AVM T1 Primary Rate cards. &merged; A new maxconnecttime keyword is now accepted in &man.isdnd.rc.5; files to limit the time a connection may remain open. &merged; &man.isdnphone.8; now supports a -k option for sending messages via the keypad facility to a PBX or exchange office. &merged; isdn4bsd now supports Q.931 subaddressing. The IPv6 stack is now based on a snapshot based on the KAME Project's IPv6 snapshot as of 28 May, 2001. Most of the items listed in this section are a result of this import. lists userland updates to the KAME IPv6 stack. &merged; &man.gif.4; is now based on RFC 2893, rather than RFC 1933. The IFF_LINK2 interface flag can be used to control ingress filtering. &merged; IPSec has received some enhancements, including the ability to use the Rijndael and SHA2 algorithms. IPSec RC5 support has been removed due to patent issues. &merged; &man.stf.4; now conforms to RFC 3056; the IFF_LINK2 interface flag can be used to control ingress filtering. &merged; IPv6 has better checking of illegal addresses (such as loopback addresses) on physical networks. &merged; The IPV6_V6ONLY socket option is now completely supported. The kernel's default behavior with respect to this option is controlled by the net.inet6.ip6.v6only sysctl variable. &merged; RFC 3041 (Privacy Extensions for Stateless Address Autoconfiguration) is now supported. It can be enabled via the net.inet6.ip6.use_tempaddr sysctl variable. &merged; &man.sysinstall.8; now allows the user to select one of two security profiles at install-time. These profiles enable different levels of system security by enabling or disabling various system services in &man.rc.conf.5; on new installs. &merged; A bug in which malformed ELF executable images can hang the system has been fixed (see security advisory FreeBSD-SA-00:41). &merged; A security hole in Linux emulation was fixed (see security advisory FreeBSD-SA-00:42). &merged; String-handling library calls in many programs were fixed to reduce the possibility of buffer overflow-related exploits. &merged; TCP now uses stronger randomness in choosing its initial sequence numbers (see security advisory FreeBSD-SA-00:52). &merged; Several buffer overflows in &man.tcpdump.1; were corrected (see security advisory FreeBSD-SA-00:61). &merged; A security hole in &man.top.1; was corrected (see security advisory FreeBSD-SA-00:62). &merged; A potential security hole caused by an off-by-one-error in &man.gethostbyname.3; has been fixed (see security advisory FreeBSD-SA-00:63). &merged; A potential buffer overflow in the &man.ncurses.3; library, which could cause arbitrary code to be run from within &man.systat.1;, has been corrected (see security advisory FreeBSD-SA-00:68). &merged; A vulnerability in &man.telnetd.8; that could cause it to consume large amounts of server resources has been fixed (see security advisory FreeBSD-SA-00:69). &merged; The nat deny_incoming command in &man.ppp.8; now works correctly (see security advisory FreeBSD-SA-00:70). &merged; A vulnerability in &man.csh.1;/&man.tcsh.1; temporary files that could allow overwriting of arbitrary user-writable files has been closed (see security advisory FreeBSD-SA-00:76). &merged; The &man.ssh.1; binary is no longer SUID root by default. &merged; Some fixes were applied to the Kerberos IV implementation related to environment variables, a possible buffer overrun, and overwriting ticket files. &merged; &man.telnet.1; now does a better job of sanitizing its environment. &merged; Several vulnerabilities in &man.procfs.5; were fixed (see security advisory FreeBSD-SA-00:77). &merged; A bug in OpenSSH in which a server was unable to disable &man.ssh-agent.1; or X11Forwarding was fixed (see security advisory FreeBSD-SA-01:01). &merged; A bug in &man.ipfw.8; and &man.ip6fw.8; in which inbound TCP segments could incorrectly be treated as being part of an established connection has been fixed (see security advisory FreeBSD-SA-01:08). &merged; A bug in &man.crontab.1; that could allow users to read any file on the system in valid &man.crontab.5; syntax has been fixed (see security advisory FreeBSD-SA-01:09). &merged; A vulnerability in &man.inetd.8; that could allow read-access to the initial 16 bytes of wheel-accessible files has been fixed (see security advisory FreeBSD-SA-01:11). &merged; A bug in &man.periodic.8; that used insecure temporary files has been corrected (see security advisory FreeBSD-SA-01:12). &merged; OpenSSH now has code to prevent (instead of just mitigating through connection limits) an attack that can lead to guessing the server key (not host key) by regenerating the server key when an RSA failure is detected (see security advisory FreeBSD-SA-01:24). &merged; A number of programs have had output formatting strings corrected so as to reduce the risk of vulnerabilities. &merged; A number of programs that use temporary files now do so more securely. &merged; A bug in ICMP that could cause an attacker to disrupt TCP and UDP sessions has been corrected. &merged; A bug in &man.timed.8;, which caused it to crash if send certain malformed packets, has been corrected (see security advisory FreeBSD-SA-01:28). &merged; A bug in &man.rwhod.8;, which caused it to crash if send certain malformed packets, has been corrected (see security advisory FreeBSD-SA-01:29). &merged; A security hole in &os;'s FFS and EXT2FS implementations, which allowed a race condition that could cause users to have unauthorized access to data, has been fixed (see security advisory FreeBSD-SA-01:30). &merged; A remotely-exploitable vulnerability in &man.ntpd.8; has been closed (see security advisory FreeBSD-SA-01:31). &merged; A security hole in IPFilter's fragment cache has been closed (see security advisory FreeBSD-SA-01:32). &merged; Buffer overflows in &man.glob.3;, which could cause arbitrary code to be run on an FTP server, have been closed. In addition, to prevent some forms of DOS attacks, &man.glob.3; allows specification of a limit on the number of pathname matches it will return. &man.ftpd.8; now uses this feature (see security advisory FreeBSD-SA-01:33). &merged; Initial sequence numbers in TCP are more thoroughly randomized (see security advisory FreeBSD-SA-01:39). Due to some possible compatibility issues, the behavior of this security fix can be enabled or disabled via the net.inet.tcp.tcp_seq_genscheme sysctl variable.&merged; A vulnerability in the &man.fts.3; routines (used by applications for recursively traversing a filesystem) could allow a program to operate on files outside the intended directory hierarchy. This bug has been fixed (see security advisory FreeBSD-SA-01:40). &merged; OpenSSH now switches to the user's UID before attempting to unlink the authentication forwarding file, nullifying the effects of a race. A flaw allowed some signal handlers to remain in effect in a child process after being exec-ed from its parent. This allowed an attacker to execute arbitrary code in the context of a setuid binary. This flaw has been corrected (see security advisory FreeBSD-SA-01:42). &merged; A remote buffer overflow in &man.tcpdump.1; has been fixed (see security advisory FreeBSD-SA-01:48). &merged; A remote buffer overflow in &man.telnetd.8; has been fixed (see security advisory FreeBSD-SA-01:49). &merged; The new net.inet.ip.maxfragpackets and net.inet.ip6.maxfragpackets sysctl variables limit the amount of memory that can be consumed by IPv4 and IPv6 packet fragments, which defends against some denial of service attacks (see security advisory FreeBSD-SA-01:52). &merged; All services in inetd.conf are now disabled by default for new installations. &man.sysinstall.8; gives the option of enabling or disabling &man.inetd.8; on new installations, as well as editing inetd.conf. &merged; A flaw in the implementation of the &man.ipfw.8; me rules on point-to-point links has been corrected. Formerly, me filter rules would match the remote IP address of a point-to-point interface in addition to the intended local IP address (see security advisory FreeBSD-SA-01:53). &merged; A vulnerability in &man.procfs.5;, which could allow a process to read sensitive information from another process's memory space, has been closed (see security advisory FreeBSD-SA-01:55). &merged; The PARANOID hostname checking in tcp_wrappers now works as advertised (see security advisory FreeBSD-SA-01:56). &merged; A local root exploit in &man.sendmail.8; has been closed (see security advisory FreeBSD-SA-01:57). &merged; A remote root vulnerability in &man.lpd.8; has been closed (see security advisory FreeBSD-SA-01:58). &merged; A race condition in &man.rmuser.8; that briefly exposed a world-readable /etc/master.passwd has been fixed (see security advisory FreeBSD-SA-01:59). &merged; A vulnerability in UUCP has been closed (see security advisory FreeBSD-SA-01:62). All non-root-owned binaries in standard system paths now have the schg flag set to prevent exploit vectors when run by &man.cron.8;, by root, or by a user other then the one owning the binary. In addition, &man.uustat.1; is now run via /etc/periodic/daily/410.status-uucp as uucp, not root. In &os; -CURRENT, UUCP has since been moved to the Ports Collection and no longer a part of the base system. &merged; A security hole in the form of a buffer overflow in the &man.semop.2; system call has been closed. &merged; A security hole in OpenSSH, which could allow users to execute code with arbitrary privileges if UseLogin yes was set, has been closed. Note that the default value of this setting is UseLogin no. (See security advisory FreeBSD-SA-01:63.) &merged; The use of an insecure temporary directory by &man.pkg.add.1; could permit a local attacker to modify the contents of binary packages while they were being installed. This hole has been closed. (See security advisory FreeBSD-SA-02:01.) &merged; A race condition in &man.pw.8;, which could expose the contents of /etc/master.passwd, has been eliminated. (See security advisory FreeBSD-SA-02:02.) &merged; A bug in &man.k5su.8; could have allowed a process that had given up superuser privileges to regain them. This bug has been fixed. (See security advisory FreeBSD-SA-02:07.) &merged; An off-by-one bug has been fixed in OpenSSH's multiplexing code. This bug could have allowed an authenticated remote user to cause &man.sshd.8; to execute arbitrary code with superuser privileges, or allowed a malicious SSH server to execute arbitrary code on the client system with the privileges of the client user. (See security advisory FreeBSD-SA-02:13.) &merged; A programming error in zlib could result in attempts to free memory multiple times. The &man.malloc.3;/&man.free.3; routines used in &os; are not vulnerable to this error, but applications receiving specially-crafted blocks of invalid compressed data could be made to function incorrectly or abort. This zlib bug has been fixed. For a workaround and solutions, see security advisory FreeBSD-SA-02:18. &merged; Bugs in the TCP SYN cache (syncache) and SYN cookie (syncookie) implementations, which could cause legitimate TCP/IP traffic to crash a machine, have been fixed. For a workaround and patches, see security advisory FreeBSD-SA-02:20. &merged; A routing table memory leak, which could allow a remote attacker to exhaust the memory of a target machine, has been fixed. A workaround and patches can be found in security advisory FreeBSD-SA-02:21. &merged; A bug with memory-mapped I/O, which could cause a system crash, has been fixed. For more information about a solution, see security advisory FreeBSD-SA-02:22. &merged; A security hole, in which SUID programs could be made to read from or write to inappropriate files through manipulation of their standard I/O file descriptors, has been fixed. Information regarding a solution can be found in security advisory FreeBSD-SA-02:23. &merged; A bug has been fixed in the implementation of the TCP SYN cache (syncache), which could allow a remote attacker to deny access to a service when accept filters (see &man.accept.filter.9;) were in use. This bug has been fixed. &merged; If the first argument to &man.ancontrol.8; or &man.wicontrol.8; doesn't start with a -, it is assumed to be an interface. &man.apmd.8; now has the ability to monitor battery levels and execute commands based on percentage or minutes of battery life remaining via the apm_battery configuration directive. See the commented-out examples in /etc/apmd.conf for the syntax. &merged; &man.arp.8; now prints the applicable interface name for each ARP entry. &merged; &man.arp.8; now prints [fddi] or [atm] tags for addresses on interfaces of those types. &man.at.1; now supports the -r command-line option to remove jobs and the -t option to specify times in POSIX time format. &man.atacontrol.8; has been added to control various aspects of the &man.ata.4; driver. &merged; The system &man.awk.1; now refers to BWK awk. GNU awk is now available as &man.gawk.1;. &man.boot98cfg.8;, a PC-98 boot manager installation and configuration utility, has been added. &merged; &man.burncd.8; now supports a -m option for multisession mode (the default behavior now is to close disks as single-session). A -l option to take a list of image files from a filename was also added; - can be used as a filename for stdin. &merged; &man.burncd.8; now supports Disk At Once (DAO) mode, selectable via the -d flag. &man.burncd.8; now has the ability to write VCDs/SVCDs. &man.c89.1; has been converted from a shell script to a binary executable, fixing some minor bugs. &merged; A minimalized version of &man.camcontrol.8; is now available on the installation floppy. This allows it to rescan for devices that have been connected after booting, or to show the devices attached to SCSI busses (e. g. from within the emergency holographic shell). &merged; &man.cat.1; now has the ability to read from UNIX-domain sockets. &merged; &man.cdcontrol.1; now supports a cdid command, which calculates and displays the CD serial number, using the same algorithm used by the CDDB database. &merged; &man.cdcontrol.1; now uses the CDROM environment variable to pick a default device. &merged; &man.cdcontrol.1; now supports next and prev commands to skip forwards or backwards a specified number of tracks while playing an audio CD. &merged; On ATAPI CDROM drives, &man.cdcontrol.1; now supports a speed command to set the maximum speed to be used by the drive. &man.chflags.1; has moved from /usr/bin to /bin. &man.chio.1; now has the ability to specify elements by volume tag instead of by their physical location as well as the ability to return an element to its previous location. &merged; &man.chmod.1; now supports a -h for changing the mode of a symbolic link. &man.chown.8; now correctly follows symbolic links named as command line arguments if run without -R. &merged; &man.chown.8; no longer takes . as a user/group delimeter. This change was made to support usernames containing a .. Use of the CSMG_* macros no longer require inclusion of <sys/param.h> &man.col.1; now takes a -p flag to force unknown control sequences to be passed through unchanged. &merged; The compat3x distribution has been updated to include libraries present in &os; 3.5.1-RELEASE. &merged; A compat4x distribution has been added for compatibility with &os; 4-STABLE. &man.config.8; is now better about converting various warnings that should have been errors into actual fatal errors with an exit code. This ensures that make buildkernel doesn't quietly ignore them and build a bogus kernel without a human to read the errors. &merged; A number of buffer overflows in &man.config.8; have been fixed. &merged; A new &man.csplit.1; utility, which splits files based on context, has been added. &man.ctags.1; no longer creates a corrupt tags file if the source file used // (C++-style) comments. &merged; The &man.daemon.8; program, a command-line interface to &man.daemon.3;, has been added. It detaches itself from its controlling terminal and executes a program specified on the command line. This allows the user to run an arbitrary program as if it were written to be a daemon. devinfo, a simple tool to print the device tree and resource usage by devices, has been added. &man.df.1; now takes a -l option to only display information about locally-mounted filesystems. &merged; &man.disklabel.8; now supports partition sizes expressed in kilobytes, megabytes, or gigabytes, in addition to sectors. &merged; &man.diskpart.8; has been declared obsolete, and has been removed. &man.dmesg.8; now has a -a option to show the entire message buffer, including &man.syslogd.8; records and /dev/console output. &merged; &man.du.1; now takes a -I command-line flag to ignore/skip files and subdirectories matching a specified shell-glob mask. &merged; &man.dump.8; now supports inheritance of the nodump flag down a hierarchy. &merged; The -T option to &man.dump.8; no longer swallows an extra argument. &merged; &man.dump.8; has a new -D option, allowing the path to the /etc/dumpdates file to be changed. &merged; &man.dump.8; now supplies progress information in its process title, useful for monitoring automated backups. &merged; &man.dump.8; now supports a new -S to allow it to just print out the dump size estimates and exit. &man.edquota.8; now takes a -f option to allow limiting the prototype quota distribution (specified with -p) to a single filesystem. &merged; /etc/rc.firewall and /etc/rc.firewall6 will no longer add their own hardcoded rules in the cases of a rules file in the firewall_type variable or a non-existent firewall type. (The motivation for this change is to avoid acting on assumptions about a site's firewall policies.) In addition, the closed firewall type now works as documented in the &man.rc.firewall.8; manual page. &merged; The functionality of /etc/security has been been moved into a set of scripts under the &man.periodic.8; framework, to make local customization easier and more maintainable. These scripts now reside in /etc/periodic/security/. &merged; &man.expr.1; is now compliant with the POSIX Utility Syntax Guidelines. Some programs depend on the old, historic behavior (the devel/libtool port/package was/is a notable example). In these situations, the EXPR_COMPAT environment variable can be defined, which causes &man.expr.1; to behave more like previous versions. &man.fbtab.5; now accepts glob matching patterns for target devices, not just individual devices and directories. &man.fdisk.8; no longer attempts to search for a device if none has been specified on the command line, but instead tries to figure out the default device name from the root device. &man.fdread.1;, a program to read data from floppy disks, has been added. It is a counterpart to &man.fdwrite.1; and is designed to provide a means of recovering at least some data from bad media, and to obviate for a complex invocation of &man.dd.1;. &man.find.1; now takes the -empty flag, which returns true if a file or directory is empty. &merged; &man.find.1; now takes the -iname and -ipath primaries for case-insensitive matches, and the -regexp and -iregexp primaries for regular-expression matches. The -E flag now enables extended regular expressions. &merged; &man.find.1; now has the -anewer, -cnewer, -mnewer, -okdir, and -newer[acm][acmt] primaries for comparisons of file timestamps. The latter primaries can be specified with various units of time. &merged; &man.finger.1; now has the ability to support fingering aliases, via the &man.finger.conf.5; file. &merged; &man.finger.1; now has support for a .pubkey file. &man.fmt.1; has been rewritten; the rewrite fixes a number of bugs compared to its prior behavior. &merged; &man.fmtcheck.3;, a function for checking consistency of format string arguments, has been added. &merged; &man.fold.1; now supports a -b flag to break at byte positions and a -s to break at word boundaries. &man.fsdb.8; now supports a blocks command to list the blocks allocated by a particular inode. &merged; &man.fsck.8; wrappers have been imported; this feature provides infrastructure for &man.fsck.8; to work on different types of filesystems (analogous to &man.mount.8;). The behavior of &man.fsck.8; when dealing with various passes (a la /etc/fstab) has been modified to accommodate multiple-disk filesystems. &man.fsck.8; now has support for foreground (-F) and background (-B) checks. Traditionally, &man.fsck.8; is invoked before the filesystems are mounted and all checks are done to completion at that time. If background checking is available, &man.fsck.8; is invoked twice. It is first invoked at the traditional time, before the filesystems are mounted, with the -F flag to do checking on all the filesystems that cannot do background checking. It is then invoked a second time, after the system has completed going multiuser, with the -B flag to do checking on all the filesystems that can do background checking. Unlike the foreground checking, the background checking is started asynchronously so that other system activity can proceed even on the filesystems that are being checked. Boot-time enabling of this feature is controlled by the background_fsck option in &man.rc.conf.5;. Shortly after the receipt of a SIGINFO signal (normally control-T from the controlling tty), &man.fsck.ffs.8; will now output a line indicating the current phase number and progress information relevant to the current phase. &merged; &man.fsck.ffs.8; now supports background filesystem checks to mounted FFS filesystems with the -B option (softupdates must be enabled on these filesystems). The -F flag now determines whether a specified filesystem needs foreground checking. A new &man.fsck.msdosfs.8; utility has been added to check the consistency of MS-DOS filesystems. &merged; &man.ftpd.8; now supports a -r flag for read-only mode and a -E flag to disable EPSV. It also has some fixes to reduce information leakage and the ability to specify compile-time port ranges. &merged; &man.ftpd.8; now supports -o and -O options to disable the RETR command; the former for everybody, and the latter only for guest users. Coupled with -A and appropriate file permissions, these can be used to create a relatively safe anonymous FTP drop box for others to upload to. &man.gdb.1; now supports hardware watchpoints (using the kernel's debug register + support that has been introduced in &os; 4.0). &merged; The &man.getprogname.3; and &man.setprogname.3; library functions have been added to manipulate the name of the current program. They are used by error-reporting routines to produce consistent output. &merged; &man.gprof.1; now has a -K option to enable dynamic symbol resolution from the currently-running kernel. With this change, properly-compiled KLD modules are now able to be profiled. &man.growfs.8;, a utility for growing FFS filesystems, has been added. &man.ffsinfo.8;, a utility for dump all the meta-information of an existing filesystem, has also been added. &merged; The &man.groups.1; and &man.whoami.1; shell scripts are now unnecessary; their functionality has been completely folded into &man.id.1;. &merged; The &man.ibcs2.8;, &man.linux.8;, &man.osf1.8;, and &man.svr4.8; scripts, whose sole purpose was to load emulation kernel modules, have been removed. The kernel module system will automatically load them as needed to fulfill dependencies. &man.indent.1; has gained some new formatting options. &merged; &man.ifconfig.8; can set the link-layer address of an interface using the link parameter. &merged; &man.ifconfig.8; can now accept addresses in slash/CIDR notation. &merged; &man.ifconfig.8; now has support for setting parameters for IEEE 802.11 wireless network devices. &man.wi.4; and &man.an.4; devices are supported, and partial support is provided for &man.awi.4; devices. &merged; &man.ifconfig.8; no longer displays the list of supported media by default. Instead it displays it when the -m flag is given. &merged; The syntax of &man.inetd.8;'s support for &man.faithd.8; is now compatible with that of other BSDs. &merged; The ident protocol support in &man.inetd.8; has been cleaned up and updated. &merged; &man.inetd.8; now has the ability to manage UNIX-domain sockets. &merged; By default, &man.inetd.8; is no longer run by &man.rc.8; at boot-time, although &man.sysinstall.8; gives the option of enabling it during binary installations. &man.inetd.8; can also be enabled by adding the following line to /etc/rc.conf: inetd_enable="YES" &man.install.1; has a number of new features, including the -b and -B options for backing up existing target files and the -S option for safe (atomic copy) operation. The -c (copy) flag is now the default, and the -D (debugging) flag has been withdrawn. &man.install.1; now issues a warning if -d (create directories) and -C (copy changed files only) are used together. &merged; IP Filter is now supported by the &man.rc.conf.5; boot-time configuration and initialization. &merged; &man.ipfstat.8; now supports the -t option to turn on a &man.top.1;-like display. &merged; &man.ipfw.8; will now avoid the display of dynamic firewall rules unless the -d flag is passed to it. The -e option lists expired dynamic rules. &merged; &man.ipfw.8; has a new feature (me) that allows for packet matching on interfaces with dynamically-changing IP addresses. &merged; &man.ipfw.8; has a new limit type of firewall rule, which limits the number of sessions between address pairs. &merged; &man.ipfw.8; filter rules can now match on the value of the IPv4 precedence field. &man.ip6fw.8; now has the ability to use a preprocessor and use the -q (quiet) flag when reading from a file. &merged; &man.ispppcontrol.8; has been deleted, and its functionality has been folded into &man.spppcontrol.8;. &merged; &man.kenv.1;, a command to dump the kernel environment, has been added. &merged; &man.kenv.1; now has the ability to set or delete kernel environment variables. &man.keyinfo.1; is now a C program, rather than a Perl script. &merged; The &man.kget.8; utility has been removed (it was only useful for UserConfig, which is not present in &os; &release.current;). &man.killall.1; is now a C program, rather than a Perl script. As a result, its -m option now uses the regular expression syntax of &man.regex.3;, rather than that of &man.perl.1;. &merged; &man.killall.1; now allows non-root users to kill SUID root processes that they started, the same as the Perl version did. &merged; &man.killall.1; no longer tries to kill zombie processes unless the -z flag is specified. The &man.kldconfig.8; utility has been added to make it easier to manipulate the kernel module search path. &merged; ktrdump, a utility to dump the ktr trace buffer from userland, has been added. &man.last.1; now implements a -d that provides a snapshot of who was logged in at a particular date and time. &merged; &man.last.1; now supports a -y flag, which causes the year to be included in the session start time. &merged; The &man.lastlogin.8; utility, which prints the last login time of each user, has been imported from NetBSD. &merged; &man.ldconfig.8; now checks directory ownerships and permissions for greater security; these checks can be disabled with the -i flag. &merged; &man.ldd.1; can now be used on shared libraries, in addition to executables. &merged; &man.ldd.1; now supports a -a flag to list all the objects that are needed by each loaded object. libc is now thread-safe by default; libc_r contains only thread functions. libcrypt and libdescrypt have been unified to provide a configurable password authentication hash library. Both the md5 and des hash methods are provided unless the des hash is specifically compiled out. &merged; libcrypt now has support for Blowfish password hashing. &merged; libdisk can now do install-time configuration of the boot0 boot loader. &merged; libstand now has support for filesystems containing bzip2-compressed files. &merged; libstand now has support for overwriting the contents of a file on a UFS filesystem (it cannot expand or truncate files because the filesystem may be dirty or inconsistent). libstand now has support for loading large kernels and modules split across several physical media. &merged; The default TCP port range used by libfetch for passive FTP retrievals has changed; this affects the behavior of &man.fetch.1;, which has gained the -U option to restore the old behavior. &merged; libfetch now has support for an authentication callback. &merged; libfetch now has support for a HTTP_USER_AGENT environment variable. &merged; libgmp has been superceded by libmp. The functions from libposix1e have been integrated into libc. libusb has been renamed as libusbhid, following NetBSD's naming conventions. &merged; &man.ln.1; now takes an -i option to request user confirmation before overwriting an existing file. &merged; &man.ln.1; now takes a -h flag to avoid following a target that is a link, with a -n flag for compatibility with other implementations. &merged; &man.logger.1; can now send messages directly to a remote syslog. &merged; &man.login.1; now exports environment variables set by PAM modules. &merged; &man.lpc.8; has been improved; lpc clean is now somewhat safer, and a new lpc tclean command has been added to check to see what files would be removed by lpc clean. &merged; &man.lpd.8; now takes two new options: -c will log all connection errors to &man.syslogd.8;, while -W will allow connections from non-reserved ports. &merged; &man.lpd.8; now has some support for o-type print-file actions in its control files, which allows printing of PostScript files generated by MacOS 10.1. &merged; &man.lpd.8; now recognizes the -s flag as the preferred synonym for -p (these flags cause &man.lpd.8; not to open a socket for network print jobs). &merged; &man.lpr.1;, &man.lpq.1;, and &man.lpd.8; have received a few minor enhancements. &merged; Catching up with most other network utilities in the base system, &man.lpr.1;, &man.lpd.8;, &man.syslogd.8;, and &man.logger.1; are now all IPv6-capable. &merged; lprm - now works for remote printer queues. &merged; &man.ls.1; can produce colorized listings with the -G flag (and appropriate terminal support). The CLICOLOR environment variable can be set to enable colorized listings by default. &merged; &man.ls.1; now accepts a -h flag, which when combined with the -l flag, causes file sizes to be printed with unit suffixes, such that the number of digits printed is less than three. &merged; &man.m4.1; now accepts a -s flag to cause it to emit #line directives for use by &man.cpp.1;. &merged; &man.mail.1; now takes a -E flag to avoid sending messages with empty bodies. &merged; &man.make.1; has gained the :C/// (regular expression substitution), :L (lowercase), and :U (uppercase) variable modifiers. These were added to reduce the differences between the &os; and OpenBSD/NetBSD &man.make.1; programs. &merged; Bugs in &man.make.1;, among which include broken null suffix behavior, bad assumptions about current directory permissions, and potential buffer overflows, have been fixed. &merged; The new CPUTYPE make.conf variable controls the compilation of processor-specific optimizations in various pieces of code such as OpenSSL. &merged; The &os; Makefile infrastructure now supports the WARNS directive from NetBSD. This directive controls the addition of compiler warning flags to CFLAGS in a relatively compiler-neutral manner. &merged; &man.man.1; is no longer installed SUID man, in order to reduce vulnerabilities associated with generating catpages (preformatted manual pages cached for repeated viewing). As a result, &man.man.1; can no longer create system catpages on a regular user's behalf. It is still able to do so if the user has write permissions to the directory holding catpages (e.g. a user's own manpages) or if the running user is root. The &man.mdmfs.8; command has been added; it is a wrapper around &man.mdconfig.8;, &man.disklabel.8;, &man.newfs.8;, and &man.mount.8; that mimics the command line option set of the deprecated &man.mount.mfs.8;. &man.mergemaster.8; now sources an /etc/mergemaster.rc file and also prompts the user to run recommended commands (such as newaliases) as needed. &merged; &man.mergemaster.8; now supports two new flags. The -p flag enables a pre-buildworld mode to files known to be essential to the success of the buildworld and installworld system updating steps. The -C flag, used after a successful &man.mergemaster.8; run, compares options in /etc/rc.conf to the default options in /etc/defaults/rc.conf. &merged; &man.mk.cmds.1; and the associated libss have been removed; they have been unused for quite some time. &merged; &man.moused.8; now takes a -a option to control mouse acceleration. &merged; &man.mtree.8; now includes support for a file that lists pathnames to be excluded when creating and verifying prototypes. This makes it easier to use &man.mtree.8; as a part of an intrusion-detection system. &merged; &man.mv.1; now takes a (nonstandard) -n to automatically answer no when it would ask to overwrite a file. &man.natd.8; now supports a -log_ipfw_denied option to log packets that cannot be re-injected because they are blocked by &man.ipfw.8; rules. &merged; The in use percentage metric displayed by &man.netstat.1; now really reflects the percentage of network mbufs used. &merged; &man.netstat.1; now has a -W flag that tells it not to truncate addresses, even if they're too long for the column they're printed in. &merged; &man.netstat.1; now keeps track of input and output packets on a per-address basis for each interface. &merged; &man.netstat.1; now has a -z flag to reset statistics. &merged; &man.netstat.1; now has a -S flag to print address numerically but port names symbolically. &merged; &man.newfs.8; now implements write combining, which can make creation of new filesystems up to seven times faster. &merged; &man.newfs.8; now takes a -U option to enable softupdates on a new filesystem. &merged; The default number of cylinders per group in &man.newfs.8; is now computed to be the maximum allowable given the current filesystem parameters. It can be overridden with the -c option. Formerly, the default was fixed at 16. This change leads to better &man.fsck.8; performance and reduced fragmentation. &merged; The default block and fragment sizes for new filesystems created by &man.newfs.8; are now 16384 and 2048 bytes, respectively (the old defaults were 8192 and 1024 bytes). This change generally provides increased performance, at the expense of some wasted disk space. &merged; A number of archaic features of &man.newfs.8; have been removed; these implement tuning features that are essentially useless on modern hard disks. These features were controlled by the -O, -d, -k, -l, -n, -p, -r, -t, and -x flags. &man.newsyslog.8; now has the ability to compress log files using &man.bzip2.1;. &merged; NFS now works over IPv6. &man.ngctl.8; now supports a write command to send a data packet down a given hook. &merged; &man.nl.1;, a line numbering filter program, has been added. &merged; nsswitch support has been merged from NetBSD. By creating an &man.nsswitch.conf.5; file, &os; can be configured so that various databases such as &man.passwd.5; and &man.group.5; can be looked up using flat files, NIS, or Hesiod. The old hosts.conf file is no longer used. PAM support has been added for account management and sessions. PAM configuration is now specified by files in /etc/pam.d/, rather than a single /etc/pam.conf file. /etc/pam.d/README has more details. A &man.pam.ftp.8; module has been added to allow authentication of anonymous FTP users. A &man.pam.ftpusers.8; module has been added to perform checks against the &man.ftpusers.5; file. A &man.pam.lastlog.8; module has been added to record sessions in the &man.utmp.5;, &man.wtmp.5;, and &man.lastlog.5; databases. A &man.pam.login.access.8; module has been added, to allow checking against /etc/login.access. The &man.pam.nologin.8; module, which can disallow logins using &man.nologin.5;, has been added. The &man.pam.opie.8; and &man.pam.opieaccess.8; modules have been added to control authentication via &man.opie.4;. A &man.pam.passwdqc.8; module has been added, to check the quality of passwords submitted during password changes. A &man.pam.rhosts.8; module has been added to support &man.rhosts.5; authentication. The &man.pam.rootok.8; module, which can be used to authenticate only the superuser, has been added. A &man.pam.securetty.8; module has been added to check the security of a TTY, as listed in &man.ttys.5;. A &man.pam.self.8; module, which allows self-authentication of a user, has been added. A &man.pam.ssh.8; module has been added to allow the use of SSH passphrases and keypairs for authentication. This module also handles session management by invoking &man.ssh-agent.1;. &merged; A &man.pam.wheel.8; module has been added to permit authentication to members of a group, which defaults to wheel. &man.passwd.1; and &man.pw.8; now select the password hash algorithm at run time. See the passwd_format attribute in /etc/login.conf. &merged; &man.patch.1; now accepts a -i command-line flag to read a patch from a file, rather than standard input. &merged; &man.pax.1; has received a number of enhancements, including &man.cpio.1; functionality, &man.tar.1; compatibility enhancements, -z and -Z flags for &man.gzip.1; and &man.compress.1; functionality, and a number of bug fixes. &man.pciconf.8; now supports a -v option to display the vendor/device information of configured devices, in conjunction with the -l option. The default vendor/device database can be found at /usr/share/misc/pci_vendors. &merged; The behavior of &man.periodic.8; is now controlled by /etc/defaults/periodic.conf and /etc/periodic.conf. &merged; &man.ping.8; now supports a -m option to set the TTL of outgoing packets. &merged; &man.ping.8; now supports a -A option to beep when packets are lost. &merged; Userland &man.ppp.8; has received a number of updates and bug fixes. &merged; &man.ppp.8; has gained the tcpmssfixup option, which adjusts outgoing and incoming TCP SYN packets so that the maximum receive segment size is no larger than allowed by the interface MTU. &merged; &man.ppp.8; now supports IPv6. &man.pppd.8; (the control program for kernel-level PPP) is now installed mode 4550 and root:dialer, rather than mode 4555 (in other words, it is no longer world-executable). Users of &man.pppd.8; may need to change their group settings. &merged; &man.pr.1; now supports the -f and -p flags to pause output going to a terminal. &merged; The -W option to &man.ps.1; (to extract information from a specified swap device) has been useless for some time; it has been removed. &merged; &man.pwd.1; can now double as &man.realpath.1;, a program to resolve pathnames to their underlying physical paths. &merged; &man.pwd.1; now supports the -L flag to print the logical current working directory. The pseudo-random number generator implemented by &man.rand.3; has been improved to provide less biased results. &man.rc.8; now has an framework for handling dependencies between &man.rc.conf.5; variables. &merged; &man.rc.8; now deletes all non-directory files in /var/run and /var/spool/lock at boot time. &merged; &man.rcmd.3; now supports the use of the RSH environment variable to specify a program to use other than &man.rsh.1; for remote execution. As a result, programs such as &man.dump.8;, can use &man.ssh.1; for remote transport. &man.rdist.1; has been retired from the base system, but is still available from &os; Ports Collection as net/44bsd-rdist. &man.reboot.8; now takes a -k to specify the next kernel to boot. &merged; The &man.renice.8; command implements a -n option, which specifies an increment to be applied to the priority of a process. The &man.resolver.3; in &os; now implements EDNS0 support, which will be necessary when working with IPv6 transport-ready resolvers/DNS servers. &merged; The &man.rfork.thread.3; library call has been added as a helper function to &man.rfork.2;. Using this function should avoid the need to implement complex stack swap code. &merged; The -v option to &man.rm.1; now displays the entire pathname of a file being removed. &man.route.8; is now more verbose when changing indirect routes, in the case of a gateway route that is the same route as the one being modified. &merged; &man.route.8; now uses host/bits syntax instead of net/bits syntax, for compatibility with &man.netstat.1;. &merged; &man.route.8; can now create proxy only published ARP entries. &merged; The &man.route.8; add command now supports the -ifp and -ifa modifiers. &merged; &man.rpcbind.8; has replaced &man.portmap.8;. &man.rpcgen.1; now uses /usr/bin/cpp (as on NetBSD), not /usr/libexec/cpp. &man.rpc.lockd.8; has been imported from NetBSD. This daemon provides support for servicing client NFS locks. The performance of the ELF dynamic linker &man.rtld.1; has been improved. &merged; RSA Security has waived all patent rights to the RSA algorithm. As a result, the native OpenSSL implementation of the RSA algorithm is now activated by default, and the security/rsaref port and the librsaUSA and librsaINTL libraries are no longer required for USA and non-USA residents respectively. &merged; &man.rtld.1; will now print the names of all objects that cause each object to be loaded, if the LD_TRACE_LOADED_OBJECTS_ALL environment variable is defined. &man.savecore.8; now supports a -k option to prevent clearing a crash dump after saving it. It also attempts to avoid writing large stretches of zeros to crash dump files to save space and time. &merged; &man.savecore.8; now works correctly on machines with 2 GB or more of RAM. &merged; &man.sed.1; now takes a -E option for extended regular expression support. &merged; &man.sed.1; now takes a -i option to enable in-place editing of files. &man.send-pr.1; now takes a -a option to include a file into the Fix: section of a problem report. &merged; The &man.setfacl.1; and &man.getfacl.1; commands have been added to manage file system Access Control Lists. &man.setproctitle.3; has been moved from libutil to libc. &merged; &man.sh.1; now implements test as a built-in command for improved efficiency. &merged; &man.sh.1; no longer implements printf as a built-in command because it was considered less valuable compared to the other built-in commands (this functionality is, of course, still available through the &man.printf.1; executable). &man.sockstat.1; now has -c and -l flags for listing connected and listening sockets, respectively. &merged; &man.split.1; now has the ability to split a file longer than 2GB. &merged; &man.split.1; now supports a -a option to specify the number of letters to use for the suffix of split files. In preparation for meeting SUSv2/POSIX <sys/select.h> requirements, struct selinfo and related functions have been moved to <sys/selinfo.h>. The &man.strnstr.3; and &man.strcasestr.3; variants of &man.strstr.3; have been implemented. &merged; &man.stty.1; now has support for an erase2 control character, so that, for example, both the Delete and Backspace keys can be used to erase characters. &merged; &man.style.perl.7;, a style guide for Perl code in the &os; base system, has been added. &merged; &man.su.1; now uses PAM for authentication. Boot-time &man.syscons.4; configuration was moved to a machine-independent /etc/rc.syscons. &merged; &man.sysctl.8; now supports a -N option to print out variable names only. &merged; &man.sysctl.8; has replaced the -A and -X options with -ao and -ax respectively; the former options are now deprecated. The -w option is deprecated as well; it is not needed to determine the user's intentions. &merged; &man.sysctl.8; now supports a -e option to separate variable names and values by = rather than :. This feature is useful for producing output that can be fed back to &man.sysctl.8;. &merged; &man.sysctl.8; now accepts a -d to print the descriptions of variables. &man.sysinstall.8; now properly preserves /etc/mail during a binary upgrade. &merged; &man.sysinstall.8; now uses some more intuitive defaults thanks to some new dialog support functions. &merged; The default root partition in &man.sysinstall.8; is now 100MB on the i386 and 120MB on the Alpha. &man.sysinstall.8; now lives in /usr/sbin, which simplifies the installation process. The &man.sysinstall.8; manpage is also installed in a more consistent fashion now. &man.sysinstall.8; now has the ability to load KLDs as a part of the installation. &merged; When run from the installation media, &man.sysinstall.8; will automatically load any device drivers found in the /stand/modules directory of the mfsroot floppy or filesystem image. Note that any drivers so loaded will not appear in the kernel's boot messages; the &man.sysinstall.8; debugging screen will provide additional information. &merged; &man.sysinstall.8; now enables Soft Updates by default on all filesystems it creates, except for the root filesystem. &merged; &man.sysinstall.8; has received updates for its auto partitioning mode which provide more reasonable defaults for the sizes of partitions that are created; auto-sized partitions can now also recover the space that becomes available when other partitions are deleted. &merged; &man.sysinstall.8; no longer mounts the &man.procfs.5; filesystem by default on new installs. &man.sysinstall.8; now has rudimentary support for retrieving packages from the correct volume of a multiple-volume installation (such as a multi-CD distribution). &merged; &man.syslogd.8; can take a -n option to disable DNS queries for every request. &merged; &man.syslogd.8; now supports a LOG_CONSOLE facility (disabled by default), which can be used to log /dev/console output. &merged; &man.syslogd.8; now has the ability to bind to a specific address (as opposed to using every available one) via the -b option. &merged; &man.syslogd.8; now accepts a -c flag to disable repeated line compression. &merged; &man.tail.1; now has the ability to work on files longer than 2GB. &merged; &man.tar.1; now supports the TAR_RSH variable, principally to enable the use of &man.ssh.1; as a transport. &merged; &man.telnet.1; now does autologin and encryption by default; a new -y option turns off encryption. &man.telnet.1; now supports a -u flag to allow connections to UNIX-domain (AF_UNIX) sockets. &merged; &man.tftp.1; and &man.tftpd.8; now support IPv6. &merged; &man.tftpd.8; now takes the -c and -C options, which allow the server to &man.chroot.2; based on the IP address of the connecting client. &man.tftp.1; and &man.tftpd.8; can now transfer files larger than 65535 blocks. &merged; &man.tftpd.8; now supports RFC 2349 (TFTP Timeout Interval and Transfer Size Options); this feature is required by some firmware like EFI boot managers (at least on HP i2000 Itanium servers) in order to boot an image using TFTP. &man.timed.8; now works on the alpha. A version of Transport Independent RPC (TI-RPC) has been imported. &man.tmpnam.3; will now use the TMPDIR environment variable, if set, to specify the location of temporary files. &merged; &man.tip.1; has been updated from OpenBSD, and has the ability to act as a &man.cu.1; substitute. &man.top.1; will now use the full width of its tty. &man.touch.1; now takes a -h option to operate on a symbolic link, rather than what the link points to. The &man.truncate.1; utility, which truncates or extends the length of files, has been added. &merged; Ukrainian language support has been added to the &os; console. &merged; UUCP has been removed from the base system. It can be found in the Ports Collection, in net/freebsd-uucp. &man.unexpand.1; now supports a -t to specify tabstabs analogous to &man.expand.1;. &man.units.1; has received some updates and bugfixes. &merged; &man.usbdevs.8; now supports a -d flag to show the device driver associated with each device. The &man.usbhidctl.1; utility has been added to manipulate USB Human Interface Devices. &merged; &man.uuencode.1; and &man.uudecode.1; now accept a -o option to set their output files. They can also do base64 encoding and decoding when given the -m flag. &merged; &man.vidcontrol.1; now accepts a -g parameter to select custom text geometry in the VESA_800x600 raster text mode. &merged; &man.vidcontrol.1; now allows the user to omit the font size specification when loading a font, and has some better error-handling. &merged; &man.vidcontrol.1; now supports a -p option to take a snapshot of a &man.syscons.4; video buffer. These snapshots can be manipulated by the graphics/scr2png utility in the Ports Collection. &merged; &man.vidcontrol.1; now supports a -C option to clear the history buffer for a given tty, as well as a -h option to set the size of the history buffer. &merged; The default stripe size in &man.vinum.8; has been changed from 256KB to 279KB, to spread out superblocks more evenly between stripes. &man.wall.1; now supports a -g flag to write a message to all users of a given group. &merged; &man.watch.8; now takes a -f option to specify a &man.snp.4; device to use. &merged; &man.which.1; is now a C program, rather than a Perl script. &man.who.1; now has a number of new options: -H shows column headings; -T shows &man.mesg.1; state; -m is an equivalent to am i; -u shows idle time; -q to list names in columns. &man.whois.1; now directs queries for IP addresses to ARIN. If a query to ARIN references APNIC or RIPE, the appropriate server will also be queried, provided that the -Q option is not specified. &merged; &man.whois.1; supports a -c option to specify a country code to help direct queries towards a particular whois server. &merged; &man.xargs.1; now supports a -I replstr option that allows the user to tell &man.xargs.1; to insert the data read from standard input at specific points in the command line arguments rather than at the end. (A &os;-specific -J option is similar, but is now deprecated in favor of the more portable -I option.) &man.xargs.1; now supports a -L option to force its utility argument to be called after some number of lines. The compiler chain now uses the FSF-supplied C/C++ runtime initialization code. This change brings about better compatibility with code generated from the various egcs and gcc ports, as well as the stock public FSF source. &merged; The threads library has gained some signal handling changes, bug fixes, and performance enhancements (including zero system call thread switching). &man.gdb.1; thread support has been updated to match these changes. &merged; Significant additions have been made to internationalization support; &os; now has complete locale support for the LC_MONETARY, LC_NUMERIC, and LC_MESSAGES categories. A number of applications have been updated to take advantage of this support. &merged; Locale names have been changed to improve compatibility with the names used by X11R6, as well as a number of other UNIX versions. As an example, the en_US.ISO_8859-1 locale name has been changed to en_US.ISO8859-1. Entries in /etc/locale.alias provide backward compatibility. &merged; /usr/src/share/examples/BSD_daemon/ now contains a scalable Beastie graphic. &merged; As part of an ongoing process, many manual pages were improved, both in terms of their formatting markup and in their content. &merged; A number of utilities and libraries were enhanced to improve their conformance with the Single UNIX Specification (SUSv3) and IEEE Std 1003.1-2001 (POSIX.1). Specific features added have been listed in the release notes for each utility. The standards conformance of each utility or library function is generally listed in its manual page. am-utils has been updated to 6.0.7. A 10 February 2002 snapshot of awk from Bell Labs (variously known as BWK awk or The One True AWK) has been imported. It is available as awk or nawk. bc has been updated from 1.04 to 1.06. &merged; The ISC library from the BIND distribution is now built as libisc. &merged; BIND is now built with the NOADDITIONAL flag, which causes &man.named.8; to operate in a more consistent fashion for certain common misconfigurations. &merged; BIND has been updated to 8.3.1-REL. &merged; Binutils has been updated to 2.12.0. bzip2 1.0.2 has been imported; this brings the &man.bzip2.1; program and the libbz2 library to the base system. &merged; The &man.ee.1; Easy Editor has been updated to 1.4.2. &merged; file has been updated to 3.37. gcc has been updated to a snapshot of the 2.95 development branch from 20 March 2002 (this snapshot includes changes made after the release of gcc 2.95.3). &man.gcc.1; now uses a unified libgcc rather than a separate one for threaded and non-threaded programs. /usr/lib/libgcc_r.a can be removed. &merged; &man.gcc.1; now supports the environment variable GCC_OPTIONS, which can hold a set of default options for GCC. &merged; GNATS has been updated to 3.113. &merged; GNU awk has been updated to 3.1.0. It is now available as gawk. gperf has been updated to 2.7.2. groff and its related utilities have been updated to FSF version 1.17.2. This import brings in a new &man.mdoc.7; macro package (sometimes referred to as mdocNG), which removes many of the limitations of its predecessor. &merged; Heimdal Kerberos has been updated to 0.4e. &merged; The version of IPFilter provided with &os; now includes the &man.ipfs.8; program, which allows state information created for NAT entries and stateful rules to be saved to disk and restored after a reboot. Boot-time configuration of these features is supported by &man.rc.conf.5;. &merged; The ISC DHCP client has been updated to 3.0.1RC8. &merged; Kerberos IV has been updated to 1.0.5. &merged; The &man.more.1; command has been replaced by &man.less.1;, although it can still be run as more. &merged; Version 371 of less has been imported. libpcap has been updated to 0.6.2. &merged; libreadline has been updated to 4.2. libz has been updated to 1.1.4. lint has been updated to snapshot of NetBSD &man.lint.1; as of 3 March 2002. lukemftp (the FTP client from NetBSD) has replaced the &os; &man.ftp.1; program. Among its new features are more automation methods, better standards compliance, transfer rate throttling, and a customizable command-line prompt. Some environment variables and command-line arguments have changed. The FTP daemon from NetBSD, otherwise known as lukemftpd, has been imported and is available as &man.lukemftpd.8;. &man.m4.1; has been imported from OpenBSD, as of 26 April 2002. ncurses has been updated to 5.2-20010512. The NTP suite of programs has been updated to 4.1.0. &merged; OpenPAM (Cinnamon release) has been imported, replacing Linux-PAM. The OPIE one-time-password suite has been updated to 2.4. It has completely replaced the functionality of S/Key. Perl has been updated to version 5.6.1. &man.routed.8; has been updated to version 2.22. &merged; Version 1.4.4 of the smbfs userland utilities have been imported. tcpdump has been updated to 3.6.3. &merged; The &man.csh.1; shell has been replaced by &man.tcsh.1;, although it can still be run as csh. tcsh has been updated to version 6.11. &merged; The contributed version of tcp_wrappers now includes the &man.tcpd.8; helper daemon. While not strictly necessary in a standard &os; installation (because &man.inetd.8; already incorporates this functionality), this may be useful for &man.inetd.8; replacements such as xinetd. texinfo has been updated to 4.1. &merged; top has been updated to version 3.5b12. &man.traceroute.8; now takes its default maximum TTL value from the net.inet.ip.ttl sysctl variable. &merged; The timezone database has been updated to the tzdata2002c release. &merged; cvs has been updated to 1.11.1p1. &merged; The default value for &man.cvs.1;'s CVS_RSH variable is now ssh, rather than rsh. &merged; &man.cvs.1; now supports a -T option to update a sandbox's CVS/Template file from the repository. &merged; &man.cvs.1; diff now supports the -j option to perform differences against a revision relative to a branch tag. &merged; CVSup, a frequently used utility in the &os; Ports Collection, was formerly installable using several ports and packages. The net/cvsup-bin and net/cvsupd-bin ports/packages are no longer necessary or available; the net/cvsup port should be used instead. &merged; CVSup has been updated to 16.1_3, which is available in the &os; Ports Collection as net/cvsup. This update fixes a long-standing (but only recently encountered) bug which affects the timestamps on all files after Sun Sep 9 01:46:40 UTC 2001 (1,000,000,000 seconds after the UNIX epoch). &merged; The IPv6 stack is now based on a snapshot based on the KAME Project's IPv6 snapshot as of 28 May, 2001. Most of the items listed in this section are a result of this import. lists kernel updates to the KAME IPv6 stack. &merged; &man.faithd.8; now supports a configuration file for access control. &merged; &man.ifconfig.8; can now perform the functions of &man.gifconfig.8;. &merged; &man.ifconfig.8; can now perform the functions of &man.prefix.8;. &man.prefix.8; is now a shell script for partial backwards compatibility. &merged; &man.ndp.8; now implements garbage collection for stale NDP entries, as described in RFC 2461 (Neighbor Discovery for IP Version 6 (IPv6)). &merged; &man.pim6dd.8; and &man.pim6sd.8; have been removed due to restrictive licensing conditions. These programs are available in the ports collection as net/pim6dd and net/pim6sd. &merged; &man.route6d.8; now supports an -n flag to avoid updating the kernel forwarding table. &merged; The -R (router renumbering) option to &man.rtadvd.8; is currently ignored. &merged; OpenSSH has been updated to 2.9, which provides support for the SSH2 protocol (now the default) and DSA keys. &man.ssh-add.1; and &man.ssh-agent.1; can now handle DSA keys, with support for authentication forwarding. OpenSSH users in the USA no longer need to rely on the restrictively-licensed RSAREF toolkit which is required to handle RSA keys. Among other new features: A client and server for &man.sftp.1; has been added. &man.scp.1; can now handle files larger than 2 GBytes. A limit on the number of outstanding, unauthenticated connections in &man.sshd.8; has been added. Support has been added for the Rijndael encryption algorithm. Rekeying of existing sessions is now supported, and an experimental SOCKS4 proxy has been added to &man.ssh.1;. &merged; OpenSSH has been updated to version 3.1. Among the changes: The *2 files are obsolete (for example, ~/.ssh/known_hosts can hold the contents of ~/.ssh/known_hosts2). &man.ssh-keygen.1; can import and export keys using the SECSH Public Key File Format, for key exchange with several commercial SSH implementations. &man.ssh-add.1; now adds all three default keys. &man.ssh-keygen.1; no longer defaults to a specific key type; one must be specified with the -t option. OpenSSH can now authenticate using OPIE passwords. PAM support for OpenSSH has been added. A long-standing bug in OpenSSH, which sometimes resulted in a dropped session when an X11-forwarded client was closed, was fixed. Kerberos compatibility has been added to OpenSSH. &merged; OpenSSH has been modified to be more resistant to traffic analysis by requiring that non-echoed characters are still echoed back in a null packet, as well as by padding passwords sent so as not to hint at password lengths. &merged; &man.sshd.8; is now enabled by default on new installs. &merged; &man.sshd.8; X11Forwarding is now turned on by default on the server (any risk is to the client, where it is already disabled by default). &merged; In /etc/ssh/sshd_config, the ConnectionsPerPeriod parameter has been deprecated in favor of MaxStartups. &merged; OpenSSH now has a VersionAddendum configuration setting for &man.sshd.8; to allow changing the part of the OpenSSH version string after the main version number. OpenSSL has been updated to 0.9.6c. OpenSSL now has support for machine-dependent ASM optimizations, activated by the new MACHINE_CPU and/or CPUTYPE make.conf variables. &merged; sendmail has been updated from version 8.9.3 to version 8.12.3. Important changes include: &man.sendmail.8; is no longer installed as a set-user-ID root binary (now set-group-ID smmsp); new default file locations (see /usr/src/contrib/sendmail/cf/README); &man.newaliases.1; is limited to root and trusted users; STARTTLS encryption; and the MSA port (587) is turned on by default. See /usr/src/contrib/sendmail/RELEASE_NOTES for more information. &merged; &man.mail.local.8; is no longer installed as a set-user-ID binary. If you are using a /etc/mail/sendmail.cf from the default sendmail.cf included with &os; any time after 3.1.0, you are fine. If you are using a hand-configured sendmail.cf and mail.local for delivery, check to make sure the F=S flag is set on the Mlocal line. Those with .mc files who need to add the flag can do so by adding the following line to their .mc file and regenerating the sendmail.cf file: MODIFY_MAILER_FLAGS(`LOCAL',`+S')dnl Note that FEATURE(`local_lmtp') already does this. &merged; The default /etc/mail/sendmail.cf disables the SMTP EXPN and VRFY commands. &merged; &man.vacation.1; has been updated to use the version included with sendmail. &merged; The sendmail configuration building tools are installed in /usr/share/sendmail/cf/. &merged; New make.conf options: SENDMAIL_MC and SENDMAIL_ADDITIONAL_MC. See /usr/share/examples/etc/make.conf for more information. &merged; /etc/mail/Makefile now supports: the new SENDMAIL_MC make.conf option; the ability to build .cf files from .mc files; generalized map rebuilding; rebuilding the aliases file; and the ability to stop, start, and restart sendmail. &merged; The smmsp and mailnull users have been added to /etc/master.passwd. In the absence of a confDEF_USER_ID setting, by default, sendmail will use the mailnull user for extra security. Previously, if the mailnull user did not exist, the daemon user was used. This change may generate some permissions issues when mailing to files or to programs (such as mail/majordomo). &merged; The previous behavior can be restored by adding the following line to a system's *.mc configuration file: define(`confDEF_USER_ID', `daemon') Beginning with the import of sendmail 8.12.2, multiple sendmail daemons (some required to handle outgoing mail) are started by &man.rc.8;, even if the sendmail_enable variable is set to NO. To completely disable sendmail, sendmail_enable must be set to NONE. Alternatively, for systems using a different MTA, the mta_start_script can be used to point to a different startup script (more details can be found in &man.rc.sendmail.8;). &merged; By default, &man.rc.8; no longer enables sendmail for inbound SMTP connections. Note that &man.sysinstall.8; may override this default for a binary installation, based on what security profile is selected. This functionality can also be manually enabled by adding the following line to /etc/rc.conf: sendmail_enable="YES" BSDPAN, a collection of modules that provides tighter integration of Perl into the &os; Ports Collection, has been added. &man.pkg.create.1; and &man.pkg.add.1; can now work with packages that have been compressed using &man.bzip2.1;. &man.pkg.add.1; will use the PACKAGEROOT environment variable to determine a mirror site for new packages. &merged; &man.pkg.create.1; now records dependencies in dependency order rather than in the order specified on the command line. This improves the functioning of pkg_add -r. &merged; &man.pkg.create.1; now supports a -b to create a package file from a locally-installed package. &merged; When requested to delete multiple packages, &man.pkg.delete.1; will now attempt to remove them in dependency order rather than the order specified on the command line. &merged; &man.pkg.delete.1; now can perform glob/regexp matching of package names. In addition, it supports a -a option for removing all packages and a -i option for &man.rm.1;-style interactive confirmation. &merged; &man.pkg.delete.1; now supports a -r option for recursive package removal. &merged; &man.pkg.info.1; now supports globbing against names of installed packages. The -G option disables this behavior, and the -x option causes regular expression matching instead of shell globbing. &merged; &man.pkg.info.1; can now accept a -g flag for verifying an installed package against its recorded checksums (to see if it's been modified post-installation). Naturally, this mechanism is only as secure as the contents of /var/db/pkg if it's to be used for auditing purposes. &merged; &man.pkg.sign.1; and &man.pkg.check.1; have been added to digitally sign and verify the signatures on binary package files. &merged; For some time, &os; 5.0-CURRENT (as well as some 4.X releases) included a pkg_update(1) utility to update installed packages, as well as their dependencies. This utility has been removed; a superset of its functionality can be found in the sysutils/portupgrade port. &man.pkg.version.1; now has a version number comparison routine that corresponds to the Porters Handbook. It also has a -t option for testing address comparisons. &merged; &man.pkg.version.1; now takes a -s flag to limit its operation to ports/packages matching a given string. &merged; Version numbers of installed packages have a new (backward-compatible) syntax, which supports the PORTREVISION and PORTEPOCH variables in Ports Collection Makefiles. These changes help keep track of changes in the ports collection entries such as security patches or &os;-specific updates, which aren't reflected in the original, third-party software distributions. &man.pkg.version.1; can now compare these new-style version numbers. &merged; To improve performance and disk utilization, the ports skeletons in the &os; Ports Collection have been restructured. Installed ports and packages should not be affected. &merged; All packages and ports now contain an origin directive, which makes it easier for programs such as &man.pkg.version.1; to determine the directory from which a package was built. &merged; The Ports Collection infrastructure now uses XFree86 4.X as the default version of the X Window System for the purposes of satisfying dependencies. To return to using XFree86 3.X, add the following line to /etc/make.conf: &merged; XFREE86_VERSION=3 The bin distribution has been renamed base, in order to make creation of combined install/recovery disks easier. ISO images and CDROMs now use the cdboot boot loader by default. This eliminates the need for an emulated floppy disk image on a bootable CDROM and allows for a full GENERIC kernel to be used for CDROM installations, at the expense of compatability with some old BIOSs. XFree86 4.2.0 is now the default version of the X Window System supported by &man.sysinstall.8;. It installs XFree86 as a set of standard binary packages, so the usual package utilities such as &man.pkg.info.1; can be used to examine/manipulate its components. &merged; It is now possible to make releases of &os; &release.current; on a &os; 4-STABLE host. Cross-architecture (building a release for a target architecture on a host of a different architecture) releases are also possible. See &man.release.7; for details. If you're upgrading from a previous release of &os;, you generally will have three options: Using the binary upgrade option of &man.sysinstall.8;. This option is perhaps the quickest, although it presumes that your installation of &os; uses no special compilation options. Performing a complete reinstall of &os;. Technically, this is not an upgrading method, and in any case is usually less convenient than a binary upgrade, in that it requires you to manually backup and restore the contents of /etc. However, it may be useful in cases where you want (or need) to change the partitioning of your disks. From source code in /usr/src. This route is more flexible, but requires more disk space, time, and more technical expertise. Upgrading from very old versions of &os; may be problematic; in cases like this, it is usually more effective to perform a binary upgrade or a complete reinstall. Please read the INSTALL.TXT file for more information, preferably before beginning an upgrade. If you are upgrading from source, please be sure to read /usr/src/UPDATING as well. Finally, if you want to use one of various means to track the -STABLE or -CURRENT branches of &os;, please be sure to consult the -CURRENT vs. -STABLE section of the FreeBSD Handbook. Upgrading &os; should, of course, only be attempted after backing up all data and configuration files.