分类: BSD
2005-11-10 17:57:08
Copyright © 2000, 2001, 2002, 2003, 2004, 2005 The FreeBSD Documentation Project
$FreeBSD: src/release/doc/en_US.ISO8859-1/relnotes/common/new.sgml,v 1.883.2.7.2.1 2005/10/21 16:01:46 yar Exp $
FreeBSD is a registered trademark of the FreeBSD Foundation.
IBM, AIX, EtherJet, Netfinity, OS/2, PowerPC, PS/2, S/390, and ThinkPad are trademarks of International Business Machines Corporation in the United States, other countries, or both.
IEEE, POSIX, and 802 are registered trademarks of Institute of Electrical and Electronics Engineers, Inc. in the United States.
Intel, Celeron, EtherExpress, i386, i486, Itanium, Pentium, and Xeon are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Sparc, Sparc64, SPARCEngine, and UltraSPARC are trademarks of SPARC International, Inc in the United States and other countries. Products bearing SPARC trademarks are based upon architecture developed by Sun Microsystems, Inc.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this document, and the FreeBSD Project was aware of the trademark claim, the designations have been followed by the “™” or the “®” symbol.
The release notes for FreeBSD 6.0-RELEASE contain a summary of the changes made to the FreeBSD base system on the 6-STABLE development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented.
This document contains the release notes for FreeBSD 6.0-RELEASE on the i386 hardware platform. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD.
This distribution of FreeBSD 6.0-RELEASE is a release distribution. It can be found at or any of its mirrors. More information on obtaining this (or other) release distributions of FreeBSD can be found in the to the .
All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with “late-breaking” information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD 6.0-RELEASE can be found on the FreeBSD Web site.
This section describes the most user-visible new or changed features in FreeBSD since 5.4-RELEASE. In general, changes described here are unique to the 6-STABLE branch unless specifically marked as [MERGED] features.
Typical release note items document recent security advisories issued after 5.4-RELEASE, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.
A bug in the utility, which allows a malicious HTTP server to cause arbitrary portions of the client's memory to be overwritten, has been fixed. For more information, see security advisory . [MERGED]
A bug in and which could allow a malicious local user to read parts of kernel memory or perform a local denial of service attack by causing a system panic, has been fixed. For more information, see security advisory . [MERGED]
Two buffer overflows in the TELNET client program have been corrected. They could have allowed a malicious TELNET server or an active network attacker to cause to execute arbitrary code with the privileges of the user running it. More information can be found in security advisory . [MERGED]
An information disclosure vulnerability in the system call, which could permit it to transmit random parts of kernel memory, has been fixed. More details are in security advisory . [MERGED]
An information leak vulnerability in the SIOCGIFCONF , which leaked 12 bytes of kernel memory, has been fixed. More details are in security advisory . [MERGED]
Several programming errors in , which could potentially cause arbitrary code to be executed on CVS servers, have been corrected. Further information can be found in security advisory . [MERGED]
An error in the default permissions on the /dev/iir device node, which allowed unprivileged local users can send commands to the hardware supported by the driver, has been fixed. For more information, see security advisory . [MERGED]
A bug in the validation of system call input arguments, which may allow kernel memory to be disclosed to a user process, has been fixed. For more information, see security advisory . [MERGED]
Several information disclosure vulnerabilities in various parts of the kernel have been fixed. For more information, see security advisory . [MERGED]
Because of an information disclosure vulnerability on processors using Hyper-Threading Technology (HTT), the machdep.hyperthreading_allowed sysctl variable has been added. It defaults to 1 (HTT enabled) on FreeBSD CURRENT, and 0 (HTT disabled) on the 4-STABLE and 5-STABLE development branches and supported security fix branches. More information can be found in security advisory . [MERGED]
A bug in the utility which allows a malicious remote user to cause a denial-of-service by using specially crafted packets, has been fixed. For more information, see security advisory . [MERGED]
Two problems in the utility have been fixed. These may allow a local user to modify permissions of arbitrary files and overwrite arbitrary local files when uncompressing a file. For more information, see security advisory . [MERGED]
A bug in BIND 9 DNSSEC has been fixed. When DNSSEC is enabled, this bug may allow a remote attacker to inject a specially crafted packet which will cause to terminate. For more information, see security advisory . [MERGED]
A bug has been fixed in that could cause packets to be matched incorrectly against a lookup table. This bug only affects SMP machines or UP machines that have the PREEMPTION kernel option enabled. More information is contained in security advisory . [MERGED]
Two security-related problems have been fixed in . These include a potential denial of service and unauthorized manipulation of file permissions. For more information, see security advisory . [MERGED]
Two problems in FreeBSD's TCP stack have been fixed. They could allow attackers to stall existing TCP connections, creating a denial-of-service situation. More information is contained in security advisory . [MERGED]
Support for 80386 processors (the I386_CPU kernel configuration option) has been removed. Users running this class of CPU should use FreeBSD 5.X or earlier.
The kernel debugger now supports a show alllocks command, which dumps a list of processes and threads currently holding sleep mutexes (and spin mutexes for the current thread). [MERGED]
The kernel crash dump format has been changed to ELF to support large memory (more than 4GB) environments.
The driver is now available as a loadable kernel module.
The feature now supports a new sysctl security.jail.chflags_allowed, which controls the behavior of within a jail. If set to 0 (the default), then a jailed root user is treated as an unprivileged user; if set to 1, then a jailed root user is treated the same as an unjailed root user. [MERGED]
A sysctl security.jail.getfsstatroot_only has been renamed to security.jail.enforce_statfs and now supports the following policies:
| Value | Policy |
|---|---|
| 0 | Show all mount-points without any restrictions. |
| 1 | Show only mount-points below jail's chroot and show only part of the mount-point's path (for example, if the jail's chroot directory is /jails/foo and mount-point is /jails/foo/usr/home, only /usr/home will be shown). |
| 2 | Show only mount-point where jail's chroot directory is placed. |
The loader tunable debug.mpsafevm has been enabled by default. [MERGED]
, a kernel memory allocator designed to help detect “tamper-after-free” scenarios, has been added. This must be explicitly enabled via options DEBUG_MEMGUARD, plus small kernel modifications. It is generally intended for use by kernel developers.
struct ifnet and the network interface API have been changed. Due to ABI incompatibility, all drivers not in the FreeBSD base system need to be updated to use the new API and recompiled.
A number of bugs have been fixed in the ULE scheduler. [MERGED]
Fine-grained locking to allow much of the VFS stack to run without the Giant lock has been added. This is enabled by default on the alpha, amd64, and i386 architectures, and can be disabled by setting the loader tunable (and sysctl variable) debug.mpsafevfs to 0.
A bug in Inter-Processor Interrupt (IPI) handling, which could cause SMP systems to crash under heavy load, has been fixed. More details are contained in errata note . [MERGED]
System V IPC objects (message queues, semaphores, and shared memory) now have support for Mandatory Access Control policies, notably , , , and .
Memory allocation for legacy PCI bridges has been limited to the top 32MB of RAM. Many older, legacy bridges only allow allocation from this range. This change only applies to devices which do not have their memory assigned by the BIOS. This change fixes the “bad Vcc” error of CardBus bridges (). [MERGED]
The MIBs beginning with “debug” now require the kernel option options SYSCTL_DEBUG. This option is disabled by default.
The generic driver interface has been added and many device drivers including ({tty,cua}x), ({tty,cua}c), ({tty,cua}D), ({tty,cua}m), ({tty,cua}R), ({tty,cua}z), ({tty,cua}A), ({tty,cua}d), sx ({tty,cua}G), ({tty,cua}u), ({tty,cua}y), ({tty,cua}U), and ({tty,cua}y) have been rewritten to use it. Note that /etc/remote and /etc/ttys have been updated as well.
The driver has been added. This driver provides a software loopback mechanism that can implement a virtual AT keyboard similar to what the driver does for terminals.
FreeBSD always uses the local APIC timer even on uni-processor systems now.
The default HZ parameter (which controls various kernel timers) has been increased from 100 to 1000 on the i386 and ia64. It has been reduced from 1024 to 1000 on the amd64 to reduce synchronization effects with other system clocks.
The maximum length of shell commands has changed from 128 bytes to PAGE_SIZE. By default, this value is either 4KB (i386, pc98, amd64, and powerpc) or 8KB (sparc64 and ia64). As a result, compatibility modules need to be rebuilt to stay synchronized with data structure changes in the kernel.
A new tunable vm.blacklist has been added. This can hold a space or comma separated list of physical addresses. The pages containing these physical addresses will not be added to the free list and thus will effectively be ignored by the FreeBSD VM system. The physical addresses of any ignored pages are listed in the message buffer as well.
A serial console-capable version of boot0 has been added. It can be written to a disk using and specifying /boot/boot0sio as the argument to the -b option.
cdboot now works around a BIOS problem observed on some systems when booting from USB CDROM drives.
The autoboot loader command now supports the prompt parameter.
The autoboot loader command will now prevent the user from interrupting the boot process at all if the autoboot_delay variable is set to -1. [MERGED]
A loader menu option to set hint.atkbd.0.flags=0x1 has been added. This setting allows USB keyboards to work if no PS/2 keyboard is attached.
The beastie boot menu has been disabled by default.
The driver now turns the ACPI and PCI devices off or to a lower power state when suspending, and back on again when resuming. This behavior can be disabled by setting the debug.acpi.do_powerstate and hw.pci.do_powerstate sysctls to 0.
The driver for IBM laptops has been added. It provides support for the various hotkeys and reading fan status and thermal sensors.
The driver for handling -controlled buttons on Fujitsu laptops has been added.
The acpi_sony driver, which supports the Sony Notebook Controller on various Sony laptops has been added.
The , , and drivers have been rewritten in more bus-independent way, and now support the EBus found on the sparc64 platform.
A framework for flexible processor speed control has been added. It provides methods for various drivers to control CPU power utilization by adjusting the processor speed. More details can be found in the manual page. [MERGED] Currently supported drivers include ichss (Intel SpeedStep for ICH), acpi_perf (ACPI CPU performance states), and acpi_throttle (ACPI CPU throttling). The latter two drivers are contained in the driver. These can individually be disabled by setting device hints such as hint.ichss.0.disabled="1".
Support for the PadLock Security Co-processor in VIA C3 processors has been added to the subsystem.
The hardware performance monitoring counter driver has been added. This driver virtualizes the hardware performance monitoring facilities in modern CPUs and provides support for using these facilities from user level processes. For more details, see manual pages of , associated libraries, and associated userland utilities.
Support for the OLDCARD subsystem has been removed. The NEWCARD system is now used for all PCCARD device support.
The pcii driver has been added to support GPIB-PCIIA IEEE-488 cards. [MERGED]
The driver now supports a 0x8 (bit 3) flag to disable testing the keyboard port during the device probe as this can cause hangs on some machines, specifically Compaq R3000Z series amd64 laptops.
The driver, which supports direct access to the Intel 8255A programmable peripheral interface (PPI) chip running in mode 0 (simple I/O) has been added.
The driver now has improved support for Synaptics Touchpad users. It now has better tracking of slow-speed movement and support for various extra buttons and dials. These features can be tuned with the hw.psm.synaptics.* hierarchy of sysctl variables.
The driver now supports VESA (15, 16, 24, and 32 bit) modes. To enable this feature, two kernel options SC_PIXEL_MODE and VESA (or corresponding kernel module) are needed.
The driver now supports the FTDI FT2232C chip.
The driver now supports handling of the CTS signal.
The driver has been improved.
The driver now supports suspend and resume operation.
The driver now has some added functionality, including volume control on more inputs and recording capability on some devices. [MERGED]
The driver has been updated to split the transmit rate control algorithm into a separate module. One of device ath_rate_onoe, device ath_rate_amrr, or device ath_rate_sample must be included in the kernel configuration when using the driver.
The driver now supports the framework, as well as the BCM5714, 5721, 5750, 5751, 5751M and 5789 chips. [MERGED]
The USB Communication Device Class Ethernet driver has been added. [MERGED]
The driver is now MPSAFE. [MERGED]
The driver is now MPSAFE. [MERGED]
The driver is now MPSAFE. [MERGED]
The driver now supports the framework and is MPSAFE. [MERGED]
The driver is now MPSAFE.
The driver now supports the framework. [MERGED]
The driver is now MPSAFE.
In the driver, hardware support for VLAN tagging is now disabled by default due to some interactions between this feature and promiscuous mode. [MERGED]
Ethernet flow control is now disabled by default in the driver, to prevent problems on a subnet when a system panics or is left in the kernel debugger. [MERGED]
The gx(4) driver has been removed because it is no longer maintained actively and the driver supports all of the supported hardware.
The driver is now MPSAFE. [MERGED]
The (for Intel PRO/Wireless 2100), (for Intel PRO/Wireless 2200BG/2225BG/2915ABG), (for Ralink Technology RT2500), and (for Ralink Technology RT2500USB) drivers have been added.
The driver is now MPSAFE. [MERGED]
The musycc driver, for the LanMedia LMC1504 T1/E1 network interface card, has been removed due to disuse.
The driver is now MPSAFE.
Drivers using the device driver wrapper mechanism are now built and loaded differently. The driver can now be pre-built as a module or statically compiled into a kernel. Individual drivers can now be built with the utility; the result is a kernel module that can be loaded into a running kernel using . [MERGED]
The driver, which supports the nVidia nForce MCP Networking Adapter, has been added.
The driver is now MPSAFE.
The driver now supports the framework. [MERGED]
The driver now has support for device polling and and is MPSAFE. [MERGED]
Several programming errors in the driver have been corrected. These bugs were particular to SMP systems, and could cause panics, page faults, aborted SSH connections, or corrupted file transfers. More details can be found in errata note . [MERGED]
The driver now has support for . This driver also now supports jumbo frames on Yukon-based interfaces. [MERGED]
The driver now has support for .
The driver now has support for device polling ().
Support for 802.11 devices in the framework has been greatly overhauled. In addition to architectural changes, it includes completed 802.11g, WPA, 802.11i, 802.1x, WME/WMM, AP-side power-saving, and plugin frameworks for cryptography modules, authenticators, and access control. Note in particular that WEP now requires the wlan_wep module to be loaded (or compiled) into the kernel.
The driver now supports . [MERGED]
The MTU feedback in IPv6 has been disabled when the sender writes data that must be fragmented. [MERGED]
The Common Address Redundancy Protocol (CARP) has been implemented. CARP comes from OpenBSD and allows multiple hosts to share an IP address, providing high availability and load balancing. For more information, see the manual page. [MERGED]
The network bridging implementation, originally from NetBSD, has been added. It supports the IEEE 802.1D Spanning Tree Protocol, individual interface devices for each bridge, and filtering of bridged packets. The utility now supports configuration of .
The IPDIVERT option is now available as a kernel loadable module. If this module is not loaded, will refuse to install divert rules and will return the error message “protocol not supported”.
The system can work with debug.mpsafenet=1 (this tunable is 1 by default) when the gid, jail, and/or uid rule options are used. [MERGED]
The and systems now support IPv6.
now supports classification and tagging of packets via a divert socket. It is also possible to specify rules that match TCP packets with specific payload sizes.
The ipfw fwd rule now supports the full packet destination manipulation when the kernel option options IPFIREWALL_FORWARD_EXTENDED is specified in addition to options IPFIRWALL_FORWARD. This kernel option disables all restrictions to ensure proper behavior for locally generated packets and allows redirection of packets destined to locally configured IP addresses. Note that rules have to be carefully crafted to make sure that things like PMTU discovery do not break. [MERGED]
The system now supports IPv4 only rules.
now allows redirect rules to work for non-TCP/UDP packets. [MERGED]
Ongoing work is reducing the use of the Giant lock by the network protocol stack and improving the locking strategies.
The libalias library can now be built as a kernel module.
The link state change notifications of network interfaces are sent to /dev/devctl now.
A new NetGraph node provides a simple interface between the and facilities.
A new NetGraph node has been added to perform NAT functions.
A new NetGraph node allows a router running FreeBSD to do NetFlow version 5 exports. [MERGED]
A new NetGraph node has been added. This supports altering MSS options of TCP packets.
The driver now includes Frame Relay support. [MERGED]
The driver is now MPSAFE.
The FreeBSD routing table now requires gateways for routes to be of the same address family as the route itself. The utility now rejects a combination of different address families. For example:
# route add 10.1.1.1 -inet6 fe80::1%fxp0
The new sysctl net.link.tap.user_open has been implemented. This allows unprivileged access to device nodes based on file system permissions.
A bug in TCP that sometimes caused RST packets to be ignored if the receive window was zero bytes has been fixed. [MERGED]
The RST handling of the FreeBSD TCP stack has been improved to make reset attacks as difficult as possible while maintaining compatibility with the widest range of TCP stacks. The algorithm is as follows: For connections in the ESTABLISHED state, only resets with sequence numbers exactly matching last_ack_sent will cause a reset; all other segments will be silently dropped. For connections in all other states, a reset anywhere in the window will cause the connection to be reset. All other segments will be silently dropped. Note that this behavior technically violates the RFC 793 specification; the conventional (but less secure) behavior can be restored by setting a new sysctl net.inet.tcp.insecure_rst to 1. [MERGED]
Several bugs in the TCP SACK implementation have been fixed. [MERGED]
RFC 1644 T/TCP support has been removed. This is because the design is based on a weak security model that can easily permit denial-of-service attacks. This TCP extension has been considered a defective one in a recent Internet Draft.
The KAME IPv4 IPsec implementation integrated in FreeBSD now supports TCP-MD5. [MERGED]
Random ephemeral port number allocation has led to some problems with port reuse at high connection rates. This feature is now disabled during periods of high connection rates; whenever new connections are created faster than net.inet.ip.portrange.randomcps per second, port number randomization is disabled for the next net.inet.ip.portrange.randomtime seconds. The default values for these two sysctl variables are 10 and 45, respectively. [MERGED]
Fine-grained locking has been applied to many of the data structures in the IPX/SPX protocol stack. While not fully MPSAFE at this point, it is generally safe to use IPX/SPX without the Giant lock (in other words, the debug.mpsafenet sysctl variable may be set to 1).
Unix domain sockets now support the LOCAL_CREDS and LOCAL_CONNWAIT options. The LOCAL_CREDS option provides a mechanism for the receiver to receive the credentials of the process as a control message. The LOCAL_CONNWAIT option causes the function to block until has been called on the listening socket. For more details, see the manual page.
The driver is now safe for use on systems using . [MERGED]
The driver has been added. It supports the Areca ARC-11xx and ARC-12xx series of SATA RAID controllers. [MERGED]
The family of drivers has been overhauled and updated. It has been split into modules that can be loaded and unloaded independently (the atapci and ata modules are prerequisites for the device subdrivers, which are atadisk, atapicd, atapifd, atapist, and ataraid). On supported SATA controllers, devices can be hot inserted/removed. ATA RAID support has been rewritten and supports a number of new metadata formats. The atapicd driver no longer supports CD changers. This update has been referred to as “ATA mkIII”.
The SHSEC GEOM class has been added. It provides for the sharing of a secret between multiple GEOM providers. All of these providers must be present in order to reveal the secret. This feature is controlled by the utility. [MERGED]
A new GEOM-based disk encryption facility, GEOM_ELI, has been added. It uses the framework for hardware acceleration and supports different cryptographic algorithms. See for more information. [MERGED]
The driver, which supports the HighPoint RocketRAID 182x series, has been added. [MERGED]
The driver now support kernel crash dumps on some modern ServeRAID models. [MERGED]
The driver has been removed. [MERGED]
The default SCSI boot-time probe delay in the GENERIC kernel has been reduced from fifteen seconds to five seconds.
The old vinum(4) subsystem has been removed in favor of the new -based version.
The driver has been updated to the 9.2 release (for FreeBSD 5.2.1) distributed from the 3ware website.
Information about newly-mounted cd9660 file systems (such as the presence of RockRidge extensions) is now only printed if the kernel was booted in verbose mode. This change was made to reduce the amount of (generally unnecessary) kernel log messages. [MERGED]
Recomputing the summary information for “dirty” UFS and UFS2 file systems is no longer done at mount time, but is now done by background . This change improves the startup speed when mounting large file systems after a crash. The prior behavior can be restored by setting the vfs.ffs.compute_summary_at_mount sysctl variable to a non-zero value. [MERGED]
A kernel panic in the NFS server has been fixed. More details can be found in errata note . [MERGED]
Read-only support for ReiserFS version 3 has been added. See for details.
The and binary diff and binary patching tools have been added.
The utility now allows commands (such as eject) to take place after fixating a disk.
The utility now supports the -h flag, which supports changing flags on symbolic links.
The program now supports a -v flag to write the command to standard error before it is executed.
The program now supports a -S string option to split the string and pass them to the command as the command-line arguments.
The program now supports a -P altpath option to set the command search path used to look for the command.
The program now uses the 212 and 213 status codes for directory and file status correctly (211 was used in the previous versions). This behavior is described in RFC 959. [MERGED]
The create command of the utility now supports a -f command-line flag to force creation of a GPT even when there is an MBR record on a disk. [MERGED]
The function now queries A DNS resource records before AAAA records when AF_UNSPEC is specified. Some broken DNS servers return NXDOMAIN against non-existent AAAA queries, even when it should return NOERROR with empty return records. This is a problem for an IPv4/IPv6 dual stack node because the NXDOMAIN
