FreeBSD 7.3-RELEASE Release Notes

2.1 Security Advisories

Problems described in the following security advisories have been fixed. For more information, consult the individual advisories available from http://security.FreeBSD.org/.

2.2 Kernel Changes

The closefrom(2) system call has been added. This closes any open file descriptors which are equal to or larger than the specified value. Note that this does not fail with any errors and this is not multi-thread safe.

The ddb(8) subcommands for geom(8) now supports pagination.

The futimes(2), lutimes(2), and utimes(2) system call now support a sysctl variable vfs.timestamp_precision.

The jail(8) subsystem now supports security.jail.ip4_saddrsel and security.jail.ip6_saddrsel sysctl variables to control whether to use source address selection or the primary jail address for unbound outgoing connections. The default is that the source address selection is enabled. Also, the jail parameter ip4.saddrsel and ip6.saddrsel are boolean option to enable the source address selection for IPv4 and IPv6, respectively. If the boolean parameters ip4.nosaddrsel and ip6.nosaddrsel are set, the child jails do not inherit the address selection options of the parent.

[amd64] The kmem_map KVA space has been increased to 512GB.

The lindev(4) driver has been added. This is for Linux-specific pseudo devices and currently used only for /dev/full.

FreeBSD Linux emulation layer now supports SO_PEERCRED socket option, MSG_CMSG_CLOEXEC for recvmsg(), and robust futex. The futex has been reimplemented by using sx(9) lock. Initial support of ktr(4) tracing has also been added.

A lock handling error has been fixed in interaction between malloc(3) implementation and threading library. When a multi-threaded process calls the fork(2) system call in a thread and the malloc(3) function in another thread, it caused a deadlock in the child process.

PECOFF image activator support has been removed.

FreeBSD now supports POSIX semaphores (P1003_1B_SEMAPHORES kernel option) by default.

A deadlock in the sched_ule(4) scheduler has been fixed. For more details, see EN-10:02.sched_ule.

The sglist(9) API to manage scatter/gather lists of physical addresses has been added.

FreeBSD ABI of some of the structures used by the System V IPC API has been changed internally, and it now supports shared memory segments for System V IPC which is larger than 2GB on 64-bit platforms. For new kernel modules, the kern_msgctl(), kern_semctl(), and kern_shmctl() functions will be transparently renamed to the new kern_new_*() functions by using ABI shims. The old functions remain as the old names to provide backward compatibility for older kernel modules.

A new sysctl variable security.bsd.map_at_zero has been added and set to 1 (allow) by default. This controls whether FreeBSD allows to map an object at the address 0, which is part of the user-controlled portion of the virtual address space. Disabling this has some effect on preventing an attack which injects malicious code into that location and triggers a NULL pointer dereference in the kernel.

2.3 Userland Changes

The acpidump(8) utility now supports parsing SRAT (System Resource Affinity Table used to describe affinity relationships between CPUs and memory.

The apropos(1) command no longer sets the necessary directories to PATH variable. This means if the caller does not have /bin and /usr/bin in PATH, then it does not work.

The bluetooth(3) library now supports Bluetooth HCI API.

The btpand(8) daemon now supports Bluetooth device node names in a -d option.

A bug in the chflags(1) -h option has been fixed. It used link target's flags as the original one.

The cp(1) command now preserves file flags on symbolic links when options -Rp are specified. It reported an error “function not implemented”.

The cpucontrol(8) command now allows user to perform atomic bitwise AND and OR operations on MSR registers. Two new operations (&= and |=) have been added. The first one applies bitwise AND operation between the current contents of the MSR register and the mask, and the second performs bitwise OR. The argument can be optionally prefixed with ~ inversion operator. The following is an example to clear the second bit of TSC MSR:

# cpucontrol -m 0x10&=~0x02

The cpuset(1) command now supports interrupt binding by a new option -x irq.

The default crontab(5) file no longer define a variable HOME.

The df(1) command now uses human-readable output for inode counts when an -H or -h is specified.

A bug in the dhclient(8) utility when appending a NUL-terminated text provided by a DHCP server, has been fixed.

The dhclient(8) utility now uses 68 (bootpc) as the source port for unicast DHCPREQUEST packets instead of allowing the protocol stack to pick a random source port. This fixes the behavior where dhclient(8) would never transition from RENEWING to BOUND without going through REBINDING in some networks which has a tight policy on DHCP spoofing.

The fdisk(8) utility now supports size qualifiers (K, M, and G) and * for automatic calculation in the p command.

The fetch(1) command now supports HTTP digest authentication.

The fetch(1) command now supports NO_PROXY and no_proxy environment variables to disable use of HTTP proxy. For more details, see fetch(3) manual page.

A bug in the fetch(1) command that FTP_TIMEOUT and HTTP_TIMEOUT environment variables were ignored, has been fixed.

A bug in the fetch(1) command that default parameters such as connection timeout were not set for HTTPS protocol, has been fixed. It now uses the same parameters as HTTP.

A bug in the find(1) command has been fixed. It ignored an -L option when -delete is specified. The following command can be safely used to remove broken links:

find -L . -type l -print0 | xargs rm -0

A bug in the find(1) and rm(1) command has been fixed. When a symbolic link has uchg or uappend flag, the commands attempted to clear the target file, not the symbolic link itself.

The gzip(1) command now supports uncompressing files compressed by pack(1), which is found in some commercial Unix systems.

The ktrace(1) utility now supports a new KTRACE record for sysctl(3) invocations.

FreeBSD libc library now includes fdopendir(3) function.

FreeBSD libc library now includes feature_present(3) function which checks to see if a named kernel feature is present by checking the kern.features sysctl MIB.

FreeBSD libc library now includes getpagesize(3) function that returns either the number of page sizes supported by the system or a specified subset of the supported page sizes.

The libradius(3) now supports simple embedded RADIUS server.

The lp(1) command now supports -m option to send an email after the files have been printed, and -t title option to write title on the banner page of the output. These are required by POSIX standard.

The lpq(1) command now correctly translates remote host names which contain non-standard end-of-line characters.

The man(1) command now supports manual pages in UTF-8.

The mergemaster(8) utility now uses an -L option when it invokes mtree(8) command to follow symbolic links.

The mergemaster(8) utility now supports DELETE_STALE_RC_FILES variable in mergemaster.rc file to delete stale rc.d scripts automatically.

A userland utility mfiutil(8) for the mfi(4) devices has been added. This includes basic features to monitor controller, array, and drive status, change basic attributes, create/delete arrays and spares, and flush the controller firmware. Note that this is a small utility, not a replacement of MegaCLI in the Ports Collection which is supported officially and provides more functionality.

A userland utility mptutil(8) for the mpt(4) devices has been added. This includes basic features to monitor controller, array, and drive status, change basic attributes, and create/delete arrays and spares.

The newfs_msdos(8) command now supports media which have no CHS parameter.

The ntpd(8) daemon no longer tries to bind an IPv6 anycast address.

The pkill(1) command now ignores itself and the ancestors when finding processes. An -a option has been added for backward compatible behavior.

A race condition in the ppp(8) daemon has been fixed.

The ps(1) command now supports a new flag -p. This displays descendant info with the output similar to Linux's -H (or -f).

The pwait(1) command, which waits for any process to terminate has been added.

The pwd_mkdb(8) now verifies login name length is shorter than MAXLOGNAME when a -C option is specified. Note that entries with oversized login names are still allowed in the passwd database, and getpwent*() and getpwuid*() functions return them correctly. The getpwnam*() truncates them to MAXLOGNAME - 1 when reading the database. The su(1) utility fails for the long names.

The FreeBSD runtime linker, rtld(1) has been improved. The changes include:

• The dynamic string token substitution in the rpath and soname has been implemented. This can be enabled by setting -z origin option of ld(1). Currently, it recognizes $OSNAME, $PLATFORM, $OSREL, and $ORIGIN tokens. This translation is unconditionally disabled for setuid/setgid processes.

• PIE (Position Independent Executables) support has been improved. The runtime linker now calculates relocation base for the main object, and applies the relocation adjustment for all virtual addresses encoded into the ELF structures of it in order to make it possible to load PIE binaries at a non-zero base address.

• The way the mapping of the ELF objects has been changed to make wiring of the address space possible. It now maps PROT_NONE anonymous memory over the whole range first, and then mapping the segments of the object over it. It allocates .bss by changing the protection of the range instead of remapping, and unnecessary clearing of the text segment when its end is not page-aligned has been eliminated.

• A new environment variable LD_ELF_HINTS_PATH for overriding the rtld hints file has been supported. This feature gives a convenient way of using a custom set of shared library that is not located in the default location and switch back. This environment variable is automatically unset if the process is tainted with setuid/setgid.

The strptime(3) function now supports %z format specifier.

The sysinstall(8) utility now supports a comma-separated list of network interfaces in netDev option in install.cfg.

[ia64] The sysinstall(8) utility now uses 400MB for the EFI partition instead of 100MB in the previous releases.

The tail(1) -F flag now persists in trying to open files rather than giving up when it encounters an error. ENOENT errors are not reported. This behavior is consistent with the GNU version.

The tftp(1) command now returns a correct exit status in the case of successful file transfer.

The traceroute(8) program now uses in-kernel source address selection even in a jail(8) environment.

The traceroute(8) and traceroute6(8) now support an -a flag to display AS number corresponding to the lookup IP address on each hop. It will query the number to WHOIS server specified in -A option. If no -A is specified, whois.radb.net will be used as the default value.

The tzsetup(8) command now supports an -s option to skip the initial question about adjusting the clock if not set to UTC.

The whois(1) utility has been updated. A -d option has been removed because whois.nic.mil no longer exists, and it supports searching for IPv6 addresses just like it can do for IPv4 addresses without having to explicitly specify that the ARIN server should be used to get the initial information.

The yp(8) utilities now support shadow.byname and shadow.byuid maps. These requires privileged port access.

static_arp_pairs="gw"
static_arp_gw="192.168.1.1 00:01:02:03:04:05"

2.4 Contributed Software

ISC BIND has been updated to version 9.4-ESV.

sendmail has been updated from version 8.14.3 to version 8.14.4.

The timezone database has been updated to the tzdata2010b release.

The timezone libraries (stdtime part of libc) and related binaries (zic(8) and zdump(8)) have been updated to the tzcode2009k release. Note that tzsetup(8) needs to be run after the installation.

unifdef has been updated to version 1.188.

2.5 Ports/Packages Collection Infrastructure

A bug in the pkg_info(1) command which caused a segmentation fault when an invalid long option is specified, has been fixed.

2.6 Release Engineering and Integration

FreeBSD release ISO images now have “FreeBSD-” at the beginning of the filenames.

The supported version of the GNOME desktop environment (x11/gnome2) has been updated to 2.28.2.

The supported version of the KDE desktop environment (x11/kde4) has been updated to 4.3.5.