FreeBSD The Power to Serve

FreeBSD 11.3-RELEASE Release Notes

Abstract

The release notes for FreeBSD 11.3-RELEASE contain a summary of the changes made to the FreeBSD base system on the 11.3-STABLE development line. This document lists applicable security advisories that were issued since the last release, as well as significant changes to the FreeBSD kernel and userland. Some brief remarks on upgrading are also presented.

Introduction

This document contains the release notes for FreeBSD 11.3-RELEASE. It describes recently added, changed, or deleted features of FreeBSD. It also provides some notes on upgrading from previous versions of FreeBSD.

This distribution of FreeBSD 11.3-RELEASE is a release distribution. It can be found at https://www.FreeBSD.org/releases/ or any of its mirrors. More information on obtaining this (or other) release distributions of FreeBSD can be found in the Obtaining FreeBSD' appendix to the FreeBSD Handbook.

All users are encouraged to consult the release errata before installing FreeBSD. The errata document is updated with "late-breaking" information discovered late in the release cycle or after the release. Typically, it contains information on known bugs, security advisories, and corrections to documentation. An up-to-date copy of the errata for FreeBSD 11.3-RELEASE can be found on the FreeBSD Web site.

This document describes the most user-visible new or changed features in FreeBSD since 11.2-RELEASE. In general, changes described here are unique to the 11.3-STABLE branch unless specifically marked as MERGED features.

Typical release note items document recent security advisories issued after 11.2-RELEASE, new drivers or hardware support, new commands or options, major bug fixes, or contributed software upgrades. They may also list changes to major ports/packages or release engineering practices. Clearly the release notes cannot list every single change made to FreeBSD between releases; this document focuses primarily on security advisories, user-visible changes, and major architectural improvements.

Upgrading from Previous Releases of FreeBSD

[amd64,i386] Binary upgrades between RELEASE versions (and snapshots of the various security branches) are supported using the freebsd-update(8) utility. The binary upgrade procedure will update unmodified userland utilities, as well as unmodified GENERIC kernels distributed as a part of an official FreeBSD release. The freebsd-update(8) utility requires that the host being upgraded have Internet connectivity.

Source-based upgrades (those based on recompiling the FreeBSD base system from source code) from previous versions are supported, according to the instructions in /usr/src/UPDATING.

Important: Upgrading FreeBSD should only be attempted after backing up all data and configuration files.

Security and Errata

This section lists the various Security Advisories and Errata Notices since 11.2-RELEASE.

Security Advisories

Advisory Date Topic

FreeBSD-SA-18:08.tcp

06 August 2018

Resource exhaustion in TCP reassembly

FreeBSD-SA-18:09.l1tf

14 August 2018

L1 Terminal Fault (L1TF) Kernel Information Disclosure

FreeBSD-SA-18:10.ip

14 August 2018

Resource exhaustion in IP fragment reassembly

FreeBSD-SA-18:11.hostapd

14 August 2018

Unauthenticated EAPOL-Key Decryption Vulnerability

FreeBSD-SA-18:12.elf

12 September 2018

Improper ELF header parsing

FreeBSD-SA-18:13.nfs

27 November 2018

Multiple vulnerabilities

FreeBSD-SA-18:14.bhyve

4 December 2018

Insufficient bounds checking

FreeBSD-SA-18:15.bootpd

19 December 2018

Buffer overflow

FreeBSD-SA-19:01.syscall

5 February 2019

Kernel data register leak

FreeBSD-SA-19:02.fd

5 February 2019

File description reference count leak

FreeBSD-SA-19:03.wpa

14 May 2019

Multiple vulnerabilities

FreeBSD-SA-19:04.ntp

14 May 2019

Authenticated denial of service in ntpd(8)

FreeBSD-SA-19:05.pf

14 May 2019

IPv6 fragment reassembly panic in pf(4)

FreeBSD-SA-19:06.pf

14 May 2019

ICMP/ICMP6 packet filter bypass in pf(4)

FreeBSD-SA-19:07.mds

14 May 2019

Microarchitectural Data Sampling

FreeBSD-SA-19:09.iconv

2 July 2019

iconv(3) buffer overflow

FreeBSD-SA-19:11.cd_ioctl

2 July 2019

Privilege escalation in cd(4)

Errata Notices

Errata Date Topic

FreeBSD-EN-18:08.lazyfpu

12 September 2018

Regression in Lazy FPU remediation

FreeBSD-EN-18:09.ip

27 September 2018

IP fragment remediation causes IPv6 reassembly failure

FreeBSD-EN-18:10.syscall

27 September 2018

Null pointer dereference in freebsd4_getfsstat system call

FreeBSD-EN-18:11.listen

27 September 2018

Denial of service in listen system call

FreeBSD-EN-18:12.mem

27 September 2018

Small kernel memory disclosures in two system calls

FreeBSD-EN-18:13.icmp

27 November 2018

ICMP buffer underwrite

FreeBSD-EN-18:14.tzdata

27 November 2018

Timezone database information update

FreeBSD-EN-18:15.loader

27 November 2018

Deferred kernel loading breaks loader password

FreeBSD-EN-18:16.ptrace

19 December 2018

Kernel panic when attaching to stopped process

FreeBSD-EN-18:17.vm

19 December 2018

Kernel panic under load on Intel Skylake™ CPUs

FreeBSD-EN-18:18.zfs

19 December 2018

ZFS vnode reclaim deadlock

FreeBSD-EN-19:03.sqlite

9 January 2019

sqlite update

FreeBSD-EN-19:04.tzdata

9 January 2019

Timezone database information update

FreeBSD-EN-19:05.kqueue

9 January 2019

kqueue race condition and kernel panic

FreeBSD-EN-19:08.tzdata

14 May 2019

Timezone database information update

FreeBSD-EN-19:09.xinstall

14 May 2019

install(1) broken with partially matching relative paths

Userland

This section covers changes and additions to userland applications, contributed software, and system utilities.

Userland Configuration Changes

The jail(8) utility has been updated to include a new jail.conf(5) parameter, allow.read_msgbuf, which prevents jailed processes and users from accessing the dmesg(8) buffer. This parameter is set to false by default. (r339446)

The system crontab(5), /etc/crontab, has been updated to set PATH for consistency with the cron(8) daemon. (r342103)

The default devd.conf(5) has been updated to prevent duplicated hostapd(8) and wpa_supplicant(8) startup via devd(8). (r343469)

A new variable, init_exec, has been added to kenv(1), allowing init(8) to run an executable file after opening the console, replacing init(8) as PID 1. (r346479)

Userland Application Changes

The cpuset(1), sockstat(1), ipfw(8), and ugidfw(8) utilities have been updated to support jail(8) names. (r336040)

The newfs_msdos(8) utililty has been updated to include a new flag, -T, which is used to specify the timestamp for build reproducibility. (r336328)

The dd(1) utility has been updated to add a new status`operand, `progress, which reports the current status on a single line every second. (r338364)

The last(1) utility has been updated to include libxo(3) support. (r338451)

The lastlogin(8) utility has been updated to include libxo(3) support. (r338452)

The traceroute(8) utility has been updated to include libcasper(3) support. (r338475)

The diff(1) utility has been updated to implement -B and --ignore-blank-lines support. (r339160)

The makewhatis(1) utility has been updated to prevent operating within read-only directories. (r340963)

The jail(8) utility has been updated to add a new flag, -e, which takes a jail.conf(5) parameter as an argument and prints a list of non-wildcard jails with the specified parameter. (r341790)

The ktrdump(8) utility has been updated to include the -l flag which enables "live" mode when specified. (r342706)

The trim(8) utility has been added, which deletes content for blocks on flash-based storage devices that use wear-leveling algorithms. (r343118)

The gzip(1) utility has been updated to add -l support for xz(1) files. (r343251)

The newfs(8) and tunefs(8) utilities have been updated to allow underscores in label names. (r343538) (Sponsored by Netflix)

The pfctl(8) utility has been updated to provide clearer output and reference the net.pf.request_maxcount sysctl(8) if a defined table is too large. (r344020)

The newfs(8) and tunefs(8) utilities have been updated to allow dashes in label names. (r344052)

The fdisk(8) utility has been updated to support sectors larger than 2048 bytes. (r344490)

The sh(1) utility has been updated to add the pipefail option which simplifies checking the exit status of all commands in a pipeline. (r345561)

The patch(1) utility has been updated to exit successfully if the input patch file is zero-length. (r345878)

The spi(8) utility has been added, which is used to communicate with devices on an SPI bus through the userland. (r346518)

Contributed Software

The xz(1) utility has been updated to version 5.2.4. (r334607)

The file(1) utility has been updated to version 5.34. (r337827)

The ELF Tool Chain has been updated to version r3614. (r338414) (Sponsored by The FreeBSD Foundation)

The lld utility has been updated to add -z interpose, marking the object file as an interposer. (r339100) (Sponsored by The FreeBSD Foundation)

The file(1) utility has been updated to fix incorrect date reporting for dump(8) files. (r343079)

The LUA loader(8) has been merged. (r344220)

The ntpd(8) utilities have been updated to version 4.2.8p13. (r344884)

The clang, llvm, lld, lldb, and compiler-rt utilities as well as libc++ have been updated to upstream version 8.0.0. (r346296)

The WPA utilities have been updated to version 2.8. (r346981)

OpenSSL has been updated to version 1.0.2s. (r348343)

The libarchive(3) library has been updated to version 3.3.3, with additional fixes from upstream. (r348607)

OpenPAM has been updated to the latest upstream version. (r348980)

/etc/rc.d Scripts

Support for auxiliary RAM has been added to /etc/rc.initdiskless. (r340611)

The rcorder(8) utility has been updated to add support for /etc/rc.resume. (r340966)

The jail_conf definition, which defaults to /etc/jail.conf, has been moved from the jail(8) rc(8) script to /etc/defaults/rc.conf. (r341792)

The rc_service variable has been added to rc.subr(8), which defaults to the path of the service being executed in case the service needs to re-invoke itself. (r343046)

Timezone data files have been updated to version 2019b. (r349620)

/etc/periodic Scripts

The periodic(8) weekly 340.noid script has been updated to prevent decending into the root directory of jails. (r341794)

Runtime Libraries and API

The pcap(3) library has been updated to version 1.9.0 (pre-release). (r335640)

The setproctitle_fast(3) function has been added, which is optimized for high-frequency process title updates. (r336449)

The kqueue(2) system call has been updated to allow updating EVFILT_TIMER. (r337418) (Sponsored by Dell EMC)

The pthread_get_name_np(3) function has been added, which is used to retrieve the function name associated with a thread. (r338405)

The pthread(3) library has been updated to improve POSIX compliance. (r338707)

Kernel

This section covers changes to kernel configurations, system tuning, and system control parameters that are not otherwise categorized.

General Kernel Changes

The ddb(4) debugging utility has been updated to print command-line arguments to a process. (r339857) (Sponsored by Panzura)

The number of MSI IRQs have been converted from a constant to a tunable. The default remains at 512, which can now be changed during boot with the machdep.num_msi_irqs sysctl(8). (r342656)

The kernel will now log the jail(8) ID when logging a process exit. The jail(8) ID 0 represents processes that are not jailed. (r343084) (Sponsored by Modirum MDPay)

Warnings for features deprecated in future releases will now be printed on all FreeBSD versions. (r348753)

Devices and Drivers

This section covers changes and additions to devices and device drivers since 11.2-RELEASE.

Device Drivers

The ichwd(4) driver has been updated to include support for TCO watchdog timers in the Lewisburg PCH (C620) chipset. (r340182) (Sponsored by Panzura)

The random(4) driver has been updated to improve performance during expensive reseeding. (r345981)

The ae(4), bm(4), cs(4), de(4), dme(4), ed(4), ep(4), ex(4), fe(4), pcn(4), sf(4), sn(4), tl(4), tx(4), txp(4), vx(4), wb(4), and xe(4) drivers have been marked as deprecated, and are not present in FreeBSD 13.0. (r347962)

Network Drivers

The oce(4) driver has been updated to version 11.0.50.0. (r338938)

The TP-Link TL-WN321G™ network adapter now uses the run(4) driver instead of the rum(4) driver. (r340369)

The mlx4en(4) and mlx5en(4) drivers have been updated to version 3.5.0. (r341987) (Sponsored by Mellanox Technologies)

The lagg(4) driver has been updated to allow changing the MTU without requiring destroying and recreating the interface. (r342206) (Sponsored by iXsystems)

The ccr(4) driver has been added, providing support for Chelsio T6™ cryptography accelerators. (r345040) (Sponsored by Chelsio Communications)

The cxgbe(4) driver has been updated to include support for hash filters, NAT offloading, and SMAC/DMAC swapping filters. (r346855) (Sponsored by Chelsio Communications)

The cxgbe(4) T4, T5, and T6 firmware has been updated to version 1.23.0.0. (r346940) (Sponsored by Chelsio Communications)

The ixl(4) driver has been updated version 1.11.9. (r349181) (Sponsored by Intel Corporation)

The ixlv(4) driver has been updated version 1.5.8. (r349181) (Sponsored by Intel Corporation)

Hardware Support

This section covers general hardware support for physical machines, hypervisors, and virtualization environments, as well as hardware changes and updates that do not otherwise fit in other sections of this document.

Hardware Support

The vt(4) keyboard mapping has been updated to include uk.macbook.kbd support. (r342254)

Virtualization Support

Support for PS/2 scan codes for NumLock, ScrollLock, and numerical keypad keys has been added to bhyve(8). (r341758) (Sponsored by iXsystems)

Storage

This section covers changes and additions to file systems and other storage subsystems, both local and networked.

General Storage

Deprecation warnings have been added for weaker algorithms when creating geli(8) providers. (r348588)

ZFS

An issue that could result in a system hang during ZFS vnode reclamation has been fixed. (r341828) (Sponsored by Klara Systems)

The ZFS filesystem has been updated to implement parallel mounting. (r346690) (Sponsored by Gandi.net)

Boot Loader Changes

This section covers the boot loader, boot menu, and other boot-related changes.

Boot Loader Changes

The functionality provided by zfsloader has been added to loader(8). Once the system boot blocks have been updated following UPDATING, zfsloader is no longer needed. A hard link to loader(8) has been added to ease in the transition. (r344399)

The loader(8) has been updated to extend geli(8) support to all architectures. (r344399)

The UEFI boot loader(8) has been updated to better determine the system console type and device if not defined in loader.conf(5). (r344403)

Networking

This section describes changes that affect networking in FreeBSD.

General Network Changes

The ipfw(8) firewall has been updated to include new rule options, record-state, set-limit, and defer-action. (r337461)

Support for NAT64 CLAT has been added, as defined in RFC6877. (r346212) (Sponsored by Yandex LLC)

Warnings have been added for IPSec algorithms deprecated in RFC 8221. (r348482)

Ports Collection and Package Infrastructure

This section covers changes to the FreeBSD Ports Collection, package infrastructure, and package maintenance and installation tools.

Packaging Changes

The pkg(8) utility has been updated to version 1.10.5.

The KDE desktop environment has been updated to version 5.15.3.

The GNOME desktop environment has been updated to version 3.28.

Release Engineering and Integration

This section convers changes that are specific to the FreeBSD Release Engineering processes.

Integration Changes

The default size of virtual machine disk images has been reduced from 30GB to 3GB. The raw disk images may be resized with truncate(1), after which the growfs rc(8) script will resize the filesystem within the virtual machine. Other disk image formats should be resized with the appropriate tool provided by the hypervisor being used. (r347037) (Sponsored by The FreeBSD Foundation)