Date: Fri, 19 Mar 2010 18:33:40 +0000 (UTC)
From: Hiroki Sato <hrs@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org
Subject: svn commit: r205342 - releng/7.3/release/doc/en_US.ISO8859-1/relnotes
Message-ID: <201003191833.o2JIXeBX031015@svn.freebsd.org>
Author: hrs Date: Fri Mar 19 18:33:40 2010 New Revision: 205342 URL: http://svn.freebsd.org/changeset/base/205342 Log: Update relnotes (final round, hopefully): SA-09:09,10,11,12,14,15,16,17,10:01,02,03, security.jail.ip[46]_saddrsel, acpidump(8) SRAT support (acpi(4) entry removed)[1], sched_ule(4) deadlock fixed (EN-10:02), superpages enabled by default on amd64 (superpages entry revised)[1], security.bsd.map_at_zero, boot2 on pc98 reimplemented, vgapci(4) MSI/MSI-X proxying (item of the old pci(4) item removed)[1], bce(4) bugfix, cxgb(4) firmware 7.8.0[2], fxp(4) + TSO = poor performance fixed, mxge(4) firmware 1.4.48b, ste(4) improvements, vlan(4) now in GENERIC, gstripe(8) default stripe size is now 64KB, fetch(1) HTTP digest auth support, fetch(1) NO_PROXY/no_proxy support, getpagesize(3) added, mergemaster(8) DELETE_STALE_RC_FILES support, tftp(1) exit status fixed, traceroute(8) address selection in jail, whois(1) -d removed, $vlans_IF in rc.conf added, ISC BIND 9.4-ESV, tzdata2010b, GNOME 2.28.2, and KDE 4.3.5. Spotted by: jhb[1] and np[2] Approved by: re (implicitly) Modified: releng/7.3/release/doc/en_US.ISO8859-1/relnotes/article.sgml Modified: releng/7.3/release/doc/en_US.ISO8859-1/relnotes/article.sgml ============================================================================== --- releng/7.3/release/doc/en_US.ISO8859-1/relnotes/article.sgml Fri Mar 19 17:48:34 2010 (r205341) +++ releng/7.3/release/doc/en_US.ISO8859-1/relnotes/article.sgml Fri Mar 19 18:33:40 2010 (r205342) @@ -120,7 +120,6 @@ advisories available from <ulink url="http://security.FreeBSD.org/"></ulink>.</para> -<!-- <informaltable frame="none" pgwide="0"> <tgroup cols="3"> <colspec colwidth="1*"> 
@@ -136,25 +135,89 @@ <tbody> <row> - <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:01.lukemftpd.asc" - >SA-09:01.lukemftpd</ulink></entry> - <entry>07 January 2009</entry> - <entry><para>Cross-site request forgery in - &man.lukemftpd.8;</para></entry> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:09.pipe.asc" + >SA-09:09.pipe</ulink></entry> + <entry>10 June 2009</entry> + <entry><para>Local information disclosure via direct pipe writes</para></entry> + </row> + + <row> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:10.ipv6.asc" + >SA-09:10.ipv6</ulink></entry> + <entry>10 June 2009</entry> + <entry><para>Missing permission check on SIOCSIFINFO_IN6 ioctl</para></entry> + </row> + + <row> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:11.ntpd.asc" + >SA-09:11.ntpd</ulink></entry> + <entry>10 June 2009</entry> + <entry><para>ntpd stack-based buffer-overflow vulnerability</para></entry> + </row> + + <row> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:12.bind.asc" + >SA-09:12.bind</ulink></entry> + <entry>29 July 2009</entry> + <entry><para>BIND &man.named.8; dynamic update message remote DoS</para></entry> + </row> + + <row> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:14.devfs.asc" + >SA-09:14.devfs</ulink></entry> + <entry>2 Oct 2009</entry> + <entry><para>Devfs / VFS NULL pointer race condition</para></entry> + </row> + + <row> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:15.ssl.asc" + >SA-09:15.ssl</ulink></entry> + <entry>3 Dec 2009</entry> + <entry><para>SSL protocol flaw</para></entry> + </row> + + <row> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-09:16.rtld.asc" + >SA-09:16.rtld</ulink></entry> + <entry>3 Dec 2009</entry> + <entry><para>Improper environment sanitization in &man.rtld.1;</para></entry> + </row> + + <row> + <entry><ulink 
url="http://security.freebsd.org/advisories/FreeBSD-SA-09:17.freebsd-update.asc" + >SA-09:17.freebsd-update</ulink></entry> + <entry>3 Dec 2009</entry> + <entry><para>Inappropriate directory permissions in &man.freebsd-update.8;</para></entry> + </row> + + <row> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-10:01.bind.asc" + >SA-10:01.bind</ulink></entry> + <entry>6 Jan 2010</entry> + <entry><para>BIND &man.named.8; cache poisoning with DNSSEC validation</para></entry> + </row> + + <row> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-10:02.ntpd.asc" + >SA-10:02.ntpd</ulink></entry> + <entry>6 Jan 2010</entry> + <entry><para>ntpd mode 7 denial of service</para></entry> + </row> + + <row> + <entry><ulink url="http://security.freebsd.org/advisories/FreeBSD-SA-10:03.zfs.asc" + >SA-10:03.zfs</ulink></entry> + <entry>6 Jan 2010</entry> + <entry><para>ZFS ZIL playback with insecure permissions</para></entry> </row> </tbody> </tgroup> </informaltable> ---> </sect2> <sect2 id="kernel"> <title>Kernel Changes</title> - <para>The &man.acpi.4; subsystem now supports parsing SRAT - (System Resource Affinity Table used to describe affinity - relationships between CPUs and memory.</para> - <para>The &man.closefrom.2; system call has been added. This closes any open file descriptors which are equal to or larger than the specified value. Note that this does not fail with 
@@ -167,6 +230,21 @@ system call now support a sysctl variable <varname>vfs.timestamp_precision</varname>.</para> + <para>The &man.jail.8; subsystem now supports + <varname>security.jail.ip4_saddrsel</varname> and + <varname>security.jail.ip6_saddrsel</varname> sysctl variables + to control whether to use source address selection or the + primary jail address for unbound outgoing connections. The + default is that the source address selection is enabled. + Also, the jail parameter <varname>ip4.saddrsel</varname> and + <varname>ip6.saddrsel</varname> are boolean option to enable + the source address selection for IPv4 and IPv6, respectively. + If another boolean parameters + <varname>ip4.nosaddrsel</varname> and + <varname>ip6.nosaddrsel</varname> are set, the child jails do + not inherit the address selection options of the + parent.</para> + <para arch="amd64">The <varname>kmem_map</varname> KVA space has been increased to 512GB.</para> @@ -193,13 +271,17 @@ (<varname>P1003_1B_SEMAPHORES</varname> kernel option) by default.</para> + <para>A deadlock in the &man.sched.ule.4; scheduler has been + fixed. For more details, see <ulink + url="http://security.freebsd.org/advisories/FreeBSD-EN-10:02.sched_ule.asc">EN-10:02.sched_ule</ulink>.</para> + <para>&os; now supports shared memory segments for System V IPC which is larger than 2GB on 64-bit platforms. For more details, see <filename>/usr/src/UPDATING</filename> file.</para> <para>The &man.sglist.9; API to manage scatter/gather lists of - phyiscal addresses has been added.</para> + physical addresses has been added.</para> <para>&os; ABI of some of the structures used by the System V IPC API has been changed internally. For new kernel modules, 
@@ -211,19 +293,19 @@ shims. The old functions remain as the old names to provide backward compatibility for older kernel modules.</para> - <para arch="amd64,i386">The &os; virtual memory - subsystem now supports fully transparent use of - <application>superpages</application> for application memory; - application memory pages are dynamically promoted to or - demoted from superpages without any modification to - application code. This change offers the benefit of large - page sizes such as improved virtual memory efficiency and - reduced TLB (translation lookaside buffer) misses without - downsides like application changes and virtual memory - inflexibility. This can be enabled by setting a loader tunable - <varname>vm.pmap.pg_ps_enabled</varname> to - <literal>1</literal> and is enabled by default on - &arch.amd64;.</para> + <para arch="amd64">The <application>superpages</application> in + the &os; virtual memory subsystem is now enabled by + default.</para> + + <para>A new sysctl variable + <varname>security.bsd.map_at_zero</varname> has been added and + set to <literal>1</literal> (allow) by default. This controls + whether &os; allows to map an object at the address + <literal>0</literal>, which is part of the user-controlled + portion of the virtual address space. Disabling this has some + effect on preventing an attack which injects malicious code + into that location and triggers a NULL pointer dereference in + the kernel.</para> <sect3 id="boot"> <title>Boot Loader Changes</title> @@ -246,6 +328,10 @@ <para>A bug in the boot loader has been fixed. It failed to recognize GPT correctly when the system supports both of MBR and GPT and they are synchronized with each other.</para> + + <para arch="pc98">The <application>boot2</application> program + has been replaced with the latest version for + &arch.i386;.</para> </sect3> <sect3 id="proc"> 
@@ -266,6 +352,29 @@ <para>The &man.cpufreq.4; driver now supports Phenom (Family 10h).</para> + <para arch="amd64,i386">CPU cache flushing has been optimized + when changing caching attributes of pages by doing nothing + for CPUs that support self-snooping and using + <literal>CLFLUSH</literal> instead of a full cache + invalidate when possible. &os; does not use + <literal>CLFLUSH</literal> on Intel CPUs due to problems + with flushing the local APIC range by default. This can be + controlled via the <varname>hw.clflush_disable</varname> + loader tunable. A setting of <literal>1</literal> disables + the use of <literal>CLFLUSH</literal>. A setting of + <literal>0</literal> allows <literal>CLFLUSH</literal> to be + used for Intel CPUs when <literal>CPUID_SS</literal> is not + present. This fixes a kernel panic occurred on Xen which + disables self-snooping.</para> + + <para arch="sparc64">The epic(4) driver for the front panel + LEDs in Sun Fire V215/V245 has been added.</para> + + <para arch="sparc64">The fire(4) driver for + <quote>Fire</quote> JBus to PCIe bridges found in at least + the Sun Fire V215/V245 and Sun Ultra 25/45 machines has been + added.</para> + <para arch="amd64,i386">The &man.hwpmc.4; driver for Hardware Performance Monitoring Counter support has been added. This consists of the kernel driver, &man.pmc.3; interface @@ -291,11 +400,6 @@ been added. This reports all of the supported page sizes on the system.</para> - <para>The &man.pci.4; subsystem now supports proxying of PCI - Express MSI/MSI-X (Message Signaled Interrupt) requests and - bus interrupt requests for child devices. This allows child - devices to use MSI/MSI-X interrupts.</para> - <para>PCI Express memory-mapped configuration space access, ACPI MCFG table support, and BAR (Base Address Register) handling in the &man.pci.4; subsystem has been improved. 
@@ -313,19 +417,35 @@ <para><application>DRM</application> now supports Radeon HD 4200 (RS880), 4770 (RV740), and R6/7xx 3D, and Intel G41 chips.</para> + + <para>The vgapci(4) driver for PCI VGA display devices + which can attach devices as the children now supports + proxying of PCI MSI/MSI-X (Message Signaled Interrupt) + requests and bus interrupt requests for the child devices. + This allows child devices to use MSI/MSI-X interrupts.</para> </sect4> <sect4 id="net-if"> <title>Network Interface Support</title> <para>The &man.alc.4; driver for Atheros AR8131/AR8132 PCIe - ethernet controller has been added.</para> + Ethernet controller has been added.</para> + + <para>A bug in the &man.bce.4; driver has been fixed. When + adding a &man.bce.4; interface on the system as a + &man.lagg.4; member with the LACP aggregation protocol + enabled network communication via the &man.bce.4; + interface stopped completely. Although the &man.bce.4; + interface worked if it was not a &man.lagg.4; member, the + incoming traffic statistics which can be found in + &man.netstat.1; output was incorrect because every packet + was recognized as full-sized one.</para> <para>Several bugs in the &man.bge.4; driver have been fixed. It caused a panic when a lot of traffic is being handled on the interface while the system is shutting down, and had a DMA issue when buffer address crosses a - multple of the 4GB boundaries.</para> + multiple of the 4GB boundaries.</para> <para>The &man.bge.4; driver now supports TSO (TCP segmentation offloading) for BCM5755 or newer @@ -337,7 +457,7 @@ devices.</para> <para>The &man.cxgb.4; driver has been upgraded to the - latest version. The firmware version is 7.1.0.</para> + latest version. The firmware version is 7.8.0.</para> <para>The &man.et.4; driver now supports IPv4/TCP/UDP Tx checksum offloading.</para> 
@@ -346,7 +466,8 @@ multicast filter re-programming is now more robust. A bug which caused incorrect IP packet length in the header when TSO (TCP segmentation offloading) is enabled has been - fixed.</para> + fixed. This fixes poor performance when TSO is enabled in + the previous releases.</para> <para>The &man.msk.4; driver has been improved for robust operation. Also, it now supports Yukon FE+ A0 including @@ -354,8 +475,9 @@ 88E8070.</para> <para>Several bugs in the &man.mxge.4; driver have been - fixed. It could lost the promiscuous flag on resetting - and a kernel panic on the hardware fault.</para> + fixed and the firmware version is now 1.4.48b. It could + lost the promiscuous flag on resetting and a kernel panic + on the hardware fault.</para> <para>A bug in the &man.nfe.4; driver has been fixed. It caused buffer allocation failure for jumbo frames.</para> @@ -376,6 +498,17 @@ default is <literal>1</literal>. For more details, see &man.nge.4; manual page.</para> + <para>The &man.ste.4; driver has been improved and now works + on all supported platforms. It now supports + suspend/resume and WoL (Wake-on-Lan). Hardware MAC + statistics can be obtained via a new sysctl variable + <varname>dev.ste.<replaceable>N</replaceable>.stats</varname>. + Another new sysctl variables + <varname>dev.ste.<replaceable>N</replaceable>.int_rx_mod</varname> + has been added to control RX interrupt moderation time. + The default value is <literal>150</literal> (150us). For + more details, see &man.ste.4; manual page.</para> + <para>The &man.vge.4; driver has been improved. It now supports hardware checksum offloading for &man.vlan.4; tagged frames and WoL (Wake-on-Lan). Hardware MAC @@ -431,6 +564,9 @@ convenient shortcut ported from NetBSD to obtain network interface name using file descriptor for character device.</para> + + <para>The &man.vlan.4; driver is now enabled in the + <filename>GENERIC</filename> kernel.</para> </sect3> <sect3 id="disks"> 
@@ -447,7 +583,7 @@ <option>ATA_REQUEST_TIMEOUT</option>.</para> <para>A bug in the &man.ata.4; driver has been fixed. It - could generate an I/O request larger than contoller's + could generate an I/O request larger than controller's maximum I/O size and caused a kernel panic.</para> <para>An algorithm for <literal>load</literal> balancing mode @@ -462,6 +598,9 @@ It could not handle a GPT header whose size is greater than 92 bytes which is written by OpenSolaris.</para> + <para>The default stripe size of &man.gstripe.8; GEOM class + has been changed from 4KB to 64KB.</para> + <para>The &man.hptrr.4; driver now supports a new loader tunable <varname>hw.hptrr.attach_generic</varname> to prevent the driver from being attached to some Marvell chips @@ -512,7 +651,7 @@ for caching or the ZFS Intent Log, and partial &man.chflags.2; support. It also includes some &os;-specific additions, such as booting from ZFS file systems, removal of ARC - size limitations, ARC backpressure (which allows ZFS to work + size limitations, ARC back pressure (which allows ZFS to work without tunables on &arch.amd64;), and many bugfixes.</para> </sect3> </sect2> @@ -520,6 +659,10 @@ <sect2 id="userland"> <title>Userland Changes</title> + <para>The &man.acpidump.8; utility now supports parsing SRAT + (System Resource Affinity Table used to describe affinity + relationships between CPUs and memory.</para> + <para>The &man.apropos.1; command no longer sets the necessary directories to <varname>PATH</varname> variable. This means if the caller does not have <filename 
@@ -583,6 +726,14 @@ M, and G) and <literal>*</literal> for automatic calculation in the <command>p</command> command.</para> + <para>The &man.fetch.1; command now supports HTTP digest + authentication.</para> + + <para>The &man.fetch.1; command now supports + <varname>NO_PROXY</varname> and <varname>no_proxy</varname> + environment variables to disable use of HTTP proxy. For more + details, see &man.fetch.3; manual page.</para> + <para>A bug in the &man.fetch.1; command that <varname>FTP_TIMEOUT</varname> and <varname>HTTP_TIMEOUT</varname> environment variables were @@ -621,6 +772,11 @@ named kernel feature is present by checking the <varname>kern.features</varname> sysctl MIB.</para> + <para>&os; <application>libc</application> library now includes + &man.getpagesize.3; function that returns either the number of + page sizes supported by the system or a specified subset of + the supported page sizes.</para> + <para>The &man.libradius.3; now supports simple embedded RADIUS server.</para> @@ -640,6 +796,11 @@ <option>-L</option> option when it invokes &man.mtree.8; command to follow symbolic links.</para> + <para>The &man.mergemaster.8; utility now supports + <varname>DELETE_STALE_RC_FILES</varname> variable in + <filename>mergemaster.rc</filename> file to delete stale rc.d + scripts automatically.</para> + <para>A userland utility &man.mfiutil.8; for the &man.mfi.4; devices has been added. This includes basic features to monitor controller, array, and drive status, 
@@ -712,18 +873,31 @@ an error. <literal>ENOENT</literal> errors are not reported. This behavior is consistent with the GNU version.</para> + <para>The &man.tftp.1; command now returns a correct exit status + in the case of successful file transfer.</para> + + <para>The &man.traceroute.8; program now uses in-kernel source + address selection even in a &man.jail.8; environment.</para> + <para>The &man.traceroute.8; and &man.traceroute6.8; now support an <option>-a</option> flag to display AS number corresponding to the lookup IP address on each hop. It will query the number to WHOIS server specified in <option>-A</option> option. If no <option>-A</option> is specified, - <hostid>whois.radb.net</hostid> will be used as the default - value.</para> + <hostid>whois.radb.net</hostid> will be used as the default value.</para> <para>The &man.tzsetup.8; command now supports an <option>-s</option> option to skip the initial question about adjusting the clock if not set to UTC.</para> + <para>The &man.whois.1; utility has been updated. A + <option>-d</option> option has been removed because + <hostid>whois.nic.mil</hostid> no longer exists, and it + supports searching for IPv6 addresses just like it can do for + IPv4 addresses without having to explicitly specify that the + ARIN server should be used to get the initial + information.</para> + <para>The &man.yp.8; utilities now support <filename>shadow.byname</filename> and <filename>shadow.byuid</filename> maps. These requires 
@@ -740,6 +914,16 @@ for interfaces created via <varname>cloned_interfaces</varname></para> + <para>The &man.rc.conf.5; file now supports + <varname>vlans_<replaceable>IF</replaceable></varname> for + creating &man.vlan.4; interfaces. If a vlan interface is a + number, then that number is treated as the vlan tag for the + interface and the interface will be named + <quote><replaceable>IF</replaceable>.<replaceable>N</replaceable></quote>. + Otherwise, the vlan tag must be provided via a + <option>vlan</option> parameter in a <varname>create_args_<replaceable>IF</replaceable></varname> + variable.</para> + <para>The <filename>rc.d/fsck</filename> script now supports options for <varname>fsck_y_enable</varname> via <varname>fsck_y_flags</varname>.</para> @@ -787,13 +971,13 @@ static_arp_gw="192.168.1.1 00:01:02:03:0 <title>Contributed Software</title> <para><application>ISC BIND</application> has been updated to - version 9.4.3-P4.</para> + version 9.4-ESV.</para> <para><application>sendmail</application> has been updated from version 8.14.3 to version 8.14.4.</para> <para>The timezone database has been updated - to the <application>tzdata2009u</application> release.</para> + to the <application>tzdata2010b</application> release.</para> <para>The timezone binary has been updated to the <application>tzcode2009k</application> release.</para> @@ -815,12 +999,16 @@ static_arp_gw="192.168.1.1 00:01:02:03:0 <para>&os; release ISO images now have <quote>FreeBSD-</quote> at the beginning of the filenames.</para> - </sect2> - - <sect2 id="doc"> - <title>Documentation</title> - <para></para> + <para>The supported version of the + <application>GNOME</application> desktop environment + (<filename role="package">x11/gnome2</filename>) has been + updated to 2.28.2.</para> + + <para>The supported version of the + <application>KDE</application> desktop environment (<filename + role="package">x11/kde4</filename>) has been updated to + 4.3.5.</para> </sect2> </sect1>
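Review bot: the date column in the new advisory rows (hunk @@ -136,25 +135,89 @@) mixes two formats: SA-09:09 through SA-09:12 spell the month out ("10 June 2009", "29 July 2009") while SA-09:14 onward abbreviate it ("2 Oct 2009", "6 Jan 2010"). Pick one, preferably the spelled-out form that the removed SA-09:01 row used ("07 January 2009"). The rows also go from SA-09:12 straight to SA-09:14, matching the commit log; if SA-09:13 is left out deliberately, an SGML comment saying so would save the next editor from re-checking.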
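Review bot: the security.jail.ip4_saddrsel / ip6_saddrsel paragraph (hunk @@ -167,6 +230,21 @@) says source address selection is enabled by default but never gives the sysctl values, so an administrator who wants unbound outgoing connections pinned to the primary jail address cannot tell what to set; state the value for each behaviour. The names ip4.nosaddrsel and ip6.nosaddrsel read like the negated form of the same boolean, yet the text describes them as controlling inheritance by child jails, so that sentence should be checked against jail(8). The grammar also needs a pass ("are boolean option", "If another boolean parameters").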
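Review bot: the security.bsd.map_at_zero paragraph (hunk @@ -211,19 +293,19 @@) gives the default, 1 (allow), but describes the hardening case only as "Disabling this has some effect on preventing an attack". Say explicitly that setting it to 0 refuses mappings at address 0 and that this is a mitigation for kernel NULL pointer dereference bugs, and reword "allows to map an object". In the same hunk the superpages rewrite drops the vm.pmap.pg_ps_enabled loader tunable and the i386 arch attribute, so i386 readers lose the only pointer to how the feature is turned on; keep one sentence naming the tunable.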
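Review bot: the hw.clflush_disable description (hunk @@ -266,6 +352,29 @@) explains the settings 1 and 0 but not the tunable's default, and in "does not use CLFLUSH on Intel CPUs due to problems with flushing the local APIC range by default" it is unclear what "by default" attaches to. Move it to the front of the sentence and name the default value. "a kernel panic occurred on Xen" should read "a kernel panic that occurred on Xen", and epic(4) and fire(4) are written as plain text where the other driver entries in this hunk use &man.*.4; entities.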
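Review bot: inserting the firmware clause into the mxge(4) paragraph (hunk @@ -354,8 +475,9 @@) leaves "It could lost the promiscuous flag on resetting" directly after "the firmware version is now 1.4.48b", so "It" now reads as the firmware rather than the driver. Put the firmware version in its own sentence after the bug description, and fix "could lost" to "could lose" while the line is being touched.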
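Review bot: the new libc paragraph (hunk @@ -621,6 +772,11 @@) links &man.getpagesize.3;, but the behaviour it describes, returning the number of supported page sizes or a specified subset of them, is that of getpagesizes(3); the commit log has the same singular spelling. Use the plural name in the entity, and check that this paragraph does not duplicate the existing entry whose tail is visible as context in hunk @@ -291,11 +400,6 @@ ("This reports all of the supported page sizes on the system.").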
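Review bot: the acpidump(8) paragraph (hunk @@ -520,6 +659,10 @@) carries over the unbalanced parenthesis from the acpi(4) entry it replaces: "(System Resource Affinity Table used to describe affinity relationships between CPUs and memory." never closes. Close it after "Table" and recast the rest, for example "SRAT (System Resource Affinity Table), which describes affinity relationships between CPUs and memory".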
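Review bot: "If a vlan interface is a number" in the vlans_IF paragraph (hunk @@ -740,6 +914,16 @@) is hard to parse; what is meant is an entry in the vlans_IF list, so say "If an entry in the list is a number". A short rc.conf sample, as the file already gives for static_arp_gw, would make the IF.N naming and the create_args_IF case concrete.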
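Review bot: the ISC BIND entry (hunk @@ -787,13 +971,13 @@) replaces the exact version 9.4.3-P4 with the branch label 9.4-ESV, which does not tell a reader which patch level ships or whether it covers SA-10:01.bind from the advisory table added in this same commit. Give the full version string, as the previous text did.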
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201003191833.o2JIXeBX031015>