&os;/&arch; &release.current; Release Notes

The FreeBSD Project

2000 2001 2002 2003 2004 The FreeBSD Documentation Project

The release notes for &os; &release.current; contain a summary of This document lists applicable security advisories that were issued since the last release, as well as significant changes to the &os; kernel and userland. Some brief remarks on upgrading are also presented.

Introduction

This document contains the release notes for &os; &release.current; on the &arch.print; hardware platform. It describes recently added, changed, or deleted features of &os;. It also provides some notes on upgrading from previous versions of &os;.

The &release.type; distribution to which these release notes apply represents a point along the &release.branch; development branch between &release.prev; and the future &release.next;. Some pre-built, binary &release.type; distributions along this branch can be found at .

This distribution of &os; &release.current; is a &release.type; distribution. It can be found at or any of its mirrors. More information on obtaining this (or other) &release.type; distributions of &os; can be found in the Obtaining FreeBSD appendix to the FreeBSD Handbook.

Users who are new to the &release.branch; series of &os; &release.type;s should also read the Early Adopters Guide to &os; &release.current;. This document can generally be found in the same location as the release notes (either as a part of a &os; distribution or on the &os; Web site). It contains important information regarding the advantages and disadvantages of using &os; &release.current;, as opposed to releases based on the &os; 4-STABLE development branch.

All users are encouraged to consult the release errata before installing &os;. The errata document is updated with late-breaking information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation.
An up-to-date copy of the errata for &os; &release.current; can be found on the &os; Web site.

What's New

This section describes Typical release note items document recent security advisories issued after &release.prev.historic;, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to &os; between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.

Security Advisories

Kernel Changes

The dgb (DigiBoard intelligent serial card) driver has been removed due to breakage. Its replacement is the &man.digi.4; driver, which supports all the hardware of the dgb driver.

The loran (Loran-C receiver) driver has been removed due to breakage and lack of maintainership.

The ULE scheduler is now the default scheduler in the GENERIC kernel. For the average user, interactivity is reported to be better in many cases. This means less skipping and jerking in interactive applications while the machine is very busy. This will not prevent problems due to overloaded disk subsystems, but it does help with overloaded CPUs. On SMP machines, ULE has per-CPU run queues which allow for CPU affinity, CPU binding, and advanced HyperThreading support, as well as providing a framework for more optimizations in the future. As fine-grained kernel locking continues, the scheduler will be able to make more efficient use of the available parallel resources.

Platform-Specific Hardware Support

Boot Loader Changes

A serial console-capable version of boot0 has been added. It can be written to a disk using &man.boot0cfg.8; and specifying /boot/boot0sio as the argument to the option.

cdboot now works around a BIOS problem observed on some systems when booting from USB CDROM drives.

Network Interface Support

The &man.dc.4; driver now supports sparc64 Davicom cards that store their MAC address in OpenFirmware.

The hea (Efficient Networks, Inc. ENI-155p ATM adapter) driver has been removed due to breakage. Its functionality has been subsumed into the &man.en.4; driver.

The lmc (LAN Media Corp. PCI WAN adapter) driver has been removed due to breakage and lack of maintainership.

A wrapper system has been added to allow binary Windows NDIS miniport network drivers to be used with FreeBSD. For more information, see the &man.ndis.4; and &man.ndiscvt.8; manual pages.

Several bugs related to multicast and promiscuous mode handling in the &man.sk.4; driver have been fixed.

Network Protocols

Some bugs in the IPsec implementation from the KAME Project have been fixed. These bugs were related to freeing memory objects before all references to them were removed, and could cause erratic behavior or kernel panics after flushing the Security Policy Database (SPD).

The PFIL_HOOKS option is now enabled by default in the GENERIC kernel. The most notable effect of this change is to make IPFilter work correctly when loaded as a kernel module.

The following TCP features are now enabled by default: RFC 3042 (Limited Retransmit), RFC 3390 (increased initial congestion window sizes), TCP bandwidth-delay product limiting. More information can be found in &man.tcp.4;.

&os;'s TCP implementation now includes support for a minimum MSS (settable via the net.inet.tcp.minmss sysctl variable) and a rate limit on connections that send many small TCP segments within a short period of time (via the net.inet.tcp.minmssoverload sysctl variable). Connections exceeding this limit may be reset and dropped. This feature provides protection against a class of resource exhaustion attacks.

Disks and Storage

A number of bugs in the &man.ata.4; driver have been fixed. Most notably, master/slave device detection should work better, and some problems with timeouts should be resolved.
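The minimum-MSS rate limit described under Network Protocols above can be pictured with the following user-space model. It is an added example, not code from the &os; kernel; the one-second window, the struct and function names, and the threshold values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the two sysctl variables; the values used below are constructed. */
struct tunables {
    uint32_t minmss;         /* net.inet.tcp.minmss: minimum average segment size, bytes */
    uint32_t minmssoverload; /* net.inet.tcp.minmssoverload: segments/s, 0 disables */
};

/* Per-connection counters for the current one-second window (assumed model). */
struct conn { uint64_t window_end_us; uint32_t segs; uint64_t bytes; };

/* Account for one received segment; true means "reset and drop". */
bool over_limit(struct conn *c, const struct tunables *t,
                uint64_t now_us, uint32_t seg_len)
{
    if (t->minmssoverload == 0)
        return false;
    if (now_us >= c->window_end_us) {       /* open a new window */
        c->window_end_us = now_us + 1000000;
        c->segs = 1;
        c->bytes = seg_len;
        return false;
    }
    c->segs++;
    c->bytes += seg_len;
    /* A high segment rate alone is fine; it must also average below minmss. */
    return c->segs > t->minmssoverload && c->bytes / c->segs < t->minmss;
}

/* Replay `count` equal segments `gap_us` apart; return the 1-based segment
 * at which the connection is dropped, or 0 if it survives. */
uint32_t replay(struct tunables t, uint32_t count, uint32_t seg_len, uint32_t gap_us)
{
    struct conn c = {0, 0, 0};
    for (uint32_t i = 0; i < count; i++)
        if (over_limit(&c, &t, (uint64_t)i * gap_us, seg_len))
            return i + 1;
    return 0;
}

int main(void)
{
    struct tunables t = {216, 1000};        /* constructed values */
    printf("tiny, fast: %u\n", replay(t, 5000, 20, 100));
    printf("full, fast: %u\n", replay(t, 5000, 1460, 100));
    printf("tiny, slow: %u\n", replay(t, 5000, 20, 2000));
    return 0;
}
```

Only the flow that is both fast and made of undersized segments is dropped; bulk transfers with full-sized segments and slow interactive traffic pass.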

File Systems

A bug in GEOM that could result in I/O hangs in some rare cases has been fixed.

A panic in the NFSv4 client has been fixed; this occurred when attempting operations against an NFSv3/NFSv2-only server.

The SMBFS client now has support for SMB request signing, which prevents man in the middle attacks and is required in order to connect to Windows 2003 servers in their default configuration. As signing each message imposes a significant performance penalty, this feature is only enabled if the server requires it; this may eventually become an option to &man.mount.smbfs.8;.

Multimedia Support

The meteor (video capture) driver has been removed due to breakage and lack of maintainership.

Userland Changes

The configuration files used by the &man.resolver.5; now support the timeout: and attempts: keywords.

&man.ipfw.8; now supports a flag to print only the action and comment for each rule, thus omitting the rule body.

A bugfix has been applied to NSS support, which fixes problems when using third-party NSS modules (such as net/nss_ldap) and groups with large membership lists.

Contributed Software

The ACPI-CA code has been updated from the 20030619 snapshot to the 20031203 snapshot.

Security improvements from CVS 1.11.10 and 1.11.11 have been backported. Specifically, certain malformed module requests are now rejected, and when using cvs pserver mode, attempts to authenticate as root are rejected and recorded via &man.syslog.3;.

OpenSSH has been updated from 3.6.1p1 to 3.7.1p2.

Ports/Packages Collection Infrastructure

Release Engineering and Integration

Documentation

Upgrading from previous releases of &os;

Users with existing &os; systems are highly encouraged to read the Early Adopter's Guide to &os; &release.current;. This document generally has the filename EARLY.TXT on the distribution media, or any other place that the release notes can be found.
It offers some notes on upgrading, but more importantly, also discusses some of the relative merits of upgrading to &os; 5.X versus running &os; 4.X.

Upgrading &os; should, of course, only be attempted after backing up all data and configuration files.