14.4/relnotes: initial informaton added (65 entries)

Reviewed by: cperciva, ziaee
Approved by: ziaee
Differential Revision: https://reviews.freebsd.org/D55285

Author: Vladlen Popolitov

website/content/en/releases/14.4R/relnotes.adoc

@@ -118,15 +118,146 @@ This section covers changes and additions to userland applications, contributed
 [[userland-programs]]
 === Userland Application Changes
 
+The man:newfs[8] utility gains a `-u` flag to disable soft updates and soft updates journaling, providing a way to turn off the default soft updates for UFS2 filesystems.
+gitref:929ef0d36c6c[repository=src].
+{{< sponsored "Klara, Inc. | NetApp, Inc." >}}
+
+The man:sockstat[1] utility now displays UDP-Lite endpoints by default, providing visibility into these sockets alongside other network connections.
+gitref:23cda744e4da[repository=src].
+
+man:mdo[1] adds new options to control user and group IDs in launched processes, including `-k` to keep current users, `-g` and `-G` to set primary and supplementary groups, `-s` to amend supplementary groups, and `--euid`/`--ruid`/`--svuid`/`--egid`/`--rgid`/`--svgid` to override specific IDs. This provides finer-grained control over process credentials while maintaining compatibility with existing behavior.
+gitref:58f55afb301b[repository=src].
+{{< sponsored "The FreeBSD Foundation | Google LLC (GSoC 2025)" >}}
+
+The man:freebsd-update[8] utility now installs shared libraries in a specific order (libsys, libc, libthr, then others) to prevent failures during upgrades from 14.x to 15.x.
+gitref:e26928669f39[repository=src].
+{{< sponsored "https://www.patreon.com/cperciva" >}}
+
+The man:ngctl[8] utility gains a `-j` flag to attach and run inside a jail, allowing manipulation of netgraph nodes from within a jail environment. This enables administrators to manage netgraph configurations in jails where ngctl may not be directly available.
+gitref:04911babef1b[repository=src].
+
+The man:bsdinstall[8] installer no longer supports ZFS installations using MBR disk layouts. This removes a previously broken option that could cause installation failures.
+gitref:220584471931[repository=src].
+{{< sponsored "The FreeBSD Foundation" >}}
+
+man:sndctl[8], a new utility has been added for listing and modifying audio device properties using a control-driven interface similar to man:mixer[8].
+gitref:00988d12bc37[repository=src].
+{{< sponsored "The FreeBSD Foundation" >}}
+
+The man:nuageinit[7] tool now supports the chpasswd command, allowing password changes via a list or multiline string, including deprecated syntax for compatibility with some providers.
+gitref:6c912470030b[repository=src].
+{{< sponsored "OVHCloud" >}}
+
+The man:pkg[7] utility now parses command-line arguments in the same way as man:pkg[8], requiring options to be placed in the same positions. This changes the behavior of some previously accepted command sequences, such as `pkg -f bootstrap` no longer working; users must use `pkg bootstrap -f` instead.
+gitref:62947e508161[repository=src].
+{{< sponsored "The FreeBSD Foundation | The FreeBSD Foundation" >}}
+
+Adds meta and env parameters to jails, allowing arbitrary string metadata and environment information to be associated with each jail. The parameters can be set during jail creation or modified later using `jail -cm`, and can be viewed with man:jls[8]. The `security.jail.meta_maxbufsize` sysctl controls the maximum size of these parameters.
+gitref:527027da391d[repository=src].
+{{< sponsored "SkunkWerks GmbH" >}}
+
+The man:swapon[8] utility now supports encrypted swap files using man:md[4] devices with an [.filename]#.eli# suffix in man:fstab[5]. This allows encrypted swap to be configured in fstab as previously documented.
+gitref:9d80d681ee9d[repository=src].
+
 [[userland-contrib]]
 === Contributed Software
 
+OpenSSL has been updated to version 3.0.16.
+gitref:aed5a47b3a8a[repository=src].
+
+Spleen font has been updated to version 2.2.0, adding missing characters (em-dash, en-dash, hyphen, angle brackets, white square, dagger, double dagger) and improving character alignment, particularly for high-dpi displays.
+gitref:c44ec96b471e[repository=src].
+
+man:libarchive[3] updated to version 3.8.5. This includes a bug fix for bsdtar to resolve a regression in zero-length pattern handling.
+gitref:39fd1181e5b2[repository=src].
+
+man:xz[1] has been updated to version 5.8.2.
+gitref:07700b0107dc[repository=src].
+
+man:mtree[8] has been updated to version from NetBSD, improving compatibility and fixing bugs in mtree.
+gitref:f9d671f726ac[repository=src].
+
+pci_vendors database has been updated to version 2025-12-12.
+gitref:f21385688f52[repository=src].
+
+tzdata has been updated to version 2025c.
+gitref:68e2f4cc5e4e[repository=src].
+
+man:bmake[1] has been updated to version 20251111.
+gitref:c95f96dea30a[repository=src].
+
+SQLite has been updated to version 3.50.4.
+gitref:ef55f6b86626[repository=src].
+
+The unbound DNS resolver mitigates `YXDOMAIN` and nodata non-referral answer poisoning, preventing a malicious actor from exploiting a possible cache poison attack. This addresses CVE-2025-11411.
+gitref:cd40a23fb249[repository=src].
+
+OpenZFS has been updated to version 2.2.9. This release includes improvements to ARC shrinking, fixes for `zpool add` safety checks, zvol blk-mq synchronization, and BRT range conversion math.
+gitref:709465f2c4f1[repository=src].
+
+man:less[1] has been updated to version 685.
+gitref:054ae5e7b465[repository=src].
+
+USB vendor database has been updated to 2025-09-15.
+gitref:d565a5e904ed[repository=src].
+
+Unbound has been updated to version 1.24.1. This release includes a security fix for CVE-2025-11411.
+gitref:eeb41dca070f[repository=src].
+
+The man:newaliases[1] man page has been updated to clarify that it is for man:sendmail[8].
+gitref:e3df9a78da6b[repository=src].
+
+The man:kadmin[8] utility gains a new `-f` option for dumping Heimdal KDC databases in MIT-compatible format, enabling migration to MIT KDC without recreating the database from scratch.
+gitref:a93e1b731ae4[repository=src].
+
+man:mandoc[1] has been updated to version 2025-09-26. The update improves case sorting in mandoc db, adds macros for AT&T Unix versions 8 and 10, warns on blank lines in man:man[7] like man:mdoc[7], and fixes a PDF/PS footer regression.
+gitref:7fa4ccb8e4e7[repository=src].
+
+expat has been updated to version 2.7.3.
+gitref:a85cfcb61efd[repository=src].
+
+man:bc[1] and man:dc[1] have been updated to version 7.1.0.
+gitref:ab36487a79cd[repository=src].
+
+The gallant console font now includes over 4300 glyphs, adding support for Greek, Cyrillic, IPA extensions, extended Latin, Zapf Dingbats, arrows, mathematical symbols, box drawing, currency symbols, and Powerline glyphs. This expands the character set available in the console for multilingual text and symbols.
+gitref:8d2d6647d65a[repository=src].
+
+man:libucl[3] has been updated to version 0.9.2.
+gitref:0a8d8b0c878f[repository=src].
+{{< sponsored "The FreeBSD Foundation" >}}
+
+man:mandoc[1] has been updated to Groff Compat Edition with improved groff compatibility in formatting, error handling, and rendering.
+gitref:8039d22f6afd[repository=src].
+
+OpenSSH has been updated to version 10.0p2. The update removes support for the weak DSA signature algorithm and changes the default key agreement to the post-quantum hybrid algorithm mlkem768x25519-sha256. The sshd(8) authentication phase now runs in a separate sshd-auth binary.
+gitref:7ca599aa6139[repository=src].
+{{< sponsored "The FreeBSD Foundation" >}}
+
+lyaml, a Lua binding for libyaml, is now available in the base system.
+gitref:c508393e49fc[repository=src].
+
+libyaml has been updated to version 0.2.5.
+gitref:e52f11f4bbc8[repository=src].
+
+The man:nc[1] (or netcat) utility now accepts service names (e.g., 'http') in addition to port numbers for the -p option and as command-line arguments.
+gitref:0fe58344e829[repository=src].
+
 [[userland-deprecated-programs]]
 === Deprecated Applications
 
+The RIP routing protocol is deprecated and will be removed in a future release. The man pages for man:routed[8], man:rtquery[8], man:route6d[8], and man:rip6query[8] are updated to note the deprecation. Users needing RIP should use alternatives like 'bird' or 'quagga' from the ports collection.
+gitref:d350c18f98fd[repository=src].
+
 [[userland-libraries]]
 === Runtime Libraries and API
 
+The man:inet_net_ntop[3] and man:inet_net_pton[3] functions are updated to correctly handle IPv6 addresses, fixing previous incorrect behavior.
+gitref:b4871be3490d[repository=src].
+{{< sponsored "https://www.patreon.com/bsdivy" >}}
+
+The PAM library now searches for modules in [.filename]#${LOCALBASE}/lib/security#, in addition to [.filename]#${LOCALBASE}/lib#. This allows PAM modules installed by ports that follow the Linux directory convention to be found and used.
+gitref:65808459e21b[repository=src].
+
 [[kernel]]
 == Kernel
 
@@ -135,6 +266,12 @@ This section covers changes to kernel configurations, system tuning, and system
 [[kernel-general]]
 === General Kernel Changes
 
+The man:jail[8] system now restricts unprivileged users in a parent jail from scheduling, debugging, or signaling processes in subordinate jails by default. New privileges PRIV_SCHED_DIFFJAIL, PRIV_DEBUG_DIFFJAIL, and PRIV_SIGNAL_DIFFJAIL are required for such cross-jail operations. A new jail parameter allow.unprivileged_parent_tampering is introduced for backward compatibility in FreeBSD 14.x, but will be disabled by default in FreeBSD 15.x, affecting development setups that rely on cross-jail process management.
+gitref:5c6949e12ee6[repository=src].
+
+The change fixes a race condition in the powerpc context switch code that could cause the system to hang after starting all APs, particularly in qemu-system-ppc64 power9 pseries guests.
+gitref:666599639cf6[repository=src].
+
 [[drivers]]
 == Devices and Drivers
 
@@ -143,9 +280,42 @@ This section covers changes and additions to devices and device drivers since {r
 [[drivers-device]]
 === Device Drivers
 
+The man:mr_sas[4] driver now supports the Fujitsu RAID Controller SAS 6Gbit/s 1GB (D3116), which is used in Fujitsu PRIMERGY servers like the RX300 S7.
+gitref:653099bcc191[repository=src].
+
+The man:mfi[4] driver now supports the Fujitsu RAID Controller SAS 6Gbit/s 1GB (D3116) by adding its subvendor and subdevice IDs.
+gitref:3690911c355a[repository=src].
+
+The NVMe driver now supports BAR5 for Table BIR and PBA BIR, enabling FreeBSD on Google Compute Engine C4 machines.
+gitref:dca645cd3112[repository=src].
+{{< sponsored "Google" >}}
+
+The man:qat[4] driver now supports the 402xx device (IDs 0x4944/0x4945) under the existing qat_4xxx driver, and adds required firmware files.
+gitref:af51f41346ad[repository=src].
+{{< sponsored "Intel Corporation" >}}
+
+The man:smartpqi[4] driver is updated to version 4660.0.2002, providing updated support for Microchip smartpqi controllers.
+gitref:ec98cb56861f[repository=src].
+{{< sponsored "Microchip Technology Inc." >}}
+
+The man:ix[4] and man:ixv[4] drivers add support for the Intel Ethernet E610 family of devices, including new PCI IDs for backplane, SFP, 10 GbE, 2.5 GbE, and SGMII variants. This enables link speeds of 2.5G, 5G, and 10G on supported hardware.
+gitref:a728b96686e6[repository=src].
+{{< sponsored "Intel Corporation" >}}
+
+The man:epair[4] driver now supports stable MAC addresses via the `net.link.epair.ether_gen_addr` sysctl. This helps maintain consistent DHCP and dynamic DNS assignments when epair interfaces are recreated, such as after jail restarts. The default behavior remains random MAC generation, but setting the sysctl to 1 enables stable addresses.
+gitref:02f70f6633fd[repository=src].
+
+The man:iwlwifi[4] driver now includes ACPI support, enabling regulatory features for 802.11ax, 802.11be, and Per Platform Antenna Gain (PPAG) settings.
+gitref:c4496f82680c[repository=src].
+{{< sponsored "The FreeBSD Foundation" >}}
+
 [[drivers-removals]]
 === Deprecated and Removed Drivers
 
+The in-kernel MIDI sequencer is deprecated. This change adds a deprecation notice to the kernel and may affect applications that rely on this legacy interface.
+gitref:ab9c9443eec5[repository=src].
+{{< sponsored "The FreeBSD Foundation" >}}
+
 [[storage]]
 == Storage
 
@@ -154,6 +324,16 @@ This section covers changes and additions to file systems and other storage subs
 [[storage-general]]
 === General Storage
 
+The new 9P filesystem implementation (man:p9fs[4]) has been added for use with bhyve virtio-9p devices. It allows guests to access host files via share mappings and can be used as a root or non-root filesystem. The driver is loaded via `virtio_p9fs_load=YES` in [.filename]#loader.conf#.
+gitref:615fba7c6b39[repository=src].
+
+The man:tarfs[5] filesystem now correctly handles large files exceeding 4 GB and 8 GB limits. It fixes decompression errors when seeking beyond 4 GB in zstd-compressed tarballs and properly processes extended header records for files larger than 8 GB.
+gitref:35c612fbabd8[repository=src].
+{{< sponsored "Klara, Inc." >}}
+
+The man:nullfs[5] and man:unionfs[5] filesystems now perform stricter checks for jail root vnodes during dotdot lookups, preventing a potential chroot escape vulnerability.
+gitref:3feafab4a34c[repository=src].
+
 [[boot]]
 == Boot Loader Changes
 
@@ -162,6 +342,23 @@ This section covers the boot loader, boot menu, and other boot-related changes.
 [[boot-loader]]
 === Boot Loader Changes
 
+The EFI boot loader now uses firmware-provided Blt functions only when using the Graphics Output Protocol (GOP), avoiding issues on older UGA-based systems like MacBooks.
+gitref:6741fb1bd4f4[repository=src].
+
+The Raspberry Pi Zero 2W device tree blob is now included on the release SD card images, enabling support for this hardware model.
+gitref:fce5d401a803[repository=src].
+
+The bsdinstall installer now copies [.filename]#loader.efi# to all ESPs created for multi-volume ZFS datasets, providing boot redundancy if the primary disk fails.
+gitref:d8e73f45fc5f[repository=src].
+{{< sponsored "Netflix" >}}
+
+Wireless firmware packages are now included on bootonly installation media, enabling users to fetch installation files over a wireless connection.
+gitref:2ee0f3c954e7[repository=src].
+{{< sponsored "The FreeBSD Foundation" >}}
+
+The initramfs zfs boot script now uses LVM autoactivation (`vgchange -aay`) instead of unconditional activation. This respects LVM autoactivation settings like `--setautoactivation` flag and `auto_activation_volume_list` option, allowing users to control which logical volumes are activated at boot. Misconfigured setups with ZFS on top of an LV that has autoactivation disabled may no longer boot.
+gitref:79cbdb370305[repository=src].
+
 [[network]]
 == Networking
 
@@ -170,6 +367,17 @@ This section describes changes that affect networking in FreeBSD.
 [[network-general]]
 === General Network
 
+Compatibility code for IPFW versions prior to FreeBSD 8 has been removed to simplify the codebase. Users or third-party modules that still rely on the old compatibility interfaces must migrate before upgrading.
+gitref:57865e505aef[repository=src].
+{{< sponsored "The FreeBSD Foundation" >}}
+
+[[wireless-networking]]
+=== Wireless Networking
+
+The net80211 subsystem has been updated to properly support VHT160 and VHT80P80 channel widths with modern access points, aligning with changes from 802.11ac-2013 to 802.11-2020. This enables VHT160 and VHT80P80 in the LinuxKPI 802.11 driver compatibility code, affecting wireless performance and compatibility.
+gitref:ccdd6285df5d[repository=src].
+{{< sponsored "The FreeBSD Foundation" >}}
+
 [[hardware]]
 == Hardware Support
 
@@ -180,6 +388,9 @@ Please see link:https://www.freebsd.org/releases/{localRel}R/hardware[the list o
 [[hardware-virtualization]]
 === Virtualization Support
 
+man:bhyve[8] now reports SVM as disabled in the VM control register, preventing hangs on AMD systems with recent Windows guests.
+gitref:321a15380668[repository=src].
+
 [[documentation]]
 == Documentation
 
@@ -188,6 +399,15 @@ This section covers changes to manual (man:man[1]) pages and other documentation
 [[man-pages]]
 === Man Pages
 
+Updates the UPDATING file to document that example files are now installed in [.filename]#/usr/share/examples# as intended, due to a prior fix in the build system.
+gitref:d149be3a0cbe[repository=src].
+
+The man:dtrace_fbt[4] man page is added, documenting the DTrace fbt provider.
+gitref:0c91fa982437[repository=src].
+
+The man:mtree[8] utility's man page is updated to clarify that the `type` keyword remains mandatory and is not removed by `-R all`. This ensures consistent behavior and prevents potential misinterpretation of the command.
+gitref:f957857c4835[repository=src].
+
 [[ports]]
 == Ports Collection and Package Infrastructure
 
@@ -198,3 +418,27 @@ This section covers changes to the FreeBSD Ports Collection, package infrastruct
 
 [[future-releases]]
 == General Notes Regarding Future FreeBSD Releases
+FreeBSD 15.0 is not expected to include support for 32-bit platforms other than armv7.
+The armv6, i386, and powerpc platforms are deprecated and will be removed.
+64-bit systems will still be able to run older 32-bit binaries.
+
+The FreeBSD Project expects to support armv7 as a Tier 2 architecture in FreeBSD 15.0 and stable/15.
+However, the Project also anticipates that armv7 may be removed in FreeBSD 16.0.
+The Project will provide an update on the status of armv7 for both 15.x and 16.x at the time of 15.0 release.
+
+Support for executing 32-bit binaries on 64-bit platforms via the `COMPAT_FREEBSD32` option will continue for at least the stable/15 and stable/16 branches.
+Support for compiling individual 32-bit applications via `cc -m32` will also continue for at least the stable/15 branch, which includes suitable headers in [.filename]#/usr/include# and libraries in [.filename]#/usr/lib32#.
+
+Ports will not include support for deprecated 32-bit platforms for FreeBSD 15.0 and later releases.
+These future releases will not include binary packages or support for building packages from ports for deprecated 32-bit platforms.
+
+The FreeBSD stable/14 and earlier branches will retain existing 32-bit kernel and world support.
+Ports will retain existing support for building ports and packages for 32-bit systems on stable/14 and earlier branches as long as those branches are supported by the ports system.
+However, all 32-bit platforms are Tier-2 or Tier-3, and support for individual ports should be expected to degrade as upstreams deprecate 32-bit platforms.
+
+With the current support schedule, stable/14 will reach end of life (EOL) around 5 years after the release of FreeBSD 14.0-RELEASE.
+The EOL of stable/14 will mark the end of support for deprecated 32-bit platforms, including source releases, pre-built packages, and support for building applications from ports.
+With the release of 14.0-RELEASE in November 2023, support for deprecated 32-bit platforms will end in November 2028.
+
+The Project may choose to alter this approach when FreeBSD 15.0 is released by extending some level of support for one or more of the deprecated platforms in 15.0 or later.
+Any alterations will be driven by community feedback and committed efforts to support these platforms.