Copyright © 2013-2014 The FreeBSD Documentation Project
FreeBSD is a registered trademark of the FreeBSD Foundation.
IBM, AIX, OS/2, PowerPC, PS/2, S/390, and ThinkPad are trademarks of International Business Machines Corporation in the United States, other countries, or both.
IEEE, POSIX, and 802 are registered trademarks of Institute of Electrical and Electronics Engineers, Inc. in the United States.
Intel, Celeron, EtherExpress, i386, i486, Itanium, Pentium, and Xeon are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
SPARC, SPARC64, and UltraSPARC are trademarks of SPARC International, Inc in the United States and other countries. SPARC International, Inc owns all of the SPARC trademarks and under licensing agreements allows the proper use of these trademarks by its members.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this document, and the FreeBSD Project was aware of the trademark claim, the designations have been followed by the “™” or the “®” symbol.
The release notes for FreeBSD 10.0-RELEASE contain a summary of the changes made to the FreeBSD base system on the 10.0-STABLE development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented.
This document contains the release notes for FreeBSD 10.0-RELEASE. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD.
The latest, up-to-date version of the release notes is available online at http://www.FreeBSD.org/releases/10.0R/relnotes.html.
This distribution of FreeBSD 10.0-RELEASE is a release distribution. It can be found at http://www.FreeBSD.org/releases/ or any of its mirrors. More information on obtaining this (or other) release distributions of FreeBSD can be found in the “Obtaining FreeBSD” appendix to the FreeBSD Handbook.
All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with “late-breaking” information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD 10.0-RELEASE can be found on the FreeBSD Web site.
This section describes the most user-visible new or changed features in FreeBSD since 9.2-RELEASE.
Typical release note items document recent security advisories issued after 9.2-RELEASE, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.
Problems described in the following security advisories have been fixed. For more information, consult the individual advisories available from FreeBSD Security Information.
Advisory | Date | Topic |
---|---|---|
SA-13:14.openssh | 19 November 2013 | OpenSSH AES-GCM memory corruption vulnerability |
SA-14:01.bsnmpd | 14 January 2014 | bsnmpd remote denial of service vulnerability |
SA-14:02.ntpd | 14 January 2014 | ntpd distributed reflection Denial of Service vulnerability |
SA-14:03.openssl | 14 January 2014 | OpenSSL multiple vulnerabilities |
SA-14:04.bind | 14 January 2014 | BIND remote denial of service vulnerability |
Capsicum has been enabled in the kernel by default, allowing sandboxing of several programs that work within the “capabilities mode”.
[amd64,i386] The drm2(4) Radeon GPU driver, which works for GPUs up to Radeon HD 6000 and partially supports the Radeon HD 7000 family, has been added. This driver was ported from Linux 3.8. [r254885]
The use of unmapped VMIO buffers eliminates the need to perform TLB shootdown for mapping on buffer creation and reuse, greatly reducing the number of IPIs for shootdown on big-SMP machines and eliminating up to 25-30% of the system time on I/O-intensive workloads. [r248508]
[amd64] The maximum amount of memory the FreeBSD kernel can address has been increased from 1TB to 4TB. [r254466]
The ddb(4) kernel debugger now has an output capture facility. Input and output from ddb(4) can now be captured to a memory buffer for later inspection using sysctl(8) or a textdump. The new capture command controls this feature.
The ddb(4) debugger now supports a simple scripting facility, which supports a set of named scripts consisting of a set of ddb(4) commands. These commands can be managed from within ddb(4) or with the use of the new ddb(8) utility. More details can be found in the ddb(4) manual page.
[amd64,i386] Support was added for the new Intel on-CPU Bull Mountain random number generator, found on IvyBridge and supposedly later CPUs, accessible with the RDRAND instruction. [r240135]
[amd64] The BSD Hypervisor, bhyve(8), is included with FreeBSD. bhyve(8) requires Intel CPUs with VT-x and Extended Page Table (EPT) support. These features are on all Nehalem models and newer, but not on the lower-end Atom CPUs. [r245652]
virtio(4) support has been added. virtio(4) is the name for the paravirtualization interface developed for the Linux KVM, but since adopted by other virtual machine hypervisors (with the notable exception of Xen). This work brings in a BSD-licensed clean-room implementation of the virtio kernel drivers for disk IO (virtio_blk(4) and virtio_scsi(4)), network IO (vtnet(4)), memory ballooning (virtio_balloon(4)), and PCI. Tested on Qemu/KVM, VirtualBox, and bhyve(4). [r227652]
[amd64,i386] Paravirtualized drivers which support Microsoft Hyper-V have been imported and made part of the amd64 GENERIC kernel. For i386, these drivers are not part of GENERIC, so the following lines must be added to /boot/loader.conf to load these drivers: [r255524]

```
hv_ata_pci_disengage_load="YES"
hv_netsvc_load="YES"
hv_utils_load="YES"
hv_vmbus_load="YES"
```

Alternatively, the Hyper-V drivers can be added to the i386 kernel by adding device hyperv to the kernel config, and then recompiling the kernel. Please refer to FreeBSD and Microsoft Windows Server Hyper-V support for full instructions on how to set up Hyper-V support under FreeBSD.
The vmx(4) driver has been added. vmx(4) is a VMware VMXNET3 ethernet driver ported from OpenBSD. [r254738]
[amd64,i386] Xen PVHVM virtualization is now part of the GENERIC kernel. [r255744]
Raspberry PI support has been added. Refer to these setup instructions and this quick start guide. [r239922]
The default ABI on ARM is now the ARM EABI. This brings a number of improvements and allows future support for VFP and Thumb-2. [r253396]
ARM support has been greatly improved, including support for ARMv6 and ARMv7, SMP and thread-local storage (TLS). Additionally support for some newer SoC like the MV78x60 and OMAP4 was added. See the announcement for further details. [r239268]
Superpages support on ARM has been added. Superpages support provides improved performance and scalability by allowing TLB translations to dynamically cover large physical memory regions. All ARMv6 and ARMv7-based platforms can take advantage of this feature. See the ARM Superpages status page for further details. [r254918]
Support for version 2.0 of the USB Audio reference design has been added. New devices should support higher bandwidth, increased sampling frequency and wider dynamic range. [r240609]
The firmware for the mxge(4) driver has been updated to 1.4.55. [r236212]
The re(4) driver has been overhauled to fix a number of issues. This driver now has Wake On LAN (WOL) support.
The vr(4) driver has been overhauled to fix a number of outstanding issues. It also now works on all architectures.
[amd64,i386] The wpi(4) driver has been updated to include a number of stability fixes.
The cxgbe(4) driver has been updated to support 40G/10G Ethernet NICs based on Chelsio's Terminator 5 (T5) ASIC. [r248925]
The iw_cxgbe driver has been added. This is an experimental iWARP/RDMA driver (kernel verbs only) for Chelsio's T4 and T5 based cards. [r256694]
The Open Fabrics Enterprise Distribution (OFED) and OFED Infiniband core have been updated to the same version as supplied by Linux version 3.7. [r255932]
The Mellanox Infiniband driver has been updated to firmware version 2.30.3200 for ConnectX3 NICs. Support has been added for ConnectX3 VPI NICs, where each port can be used as Infiniband 56 GB/s or Ethernet 40 GB/s. Support has been added for dynamically loading kernel modules for Infiniband core (ibcore) and IP over Infiniband (ipoib). [r255932]
netmap(4) has been added. netmap(4) is a framework for high-performance direct-to-hardware packet IO, offering low latency and high PPS rates to userland applications while bypassing any kernel-side packet processing. With netmap(4) it is trivially possible to fully saturate a 10 Gbps network interface with minimal packet sizes. For more information, see: Netmap Project. [r227614]
carp(4) has been rewritten to make addresses more sane from the viewpoint of routing daemons such as quagga/zebra. It also brings support for a single redundant address on the subnet (carpdev), switching state with ifconfig(8), better locking and using modern kernel interfaces to allocate multicast memberships. Configuration of the CARP protocol via ifconfig(8) has changed, as well as the format of CARP events submitted to devd(8). See carp(4) for more information. The arpbalance feature of carp(4) is currently not supported. [r228571]
The pf(4) firewall now supports fine-grain locking and better utilization on multi-CPU machines, resulting in significant improvements in performance. [r240233]
Support for up to 65536 routing tables has been introduced. [r250700]
Support for setting/matching differentiated services codepoints (DSCP) in IP header has been added to ipfw(8). [r248552]
The aac(4) driver now supports volumes larger than 2TB in size.
The hptrr(4) driver has been updated to version 1.2 from Highpoint.
nvme(4) has been added and provides NVM Express support. NVM Express is an optimized register interface, command set and feature set of PCI Express (PCIe)-based Solid-State Drives (SSDs). For more information, see nvmexpress.org. [r240616]
A new kernel-based iSCSI target and initiator has been added. [r255570]
UFS filesystems can now be enlarged with growfs(8) while mounted read-write. This is especially useful for virtual machines, allowing the addition of more hard drive space without interruption of service. [r243246]
A state of the art FUSE implementation is now part of the base system. It allows the use of nearly all fusefs file systems. [r241519]
bsdinstall(8) now supports installing ZFS on the root file system. It includes a single configuration menu that allows you to select all of the required details, including which drives to use, what ZFS RAID level to use (taking into consideration the selected number of drives), GPT or MBR, GELI encryption, forcing 4K sectors, pool name, etc. [r256361]
Support for L2ARC compression has been added to ZFS. [r252140]
The zio nop-write improvement from Illumos was imported into FreeBSD. To reduce I/O, nop-write skips overwriting data if the (cryptographically secure) checksum of the new data matches the checksum of the existing data. It also saves space if snapshots are in use. This improvement only works on datasets with compression enabled, deduplication disabled and sha256 checksums. ZFS will now compare the checksums of incoming writes to the checksum of the existing on-disk data and avoid issuing any write I/O for data that has not changed. This reduces I/O as well as space usage, because without nop-write, if the old block is referenced by a snapshot, both copies of the block are kept even though both contain the same data. [r243524]
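The skip decision and the snapshot space effect described above can be modelled in a few lines. This is an added illustration, not code from FreeBSD or Illumos: the Dataset class, its fields and the single-block layout are assumptions made for the example, and deduplication itself is not modelled (the flag only disables nop-write).

```python
import hashlib


class Dataset:
    """Toy copy-on-write dataset (hypothetical model, not ZFS code)."""

    def __init__(self, checksum="sha256", compression=True, dedup=False):
        self.checksum, self.compression, self.dedup = checksum, compression, dedup
        self.blocks = {}      # block id -> (sha256 digest, data)
        self.live = {}        # logical block number -> block id
        self.snapshots = []   # frozen copies of self.live
        self.next_id = 0
        self.writes_issued = 0

    def nopwrite_eligible(self):
        # The three conditions the release note lists.
        return self.checksum == "sha256" and self.compression and not self.dedup

    def snapshot(self):
        self.snapshots.append(dict(self.live))

    def write(self, blkno, data):
        """Return True if write I/O was issued, False if it was skipped."""
        # The digest is only consulted when the dataset is eligible.
        digest = hashlib.sha256(data).digest()
        old = self.live.get(blkno)
        # Equality of the strong checksum is trusted as equality of the data;
        # that is why a cryptographically secure checksum is required.
        if old is not None and self.nopwrite_eligible() and self.blocks[old][0] == digest:
            return False
        new = self.next_id
        self.next_id += 1
        self.blocks[new] = (digest, data)   # copy-on-write: never overwrite in place
        self.live[blkno] = new
        self.writes_issued += 1
        self._release(old)
        return True

    def _release(self, block_id):
        # Free a block only when neither the live tree nor a snapshot references it.
        if block_id is None or block_id in self.live.values():
            return
        if any(block_id in snap.values() for snap in self.snapshots):
            return
        del self.blocks[block_id]


def rewrite_after_snapshot(ds, first, second):
    """Write `first`, snapshot, write `second`; return (writes issued, blocks held)."""
    ds.write(0, first)
    ds.snapshot()
    ds.write(0, second)
    return ds.writes_issued, len(ds.blocks)


if __name__ == "__main__":
    same = b"A" * 4096  # constructed sample block
    print(rewrite_after_snapshot(Dataset(), same, same))                      # nop-write applies
    print(rewrite_after_snapshot(Dataset(checksum="fletcher4"), same, same))  # not eligible
    print(rewrite_after_snapshot(Dataset(), same, b"B" * 4096))               # data changed
```

On the ineligible dataset the identical rewrite costs a second write and leaves two blocks allocated, because the snapshot pins the old copy; on the eligible one neither happens.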
On platforms where clang(1) is the default system compiler (such as i386, amd64, arm), GCC and GNU libstdc++ are no longer built by default. clang(1) and libc++ from LLVM are used on these platforms instead. GCC 4.2.1 and libstdc++ are still built and used by default on pc98 and all other platforms where clang(1) is not the default system compiler. [r255321]
clang(1) and llvm have been updated to version 3.3 release. Please refer to Clang 3.3 Release Notes. [r251662]
BIND has been removed from the base system. unbound(8), which is maintained by NLnet Labs, has been imported to support local DNS resolution functionality with DNSSEC. Note that it is not a replacement of BIND and the latest versions of BIND are still available in the Ports Collection. With this change, nslookup and dig are no longer a part of the base system. Users should instead use host(1) and drill(1). Alternatively, nslookup and dig can be obtained by installing the dns/bind-tools port. [r255949]
sysinstall has been removed from the base system. Auxiliary libraries and tools used by sysinstall such as libdisk, libftpio, and sade have also been removed. sysinstall has been replaced by bsdinstall(8) and bsdconfig(8). [r225937]
freebsd-version(1) has been added. This tool makes a best effort to determine the version and patch level of the installed kernel and userland. [r256106]
GNU patch has been removed from the base system, and replaced by a BSD-licensed patch(1) program. [r255191]
GNU sort has been removed from the base system, and replaced by a BSD-licensed sort(1) program. [r241511]
Berkeley yacc (byacc) has been imported from invisible island. This brings bison compatibilities to yacc(1) while preserving full backwards compatibility with previous version of yacc(1). [r235723]
lex(1) has been replaced by flex 2.5.37. [r250881]
make(1) has been replaced with the “Portable” BSD make tool (bmake) from NetBSD. [r250699]
Support for usernames up to 32 characters has been added. [r243023]
The adduser(8) utility now supports a -M option to set the mode of a new user's home directory.
BSD-licensed versions of ar(1) and ranlib(1), based on libarchive(3), have replaced the GNU Binutils versions of these utilities.
BSD-licensed versions of bc(1) and dc(1) have replaced their GNU counterparts.
chflags(1) now supports a -v flag for verbose output and a -f flag to ignore errors with the same semantics as (for example) chmod(1).
For compatibility with other implementations, cp(1) now supports a -a flag, which is equivalent to specifying the -RrP flags.
A BSD-licensed version of cpio(1), based on libarchive(3), has replaced the GNU cpio. Note that the GNU cpio is still installed as gcpio.
The env(1) program now supports -u name, which will completely unset the given variable name by removing it from the environment, instead of just setting it to a null value.
The fdopendir(3) library function has been added.
The fetch(3) library now supports HTTP 1.1 If-Modified-Since behavior. The fetch(1) program now supports -i filename, which will only download the specified HTTP URL if the content is newer than filename.
find(1) has been enhanced by the addition of a number of primaries that were present in GNU find but not FreeBSD find(1).
kgdb(1) now supports a new add-kld command to make it easier to debug crash dumps with kernel modules.
The ls(1) program now supports a -D option to specify a date format string to be used with the long format (-l) output.
nc(1) now supports a -O switch to disable the use of TCP options.
nc(1)'s -o switch has been deprecated. It will be removed in a future release.
The ping6(8) utility now returns 2 when the packet transmission was successful but no responses were received (this is the same behavior as ping(8)). It returned a non-zero value before this change.
The realpath(1) utility now supports a -q flag to suppress warnings; it now also accepts multiple paths on its command line.
sh(1) has many bug fixes, some new features, and will now refuse to parse some invalid scripts. Additionally, it now has filename completion and defaults to the “emacs” editing mode.
The split(1) utility now supports a -n flag to split a file into a certain number of chunks.
The tar(1) utility now supports a -Z flag to enable compress(1)-style compression/decompression.
The tar(1) utility now supports a --numeric-owner flag to ignore user/group names on create and extract.
The tar(1) utility now supports the -S flag to sparsify files on extraction.
The tar(1) utility now supports a -s flag to substitute filenames based on the specified regular expression.
The tcgetsid(3) library function has been added to return the process group ID for the session leader for the controlling terminal. It is defined in IEEE Std 1003.1-2001 (POSIX).
top(1) now supports a -P flag to provide per-CPU usage statistics.
zdump(8) is now working properly on 64-bit architectures.
traceroute(8) now has the ability to print the AS number for each hop with the new -a switch; a new -A option allows selecting a particular WHOIS server.
traceroute6(8) now supports a -U flag to send probe packets with no upper-layer protocol, rather than the usual UDP probe packets.
rc.d/sendmail now generates and uses an SSL certificate by default when sendmail_enable="YES". This will allow remote MTAs to use STARTTLS to encrypt incoming email. The certificate is signed with a key that is thrown away and is not a substitute for generating your own properly if you need to use STARTTLS authentication. Options to control the certificate generation are documented in rc.d/sendmail. [r256773]
The following rc(8) scripts have been added:
rc(8) Script | Function |
---|---|
ctld | iSCSI target daemon startup script |
iscsictl | iSCSI initiator management utility startup script |
iscsid | iSCSI initiator daemon startup script |
kfd | Kerberos ticket forwarding daemon startup script |
local_unbound | Unbound startup script for the local caching resolver |
postrandom | Generates a new entropy file at system boot |
swap | Replaces |
swaplate | Enables swap with “late” set at system boot |
utx | User accounting database startup and shutdown script |
The following rc(8) scripts have been removed:
rc(8) Script | Reason |
---|---|
encswap | Replaced by |
named | Removed with BIND |
swap1 | Replaced by |
jemalloc(3) has been updated to 3.4.0. See this link for more details. [r251300]
AMD has been updated from 6.0.10 to 6.1.5.
awk has been updated to the 20121220 release.
CVS has been removed from the base system, but is still available from Ports Collection. [r251794]
Subversion has been imported into the base system and is installed as svnlite. svnlite should only be used for checking out the FreeBSD source trees and committing, and does not replace the full Subversion port. [r251886]
file has been updated to 5.11. [r234449]
hostapd has been updated from 0.5.8 to 0.5.10. [r252726]
IPFilter has been updated to 5.1.2.
less has been updated to v458. [r250592]
ncurses has been updated to 5.7-20081102.
OpenSSH has been updated to 6.4.
OpenPAM has been updated to the Micrampelis release. [r236109]
sendmail has been updated from 8.14.1 to 8.14.7.
The timezone database has been updated from the tzdata2008h release to the tzdata2009m release.
The stdtime part of libc, zdump(8) and zic(8) have been updated from the tzcode2004a release to the tzcode2009h release. If you have upgraded from source or via freebsd-update(8), then please run tzsetup(8) to install a new /etc/localtime.
WPA Supplicant has been updated to 2.0. [r252726]
xz has been updated from snapshot as of 12 April 2010 to 5.0.0.
The pkg_add, pkg_create, pkg_delete, pkg_info, pkg_updating, and pkg_version utilities have been removed. pkg(7) must now be used to install binary packages. pkg(7) is the next generation FreeBSD package manager, also referred to as “pkgng”. If upgrading from a previous FreeBSD release, be sure to run pkg2ng to convert the old package database to the new format. [r257444]
[amd64,i386] Beginning with FreeBSD 6.2-RELEASE, binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the freebsd-update(8) utility. The binary upgrade procedure will update unmodified userland utilities, as well as unmodified GENERIC or SMP kernels distributed as a part of an official FreeBSD release. The freebsd-update(8) utility requires that the host being upgraded have Internet connectivity.
Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in /usr/src/UPDATING.
Upgrading FreeBSD should, of course, only be attempted after backing up all data and configuration files.
This file, and other release-related documents, can be downloaded from http://www.FreeBSD.org/releases/.
For questions about FreeBSD, read the documentation before contacting <[email protected]>.
All users of FreeBSD release should subscribe to the <[email protected]> mailing list.
For questions about this documentation, e-mail <[email protected]>.