1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
|
<articleinfo>
<title>&os;/&arch; &release.current; Release Notes</title>
<corpauthor>The FreeBSD Project</corpauthor>
<pubdate>$FreeBSD$</pubdate>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<year>2004</year>
<holder role="mailto:doc@FreeBSD.org">The FreeBSD Documentation Project</holder>
</copyright>
<abstract>
<para>The release notes for &os; &release.current; contain a summary
of
<![ %include.historic; [
the changes made to the &os; base system since &release.prev;.
]]>
<![ %no.include.historic; [
recent changes made to the &os; base system on the &release.branch;
development branch.
]]>
This document lists applicable security advisories that were issued since
the last release, as well as significant changes to the &os;
kernel and userland.
Some brief remarks on upgrading are also presented.</para>
</abstract>
</articleinfo>
<sect1 id="intro">
<title>Introduction</title>
<para>This document contains the release notes for &os;
&release.current; on the &arch.print; hardware platform. It
describes recently added, changed, or deleted features of &os;.
It also provides some notes on upgrading
from previous versions of &os;.</para>
<![ %release.type.snapshot [
<para>The &release.type; distribution to which these release notes
apply represents a point along the &release.branch; development
branch between &release.prev; and the future &release.next;. Some
pre-built, binary &release.type; distributions along this branch
can be found at <ulink url="&release.url;"></ulink>.</para>
]]>
<![ %release.type.release [
<para>This distribution of &os; &release.current; is a
&release.type; distribution. It can be found at <ulink
url="&release.url;"></ulink> or any of its mirrors. More
information on obtaining this (or other) &release.type;
distributions of &os; can be found in the <ulink
url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors.html"><quote>Obtaining
FreeBSD</quote> appendix</ulink> to the <ulink
url="http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/">FreeBSD
Handbook</ulink>.</para>
]]>
<para>Users who are new to the &release.branch; series of &os;
&release.type;s should also read the <quote>Early Adopters Guide
to &os; &release.current;</quote>. This document can generally be
found in the same location as the release notes (either as a part of a
&os; distribution or on the &os; Web site). It contains important
information regarding the advantages and disadvantages of using
&os; &release.current;, as opposed to releases based on the &os;
4-STABLE development branch.</para>
<para>All users are encouraged to consult the release errata before
installing &os;. The errata document is updated with
<quote>late-breaking</quote> information discovered late in the
release cycle or after the release. Typically, it contains
information on known bugs, security advisories, and corrections to
documentation. An up-to-date copy of the errata for &os;
&release.current; can be found on the &os; Web site.</para>
</sect1>
<sect1 id="new">
<title>What's New</title>
<para>This section describes
<![ %include.historic; [
the most user-visible new or changed features in &os;
since &release.prev;.
In general, changes described here are unique to the &release.branch;
branch unless specifically marked as &merged; features.
]]>
<![ %no.include.historic; [
many of the user-visible new or changed features in &os;
since &release.prev;. It includes items that are unique to the
&release.branch; branch, as well as some features that may have been
recently merged to
other branches (after &os; &release.prev.historic;). The latter
items are marked as &merged;.
]]>
</para>
<para>Typical release note items
document recent security advisories issued after
&release.prev.historic;,
new drivers or hardware support, new commands or options,
major bug fixes, or contributed software upgrades. They may also
list changes to major ports/packages or release engineering
practices. Clearly the release notes cannot list every single
change made to &os; between releases; this document focuses
primarily on security advisories, user-visible changes, and major
architectural improvements.</para>
<sect2 id="security">
<title>Security Advisories</title>
<para>A bug in &man.mksnap.ffs.8; has been fixed; it caused the creation of a
filesystem snapshot to reset the flags on the filesystem to
their default values. The possible consequences depended on local
usage, but could include disabling extended access control lists
or enabling the use of setuid executables stored on an untrusted
filesystem. This bug also affected the &man.dump.8;
<option>-L</option> option, which uses &man.mksnap.ffs.8;. Note
that &man.mksnap.ffs.8; is normally only available to the
superuser and members of the <groupname>operator</groupname>
group. For more information, see security advisory <ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:01.mksnap_ffs.asc">FreeBSD-SA-04:01</ulink>.</para>
<para>A bug with the System V Shared Memory interface
(specifically the &man.shmat.2; system call) has been fixed.
This bug can cause a shared memory segment to reference
unallocated kernel memory. In turn, this can permit a local
attacker to gain unauthorized access to parts of kernel memory,
possibly resulting in disclosure of sensitive information,
bypass of access control mechanisms, or privilege escalation.
More details can be found in security advisory <ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:02.shmat.asc">FreeBSD-SA-04:02</ulink>.
&merged;</para>
<para>A programming error in the &man.jail.attach.2; system call
has been fixed. This error could allow a process with superuser
privileges inside a &man.jail.8; environment to change its root
directory to that of a different jail, and thus gain full read
and write access to files and directories within the target
jail. More information can be found in security advisory <ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:03.jail.asc">FreeBSD-SA-04:03</ulink>.</para>
<para>A potential low-bandwidth denial-of-service attack against
the &os; TCP stack has been prevented by limiting the number of
out-of-sequence TCP segments that can be held at one time. More
details can be found in security advisory <ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:04.tcp.asc">FreeBSD-SA-04:04</ulink>.
&merged;</para>
<para>A bug in <application>OpenSSL</application>'s SSL/TLS
ChangeCipherSpec message processing could result in
a null pointer dereference, has been fixed.
This could allow a remote attacker to crash an
<application>OpenSSL</application>-using
application and cause a denial-of-service on the system.
More details can be found in security advisory <ulink
url="ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-04:05.openssl.asc">FreeBSD-SA-04:05</ulink>.
&merged;</para>
</sect2>
<sect2 id="kernel">
<title>Kernel Changes</title>
<para arch="i386">The &man.acpi.toshiba.4; driver has been added
to use Toshiba's Hardware Control Interface to manipulate
certain hardware features on Toshiba laptops.</para>
<para>The &man.acpi.video.4; driver has been added to provide
control display switching and backlight brightness using the
ACPI Video Extensions.</para>
<para>&man.devfs.5; path rules now work correctly on
directories.</para>
<para arch="i386,pc98">The dgb (DigiBoard intelligent serial card) driver has been
removed due to breakage. Its replacement is the &man.digi.4; driver,
which supports all the hardware of the dgb driver.</para>
<para arch="i386">The loran (Loran-C receiver) driver has been removed due to
breakage and lack of maintainership.</para>
<para>The raid(4), RAIDframe disk driver from NetBSD has been removed.
This is currently non-functional, and would require some amount of work
to make it work under the &man.geom.4; API in 5-CURRENT.</para>
<para>The &man.ubser.4; device driver has been added to support
BWCT console management serial adapters.</para>
<para>The ULE scheduler is now the default scheduler in the
<filename>GENERIC</filename> kernel. For the average user,
interactivity is reported to be better in many cases. This
means less <quote>skipping</quote> and <quote>jerking</quote> in
interactive applications while the machine is very busy. This
will not prevent problems due to overloaded disk subsystems, but
it does help with overloaded CPUs. On SMP machines, ULE has
per-CPU run queues which allow for CPU affinity, CPU binding,
and advanced HyperThreading support, as well as providing a
framework for more optimizations in the future. As fine-grained
kernel locking continues, the scheduler will be able to make
more efficient use of the available parallel resources.</para>
<!-- Above this line, sort kernel changes by manpage/keyword-->
<para>The device driver infrastructure (as well as many drivers)
have been updated. Among the changes: Many more drivers now use
automatically-assigned major numbers (instead of the old static
major numbers). Enhanced functions to support cloning of
pseudodevices. Several changes to the driver API, including a
new <varname>d_version</varname> field in <varname>struct
cdevsw</varname>. Note that third-party device drivers will
require recompiling after this change.</para>
<para>The kernel's file descriptor allocation code has been
updated, and is now derived from similar code in OpenBSD.</para>
<para arch="sparc64">On &os;/sparc64, <varname>time_t</varname>
has been changed from a 32-bit value to a 64-bit value.
<note>
<para>Since this change is not backward-compatible,
any programs which were built on an older system using
a 32-bit <varname>time_t</varname> and
call system routines for handling
<varname>time_t</varname> values, will have to be recompiled.
More detailed information and notice on upgrading from
the source can be found in
<filename>/usr/src/UPDATING.64BTT</filename>.</para>
</note>
</para>
<para arch="i386">It is now possible to compile the &os;/i386
kernel with the Intel C/C++ Compiler (as in the <filename
role="package">lang/icc</filename> port).</para>
<sect3 id="proc">
<title>Platform-Specific Hardware Support</title>
<para arch="i386">Several old drivers for ISA cards have been removed,
including
the asc driver for GI1904-based hand scanners,
the ctx driver for CORTEX-I Frame Grabber,
the gp driver for National Instruments AT-GPIB and AT-GPIB/TNT boards,
the gsc driver for the Genius GS-4500 hand scanner,
the le driver for DEC EtherWORKS II and III ethernet controllers,
the rdp driver for RealTek RTL 8002-based pocket ethernet adapters,
the spigot driver for the Creative Labs Video Spigot video-acquisition board,
the stl and stli drivers for Stallion Technologies multiport serial
controllers, and the wt driver for Archive/Wangtek cartridge tapes.
They are currently non-functional, and would require a considerable
amount of work to make them work under the new API in 5-CURRENT.
The userland support such as related ioctls and utilities including
sasc and sgsc has also been removed.</para>
</sect3>
<sect3 id="boot">
<title>Boot Loader Changes</title>
<para arch="i386">A serial console-capable version of
<filename>boot0</filename> has been added. It can be written
to a disk using &man.boot0cfg.8; and specifying
<filename>/boot/boot0sio</filename> as the argument to the
<option>-b</option> option.</para>
<para arch="i386"><filename>cdboot</filename> now works around a
BIOS problem observed on some systems when booting from USB
CDROM drives.</para>
<!-- Above this line, order boot loader changes by keyword-->
</sect3>
<sect3 id="net-if">
<title>Network Interface Support</title>
<para arch="i386">The &man.arl.4; driver, which supports
Aironet Arlan 655 wireless adapters has been added.</para>
<para arch="sparc64">The &man.dc.4; driver now supports sparc64
Davicom cards that store their MAC address in
OpenFirmware.</para>
<para arch="i386,pc98">The hea (Efficient Networks, Inc. ENI-155p ATM adapter)
driver has been removed due to breakage. Its functionality
has been subsumed into the &man.en.4; driver.</para>
<para>A short hiccup in the &man.em.4; during parameter
reconfiguration, has been fixed. &merged;</para>
<para arch="i386">The lmc (LAN Media Corp. PCI WAN adapter) driver has been
removed due to breakage and lack of maintainership.</para>
<para arch="i386">&os; now provides a binary compatibility layer
for using µsoft.windows; NDIS drivers for network
adapters under &os;/i386. It includes a relocator/linker for
&windows; <filename>.SYS</filename> files to interface with
the &os; kernel and emulates various parts of the NDIS API
using native &os; kernel functions. This system supports PCI
and CardBus network devices, and is designed principally for
Ethernet and wireless network interfaces.
For more information, see the &man.ndis.4; and
&man.ndiscvt.8; manual pages.</para>
<para>The &man.ng.atmllc.4; Netgraph node type, which handles
RFC 1483 ATM LLC encapsulation, has been added.</para>
<para>The &man.ng.vlan.4; NetGraph node type, which supports
IEEE 802.1Q VLAN tagging has been added. &merged;</para>
<para>Several bugs related to multicast and promiscuous mode
handling in the &man.sk.4; driver have been fixed.</para>
<para>The &man.udav.4; driver has been added. It provides
support for USB Ethernet adapters based on the Davicom DM9601
chipset.</para>
</sect3>
<sect3 id="net-proto">
<title>Network Protocols</title>
<para>The &man.gre.4; tunnel driver now supports WCCP version
2.</para>
<para>Some bugs in the IPsec implementation from the KAME
Project have been fixed. These bugs were related to freeing
memory objects before all references to them were removed, and
could cause erratic behavior or kernel panics after flushing
the Security Policy Database (SPD).</para>
<para>The <literal>PFIL_HOOKS</literal> option is now enabled by
default in the <filename>GENERIC</filename> kernel. The most
notable effect of this change is to make
<application>IPFilter</application> work correctly when loaded
as a kernel module.</para>
<para>The following TCP features are now enabled by default: RFC
3042 (Limited Retransmit), RFC 3390 (increased initial
congestion window sizes), TCP bandwidth-delay product
limiting. More information can be found in &man.tcp.4;.</para>
<para>&os;'s TCP implementation now includes support for a
minimum MSS (settable via the
<varname>net.inet.tcp.minmss</varname> sysctl variable) and a
rate limit on connections that send many small TCP segments
within a short period of time (via the
<varname>net.inet.tcp.minmssoverload</varname> sysctl
variable). Connections exceeding this limit may be reset and
dropped. This feature provides protection against a class of
resource exhaustion attacks.</para>
<para>The TCP implementation now includes partial (output-only)
support for RFC 2385 (TCP-MD5) digest support. This feature,
enabled with the <literal>TCP_SIGNATURE</literal> and
<literal>FAST_IPSEC</literal> kernel options, is a TCP option
for authenticating TCP sessions. &man.setkey.8; now includes
support for the TCP-MD5 class of security associations.
&merged;</para>
</sect3>
<sect3 id="disks">
<title>Disks and Storage</title>
<para>The &man.ata.4; driver now supports cardbus ATA/SATA
controllers.</para>
<para>A number of bugs in the &man.ata.4; driver have been
fixed. Most notably, master/slave device detection should
work better, and some problems with timeouts should be
resolved.</para>
<para>The &man.umass.4; driver now supports the missing
ATAPI MMC commands and handles the timeout properly.</para>
</sect3>
<sect3 id="fs">
<title>File Systems</title>
<para>The EXT2FS file system code now includes partial support
for large (> 4GB) files. This support is partial in that
it will refuse to create large files on filesystems that have
not been upgraded to <literal>EXT2_DYN_REV</literal> or that
don not have the
<literal>EXT2_FEATURE_RO_COMPAT_LARGE_FILE</literal> flag set
in the superblock.</para>
<para>A bug in GEOM that could result in I/O hangs in some rare
cases has been fixed.</para>
<para>A new geom_concat class has been added to concatenate
multiple disks to appear as a single larger disk. The
&man.gconcat.8; utility is used for configurating concatenated
disks.</para>
<para>A panic in the NFSv4 client has been fixed; this occurred
when attempting operations against an NFSv3/NFSv2-only
server.</para>
<para>The SMBFS client now has support for SMB request signing,
which prevents <quote>man in the middle</quote> attacks and is
required in order to connect to Windows 2003 servers in their
default configuration. As signing each message imposes a
significant performance penalty, this feature is only enabled
if the server requires it; this may eventually become an
option to &man.mount.smbfs.8;.</para>
<para>The <filename>gbde_swap</filename> script, which supports
gbde-enabled swap devices has been added into
<filename>/etc/rc.d</filename>.
When the <varname>gbde_swap_enable</varname> variable is specified
in &man.rc.conf.5;, a swap device named
<filename>/dev/<replaceable>foo.bde</replaceable></filename>
in &man.fstab.5;
is automatically attached at boot time with the device
<filename>/dev/<replaceable>foo</replaceable></filename>
and a random key, which
generated by computing the MD5 checksum of 512 bytes read
from <filename>/dev/random</filename>.
Note that this prevents recovery of kernel dumps.</para>
<para>The <filename>mixer</filename> script has been added into
<filename>/etc/rc.d</filename>.
It saves the current settings of all audio mixers present
in the system on shutdown and restores the settings on boot.</para>
</sect3>
<sect3 id="mm">
<title>Multimedia Support</title>
<para>The meteor (video capture) driver has been removed due to
breakage and lack of maintainership.</para>
</sect3>
</sect2>
<sect2 id="userland">
<title>Userland Changes</title>
<para>&man.indent.1; now supports a <option>-ldi</option> option
to control indentation of local variables. A number of other
tunings were made to this utility.</para>
<para>&man.ifconfig.8; now supports renaming of network interfaces
at run-time using the <option>name</option> parameter.</para>
<para>&man.ifconfig.8; now prints the &man.polling.4; status
on the interface. &merged;</para>
<para>&man.ip6fw.8; now supports a <option>-n</option> flag to
stop it from making any changes to the rules in the kernel</para>
<para>&man.ipfw.8; now supports a <option>-b</option> flag to
print only the action and comment for each rule, thus omitting
the rule body.</para>
<para>&man.killall.1; now supports a <option>-e</option> flag to
make the <option>-u</option> operate on effective, rather than
real, user ids. &merged;</para>
<para>&man.libalias.3; now has support (and a new API) for
multiple aliasing instances in a single process. The existing
API has been reimplemented in terms of the new one to preserve
compatibility.</para>
<para>A <filename>libarchive</filename> library for manipulation
of compressed and uncompressed archive files has been
added. More details can be found in &man.libarchive.3;.</para>
<para arch="pc98"><filename>libdisk</filename> now uses the
correct PC98 disk partition value for &os;. This permits the
&man.sysinstall.8; disk partition editor to correctly create a
single &os; partition covering the entire disk. &merged;</para>
<para><filename>libdisk</filename> now uses
<varname>d_addr_t</varname> for disk addresses.
This allows &man.sysinstall.8; to properly handle disks
and filesystems more than 1 TB.</para>
<para arch="i386,pc98,amd64,ia64">The library formerly known as
<filename>libkse</filename> has been renamed
<filename>libpthread</filename> and is now the default threading
library on the i386, amd64, and ia64 platforms.
<application>GCC</application>'s <option>-pthread</option>
option has been changed to use <filename>libpthread</filename>
rather than <filename>libc_r</filename>.
<note>
<para>Users with older binaries (for example, ports compiled
before this change was made) should use &man.libmap.conf.5;
to map <filename>libc_r</filename> and/or
<filename>libkse</filename> to
<filename>libpthread</filename>.</para>
</note>
<note>
<para>Users with NVIDIA-supplied drivers and libraries may
need to use a &man.libmap.conf.5; that maps
<filename>libpthread</filename> references to the older
<filename>libc_r</filename> since these drivers and
utilities do not work with
<filename>libpthread</filename>.</para>
</note>
<para>
<para>The &man.logins.1; utility has been added to display
information about user and system accounts.</para>
<para>&man.mountd.8; now supports the <option>-p</option> option,
which allows users to specify a known port for use
in firewall rulesets.</para>
<para>&man.newfs.8; and &man.mdmfs.8; now support a
<option>-l</option> flag to enable them to set the MAC
multilabel flag on new filesystems without requiring the use of
&man.tunefs.8;.</para>
<para>&man.nologin.8; now reports login attempts via
&man.syslogd.8;.</para>
<para>&man.nologin.8; has been moved from <filename>/sbin/nologin</filename>
to <filename>/usr/sbin/nologin</filename>, and
<filename>/sbin/nologin</filename> remains as a symbolic link
for backward compatibility.</para>
<para>A bugfix has been applied to NSS support, which fixes
problems when using third-party NSS modules (such as <filename
role="package">net/nss_ldap</filename>) and groups with large
membership lists.</para>
<para>&man.pw.8; now supports a <option>-H</option> option, which
accepts an encrypted password on a file descriptor. &merged;</para>
<para>The configuration files used by the &man.resolver.3; now
support the <literal>timeout:</literal> and
<literal>attempts:</literal> keywords.</para>
<para>The &man.resolver.3; and associated interfaces are now much
more reentrant and thread-safe. Multiple DNS lookups can now be
run at the same time, showing major improvements in the
performance of some multi-threaded applications. Some
multi-threaded programs need to be recompiled; examples from the
Ports Collection are <filename
role="package">www/mozilla</filename> and variants, <filename
role="package">mail/evolution</filename>, <filename
role="package">devel/gnomevfs</filename>, and <filename
role="package">devel/gnomevfs2</filename>.</para>
<para>&man.savecore.8; now works correctly for dump files larger
than 2GB.</para>
<para>A bug in &man.script.1; has been fixed so that it now works
correctly if its stdin is closed. This fix prevents a
potentially dangerous interaction with the <filename
role="package">sysutils/portupgrade</filename> package; if it was
run non-interactively, it could remove all out-of-date
ports without reinstalling them.</para>
<para>The &man.sdpd.8; Bluetooth Service Discovery Protocol daemon
has been added.</para>
<para>Many userland utilities in the base system (mostly GNU
contributed utilities) now use the system version of
&man.getopt.long.3;, rather than the GNU version.</para>
</sect2>
<sect2 id="contrib">
<title>Contributed Software</title>
<para>The <application>ACPI-CA</application> code has been updated
from the 20030619 snapshot to the 20040311 snapshot.</para>
<para><application>awk</application> from Bell Labs has been
updated from the 29 July 2003 release to the 7 February 2004
release.</para>
<para>Security improvements from <application>CVS</application>
1.11.10 and 1.11.11 have been backported. Specifically, certain
malformed module requests are now rejected, and when using
<command>cvs pserver</command> mode, attempts to authenticate as
<username>root</username> are rejected and recorded via
&man.syslog.3;.</para>
<para><application>gdtoa</application> (a library that performs
conversions of numbers between binary and decimal form) has been
updated from version 20030324 to version 20040118.</para>
<para><application>GNU grep</application> has been updated from
2.4d to 2.4.2.</para>
<para><application>GNU readline</application> 4.3 has been updated
with official patches 001 through 005.</para>
<para>The <application>GNU regex</application> library has been
updated to the version included with <application>GNU
grep</application> 2.4.2.</para>
<para>The <application>GNU tar</application> implementation in the
base system is now called <filename>gtar</filename>, with
<filename>tar</filename> being a link to
<filename>gtar</filename>.</para>
<para><application>OpenPAM</application> has been updated from the
Dogwood release to the Eelgrass release.</para>
<para><application>OpenSSH</application> has been updated from
3.6.1p1 to 3.8p1.
<note>
<para>The configuration defaults for &man.sshd.8; have been
changed. SSH protocol version 1 is no longer enabled by
default. In addition, password authentication over SSH is
disabled by default if PAM is enabled.</para>
</note>
</para>
<para><application>pf</application>, OpenBSD's packet filter as of
OpenBSD 3.4, has been imported into &os; source tree and is now installed
by default. A new user <username>proxy</username>, and two new
groups <username>authpf</username> and <username>proxy</username>,
which <application>pf</application> needs, are added as well.
<note>
<para>On upgrading from the source, these user accounts must be
added in advance. The <varname>NO_PF</varname> variable
in <filename>make.conf</filename> can be used to prevent
<application>pf</application> from building.</para>
</note>
<para>Several userland utilities of OpenBSD's
<application>pf</application> have been imported.
<filename>libexec/ftp-proxy</filename> is an ftp proxy for
<application>pf</application>,
<filename>sbin/pfctl</filename> is an equivalent to
<filename>sbin/ipf</filename>,
<filename>sbin/pflogd</filename>
is a daemon logging packets via <literal>if_pflog</literal>
in pcap format, and
<filename>usr.sbin/authpf</filename> is an authentication shell
to modify pf rulesets.</para>
<para><application>routed</application> has been updated from
release 2.22 to release 2.27 from rhyolite.com. Note that for
users relying on RIP's MD5 authentication feature,
&man.routed.8; routed is now incompatible with previous versions
of &os;; however it is now compatible with implementations from
Sun, Cisco and other vendors.</para>
<para><application>sendmail</application> has been updated from
version 8.12.10 to version 8.12.11. &merged;</para>
</sect2>
<sect2 id="ports">
<title>Ports/Packages Collection Infrastructure</title>
<para>The <literal>SIZE</literal> attribute for distfiles,
which can be used for checking file sizes before fetching,
has been added and enabled by default.
<varname>DISABLE_SIZE</varname> is a user control knob
to disable the distfile size checking. This is especially
useful on old &os; versions which didn't have &man.fetch.1;
support for this, and for some FTP proxies which always
report incorrect or bogus sizes.</para>
</sect2>
<sect2 id="releng">
<title>Release Engineering and Integration</title>
<para arch="i386,pc98">The building process for boot floppy images
has been completely overhauled. The most significant change is
that the loader now boots a stock <filename>GENERIC</filename>
kernel split across multiple disks (two at the time of this
writing). This greatly improves installations that begin with a
boot from floppy disk, because they now use exactly the same
kernel (and thus support the same hardware) as CDROM
installations. The stripped-down <filename>MFSROOT</filename>
kernel is no longer needed, and the <filename>mfsroot</filename>
image no longer requires kernel modules. The
<filename>boot.flp</filename> and
<filename>driver.flp</filename> images are also obsolete and no
longer built.</para>
</sect2>
<sect2 id="doc">
<title>Documentation</title>
<para></para>
</sect2>
</sect1>
<sect1 id="upgrade">
<title>Upgrading from previous releases of &os;</title>
<para>Users with existing &os; systems are
<emphasis>highly</emphasis> encouraged to read the <quote>Early
Adopter's Guide to &os; &release.current;</quote>. This document generally has
the filename <filename>EARLY.TXT</filename> on the distribution
media, or any other place that the release notes can be found. It
offers some notes on upgrading, but more importantly, also
discusses some of the relative merits of upgrading to &os;
5.<replaceable>X</replaceable> versus running &os;
4.<replaceable>X</replaceable>.</para>
<important>
<para>Upgrading &os; should, of course, only be attempted after
backing up <emphasis>all</emphasis> data and configuration
files.</para>
</important>
</sect1>
|