diff --git a/website/content/en/releases/13.0R/relnotes.adoc b/website/content/en/releases/13.0R/relnotes.adoc index 046186e239..d39a8b433f 100644 --- a/website/content/en/releases/13.0R/relnotes.adoc +++ b/website/content/en/releases/13.0R/relnotes.adoc 
@@ -1,728 +1,756 @@ --- title: "FreeBSD 13.0-RELEASE Release Notes" sidenav: download --- :releaseCurrent: 13.0-RELEASE :releaseBranch: 13-STABLE :releasePrev: 12.2-RELEASE :releaseNext: 13.1-RELEASE :releaseType: release include::shared/en/urls.adoc[] = FreeBSD {releaseCurrent} Release Notes :doctype: article :toc: macro :toclevels: 1 :icons: font == Abstract [.abstract-title] The release notes for FreeBSD {releaseCurrent} contain a summary of the changes made to the FreeBSD base system on the {releaseBranch} development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented. [[intro]] == Introduction This document contains the release notes for FreeBSD {releaseCurrent}. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD. The {releaseType} distribution to which these release notes apply represents the latest point along the {releaseBranch} development branch since {releaseBranch} was created. Information regarding pre-built, binary {releaseType} distributions along this branch can be found at https://www.FreeBSD.org/releases/[https://www.FreeBSD.org/releases/]. The {releaseType} distribution to which these release notes apply represents a point along the {releaseBranch} development branch between {releasePrev} and the future {releaseNext}. Information regarding pre-built, binary {releaseType} distributions along this branch can be found at https://www.FreeBSD.org/releases/[https://www.FreeBSD.org/releases/]. This distribution of FreeBSD {releaseCurrent} is a {releaseType} distribution. It can be found at https://www.FreeBSD.org/releases/[https://www.FreeBSD.org/releases/] or any of its mirrors. 
More information on obtaining this (or other) {releaseType} distributions of FreeBSD can be found in the link:{handbook}mirrors[Obtaining FreeBSD appendix] to the link:{handbook}[FreeBSD Handbook]. All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with "late-breaking" information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD {releaseCurrent} can be found on the FreeBSD Web site. This document describes the most user-visible new or changed features in FreeBSD since {releasePrev}. In general, changes described here are unique to the {releaseBranch} branch unless specifically marked as MERGED features. Typical release note items document recent security advisories issued after {releasePrev}, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements. [[upgrade]] == Upgrading from Previous Releases of FreeBSD Binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the man:freebsd-update[8] utility. The binary upgrade procedure will update unmodified userland utilities, as well as unmodified GENERIC kernels distributed as a part of an official FreeBSD release. The man:freebsd-update[8] utility requires that the host being upgraded have Internet connectivity. Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in [.filename]#/usr/src/UPDATING#. 
Upgrading powerpc64 systems from earlier FreeBSD Releases is NOT supported. Users need to reinstall, due to using new ABI. [IMPORTANT] ==== Upgrading FreeBSD should only be attempted after backing up _all_ data and configuration files. ==== [IMPORTANT] ==== Updating UEFI ESP partitions (the partition the firmware boots from) has changed. See <> for important details. ==== [[security-errata]] == Security and Errata This section lists the various Security Advisories and Errata Notices since {releasePrev}. [[security]] === Security Advisories [.informaltable] [cols="1,1,1", frame="none", options="header"] |=== | Advisory | Date | Topic -|No advisories. -| -| +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:03.pam_login_access.asc[FreeBSD-SA-21:03.pam_login_access] +| 24 February 2021 +| login.access fails to apply rules + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:04.jail_remove.asc[FreeBSD-SA-21:04.jail_remove] +| 24 February 2021 +| man:jail_remove[2] fails to kill all jailed processes + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:05.jail_chdir.asc[FreeBSD-SA-21:05.jail_chdir] +| 24 February 2021 +| man:jail_attach[2] relies on the caller to change the cwd + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:06.xen.asc[FreeBSD-SA-21:06.xen] +| 24 February 2021 +| Xen grant mapping error handling issues + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:07.openssl.asc[FreeBSD-SA-21:07.openssl] +| 25 March 2021 +| Multiple vulnerabilities in OpenSSL + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:08.vm.asc[FreeBSD-SA-21:08.vm] +| 6 April 2021 +| Memory disclosure by stale virtual memory mapping + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:09.accept_filter.asc[FreeBSD-SA-21:09.accept_filter] +| 6 April 2021 +| double free in man:accept_filter[9] socket configuration interface + +| 
link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:10.jail_mount.asc[FreeBSD-SA-21:10.jail_mount] +| 6 April 2021 +| jail escape possible by mounting over jail root |=== [[errata]] === Errata Notices [.informaltable] [cols="1,1,1", frame="none", options="header"] |=== | Errata | Date | Topic |No notices. | | |=== // Sample release notes entry. //The man:fsck_msdosfs[8] utility includes a variety of enhancements, including reducing the memory footprint, a new flag, `-M`, which disables the use of man:mmap[2], and others. gitref:9708ba9f29[repository=src] [[userland]] == Userland This section covers changes and additions to userland applications, contributed software, and system utilities. [[userland-config]] === Userland Configuration Changes man:rc.subr[8] now honors `${name}_env` in all man:rc[8] scripts. Previously, environment variables set by a user via `${name}_env` were ignored if the service defined a custom `*_cmd` variable to control the behavior of the `run_rc_command` function, for example, `start_cmd`, instead of relying on variables like `command` and `command_args`. gitref:d15e810db9a5[repository=src] man:init[8], man:service[8], and man:cron[8] will now adopt user/class environment variables by default (excluding `PATH`). Notably, environment variables for all cron jobs and man:rc[8] services can now be set via man:login.conf[5]. gitref:21c1a93c048f[repository=src], gitref:736a5a6d1dbb[repository=src], gitref:7466dbd68487[repository=src] The default config for man:newsyslog[8] will now only include files from the /etc/newsyslog.conf.d/ and /usr/local/etc/newsyslog.conf.d/ directories if the filename ends with ".conf" and does not begin with a "." character. This matches the man:syslog.conf[5] functionality, and also prevents ".sample" or ".pkgnew" files being included. gitref:9165316ff6bf[repository=src] The kernel now supports enforcing a W^X memory mapping policy for user processes. 
The policy is not enforced by default but can be enabled by setting the `kern.elf32.allow_wx` and `kern.elf64.allow_wx` sysctls to 0. Individual binaries can be exempted from the policy by man:elfctl[1] via the `wxneeded` feature. gitref:2e1c94aa1fd5[repository=src] {{< sponsored "The FreeBSD Foundation" >}} [[userland-programs]] === Userland Application Changes The man:calendar[1] utility again supports nested C pre-processor conditionals and now supports the C++ comment syntax in addition to the C syntax. gitref:19b5c307548[repository=src] The man:calendar[1] utility consistently prints dates according to the locale of the invoking user, not the possibly varying locales of included files. gitref:f1560bd080a[repository=src] The man:calendar[1] utility uses the correct paths for included files if invoked with the -a option. gitref:19b5c307548[repository=src] The man:calendar[1] utility no longer installs data files other than calendar.freebsd. The data files are now provided by the deskutils/calendar-data port. gitref:d20d6550187[repository=src] The man:daemon[8] utility now supports the `-H` flag to close and re-open the output file when SIGHUP is received. This permits rotation of the output file via man:newsyslog[8]. gitref:4cd407ec933[repository=src] The man:daemon[8] utility no longer blocks SIGTERM during the restart delay. gitref:09a3675d961[repository=src] The man:devd[8] utility now reports a `kernel` system event when the system resumes from sleep rather than a `kern` system event. gitref:f87655ec7694[repository=src] The man:diskinfo[8] utility now reports the physical device name GEOM attribute when available. gitref:b5961be1ab7[repository=src] Removed userland support for FreeBSD/i386 a.out executables. gitref:9bc6c7219a37[repository=src], gitref:50a40d091170[repository=src], gitref:0713c7b88cf0[repository=src] {{< sponsored "The FreeBSD Foundation" >}} Removed the man:elf2aout[1] utility. 
gitref:dd99ab06f360[repository=src] The man:freebsd-update[8] utility now displays progress for the "Fetching files..." stage. gitref:d6e1e31a0e6[repository=src] The man:freebsd-update[8] utility now supports the `-p` flag, which ensures password db changes are included in [.filename]#/etc/passwd# via man:pwd_mkdb[8]. gitref:9b6591109e8[repository=src] {{< sponsored "The FreeBSD Foundation" >}} The man:freebsd-update[8] utility now supports the `updatesready` and `showconfig` commands to check for updates and check the configuration respectively. gitref:8cfda118cbd[repository=src] The manual page for the man:freebsd-update[8] utility documents using the `PAGER` environment variable for non-interactive use. gitref:32f4592764d[repository=src] Removed the obsolete version of the GNU debugger that was installed to [.filename]#/usr/libexec# for use by man:crashinfo[8]. Detailed kernel crash information can be obtained by installing modern GDB from ports or packages. gitref:1c0ea326aa6d[repository=src] Removed the obsolete binutils 2.17 and man:gcc[1] 4.2.1 from the tree. All supported architectures now use the LLVM/clang toolchain. gitref:0ad202f312f6[repository=src], gitref:a04ec978b369[repository=src], gitref:57f804675e65[repository=src], gitref:90b9aa475e9e[repository=src] {{< sponsored "The FreeBSD Foundation" >}} Removed the GPL-licensed version of man:dtc[1]. The BSD-licensed version is now built and installed unconditionally. gitref:134b378392a8[repository=src] {{< sponsored "The FreeBSD Foundation" >}} The manual page for the man:gstat[8] utility now documents the use of interactive keyboard commands. gitref:cfaa2958dc4[repository=src] The manual page for the man:inetd[8] utility now includes an example of how to use netcat as an HTTP proxy. gitref:a58fc861516[repository=src] The manual page for the man:inetd[8] utility now includes comments for all examples. gitref:26a4a61a285[repository=src] Removed the man:ctm[1] utility. 
It is now provided by the `misc/ctm` port. gitref:385e98080cab[repository=src] The BSD version of man:grep[1] is now installed by default. The obsolete GNU version that was the previous default has been removed. gitref:8aff76fb37b5[repository=src], gitref:47d1ad2413da[repository=src] Removed the man:amd[8] automount daemon. Its functionality is provided by man:autofs[5]. gitref:13f7dbe822d5[repository=src] {{< sponsored "The FreeBSD Foundation" >}} [[userland-contrib]] === Contributed Software Replaced the man:bc[1] and man:dc[1] utilities with the version developed by Gavin D. Howard. The new versions do not depend on an external large number library, offer GNU bc extensions, are much faster than and fix POSIX compliance issues of the programs they replace. They support POSIX message catalogs and come with localized messages in Chinese, Dutch, English, French, German, Japanese, Polish, Portugueze, and Russian. The previous implementation is still available in FreeBSD-13 and can be selected instead of the new one by the build option `WITHOUT_GH_BC`. gitref:c41fef90a7d[repository=src] The clang, lld, and lldb utilities and compiler-rt, llvm, libunwind, and libc++ libraries have been updated to version 11.0.1. gitref:39b7445e15cd[repository=src] [[userland-deprecated-programs]] === Deprecated Applications [[userland-libraries]] === Runtime Libraries and API The new man:getlocalbase[3] function in libutil retrieves the LOCALBASE path in a standard way. gitref:30d21d27953[repository=src] Removed the man:cap_random[3] function as it has been superseded by man:getrandom[2]. gitref:a76f78dc3f43[repository=src] A new Linux-compatible man:copy_file_range[2] system call supports efficient file copies. In particular, this system call permits the kernel to request that an NFSv4.2 server perform a copy operation locally on the server. gitref:bbbbeca3e9a3[repository=src] The man:regex[3] function no longer accepts redundant escapes for most ordinary characters. 
This will cause applications such as man:sed[1] and man:grep[1] to reject regular expressions using these escapes. gitref:adeebf4cd47c[repository=src] New man:aio_readv[2] and man:aio_writev[2] system calls provide vectored analogues of man:aio_read[2] and man:aio_write[2]. gitref:022ca2fc7fe0[repository=src] powerpc64 switched to ELFv2 ABI at the same time it switched to LLVM. This brings us to a parity with modern Linux distributions. This also makes the binaries from previous FreeBSD versions incompatible with 13.0-RELEASE. Kernel still supports ELFv1, so jails and chroots using older FreeBSD versions are still compatible. gitref:e4399d169acc[repository=src] Removed CU-SeeMe support from man:libalias[3]. gitref:65a1d63665b[repository=src] [[kernel]] == Kernel This section covers changes to kernel configurations, system tuning, and system control parameters that are not otherwise categorized. [[kernel-general]] === General Kernel Changes Processes that attach to a man:jail[8] will now completely rebase their man:cpuset[1] onto the jail's cpuset. Notably, if a process had been assigned a numbered cpuset then it will be assigned a new numbered set that is the combination of CPUs allowed to the attaching process and the jail. Processes belonging to the superuser will implicitly widen their CPU mask as needed if they share no CPUs in common with the jail. Overhauled the in-kernel cryptographic framework to better support modern cryptographic algorithms as well as simplify the interface for both device drivers and framework consumers. gitref:c03414326909[repository=src] {{< sponsored "Chelsio Communications" >}} man:geli[8] now reports the use of accelerated software cryptography (such as AES-NI on x86 CPUs) as "accelerated software" rather than "hardware". This is purely a change in naming, and does not imply reduced performance or support. 
gitref:a3d565a1188f[repository=src] {{< sponsored "Chelsio Communications" >}} Removed support for Kerberos GSS algorithms deprecated by RFCs 6649 and 8429. gitref:dee3aa83d1b6[repository=src] {{< sponsored "Chelsio Communications" >}} Removed support for previously-deprecated algorithms in man:geli[8]. gitref:e2b9919398c3[repository=src] {{< sponsored "Chelsio Communications" >}} Removed support for IPsec algorithms deprecated by RFC 8221 as well as Triple DES. gitref:16aabb761c0a[repository=src] {{< sponsored "Chelsio Communications" >}} Removed support for previously-deprecated cryptographic algorithms from man:cryptodev[4] and the in-kernel cryptographic framework. gitref:6c80c319ef88[repository=src] {{< sponsored "Chelsio Communications" >}} Refactored the amd64 DMAR driver to provide a generic I/O MMU framework which can be used by other architectures. As part of this, renamed the amd64-specific `ACPI_DMAR` kernel option to `IOMMU`. gitref:6186bfbd1880[repository=src] {{< sponsored "DARPA" >}} {{< sponsored "AFRL" >}} Added a driver for the Arm System Memory Management Unit version 3.2 to the aarch64 architecture. The driver is enabled by the `IOMMU` kernel option. gitref:4cc8701067e1[repository=src] {{< sponsored "DARPA" >}} {{< sponsored "AFRL" >}} {{< sponsored "Innovate UK" >}} The GENERIC kernels for amd64 and i386 now include man:aesni[4] to support accelerated software cryptography for man:geli[8] by default. gitref:074a91f746bd[repository=src] The GENERIC kernel for aarch64 now includes man:armv8crypto[4] to support accelerated software cryptography for man:geli[8] by default. gitref:074a91f746bd[repository=src] Added Safe Memory Reclamation (SMR) to the kernel, a light weight variant of epoch reclamation closely coupled to man:uma[9]. This has been applied in parts of the VM subsystem and VFS layer to improve scalability on high core count systems. gitref:d4665eaa6638[repository=src] Removed support for procfs-based process debugging. 
gitref:59838c1a197[repository=src] Added the man:netgdb[4] facility, allowing the man:gdb[4] kernel debugger to be used over the network. gitref:dda17b3672f2[repository=src] Added the man:backlight[9] subsystem. gitref:675aae732d3[repository=src] {{< sponsored "The FreeBSD Foundation" >}} Added a CAM-Newbus SDIO support module. gitref:67ca7330cf3[repository=src] {{< sponsored "The FreeBSD Foundation" >}} [[drivers]] == Devices and Drivers This section covers changes and additions to devices and device drivers since {releasePrev}. [[drivers-device]] === Device Drivers Removed several network drivers for obsolete Ethernet adapters: * man:bm[4] BMAC gitref:9e774e53407b[repository=src] * man:cs[4] Crystal Semiconductor CS8900/CS8920 gitref:e1edf1240b33[repository=src] * man:de[4] DEC DC21x4x gitref:08ac01a92c88[repository=src] * man:ed[4] NE-2000 and WD-80x3 gitref:05aa6e583be3[repository=src] * man:ep[4] 3Com Etherlink III (3c5x9) ISA gitref:e153ee663af1[repository=src] * man:ex[4] Intel EtherExpress Pro/10 and Pro/10+ gitref:3ee01a13855b[repository=src] * man:fe[4] Fujitsu MB86960A/MB86965A gitref:dd262716a1e0[repository=src] * man:hme[4] Sun Microelectronics STP2002-STQ gitref:9ee99cec1f36[repository=src] * man:pcn[4] AMD PCnet gitref:607790d10fdb[repository=src] * man:sf[4] Starfire gitref:3b70dd81f56f[repository=src] * man:sn[4] SMC 91Cxx gitref:90089841deba[repository=src] * man:tl[4] Texas Instruments ThunderLAN gitref:7c897ca91fe1[repository=src] * man:tx[4] SMC 83c17x gitref:b1b1c2fe385c[repository=src] * man:txp[4] 3Com 3XP Typhoon/Sidewinder (3CR990) gitref:be345ff023d9[repository=src] * man:vx[4] 3Com EtherLink III / Fast EtherLink III (3c59x) PCI gitref:e8504bf9e7a0[repository=src] * man:wb[4] Winbond W89C840F gitref:02fae06a11b4[repository=src] * man:xe[4] Xircom PCMCIA gitref:7a582e5374c8[repository=src] The man:qat[4] driver has been added, supporting some of the cryptographic acceleration functions of the Intel QuickAssist (QAT) device. 
The man:qat[4] driver supports the QAT devices integrated with Atom C2000 and C3000 and Xeon C620 and D-1500 platforms, and the Intel QAT Adapter 8950. gitref:72143e89bb43[repository=src] {{< sponsored "Rubicon Communications, LLC (\"Netgate\")" >}} Removed the man:ubsec[4] driver for obsolete Broadcom BCM58xx crypto accelerators. gitref:97e251327f95[repository=src] {{< sponsored "Chelsio Communications" >}} Removed the deprecated man:ufm[4] driver for USB FM tuners. gitref:209d3fb41fe[repository=src] Removed the deprecated man:ctau[4] and man:cx[4] drivers. gitref:2733d8c96c6f[repository=src] {{< sponsored "The FreeBSD Foundation" >}} Removed the man:vpo[4] driver for parallel port SCSI adapters. gitref:51691e26d06[repository=src] A new man:safexcel[4] driver supports cryptographic requests via the EIP-97 packet processing module found on the ESPRESSObin. gitref:b356ddf07671[repository=src] {{< sponsored "Rubicon Communications, LLC" >}} A new man:usbhid[4] driver uses drivers from the man:hid[4] framework for USB HID devices instead of man:ukbd[4], man:ums[4], and man:uhid[4]. man:usbhid[4] is enabled by adding `hw.usb.usbhid.enable=1` to [.filename]#/boot/loader.conf# and adding `usbhid` to `kld_list=""` in [.filename]#/etc/rc.conf#. gitref:b62f6dfaed3d[repository=src] The suite of VirtIO device drivers now support the VirtIO V1 spec. This improves FreeBSD's compatibility as a guest operating system with various hypervisors and emulators including the ability to run on the link:https://wiki.qemu.org/images/4/4e/Q35.pdf[Q35 chipset] under QEMU. A new man:ossl[4] driver supports optimized software cryptography on aarch64, amd64, and i386 using assembly routines from OpenSSL. gitref:ba610be90a7c[repository=src] {{< sponsored "Netflix" >}}, gitref:22bd0c9731d7[repository=src] {{< sponsored "The FreeBSD Foundation" >}} The man:armv8crypto[4] driver which supports software cryptography on ARMv8 CPUs now supports AES-XTS which is used by man:geli[8]. 
gitref:4979620ece98[repository=src] The man:armv8crypto[4] driver now supports AES-GCM which is used by IPsec and kernel TLS. gitref:f76393a6305b6[repository=src] {{< sponsored "Ampere Computing" >}} man:ixl[4] was ported to powerpc64. gitref:c5568ba08741[repository=src] man:mrsas[4] was ported to powerpc64. gitref:e34a057ca6eb[repository=src] man:aacraid[4] was ported to powerpc64. gitref:d8c51c6f74b6[repository=src] man:virtio[4] was ported to powerpc64. gitref:f272c8de6e47[repository=src] man:hwpmc[4] gained support for POWER8 and POWER9. gitref:68dd71825601[repository=src] man:cpld[4] driver was written for powerpc64 and powerpcspe. gitref:2a05eb9f3c4b[repository=src], gitref:ccb1ebe01caa[repository=src] The man:cgem[4] ethernet driver now supports 64-bit physical addresses. gitref:facdd1cd2045[repository=src] Added the man:axp[4] driver, supporting the 10G ethernet controller found on AMD EPYC processors. gitref:7113afc84c0[repository=src] Added support for Intel Speed Shift to man:cpufreq[4]. gitref:4577cf3744b[repository=src] Added a driver for pwm-backlight compatible devices, such as the one found on the Pinebook and Pinebook Pro. gitref:38d94a4bc75[repository=src] {{< sponsored "The FreeBSD Foundation" >}} [[storage]] == Storage This section covers changes and additions to file systems and other storage subsystems, both local and networked. [[storage-general]] === General Storage For man:iscsi[4] and man:ctld[8], support for specifying network QoS in the form of DiffServ Codepoints (DSCP) and Ethernet Priority Code Point (PCP) was added. gitref:ddf1072aac49[repository=src] {{< sponsored "NetApp" >}} The man:ctld[8] utility now supports the `-t` flag to test the validity of configuration files. gitref:7fcbecd004f[repository=src] Removed the man:nand[4] device framework and man:nandfs[5] filesystem and associated utilities. gitref:f5a95d9a0794[repository=src] Removed the `GEOM_SCHED` class and accompanying man:gsched[8] tool. 
gitref:86c06ff8864[repository=src] man:gnop[8] can now apply configurable delays to read and write requests to simulate a slow disk. gitref:4f80c85519d5[repository=src] The kernel now provides a default implementation for the `SEEK_DATA` and `SEEK_HOLE` man:ioctl[2]'s for filesystems which do not support sparse files. gitref:2e1b32c0e3fc[repository=src] The NFS client and server now support NFSv4.2 (RFC 7862) and Extended Attributes (RFC 8276). gitref:c057a378180e[repository=src] Attempts to read a directory fail with `EISDIR` by default. The `-d skip` flags can be passed to man:grep[1] to suppress errors in stderr when non-recursively grepping a list that includes directories. gitref:dcef4f65ae39[repository=src] The NFS server now permits credentials specified via `-maproot` or `-mapall` in man:exports[5] to include more than 16 groups. gitref:cc5efdde94bf[repository=src] The NFS client and server now support NFS over TLS. The additional userland daemons are not built by default but can be enabled by building a new world that includes a KTLS-enabled OpenSSL via the `WITH_OPENSSL_KTLS` option. gitref:6e4b6ff88fde[repository=src], gitref:2c76eebca71b[repository=src], gitref:59f6f5e23c1a[repository=src] A new `nfsv4_server_only` variable can be set to `YES` in [.filename]#/etc/rc.conf# to only enable support for NFSv4. This avoids the need to run man:rpcbind[8] on an NFS server. gitref:4389a5661034[repository=src] Updated the man:fusefs[5] protocol to 7.28 along with adding support for `FUSE_COPY_FILE_RANGE` and `FUSE_LSEEK`. gitref:92bbfe1f0d1f[repository=src] The ZFS implementation is now provided by OpenZFS. gitref:9e5787d2284e[repository=src] {{< sponsored "iXsystems" >}} Added the man:pvscsi[4] driver, supporting the para-virtualized SCSI controller in VMWare products like ESXi. 
gitref:052e12a5084[repository=src] {{< sponsored "VMWare" >}} {{< sponsored "Panzura" >}} [[boot]] == Boot Loader Changes This section covers the boot loader, boot menu, and other boot-related changes. The man:efibootmgr[8] utility now supports the `-b` flag to specify an index of a specific boot entry to create or modify. gitref:a2581e80212[repository=src] {{< sponsored "Netflix" >}} The man:efibootmgr[8] utility now supports the `-E` flag to query which EFI System Partition was used to boot the system. gitref:1cdb8eb8fe1[repository=src] {{< sponsored "Netflix" >}} The man:efibootmgr[8] utility now supports the `-f` and `-F` flags to set or clear a request to boot to the UEFI user interface on the next boot. gitref:83c4237258d[repository=src] {{< sponsored "Ampere Computing, Inc." >}} Prior releases had a complete MS-DOS formatted filesystem packaged into [.filename]#/boot/boot1.efifat#. Older versions of FreeBSD installed this filesystem image into a raw partition. However, uses of the ESP have proliferated, making this inflexible approach no longer desirable. Users have varied needs for the size of this partition, and multiple booting setups require more detailed access. To update old ESP partitions, users should stop using the man:gpart[8] utility. Instead, ESP partitions should be mounted as MS-DOS filesystems as [.filename]#/boot/efi#, and [.filename]#/boot/loader.efi# should be copied to [.filename]#/boot/efi/efi/boot/bootx64.efi# if the default setup is used. If the man:efibootmgr[8] utility is used to customize the boot environment, this file should be copied to the location set with the `-l` flag. [[network]] == Networking This section describes changes that affect networking in FreeBSD. [[network-general]] === General Network A new type of man:mbuf[9] (network data buffer) can represent multiple, unmapped physical pages as a single buffer. This improves the performance of man:sendfile[2] by reducing the length of mbuf linked lists in socket buffers. 
gitref:82334850ea45[repository=src], gitref:cec06a3edc52[repository=src] {{< sponsored "Netflix" >}} The kernel now supports in-kernel framing and encryption of Transport Layer Security (TLS) data on TCP sockets for TLS versions 1.0 through 1.3. Transmit offload via in-kernel crypto drivers is supported for MtE cipher suites using AES-CBC as well as AEAD cipher suites using AES-GCM. Receive offload via in-kernel crypto drivers is supported for AES-GCM cipher suites for TLS 1.2. Using KTLS requires the use of a KTLS-aware userland SSL library. The OpenSSL library included in the base system does not enable KTLS support by default, but support can be enabled by building with the `WITH_OPENSSL_KTLS` option. gitref:b2e60773c6b0[repository=src], gitref:6554362c6640[repository=src], gitref:f1f934754638[repository=src], gitref:3c0e56850511[repository=src], gitref:c1c52cd57e88[repository=src] {{< sponsored "Netflix" >}} {{< sponsored "Chelsio Communications" >}} man:tcp[4] now supports Proportional Rate Reduction (as described by RFC6937) to improve SACK loss recovery during burst loss and ACK thinning scenarios. This feature is enabled by default. A new man:sysctl[8], `net.inet.tcp.do_prr`, can be set to `0` to restore the prior behavior. PRR should generally help improve loss recovery performance and prevent numerous preventable retransmit timeout (RTO) stalls. This surpasses the prior behavior, but a strictly packet conserving variant can be enabled. A misconfigured token bucket traffic policer can cause persistent loss even during loss recovery. In that case, activating the conservative PRR variant may prevent some retransmission timeouts (RTO) and associated session stalls for a few milliseconds while behaving less optimal in the general case. 
A new man:sysctl[8], `net.inet.tcp.do_prr_conservative`, can be set to `1` to enable strictly packet conserving behavior (at most 1 segment for each ACK received), while the normal variant may send up to 2 segments per received ACK - helping in cases of ACK thinning or significant burst loss events. gitref:0e1d7c25c5ab[repository=src] {{< sponsored "NetApp" >}} The man:cc_cubic[4] man:tcp[4] congestion control algorithm aligns more closely with the standard in RFC8312. gitref:40f9078ff9d9[repository=src] {{< sponsored "NetApp" >}} The amount of queued packets in for unresolved ARP/NDP entries has been increased to 16. gitref:0da3f8c98d17d9[repository=src] Stacked VLAN (802.1ad) support has been added. gitref:c7cffd65c5d8[repository=src]. The man:ping[8] utility now supports setting network QoS, with IP DSCP gitref:6034024daddb[repository=src] and Ethernet PCP gitref:81a6f4c7ae69[repository=src]. {{< sponsored "NetApp" >}} Merged the man:ping[8] and man:ping6[8] utilities. man:ping[8] supports both IPv4 and IPv6. A legacy man:ping6[8] is retained for backwards compatibility. gitref:3cde9171d2d5[repository=src] SCTP support is now available as a new [.filename]#sctp.ko# kernel module and is no longer compiled into GENERIC by default. gitref:e64080e79c53[repository=src] {{< sponsored "The FreeBSD Foundation" >}} [[network-routing]] == Routing FreeBSD 13 features a rewritten routing stack. It is based on the introduction of nexthops - objects holding all necessary state to pass a packet to the desired destination. gitref:a666325282ea[repository=src] Multipath routing support has been rewritten in more scalable fashion, featuring 64-wide multipath routes with O(1) lookup time. gitref:fedeb08b6a58[repository=src]. The `RADIX_MPATH` kernel option got replaced with `ROUTE_MPATH`, which is turned on by default. Additionally, the `net.route.multipath` sysctl has been added to control the feature in runtime. 
gitref:d1d941c5b910[repository=src], gitref:d5fe384b4d41[repository=src] Support for custom route lookup algorithms has been added. The framework decouples control-plane and data-plane, resulting in both faster lookups and better convergence times for large tables under load. gitref:f5baf8bb12f3[repository=src] DPDK librte-based IPv4/IPv6 route lookup algorithms has been added, optimising control-plane and data-plane for large routing tables. gitref:537d13437314[repository=src] Interface fib is now used for proxyarp checks. gitref:66bc03d41566[repository=src] Loopback route installation has been fixed for the interfaces in different fibs using the same prefix. gitref:9fdbf7eef5c0[repository=src] Number of fibs can now be changed at runtime by controlling `net.fibs` sysctl. gitref:f5247a232a33[repository=src] `net.add_addr_allfibs` sysctl default has been changed to 0. gitref:2d3982419593[repository=src] Temporal routes (routes with `-expire` time set) expiration have been for both IPv4 and IPv6. gitref:34a5582c47c7[repository=src] Duplicate routes installation issue for /32 or /128 interface aliases has been fixed. gitref:81728a538d24[repository=src] IPv6 interface routes are now marked with RTF_PINNED like their IPv4 counterparts. gitref:81728a538d24[repository=src] The {{< manpage "route" "8">}} network auto-guessing has been eliminated by removing remnants of classful behavior. gitref:d28210b2c2aa[repository=src] Sysctl `net.inet6.ip6.deembed_scopeid` , making it possible to disable IPv6 scope de-embedding, has been removed. gitref:bec053ffe01d[repository=src] [[hardware]] == Hardware Support This section covers general hardware support for physical machines, hypervisors, and virtualization environments, as well as hardware changes and updates that do not otherwise fit in other sections of this document. === AMD64 The amd64 architecture now supports Hygon Dhyana Family 18h processors. 
gitref:2ee49fac82fc[repository=src] The amd64 architecture now supports 57-bit virtual addresses (LA57) on supported CPUs. This permits user processes to use up to 56 bits of virtual address space. This also includes support for five layer nested page tables used by bhyve. gitref:9ce875d9b59d[repository=src] {{< sponsored "The FreeBSD Foundation" >}} [[ARM-ARM64]] === arm64 The 64-bit ARM architecture known as arm64 or AArch64 is promoted to Tier-1 status for FreeBSD 13. https://lists.freebsd.org/pipermail/freebsd-arm/2021-April/023602.html[Announcement] Added a driver for the Broadcom "GENET" ethernet driver found on the Raspberry Pi 4B. It was derived in part from NetBSD's version of the driver. gitref:2cd0c529781a[repository=src] Added support for using Address Space Identifiers (ASIDs) to the arm64 pmap. This improves TLB utilization for some workloads. gitref:50e3ab6bcf8c[repository=src] The man:linux[4] ABI compatibility layer is now enabled by default. gitref:6659d8e7c26[repository=src] {{< sponsored "The FreeBSD Foundation" >}} Added support for the man:gdb[4] kernel debugger. gitref:bbfa199cbc16[repository=src] {{< sponsored "The FreeBSD Foundation" >}} Added support for building ISO installer images. gitref:6dadc5d1cdec[repository=src] {{< sponsored "The FreeBSD Foundation" >}} Added SD card configuration files for the Rock64 and RockPro64. gitref:b407a449ac4c[repository=src] gitref:0edb2e1d0caa[repository=src] === ARMv5 Removed support for version 5 of the 32-bit ARM architecture. Building for `TARGET=arm` now defaults to a `TARGET_ARCH` of `armv7`. gitref:eb4977bd0fb2[repository=src] === Allwinner The aw_gpio driver now suppots GPIO interrupts. gitref:0fe5379c6a9[repository=src] A new aw_pwm driver supports Pulse Width Modulation (PWM) hardware on Allwinner boards. PWM channels can be configured with man:pwm[8]. gitref:277a038d0da[repository=src] The AXP803/AXP813 drivers now report battery sensor information. 
gitref:66bddb4c701[repository=src] Audio now works on H3/H5 SoCs. gitref:bfcf888a87a[repository=src] Infrared receiver now works on the H3 SoC. gitref:012fba460ac[repository=src] USB DRD now works on multiple Allwinner SoCs. This means that some USB ports can be used as peripherals. gitref:aea49d9fed9[repository=src] === RockChip A new rk_pwm driver supports PWM hardware on the RK3399. PWM channels can be configured with man:pwm[8]. gitref:bcd380e88b2[repository=src] External PCI-express adapters are now supports for the RK3399 SoC. gitref:dfd1d0fcabe[repository=src] USB3 found in RK3328 and RK3399 is now supported. gitref:7d888a5b2be[repository=src] if_dwc now supports flow control. gitref:2b4a66ed171[repository=src] if_dwc now supports checksum offloading. gitref:98ea5a7b9a1[repository=src] === POWER All powerpc architectures switched to LLVM and are currently mostly similar to amd64 toolchain-wise. gitref:678da4a27447[repository=src] powerpc (32-bit) switched to Secure-PLT. gitref:e861dab45186[repository=src] powerpc64le (64-bit little endian port) was introduced, targeting POWER8 and newer processors. gitref:b75abea4d087[repository=src] Radix MMU support for powerpc64 and powerpc64le (experimental, disabled by default). gitref:65bbba25d214[repository=src] Superpages support for powerpc64 and powerpc64le (experimental, disabled by default). gitref:e2d6c417e303[repository=src] LinuxKPI support. gitref:937a05ba81c3[repository=src] Support QEMU/KVM pseries without hugepages. gitref:b934fc74683b[repository=src] Support for handling kernel minidumps. gitref:d3c34fc0f473[repository=src] Optimized memcpy, memmove, bcopy, strncpy and strcpy. gitref:e16c18650cdc[repository=src], gitref:181e35008cfb[repository=src], gitref:075fb85f0904[repository=src] XIVE interrupt controller driver for POWER9, which improves performance by about 10%. gitref:d49fc192c141[repository=src] Converting pmap drivers to ifunc improved performance by about 20%. 
gitref:45b69dd63[repository=src] Plenty of stability fixes, which fix many kernel panics. Plenty of other performance improvements - performance during bulk -a package building is at least 60% higher. === Sparc Removed support for the `sparc64` architecture (SPARC 9). gitref:58aa35d42975[repository=src] [[hardware-virtualization]] === Virtualization Support The man:bhyve[8] utility supports additional COM3 and COM4 serial ports. gitref:eed1cc6cdfa[repository=src] Removed the deprecated bvmconsole and bvmdebug device models from man:bhyve[8] and the associated kernel device drivers for FreeBSD guests. gitref:c4df8cbfde5[repository=src] The man:bhyve[8] utility works reliably with more VNC clients including the macOS "Screen Sharing" application. gitref:2bb4be0f865[repository=src] The man:bhyve[8] utility now supports VirtIO-9p (aka VirtFS) filesystem sharing. gitref:100353cfbf8[repository=src] {{< sponsored "Conclusive Engineering (development), vStack.com (funding)" >}} The man:bhyve[8] utility now supports virtual machine snapshots. This feature is still in active development and is not yet enabled by default. gitref:483d953a86a[repository=src] {{< sponsored "University Politehnica of Bucharest, Matthew Grooms (student scholarships), iXsystems" >}} The man:bhyve[8] utility now supports a VM Generation Counter ACPI device. gitref:9cb339cc7b8[repository=src] The man:bhyve[8] utility now supports PCI HDAudio devices. gitref:7e3c7420615[repository=src] [[ports]] == Ports Collection and Package Infrastructure This section covers changes to the FreeBSD Ports Collection, package infrastructure, and package maintenance and installation tools. [[ports-packages]] === Packaging Changes [[future-releases]] == General Notes Regarding Future FreeBSD Releases [[future-releases-cputype]] === Default `CPUTYPE` Change The default `CPUTYPE` for the i386 architecture is now `686` (instead of `486`). 
This means that binaries require a 686-class CPU by default including, but not limited to, binaries provided by the FreeBSD Release Engineering team. The FreeBSD 13.0 code base continues to support older CPUs. Users who need to run on 486- or 586-class CPUs need to build their own releases. As the embedded market is the primary user of cores based on i486 and i586, end-user impact is expected to be minimal. Most embedded systems have custom builds already. Although some minor adjustments will be necessary, it will be on par with the effort required to move between major versions. Server and desktop machines based on these CPU types are generally over 20 years old. Most have been retired or are too resource poor to make FreeBSD 13.0 an attractive upgrade. There were several factors taken into account for this change. Most applications need 64-bit atomics for proper operation. While those operations can be emulated in the kernel on i486, they cannot be emulated in userland. Updating the default allows compiler generated code to select the right atomics in those cases, allow better optimizations and produce better error messages when necessary. The older library and/or include file approaches are much less optimal in resulting code and diagnostics. Current compiler technology produces better, faster, and/or smaller binaries for i686 than for i486. Several bugs in compiler support for i486 code generation attest to its lesser use in the wider ecosystem. In the wider ecosystem, i686 has been the default for many years so has received more testing and more optimization. Finally, the 32-bit amd64 libraries have been i686 since their inception. These factors strongly suggest that a i686 default will provide such an improved enough user experience to offset the minor pain for those few users of the older technology. 
As the majority of 32-bit testing is done by developers using the lib32 libraries on 64-bit hardware with the `COMPAT_FREEBSD32` option in the kernel, this change ensures better coverage and user experience. This also aligns with what the majority of Linux(R) distributions have been doing for quite some time. This is expected to be the final bump of the default `CPUTYPE` in i386. diff --git a/website/content/en/releases/13.1R/errata.adoc b/website/content/en/releases/13.1R/errata.adoc index b153493574..e09bb8f309 100644 --- a/website/content/en/releases/13.1R/errata.adoc +++ b/website/content/en/releases/13.1R/errata.adoc 
@@ -1,97 +1,98 @@ --- title: "FreeBSD 13.1-RELEASE Errata" sidenav: download --- :release: 13.1-RELEASE :releaseNext: 13.2-RELEASE :releaseBranch: 13-STABLE = FreeBSD {release} Errata == Abstract This document lists errata items for FreeBSD {release}, containing significant information discovered after the release or too late in the release cycle to be otherwise included in the release documentation. This information includes security advisories, as well as news relating to the software or documentation that could affect its operation or usability. An up-to-date version of this document should always be consulted before installing this version of FreeBSD. This errata document for FreeBSD {release} will be maintained until the release of FreeBSD {releaseNext}. == Table of Contents * <> * <> * <> * <> * <> [[intro]] == Introduction This errata document contains "late-breaking news" about FreeBSD {release}. Before installing this version, it is important to consult this document to learn about any post-release discoveries or problems that may already have been found and fixed. Any version of this errata document actually distributed with the release (for example, on a CDROM distribution) will be out of date by definition, but other copies are kept updated on the Internet and should be consulted as the "current errata" for this release. These other copies of the errata are located at https://www.FreeBSD.org/releases/, plus any sites which keep up-to-date mirrors of this location. Source and binary snapshots of FreeBSD {releaseBranch} also contain up-to-date copies of this document (as of the time of the snapshot). For a list of all FreeBSD CERT security advisories, see https://www.FreeBSD.org/security/. 
[[security]] == Security Advisories [width="100%",cols="40%,30%,30%",options="header",] |=== |Advisory |Date |Topic |link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:09.elf.asc[FreeBSD-SA-22:09.elf] |9 August 2022 |Out of bound read in elf_note_prpsinfo() +|link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:10.aio.asc[FreeBSD-SA-22:10.aio] |9 August 2022 |AIO credential reference count leak |link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:11.vm.asc[FreeBSD-SA-22:11.vm] |9 August 2022 |Memory disclosure by stale virtual memory mapping |link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:12.lib9p.asc[FreeBSD-SA-22:12.lib9p] |9 August 2022 |Missing bounds check in 9p message handling |link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:13.zlib.asc[FreeBSD-SA-22:13.zlib] |30 August 2022 |zlib heap buffer overflow |link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:14.heimdal.asc[FreeBSD-SA-22:14.heimdal] |29 November 2022 (revised)|Multiple vulnerabilities in Heimdal |link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:15.ping.asc[FreeBSD-SA-22:15.ping] |29 November 2022 |Stack overflow in ping(8) |link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:01.geli.asc[FreeBSD-SA-23:01.geli] |8 February 2023 |GELI silently omits the keyfile if read from stdin |link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:03.openssl.asc[FreeBSD-SA-23:03.openssl] |16 February 2023 |Multiple vulnerabilities in OpenSSL |link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:04.pam_krb5.asc[FreeBSD-SA-23:04.pam_krb5] |21 June 2023 |Network authentication attack via pam_krb5 |link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:06.ipv6.asc[FreeBSD-SA-23:06.ipv6] |1 August 2023 |Remote denial of service in IPv6 fragment reassembly |link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:07.bhyve.asc[FreeBSD-SA-23:07.bhyve] |1 August 2023 |bhyve privileged guest 
escape via fwctl |link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:08.ssh.asc[FreeBSD-SA-23:08.ssh] |1 August 2023 |Potential remote code execution via ssh-agent forwarding |link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:09.pam_krb5.asc[FreeBSD-SA-23:09.pam_krb5] |1 August 2023 |Network authentication attack via pam_krb5 |=== [[errata]] == Errata Notices [width="100%",cols="40%,30%,30%",options="header",] |=== |Errata |Date |Topic |link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:16.kqueue.asc[FreeBSD-EN-22:16.kqueue] |9 August 2022 |kevent(2) timers fire too often |link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:17.cam.asc[FreeBSD-EN-22:17.cam] |9 August 2022 |Kernel memory corruption during SCSI error recovery |link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:19.pam_exec.asc[FreeBSD-EN-22:19.pam_exec] |9 August 2022 |NULL pointer dereference in pam_exec(8) |link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:20.tzdata.asc[FreeBSD-EN-22:20.tzdata] |30 August 2022 |Timezone database information update |link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:21.zfs.asc[FreeBSD-EN-22:21.zfs] |1 November 2022 |ZFS B-Tree use-after-free |link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:22.tzdata.asc[FreeBSD-EN-22:22.tzdata] |1 November 2022 |Timezone database information update |link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:23.vm.asc[FreeBSD-EN-22:23.vm] |1 November 2022 |Memory pages become unreclaimable |link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:24.zfs.asc[FreeBSD-EN-22:24.zfs] |1 November 2022 |ZFS snapshot directories not accessible over NFS |link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:25.tcp.asc[FreeBSD-EN-22:25.tcp] |1 November 2022 |Possible data corruption with TCP SACK retransmissions |link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:26.cam.asc[FreeBSD-EN-22:26.cam] |1 November 2022 |CAM 
ioctl(2) compatibility breakage |link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:27.loader.asc[FreeBSD-EN-22:27.loader] |1 November 2022 |UEFI loader failing to boot older amd64 kernels |link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:28.heimdal.asc[FreeBSD-EN-22:28.heimdal] |29 November 2022 |Regression in Heimdal KDC |link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:01.tzdata.asc[FreeBSD-EN-23:01.tzdata] |8 February 2023 |Timezone database information update |link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:02.sdhci.asc[FreeBSD-EN-23:02.sdhci] |8 February 2023 |sdhci(4) broken write-protect settings |link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:03.ena.asc[FreeBSD-EN-23:03.ena] |8 February 2023 |ena driver crash after reset in 7th gen AWS instance types |link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:04.ixgbe.asc[FreeBSD-EN-23:04.ixgbe] |8 February 2023 |ixgbe incorrectly reports input errors for 82599ES |link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:05.tzdata.asc[FreeBSD-EN-23:05.tzdata] |21 June 2023 |Timezone database information update |link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:06.loader.asc[FreeBSD-EN-23:06.loader] |21 June 2023 |x86 kernel console configuration |link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:07.mpr.asc[FreeBSD-EN-23:07.mpr] |21 June 2023 |mpr(4) may fail to initialize devices |=== [[open-issues]] == Open Issues No open issues. [[late-news]] == Late-Breaking News [2022-07-12] A late issue was discovered with RISCV virtual machine images, wherein the images produced would result in a zero-byte file. As such, the images have been removed. diff --git a/website/content/en/releases/13.1R/relnotes.adoc b/website/content/en/releases/13.1R/relnotes.adoc index c2171e970c..5103717230 100644 --- a/website/content/en/releases/13.1R/relnotes.adoc +++ b/website/content/en/releases/13.1R/relnotes.adoc 
@@ -1,435 +1,628 @@ --- title: "FreeBSD 13.1-RELEASE Release Notes" sidenav: download --- :releaseCurrent: 13.1-RELEASE :releaseBranch: 13-STABLE :releasePrev: 13.0-RELEASE :releaseNext: 13.2-RELEASE :releaseType: release include::shared/en/urls.adoc[] = FreeBSD {releaseCurrent} Release Notes :doctype: article :toc: macro :toclevels: 1 :icons: font == Abstract [.abstract-title] The release notes for FreeBSD {releaseCurrent} contain a summary of the changes made to the FreeBSD base system on the {releaseBranch} development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented. [[intro]] == Introduction This document contains the release notes for FreeBSD {releaseCurrent}. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD. The {releaseType} distribution to which these release notes apply represents the latest point along the {releaseBranch} development branch since {releaseBranch} was created. Information regarding pre-built, binary {releaseType} distributions along this branch can be found at https://www.FreeBSD.org/releases/[https://www.FreeBSD.org/releases/]. The {releaseType} distribution to which these release notes apply represents a point along the {releaseBranch} development branch between {releasePrev} and the future {releaseNext}. Information regarding pre-built, binary {releaseType} distributions along this branch can be found at https://www.FreeBSD.org/releases/[https://www.FreeBSD.org/releases/]. This distribution of FreeBSD {releaseCurrent} is a {releaseType} distribution. It can be found at https://www.FreeBSD.org/releases/[https://www.FreeBSD.org/releases/] or any of its mirrors. 
More information on obtaining this (or other) {releaseType} distributions of FreeBSD can be found in the link:{handbook}mirrors[Obtaining FreeBSD appendix] to the link:{handbook}[FreeBSD Handbook]. All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with "late-breaking" information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD {releaseCurrent} can be found on the FreeBSD Web site. This document describes the most user-visible new or changed features in FreeBSD since {releasePrev}. In general, changes described here are unique to the {releaseBranch} branch unless specifically marked as MERGED features. Typical release note items document recent security advisories issued after {releasePrev}, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements. [[upgrade]] == Upgrading from Previous Releases of FreeBSD Binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the man:freebsd-update[8] utility. The binary upgrade procedure will update unmodified userland utilities, as well as unmodified GENERIC kernels distributed as a part of an official FreeBSD release. The man:freebsd-update[8] utility requires that the host being upgraded have Internet connectivity. Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in [.filename]#/usr/src/UPDATING#. 
Users of all powerpc architectures, after successful kernel and world installation, will need to run manually "kldxref /boot/kernel". [IMPORTANT] ==== Upgrading FreeBSD should only be attempted after backing up _all_ data and configuration files. ==== [IMPORTANT] ==== After upgrading, sshd (from OpenSSH 8.8p1) will not accept new connections until it is restarted. After installing the new userland, either reboot (as specified in the source update procedure), or execute `service sshd restart`. ==== -//// -XXX: gjb will fill this in just before the release is final [[security-errata]] == Security and Errata This section lists the various Security Advisories and Errata Notices since {releasePrev}. [[security]] === Security Advisories [width="100%",cols="40%,30%,30%",options="header",] |=== |Advisory |Date |Topic -|link:https://www.freebsd.org/security/advisories/FreeBSD-SA-20:31.icmp6.asc[FreeBSD-SA-20:31.icmp6] |1 December 2020 |Use-after-free in error message handling + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:03.pam_login_access.asc[FreeBSD-SA-21:03.pam_login_access] +| 24 February 2021 +| login.access fails to apply rules + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:04.jail_remove.asc[FreeBSD-SA-21:04.jail_remove] +| 24 February 2021 +| man:jail_remove[2] fails to kill all jailed processes + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:05.jail_chdir.asc[FreeBSD-SA-21:05.jail_chdir] +| 24 February 2021 +| man:jail_attach[2] relies on the caller to change the cwd + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:06.xen.asc[FreeBSD-SA-21:06.xen] +| 24 February 2021 +| Xen grant mapping error handling issues + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:08.vm.asc[FreeBSD-SA-21:08.vm] +| 6 April 2021 +| Memory disclosure by stale virtual memory mapping + +| 
link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:09.accept_filter.asc[FreeBSD-SA-21:09.accept_filter] +| 6 April 2021 +| double free in man:accept_filter[9] socket configuration interface + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:10.jail_mount.asc[FreeBSD-SA-21:10.jail_mount] +| 6 April 2021 +| jail escape possible by mounting over jail root + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:11.smap.asc[FreeBSD-SA-21:11.smap] +| 26 May 2021 +| SMAP bypass + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:12.libradius.asc[FreeBSD-SA-21:12.libradius] +| 26 May 2021 +| Missing message validation in man:libradius[3] + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:13.bhyve.asc[FreeBSD-SA-21:13.bhyve] +| 24 August 2021 +| Missing error handling in man:bhyve[8] device models + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:14.ggatec.asc[FreeBSD-SA-21:14.ggatec] +| 24 August 2021 +| Remote code execution in man:ggatec[8] + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:15.libfetch.asc[FreeBSD-SA-21:15.libfetch] +| 24 August 2021 +| libfetch out of bounds read + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:16.openssl.asc[FreeBSD-SA-21:16.openssl] +| 24 August 2021 +| Multiple OpenSSL vulnerabilities + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:01.vt.asc[FreeBSD-SA-22:01.vt] +| 11 January 2022 +| vt console buffer overflow + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:02.wifi.asc[FreeBSD-SA-22:02.wifi] +| 15 March 2022 +| Multiple WiFi issues + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:03.openssl.asc[FreeBSD-SA-22:03.openssl] +| 15 March 2022 +| OpenSSL certificate parsing infinite loop + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:04.netmap.asc[FreeBSD-SA-22:04.netmap] +| 6 April 2022 +| Potential jail escape vulnerabilities in 
netmap + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:05.bhyve.asc[FreeBSD-SA-22:05.bhyve] +| 6 April 2022 +| Bhyve e82545 device emulation out-of-bounds write + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:06.ioctl.asc[FreeBSD-SA-22:06.ioctl] +| 6 April 2022 +| mpr/mps/mpt driver ioctl heap out-of-bounds write + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:07.wifi_meshid.asc[FreeBSD-SA-22:07.wifi_meshid] +| 6 April 2022 +| 802.11 heap buffer overflow + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:08.zlib.asc[FreeBSD-SA-22:08.zlib] +| 6 April 2022 +| zlib compression out-of-bounds write + |=== [[errata]] === Errata Notices [width="100%",cols="40%,30%,30%",options="header",] |=== |Errata |Date |Topic -|link:https://www.freebsd.org/security/advisories/FreeBSD-EN-20:19.audit.asc[FreeBSD-EN-20:19.audit] |1 December 2020 |execve/fexecve system call auditing + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-21:12.divert.asc[FreeBSD-EN-21:12.divert] +| 26 May 2021 +| Kernel double free when transmitting on a divert socket + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-21:13.mpt.asc[FreeBSD-EN-21:13.mpt] +| 26 May 2021 +| man:mpt[4] I/O errors with a large maxphys value + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-21:14.pms.asc[FreeBSD-EN-21:14.pms] +| 26 May 2021 +| man:pms[4] data corruption + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-21:15.virtio.asc[FreeBSD-EN-21:15.virtio] +| 26 May 2021 +| man:virtio[4] device probing fails + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-21:16.bc.asc[FreeBSD-EN-21:16.bc] +| 26 May 2021 +| dc update + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-21:17.libradius.asc[FreeBSD-EN-21:17.libradius] +| 1 June 2021 +| Incorrect validation in man:rad_get_attr[3] + +| 
link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-21:18.libc%2B%2B.asc[FreeBSD-EN-21:18.libc++] +| 29 June 2021 +| Missing {cpp}20 headers in lib{cpp} + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-21:19.libcasper.asc[FreeBSD-EN-21:19.libcasper] +| 29 June 2021 +| libcasper assertion failure + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-21:20.vlan.asc[FreeBSD-EN-21:20.vlan] +| 29 June 2021 +| Missing backwards compatibility in man:vlan[4] + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-21:21.ipfw.asc[FreeBSD-EN-21:21.ipfw] +| 29 June 2021 +| Kernel panic with ipfw link-layer filtering enabled + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-21:22.linux_futex.asc[FreeBSD-EN-21:22.linux_futex] +| 29 June 2021 +| Linux compatibility layer man:futex[2] system call vulnerability + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-21:23.virtio_blk.asc[FreeBSD-EN-21:23.virtio_blk] +| 24 August 2021 +| man:virtio_blk[4] fails to attach on some hypervisors + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-21:24.libcrypto.asc[FreeBSD-EN-21:24.libcrypto] +| 24 August 2021 +| OpenSSL 1.1.1e API functions not exported + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-21:25.bhyve.asc[FreeBSD-EN-21:25.bhyve] +| 24 August 2021 +| Fix NVMe iovec construction for large IOs + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-21:26.libevent.asc[FreeBSD-EN-21:26.libevent] +| 3 November 2021 +| libevent1 ABI breakage + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-21:27.caroot.asc[FreeBSD-EN-21:27.caroot] +| 3 November 2021 +| Root certificate bundle update + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-21:28.vmci.asc[FreeBSD-EN-21:28.vmci] +| 3 November 2021 +| Fix kernel panic in vmci driver initialization + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-21:29.tzdata.asc[FreeBSD-EN-21:29.tzdata] +| 3 
November 2021 +| Timezone database information update + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:01.fsck_ffs.asc[FreeBSD-EN-22:01.fsck_ffs] +| 11 January 2022 +| fsck_ffs fails to correct certain errors + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:02.xsave.asc[FreeBSD-EN-22:02.xsave] +| 11 January 2022 +| Incorrect XSAVE state size + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:03.hyperv.asc[FreeBSD-EN-22:03.hyperv] +| 11 January 2022 +| vPCI compatibility improvements with certain Hyper-V releases + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:05.tail.asc[FreeBSD-EN-22:05.tail] +| 11 January 2022 +| tail -F fails to follow some types of log rotation + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:06.libalias.asc[FreeBSD-EN-22:06.libalias] +| 11 January 2022 +| Incorrect fragmented IPv4 packet handling in libalias + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:07.la57.asc[FreeBSD-EN-22:07.la57] +| 1 February 2022 +| Intel CPU LA57 boot failure + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:10.zfs.asc[FreeBSD-EN-22:10.zfs] +| 15 March 2022 +| ZFS writes fail to update file size + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:11.zfs.asc[FreeBSD-EN-22:11.zfs] +| 15 March 2022 +| ZFS man:lseek[2] inconsistencies + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:12.zfs.asc[FreeBSD-EN-22:12.zfs] +| 15 March 2022 +| ZFS panic upon concurrent 'zfs list' calls + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:14.tzdata.asc[FreeBSD-EN-22:14.tzdata] +| 22 March 2022 +| Timezone database information update + |=== -//// [[userland]] == Userland This section covers changes and additions to userland applications, contributed software, and system utilities. 
[[userland-config]] === Userland Configuration Changes // SAMPLE ENTRY: // A new man:rc.conf[5] variable has been added, `linux_mounts_enable`, which controls if Linux(R)-specific filesystems are mounted in [.filename]#/compat/linux# if `linux_enable` is set to `YES`. {{< revision "364883" >}} (Sponsored by The FreeBSD Foundation) The `-i` flag is now added to man:rtsol[8] and man:rtsold[8] by default in `/etc/defaults/rc.conf`. gitref:a0fc5094bf4c[repository=src] (Sponsored by https://www.patreon.com/cperciva[https://www.patreon.com/cperciva]) [[userland-programs]] === Userland Application Changes The `-i` option has been added to man:rtsol[8] and man:rtsold[8] to disable the random delay between zero and one seconds, speeding up the boot process. gitref:8056b73ea163[repository=src] (Sponsored by https://www.patreon.com/cperciva[https://www.patreon.com/cperciva]) For 64-bit architectures, the base system is now built with Position Independent Executable (PIE) support enabled by default. It may be disabled using the `WITHOUT_PIE` knob. A clean build is required. gitref:396e9f259d96[repository=src] There is a new `zfskeys` man:rc[8] service script, which allows for automatic decryption of ZFS datasets encrypted with ZFS native encryption during boot. See the man:rc.conf[5] manual page for more information. gitref:33ff39796ffe[repository=src], gitref:8719e8a951b7[repository=src] (Sponsored by Modirum and Klara Inc.) The NVMe emulation in man:bhyve[8] has been upgraded to version 1.4 of the NVMe specification. gitref:b7a2cf0d9102[repository=src] - gitref:eae02d959363[repository=src] NVMe iovec construction for large IOs in man:bhyve[8] has been fixed. The problem was exposed by the UEFI driver included with Rocky Linux 8.4. gitref:a7761d19dacd[repository=src] Extra Alt Gr mappings for Brazillian Portuguese ABNT2 keyboards were added. 
gitref:310623908c20[repository=src] The `chroot` facility now supports unprivileged operation, and the man:chroot[8] program now has a `-n` option to enable its use. gitref:460b4b550dc9[repository=src] (Sponsored by EPSRC) The CAM library has been modified to use man:realpath[3] on device names before parsing them, which allows tools such as man:camcontrol[8] and man:smartctl[8] to be friendlier when symlinks are in use. gitref:e32acf95ea25[repository=src] man:md5sum[1] and similar message-digest programs compatible with those on Linux were added by having the corresponding BSD programs run with the `-r` option if the program name ends in `sum`. gitref:c0d5665be0dc[repository=src] (Sponsored by Netflix) man:svnlite[1] is disabled in the build by default. gitref:a4f99b3c2384[repository=src] man:mpsutil[8] has been extended to show adapter information and to control NCQ. gitref:395bc3598b47[repository=src] Problems after downloading firmware to a device using man:camcontrol[8] were fixed by forcing a rescan of the LUN after the firmware download. gitref:327da43602cc[repository=src] (Sponsored by Netflix) A new mode has been added to the scripted partition editor for variant disk names in man:bsdinstall[8]. If the disk parameter `DEFAULT` is set in place of an actual device name, or no disk is specified for the `PARTITIONS` parameter, the installer will follow the logic used in the automatic-partitioning mode, in which it will either provide a selection dialog for one of several disks if several are present or automatically select it if there is only one. This simplifies the creation of fully-automatic installation media for hardware or VMs with varying disk names. gitref:5ec4eb443e81[repository=src] [[userland-contrib]] === Contributed Software Building of LLDB has been enabled on all powerpc architectures. gitref:cb1bee9bd34[repository=src] One True Awk has been updated to the latest from upstream (20210215). 
All the FreeBSD patches but one have now been either upstreamed or discarded. Notable changes include: * Locale is no longer used for ranges * Various bugs fixed * Better compatibility with `gawk` and `mawk` The one remaining FreeBSD change, likely to be removed in FreeBSD 14, is that we still allow hex numbers, prefixed with `0x`, to be parsed and interpreted as hex numbers, while all other awks (now including One True Awk) interpret them as `0`, in line with awk's historic behavior. `zlib` has been upgraded to version 1.2.12. `libarchive` has been upgraded to verion 3.6.0 with additional bug and security fixes from the upcoming patchlevel release. Release notes are available at https://github.com/libarchive/libarchive/releases[https://github.com/libarchive/libarchive/releases]. The `ssh` package has been updated to OpenSSH v8.8p1, including a security update and bug fixes. Other updates include these changes: * man:ssh[1]: When prompting whether to record a new host key, accept that key's fingerprint as a synonym for "yes." * man:ssh-keygen[1]: When acting as a CA and signing certificates with an RSA key, default to using the `rsa-sha2-512` signature algorithm. * man:ssh[1]: `UpdateHostkeys` is enabled by default, subject to some conservative preconditions. * man:scp[1]: The behavior of remote to remote copies (e.g. `scp host-a:/path host-b:`) has been changed to transfer through the local host by default. * man:scp[1] has experimental support for transfers using the SFTP protocol as a replacement for the venerable SCP/RCP protocol that it has traditionally used. The use of FIDO/U2F hardware authenticators has been enabled in `ssh`, using the new public key types `ecdsa-sk` and `ed25519-sk`, along with corresponding certificate types. FIDO/U2F support is described in https://www.openssh.com/txt/release-8.2[https://www.openssh.com/txt/release-8.2]. 
gitref:a613d68fff9a[repository=src] (Sponsored by The FreeBSD Foundation) [[userland-libraries]] === Runtime Libraries and API Assembly optimized code for OpenSSL has been added on powerpc, powerpc64 and powerpc64le. gitref:ce35a3bc852[repository=src] The detection of CPU features accelerating crypto operations for ARMv7 and ARM64 has been fixed, speeding up `aes-256-gcm` and `sha256` substantially. gitref:32a2fed6e71f[repository=src] (Sponsored by Ampere Computing LLC and Klara Inc.) Building ASAN and UBSAN libraries has been enabled on riscv64 and riscv64sf. gitref:8c56b338da7[repository=src] OFED libraries are now built on riscv64 and riscv64sf. gitref:2b978245733[repository=src] OPENMP libraries are now built on riscv64 and riscv64sf. gitref:aaf56e35569[repository=src] [[kernel]] == Kernel This section covers changes to kernel configurations, system tuning, and system control parameters that are not otherwise categorized. [[kernel-general]] === General Kernel Changes Output corruption on serial console on powerpc64 has been fixed. gitref:dca829138ca[repository=src] CAS has been changed to support Radix MMU. gitref:cc8e726c85b[repository=src] Running FreeBSD with HPT superpages enabled on QEMU with TCG has been fixed on powerpc64(le). gitref:f05174ed354[repository=src] Superpages support has been added to pmap_mincore on powerpc64(le). gitref:32b50b8520d[repository=src] HWCAP/HWCAP2 aux args support was added on arm64 for 32-bit ARM binaries. This fixes build/run of golang under `COMPAT32` emulation. gitref:28e22482279f[repository=src] (Sponsored by Rubicon Communications, LLC ("Netgate")) [[drivers]] == Devices and Drivers This section covers changes and additions to devices and device drivers since {releasePrev}. [[drivers-device]] === Device Drivers The man:igc[4] driver was introduced for the Intel I225 Ethernet controller. This controller supports 2.5G/1G/100Mb/10Mb speeds, and allows tx/rx checksum offload, TSO, LRO, and multi-queue operation. 
gitref:d7388d33b4dd[repository=src] (Sponsored by Rubicon Communications, LLC ("Netgate")) A fix for VGA / HDMI console with AST2500 during boot on powerpc64(le) has been added. gitref:c41d129485e[repository=src] PCI common read/write functions are fixed on big endian targets in man:virtio[4]. gitref:7e583075a41[repository=src], gitref:8d589845881[repository=src] Big-endian support has been added to man:mpr[4]. gitref:7d45bf699dc[repository=src], gitref:2954aedb8e5[repository=src], gitref:c80a1c1072d[repository=src] Max I/O size has been reduced to avoid DMA issues in man:aacraid[4]. gitref:572e3575dba[repository=src] A bug preventing a virtual guest using man:virtio_random[8] from shutting down or rebooting has been fixed. gitref:fa67c45842bb[repository=src] The man:ice[4] driver has been updated to 1.34.2-k, adding firmware logging and initial DCB support. gitref:a0cdf45ea1d1[repository=src] (Sponsored by Intel Corporation) The man:mgb[4] network interface driver has been added, with support for Microchip devices LAN7430 PCIe Gigabit Ethernet controller with PHY and LAN7431 PCIe Gigabit Ethernet controller with RGMII interface. The driver has a number of caveats and limitations, but is functional. gitref:e0262ffbc6ae[repository=src] (Sponsored by The FreeBSD Foundation) Support has been added for link status, media, and VLAN MTU with the man:cdce[4] device. gitref:973fb85188ea[repository=src] The man:iwlwifi[4] driver along with a LinuxKPI 802.11 compatibility layer was added to supplement man:iwm[4] for newer Intel Wireless chipsets. (Sponsored by The FreeBSD Foundation) Kernel crash dumps can now be saved on SD cards and eMMC modules using a `dwmmc` controller when the kernel is configured with the `MMCCAM` option. gitref:79c3478e76c3[repository=src] Kernel crash dumps can now be saved on SD cards using an `sdhci` controller when the kernel is configured with the `MMCCAM` option. 
gitref:8934d3e7b9b9[repository=src] [[drivers-platform]] === Supported Platforms Support has been added for the HiFive Unmatched RISC-V board. [[storage]] == Storage This section covers changes and additions to file systems and other storage subsystems, both local and networked. [[storage-general]] === General Storage [[storage-zfs]] === ZFS Changes ZFS has been upgraded to OpenZFS release 2.1.4. OpenZFS release notes can be found at https://github.com/openzfs/zfs/releases[https://github.com/openzfs/zfs/releases]. [[storage-nfs]] === NFS Changes Two new daemons, man:rpc.tlsclntd[8] and man:rpc.tlsservd[8], are now built by default on amd64 and arm64. They provide support for NFS-over-TLS as described in the Internet Draft entitled "Towards Remote Procedure Call Encryption By Default". These daemons are built when WITH_OPENSSL_KTLS is specified. They use KTLS to encrypt/decrypt all NFS RPC message traffic, and provide optional verification of machine identity via X.509 certificates. gitref:2c76eebca71b[repository=src] gitref:59f6f5e23c1a[repository=src] The default minor version used for an NFSv4 mount has been changed to the highest minor version supported by the NFSv4 server. This default can be overridden by using the `minorversion` mount option. gitref:8a04edfdcbd2[repository=src] A new NFSv4.1/4.2 mount option `nconnect` has been added that can be used to specify the number of TCP connections that will be used for the mount, up to a maximum of 16. The first (default) TCP connection will be used for all RPCs that consist of small RPC messages. The RPCs that can consist of large RPC messages (Read/Readdir/ReaddirPlus/Write) will be sent on the additional TCP connections in a round-robin fashion. If either the NFS client or NFS server have multiple network interfaces aggregated together, or a network interface that uses multiple queues, this can increase NFS performance for the mount. 
gitref:9ec7dbf46b0a[repository=src] A sysctl called `vfs.nfsd.srvmaxio` has been added that can be used to increase the NFS server's maximum I/O size from 128Kbytes to any power of 2 up to 1Mbyte. It can only be set when the nfsd threads are not running, and will normally require an increase in `kern.ipc.maxsockbuf` to at least the value recommended by the console log message generated when setting `vfs.nfsd.srvmaxio` is first attempted. gitref:9fb6e613373c[repository=src] [[storage-ufs]] === UFS Changes Following gitref:5cc52631b3b8[repository=src], man:fsck_ffs[8] did not work for background fsck in preen mode where UFS was tuned for soft updates without soft update journaling. Fixed: gitref:fb2feceac34c[repository=src] [[boot]] == Boot Loader Changes This section covers the boot loader, boot menu, and other boot-related changes. [[boot-loader]] === Boot Loader Changes UEFI boot is improved for amd64. The loader detects whether the loaded kernel can handle the in-place staging area (non-copying mode). The default is `copy_staging auto`. Auto-detection can be overridden, for example: with `copy_staging enable`, the loader will unconditionally copy the staging area to 2M, regardless of kernel capabilities. Also, the code to grow the staging area is more robust; for growth to occur, it's no longer necessary to hand-tune and recompile the loader. (Sponsored by https://www.freebsdfoundation.org[The FreeBSD Foundation]) `boot1` and `loader` have been fixed on powerpc64le. gitref:8a62b07bce7[repository=src] [[boot-process]] === Other Boot Changes Performance improvements have been made to man:loader[8], man:nvme[4], man:random[4], man:rtsold[8], and x86 clock calibration, which collectively yield a significant speedup in system boot time. Configuration changes on the EC2 platform provide additional benefits, resulting in {releaseCurrent} booting over twice as fast as {releasePrev}. 
(Sponsored by https://www.patreon.com/cperciva[https://www.patreon.com/cperciva]) EC2 images are now built by default to boot using UEFI instead of legacy BIOS. Note that UEFI is not supported by Xen-based EC2 instances or by "bare metal" EC2 instances. gitref:65f22ccf8247[repository=src] (Sponsored by https://www.patreon.com/cperciva[https://www.patreon.com/cperciva]) Support was added for recording EC2 AMI Ids in the AWS Systems Manager Parameter Store. FreeBSD will be using the public prefix `/aws/service/freebsd`, resulting in parameter names which look like `/aws/service/freebsd/amd64/base/ufs/13.1/RELEASE`. gitref:242d1c32e42c[repository=src] (Sponsored by https://www.patreon.com/cperciva[https://www.patreon.com/cperciva]) [[network]] == Networking This section describes changes that affect networking in FreeBSD. [[network-general]] === General Network The handling of the lowest address on an IPv4 (sub)net (host 0) has been changed so that packets are not sent as a broadcast unless this address has been set as the broadcast address. This makes the lowest address usable for a host. The old behavior can be restored with the `net.inet.ip.broadcast_lowest` sysctl. See https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-lowest-address/[https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-lowest-address/] for background information. gitref:3ee882bf21af[repository=src] [[future-releases]] == General Notes Regarding Future FreeBSD Releases [[future-releases-cputype]] === Default `CPUTYPE` Change Starting with FreeBSD-13.0, the default `CPUTYPE` for the i386 architecture will change from `486` to `686`. This means that, by default, binaries produced will require a 686-class CPU, including but not limited to binaries provided by the FreeBSD Release Engineering team. FreeBSD 13.0 will continue to support older CPUs, however users needing this functionality will need to build their own releases for official support. 
As the primary use for i486 and i586 CPUs is generally in the embedded market, the general end-user impact is expected to be minimal, as new hardware with these CPU types has long faded, and much of the deployed base of such systems is nearing retirement age, statistically. There were several factors taken into account for this change. For example, i486 does not have 64-bit atomics, and while they can be emulated in the kernel, they cannot be emulated in the userland. Additionally, the 32-bit amd64 libraries have been i686 since their inception. As the majority of 32-bit testing is done by developers using the lib32 libraries on 64-bit hardware with the `COMPAT_FREEBSD32` option in the kernel, this change ensures better coverage and user experience. This also aligns with what the majority of Linux(R) distributions have been doing for quite some time. This is expected to be the final bump of the default `CPUTYPE` in i386. [IMPORTANT] ==== This change does not affect the FreeBSD 12.x series of releases. ==== diff --git a/website/content/en/releases/13.2R/relnotes.adoc b/website/content/en/releases/13.2R/relnotes.adoc index 222d3eda7b..575079f1ef 100644 --- a/website/content/en/releases/13.2R/relnotes.adoc +++ b/website/content/en/releases/13.2R/relnotes.adoc 
@@ -1,430 +1,555 @@ --- title: "FreeBSD 13.2-RELEASE Release Notes" sidenav: download --- :releaseCurrent: 13.2-RELEASE :releaseBranch: 13-STABLE :releasePrev: 13.1-RELEASE :releaseNext: 13.3-RELEASE :releaseType: release include::shared/en/urls.adoc[] = FreeBSD {releaseCurrent} Release Notes :doctype: article :toc: macro :toclevels: 1 :icons: font == Abstract [.abstract-title] The release notes for FreeBSD {releaseCurrent} contain a summary of the changes made to the FreeBSD base system on the {releaseBranch} development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented. [[intro]] == Introduction This document contains the release notes for FreeBSD {releaseCurrent}. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD. The {releaseType} distribution to which these release notes apply represents the latest point along the {releaseBranch} development branch since {releaseBranch} was created. Information regarding pre-built, binary {releaseType} distributions along this branch can be found at https://www.FreeBSD.org/releases/[]. The {releaseType} distribution to which these release notes apply represents a point along the {releaseBranch} development branch between {releasePrev} and the future {releaseNext}. Information regarding pre-built, binary {releaseType} distributions along this branch can be found at https://www.FreeBSD.org/releases/[]. This distribution of FreeBSD {releaseCurrent} is a {releaseType} distribution. It can be found at https://www.FreeBSD.org/releases/[] or any of its mirrors. More information on obtaining this (or other) {releaseType} distributions of FreeBSD can be found in the link:{handbook}mirrors[Obtaining FreeBSD appendix] to the link:{handbook}[FreeBSD Handbook]. 
All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with "late-breaking" information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD {releaseCurrent} can be found on the FreeBSD Web site. This document describes the most user-visible new or changed features in FreeBSD since {releasePrev}. In general, changes described here are unique to the {releaseBranch} branch unless specifically marked as MERGED features. Typical release note items document recent security advisories issued after {releasePrev}, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements. [[upgrade]] == Upgrading from Previous Releases of FreeBSD Binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the man:freebsd-update[8] utility. The link:{handbook}cutting-edge/#freebsdupdate-upgrade[binary upgrade procedure] will update unmodified userland utilities, as well as unmodified GENERIC kernels distributed as a part of an official FreeBSD release. The man:freebsd-update[8] utility requires that the host being upgraded have Internet connectivity. Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in [.filename]#/usr/src/UPDATING#. Users of all PowerPC architectures, after successful kernel and world installation, must run `kldxref /boot/kernel` manually. 
[IMPORTANT] ==== Upgrading FreeBSD should only be attempted after backing up **all** data and configuration files. ==== [IMPORTANT] ==== After installing the new userland software, running daemons are still from the previous version. After installing the user-level components with the second invocation of freebsd-update, or via an upgrade from source with `installworld`, the system should be rebooted to start everything with the new software. For example, older versions of `sshd` failed to process incoming connections correctly after the new [.filename]#/usr/sbin/sshd# was installed; rebooting started a new `sshd` and other daemons. ==== -//// -XXX: gjb will fill this in just before the release is final [[security-errata]] == Security and Errata This section lists the various Security Advisories and Errata Notices since {releasePrev}. [[security]] === Security Advisories [width="100%",cols="40%,30%,30%",options="header",] |=== |Advisory |Date |Topic -|link:https://www.freebsd.org/security/advisories/FreeBSD-SA-20:31.icmp6.asc[FreeBSD-SA-20:31.icmp6] |1 December 2020 |Use-after-free in error message handling + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:03.openssl.asc[FreeBSD-SA-22:03.openssl] +| 15 March 2022 +| OpenSSL certificate parsing infinite loop + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:04.netmap.asc[FreeBSD-SA-22:04.netmap] +| 6 April 2022 +| Potential jail escape vulnerabilities in netmap + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:05.bhyve.asc[FreeBSD-SA-22:05.bhyve] +| 6 April 2022 +| Bhyve e82545 device emulation out-of-bounds write + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:06.ioctl.asc[FreeBSD-SA-22:06.ioctl] +| 6 April 2022 +| mpr/mps/mpt driver ioctl heap out-of-bounds write + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:07.wifi_meshid.asc[FreeBSD-SA-22:07.wifi_meshid] +| 6 April 2022 +| 802.11 heap buffer overflow + +| 
link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:08.zlib.asc[FreeBSD-SA-22:08.zlib] +| 6 April 2022 +| zlib compression out-of-bounds write + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:09.elf.asc[FreeBSD-SA-22:09.elf] +| 9 August 2022 +| Out of bound read in elf_note_prpsinfo() + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:11.vm.asc[FreeBSD-SA-22:11.vm] +| 9 August 2022 +| Memory disclosure by stale virtual memory mapping + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:12.lib9p.asc[FreeBSD-SA-22:12.lib9p] +| 9 August 2022 +| Missing bounds check in 9p message handling + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:13.zlib.asc[FreeBSD-SA-22:13.zlib] +| 30 August 2022 +| zlib heap buffer overflow + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:14.heimdal.asc[FreeBSD-SA-22:14.heimdal] +| 15 November 2022 +| Multiple vulnerabilities in Heimdal [REVISED] + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-22:15.ping.asc[FreeBSD-SA-22:15.ping] +| 29 November 2022 +| Stack overflow in man:ping[8] + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:01.geli.asc[FreeBSD-SA-23:01.geli] +| 8 February 2023 +| GELI silently omits the keyfile if read from stdin + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:02.openssh.asc[FreeBSD-SA-23:02.openssh] +| 16 February 2023 +| OpenSSH pre-authentication double free + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:03.openssl.asc[FreeBSD-SA-23:03.openssl] +| 16 February 2023 +| Multiple vulnerabilities in OpenSSL + |=== [[errata]] === Errata Notices [width="100%",cols="40%,30%,30%",options="header",] |=== |Errata |Date |Topic -|link:https://www.freebsd.org/security/advisories/FreeBSD-EN-20:19.audit.asc[FreeBSD-EN-20:19.audit] |1 December 2020 |execve/fexecve system call auditing + +| 
link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:14.tzdata.asc[FreeBSD-EN-22:14.tzdata] +| 22 March 2022 +| Timezone database information update + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:16.kqueue.asc[FreeBSD-EN-22:16.kqueue] +| 9 August 2022 +| man:kevent[2] timers fire too often + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:17.cam.asc[FreeBSD-EN-22:17.cam] +| 9 August 2022 +| Kernel memory corruption during SCSI error recovery + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:19.pam_exec.asc[FreeBSD-EN-22:19.pam_exec] +| 9 August 2022 +| NULL pointer dereference in man:pam_exec[8] + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:20.tzdata.asc[FreeBSD-EN-22:20.tzdata] +| 30 August 2022 +| Timezone database information update + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:21.zfs.asc[FreeBSD-EN-22:21.zfs] +| 1 November 2022 +| ZFS B-Tree use-after-free + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:22.tzdata.asc[FreeBSD-EN-22:22.tzdata] +| 1 November 2022 +| Timezone database information update + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:23.vm.asc[FreeBSD-EN-22:23.vm] +| 1 November 2022 +| Memory pages become unreclaimable + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:24.zfs.asc[FreeBSD-EN-22:24.zfs] +| 1 November 2022 +| ZFS snapshot directories not accessible over NFS + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:25.tcp.asc[FreeBSD-EN-22:25.tcp] +| 28 August 2022 +| Possible data corruption with TCP SACK retransmissions + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:26.cam.asc[FreeBSD-EN-22:26.cam] +| 1 November 2022 +| CAM man:ioctl[2] compatibility breakage + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:27.loader.asc[FreeBSD-EN-22:27.loader] +| 1 November 2022 +| UEFI loader failing to boot older amd64 kernels + +| 
link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-22:28.heimdal.asc[FreeBSD-EN-22:28.heimdal] +| 29 November 2022 +| Regression in Heimdal KDC + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:01.tzdata.asc[FreeBSD-EN-23:01.tzdata] +| 8 February 2022 +| Timezone database information update + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:02.sdhci.asc[FreeBSD-EN-23:02.sdhci] +| 8 February 2023 +| man:sdhci[4] broken write-protect settings + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:03.ena.asc[FreeBSD-EN-23:03.ena] +| 8 February 2023 +| ena driver crash after reset in 7th gen AWS instance types + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:04.ixgbe.asc[FreeBSD-EN-23:04.ixgbe] +| 8 February 2023 +| ixgbe incorrectly reports input errors for 82599ES + |=== -//// [[userland]] == Userland This section covers changes and additions to userland applications, contributed software, and system utilities. [[userland-config]] === Userland Configuration Changes // SAMPLE ENTRY: // A new man:rc.conf[5] variable has been added, `linux_mounts_enable`, which controls if Linux(R)-specific filesystems are mounted in [.filename]#/compat/linux# if `linux_enable` is set to `YES`. // gitref:1234567890ab[repository=src] (Sponsored by The FreeBSD Foundation) The man:growfs[7] startup script will now add a swap partition while expanding the root file system if possible, and if one did not previously exist. This is primarily useful when installing on an SD card using a raw image. A new man:rc.conf[5] variable has been added, `growfs_swap_size`, which can control the addition if necessary. See man:growfs[7] for details. The `zfskeys` startup script supports autoloading of keys stored on ZFS. gitref:2411090f6940[repository=src] (Sponsored by Klara Inc.) 
A new RC script, `zpoolreguid` has been added, which will assign a new GUID to one or more zpools, useful for virtualization environments when sharing datasets. The `hostid` startup script will now generate a random (version 4) UUID if there is no [.filename]#/etc/hostid# file and no valid UUID from hardware. Also, if there is no [.filename]#/etc/machine-id# file, the `hostid_save` script will store a compact version of the hostid (one without hyphens) in [.filename]#/etc/machine-id#. This file is used by libraries such as GLib. gitref:17333d92643d[repository=src] gitref:a379d5c5efb2[repository=src] gitref:71d88613d129[repository=src] It is now possible to add default routes for FIBs other than the primary by using the `defaultrouter_fibN` and `ipv6_defaultrouter_fibN` man:rc.conf[5] variables. gitref:c6ec1b441ad3[repository=src] (Sponsored by ScaleEngine Inc.) [[userland-programs]] === Userland Application Changes The man:bhyve[8] utility has gained virtio-input device emulation support. This will be used to inject keyboard/mouse input events into a guest. The command line syntax is: `-s ,virtio-input,/dev/input/eventX`. gitref:6192776124c5[repository=src] The man:kdump[1] utility has gained support for decoding Linux system calls. The man:killall[1] utility now allows sending signals to processes with their controlling terminal on man:pts[4] using the syntax `-t pts/N`. gitref:a76fa7bb6cb7[repository=src] An man:nproc[1] utility has been added, compatible with the Linux program of the same name. The man:timeout[1] utility has been moved from [.filename]#/usr/bin# to [.filename]#/bin#. The man:pciconf[8] utility has added support for decoding ACS extended capability. gitref:dde4103a465b[repository=src] (Sponsored by Chelsio Communications) The man:procstat[1] utility can now print information about advisory locks on files with the newly added `advlock` command. 
gitref:f9daaf452a8a[repository=src] The man:pwd_mkdb[8] utility no longer copies comments from [.filename]#/etc/master.passwd# to [.filename]#/etc/passwd#. gitref:3e955733117d[repository=src] MSS clamping has been improved for man:ppp[8]. gitref:301bff9bdd62[repository=src] Metric aliasing has been changed in man:prometheus_sysctl_exporter[8] to avoid confusing Prometheus server due to conflicting metric names. The `tcp_log_bucket` UMA zone has been renamed to `tcp_log_id_bucket`, and `tcp_log_node` was renamed to `tcp_log_id_node` for consistency. Sysctl variables with `(LEGACY)` in their descriptions are no longer being exported, these are used by ZFS sysctls that have been replaced by others, many of which alias to the same Prometheus metric name (like `vfs.zfs.arc_max` and `vfs.zfs.arc.max`). gitref:e4f508d5a211[repository=src] (Sponsored by Axcient) The man:uuidgen[1] utility has a new option `-r` to generate a random UUID, version 4. gitref:8fd1953b7eb2[repository=src] When invoked by man:inetd[8], `ctlstat -P` will now produce output suitable for ingestion into Prometheus; see man:ctlstat[8]. gitref:f7896015fcde[repository=src] (Sponsored by Axcient) [[userland-contrib]] === Contributed Software Gavin Howard's `bc` has been upgraded to version 6.2.4. `expat` (`libbsdxml`) has been upgraded to version 2.5.0. `file` has been upgraded to version 5.43. `less` has been upgraded to version 608. `libarchive` has been upgraded to version 3.6.2 with many reliability fixes. Release notes are available at https://github.com/libarchive/libarchive/releases[]. `libedit` has been upgraded to version 2022-04-11. `LLVM` and the `clang` compiler have been upgraded to version 14.0.5. Supported `LLVM` sanitizers are now enabled on `powerpc64` and variants. `mandoc` has been upgraded to version 1.14.6. `OpenSSH` has been upgraded to version 9.3p1. `OpenSSL` has been upgraded to version 1.1.1t. `sendmail` has been upgraded to version 8.17.1. 
gitref:68e86d5265bc[repository=src] `sqlite3` has been upgraded to version 3.40.1. `tzcode` has been upgraded to version 2022g with improved timezone change detection and reliability fixes. `tzdata` has been upgraded to version 2023c. `unbound` has been upgraded to version 1.17.1. `xz` has been upgraded to version 5.4.1. `xz-embedded` has been upgraded to 3f438e15109229bb14ab45f285f4bff5412a9542. `zlib` has been upgraded to version 1.2.13. [[userland-libraries]] === Runtime Libraries and API Support of SHA-512/224 has been added to `libmd`. gitref:e04ee7d95ef6[repository=src] (Sponsored by Klara, Inc.) Linux-style system call tracing is now supported by man:sysdecode[3] and man:kdump[1]. The native pthread library functions can now support Linux semantics. [[kernel]] == Kernel This section covers changes to kernel configurations, system tuning, and system control parameters that are not otherwise categorized. [[kernel-general]] === General Kernel Changes The man:bhyve[8] hypervisor and kernel module man:vmm[4] now support more than 16 vCPUs in a guest. By default bhyve permits each guest to create the same number of vCPUs as the count of physical CPUs on the host. This limit can be adjusted via the loader tunable `hw.vmm.maxcpu`. gitref:3e02f8809aec[repository=src] Address Space Layout Randomization (ASLR) is enabled for 64-bit executables by default. It can be disabled as needed if applications fail unexpectedly, for example with segmentation faults. To disable for a single invocation, use the man:proccontrol[1] command: `proccontrol -m aslr -s disable command`. To disable ASLR for all invocations of a binary, use the man:elfctl[1] command: `elfctl -e +noaslr file`. Problems should be reported via the problem reporting system, https://bugs.freebsd.org[], or posting to the `freebsd-stable@FreeBSD.org` mailing list. 
gitref:10192e77cfac[repository=src] (Sponsored by Stormshield) A workaround has been implemented for a hardware page invalidation problem on Intel Alder Lake (twelfth generation) and Raptor Lake (thirteenth generation) hybrid CPUs. The bug can lead to file system corruption with UFS and MSDOSFS, and probably other memory corruption. The slower cores (E-cores) automatically use a slower method of page invalidation with the workaround. gitref:567cc4e6bfd9[repository=src] (Sponsored by The FreeBSD Foundation) A new kernel configuration knob is available, `SPLIT_KERNEL_DEBUG`, which controls splitting of kernel and module debug data into separate standalone files. This interacts with the `WITHOUT_KERNEL_SYMBOLS` option, which operates differently than in 13.0-RELEASE and {releasePrev}, but similarly to prior releases; it now controls only installation of the debug data. The defaults are `WITH_KERNEL_SYMBOLS` and `WITH_SPLIT_KERNEL_DEBUG`, allowing the kernel and modules without debug data to be installed in [.filename]#/boot#, and standalone debugging files to be installed in [.filename]#/usr/lib/debug#, as was done by default in releases before 13.0-RELEASE. Using `WITHOUT_KERNEL_SYMBOLS` and `WITH_SPLIT_KERNEL_DEBUG`, standalone debugging files are generated but not installed, as when using `WITHOUT_KERNEL_SYMBOLS` in releases before 13.0-RELEASE. Finally, using `WITHOUT_KERNEL_SYMBOLS` and `WITHOUT_SPLIT_KERNEL_DEBUG` installs the kernel and modules with built-in debugging information in [.filename]#/boot#, as in {releasePrev} using `WITHOUT_KERNEL_SYMBOLS`. gitref:0c4d13c521aa[repository=src] (Sponsored by The FreeBSD Foundation) On the PowerPC, a radix pmap in pseries is supported for ISA 3.0. This should make pseries significantly faster on POWER9 instances, as fewer hypercalls are needed to manage pmap now. gitref:c74c77531248[repository=src] Support for man:ptrace[2] is now available for Linux processes on arm64. 
gitref:99950e8beb72[repository=src] In order to facilitate ABI compatibility of `stable` branches, the CPU affinity system calls are now more tolerant of CPU sets that are smaller than used by the kernel. This will facilitate increases to the size of the kernel set, `MAXCPU`. gitref:72bc1e6806cc[repository=src] 64-bit man:linux[4] ABI support was added for saving CPU floating point state across signal delivery. gitref:0b82c544de58[repository=src], gitref:20d601714206[repository=src] vDSO (virtual dynamic shared object) support has been nearly completed in the man:linux[4] ABI. gitref:a340b5b4bd48[repository=src] The state of the arm64 man:linux[4] ABI was brought to parity with the amd64 man:linux[4] ABI. gitref:0b82c544de58[repository=src], gitref:a340b5b4bd48[repository=src] [[drivers]] == Devices and Drivers This section covers changes and additions to devices and device drivers since {releasePrev}. [[drivers-device]] === Device Drivers The man:em[4] driver now correctly supports the full range of receive buffer sizes available on newer chips 82580 and i350. gitref:3f8306cf8e2d[repository=src] The man:ena[4] driver has been upgraded to version 2.6.2. (Sponsored by Amazon, Inc.) Basic support for Intel Alder Lake CPUs has been implemented for man:hwpmc[4]. gitref:b8ef2ca9eae9[repository=src] The man:ice[4] driver has been updated to version 1.37.7-k. The man:irdma[4] RDMA driver was introduced for the Intel E810 Ethernet Controller, supporting both RoCEv2 and iWARP protocols in per-PF manner, RoCEv2 being the default, and was upgraded to version 1.1.5-k. gitref:42bad04a2156[repository=src] (Sponsored by Intel Corporation) Initial support is now available for DPAA2 (second generation Data Path Acceleration Architecture – a hardware-level networking architecture found in some NXP SoCs). It runs NXP-supplied firmware which provides DPAA2 objects as an abstraction layer, and provides a `dpni` network interface. 
gitref:d5a64a935bc9[repository=src] (Sponsored by Bare Enthusiasm :) and Traverse Technologies) The man:iwlwifi[4] driver for Intel wireless interfaces was updated. (Sponsored by The FreeBSD Foundation) The man:rtw88[4] driver was added to support several Realtek wireless PCI interfaces. It is currently limited to 802.11 a/b/g operation. See https://wiki.freebsd.org/WiFi/Rtw88[] for additional information. There were many additions and improvements to the KPI for support of Linux device drivers. (Sponsored by The FreeBSD Foundation) [[storage]] == Storage This section covers changes and additions to file systems and other storage subsystems, both local and networked. [[storage-nfs]] === NFS Changes A problem causing NFS server hangs has been fixed; the problem was caused by a bug with SACK handling in TCP. [[storage-ufs]] === UFS Changes It is now possible to take snapshots on UFS filesystems when running with journaled soft updates. Thus it is now possible to do background dumps on live filesystems running with journaled soft updates. Background dumps are requested by using the `-L` flag to man:dump[8]. (In previous releases UFS snapshots were incompatible with journaled soft updates.) gitref:3f908eed27b4[repository=src] (Sponsored by The FreeBSD Foundation) [[boot]] == Boot Loader Changes This section covers the boot loader, boot menu, and other boot-related changes. [[boot-loader]] === Boot Loader Changes The `teken.fg_color` and `teken.bg_color` man:loader.conf[5] variables now accept a `bright` or `light` prefix (and color numbers 8 through 15) to select bright colors. gitref:1dcb6002c500[repository=src] (Sponsored by The FreeBSD Foundation). See also gitref:233ab015c0d7[repository=src] Several bugs have been fixed in man:loader[8] that caused the video console output to disappear. These appeared to be hangs after the boot loader starts the kernel. 
(Sponsored by Netflix) [[network]] == Networking This section describes changes that affect networking in FreeBSD. [[network-general]] === General Network The kernel man:wg[4] WireGuard driver has been reintegrated; it provides Virtual Private Network (VPN) interfaces using the WireGuard protocol. gitref:5ae69e2f10da[repository=src] (Sponsored by Rubicon Communications, LLC ("Netgate") and The FreeBSD Foundation) KTLS (the kernel TLS implementation) has added receive offload support for TLS 1.3. Receive offload is now supported for TLS 1.1 through 1.3; send offload is supported for TLS 1.0 through 1.3. gitref:1462dc95f796[repository=src] (Sponsored by Netflix) The man:netlink[4] network configuration protocol is now available. It is a communication protocol defined in RFC 3549, and uses a raw socket to exchange configuration information between user space and kernel. It is used by third-party routing programs and by the man:linux[4] ABI. The man:netlink[4] protocol is not included in the GENERIC configuration in {releaseCurrent}, but is available as a kernel module. gitref:6058f6cc48f5[repository=src] Radix tables and lookups are now supported for MAC addresses in man:ipfw[4]. This allows MAC address tables to be constructed and used for filtering. gitref:c31f8b7bd895[repository=src] Kernel modules dpdk_lpm4 and dpdk_lpm6 are now available and can be loaded via man:loader.conf[5]. They provide optimized routing functions for hosts with a very large amount of routing tables. They can be configured via man:route[8] and are part of the modular FIB lookup mechanism. gitref:0ca122044369[repository=src] There are numerous bug fixes in TCP and SCTP. [[future-releases]] == General Notes Regarding Future FreeBSD Releases `OPIE` has been deprecated and will be removed in FreeBSD 14.0. The man:ce[4] and man:cp[4] synchronous serial drivers have been deprecated and will be removed in FreeBSD 14.0. 
Drivers for ISA sound cards have been deprecated and will be removed in FreeBSD 14.0. gitref:d7620b6ec941[repository=src] (Sponsored by The FreeBSD Foundation) The man:mergemaster[8] utility has been deprecated and will be removed in FreeBSD 14.0. Its replacement is man:etcupdate[8]. gitref:5fa16e3c50c5[repository=src] (Sponsored by The FreeBSD Foundation) The man:minigzip[1] utility has been deprecated and will be removed in FreeBSD 14.0. gitref:84d3fc26e3a2[repository=src] The remaining components of ATM in netgraph (NgATM) have been deprecated and will be removed in FreeBSD 14.0. Support for ATM NICs was removed previously. The Telnet daemon, man:telnetd[8], has been deprecated and will be removed in FreeBSD 14.0. The Telnet client is not affected. The VINUM class in man:geom[8] has been deprecated and will be removed in a future release. [[future-releases-cputype]] === Default `CPUTYPE` Change Starting with FreeBSD-13.0, the default `CPUTYPE` for the i386 architecture will change from `486` to `686`. This means that, by default, binaries produced will require a 686-class CPU, including but not limited to binaries provided by the FreeBSD Release Engineering team. FreeBSD 13.x will continue to support older CPUs, however users needing this functionality will need to build their own releases for official support. As the primary use for i486 and i586 CPUs is generally in the embedded market, the general end-user impact is expected to be minimal, as new hardware with these CPU types has long faded, and much of the deployed base of such systems is nearing retirement age, statistically. There were several factors taken into account for this change. For example, i486 does not have 64-bit atomics, and while they can be emulated in the kernel, they cannot be emulated in the userland. Additionally, the 32-bit amd64 libraries have been i686 since their inception. 
As the majority of 32-bit testing is done by developers using the lib32 libraries on 64-bit hardware with the `COMPAT_FREEBSD32` option in the kernel, this change ensures better coverage and user experience. This also aligns with what the majority of Linux(R) distributions have been doing for quite some time. This is expected to be the final bump of the default `CPUTYPE` in i386. [IMPORTANT] ==== This change does not affect the FreeBSD 12.x series of releases. ==== diff --git a/website/content/en/releases/13.3R/relnotes.adoc b/website/content/en/releases/13.3R/relnotes.adoc index fad01dc7a3..4f769fc445 100644 --- a/website/content/en/releases/13.3R/relnotes.adoc +++ b/website/content/en/releases/13.3R/relnotes.adoc 
@@ -1,330 +1,453 @@ --- title: "FreeBSD 13.3-RELEASE Release Notes" sidenav: download --- :releaseCurrent: 13.3-RELEASE :releaseBranch: 13-STABLE :releasePrev: 13.2-RELEASE :releaseNext: 13.4-RELEASE :releasePrev14: 14.0-RELEASE :releaseType: release include::shared/en/urls.adoc[] = FreeBSD {releaseCurrent} Release Notes :doctype: article :toc: macro :toclevels: 1 :icons: font == Abstract [.abstract-title] The release notes for FreeBSD {releaseCurrent} contain a summary of the changes made to the FreeBSD base system on the {releaseBranch} development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented. [[intro]] == Introduction This document contains the release notes for FreeBSD {releaseCurrent}. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD. The {releaseType} distribution to which these release notes apply represents the latest point along the {releaseBranch} development branch since {releaseBranch} was created. Information regarding pre-built, binary {releaseType} distributions along this branch can be found at https://www.FreeBSD.org/releases/[]. The {releaseType} distribution to which these release notes apply represents a point along the {releaseBranch} development branch between {releasePrev} and the future {releaseNext}. Information regarding pre-built, binary {releaseType} distributions along this branch can be found at https://www.FreeBSD.org/releases/[]. This distribution of FreeBSD {releaseCurrent} is a {releaseType} distribution. It can be found at https://www.FreeBSD.org/releases/[] or any of its mirrors. 
More information on obtaining this (or other) {releaseType} distributions of FreeBSD can be found in the link:{handbook}mirrors[Obtaining FreeBSD appendix] to the link:{handbook}[FreeBSD Handbook]. All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with "late-breaking" information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD {releaseCurrent} can be found on the FreeBSD Web site. This document describes the most user-visible new or changed features in FreeBSD {releaseBranch} since {releasePrev}. Note that some of the changes described here are also available in FreeBSD {releasePrev14}. Typical release note items document recent security advisories issued after {releasePrev}, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements. [[upgrade]] == Upgrading from Previous Releases of FreeBSD Binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the man:freebsd-update[8] utility. See the release-specific upgrade procedure, link:../installation/#upgrade-binary[FreeBSD {releaseCurrent} upgrade information], with more details in the FreeBSD handbook link:{handbook}cutting-edge/#freebsdupdate-upgrade[binary upgrade procedure]. This will update unmodified userland utilities, as well as unmodified GENERIC kernels distributed as a part of an official FreeBSD release. 
The man:freebsd-update[8] utility requires that the host being upgraded have Internet connectivity. Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in [.filename]#/usr/src/UPDATING#. [IMPORTANT] ==== Upgrading FreeBSD should only be attempted after backing up **all** data and configuration files. ==== [IMPORTANT] ==== After installing the new userland software, running daemons are still from the previous version. After installing the user-level components with the second invocation of freebsd-update, or via an upgrade from source with `installworld`, the system should be rebooted to start everything with the new software. For example, older versions of `sshd` failed to process incoming connections correctly after the new [.filename]#/usr/sbin/sshd# was installed; rebooting started a new `sshd` and other daemons. ==== -//// -XXX: Release Engineering Lead will fill this in just before the release is final [[security-errata]] == Security and Errata This section lists the various Security Advisories and Errata Notices since {releasePrev}. 
[[security]] === Security Advisories [width="100%",cols="40%,30%,30%",options="header",] |=== |Advisory |Date |Topic -|link:https://www.freebsd.org/security/advisories/FreeBSD-SA-20:31.icmp6.asc[FreeBSD-SA-20:31.icmp6] |1 December 2020 |Use-after-free in error message handling + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:04.pam_krb5.asc[FreeBSD-SA-23:04.pam_krb5] +| 21 June 2023 +| Network authentication attack via pam_krb5 + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:06.ipv6.asc[FreeBSD-SA-23:06.ipv6] +| 1 August 2023 +| Remote denial of service in IPv6 fragment reassembly + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:07.bhyve.asc[FreeBSD-SA-23:07.bhyve] +| 1 August 2023 +| bhyve privileged guest escape via fwctl + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:08.ssh.asc[FreeBSD-SA-23:08.ssh] +| 1 August 2023 +| Potential remote code execution via ssh-agent forwarding + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:09.pam_krb5.asc[FreeBSD-SA-23:09.pam_krb5] +| 1 August 2023 +| Network authentication attack via pam_krb5 + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:10.pf.asc[FreeBSD-SA-23:10.pf] +| 6 September 2023 +| pf incorrectly handles multiple IPv6 fragment headers + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:11.wifi.asc[FreeBSD-SA-23:11.wifi] +| 6 September 2023 +| Wi-Fi encryption bypass + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:12.msdosfs.asc[FreeBSD-SA-23:12.msdosfs] +| 3 October 2023 +| msdosfs data disclosure + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:13.capsicum.asc[FreeBSD-SA-23:13.capsicum] +| 3 October 2023 +| copy_file_range insufficient capability rights check + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:14.smccc.asc[FreeBSD-SA-23:14.smccc] +| 3 October 2023 +| arm64 boot CPUs may lack speculative execution protections + +| 
link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:15.stdio.asc[FreeBSD-SA-23:15.stdio] +| 7 November 2023 +| libc stdio buffer overflow + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:16.cap_net.asc[FreeBSD-SA-23:16.cap_net] +| 8 November 2023 +| Incorrect libcap_net limitation list manipulation + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:17.pf.asc[FreeBSD-SA-23:17.pf] +| 5 December 2023 +| TCP spoofing vulnerability in man:pf[4] + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:18.nfsclient.asc[FreeBSD-SA-23:18.nfsclient] +| 12 December 2023 +| NFS client data corruption and kernel memory disclosure + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:19.openssh.asc[FreeBSD-SA-23:19.openssh] +| 19 December 2023 +| Prefix Truncation Attack in the SSH protocol + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-24:01.bhyveload.asc[FreeBSD-SA-24:01.bhyveload] +| 14 February 2024 +| man:bhyveload[8] host file access + |=== [[errata]] === Errata Notices [width="100%",cols="40%,30%,30%",options="header",] |=== |Errata |Date |Topic + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:05.tzdata.asc[FreeBSD-EN-23:05.tzdata] +| 21 June 2023 +| Timezone database information update + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:06.loader.asc[FreeBSD-EN-23:06.loader] +| 21 June 2023 +| x86 kernel console configuration + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:07.mpr.asc[FreeBSD-EN-23:07.mpr] +| 21 June 2023 +| man:mpr[4] may fail to initialize devices + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:09.freebsd-update.asc[FreeBSD-EN-23:09.freebsd-update] +| 6 September 2023 +| freebsd-update incorrectly merges files on upgrade + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:10.pci.asc[FreeBSD-EN-23:10.pci] +| 6 September 2023 +| PCI-e hot-plug is broken with certain devices + 
+| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:11.caroot.asc[FreeBSD-EN-23:11.caroot] +| 6 September 2023 +| Root certificate bundle update + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:12.freebsd-update.asc[FreeBSD-EN-23:12.freebsd-update] +| 3 October 2023 +| freebsd-update to 14.0 fails + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:13.freebsd-update.asc[FreeBSD-EN-23:13.freebsd-update] +| 8 November 2023 +| freebsd-update does not handle deep boot environments + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:14.regcomp.asc[FreeBSD-EN-23:14.regcomp] +| 8 November 2023 +| Incorrect regular expression escape handling + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:15.sanitizer.asc[FreeBSD-EN-23:15.sanitizer] +| 1 December 2023 +| Clang sanitizer failure with ASLR enabled + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:16.openzfs.asc[FreeBSD-EN-23:16.openzfs] +| 1 December 2023 +| OpenZFS data corruption + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:21.tty.asc[FreeBSD-EN-23:21.tty] +| 24 November 2023 +| man:tty[4] IUTF8 causes a kernel panic + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:22.vfs.asc[FreeBSD-EN-23:22.vfs] +| 5 December 2023 +| ZFS snapshot directories not accessible over NFS + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-24:02.libutil.asc[FreeBSD-EN-24:02.libutil] +| 14 February 2024 +| Login class resource limits and CPU mask bypass + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-24:03.kqueue.asc[FreeBSD-EN-24:03.kqueue] +| 14 February 2024 +| man:kqueue_close[2] page fault on exit using man:rfork[2] + |=== -//// + [[userland]] == Userland This section covers changes and additions to userland applications, contributed software, and system utilities. 
[[userland-config]] === Userland Configuration Changes // SAMPLE ENTRY: // A new man:rc.conf[5] variable has been added, `linux_mounts_enable`, which controls if Linux(R)-specific filesystems are mounted in [.filename]#/compat/linux# if `linux_enable` is set to `YES`. // gitref:1234567890ab[repository=src] (Sponsored by The FreeBSD Foundation) The man:libtacplus[3] library has been improved so that man:tacplus.conf[5] now follows POSIX shell syntax rules. This may cause TACACS+ authentication to fail if the shared secret contains a single quote, double quote, or backslash character which isn't already properly quoted or escaped. The library allows additional AV pairs to be configured, up to 255. gitref:5761f8a7de9f[repository=src] (Sponsored by Klara, Inc.) Programs such as man:login[1] that utilize man:setusercontext[3] will now allow the process priority to be set from the [.filename]#~/.login_conf# file if the credentials permit setting it. Also, the priority may be specified in man:login.conf[5] as `inherit`, indicating that the process priority is inherited from the parent process. Similarly, the `umask` value may now be specified as `inherit`. gitref:8b359002747a[repository=src] gitref:e074746fec21[repository=src] gitref:16e02df98ad6[repository=src] (Sponsored by Kumacom SAS) The configuration file and security output changes reported by man:periodic[8] that are emailed to system administrators now use reduced context to minimize unrelated content. The options passed to man:diff[1] to produce the daily output can be controlled by a `daily_diff_flags` variable in man:rc.conf[5]; the options passed to man:diff[1] for the security scripts are controlled by `security_status_diff_flags`. gitref:4c14a3a6aebe[repository=src] gitref:6d9195b5f763[repository=src] The default location for downloading leapsecond information has been updated to use the canonical source, as the previous location was no longer supported. 
gitref:d19b59cfe594[repository=src] The man:powerd[8] daemon is now enabled by default in [.filename]#/etc/rc.conf# on the arm64 `RPI` image for Raspberry Pi systems, allowing the system to run at full speed as needed. Users with non-default turbo settings may want to disable it. gitref:e889b5a892b6[repository=src] The umask for a service may now be specified in man:rc.conf[5] using the variable _umask, where the service is named . gitref:2d6a03dd43c7[repository=src] [[userland-programs]] === Userland Application Changes The man:head[1] and man:tail[1] programs now support the `-q` (quiet) and `-v` (verbose) options consistently. Numeric arguments may now use SI suffixes supported by man:expand_number[3]. gitref:585762c3733f[repository=src] The man:objdump[1] utility from LLVM is now available. Some LLVM objdump options have a different output format than GNU objdump; man:readelf[1] is available for inspecting ELF files, and GNU objdump is available from the [.filename]#devel/binutils# port or package. The man:tftpd[8] server can be configured to allow writes to files in a chrooted environment that are not world-writable using the new `-S` option. gitref:b71dde1aeba2[repository=src] [[userland-contrib]] === Contributed Software `expat` has been upgaded to version 2.6.0. Several Heimdal security fixes have been applied to mitigate vulnerabilities in the Kerberos Key Distribution Center. The `libfido2` authentication token library has been updated to version 1.13.0. gitref:b27bad1e0373[repository=src] gitref:079a1c2059e7[repository=src] gitref:d79e0d1735e3[repository=src] (Sponsored by The FreeBSD Foundation) `LLVM` and the `clang` compiler have been upgraded to version 17.0.6. `nvi` (man:vi[1]) has been upgraded to version 2.2.1. `sendmail` has been upgraded to version 8.18.1. This version enforces stricter RFC compliance by default, especially with respect to line endings. 
This may cause issues with receiving messages from non-compliant MTAs; please see the first 8.18.1 release note in link:https://ftp.sendmail.org/RELEASE_NOTES[] for mitigations. gitref:b36ddb27b3b9[repository=src] `OpenSSH` has been updated to version 9.6p1, including a number of security fixes. The most significant are fixes for a newly-discovered weakness in the SSH transport protocol. man:ssh-keygen[1] now generates Ed25519 keys by default. man:sshd[8] now accurately preserves quoting of subsystem commands and arguments. gitref:f26eafdfafb0[repository=src] gitref:221a6bc397ad[repository=src] gitref:2cd20d9bc807[repository=src] (Sponsored by The FreeBSD Foundation) `tzdata` has been upgraded to version 2024a. `unbound` has been upgraded to version 1.19.1, including security fixes. gitref:c6edb21e3763[repository=src] `xz` has been upgraded to version 5.4.5. The man:zlib[3] library has been updated to version 1.3.1. gitref:f2de7ba78a49[repository=src] gitref:05e3998add1c[repository=src] [[kernel]] == Kernel This section covers changes to kernel configurations, system tuning, and system control parameters that are not otherwise categorized. [[kernel-general]] === General Kernel Changes The man:intro[9] introduction to the kernel programming interfaces has been completely rewritten. gitref:5a0c410787b8[repository=src] (Sponsored by The FreeBSD Foundation) [[drivers]] == Devices and Drivers This section covers changes and additions to devices and device drivers since {releasePrev}. [[drivers-device]] === Device Drivers Multiple PCI MCFG regions are now supported on x86 systems, enabling support for PCI config access for domains (segments) other than 0. gitref:0fb0306a89ad[repository=src] A problem with the `graid` implementation of Promise RAID1 created with 4 or more disks has been fixed. The array worked only until reboot. gitref:394ceefc2f2f[repository=src] The man:iwlwifi[4] driver for Intel wireless interfaces has been updated, supporting chipsets up to BE200. 
(Sponsored by The FreeBSD Foundation) (Sponsored by minipci.biz) The man:rtw88[4] driver for Realtek wireless PCI interfaces has been updated. There have been many stability fixes to native and LinuxKPI-based wireless drivers. (Sponsored by The FreeBSD Foundation) The man:smsc[4] driver for USB Ethernet adapters will now obtain the MAC address from bootargs on Raspberry Pi systems that pass it, and will otherwise fall back to use of man:ether_gen_addr[9] to generate a stable MAC address if none is provided by the hardware. gitref:3d96ee7c7dcc[repository=src] [[storage]] == Storage This section covers changes and additions to file systems and other storage subsystems, both local and networked. [[storage-general]] === General Storage In the course of debugging and resolving a problem with vnode recycling in the generic file system code, sysctls for vnode-related statistics have been grouped under `vfs.vnode` for greater visibility. gitref:77a8bd148796[repository=src] [[storage-nfs]] === NFS Changes The NFS server (man:nfsd[8], man:nfsuserd[8], man:mountd[8], man:gssd[8], and man:rpc.tlsservd[8]) can be run in an appropriately configured vnet jail. The vnet jail must be on its own file system, have the `allow.nfsd` jail parameter set on it, and `enforce_statfs` cannot be set to `0`. Use of UDP and pNFS server configurations are not permitted. See man:jail[8], man:nfsd[8], and man:mountd[8]. gitref:b4805d577787[repository=src] A new `syskrb5` mount option is available that allows a Kerberized NFSv4.1/4.2 mount to be done without any Kerberos credential (TGT or keytab) at mount time. See man:mount_nfs[8]. gitref:0644746d5091[repository=src] [[storage-zfs]] === ZFS Changes `OpenZFS` has been upgraded to version 2.1.14. gitref:7005cd440405[repository=src] gitref:e6c1e181ba7f[repository=src] gitref:d9a61490b098[repository=src] gitref:f5eac6541278[repository=src] The man:zfsd[8] daemon will now fault disks that generate too many I/O delay events. 
gitref:e2ce586899ff[repository=src] (Sponsored by Axcient) [[network]] == Networking This section describes changes that affect networking in FreeBSD. [[network-general]] === General Network The logging priority of syslog messages due to overflow of a socket listen queue can now be set using the sysctl `kern.ipc.sooverprio`. The default is 7, corresponding to LOG_DEBUG. A value of -1 suppresses logging. See man:listen[2]. gitref:773c91ccc892[repository=src] The netgraph man:ng_ipfw[4] module no longer truncates cookies to 16 bits, allowing a full 32 bits. gitref:0b9242dea68c[repository=src] Support for IPv6 RFC 4620 nodeinfo is now disabled by default. gitref:5c4e8a631097[repository=src] (Sponsored by The FreeBSD Foundation) pf filter rules can be optionally enabled for packets delivered locally to enable pf rdr rules for connections initiated from the host. This can change the behavior of rules which match packets delivered to `lo0`. To enable this feature, use the commands `sysctl net.pf.filter_local=1; service pf restart`. When enabled, it is best to ensure that packets delivered locally are not filtered, e.g. by adding a `set skip on lo` rule. gitref:6dfb2c2dce0f[repository=src] [[hardware]] == Hardware Support This section covers general hardware support for physical machines, hypervisors, and virtualization environments, as well as hardware changes and updates that do not fit in other sections of this document. [[hardware-arch]] === Hardware Architecture Support The BeagleBone Black (armv7) is no longer supported; it does not work with the current boot files (DTB). [[hardware-virtualization]] === Virtualization Support The Google Virtual NIC (man:gve[4]) is now supported. gitref:4e846759f0a3[repository=src] (Sponsored by Google) [[future-releases]] == General Notes Regarding Future FreeBSD Releases FreeBSD 15.0 is not expected to include support for 32-bit platforms other than armv7. The armv6, i386, and powerpc platforms are deprecated and will be removed. 
64-bit systems will still be able to run older 32-bit binaries. We expect to support armv7 as a Tier 2 architecture in FreeBSD 15.0 and stable/15. However, we also anticipate that armv7 may be removed in FreeBSD 16.0. We will provide an update on the status of armv7 for both 15.x and 16.x at the time of 15.0 release. Support for executing 32-bit binaries on 64-bit platforms via the `COMPAT_FREEBSD32` option will continue for at least the stable/15 and stable/16 branches. Support for compiling individual 32-bit applications via `cc -m32` will also continue for at least the stable/15 branch, which includes suitable headers in [.filename]#/usr/include# and libraries in [.filename]#/usr/lib32#. Ports will not include support for deprecated 32-bit platforms for FreeBSD 15.0 and later releases. These future releases will not include binary packages or support for building packages from ports for deprecated 32-bit platforms. The FreeBSD stable/14 and earlier branches will retain existing 32-bit kernel and world support. Ports will retain existing support for building ports and packages for 32-bit systems on stable/14 and earlier branches as long as those branches are supported by the ports system. However, all 32-bit platforms are Tier-2 or Tier-3, and support for individual ports should be expected to degrade as upstreams deprecate 32-bit platforms. With the current support schedule, stable/14 will reach end of life (EOL) 5 years after the release of FreeBSD {releasePrev14}. The EOL of stable/14 will mark the end of support for deprecated 32-bit platforms, including source releases, pre-built packages, and support for building applications from ports. With the release of {releasePrev14} in November 2023, support for deprecated 32-bit platforms will end in November 2028. The project may choose to alter this approach when FreeBSD 15.0 is released by extending some level of support for one or more of the deprecated platforms in 15.0 or later. 
Any alterations will be driven by community feedback and committed efforts to support these platforms. Use FreeBSD {releasePrev14} and following minor releases, or the stable/14 branch, to migrate off 32-bit platforms. diff --git a/website/content/en/releases/14.0R/relnotes.adoc b/website/content/en/releases/14.0R/relnotes.adoc index 14d6e83b7a..2d3ba5333f 100644 --- a/website/content/en/releases/14.0R/relnotes.adoc +++ b/website/content/en/releases/14.0R/relnotes.adoc 
@@ -1,983 +1,995 @@ --- title: "FreeBSD 14.0-RELEASE Release Notes" sidenav: download --- :releaseCurrent: 14.0-RELEASE :releaseBranch: 14-STABLE :releasePrev: 13.2-RELEASE :releaseNext: 14.1-RELEASE :releaseType: release include::shared/en/urls.adoc[] = FreeBSD {releaseCurrent} Release Notes :doctype: article :toc: macro :toclevels: 1 :icons: font == Abstract [.abstract-title] The release notes for FreeBSD {releaseCurrent} contain a summary of the changes made to the FreeBSD base system on the {releaseBranch} development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented. [[intro]] == Introduction This document contains the release notes for FreeBSD {releaseCurrent}. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD. The {releaseType} distribution to which these release notes apply represents the latest point along the {releaseBranch} development branch since {releaseBranch} was created. Information regarding pre-built, binary {releaseType} distributions along this branch can be found at https://www.FreeBSD.org/releases/[]. The {releaseType} distribution to which these release notes apply represents a point along the {releaseBranch} development branch between {releasePrev} and the future {releaseNext}. Information regarding pre-built, binary {releaseType} distributions along this branch can be found at https://www.FreeBSD.org/releases/[]. This distribution of FreeBSD {releaseCurrent} is a {releaseType} distribution. It can be found at https://www.FreeBSD.org/releases/[] or any of its mirrors. More information on obtaining this (or other) {releaseType} distributions of FreeBSD can be found in the link:{handbook}mirrors[Obtaining FreeBSD appendix] to the link:{handbook}[FreeBSD Handbook]. 
All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with "late-breaking" information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD {releaseCurrent} can be found on the FreeBSD Web site. This document describes the most user-visible new or changed features in FreeBSD since {releasePrev}. In general, changes described here are unique to the {releaseBranch} branch unless specifically marked as MERGED features. Typical release note items document recent security advisories issued after {releasePrev}, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements. [[upgrade]] == Upgrading from Previous Releases of FreeBSD Binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the man:freebsd-update[8] utility. The binary upgrade procedure will update unmodified userland utilities, as well as unmodified GENERIC kernels distributed as a part of an official FreeBSD release. The man:freebsd-update[8] utility requires that the host being upgraded have Internet connectivity. Note that freebsd-update cannot be used to roll back to the previous release after updating to a new major version. Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in [.filename]#/usr/src/UPDATING#. 
There have been a number of improvements in the boot loaders, and upgrading the boot loader on the boot partition is recommended in most cases, in particular if the system boots via EFI. If the root is on a ZFS file system, updating the boot loader is mandatory if the pool is to be upgraded, and the boot loader update must be done first. Note that ZFS pool upgrades are not recommended for root file systems in most cases, but updating the boot loader can avoid making the system unbootable if the pool is upgraded in the future. The bootstrap update procedure depends on the boot method (EFI or BIOS), and also on the disk partitioning scheme. The next several sections address each in turn. Notes for systems that boot via EFI, using either binary or source upgrades: There are one or more copies of the boot loader on the MS-DOS EFI System Partition (ESP), used by the firmware to boot the kernel. The location of the boot loader in use can be determined using the command `efibootmgr -v`. The value displayed for `BootCurrent` should be the number of the current boot configuration used to boot the system. The corresponding entry of the output should begin with a `+` sign, such as +Boot0000* FreeBSD HD(1,GPT,f859c46d-19ee-4e40-8975-3ad1ab00ac09,0x800,0x82000)/File(\EFI\freebsd\loader.efi) nda0p1:/EFI/freebsd/loader.efi (null) The ESP may already be mounted on [.filename]#/boot/efi#. Otherwise, the partition may be mounted manually, using the partition listed in the `efibootmgr` output (`nda0p1` in this case): `mount_msdosfs /dev/nda0p1 /boot/efi`. See man:loader.efi[8] for another example. The value in the `File` field in the `efibootmgr -v` output, `\EFI\freebsd\loader.efi` in this case, is the MS-DOS name for the boot loader in use on the ESP. If the mount point is [.filename]#/boot/efi#, this file will translate to `/boot/efi/efi/freebsd/loader.efi`. (Case does not matter on MS-DOSFS file sytems; FreeBSD uses lower case.) 
Another common value for `File` would be `\EFI\boot\bootXXX.efi`, where `XXX` is `x64` for amd64, `aa64` for aarch64, or `riscv64` for riscv64; this is the default bootstrap if none is configured. Both the configured and default boot loaders should be updated by copying from [.filename]#/boot/loader.efi# to the correct path in [.filename]#/boot/efi#. For systems that boot via BIOS and use the GPT partition scheme, bootstrap upgrades are optional unless a ZFS root pool will be upgraded (which is discouraged). Upgrades are only possible if the `freebsd-boot` partition is at least 180K. (512K is now standard.) The device name and the partition index can be identified using the command `gpart show`, such as: => 34 246162605 ada0 GPT (224G) 34 1024 1 freebsd-boot (512K) When using ZFS, the bootcode can be updated by running the command `gpart bootcode -b /boot/pmbr -p /boot/gptzfsboot -i 1 ada0`. If updating with a UFS root, the bootcode can be updated by running the command `gpart bootcode -b /boot/pmbr -p /boot/gptboot -i 1 ada0`, although this should not be necessary. Note that the `freebsd-boot` partition size is running up against a hard limit, and this scheme may not be supportable in the future. Users of such systems should consider an upgrade to EFI, possibly by carving space from an existing swap partition. If the system boots via BIOS and uses the MBR partition scheme, or has a GPT `freebsd-boot` partition smaller than 180K, then it is not possible to update the bootcode, and therefore to upgrade the root ZFS storage pool. [IMPORTANT] ==== Upgrading FreeBSD should only be attempted after backing up _all_ data and configuration files. ==== [[security-errata]] == Security and Errata This section lists the various Security Advisories and Errata Notices since {releasePrev}. [[security]] === Security Advisories [.informaltable] [cols="1,1,1", frame="none", options="header"] |=== | Advisory | Date | Topic -|No advisories. 
-| -| +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-21:07.openssl.asc[FreeBSD-SA-21:07.openssl] +| 25 March 2021 +| Multiple vulnerabilities in OpenSSL + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:15.stdio.asc[FreeBSD-SA-23:15.stdio] +| 7 November 2023 +| libc stdio buffer overflow + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:16.cap_net.asc[FreeBSD-SA-23:16.cap_net] +| 8 November 2023 +| Incorrect libcap_net limitation list manipulation |=== [[errata]] === Errata Notices [.informaltable] [cols="1,1,1", frame="none", options="header"] |=== | Errata | Date | Topic -|No notices. -| -| +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:13.freebsd-update.asc[FreeBSD-EN-23:13.freebsd-update] +| 8 November 2023 +| man:freebsd-update[8] does not handle deep boot environments + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:14.regcomp.asc[FreeBSD-EN-23:14.regcomp] +| 8 November 2023 +| Incorrect regular expression escape handling |=== [[mfc-highlights]] == Significant changes merged into FreeBSD 13.1 and FreeBSD 13.2 FreeBSD 14.0 includes over two and a half years of development since the release of FreeBSD 13.0. Some of this work was cherry-picked into older development branches, and was included in FreeBSD 13 minor releases. For 64-bit architectures, the base system is built with Position Independent Executable (PIE) support enabled by default. It may be disabled using the `WITHOUT_PIE` knob. gitref:9a227a2fd642[repository=src] (Sponsored by Stormshield) There is a new `zfskeys` man:rc[8] service script, which allows for automatic decryption of ZFS datasets encrypted with ZFS native encryption during boot. The `zfskeys` startup script supports autoloading of keys stored on ZFS. See the man:rc.conf[5] manual page for more information. 
gitref:33ff39796ffe[repository=src], gitref:8719e8a951b7[repository=src], gitref:97aeda224356[repository=src] (Sponsored by Modirum and Klara Inc.) The `chroot` facility supports unprivileged operation, and the man:chroot[8] program has a `-n` option to enable its use. gitref:a40cf4175c90[repository=src] (Sponsored by EPSRC) man:md5sum[1] and similar message-digest programs compatible with those on Linux were added by having the corresponding BSD programs run with the `-r` option if the program name ends in `sum`. gitref:086feed850c3[repository=src] (Sponsored by Netflix) The use of FIDO/U2F hardware authenticators has been enabled in `ssh`, using the new public key types `ecdsa-sk` and `ed25519-sk`, along with corresponding certificate types. FIDO/U2F support is described in https://www.openssh.com/txt/release-8.2[https://www.openssh.com/txt/release-8.2]. gitref:e9a994639b2a[repository=src] (Sponsored by The FreeBSD Foundation) The man:igc[4] driver for the Intel I225 Ethernet controller has been added, supporting 2.5 Gbps operation. gitref:517904de5cca[repository=src] (Sponsored by Rubicon Communications, LLC ("Netgate")) The man:mgb[4] network interface driver has been added, with support for Microchip devices LAN7430 PCIe Gigabit Ethernet controller with PHY and LAN7431 PCIe Gigabit Ethernet controller with RGMII interface. The driver has a number of caveats and limitations, but is functional. gitref:e0262ffbc6ae[repository=src] (Sponsored by The FreeBSD Foundation) Two new daemons, man:rpc.tlsclntd[8] and man:rpc.tlsservd[8], are now built by default on amd64 and arm64. They provide support for NFS-over-TLS as described in the Internet Draft entitled "Towards Remote Procedure Call Encryption By Default". These daemons are built when WITH_OPENSSL_KTLS is specified. They use KTLS to encrypt/decrypt all NFS RPC message traffic, and provide optional verification of machine identity via X.509 certificates. 
gitref:2b9cbc85d727[repository=src] gitref:59f6f5e23c1a[repository=src] UEFI firmware boot compatibility is improved for amd64. See the man:loader.efi[8] `amd64 Nocopy` section for more detailed information. gitref:f75caed644a5[repository=src](Sponsored by https://www.freebsdfoundation.org[The FreeBSD Foundation]) Boot time performance improvements have been made to many kernel subsystems. (Sponsored by https://www.patreon.com/cperciva[https://www.patreon.com/cperciva]) man:nvme[4] error handling has been significantly improved. The handling of the lowest address on an IPv4 (sub)net (host 0) has been changed so that packets are not sent as a broadcast unless this address has been set as the broadcast address. This makes the lowest address usable for a host. The old behavior can be restored with the `net.inet.ip.broadcast_lowest` sysctl. See https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-lowest-address/[https://datatracker.ietf.org/doc/draft-schoen-intarea-unicast-lowest-address/] for background information. gitref:fd0765933c3c[repository=src] The man:growfs[7] startup script will now add a swap partition while expanding the root file system if possible, and if one did not previously exist. This is primarily useful when installing on an SD card using a raw image. A new man:rc.conf[5] variable has been added, `growfs_swap_size`, which can control the addition if necessary. See man:growfs[7] for details. A new RC script, `zpoolreguid` has been added, which will assign a new GUID to one or more zpools, useful for virtualization environments when sharing datasets. The `hostid` startup script will now generate a random (version 4) UUID if there is no [.filename]#/etc/hostid# file and no valid UUID from hardware. Also, if there is no [.filename]#/etc/machine-id# file, the `hostid_save` script will store a compact version of the hostid (one without hyphens) in [.filename]#/etc/machine-id#. This file is used by libraries such as GLib. 
gitref:62a149bf6219[repository=src] gitref:862aab6281a5[repository=src] gitref:baf1e9713969[repository=src] gitref:ecad3f5c4d92[repository=src] gitref:d6852eed98ed[repository=src] It is now possible to add default routes for FIBs other than the primary by using the `defaultrouter_fibN` and `ipv6_defaultrouter_fibN` man:rc.conf[5] variables. gitref:30659d1dcbcc[repository=src] (Sponsored by ScaleEngine Inc.) The man:bhyve[8] utility has gained virtio-input device emulation support. This can be used to inject keyboard/mouse input events into a guest. The command line syntax is: `-s ,virtio-input,/dev/input/eventX`. gitref:054accac71e0[repository=src] The man:kdump[1] utility has gained support for decoding Linux system calls. An man:nproc[1] utility has been added, compatible with the Linux program of the same name. The man:uuidgen[1] utility has a new option `-r` to generate a random UUID, version 4. gitref:f176fe8e7f63[repository=src] The man:bhyve[8] hypervisor and kernel module man:vmm[4] now support more than 16 vCPUs in a guest. By default bhyve permits each guest to create the same number of vCPUs as the count of physical CPUs on the host. This limit can be adjusted via the loader tunable `hw.vmm.maxcpu`. gitref:ee98f99d7a68[repository=src] Address Space Layout Randomization (ASLR) is enabled for 64-bit executables by default. It can be disabled as needed if applications fail unexpectedly, for example with segmentation faults. To disable for a single invocation, use the man:proccontrol[1] command: `proccontrol -m aslr -s disable command`. To disable ASLR for all invocations of a binary, use the man:elfctl[1] command: `elfctl -e +noaslr file`. Problems should be reported via the problem reporting system, https://bugs.freebsd.org[], or posting to the `freebsd-stable@FreeBSD.org` mailing list. gitref:b014e0f15bc7[repository=src] (Sponsored by Stormshield) LLVM's AddressSanitizer can be used in amd64 kernels. See the man:kasan[9] manual page for more information. 
gitref:38da497a4dfc[repository=src] (Sponsored by The FreeBSD Foundation) A workaround has been implemented for a hardware page invalidation problem on Intel Alder Lake (twelfth generation) and Raptor Lake (thirteenth generation) hybrid CPUs. The bug can lead to file system corruption with UFS and MSDOSFS, and probably other memory corruption. The slower cores (E-cores) automatically use a slower method of page invalidation with the workaround. gitref:cde70e312c3f[repository=src] (Sponsored by The FreeBSD Foundation) The state of the arm64 man:linux[4] ABI was brought to parity with the amd64 man:linux[4] ABI. gitref:ccc510b46340[repository=src], gitref:9931033bbfbe[repository=src] In order to facilitate ABI compatibility of `stable` branches, the CPU affinity system calls are now more tolerant of CPU sets that are smaller than used by the kernel. This will facilitate increases to the size of the kernel set, `MAXCPU`. gitref:47a57144af25[repository=src] gitref:f35093f8d6d8[repository=src] (Sponsored by Juniper Networks, Inc.) It is now possible to take snapshots on UFS filesystems when running with journaled soft updates. Thus it is now possible to do background dumps on live filesystems running with journaled soft updates. Background dumps are requested by using the `-L` flag to man:dump[8]. (In previous releases UFS snapshots were incompatible with journaled soft updates.) gitref:78f412987605[repository=src] (Sponsored by The FreeBSD Foundation) The kernel man:wg[4] WireGuard driver has been reintegrated; it provides Virtual Private Network (VPN) interfaces using the WireGuard protocol. gitref:744bfb213144[repository=src] (Sponsored by Rubicon Communications, LLC ("Netgate") and The FreeBSD Foundation) KTLS (the kernel TLS implementation) has added receive offload support for TLS 1.3. Receive offload is now supported for TLS 1.1 through 1.3; send offload is supported for TLS 1.0 through 1.3. 
gitref:05a1d0f5d7ac[repository=src] (Sponsored by Netflix) Radix tables and lookups are now supported for MAC addresses in man:ipfw[4]. This allows MAC address tables to be constructed and used for filtering. gitref:81cac3906eb9[repository=src] //// // Sample release notes entry. The man:fsck_msdosfs[8] utility includes a variety of enhancements, including reducing the memory footprint, a new flag, `-M`, which disables the use of man:mmap[2], and others. gitref:9708ba9f29[repository=src] //// [[releaseCurrent-highlights]] == Changes new to {releaseCurrent} [[userland]] == Userland This section covers changes and additions to userland applications, contributed software, and system utilities. [[userland-config]] === Userland Configuration Changes The default shell for the root user is now man:sh[1], which has many new features for interactive use. gitref:d410b585b6f0[repository=src] The default mail transport agent (MTA) is now the Dragonfly Mail Agent (man:dma[8]) rather than man:sendmail[8]. Configuration of the MTA is done via man:mailer.conf[5]. man:sendmail[8] and its configuration remain available. gitref:a67b925ff3e5[repository=src] The `mta_start_script` configuration variable has been retired from man:rc.conf[5], along with the `othermta` startup script. gitref:616f32ea6da7[repository=src] man:jail[8] now supports `.include` directives in man:jail.conf[5] files, with support for filename globbing. gitref:e82a62943529[repository=src] The one-time password facility OPIE, man:opie[4], has been removed from the base system. If you still wish to use it, install the package:security/opie[] port. Otherwise, make sure to remove or comment out any mention of `pam_opie` and `pam_opieaccess` from your PAM policies. man:etcupdate[8] will normally take care of this for the stock policies. gitref:0aa2700123e2[repository=src] The `SHARED_TOOLCHAIN` build configuration option has been removed. 
Building a statically-linked toolchain is still possible using the general `NO_SHARED` option. gitref:77f6be448408[repository=src] (Sponsored by The FreeBSD Foundation) Locale handing has been upgraded to CLDR 41.0 and Unicode 14.0. gitref:e87ec409fa9b[repository=src] The layout configuration has been added for the new French bépo keyboard (version 1.1rc2) normalized by French national organization for standardization as "NF Z71‐300". gitref:abdcd967dc0c[repository=src] An `rc.d` script (see man:rc[8]) is now allowed to have a `status` method even if it does not define `procname` or have a PID file. gitref:2651609fcbd7[repository=src] [[userland-programs]] === Userland Application Changes The man:base64[1] utility has been added. gitref:540a99289bb1[repository=src] The man:bhyve[8] hypervisor now has optional TPM (Trusted Platform Module) passthrough support. This is not direct access, but commands from the guest are forwarded to the physical TPM. gitref:67c26eb2a57c[repository=src] GPU passthrough has been improved in man:bhyve[8] for AMD and Intel GPUs. This is a work in progress; passthrough does not work in all cases, and the configuration is not yet documented. The man:cpuset[1] utility has been moved from [.filename]#/usr/bin# to [.filename]#/bin# so that it is always available during startup processing. [.filename]#/usr/bin/cpuset# is now a symbolic link. gitref:f05948d4e98d[repository=src] The man:date[1] utility now has a `-z` option for timezone conversion. gitref:31edf56b1571[repository=src] The man:diff[1] utility now supports a `--color` option for colorized output. gitref:f38702e5a52e[repository=src] The deprecated man:fmtree[8] utility has been removed. gitref:e4d63c5d5ff8[repository=src] man:freebsd-update[8] now documents that files under [.filename]#/var/db/freebsd-update# may be deleted if an upgrade is not in progress and rollback will not be required. 
gitref:80b003e81684[repository=src] (Sponsored by The FreeBSD Foundation) A new man:fwget[8] utility inspects the system for peripherals that need firmware, and installs the appropriate packages for them. For now, only the PCI subsystem is supported, and only video firmware for Intel and AMD GPUs is known. gitref:d198b8774d2c[repository=src] gitref:d198b8774d2c[repository=src] (Sponsored by Beckhoff Automation GmbH & Co. KG) The usability of man:head[1] and man:tail[1] has been improved by consistently supporting the `-q` and `-v` options, allowing numbers with SI suffixes, and removing the 2^31 limit on lines for man:head[1]. gitref:643ac419fafb[repository=src] man:makefs[8] now has experimental ZFS support. It can create a ZFS pool, backed by a single disk vdev, containing one or more datasets populated from the staging directory. gitref:240afd8c1fcc[repository=src] (Sponsored by The FreeBSD Foundation) The man:minigzip[1] utility has been removed. gitref:278d080bad9F[REPOSITory=src] The man:mandoc[1] utility has a workaround for lack of macro processing in list `-width` handling, resulting in more accurate widths for list columns. gitref:bbb2d2ce4220[repository=src] (Sponsored by Dell EMC Isilon) The man:mixer[8] utility no longer tries to guess whether a volume is absolute or a percent. It now accepts a percentage with `%` appended, otherwise a volume is absolute. gitref:4014365e4219[repository=src] The `netcat` utility man:nc[1] can now be an `if_tun` (man:tun[4]) broker. gitref:cef7ab70ff44[repository=src] (Sponsored by Zenarmor) (Sponsored by OPNsense) (Sponsored by Klara, Inc.) The man:netstat[1] utility now computes correct column widths with the `-i` option, making the `-w` option unnecessary. gitref:372e3d561d82[repository=src] The man:portsnap[8] utility has been removed. Users are encouraged to fetch the ports tree by using `pkg install git` and then `git clone \https://git.FreeBSD.org/ports.git /usr/ports`. 
gitref:df53ae0fdd98[repository=src] The man:pw[8] and man:bsdinstall[8] programs now create home directories for users in [.filename]#/home# by default rather than [.filename]#/usr/home#. The default symbolic link for [.filename]#/home#, referencing [.filename]#/usr/home#, is no longer created. gitref:bbb2d2ce4220[repository=src] The man:sleep[1] utility now accepts units other than seconds, and accepts multiple delay values that are summed (for example, `1h 30m`). gitref:34978f7edd15[repository=src] gitref:be038c3afcae[repository=src] The man:sockstat[1] utility is now run in a sandbox with capsicum. gitref:94dc57159532[repository=src] gitref:c5a2d8c5f517[repository=src] The man:systat[1] utility has a new command, `iolat`, which reports I/O latencies computed by the CAM I/O scheduler. gitref:22054f88914b[repository=src] (Sponsored by Netflix) A new utility, man:tcpsso[8], is able to apply a socket option to an existing TCP endpoint, for example changing the congestion control module or the TCP stack. gitref:881631a2a371[repository=src] (Sponsored by Netflix) The Telnet daemon, man:telnetd[8], has been removed. A port is available if necessary, package:net/freebsd-telnetd[]. The client is not affected. gitref:0eea46fb1f83[repository=src] The `PROFILE` option is disabled by default, thus profiled versions of system libraries are not provided. Hardware-based profiling (e.g. man:hwpmc[4]) is preferred. gitref:fe52b7f60ef4[repository=src] (Sponsored by The FreeBSD Foundation) Compressed debug sections in binaries are enabled by default on little-endian targets. gitref:47363e99d3d3[repository=src] (Sponsored by The FreeBSD Foundation) //XXX This belongs in a "build" section, maybe with the preceding 3 items. Configuration has been added to produce armv7 distribution sets, which can be useful in building jails on arm64. 
gitref:ac099daf6742[repository=src] [[userland-contrib]] === Contributed Software One True Awk (man:awk[1]) has been updated to 20210727, which is 1st edition. (2nd edition will be included in {releaseNext}.) All the FreeBSD patches but one have now been either up-streamed or discarded. Notable changes include: locale is no longer used for ranges; better compatibility with `gawk` and `mawk`. Note that hex strings are interpreted as numbers as in earlier FreeBSD versions. This will change in FreeBSD 15 to agree with upstream and current POSIX standards. gitref:f39dd6a97844[repository=src] gitref:23f24377b1a9[repository=src] gitref:628bd30ab5a4[repository=src] The man:bc[1] and man:dc[1] commands have been updated to version 6.6.0, which fixes a problem with line editing and complex scripts with multiple read() commands, and adds some functions to bc's (non-standard) extended math library. `libbsdxml` (`expat`, man:libbsdxml[3]) has been upgraded to version 2.4.7. gitref:7ed8e142a00d[repository=src] `libfido2` has been upgraded to version 1.13.0. gitref:f540a43052c1[repository=src] gitref:3e696dfb7009[repository=src] gitref:95321fff46ec[repository=src] (Sponsored by The FreeBSD Foundation) The man:llvm-objdump[1] utility is now always installed as man:objdump[1]. gitref:86edb11e7491[repository=src] (Sponsored by The FreeBSD Foundation) OpenSSH has been upgraded to version 9.5p1. Full release notes are at https://www.openssh.com/txt/release-9.5[]. gitref:676824f5cdf9[repository=src] (Sponsored by The FreeBSD Foundation) The man:scp[1] utility now defaults to the SFTP protocol, rather than the legacy scp/rcp protocol. This removes the need for double-quoting wildcard expansion characters. gitref:fb5aabcb990b[repository=src] (Sponsored by The FreeBSD Foundation) RSA/SHA-1 signatures are now disabled by default in man:ssh[1]. It is possible to enable them on a per-host basis in a user's [.filename]#~/.ssh/config# file. 
gitref:8c22023ca5e1[repository=src] (Sponsored by The FreeBSD Foundation) The `VerifyHostKeyDNS` option for man:ssh[1] now defaults to `no`, following the OpenSSH distribution. The `X11Forwarding` option also defaults to `no`. gitref:41ff5ea22cb9[repository=src] gitref:77934b7a1301[repository=src] (Sponsored by The FreeBSD Foundation) HPN option handling has been removed from OpenSSH. HPN support was deprecated long ago, but the configuration options were still accepted (and ignored) for backwards compatibility. gitref:348bea10b6f2[repository=src] (Sponsored by The FreeBSD Foundation) The `VersionAddendum` option has been removed from the man:ssh[1] client. gitref:bffe60ead024[repository=src] (Sponsored by The FreeBSD Foundation) OpenSSL has been upgraded to version 3.0.12. This is a major upgrade from version 1.1.1, which has reached its end of life. Many components of the base system use a backward-compatible API, but will be migrated later. gitref:aa7957345732[repository=src] gitref:930cec16d9ee[repository=src] gitref:b077aed33b7b[repository=src] (Sponsored by The FreeBSD Foundation) `tcpdump` has been upgraded to version 4.99.4. gitref:ee67461e5682[repository=src] gitref:171a7bbfc048[repository=src] gitref:1ad8d2ee1f7d[repository=src] (Sponsored by The FreeBSD Foundation) `libpcap` has been upgraded to version 1.10.4. gitref:6f9cba8f8b5e[repository=src] gitref:dd744a896be3[repository=src] (Sponsored by The FreeBSD Foundation) `xz` has been upgraded to version 5.4.3. `zlib` has been upgraded to version 1.3. `zstd` has been upgraded to version 1.5.2. (Sponsored by Klara, Inc) [[userland-deprecated-programs]] === Deprecated Applications man:mergemaster[8] has been deprecated. Its replacement is man:etcupdate[8]. gitref:398b12691b4f[repository=src] (Sponsored by The FreeBSD Foundation) [[userland-libraries]] === Runtime Libraries and API The `libncursesw` library (see man:ncurses[3X]) has been split into `libtinfow` and `libncursesw`. 
Linker scripts should make this transparent for consumers. man:pkg-config[8] files are now installed, to ease ports detecting the `ncurses` setup from base. gitref:396851c20aeb[repository=src] The man:ncurses[3X] library is now able to use man:terminfo[5] as well as man:termcap[5], and uses terminfo preferentially. gitref:61f66a1f4403[repository=src] The default search path for terminfo databases in man:ncurses[3X] now includes [.filename]#/usr/local/share/terminfo#, facilitating the use of a database from ports or packages. gitref:b75fb12b6827[repository=src] The prototype of man:qsort_r[3] has been modified to match POSIX, which adopted the glibc-based interface. gitref:af3c78886fd8[repository=src] The `COMPAT_LIB32` build option has been implemented for aarch64 (arm64) and is enabled by default. This provides armv7 32-bit-compatible libraries and header files for arm64 systems for building and running most armv7 32-bit binaries. gitref:f1d5183124d3[repository=src] gitref:d5d97bed4ab6[repository=src] gitref:a1b675731301[repository=src] [[cloud]] == Cloud Support This section covers changes in support for cloud environments. FreeBSD now provides experimental ZFS-root EC2 AMIs on AWS. (Sponsored by https://www.patreon.com/cperciva[]) FreeBSD now provides experimental cloud-init EC2 AMIs on AWS. See the package:net/cloud-init[] port for information. (Sponsored by https://www.patreon.com/cperciva[]) FreeBSD now provides arm64 as well as amd64 images for Azure. Both UFS and experimental ZFS images are available. Gen2 VMs are now supported. (Sponsored by The FreeBSD Foundation) (Sponsored by Microsoft) The Microsoft Azure Network Adapter (MANA) VF (virtual function) is now supported. gitref:ce110ea12fce[repository=src] (Sponsored by Microsoft) The Google Virtual NIC (man:gve[4]) is now supported. 
gitref:54dfc97b0bd9[repository=src] (Sponsored by Google) [[kernel]] == Kernel This section covers changes to kernel configurations, system tuning, and system control parameters that are not otherwise categorized. [[kernel-general]] === General Kernel Changes The SMP system now supports up to 1024 cores on amd64 and arm64. Many kernel CPU sets are now dynamically allocated to avoid consuming excessive memory. The kernel cpuset ABI has been updated to support the higher limit. gitref:76887e84be97[repository=src] gitref:d1639e43c589[repository=src] gitref:9051987e40c5[repository=src] gitref:e0c6e8910898[repository=src] (Sponsored by The FreeBSD Foundation) The ACPI system now supports the `_CR3` critical standby (`S3`) threshold. gitref:b8a0dfb17e3b[repository=src] The `acpi_timer_test` is disabled by default, forcing the use of ACPI-fast rather than ACPI-safe, and speeding the boot process. The broken-ACPI-timers workaround can be re-enabled by setting the `hw.acpi.timer_test_enabled=1` tunable. If timekeeping issues are observed, please test with `hw.acpi.timer_test_enabled=1` in man:loader.conf[8] and report if that fixes the problem. gitref:a8b89dff6ac0[repository=src] man:boottrace[4] is a new kernel-userspace interface for capturing trace events during system boot and shutdown. Event annotations are present in the boot and shutdown paths in the kernel; system utilities (man:init[8], man:shutdown[8], man:reboot[8]); and man:rc[8] scripts (via man:boottrace[8]). man:boottrace[4] focuses on ease of use and is aimed primarily at system administrators. It is available in the default `GENERIC` kernel and can be enabled by toggling a man:sysctl[8] variable. gitref:da5b7e90e740[repository=src] gitref:5a8fceb3bd9f[repository=src] gitref:7b0a665d72c0[repository=src] gitref:13ec1e3155c7[repository=src] gitref:318d0db5fe8a[repository=src] gitref:1ae2c59bcf21[repository=src] (Sponsored by NetApp, Inc.) 
(Sponsored by Klara, Inc) Support has been added to the kernel crypto for the XChaCha20-Poly1035 AEAD cipher. gitref:8f35841f1f35[repository=src] (Sponsored by The FreeBSD Foundation) An API has been added to the kernel crypto for curve25519. gitref:0c6274a819ff[repository=src] (Sponsored by The FreeBSD Foundation) FreeBSD can now run inside the Firecracker VMM via the amd64 `FIRECRACKER` kernel configuration. gitref:469ad8603127[repository=src] (Sponsored by https://www.patreon.com/cperciva[]) FreeBSD now reboots faster. The `kern.reboot_wait_time` sysctl has been added to control the delay before rebooting after printing all kernel messages on the console. It defaults to 0. Setting it to 1 restores the previous behavior (1 second delay). gitref:84ec7df0d796[repository=src] (Sponsored by https://www.patreon.com/cperciva[]) A new DTrace provider, `kinst`, has been added; see man:dtrace_kinst[4]. The provider allows kernel instructions to be traced, similar to the FBT (function boundary tracing) provider except that all instructions may be probed instead of just logical entry and return instructions. gitref:f0bc4ed144fc[repository=src] (Sponsored by Google, Inc. via GSoC 2022) `kinst` was ported to arm64 and riscv. gitref:07864a8a2466[repository=src] gitref:2d7bb03adb43[repository=src] (Sponsored by The FreeBSD Foundation) LLVM's MemorySanitizer can now be used in amd64 kernels. See the man:kmsan[9] manual page for more information. gitref:a422084abbda[repository=src] (Sponsored by The FreeBSD Foundation) LLVM's AddressSanitizer can now be used in arm64 kernels as well as amd64. See the man:kasan[9] manual page for more information. gitref:89c52f9d59fa[repository=src] (Sponsored by Juniper Networks, Inc.) (Sponsored by Klara, Inc.) Support for asymmetric cryptographic operations has been removed from the kernel open cryptographic framework (OCF), as they are not used by modern OpenSSL versions. 
gitref:76681661be28[repository=src] A native man:timerfd[2] facility has been added to facilitate porting Linux programs that use timerfd. Previously, timerfd was only available under Linux emulation. For programs written only for FreeBSD, the man:kqueue[2] EVFILT_TIMER filter is preferred for establishing arbitrary timers. gitref:af93fea71038[repository=src] The process visibility policy controlled by the `security.bsd.see_jail_proc` man:sysctl[8] knob was hardened by preventing unauthorized users from attempting to kill, change priority of or debug processes with same (real) UID in a sub-jail at random, which, provided the PID of such a process is guessed correctly, would succeed even if these processes are not visible to them. It was also made overridable by MAC policies, as are the other process visibility policies. gitref:7e21c691f295[repository=src] gitref:63c01c18a8d3[repository=src] (Sponsored by Kumacom, SAS) (Sponsored by The FreeBSD Foundation) The process visibility policy controlled by the `security.bsd.see_other_gids` man:sysctl[8] knob was fixed to consider the real group of a process instead of its effective group when determining whether the user trying to access the process is a member of one of the process' groups. The rationale is that some user should continue to see processes it has launched even when they acquire further privileges by virtue of the setgid bit, whereas they should not see processes launched by a privileged user that temporarily enters the user's primary group. This new behavior is consistent with what `security.bsd.see_other_uids` has always been doing for user IDs (i.e., considering some process' real user ID and not the effective ID). gitref:26ff4836c888[repository=src] (Sponsored by Kumacom, SAS) (Sponsored by The FreeBSD Foundation) The Zenbleed bug affecting AMD Zen2 processors is now automatically mitigated (via chicken bit), preventing misbehavior and data leaks on affected machines. 
If needed, applying the mitigation can be manually controlled via the `machdep.mitigations.zenbleed.enable` man:sysctl[8] knob. Please consult the new man:mitigations[7] manual page for more information. gitref:aea76bab1416[repository=src] (Sponsored by The FreeBSD Foundation) [[drivers]] == Devices and Drivers This section covers changes and additions to devices and device drivers since {releasePrev}. [[drivers-device]] === Device Drivers The default speed for serial communication in boot loaders, kernel, and userland is now 115200 bps. Note that the early x86 BIOS bootloader (i.e., `boot0sio`) does not support rates above 9600 bps and is not changed. `boot0sio` users may set BOOT_COMCONSOLE_SPEED=9600 to use 9600 for all of the boot components, or use the standard `boot0` and have the `boot2` stage start with the serial port at 115200. gitref:4722ceb7d53e[repository=src] (Sponsored by The FreeBSD Foundation) The default bell tone is now 800Hz. It can be set with man:kbdcontrol[1] again. There is integration with man:devd[8] for people wishing to use their sound cards for the beep. gitref:ba48d52ca6c8[repository=src] gitref:4ac3d08a9693[repository=src] gitref:2533eca1c2b9[repository=src] (Sponsored by Netflix) When using the default man:vt[4] console, the audible bell is no longer enabled by default. It can be enabled with these commands: `sysctl kern.vt.enable_bell=1` and `kbdcontrol -b normal`. gitref:225639e7db68[repository=src] Improvements have been made in DPAA2 (second generation Data Path Acceleration Architecture -- a hardware-level networking architecture found in some NXP SoCs). It runs NXP-supplied firmware which provides DPAA2 objects as an abstraction layer, and provides a `dpni` network interface. Separation between DPAA2 channels has been improved significantly in order to isolate access to the DMA resources and cleanup operations, and avoid kernel panics under heavy network load (1 Gbit/s links). 
Other improvements include FDT/ACPI MDIO support, netboot over DPAA2 and separate command portals (DPMCP) support. Support for the Arm Corelink DMC-620 Memory Controller, and the CMN-600 Coherent Mesh Network Controller, have been added to man:hwpmc[4] and `libpmc`. See man:pmc.dmc-620[3] and man:pmc.cmn-600[3]. gitref:1459a22787ea[repository=src] gitref:59191f3573f6[repository=src] (Sponsored by ARM) (Sponsored by Ampere Computing) A fix has been implemented for frame buffer addressing that affects frame buffers mapped above 4 GB physical on i386 and Book-E powerpc. gitref:a78bb831a17f[repository=src] The man:iwlwifi[4] driver for Intel wireless interfaces has been updated to the latest version, supporting chipsets up to WiFi 6E AX411/AX211/AX210, and with preparations for upcoming BX and SC chipsets. (Sponsored by The FreeBSD Foundation) The man:rtw88[4] driver for Realtek wireless PCI interfaces has been updated. A kvm_clock driver has been added for the KVM paravirtualized clock. gitref:6c69c6bb4c7f[repository=src] (Sponsored by Juniper Networks, Inc.) (Sponsored by Klara, Inc.) There have been stability fixes and enhancements to the KPI to support Linux device drivers, along with the net80211 layer for wireless drivers. (Sponsored by The FreeBSD Foundation) NVMe disks are now `nda` devices by default, for example `nda0`; see man:nda[4]. Symbolic links for the previous man:nvd[4] device names are created in [.filename]#/dev#. However, configuration such as man:fstab[5] should be updated to refer to the new device names. Options to control the use of `nda` devices and symbolic links are described in man:nda[4]. gitref:bdc81eeda05d[repository=src] (Sponsored by Netflix) The previous man:qat[4] driver has been replaced with Intel's QAT driver. The new version provides additional interfaces to the chipset's cryptographic and compression offload functionality. 
This will have no visible change for most users; however, the new driver does not support Atom C2000 chipsets. To preserve support for those chipsets, the old driver has been renamed to `qat_c2xxx`. Users of man:qat[4] on C2000 hardware will thus need to ensure that man:qat_c2xxx[4] is loaded instead of man:qat[4]. gitref:78ee8d1c4cda[repository=src] gitref:f4f56ff43dbd[repository=src] (Sponsored by Intel Corporation) [[drivers-removals]] === Deprecated and Removed Drivers The man:pms[4] driver, `pmspcv`, has been removed from the `GENERIC` kernel configurations for x86, as it was large and uncommonly used. It can be loaded as a module by placing `pmspcv_load="YES"` in man:loader.conf[5]. gitref:95e4f5ef7cce[repository=src] (Sponsored by Rubicon Communications, LLC ("Netgate")) The VESA option has been removed from the x86 `GENERIC` and `MINIMAL` kernel configurations. It is still available as a kernel module. VESA is not used by the default console, man:vt[4]. gitref:777526ed8382[repository=src] gitref:b8cf1c5c30a5[repository=src] (Sponsored by The FreeBSD Foundation) Drivers for ISA sound cards have been removed. gitref:92e6b4712b53[repository=src] gitref:df51e63eb5d7[repository=src] gitref:aa83e9b189d6[repository=src] gitref:754decef384a[repository=src] gitref:5126e5eeeb5e[repository=src] gitref:716924cb4832[repository=src] gitref:9054e296819f[repository=src] (Sponsored by The FreeBSD Foundation) The AHB bus front end has been removed from man:ath[4], as it was used only by MIPS. gitref:37c8ee8847fa[repository=src] The deprecated man:amr[4] driver has been removed. gitref:60de2867c9fc[repository=src] (Sponsored by Netflix) The obsolete man:iscsi_initiator[4] has been removed. Its replacement, man:iscsi[4], was introduced several major releases ago. gitref:48cb3fee2586[repository=src] (Sponsored by The FreeBSD Foundation) The deprecated man:iir[4] driver has been removed. 
gitref:399188a2c60c[repository=src] (Sponsored by Netflix) The deprecated man:mn[4] sync serial driver has been removed. gitref:0cff00ae682a[repository=src] (Sponsored by The FreeBSD Foundation) The deprecated man:mly[4] driver has been removed. gitref:a9620045a5b9[repository=src] (Sponsored by Netflix) The deprecated man:nlmrsa[4] driver has been removed. gitref:6a06b00a0d1f[repository=src] (Sponsored by Chelsio Communications) The deprecated man:twa[4] driver has been removed. gitref:8722e05ae149[repository=src] (Sponsored by Netflix) [[storage]] == Storage This section covers changes and additions to file systems and other storage subsystems, both local and networked. [[storage-general]] === General Storage man:gconcat[8] and its kernel support now have the ability to append devices to the concatenated device that were not present when the gconcat device was created. gitref:d575e81fbcfa[repository=src] A new man:gunion[8] utility tracks changes to a read-only disk on a writable disk. This can be useful for making tentative changes to the disk, such as file system repairs or software upgrades, and then either committing or reverting them. gitref:c7996ddf8000[repository=src] (Sponsored by Netflix) In the course of debugging and resolving a problem with vnode recycling in the generic file system code, sysctls for vnode-related statistics have been grouped under `vfs.vnode` for greater visibility. gitref:d3e647891243[repository=src] [[storage-nfs]] === NFS Changes NFS now supports running an NFS server in a VNET jail, including man:nfsd[8], man:nfsuserd[8], man:mountd[8], man:gssd[8], and man:rpc.tlsservd[8]. The VNET jail must be on its own file system, have the `allow.nfsd` jail parameter set, and `enforce_statfs` cannot be set to `0`. Use of UDP and pNFS server configurations is not permitted. 
gitref:7344856e3a6d[repository=src] and many others For NFSv4 mounts, the NFS client now uses the highest minor version of NFSv4 supported by the NFS server by default instead of minor version 0. The `minorversion` mount option may be used to override this default. gitref:a145cf3f73c7[repository=src] The FreeBSD NFS client can now be set to use a 1 Mbyte I/O size via the `vfs.maxbcachebuf` tunable; the Linux NFS client can also do 1 Mbyte I/O. The value of `kern.ipc.maxsockbuf` will need to be increased to do this. A console message will suggest a setting for it. Note that the maximum I/O size for the FreeBSD NFS server can be increased to any power of 2 up to 1 Mbyte using the sysctl `vfs.nfsd.srvmaxio` while man:nfsd[8] is not running. gitref:ee29e6f31111[repository=src] The NFSv4.1/4.2 client and server will now generate console messages if sessions are broken, suggesting that users check to ensure that the values in [.filename]#/etc/hostid# strings are unique for all NFSv4.1/4.2 clients. gitref:b875d4f5ddcb[repository=src] gitref:0685c73cfe88[repository=src] NFSv4.1/4.2 mounts with the `intr` mount option are now fairly usable, although not 100% correct, so long as the `nolockd` mount option is used as well. See the man:mount_nfs[8] manual page for more information. gitref:981ef32230b2[repository=src] gitref:33721eb991d8[repository=src] A new `syskrb5` mount option is availble for Kerberized NFSv4.1/4.2 mounts. A feature of NFSv4.1/4.2 is used to provide `AUTH_SYS` authentication, and thus no Kerberos credential is required at mount time. See man:mount_nfs[8]. gitref:896516e54a8c[repository=src] Support for `SP4_MACH_CRED` has been added in NFS mount protocol in the NFS server. That facility is used by the Linux NFSv4.1/4.2 client for Kerberized mounts. It was handled by a fallback in the past, but is now supported directly. 
gitref:330aa8acdec7[repository=src] gitref:ff2f1f691cdb[repository=src] [[storage-ufs]] === UFS Changes It is now possible to perform background file system checks using a snapshot on UFS file systems running with journaled soft updates. (Sponsored by The FreeBSD Foundation) Superblocks, cylinder group maps, and inodes have had check hashes added to detect corruption. Far more extensive checks are made of the superblock (120) and cylinder groups (20) than just the magic number check done previously. (Sponsored by The FreeBSD Foundation) The man:libufs[3] library has been updated to include these checks so that they are now done by all the filesystem utilities. The checks are implemented in one kernel file that is also included by libufs. Another change to libufs is that the code to find alternate superblocks has been moved from man:fsck_ffs[8] into the shared file so it is now available in the kernel loader as well as all the filesystem utilities. (Sponsored by The FreeBSD Foundation) [[storage-zfs]] === ZFS Changes OpenZFS has been upgraded to version 2.2. New features include: * block cloning, which allows shallow copies of blocks in file copies. This is optional, and disabled by default; it can be enabled with `sysctl vfs.zfs.bclone_enabled=1`. * scrub error log (`zpool scrub -e`) * BLAKE3 checksums, which are fast, and are now the recommended secure checksums * corrective `zfs receive` can heal corrupted data * vdev and zpool user properties, similar to dataset user properties. Performance improvements include: * fully adaptive ARC, a unified ARC that minimizes the need for manual tuning * zstd early abort, improving efficiency with uncompressible data * I/O prefetch improvements * general optimization. ZFS has been enabled on 32-bit powerpc/powerpcspe. gitref:63715498ac6b[repository=src] [[storage-other]] === Other Storage Changes The man:msdosfs[5] file system now records available directory entries in the root directory of FAT12 and FAT16 file systems (e.g. 
EFI boot partitions) and reports them as inodes. gitref:c33db74b5323[repository=src] The man:msdosfs[5] file system now correctly calculates the available and used blocks of FAT12 and FAT16 file systems, and no longer rejects mounting file systems created using valid but uncommon parameters. gitref:0728695c63e[repository=src] The synthetic file systems (man:devfs[5], man:procfs[5], etc.) now report 0 blocks used so that they are not reported as 100% full. gitref:88a795e80c03f[repository=src] The man:tarfs[5] file system has been added, which is backed by POSIX tar archives optionally compressed with man:zstd[1]. gitref:69d94f4c7608[repository=src] (Sponsored by Juniper Networks, Inc.) (Sponsored by Klara, Inc.) [[boot]] == Boot Changes This section covers the boot loader, boot menu, and other boot-related changes. [[boot-loader]] === Boot Loader Changes The lua-flavored man:loader[8] will now interpret [.filename]#.lua# files that appear in `loader_conf_files` as lua, and execute them in a sandbox. Existing loader environment variables are available as globals in the sandbox, and any global variable set, if not a table value, will be reflected in the loader environment upon successful execution of the configuration file. Environment variables with names that aren't valid lua names may be accessed as indices of `_ENV`; e.g., `_ENV['net.fibs']`. gitref:3cb2f5f369ec[repository=src] EC2 instances now boot using UEFI where available, substantially speeding the boot process. gitref:b43d7aa09b3c[repository=src] gitref:bcf9147144f3[repository=src] (Sponsored by https://www.patreon.com/cperciva[]) [[network]] == Networking This section describes changes that affect networking in FreeBSD. [[network-general]] === General Network man:carp[4] now supports configuration of the address to which carp messages are sent, allowing the use of unicast addresses. This is useful in certain virtual configurations. See man:carp[4] and man:ifconfig[8]. 
gitref:137818006de5[repository=src] Layer 3 filtering on man:if_bridge[4] will do surprising things which aren't fail-safe, so `net.link.bridge.pfil_member` and `net.link.bridge.pfil_bridge` now default to zero. gitref:22893e584032[repository=src] man:netlink[4] is a user/kernel communication protocol defined in RFC 3549 and used primarily for network configuration. It has been expanded, improved, and enabled by default. A number of network configuration utilities have been converted to use netlink. gitref:3091d980f581[repository=src] The deprecated `NgATM` (netgraph ATM support) and remaining ATM support have been removed. The man:pf[4] packet filter now supports scrubbing with OpenBSD syntax and behavior. If there are no FreeBSD scrub rules, a global flag `set reassemble yes | no [no-df]` determines whether packet reassembly is done. Scrubbing, like setting tos, ttl, etc, can be done in match and pass rules, which also makes it stateful. Match rules are now fully supported, as on OpenBSD, not only for man:dummynet[4] queues. gitref:39282ef356db[repository=src] (Sponsored by InnoGames GmbH) man:pfsync[4] can now use IPv6 transport. gitref:6fc7fc2dbb2b[repository=src] (Sponsored by InnoGames GmbH) (Sponsored by The FreeBSD Foundation) The man:pfsync[4] packet format has been extended to improve support for queuing, scrubbing and route-to rules. This format is incompatible with older releases. The old format can be selected using `ifconfig pfsync0 version 1301`. This is especially important if members of a pfsync cluster are not upgraded simultaneously. WiFi 6 support has been added to wpa (man:wpa_supplicant[8] and man:hostapd[8]). gitref:c1d255d3ffdb[repository=src] gitref:3968b47cd974[repository=src] gitref:bd452dcbede6[repository=src] [[network-inet]] === Internet Networking The `6to4` interface for IPv6 over IPv4, man:if_stf[4], now supports IPv6 Rapid Deployment (6rd) (RFC5969). 
gitref:19dc64451179[repository=src] (Sponsored by Rubicon Communications, LLC ("Netgate")) The man:rtsol[8] and man:rtsold[8] programs now have a `-i` option to disable the random delay of up to a second that is used by default. The default options for these programs in man:rc.conf[5] include `-i`. gitref:231bac4ccc43[repository=src] gitref:e29711da2352[repository=src] (Sponsored by https://www.patreon.com/cperciva[]) The handling of IPv6 `nodeinfo` (RFC 4620) has been disabled by default. gitref:b73183d1a243[repository=src] (Sponsored by The FreeBSD Foundation) The man:sysctl[8] option `net.inet.tcp.nolocaltimewait` is now enabled by default. This prevents creation of timewait entries for TCP connections that were terminated locally. gitref:92b3e07229ba[repository=src] The default congestion control mechanism for TCP is now CUBIC. For long duration data transfers, CUBIC allocates a slightly higher fraction of the available bandwidth, when competing against NewReno. gitref:bb1d472d79f7[repository=src] (Sponsored by NetApp, Inc.) IPv4 was changed not to broadcast the lowest address on a subnet (host 0) unless it is configured as the broadcast address. This allows the lowest address on a subnet to be used for a host. gitref:fd0765933c3c[repository=src] [[hardware]] == Hardware Support This section covers general hardware support for physical machines, hypervisors, and virtualization environments, as well as hardware changes and updates that do not fit in other sections of this document. Please see link:https://www.freebsd.org/releases/14.0R/hardware[the list of hardware] supported by {releaseCurrent}, as well as link:https://www.freebsd.org/platforms/[the platforms page] for the complete list of supported CPU architectures. [[hardware-arch]] === Hardware Architecture Support The project no longer provides armv6 artifacts with {releaseCurrent}. Support for the MIPS architecture, and related hardware, has been removed. 
MIPS will remain supported on the 13-STABLE branch for the duration of its lifetime. Support for the software floating point variant of the RISC-V architecture, riscv64sf, has been retired. All available hardware is supported by the regular riscv64 architecture. [[hardware-virtualization]] === Virtualization Support [[documentation]] == Documentation This section covers changes to manual (man:man[1]) pages and other documentation shipped with the base system. [[man-pages]] === Man Pages Many tweaks and clean-ups have been made to improve the accuracy of the man:hier[7] page. Many of the pages in section 9, kernel documentation, have been reviewed and updated for accuracy. The introduction to the kernel documentation manual pages, man:intro[9], has been completely rewritten. gitref:84f9f2c5cf78[repository=src] (Sponsored by The FreeBSD Foundation) The man:mi_switch[9] page has been rewritten and improved. gitref:175db7b58270[repository=src] (Sponsored by The FreeBSD Foundation) A new man:kern_yield[9] page has been added. gitref:30cd6fd75d463[repository=src] (Sponsored by The FreeBSD Foundation) Some obsolete section 9 pages have been removed. gitref:d1c7405ef68a[repository=src] gitref:52f9a2823c64[repository=src] gitref:b54391a1f831[repository=src] (Sponsored by The FreeBSD Foundation) [[ports]] == Ports Collection and Package Infrastructure This section covers changes to the FreeBSD Ports Collection, package infrastructure, and package maintenance and installation tools. [[ports-packages]] === Packaging Changes [[future-releases]] == General Notes Regarding Future FreeBSD Releases FreeBSD 15.0 is not expected to include support for 32-bit platforms other than armv7. The armv6, i386, and powerpc platforms are deprecated and will be removed. 64-bit systems will still be able to run older 32-bit binaries. We expect to support armv7 as a Tier 2 architecture in FreeBSD 15.0 and stable/15. However, we also anticipate that armv7 may be removed in FreeBSD 16.0. 
We will provide an update on the status of armv7 for both 15.x and 16.x at the time of 15.0 release. Support for executing 32-bit binaries on 64-bit platforms via the `COMPAT_FREEBSD32` option will continue for at least the stable/15 and stable/16 branches. Support for compiling individual 32-bit applications via `cc -m32` will also continue for at least the stable/15 branch, which includes suitable headers in [.filename]#/usr/include# and libraries in [.filename]#/usr/lib32#. Ports will not include support for deprecated 32-bit platforms for FreeBSD 15.0 and later releases. These future releases will not include binary packages or support for building packages from ports for deprecated 32-bit platforms. The FreeBSD stable/14 and earlier branches will retain existing 32-bit kernel and world support. Ports will retain existing support for building ports and packages for 32-bit systems on stable/14 and earlier branches as long as those branches are supported by the ports system. However, all 32-bit platforms are Tier-2 or Tier-3, and support for individual ports should be expected to degrade as upstreams deprecate 32-bit platforms. With the current support schedule, stable/14 will reach end of life (EOL) 5 years after the release of FreeBSD {releaseCurrent}. The EOL of stable/14 will mark the end of support for deprecated 32-bit platforms, including source releases, pre-built packages, and support for building applications from ports. With the release of {releaseCurrent} in November 2023, support for deprecated 32-bit platforms will end in November 2028. The project may choose to alter this approach when FreeBSD 15.0 is released by extending some level of support for one or more of the deprecated platforms in 15.0 or later. Any alterations will be driven by community feedback and committed efforts to support these platforms. Use FreeBSD {releaseCurrent} and following releases, or the stable/14 branch, to migrate off 32-bit platforms. 
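Review bot: the text this hunk writes into website/content/en/releases/13.0R/relnotes.adoc describes 14.0-RELEASE, not 13.0-RELEASE: the Hardware Support section links to `link:https://www.freebsd.org/releases/14.0R/hardware[the list of hardware]` as the list "supported by {releaseCurrent}", the General Notes section says "With the release of {releaseCurrent} in November 2023, support for deprecated 32-bit platforms will end in November 2028" and that "stable/14 will reach end of life (EOL) 5 years after the release of FreeBSD {releaseCurrent}", the architecture notes say MIPS "will remain supported on the 13-STABLE branch for the duration of its lifetime", and the `kinst` DTrace provider is credited to GSoC 2022. Either the diff targets the wrong file or these paragraphs were pasted from the 14.0R notes; please confirm the intended target before merging, otherwise the 13.0R page will carry 14.0's hardware list, EOL schedule and branch statements. Smaller points in the same hunk: the kernel crypto item reads `XChaCha20-Poly1035`, which should be `XChaCha20-Poly1305`; the NFS `syskrb5` paragraph has "availble" for "available"; and the ACPI timer item references `man:loader.conf[8]` while the pms driver item uses `man:loader.conf[5]`, so the section number should be made consistent (loader.conf is a section 5 page).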
diff --git a/website/content/en/releases/14.1R/relnotes.adoc b/website/content/en/releases/14.1R/relnotes.adoc index 4c5315a9d6..d121f65fad 100644 --- a/website/content/en/releases/14.1R/relnotes.adoc +++ b/website/content/en/releases/14.1R/relnotes.adoc 
@@ -1,361 +1,456 @@ --- title: "FreeBSD 14.1-RELEASE Release Notes" sidenav: download --- :releaseCurrent: 14.1-RELEASE :releaseBranch: 14-STABLE :releasePrev: 14.0-RELEASE :releaseNext: 14.2-RELEASE :releaseType: "release" include::shared/en/urls.adoc[] = FreeBSD {releaseCurrent} Release Notes :doctype: article :toc: macro :toclevels: 1 :icons: font == Abstract [.abstract-title] The release notes for FreeBSD {releaseCurrent} contain a summary of the changes made to the FreeBSD base system on the {releaseBranch} development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented. [[intro]] == Introduction This document contains the release notes for FreeBSD {releaseCurrent}. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD. The {releaseType} distribution to which these release notes apply represents the latest point along the {releaseBranch} development branch since {releaseBranch} was created. Information regarding pre-built, binary {releaseType} distributions along this branch can be found at https://www.FreeBSD.org/releases/[]. The {releaseType} distribution to which these release notes apply represents a point along the {releaseBranch} development branch between {releasePrev} and the future {releaseNext}. Information regarding pre-built, binary {releaseType} distributions along this branch can be found at https://www.FreeBSD.org/releases/[]. This distribution of FreeBSD {releaseCurrent} is a {releaseType} distribution. It can be found at https://www.FreeBSD.org/releases/[] or any of its mirrors. More information on obtaining this (or other) {releaseType} distributions of FreeBSD can be found in the link:{handbook}mirrors[Obtaining FreeBSD appendix] to the link:{handbook}[FreeBSD Handbook]. 
All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with "late-breaking" information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD {releaseCurrent} can be found on the FreeBSD Web site. This document describes the most user-visible new or changed features in FreeBSD since {releasePrev}. In general, changes described here are unique to the {releaseBranch} branch unless specifically marked as MERGED features. Typical release note items document recent security advisories issued after {releasePrev}, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements. [[upgrade]] == Upgrading from Previous Releases of FreeBSD Binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the man:freebsd-update[8] utility. See the release-specific upgrade procedure, link:../installation/#upgrade-binary[FreeBSD {releaseCurrent} upgrade information], with more details in the FreeBSD handbook link:{handbook}cutting-edge/#freebsdupdate-upgrade[binary upgrade procedure]. This will update unmodified userland utilities, as well as unmodified GENERIC kernels distributed as a part of an official FreeBSD release. The man:freebsd-update[8] utility requires that the host being upgraded have Internet connectivity. 
Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in [.filename]#/usr/src/UPDATING#. [IMPORTANT] ==== Upgrading FreeBSD should only be attempted after backing up _all_ data and configuration files. ==== [[security-errata]] == Security and Errata This section lists the various Security Advisories and Errata Notices since {releasePrev}. [[security]] === Security Advisories [.informaltable] [cols="1,1,1", frame="none", options="header"] |=== | Advisory | Date | Topic -|No advisories. -| -| +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:15.stdio.asc[FreeBSD-SA-23:15.stdio] +| 7 November 2023 +| libc stdio buffer overflow + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:16.cap_net.asc[FreeBSD-SA-23:16.cap_net] +| 8 November 2023 +| Incorrect libcap_net limitation list manipulation + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:17.pf.asc[FreeBSD-SA-23:17.pf] +| 5 December 2023 +| TCP spoofing vulnerability in man:pf[4] + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:18.nfsclient.asc[FreeBSD-SA-23:18.nfsclient] +| 12 December 2023 +| NFS client data corruption and kernel memory disclosure + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-23:19.openssh.asc[FreeBSD-SA-23:19.openssh] +| 19 December 2023 +| Prefix Truncation Attack in the SSH protocol + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-24:01.bhyveload.asc[FreeBSD-SA-24:01.bhyveload] +| 14 February 2024 +| man:bhyveload[8] host file access + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-24:02.tty.asc[FreeBSD-SA-24:02.tty] +| 14 February 2024 +| man:jail[2] information leak + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-SA-24:03.unbound.asc[FreeBSD-SA-24:03.unbound] +| 28 March 2024 +| Multiple vulnerabilities in unbound |=== [[errata]] === Errata Notices 
[.informaltable] [cols="1,1,1", frame="none", options="header"] |=== | Errata | Date | Topic -|No notices. -| -| +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:13.freebsd-update.asc[FreeBSD-EN-23:13.freebsd-update] +| 8 November 2023 +| freebsd-update does not handle deep boot environments + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:14.regcomp.asc[FreeBSD-EN-23:14.regcomp] +| 8 November 2023 +| Incorrect regular expression escape handling + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:15.sanitizer.asc[FreeBSD-EN-23:15.sanitizer] +| 1 December 2023 +| Clang sanitizer failure with ASLR enabled + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:16.openzfs.asc[FreeBSD-EN-23:16.openzfs] +| 1 December 2023 +| OpenZFS data corruption + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:17.ossl.asc[FreeBSD-EN-23:17.ossl] +| 5 December 2023 +| man:ossl[4]'s AES-GCM implementation may give incorrect results + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:18.openzfs.asc[FreeBSD-EN-23:18.openzfs] +| 5 December 2023 +| High CPU usage by ZFS kernel threads + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:19.pkgbase.asc[FreeBSD-EN-23:19.pkgbase] +| 5 December 2023 +| Incorrect pkgbase version number for FreeBSD 14.0 + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:20.vm.asc[FreeBSD-EN-23:20.vm] +| 5 December 2023 +| Incorrect results from the kernel physical memory allocator + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:21.tty.asc[FreeBSD-EN-23:21.tty] +| 24 November 2023 +| man:tty[4] IUTF8 causes a kernel panic + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-23:22.vfs.asc[FreeBSD-EN-23:22.vfs] +| 5 December 2023 +| ZFS snapshot directories not accessible over NFS + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-24:01.tzdata.asc[FreeBSD-EN-24:01.tzdata] +| 14 February 2024 
+| Timezone database information update + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-24:02.libutil.asc[FreeBSD-EN-24:02.libutil] +| 14 February 2024 +| Login class resource limits and CPU mask bypass + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-24:03.kqueue.asc[FreeBSD-EN-24:03.kqueue] +| 14 February 2024 +| man:kqueue_close[2] page fault on exit using man:rfork[2] + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-24:04.ip.asc[FreeBSD-EN-24:04.ip] +| 14 February 2024 +| Kernel panic triggered by man:bind[2] + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-24:05.tty.asc[FreeBSD-EN-24:05.tty] +| 28 March 2024 +| TTY Kernel Panic + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-24:06.wireguard.asc[FreeBSD-EN-24:06.wireguard] +| 28 March 2024 +| Insufficient barriers in WireGuard man:if_wg[4] + +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-24:07.clang.asc[FreeBSD-EN-24:07.clang] +| 28 March 2024 +| Clang crash when certain optimization is enabled +| link:https://www.FreeBSD.org/security/advisories/FreeBSD-EN-24:08.kerberos.asc[FreeBSD-EN-24:08.kerberos] +| 28 March 2024 +| Kerberos segfaults when using weak crypto |=== [[userland]] == Userland This section covers changes and additions to userland applications, contributed software, and system utilities. [[userland-config]] === Userland Configuration Changes A new `kdc_restart` variable is available that manages man:kdc[8] (or `krb5kdc`) under man:daemon[8]. Set `kdc_restart="YES"` in man:rc.conf[5] to auto restart kdc on abnormal termination. Set `kdc_restart_delay="N"` to the number of seconds to delay before restarting the kdc. gitref:abc4b3088941[repository=src] By default, changes shown in email by the man:periodic[8] facility from the `daily` scripts show less context than before to reduce the size of the output. The behavior can be controlled by the `daily_diff_flags` variable in man:periodic.conf[5]. 
Similarly, the changes shown by the security scripts show less context than previously, controlled by the `security_status_diff_flags` variable in man:periodic.conf[5]. gitref:538994626b9f[repository=src], gitref:37dc394170a5[repository=src], gitref:128e78ffb084[repository=src] [[userland-programs]] === Userland Application Changes The man:adduser[8] utility, used by man:bsdinstall[8], will now create a ZFS dataset for a new user's home directory if the parent directory resides on a ZFS dataset. A command-line option is available to disable use of a separate dataset. ZFS encryption is also available. gitref:516009ce8d38[repository=src] The man:date[1] program now supports nanoseconds. For example: `date -Ins` prints "2024-04-22T12:20:28,763742224+02:00" and `date +%N` prints "415050400". gitref:eeb04a736cb9[repository=src] The man:dtrace[1] utility can now generate machine-readable output in JSON, XML, and HTML using man:libxo[3]. gitref:aef4504139a4[repository=src] (Sponsored by Innovate UK) The man:lastcomm[1] utility now displays timestamps with a precision of seconds. gitref:692c0a2e80c1[repository=src] (Sponsored by DSS Gmbh) The man:ldconfig[8] utility now supports hints files of either byte order. The default format is the native byte-order of the host. gitref:fa7b31166ddb[repository=src] OpenSSH has been upgraded to version 9.7p1. Full release notes are at https://www.openssh.com/txt/release-9.7[] and https://www.openssh.com/txt/release-9.6[] . gitref:a25789646d71[repository=src], gitref:464fa66f639b[repository=src] (Sponsored by The FreeBSD Foundation) The man:usbconfig[8] utility now reads the descriptions of usb vendor and products from [.filename]#/usr/share/misc/usb_vendors# when available, similar to what man:pciconf[8] does. gitref:7b9a772f9f64[repository=src] [[userland-contrib]] === Contributed Software One True Awk (man:awk[1]) has been updated to 2nd Edition, with new -csv support and UTF-8 support. 
gitref:daf917daba9c[repository=src] Clang/LLVM have been upgraded to version 18.1.5. gitref:90a5e985e5f4[repository=src] The man:libarchive[3] library has been upgraded to version 3.7.4. gitref:8774c92e32b2[repository=src] The man:sendmail[8] suite has been upgraded to version 8.18.1, addressing CVE-2023-51765. gitref:58ae50f31e95[repository=src] The man:unbound[8] resolver has been upgraded to version 1.20.0, and addresses "`The DNSBomb`" vulnerability, CVE-2024-33655. gitref:dcde37c4170b[repository=src] [[userland-libraries]] === Runtime Libraries and API The man:setusercontext[3] routine in `libutil` will now set the process priority (nice) from the [.filename]#.login.conf# file from the home directory under appropriate conditions, as well as the system man:login.conf[5]. The priority can now have the value `inherit`, indicating that the priority should be unchanged from that of the parent process. Similarly, the umask can have the value `inherit`. gitref:6f6186e19fe5[repository=src], gitref:a8c273b3c97f[repository=src], gitref:d2d66fedc418[repository=src] (Sponsored by Kumacom SAS) Many string and memory operations in the C library now use SIMD (single instruction multiple data) extensions for improved performance when available on amd64 systems; see man:simd[7]. (Sponsored by The FreeBSD Foundation) There is now a much better implementation of the 128-bit `tgammal` function in the math library, man:math[3], on platforms that support it. gitref:8df6c930c151[repository=src] [[cloud]] == Cloud Support This section covers changes in support for cloud environments. {releaseCurrent} supports cloudinit, including the `nuageinit` startup script and support for a `config-drive` partition. It is compatible with OpenStack and many hosting facilities. See the https://cloud-init.io[cloud-init] web site and the commit messages, gitref:16a6da44e28d[repository=src] gitref:227e7a205edf[repository=src]. 
(Sponsored by OVHcloud) [[kernel]] == Kernel This section covers changes to kernel configurations, system tuning, and system control parameters that are not otherwise categorized. [[kernel-general]] === General Kernel Changes The `fpu_kern_enter` and `fpu_kern_leave` routines have been implemented for powerpc, allowing the use of man:ossl[4] crypto functions in the kernel that use floating point and vector registers. gitref:91e53779b4fc[repository=src] [[drivers]] == Devices and Drivers This section covers changes and additions to devices and device drivers since {releasePrev}. [[drivers-device]] === Device Drivers A driver is available for man:ice[4] Ethernet network controllers in the Intel E800 series, which support 100 Gb/s operation. It was upgraded to version 1.39.13-k. gitref:71d104536b51[repository=src] gitref:f6de0a7c94e9[repository=src] (Sponsored by Intel Corporation) Numerous stability improvements have been in the man:iwlwifi[4] driver for Intel Wi-Fi devices. (Sponsored by The FreeBSD Foundation) Multiple PCI MCFG regions are now supported on amd64 and i386, allowing PCI configuration space access for domains (segments) other than 0. gitref:4b5f64408804[repository=src] The man:smsc[4] Ethernet driver can now fetch the value of `smsc95xx.macaddr` passed by some Raspberry Pi models and use it for the MAC address. It always uses a stable MAC address even if there is no address in EEPROM. gitref:028e4c6548e4[repository=src] The `snd_clone` framework has been removed from the sound subsystem, including related sysctls, simplifying the system. The per-channel nodes ([.filename]#/dev/dspX.Y#) are no longer created, just the primary device ([.filename]#/dev/dspX#). gitref:e6c51f6db8d7[repository=src] (Sponsored by The FreeBSD Foundation) Audio now supports asynchronous device detach. 
This greatly simplifies hot plugging and unplugging of things such as USB headsets, and eases use of PulseAudio in cases that require operating system sleep and wake (suspend and resume). gitref:d692c314d29a[repository=src] (Sponsored by The FreeBSD Foundation) [[storage]] == Storage This section covers changes and additions to file systems and other storage subsystems, both local and networked. [[storage-nfs]] === NFS The man:mountd[8] server has been modified to use man:strunvis[3] to decode directory names in man:exports[5] file(s). This allows special characters, such as blanks, to be embedded in the directory name. `vis -M` may be used to encode such directory names; see man:vis[1]. gitref:2c83f1ada435[repository=src] New man:sysctl[8] variables have been added under `kern.rpc.unenc` and `kern.rpc.tls`, which allow an NFS server administrator to determine how much NFS-over-TLS is being used. A large number of failed handshakes might indicate an NFS configuration problem. gitref:b8e137d8d32d[repository=src] [[storage-ufs]] === UFS Soft updates are now enabled by default when creating a new UFS file system with man:newfs[8]. gitref:6b2af2d88ffd[repository=src] [[storage-zfs]] === ZFS OpenZFS has been upgraded to version 2.2.4. gitref:78c9d8f1ce65[repository=src] [[boot]] == Boot Loader Changes This section covers the boot loader, boot menu, and other boot-related changes. [[boot-loader]] === Boot Loader Changes The man:loader[8] now reads local configuration files listed in the variable `local_loader_conf_files` after other configuration files, defaulting to [.filename]#/boot/loader.conf.local#. gitref:a25531db0fc2[repository=src] The man:loader[8] can now be configured to read specific configuration files based on the planar maker, planar product, system product and uboot m_product variables from the SMBIOS. For the moment, the best documentation is the git commit message, gitref:3eb3a802a31b[repository=src]. 
Console detection in man:loader[8] has been improved on EFI systems. If there is no ConOut variable, ConIn is checked. If multiple devices are found, serial is preferred. gitref:20a6f4779ac6[repository=src] (Sponsored by Netflix) Frame buffer support in man:loader[8] can now use a text-only video driver, resulting in space savings. gitref:57ca2848c0aa[repository=src] (Sponsored by Netflix) The detection of ACPI is now done earlier in man:loader.efi[8] on arm64 systems. The copy of [.filename]#loader.efi# on the EFI partition should be updated on arm64 systems using ACPI. gitref:05cf4dda599a[repository=src] gitref:16c09de80135[repository=src] The LinuxBoot loader can be used to boot FreeBSD from Linux on aarch64 systems as well as amd64. gitref:46010641267[repository=src] (Sponsored by Netflix) [[network]] == Networking This section describes changes that affect networking in FreeBSD. [[network-general]] === General Network ARP (man:arp[4]) support for 802-standard networks has been restored; it had been accidentally removed with FDDI support. (This is different than the Ethernet standard encapsulation.) gitref:d776dd5fbd48[repository=src] It is possible to build a kernel with IPv6 support (INET6) without IPv4 (INET). gitref:6df9fa1c6b83[repository=src] and others The netgraph man:ng_ipfw[4] module no longer truncates cookies to 16 bits, allowing a full 32 bits. gitref:dadf64c5586e[repository=src] [[hardware]] == Hardware Support This section covers general hardware support for physical machines, hypervisors, and virtualization environments, as well as hardware changes and updates that do not otherwise fit in other sections of this document. Please see link:https://www.freebsd.org/releases/14.1R/hardware[the list of hardware] supported by {releaseCurrent}, as well as link:https://www.freebsd.org/platforms/[the platforms page] for the complete list of supported CPU architectures. 
[[documentation]] == Documentation This section covers changes to manual (man:man[1]) pages and other documentation shipped with the base system. [[man-pages]] === Man Pages A new man:networking[7] manual page provides a quickstart guide to connecting the system to networks including Wi-Fi, and links to other manual pages and the handbook. gitref:39f92a4c4c49[repository=src] [[future-releases]] == General Notes Regarding Future FreeBSD Releases FreeBSD 15.0 is not expected to include support for 32-bit platforms other than armv7. The armv6, i386, and powerpc platforms are deprecated and will be removed. 64-bit systems will still be able to run older 32-bit binaries. We expect to support armv7 as a Tier 2 architecture in FreeBSD 15.0 and stable/15. However, we also anticipate that armv7 may be removed in FreeBSD 16.0. We will provide an update on the status of armv7 for both 15.x and 16.x at the time of 15.0 release. Support for executing 32-bit binaries on 64-bit platforms via the `COMPAT_FREEBSD32` option will continue for at least the stable/15 and stable/16 branches. Support for compiling individual 32-bit applications via `cc -m32` will also continue for at least the stable/15 branch, which includes suitable headers in [.filename]#/usr/include# and libraries in [.filename]#/usr/lib32#. Ports will not include support for deprecated 32-bit platforms for FreeBSD 15.0 and later releases. These future releases will not include binary packages or support for building packages from ports for deprecated 32-bit platforms. The FreeBSD stable/14 and earlier branches will retain existing 32-bit kernel and world support. Ports will retain existing support for building ports and packages for 32-bit systems on stable/14 and earlier branches as long as those branches are supported by the ports system. However, all 32-bit platforms are Tier-2 or Tier-3, and support for individual ports should be expected to degrade as upstreams deprecate 32-bit platforms. 
With the current support schedule, stable/14 will reach end of life (EOL) 5 years after the release of FreeBSD {releasePrev}. The EOL of stable/14 will mark the end of support for deprecated 32-bit platforms, including source releases, pre-built packages, and support for building applications from ports. With the release of {releasePrev} in November 2023, support for deprecated 32-bit platforms will end in November 2028. The project may choose to alter this approach when FreeBSD 15.0 is released by extending some level of support for one or more of the deprecated platforms in 15.0 or later. Any alterations will be driven by community feedback and committed efforts to support these platforms. Use FreeBSD {releasePrev} and following minor releases, or the stable/14 branch, to migrate off 32-bit platforms.
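Review bot: the errata rows added to the table do not appear to belong in website/content/en/releases/13.0R/relnotes.adoc, whose header sets `:releaseCurrent: 13.0-RELEASE` and `:releasePrev: 12.2-RELEASE`: the FreeBSD-EN-23:19.pkgbase row's topic is "Incorrect pkgbase version number for FreeBSD 14.0", all added notices are EN-23:13 through EN-24:08 (dated November 2023 to March 2024), and the unchanged text around the table links to `releases/14.1R/hardware` and states "With the release of {releasePrev} in November 2023", none of which is consistent with 13.0-RELEASE. Please confirm the target file (or the attribute values at the top of the file) before merging, so the 13.0R page does not advertise errata for a different release. Two smaller points in the same region: the FreeBSD-EN-24:08.kerberos row is appended directly after the "Clang crash when certain optimization is enabled" cell with no blank `+` line, while every other row is separated by one; AsciiDoc will still split the cells by the `cols="1,1,1"` count, but add the blank line for consistency with the rest of the table. Also, the FreeBSD-EN-23:21.tty row (24 November 2023) sits between rows dated 5 December 2023; if the table is meant to be in date order it should move up, otherwise the advisory-number order is fine and needs no change.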