
FreeBSD 9.3-RELEASE Release Notes

Abstract

The release notes for FreeBSD 9.3-RELEASE contain a summary of the changes made to the FreeBSD base system on the 9.3-STABLE development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented.



Introduction

This document contains the release notes for FreeBSD 9.3-RELEASE. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD.

This distribution of FreeBSD 9.3-RELEASE is a release distribution. It can be found at http://www.FreeBSD.org/releases/ or any of its mirrors. More information on obtaining this (or other) release distributions of FreeBSD can be found in the "Obtaining FreeBSD" appendix to the FreeBSD Handbook.

All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with "late-breaking" information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD 9.3-RELEASE can be found on the FreeBSD Web site.

What’s New

This section describes the most user-visible new or changed features in FreeBSD since 9.2-RELEASE.

Typical release note items document recent security advisories issued after 9.2-RELEASE, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.

Security Advisories

Problems described in the following security advisories have been fixed. For more information, consult the individual advisories available from http://security.FreeBSD.org/.

Advisory                    Date             Topic
FreeBSD-SA-14:01.bsnmpd     14 January 2014  Fix bsnmpd(1) remote denial of service vulnerability
FreeBSD-SA-14:02.ntpd       14 January 2014  Disable "monitor" feature in ntpd(8) by default
FreeBSD-SA-14:04.bind       14 January 2014  Remote denial of service vulnerability
FreeBSD-SA-14:05.nfsserver  8 April 2014     Deadlock in the NFS server
FreeBSD-SA-14:06.openssl    8 April 2014     ECDSA side channel leak
FreeBSD-SA-14:08.tcp        30 April 2014    TCP reassembly vulnerability
FreeBSD-SA-14:11.sendmail   26 May 2014      Sendmail improper close-on-exec flag handling
FreeBSD-SA-14:12.ktrace     3 June 2014      ktrace(1) kernel memory disclosure
FreeBSD-SA-14:13.pam        3 June 2014      Incorrect error handling in PAM policy parser
FreeBSD-SA-14:14.openssl    5 June 2014      Multiple vulnerabilities
FreeBSD-SA-14:16.file       24 June 2014     Multiple vulnerabilities
FreeBSD-SA-14:17.kmem       8 July 2014      Kernel memory disclosure in control messages and SCTP notifications

Kernel Changes

The arcmsr(4) driver has been updated to version 1.20.00.28. r256033

The isci(4) driver is now loadable via kldload(8). r256437 (Sponsored by The FreeBSD Foundation)

System-level sysctl(8) values are now exposed to the system for the ixgbe(4) device. r256759

The mfi(4) driver has been updated to support MegaRAID Invader controllers. r256924

A kernel panic triggered in zfs_root() after a failed rollback has been fixed. r257119

A new sysctl(8), debug.devfs_iosize_max_clamp, has been added, which enables and disables SSIZE_MAX-sized I/O requests on devfs(5) files. r257125 (Sponsored by The FreeBSD Foundation)

A new sysctl(8), kern.disallow_high_osrel, has been added which disables executing the images compiled on a userland with a higher major version number than the major version number of the running kernel. r257126 (Sponsored by The FreeBSD Foundation)

A kernel panic triggered by unmounting a busy zfs(8) filesystem has been fixed. r257253

A deadlock triggered by powering off a USB device has been fixed. r257373

The ichsmb(4) driver has been updated to support Intel Lynx Point PCH SMBus devices. r258214

The ata(4) driver has been updated to support Coleto Creek devices. r258215

The ahci(4) driver has been updated to support the PCI-express solid state drive in the Apple® MacBook Air (model A1465). r258217

The sysctl(8) vfs.zfs.arc_meta_limit can now be changed at runtime. r258635

The mmap(2) system call has been updated to more optimally use superpages and provide support for tweaking the alignment of virtual mappings. r258870

A workaround has been implemented in the bge(4) driver for hung transmission on BCM5719 and BCM5720 chipsets. r258962

A kernel panic when listing sysctls on a system with INVARIANTS enabled has been fixed. r259002

A new sysctl(8), kern.supported_archs, has been added, which lists the MACHINE_ARCH values whose binaries can be run on the system. r259466

Several problems that could trigger kernel panic on kldload(8) and kldunload(8) have been fixed. r259519 (Sponsored by Spectra Logic)

A kernel panic triggered by some multi-threaded applications has been fixed. r260082 (Sponsored by The FreeBSD Foundation)

The runfw(4) firmware has been renamed from runfw to run.fw for consistency with other firmware files. r260134

A new sysctl(8), kern.panic_reboot_wait_time, has been added. This allows tuning the amount of time the system will wait before rebooting after panic(9). The kern.panic_reboot_wait_time value defaults to the kernel configuration option, PANIC_REBOOT_WAIT_TIME. r260433

Hardware Random Number Generators have been disabled by default. r260644

Support for GPS ports has been added to the uhso(4) driver. r261485

A memory leak of compressed buffers has been fixed in l2arc_write_done(). r262116

The netmap(4) framework has been updated to match the version in head/, which includes netmap pipes, kqueue support, and enhanced VALE switch port. r262153

A deadlock triggered by sending a mounted zfs(8) snapshot has been fixed. r262175

Support for SIIG X1 PCI-e has been added to ppc(4). r262231

Support for the ext4 filesystem has been enabled, supporting read-only mounts. r262564

A kernel panic triggered by inserting a USB ethernet device on VIMAGE-enabled systems has been fixed. r262594

TTM, a memory manager used by video drivers, has been merged. r262988 (Sponsored by The FreeBSD Foundation)

Support for /sys/kernel/random/uuid has been added to linprocfs(5). r263103

A memory leak in the zpool_in_use() function has been fixed. r263128

The extensible_dataset zpool(8) feature has been added. See zpool-features(7) for more information. r263391

A memory leak has been fixed in libzfs. r263408

The vt(4) driver has been merged from head/. r263817,263818 (Sponsored by The FreeBSD Foundation)

The mpr(4) device has been added, providing support for LSI Fusion-MPT 3 12Gb SCSI/SATA controllers. r265729 (Sponsored by LSI, Spectra Logic)

A kernel bug that inhibited proper functionality of the dev.cpu.0.freq sysctl(8) on Intel® processors with Turbo Boost™ enabled has been fixed. r266167

Support for xen(4) hardware-assisted virtualization, XENHVM, is now available as a loadable module, xenhvm.ko. r266269

Hardware Support

Trackpad support for Apple® MacBook products has been added. r261510

The nve(4) driver has been deprecated, and the nfe(4) driver should be used instead. r261973

The mfi(4) driver has been updated to support MegaRAID Fury cards. r262968

The Radeon KMS driver has been added. r263170,263171

The aacraid(4) driver has been updated to version 3.2.5. r263340

Network Interface Support

The re(4) driver has been updated to add preliminary support for the RTL8106E chipset. r257611

The re(4) driver has been updated to support the RTL8168G, RTL8168GU and RTL8411B chipsets. r257614,257616

The re(4) driver has been updated to add preliminary support for the RTL8168EP chipset. r257618

The oce(4) driver has been updated to version 10.0.664.0. r258586

The qlxgbe(4) driver has been imported from head/. r258898

The qlxge(4) driver has been imported from head/. r258936

The bge(4) driver has been updated to support the BCM5725 chipset. r258965

The bge(4) driver has been updated to support the BCM57764, BCM57767, BCM57782, BCM57786 and BCM57787 chipsets. r258967

The run(4) driver has been updated to support MediaTek/Ralink chipsets RT5370 and RT5372. r259457

The usb(4) wireless radiotap headers have been realigned, allowing wireless adapters to work on arm, mips, and other similar platforms where alignment is important. r259460

The run(4) firmware has been updated to version 0.33. r260119

The bxe(4) driver has been merged from head/, providing support for Broadcom NetXtreme II 10Gb PCIe adapters. r260252

The run(4) driver has been updated to include support for the MediaTek/Ralink RT3593 chipset. r261865

The run(4) driver has been updated to include support for the DLINK DWA-127 wireless adapter. r261933

The axge(4) driver has been added. r262153

The urndis(4) driver has been imported from OpenBSD. r262362

The bxe(4) driver has been updated to version 1.78.78. r263582

File Systems

The zfs(8) filesystem has been updated to support the bookmarks feature. r263410

Userland Changes

A new flag, -c, has been added to pgrep(1) and pkill(1), which restricts the process lookup to the specified login class. r256054

The ddb(8) utility has been updated to add show ioapic and show all ioapics. r257496

Setting nmbcluster values to their current value will now be ignored, instead of failing with an error. r258183

The /var/cache directory is now created with mode 0755 instead of mode 0750, since this directory is used by many third-party applications, which makes dropping group privileges impossible. r258763

The uname(1) utility has been updated to include the -U and -K flags, which print the __FreeBSD_version for the running userland and kernel, respectively. r258818

The fetch(3) library has been updated to support SNI (Server Name Indication), allowing the use of virtual hosts over HTTPS. r258844

A segmentation fault and internal compiler error bug in gcc(1) triggered by throwing a warning before parsing any tokens has been fixed. r259243

Several updates to gcc(1) have been imported from Google. r259269,259406 (Contributed / provided by Google)

A byte-order bug in the Heimdal gss_pseudo_random() function which would prevent interoperability with other Kerberos implementations has been fixed. In particular, this would prevent interoperability with the MIT implementation. r259448

The hastctl(8) utility has been updated to output the current queue sizes. r260007

The ps(1) utility will no longer truncate the command output column. r260197

The protect(1) command has been added, which allows exempting processes from being killed when swap is exhausted. r260208

The gmirror(8) utility now prevents deactivating the last component of a mirror. r260507

A new gmirror(8) command, gmirror destroy, has been added, which will destroy the geom(8) and erase the gmirror(8) metadata. r260507

The etcupdate(8) utility, a tool for managing updates to files in /etc, has been merged from head/. r260650

The find(1) utility has been updated to fix incorrect behavior with the -lname and -ilname flags. r260651

The hw.uart.console is now always updated when the comconsole setup changes. r260868,260869

The kldload(8) utility has been updated to display a message directing to dmesg(8), instead of the cryptic message "Exec format error". r260909

A bug that could trigger an infinite loop in KDE and X has been fixed. r261674

The newsyslog(8) utility has been changed to use the size of the file, instead of the blocks the file takes on the disk, to match the behavior documented in newsyslog.conf(5). r262076

A bug in zdb(8) which would cause numeric parameters to a flag to be treated as additional flags has been fixed. r262105

The pciconf(8) utility now has a -V flag, which lists information such as serial numbers for each device. r262134

A bug that would allow creating a zfs(8) snapshot of an inconsistent dataset has been fixed. r262158

Receiving a zfs(8) dataset with zfs recv -F now properly destroys any snapshots that were created since the incremental source snapshot. r262160

Installation from a read-only .OBJDIR has been fixed. r263031

A new shared library directory, /usr/lib/private, has been added for internal-use shared libraries. r263031

A default libmap32.conf has been added, for 32-bit applications. r263031

The libucl library, a JSON-compatible configuration file parsing library, has been imported. r263032

The pkg(7) package management utility has been synchronized with head/. This implements binary package signature verification when bootstrapping the system with pkg bootstrap. r263038

The system timezone data files have been updated to version tzdata2014a. r263042

The NetBSD make(1) utility, bmake, has been imported for compatibility with the FreeBSD Ports Collection. It is installed as bmake, and make remains the FreeBSD version. r263212

The fetch(3) library now supports Last-Modified timestamps which return UTC instead of GMT. r263326

Aliases for the zfs(8) commands list -t snap and snap have been added to match Oracle® Solaris 11. r263404

A new flag, -p, has been added to the zfs(8) list command, providing output in a parseable form. r263406

OpenPAM has been updated to Nummularia (20130907), which incorporates several bug fixes and documentation improvements. The openpam_ttyconv(3) library has been completely rewritten. r263421

The sh(1) command interpreter has been updated to expand assignments after export, local, and readonly differently. As a result of this change, a variable assignment such as local v=$1 will assign the first positional parameter to v, even if $1 contains spaces, and local w=~/myfile will expand the tilde (~). r264423
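The following added example (not part of the original release notes and not FreeBSD project code) contrasts the unquoted local v=$1 form described above with the quoted form, and reports which behavior the running shell implements. The function names and the sample strings are constructed for illustration.

```sh
#!/bin/sh
# Added example: function names are hypothetical, sample input is constructed.

# Unquoted form from the release note. On a shell with the r264423 behavior
# v receives the whole parameter. On an older sh the value is field-split
# first, so v gets only the first word and the remaining words are taken as
# further variable names to declare local.
local_unquoted() {
    local v=$1
    printf '%s' "$v"
}

# Quoted form: double quotes suppress field splitting and pathname expansion
# on every sh, so the result does not depend on the release the script runs on.
local_quoted() {
    local v="$1"
    printf '%s' "$v"
}

# Report which behavior the running shell implements for "local v=$1".
probe_local_assignment() {
    if [ "$(local_unquoted 'first second')" = 'first second' ]; then
        echo assignment
    else
        echo split
    fi
}

echo "unquoted local v=\$1 is treated as: $(probe_local_assignment)"
echo "quoted form yields: $(local_quoted 'first second')"
```

Scripts that must run on both 9.2 and 9.3 systems can rely on the quoted form, whose result is the same under either behavior.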

The find(1) utility has been updated to implement -ignore_readdir_race. Prior to this change, -ignore_readdir_race existed as an option for GNU find(1) compatibility, and was ignored if specified. A counter primary, -noignore_readdir_race, now also exists, and is the default behavior. r264699

The ps(1) utility has been updated to include the -J flag, used to filter output by matching jail(8) IDs and names. Additionally, the argument 0 can be passed to -J to list only processes running on the host system. r266286

The top(1) utility has been updated to filter by jail(8) ID or name, as a follow-up to the ps(1) change in r265229. r266287

The Blowfish crypt(3) default format has been changed to $2b$. r266818

The default newsyslog.conf(5) now includes files in the /etc/newsyslog.conf.d/ and /usr/local/etc/newsyslog.conf.d/ directories by default for newsyslog(8). r267114

A new flag, "onifconsole", has been added to /etc/ttys. This allows the system to provide a login prompt via serial console if the device is an active kernel console; otherwise it is equivalent to off. r267243

The arc4random(3) library has been updated to match that of FreeBSD-CURRENT. r267379

The pmcstat(8) utility has been updated to include a new flag, -l, which ends event collection after the specified number of seconds. r267411

The FreeBSD Project has migrated from the GNATS bug tracking system to Bugzilla. The send-pr(1) utility used for submitting problem reports has been replaced with a stub shell script that instructs to use the Bugzilla web interface. r267911

periodic(8) Scripts

The /etc/periodic/security/800.loginfail periodic(8) script has been refined to catch more authentication failures and reduce false positives. r263662

rc(8) Scripts

Support for "first boot" scripts has been added to rc(8). See rc(8) and rc.conf(5) for implementation details. r256917

The rc(8) system will now re-source rc.conf(5) on receipt of SIGALRM. r260432

Contributed Software

The readline(3) library has been updated to version 1.104. r255934

Sendmail has been updated to version 8.14.9. r266711

BIND has been updated to version 9.9.5. r262706 (Sponsored by DK Hostmaster A/S)

The xz(1) utility has been updated to a post-5.0.5 snapshot. r263286

OpenSSH has been updated to version 6.6p1. r263970

OpenSSL has been updated to version 0.9.8za. r267285

Ports and Packages

Important:

Note to FreeBSD desktop users: please read this section carefully, especially before upgrading ports that depend on Xorg.

In April 2014, the FreeBSD Ports collection switched to a newer version of Xorg that supports KMS (Kernel Mode Setting).

Users upgrading from earlier versions of FreeBSD 9.x or FreeBSD 8.x should be aware of several things regarding Xorg:

  • When applications are built from the FreeBSD Ports Collection or installed from the new_xorg pkg(8) repository, the newer, KMS-aware version of Xorg is used.

  • The KMS version of Xorg does not switch back to text mode after leaving the X desktop environment, and the system console will not be visible. The new vt(4) console driver supports graphic consoles and keeps the console visible after X has exited. The vt(4) driver must be compiled into the kernel. A VT kernel configuration example file is included in 9.3-RELEASE, but is not compiled or enabled by default. See vt(4) and the vt(4) wiki page for additional information.

  • Packages for KDE4 are not available in the default (latest) pkg(8) repository, but are available in the new_xorg repository. See the announcement email for details on how to use the new_xorg repository.

    The older Xorg that does not support KMS can still be installed from the latest upstream pkg(8) repository and the packages included on the 9.3-RELEASE DVD.

    However, it is important to note that some newer applications require the newer Xorg, and will not work with the old version. The newer Xorg is recommended, and should be used unless it is not compatible with legacy graphics cards.

    To continue using the old version of Xorg when building from the FreeBSD Ports Collection, set WITHOUT_NEW_XORG=yes in make.conf(5).

Release Engineering and Integration

As part of the release build, the etcupdate(8) utility will bootstrap the system, allowing etcupdate(8) to work after the first upgrade of a system. r260891

The release.sh script and release Makefile have been updated to use pkg(7) to populate the DVD installation medium. r262879 (Sponsored by The FreeBSD Foundation)

The services.mkdb(8) utility has been updated to support multiple byte orders. Similar to cap_mkdb(1), the services.db will be created with proper endianness as part of cross-architecture release builds. r263028

Upgrading from Previous Releases of FreeBSD

Upgrading Using freebsd-update(8) or a Source-Based Procedure

[amd64,i386] Binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the freebsd-update(8) utility. The binary upgrade procedure will update unmodified userland utilities, as well as an unmodified GENERIC kernel, distributed as a part of an official FreeBSD release. The freebsd-update(8) utility requires that the host being upgraded have Internet connectivity.

Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported according to the instructions in /usr/src/UPDATING.

For more specific information about upgrading instructions, see FreeBSD 9.3-RELEASE Installation Instructions.

Important:

Upgrading FreeBSD should only be attempted after backing up all data and configuration files.

User-Visible Incompatibilities

FreeBSD 9.0 and later versions have several configuration incompatibilities with earlier versions of FreeBSD. These differences are best understood before upgrading. Please read this section and the Upgrading Section in 9.0-RELEASE Release Notes carefully before submitting a problem report and/or posting a question to the FreeBSD mailing lists.