Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 26 Nov 2009 20:55:44 +0000 (UTC)
From:      Hiroki Sato <hrs@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org
Subject:   svn commit: r199847 - in stable/8/release/doc: en_US.ISO8859-1/relnotes en_US.ISO8859-1/share/sgml share/sgml
Message-ID:  <200911262055.nAQKtijU092885@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: hrs
Date: Thu Nov 26 20:55:44 2009
New Revision: 199847
URL: http://svn.freebsd.org/changeset/base/199847

Log:
  Add entries of Release Notes for 8.0R temporarily.
  
  Reviewed by:	thompsa, linimon, and brd.

Modified:
  stable/8/release/doc/en_US.ISO8859-1/relnotes/article.sgml
  stable/8/release/doc/en_US.ISO8859-1/share/sgml/release.dsl
  stable/8/release/doc/share/sgml/release.dsl
  stable/8/release/doc/share/sgml/release.ent

Modified: stable/8/release/doc/en_US.ISO8859-1/relnotes/article.sgml
==============================================================================
--- stable/8/release/doc/en_US.ISO8859-1/relnotes/article.sgml	Thu Nov 26 20:25:57 2009	(r199846)
+++ stable/8/release/doc/en_US.ISO8859-1/relnotes/article.sgml	Thu Nov 26 20:55:44 2009	(r199847)
@@ -4,11 +4,6 @@
 
 <!ENTITY % release PUBLIC "-//FreeBSD//ENTITIES Release Specification//EN">
 %release;
-
-<!-- Text constants which probably don't need to be changed.-->
-
-<!ENTITY % include.historic "IGNORE">
-<!ENTITY % no.include.historic "IGNORE">
 ]>
 
 <article>
@@ -57,7 +52,7 @@
   <title>Introduction</title>
 
   <para>This document contains the release notes for &os;
-    &release.current;.  It
+    &release.current;.	It
     describes recently added, changed, or deleted features of &os;.
     It also provides some notes on upgrading
     from previous versions of &os;.</para>
@@ -66,7 +61,7 @@
 
   <para>The &release.type; distribution to which these release notes
     apply represents the latest point along the &release.branch; development
-    branch since &release.branch; was created.  Information regarding pre-built, binary
+    branch since &release.branch; was created.	Information regarding pre-built, binary
     &release.type; distributions along this branch
     can be found at <ulink url="&release.url;"></ulink>.</para>
 
@@ -87,7 +82,7 @@
 
   <para>This distribution of &os; &release.current; is a
     &release.type; distribution.  It can be found at <ulink
-    url="&release.url;"></ulink> or any of its mirrors.  More
+    url="&release.url;"></ulink> or any of its mirrors.	 More
     information on obtaining this (or other) &release.type;
     distributions of &os; can be found in the <ulink
     url="&url.books.handbook;/mirrors.html"><quote>Obtaining
@@ -100,455 +95,2340 @@
   <para>All users are encouraged to consult the release errata before
     installing &os;.  The errata document is updated with
     <quote>late-breaking</quote> information discovered late in the
-    release cycle or after the release.  Typically, it contains
+    release cycle or after the release.	 Typically, it contains
     information on known bugs, security advisories, and corrections to
     documentation.  An up-to-date copy of the errata for &os;
     &release.current; can be found on the &os; Web site.</para>
 
 </sect1>
 
-<sect1 id="new">
-  <title>What's New</title>
-
-  <para>This section describes
-    the most user-visible new or changed features in &os;
-    since &release.prev;.
-    In general, changes described here are unique to the &release.branch;
-    branch unless specifically marked as &merged; features.
-  </para>
-
-  <para>Typical release note items
-    document recent security advisories issued after
-    &release.prev;,
-    new drivers or hardware support, new commands or options,
-    major bug fixes, or contributed software upgrades.  They may also
-    list changes to major ports/packages or release engineering
-    practices.  Clearly the release notes cannot list every single
-    change made to &os; between releases; this document focuses
-    primarily on security advisories, user-visible changes, and major
-    architectural improvements.</para>
-
-  <sect2 id="security">
-    <title>Security Advisories</title>
-
-    <para></para>
-
-  </sect2>
-
-  <sect2 id="kernel">
-    <title>Kernel Changes</title>
-
-    <para>A new &man.cpuset.2; API has been added
-      for thread to CPU binding and CPU resource grouping and
-      assignment.  The &man.cpuset.1; userland utility has been added
-      to allow manipulation of processor sets.</para>
-
-    <para role="merged">The &man.ddb.4; kernel debugger now has an output capture
-      facility.  Input and output from &man.ddb.4; can now be captured
-      to a memory buffer for later inspection using &man.sysctl.8; or
-      a textdump.  The new <command>capture</command> command controls
-      this feature.</para>
-
-    <para role="merged">The &man.ddb.4; debugger now supports a simple scripting
-      facility, which supports a set of named scripts consisting of a
-      set of &man.ddb.4; commands.  These commands can be managed from
-      within &man.ddb.4; or with the use of the new &man.ddb.8;
-      utility.  More details can be found in the &man.ddb.4; manual
-      page.</para>
-
-    <para role="merged">The kernel now supports a new textdump format of kernel
-      dumps.  A textdump provides higher-level information via
-      mechanically generated/extracted debugging output, rather than a
-      simple memory dump.  This facility can be used to generate brief
-      kernel bug reports that are rich in debugging information, but
-      are not dependent on kernel symbol tables or precisely
-      synchronized source code.  More information can be found in the
-      &man.textdump.4; manual page.</para>
-
-    <para>Kernel support for M:N threading has been removed.  While
-      the KSE (Kernel Scheduled Entities) project was quite successful
-      in bringing threading to FreeBSD, the M:N approach taken by the
-      KSE library was never developed to its full potential.
-      Backwards compatibility for applications using KSE threading
-      will be provided via &man.libmap.conf.5; for dynamically linked
-      binaries.  The &os; Project greatly appreciates the work of
-      &a.julian;, &a.deischen;, and &a.davidxu; on KSE support.</para>
-
-    <para>The &os; kernel now exports information about certain kernel
-      features via the <varname>kern.features</varname> sysctl tree.
-      The &man.feature.present.3; library call provides a convenient
-      interface for user applications to test the presence of
-      features.</para>
-
-    <para arch="amd64">The &os; kernel now has support for large
-      memory page mappings (<quote>superpages</quote>).</para>
-
-    <para arch="amd64,i386,ia64,powerpc" role="merged">The ULE
-      scheduler is now the default process scheduler
-      in <filename>GENERIC</filename> kernels.</para>
-
-    <sect3 id="boot">
-      <title>Boot Loader Changes</title>
-
-      <para arch="amd64,i386" role="merged">The BTX kernel used by the boot
-	loader has been changed to invoke BIOS routines from real
-	mode.  This change makes it possible to boot &os; from USB
-	devices.</para>
-
-      <para arch="amd64,i386" role="merged">A new gptboot boot loader has
-        been added to support booting from a GPT labeled disk.  A
-        new <command>boot</command> command has been added to
-        &man.gpt.8;, which makes a GPT disk bootable by writing the
-        required bits of the boot loader, creating a new boot
-        partition if required.</para>
-
-    </sect3>
-
-    <sect3 id="proc">
-      <title>Hardware Support</title>
-
-      <para role="merged">The &man.cmx.4; driver, a driver for Omnikey CardMan 4040
-        PCMCIA smartcard readers, has been added.</para>
-
-      <para>The &man.syscons.4; driver now supports Colemak keyboard layout.</para>
-
-      <para role="merged">The &man.uslcom.4; driver, a driver for Silicon
-        Laboratories CP2101/CP2102-based USB serial adapters, has been
-        imported from OpenBSD.</para>
-
-      <sect4 id="mm">
-	<title>Multimedia Support</title>
-
-	<para></para>
-
-      </sect4>
-
-      <sect4 id="net-if">
-	<title>Network Interface Support</title>
-
-	<para>The &man.ale.4; driver has been added to provide support
-	  for Atheros AR8121/AR8113/AR8114 Gigabit/Fast Ethernet controllers.</para>
-
-	<para>The &man.em.4; driver has been split into two drivers
-	  with some common parts.  The &man.em.4; driver will continue
-	  to support adapters up to the 82575, as well as new
-	  client/desktop adapters.  A new &man.igb.4; driver
-	  will support new server adapters.</para>
-
-	<para>The &man.jme.4; driver has been added to provide support
-	  for PCIe network adapters based on JMicron JMC250 Gigabit
-	  Ethernet and JMC260 Fast Ethernet controllers.</para>
-
-	<para>The &man.malo.4; driver has been added to provide
-	  support for Marvell Libertas 88W8335 based PCI network
-	  adapters.</para>
-
-	<para>The firmware for the &man.mxge.4; driver has been
-	  updated from 1.4.25 to 1.4.29.</para>
-
-	<para>The &man.sf.4; driver has been overhauled to improve its
-	  performance and to add support for checksum offloading.  It
-	  should also work on all architectures.</para>
-
-	<para>The &man.re.4; driver has been overhauled to fix a
-	  number of issues.  This driver now has Wake On LAN (WOL)
-	  support.</para>
-
-	<para>The &man.vr.4; driver has been overhauled to fix a
-	  number of outstanding issues.  It also now works on all
-	  architectures.</para>
-
-	<para arch="amd64,i386" role="merged">The &man.wpi.4; driver has
-	  been updated to include a number of stability fixes.</para>
-
-      </sect4>
-    </sect3>
-
-    <sect3 id="net-proto">
-      <title>Network Protocols</title>
-
-      <para>The &man.bpf.4; packet filter and capture facility now
-        supports a zero-copy mode of operation, in which buffers are
-        loaned from a user process to the kernel.  This feature can
-        be enabled by setting
-        the <varname>net.bpf.zerocopy_enable</varname> sysctl
-        variable to <literal>1</literal>.</para>
-
-      <para>ISDN4BSD(I4B), <filename>netatm</filename>, and all
-        related subsystems have been removed due to lack of
-        multi-processor support.</para>
-
-      <para role="merged">A bug in TCP options padding, where the wrong padding
-        bytes were used, has been fixed.</para>
-
-    </sect3>
-
-    <sect3 id="disks">
-      <title>Disks and Storage</title>
-
-      <para role="merged">The &man.aac.4; driver now supports volumes larger than
-        2TB in size.</para>
-
-      <para>The &man.ata.4; driver now supports a spindown command for
-        disks; after a configurable amount of time, if no requests
-        have been received for a disk, the disk will be spun down
-        until the next request.  The &man.atacontrol.8; utility now
-        supports a <command>spindown</command> command to configure
-        this feature.</para>
-
-      <para role="merged">The &man.hptrr.4; driver has been updated to version 1.2
-        from Highpoint.</para>
-
-    </sect3>
-
-    <sect3 id="fs">
-      <title>File Systems</title>
-
-      <para>A problem with using &man.mmap.2; on ZFS filesystems has
-        been fixed.</para>
-
-      <para>A new kernel-mode NFS lock manager has been added,
-        improving performance and behavior of NFS locking.  A new
-        &man.clear.locks.8; command has been added to clear locks held
-        on behalf of an NFS client.</para>
-
-    </sect3>
-  </sect2>
-
-  <sect2 id="userland">
-    <title>Userland Changes</title>
-
-    <para role="merged">The &man.adduser.8; utility now supports
-      a <option>-M</option> option to set the mode of a new user's
-      home directory.</para>
-
-    <para>BSD-licensed versions of &man.ar.1; and &man.ranlib.1;,
-      based on <filename>libarchive</filename>, have replaced the GNU
-      Binutils versions of these utilities.</para>
-
-    <para role="merged">&man.chflags.1; now supports a <option>-v</option> flag for
-      verbose output and a <option>-f</option> flag to ignore errors
-      with the same semantics as (for example)
-      &man.chmod.1;.</para>
-
-    <para>For compatiblity with other implementations, &man.cp.1; now
-      supports a <option>-a</option> flag, which is equivalent to
-      specifying the <option>-RrP</option> flags.</para>
-
-    <para>BSD-licensed version of &man.cpio.1; based on
-      <filename>libarchive</filename>, has replaced the GNU cpio.
-      Note that the GNU cpio is still installed as
-      <filename>gcpio</filename>.</para>
-
-    <para>The &man.env.1; program now supports <option>-u
-      <replaceable>name</replaceable></option>
-      which will completely unset the given variable
-      <replaceable>name</replaceable> by removing it from the environment,
-      instead of just setting it to a null value.</para>
-
-    <para>The &man.fdopendir.3; library function has been added.</para>
-
-    <para role="merged">The &man.fetch.3; library now support HTTP 1.1
-      If-Modified-Since behavior.  The &man.fetch.1; program now
-      supports <option>-i <replaceable>filename</replaceable></option>
-      which will only download the specified HTTP URL if the content
-      is newer than <replaceable>filename</replaceable>.</para>
-
-    <para>&man.find.1; has been enhanced by the addition of a number
-      of primaries that were present in GNU find but not &os;
-      &man.find.1;.</para>
-
-    <para>&man.jexec.8; now supports <option>-h
-      <replaceable>hostname</replaceable></option> option to specify the
-      jail where the command will be executed.</para>
-
-    <para>&man.kgdb.1; now supports a new <command>add-kld</command>
-      command to make it easier to debug crash dumps with kernel
-      modules.</para>
-
-    <para>The &man.ls.1; program now supports a <option>-D</option>
-      option to specify a date format string to be used with the long
-      format (<option>-l</option>) output.</para>
-
-    <para>&man.nc.1; now supports a <option>-O</option> switch to
-      disable the use of TCP options.</para>
-
-    <para>The &man.ping6.8; utility now returns <literal>2</literal>
-      when the packet transmission was successful but no responses
-      were received (this is the same behavior as &man.ping.8;).
-      It returned a non-zero value before this change.</para>
-
-    <para>The &man.procstat.1; utility has been added to display
-      detailed information about processes.</para>
-
-    <para role="merged">The &man.realpath.1; utility now supports
-      a <option>-q</option> flag to suppress warnings; it now also
-      accepts multiple paths on its command line.</para>
-
-    <para>The &man.split.1; utility now supports a <option>-n</option>
-      flag to split a file into a certain number of chunks.</para>
-
-    <para>The &man.tar.1; utility now supports a <option>-Z</option>
-      flag to enable &man.compress.1;-style
-      compression/decompression.</para>
-
-    <para>The &man.tar.1; utility now supports a
-      <option>--numeric-owner</option> flag to ignore user/group names
-      on create and extract.</para>
-
-    <para>The &man.tar.1; utility now supports an
-      <option>-S</option> flag to sparsify files on extraction.</para>
-
-    <para>The &man.tar.1; utility now supports a <option>-s</option>
-      flag to substitute filenames based on the specified regular
-      expression.</para>
-
-    <para>The &man.tcgetsid.3; library function has been added to
-      return the process group ID for the session leader for the
-      controlling terminal.  It is defined in IEEE Std 1003.1-2001
-      (POSIX).</para>
-
-    <para>&man.top.1; now supports a <option>-P</option> flag to
-      provide per-CPU usage statistics.</para>
-
-    <para>&man.zdump.8; is now working properly on 64 bit architectures.
-      </para>
-
-    <para>&man.traceroute.8; now has the ability to print the AS
-      number for each hop with the new <option>-a</option> switch; a
-      new <option>-A</option> option allows selecting a particular
-      WHOIS server.</para>
-
-    <para>&man.traceroute6.8; now supports a <option>-U</option> flag
-      to send probe packets with no upper-layer protocol, rather than
-      the usual UDP probe packets.</para>
-
-    <sect3 id="rc-scripts">
-      <title><filename>/etc/rc.d</filename> Scripts</title>
-
-      <para></para>
-
-    </sect3>
-  </sect2>
-
-  <sect2 id="contrib">
-    <title>Contributed Software</title>
-
-    <para role="merged"><application>AMD</application> has been updated from 6.0.10
-      to 6.1.5.</para>
-
-    <para role="merged"><application>awk</application> has been updated from 1 May
-      2007 release to the 23 October 2007 release.</para>
-
-    <para role="merged"><application>bzip2</application> has been updated from 1.0.4
-      to 1.0.5.</para>
-
-    <para><application>CVS</application> has been updated from 1.11.17
-      to a post-1.11.22 snapshot from 10 March 2008.</para>
-
-    <para><application>FILE</application> has been updated from 4.23
-      to 5.03.</para>
-
-    <para><application>hostapd</application> has been
-      updated from 0.5.8 to 0.5.10.</para>
-
-    <para><application>IPFilter</application> has been updated from
-      4.1.23 to 4.1.28.</para>
-
-    <para><application>less</application> has been updated from
-      v408 to v429.</para>
-
-    <para><application>ncurses</application> has been updated from
-      5.6-20061217 to 5.6-20080503.</para>
-
-    <para role="merged"><application>OpenSSH</application> has been updated
-      from 4.5p1 to 5.1p1.</para>
-
-    <para role="merged"><application>OpenPAM</application> has been updated from the
-      Figwort release to the Hydrangea release.</para>
-
-    <para role="merged"><application>sendmail</application> has been updated from
-      8.14.1 to 8.14.3.</para>
-
-    <para role="merged">The timezone database has been updated from
-      the <application>tzdata2008h</application> release to
-      the <application>tzdata2009j</application> release.</para>
-
-    <para>The stdtime part of libc, &man.zdump.8 and &man.zic.8
-      have been updated from the <application>tzcode2004a</application>
-      release to the <application>tzcode2009h</application> release.
-      If you have upgraded from source or via the &man.freebsd-update.8,
-      then please run &man.tzsetup.8 to install a new /etc/localtime.
-      </para>
-
-    <para><application>WPA Supplicant</application> has been
-      updated from 0.5.8 to 0.5.10.</para>
-
-  </sect2>
-
-  <sect2 id="ports">
-    <title>Ports/Packages Collection Infrastructure</title>
-
-    <para>The &man.pkg.create.1; utility now supports
-      <option>-n</option>.  When this option is specified and a
-      package tarball exists, it will not be overwritten.  This is
-      useful when multiple packages are saved with several consecutive
-      runs of &man.pkg.create.1; with the <option>-Rb</option>
-      options.</para>
-
-    <para>The pkg_sign and pkg_check utilities for cryptographically
-      signing &os; packages have been removed.  They were only useful
-      for packages compressed using &man.gzip.1;; however
-      &man.bzip2.1; compression has been the norm for some time
-      now.</para>
-
-  </sect2>
-
-  <sect2 id="releng">
-    <title>Release Engineering and Integration</title>
-
-    <para role="merged">The supported version of
-      the <application>GNOME</application> desktop environment
-      (<filename role="package">x11/gnome2</filename>) has been
-      updated from 2.20.1 to 2.22.</para>
-
-  </sect2>
-
-  <sect2 id="doc">
-    <title>Documentation</title>
-
-    <para></para>
-
-  </sect2>
-</sect1>
-
-<sect1 id="upgrade">
-  <title>Upgrading from previous releases of &os;</title>
+  <sect1 id="new">
+    <title>What's New</title>
 
-  <para arch="amd64,i386">Beginning with &os; 6.2-RELEASE,
-    binary upgrades between RELEASE versions (and snapshots of the
-    various security branches) are supported using the
-    &man.freebsd-update.8; utility.  The binary upgrade procedure will
-    update unmodified userland utilities, as well as unmodified GENERIC or
-    SMP kernels distributed as a part of an official &os; release.
-    The &man.freebsd-update.8; utility requires that the host being
-    upgraded have Internet connectivity.</para>
-
-  <para>An older form of binary upgrade is supported through the
-    <command>Upgrade</command> option from the main &man.sysinstall.8;
-    menu on CDROM distribution media.  This type of binary upgrade
-    may be useful on non-&arch.i386;, non-&arch.amd64; machines
-    or on systems with no Internet connectivity.</para>
-
-  <para>Source-based upgrades (those based on recompiling the &os;
-    base system from source code) from previous versions are
-    supported, according to the instructions in
-    <filename>/usr/src/UPDATING</filename>.</para>
-
-  <important>
-    <para>Upgrading &os; should, of course, only be attempted after
-      backing up <emphasis>all</emphasis> data and configuration
-      files.</para>
-  </important>
-</sect1>
+    <para>This section describes the most user-visible new or changed
+      features in &os; since &release.prev;, and changes shown in
+      Release Notes for the previous releases are marked as
+      <literal>[7.1R]</literal> and <literal>[7.2R]</literal>.</para>
+
+    <para>Typical release note items document recent security
+      advisories issued after &release.prev;, new drivers or hardware
+      support, new commands or options, major bug fixes, or
+      contributed software upgrades.  They may also list changes to
+      major ports/packages or release engineering practices.  Clearly
+      the release notes cannot list every single change made to &os;
+      between releases; this document focuses primarily on security
+      advisories, user-visible changes, and major architectural
+      improvements.</para>
+
+    <sect2 id="security">
+      <title>Security Advisories</title>
+
+      <para>Problems described in the following security advisories have
+	been fixed.  For more information, consult the individual
+	advisories available from
+	<ulink url="http://security.FreeBSD.org/"></ulink>.</para>;
+
+      <informaltable frame="none" pgwide="0">
+	<tgroup cols="3">
+	  <colspec colwidth="1*">
+	  <colspec colwidth="1*">
+	  <colspec colwidth="3*">
+	    <thead>
+	      <row>
+		<entry>Advisory</entry>
+		<entry>Date</entry>
+		<entry>Topic</entry>
+	      </row>
+	    </thead>
+
+	    <tbody>
+	      <row role="7.1">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:05.openssh.asc"
+			      >SA-08:05.openssh</ulink></entry>
+		<entry>17&nbsp;April&nbsp;2008</entry>
+		<entry><para>OpenSSH X11-forwarding privilege escalation</para></entry>
+	      </row>
+
+	      <row role="7.1">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:06.bind.asc"
+			      >SA-08:06.bind</ulink></entry>
+		<entry>13&nbsp;July&nbsp;2008</entry>
+		<entry><para>DNS cache poisoning</para></entry>
+	      </row>
+
+	      <row role="7.1">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:07.amd64.asc"
+			      >SA-08:07.amd64</ulink></entry>
+		<entry>3&nbsp;September&nbsp;2008</entry>
+		<entry><para>amd64 swapgs local privilege escalation</para></entry>
+	      </row>
+
+	      <row role="7.1">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:08.nmount.asc"
+			      >SA-08:08.nmount</ulink></entry>
+		<entry>3&nbsp;September&nbsp;2008</entry>
+		<entry><para>&man.nmount.2; local arbitrary code execution</para></entry>
+	      </row>
+
+	      <row role="7.1">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:09.icmp6.asc"
+			      >SA-08:09.icmp6</ulink></entry>
+		<entry>3&nbsp;September&nbsp;2008</entry>
+		<entry><para>Remote kernel panics on IPv6 connections</para></entry>
+	      </row>
+
+	      <row role="7.1">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:10.nd6.asc"
+			      >SA-08:10.nd6</ulink></entry>
+		<entry>1&nbsp;October&nbsp;2008</entry>
+		<entry><para>IPv6 Neighbor Discovery Protocol routing vulnerability</para></entry>
+	      </row>
+
+	      <row role="7.1">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:11.arc4random.asc"
+			      >SA-08:11.arc4random</ulink></entry>
+		<entry>24&nbsp;November&nbsp;2008</entry>
+		<entry><para>&man.arc4random.9; predictable sequence vulnerability</para></entry>
+	      </row>
+
+	      <row role="7.1">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:12.ftpd.asc"
+			      >SA-08:12.ftpd</ulink></entry>
+		<entry>23&nbsp;December&nbsp;2008</entry>
+		<entry><para>Cross-site request forgery in &man.ftpd.8;</para></entry>
+	      </row>
+
+	      <row role="7.1">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-08:13.protosw.asc"
+			      >SA-08:13.protosw</ulink></entry>
+		<entry>23&nbsp;December&nbsp;2008</entry>
+		<entry><para>netgraph / bluetooth privilege escalation</para></entry>
+	      </row>
+
+	      <row role="7.2">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:01.lukemftpd.asc"
+			      >SA-09:01.lukemftpd</ulink></entry>
+		<entry>07&nbsp;January&nbsp;2009</entry>
+		<entry><para>Cross-site request forgery in
+		  &man.lukemftpd.8;</para></entry>
+	      </row>
+
+	      <row role="7.2">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:02.openssl.asc"
+			      >SA-09:02.openssl</ulink></entry>
+		<entry>07&nbsp;January&nbsp;2009</entry>
+		<entry><para>OpenSSL incorrectly checks for malformed
+		  signatures</para></entry>
+	      </row>
+
+	      <row role="7.2">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:03.ntpd.asc"
+			      >SA-09:03.ntpd</ulink></entry>
+		<entry>13&nbsp;January&nbsp;2009</entry>
+		<entry><para>ntpd cryptographic signature
+		  bypass</para></entry>
+	      </row>
+
+	      <row role="7.2">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:04.bind.asc"
+			      >SA-09:04.bind</ulink></entry>
+		<entry>13&nbsp;January&nbsp;2009</entry>
+		<entry><para>BIND DNSSEC incorrect checks for
+		  malformed signatures</para></entry>
+	      </row>
+
+	      <row role="7.2">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:05.telnetd.asc"
+			      >SA-09:05.telnetd</ulink></entry>
+		<entry>16&nbsp;February&nbsp;2009</entry>
+		<entry><para>telnetd code execution
+		  vulnerability</para></entry>
+	      </row>
+
+	      <row role="7.2">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:06.ktimer.asc"
+			      >SA-09:06.ktimer</ulink></entry>
+		<entry>23&nbsp;March&nbsp;2009</entry>
+		<entry><para>Local privilege escalation</para></entry>
+	      </row>
+
+	      <row role="7.2">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:07.libc.asc"
+			      >SA-09:07.libc</ulink></entry>
+		<entry>04&nbsp;April&nbsp;2009</entry>
+		<entry><para>Information leak in &man.db.3;</para></entry>
+	      </row>
+
+	      <row role="7.2">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:08.openssl.asc"
+			      >SA-09:08.openssl</ulink></entry>
+		<entry>22&nbsp;April&nbsp;2009</entry>
+		<entry><para>Remotely exploitable crash in
+		  OpenSSL</para></entry>
+	      </row>
+
+	      <row role="8.0">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc"
+			      >SA-09:09.pipe</ulink></entry>
+		<entry>10&nbsp;June&nbsp;2009</entry>
+		<entry><para>Local information disclosure via direct pipe writes</para></entry>
+	      </row>
+
+	      <row role="8.0">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc"
+			      >SA-09:10.ipv6</ulink></entry>
+		<entry>10&nbsp;June&nbsp;2009</entry>
+		<entry><para>Missing permission check on SIOCSIFINFO_IN6 ioctl</para></entry>
+	      </row>
+
+	      <row role="8.0">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:11.ntpd.asc"
+			      >SA-09:11.ntpd</ulink></entry>
+		<entry>10&nbsp;June&nbsp;2009</entry>
+		<entry><para>ntpd stack-based buffer-overflow vulnerability</para></entry>
+	      </row>
+
+	      <row role="8.0">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:12.bind.asc"
+			      >SA-09:12.bind</ulink></entry>
+		<entry>29&nbsp;July&nbsp;2009</entry>
+		<entry><para>BIND &man.named.8; dynamic update message remote DoS</para></entry>
+	      </row>
+	      <row role="8.0">
+		<entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:14.devfs.asc"
+			      >SA-09:14.devfs</ulink></entry>
+		<entry>2&nbsp;Oct&nbsp;2009</entry>
+		<entry><para>Devfs / VFS NULL pointer race condition</para></entry>
+	      </row>
+	    </tbody>
+	</tgroup>
+      </informaltable>
+    </sect2>
+
+    <sect2 id="kernel">
+      <title>Kernel Changes</title>
+
+      <para role="8.0">The &os; <filename>GENERIC</filename> kernel now
+	includes Trusted BSD MAC (Mandatory Access Control) support.
+	No MAC policy module is loaded by default.</para>
+
+      <para role="8.0" arch="i386">A loader
+	tunable <varname>hw.clflush_disable</varname> has been added
+	to avoid panic (trap 9)
+	at <function>map_invalidate_cache_range()</function> even if
+	Intel CPU is used.  This tunable can be set
+	to <literal>-1</literal> (default), <literal>0</literal> and
+	<literal>1</literal>.  The <literal>-1</literal> is same as
+	the current behavior, which automatically
+	disables <literal>CLFLUSH</literal> on Intel CPUs without
+	<literal>CPUID_SS</literal> (this should occurr on Xen
+	only).	You can specify <literal>1</literal> when this panic
+	happens on non-Intel CPUs (such as AMD's).  Because disabling
+	<literal>CLFLUSH</literal> can reduce performance, you can try
+	with setting <literal>0</literal> on Intel CPUs
+	without <literal>SS</literal> to
+	use <literal>CLFLUSH</literal> feature.</para>
+
+      <para role="8.0">The &os; newbus subsystem is now MPSAFE.</para>
+
+      <para role="8.0">The &man.jail.8; subsystem has been updated.  Changes include:</para>
+
+      <itemizedlist role="7.2">
+	<listitem>
+	  <para role="8.0">A new virtualization container
+	    named <quote>vimage</quote> has been implemented.  This is
+	    not enabled by default.  To enable this, add the following
+	    kernel options to your kernel configuration file and
+	    rebuild the kernel:</para>
+
+	  <programlisting>options	VIMAGE</programlisting>
+
+	  <para>Note that <literal>options SCTP</literal> in the
+	    <filename>GENERIC</filename> kernel is not compatible with
+	    <literal>options VIMAGE</literal>.  This limitation will
+	    be fixed in the next release.</para>
+
+	  <para>The vimage is a jail with a virtualized instance of
+	    the &os; network stack.  It can be created by using
+	    &man.jail.8; command like this:</para>
+
+	  <screen>&prompt.root; jail -c vnet name=<replaceable>vnet1</replaceable> host.hostname=<replaceable>vnet1.example.net</replaceable> path=/ persist</screen>
+
+	  <para>The vimage has own loopback interface and a separated
+	    network stack including the L3 routing tables.  Network
+	    interfaces on the system can be moved by using
+	    &man.ifconfig.8; <option>vnet</option> option between the
+	    different vimage jails and outside of them.</para>
+
+	  <para>Furthermore, the &man.epair.4; pseudo-interface driver
+	    has been added to help communication between vimage jails.
+	    It emulates a pair of back-to-back connected Ethernet
+	    interfaces.	 For example, the following commands create an
+	    interface pair of &man.epair.4;:</para>
+
+	  <screen>&prompt.root; ifconfig epair0 create
+epair0a
+&prompt.root; ifconfig epair0a
+epair0a: flags=8842&lt;BROADCAST,RUNNING,SIMPLEX,MULTICAST&gt; metric 0 mtu 1500
+	ether 02:c0:64:00:07:0a
+&prompt.root; ifconfig epair0b
+epair0b: flags=8842&lt;BROADCAST,RUNNING,SIMPLEX,MULTICAST&gt; metric 0 mtu 1500
+	ether 02:c0:64:00:08:0b</screen>
+
+	  <para>The &man.epair.4; pseudo-interfaces and any physical
+	    interfaces on the system can be moved between vimage jails
+	    by using &man.ifconfig.8; <option>vnet</option> option as
+	    described above.  Even after half of an &man.epair.4; pair
+	    is moved, the back-to-back connection still valid and can
+	    be used for inter-jail communication.</para>
+
+	  <para>Note that vimage is still considered as an
+	    experimental feature.</para>
+	</listitem>
+
+	<listitem>
+	  <para>A jail can now have arbitrary named parameters similar
+	    to environmental variables and the fixed jail parameters
+	    in the previous releases have been replaced with them.
+	    The jail name can now be used for identifying the jail in
+	    &man.jexec.8; and &man.killall.1;.</para>
+	</listitem>
+
+	<listitem>
+	  <para>Multiple IPv4 and/or IPv6 addresses per jail are now
+	    supported.  It is even possible to have jails without
+	    an IP address at all, which basically gives one a chrooted
+	    environment with restricted process view and no
+	    networking.</para>
+	</listitem>
+
+	<listitem>
+	  <para>SCTP (&man.sctp.4;) with IPv6 in jails has been
+	    implemented.</para>
+	</listitem>
+
+	<listitem>
+	  <para>Specific CPU binding by using &man.cpuset.1; has been
+	    implemented.  Note that the current implementation allows
+	    the superuser inside of the jail to change the CPU
+	    bindings specified.</para>
+	</listitem>
+
+	<listitem>
+	  <para>A &man.jail.8; can start with a specific route
+	    FIB now.</para>
+	</listitem>
+
+	<listitem>
+	  <para>The &man.ddb.8; kernel debugger now supports a
+	    <literal>show jails</literal> subcommand.</para>
+	</listitem>
+
+	<listitem>
+	  <para>Compatibility support which permits 32-bit jail
+	    binaries to be used on 64-bit systems to manage jails has
+	    been added.</para>
+	</listitem>
+
+	<listitem>
+	  <para>Note that both version numbers of
+	    <literal>jail</literal> and <literal>prison</literal> in
+	    the &man.jail.8; have been updated for the new
+	    features.</para>
+	</listitem>
+      </itemizedlist>
+
+      <para role="8.0">The &man.ksyms.4;, kernel symbol table
+	interface driver has been added.  It creates a character
+	device <filename>/dev/ksyms</filename> and provides
+	read-only access to a snapshot of the kernel symbol
+	table.</para>
+
+      <para role="8.0" arch="amd64,i386">The &os; Linux emulation
+	layer has been updated to version 2.6.16 and the default Linux
+	infrastructure port is
+	<filename>emulators/linux_base-f10</filename> (Fedora
+	10).</para>
+
+      <para role="8.0" arch="amd64,i386">The &os; virtual memory
+	subsystem now supports fully transparent use of
+	<application>superpages</application> for application memory;
+	application memory pages are dynamically promoted to or
+	demoted from superpages without any modification to
+	application code.  This change offers the benefit of large
+	page sizes such as improved virtual memory efficiency and
+	reduced TLB (translation lookaside buffer) misses without
+	downsides like application changes and virtual memory
+	inflexibility. This can be enabled by setting a loader tunable
+	<varname>vm.pmap.pg_ps_enabled</varname> to
+	<literal>1</literal> and is enabled by default on
+	&arch.amd64;.</para>
+
+      <para role="7.2">The &man.ddb.8; kernel debugger now supports a
+	<command>show mount</command> subcommand.</para>
+
+      <para role="7.2">The &os; DTrace subsystem now supports a probe for
+	process execution.</para>
+
+      <para role="7.2" arch="amd64">The &os; kernel virtual address
+	space has been increased to 6GB. This allows subsystems to use
+	larger virtual memory space than before.  For example, the
+	&man.zfs.8; adaptive replacement cache (ARC) requires large
+	kernel memory space to cache file system data, so it benefits
+	from the increased address space.  Note that the ceiling on
+	the kernel map size is now 60% of the size of physical memory
+	rather than an absolute quantity.</para>
+
+      <para role="7.2">The &man.kld.4; now supports installing 32-bit
+	system calls to the &os; syscall translation layer from kernel
+	modules.</para>
+
+      <para role="7.2">The &man.ktr.4; now supports a new KTR tracepoint in the
+	<literal>KTR_CALLOUT</literal> class to note when a callout
+	routine finishes executing.</para>
+
+      <para role="7.2">Types of variables used to track the amount of allocated
+	System V shared memory have been changed from
+	<literal>int</literal> to <literal>size_t</literal>.  This
+	makes it possible to use more than 2 GB of memory for shared
+	memory segments on 64-bit architectures.  Please note the new
+	BUGS section in &man.shmctl.2; and
+	<filename>/usr/src/UPDATING</filename> for limitations of this
+	temporary solution.</para>
+
+      <para role="7.2">The &man.sysctl.3; leaf nodes have a flag to tag
+	themselves as MPSAFE now.</para>
+
+      <para role="7.2">The &os; 32-bit system call translation layer now
+	supports installing 32-bit system calls for
+	<literal>VFS_AIO</literal>.</para>
+
+      <para role="7.1">The &man.clock.gettime.2; and the related system calls now
+	support a clock ID <literal>CLOCK_THREAD_CPUTIME_ID</literal>,
+	as defined in POSIX.</para>
+
+      <para role="7.1">The &man.cpuset.2; system call has been added.  This is an
+	API for thread to CPU binding and CPU resource grouping and
+	assignment.</para>
+
+      <para role="7.1">The DTrace, a comprehensive dynamic tracing framework and
+	&man.dtrace.1; userland utility have been imported from
+	OpenSolaris.  DTrace provides a powerful infrastructure to
+	permit administrators, developers, and service personnel to
+	concisely answer arbitrary questions about the behavior of the
+	operating system and user programs.</para>
+
+      <para role="7.1">The &man.ddb.4; kernel debugger now has an output capture
+	facility.  Input and output from &man.ddb.4; can now be captured
+	to a memory buffer for later inspection using &man.sysctl.8; or
+	a textdump.  The new <command>capture</command> command controls
+	this feature.</para>
+
+      <para role="7.1">The &man.ddb.4; debugger now supports a simple scripting
+	facility, which supports a set of named scripts consisting of a
+	set of &man.ddb.4; commands.  These commands can be managed from
+	within &man.ddb.4; or with the use of the new &man.ddb.8;
+	utility.  More details can be found in the &man.ddb.4; manual
+	page.</para>
+
+      <para role="7.1">The &man.ddb.4; <command>ex</command> command now supports
+	an <option>/S</option> mode which interprets and prints the
+	value at the requested address as a symbol.  For example,
+	<userinput>ex /S <replaceable>aio_swake</replaceable></userinput>
+	prints the name of the function currently registered in
+	via <replaceable>aio_swake</replaceable> hook.</para>
+
+      <para role="7.1">The &man.ddb.4; <command>show conifhk</command> command has
+	been added.  This lists hooks currently waiting for completion
+	in <function>run_interrupt_driven_config_hooks()</function>.</para>
+
+      <para role="7.1">The &man.fcntl.2; system call now supports
+	<literal>F_DUP2FD</literal> command.  This is equivalent to
+	&man.dup.2;, and compatible with the Sun Solaris and the IBM
+	AIX.</para>
+
+      <para role="7.1">The &os;'s &man.linux.4; ABI support now implements
+	<function>sched_setaffinity()</function> and
+	<function>sched_getaffinity()</function> using real CPU affinity
+	setting primitives.</para>
+
+      <para role="7.1">The &man.procstat.1; utility has been added. This is a
+	process inspection utility which provides some of the missing
+	functionality from &man.procfs.5; and new functionality for monitoring
+	and debugging specific processes.</para>
+
+      <para role="7.1">The client side functionality of &man.rpc.lockd.8; has been
+	implemented in the &os; kernel.  This implementation provides the
+	correct semantics for &man.flock.2; style locks which are used
+	by the &man.lockf.1; command line tool and the &man.pidfile.3;
+	library.  It also implements recovery from server restarts and
+	ensures that dirty cache blocks are written to the server before
+	obtaining locks (allowing multiple clients to use file locking
+	to safely share data).	Also, a new kernel option
+	<literal>options NFSLOCKD</literal> has been added and enabled
+	by default.  If the kernel support is enabled, &man.rpc.lockd.8;
+	automatically detects and uses the functionality.</para>
+
+      <para role="7.1">The &os; kernel now supports a new textdump format of kernel
+	dumps.	A textdump provides higher-level information via
+	mechanically generated/extracted debugging output, rather than a
+	simple memory dump. This facility can be used to generate brief
+	kernel bug reports that are rich in debugging information, but
+	are not dependent on kernel symbol tables or precisely
+	synchronized source code.  More information can be found in the
+	&man.textdump.4; manual page.</para>
+
+      <para role="7.1">The &man.wait4.2; system call now supports
+	<option>WNOWAIT</option> flag to keep the process whose status
+	is returned in a waitable state and <option>WSTOPPED</option>
+	which is equivalent to <option>WUNTRACED</option>.</para>
+
+      <para role="7.1" arch="amd64,i386,sparc64">The &os; kernel now has
+	initial support of binding interrupts to CPUs.</para>
+
+      <para role="7.1" arch="amd64,i386"> The &man.sched.ule.4; scheduler is now the default
+	process scheduler in <filename>GENERIC</filename>
+	kernels.</para>
+
+      <para role="7.1">The sysctl
+	variables <varname>kern.features.compat_freebsd[456]</varname>
+	have been added.  These are corresponding to the kernel options
+	<literal>COMPAT_FREEBSD[456]</literal>.</para>
+
+      <sect3 id="boot">
+	<title>Boot Loader Changes</title>
+
+	<para role="8.0">The <application>boot0</application> boot
+	  loader now preserves volume ID at offset
+	  0x1b8 used in other operating systems </para>
+
+	<para role="8.0">The &man.boot0cfg.8; utility now supports a
+	  new <option>-i</option> option to set the volume ID.</para>
+
+	<para role="7.2">The &man.boot.8; now supports 4-byte volume ID that

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200911262055.nAQKtijU092885>