What’s New in Oracle Solaris 11.4 SRU 87

Oracle Solaris 11.4 SRU 87 is now available via “pkg update” from the support repository or by downloading the SRU from My Oracle Support Doc ID 2433412.1. Highlights of the changes in this release are given in the release announcement and important information to read before installing it is provided in the Readme linked from the above support document. This blog post provides more details about selected new features and interface changes in this SRU, as well as some preparation work for changes coming in future SRUs.

Security and Compliance Features

useradd(8) account activation options

Since Solaris 11.0, useradd(8) has created accounts in the UP (uninitialised password) state. An admin with the solaris.passwd.assign authorization needed to activate the account by either setting a password or running passwd -N to mark the account as an non-password login, NP, which allowed it to be used for cron and SSH public key authentication without having a valid UNIX password value.

Starting in Solaris 11.4.78, the system started enforcing that an account in the UP state could not be logged in even with an SSH public key. However, various third party tools, including Ansible, assume that an account created by useradd(8) can be logged into if there are valid SSH public keys configured.

A new option -N to useradd(8) is now provided in SRU 87 to allow placing a new account directly into the NP state without needing a separate invocation of passwd(1). Running useradd -D -N sets this flag as part of the default flags, so it doesn’t need to be specified on every invocation.

A new option -U was also added to specify that the account should be created in the UP state as was previously done, allowing to override the default on a specific invocation, or to reset the default for further invocations.

Accounts in the NP state can only access the system if a user has configured an SSH authentication mechanism other than ‘password’, such as a public key or GSSAPI/Kerberos. See the ‘SECURITY’ section in the sshd(8) man page for more information.

sxadm(8) update for AMD Transient Scheduler Attacks mitigation

First added in SRU 85, this SRU includes new sxadm(8) extensions for Transient Scheduler Attack (TSA) vulnerabilities in AMD CPUs which are covered by CVE-2024-36348, CVE-2024-36349, CVE-2024-36350 and CVE-2024-36357.

• TSA is a new extension for AMD machines that will be enabled if the processor is vulnerable and has a mitigation available for the TSA vulnerabilities.
• TSA_L1_NO is a new readonly extension that will be enabled if the CPU is not vulnerable to Level 1 data cache exploits that are part of the TSA vulnerabilities.
• TSA_SQ_NO is a new readonly extension that will be enabled if the CPU is not vulnerable to store queue exploits that are part of the TSA vulnerabilities.

Intel and SPARC systems are not susceptible to any of the TSA vulnerabilities. On those systems the TSA_L1_NO and TSA_SQ_NO extensions will be displayed as permanently enabled readonly extensions to reflect this.

Data Management Features

fmthard(8) -c (clear) and -e (GPT/EFI) options

SRU 87 added the -c flag to fmthard(8) to clear (zero) all labels and backup labels from a device: This includes MBR, VTOC, and GPT/EFI labels.

SRU 87 also documents the fmthard -e option to force writing a GPT/EFI label instead of a VTOC label.

Networking Features

BIND configuration and compatibility check service

SRU 87 introduces a new SMF service, svc:/system/check/bind which runs named-checkconf(1) on the file listed in the svc:/network/dns/server:default property options/configuration_file (prepended with property options/chroot as applicable). Any deprecated features or errors will be reported in the service log and the service will be placed into the degraded state if any are reported.

This will help prepare for upgrades to BIND 9.20, which has removed some features that were deprecated in the current BIND 9.18 release.

Performance and Observability

New cableinfo(8) peer command to croinfo(8)

This project enhanced fmd(8)’s understanding of cables by modeling a ‘cable-bay’ receptacle and a new ‘cable-tip’ occupant. For SAS cables, support was added for the SFF8636 specification for both HBA cable-bays and DE3-24* IOM cable-bays. This work provides FMA with cable presence, cable FRU, and cable characteristics and capability information: enabling FRU remove notification of cable-tips, improved AK bundle data detailing cables, and future enhancements to SAS cabling diagnosis.

A new hardlink (/usr/sbin/cableinfo) to /usr/sbin/croinfo was created to restrict output to information about cables. Depending on the output options chosen, the output may be as follows.

root# cableinfo -o CRen
C:chassis-serial  R:receptacle-name  e:occupant-model               n:occupant-part
----------------  -----------------  -----------------------------  ---------------
1805XC301B        SAS0               SAS-MiniHD4x-AO-3_6_12Gbps-3M  ORCL-7348776
1805XC301B        SAS1               SAS-MiniHD4x-AO-3_6_12Gbps-3M  ORCL-7348776
1805XC301B        SAS2               SAS-MiniHD4x-AO-3_6_12Gbps-3M  ORCL-7348776
1805XC301B        SAS3               SAS-MiniHD4x-AO-3_6_12Gbps-3M  ORCL-7348776
1805XC301B        SAS0               SAS-MiniHD4x-AO-3_6_12Gbps-3M  ORCL-7348776
1805XC301B        SAS1               SAS-MiniHD4x-AO-3_6_12Gbps-3M  ORCL-7348776
1805XC301B        SAS2               SAS-MiniHD4x-AO-3_6_12Gbps-3M  ORCL-7348776
1805XC301B        SAS3               SAS-MiniHD4x-AO-3_6_12Gbps-3M  ORCL-7348776
1651NMS007        PORT0              SAS-MiniHD4x-PC-3_6Gbps-2M     SC-SA-4444-2M
1651NMS007        PORT1              SAS-MiniHD4x-AO-3_6_12Gbps-3M  ORCL-7348776
1651NMS007        PORT2              -                              -
1651NMS007        PORT3              SAS-MiniHD4x-AO-3_6_12Gbps-3M  ORCL-7348776

Virtualization Features

Improved devalias management for LDoms Guest Domains

SRU 87 adds support for improved devalias management for guest domains within the LDoms Manager (ldmd). Two specific enhancements are provided:

• Automatic detection of on-board disk and net devices belonging to a guest, causing a devalias entry for disk or net, as appropriate, to be added to the guest MD such that OBP recognizes them.
• New CLI subcommands for ldm(8): add-devalias, list-devalias, remove-devalias. These are supported for guest domains only, not the control domain.

No longer used ‘_sys_’ memory blocks now returned to free memory pool by ldmd

The LDoms Manager (ldmd) allocates memory for “system” purposes, e.g. Machine Descriptions, DAX command queues, LDC extended mapin tables, etc. These are listed as _sys_ segments by ldm’s various listing commands. Previously, when these _sys_ memory allocations were no longer needed (e.g. the domain that required its use was destroyed), it would remain in a separate pool for potential future such allocations. Starting with SRU 87, if enough of these system segments are freed to constitute an entire mblock (mblock sizes are dependent on platform and specific use), the memory is released to the global free memory pool.

There might be specific cases where this behavior is less than ideal (e.g. one set of domains is being destroyed, to be followed by another set being configured). In that case, set the ldmd/disable_free_sys_memory SMF property of the ldmd service to true, then refresh & restart it to disable this feature.

solaris10 branded zone support for gzip/bzip2 compressed flar archives

SRU 81 added support for installing solaris10(7) branded zones from gzip/bzip2 compressed ustar/xustar/pax archives. SRU 87 adds support for externally compressed S10 Flash Archives, aka flar, allowing users to give zoneadm install a flar archive with either a .gz or .bz2 suffix:

zoneadm -z s10z install -u -a /root/s10u11-x86.flar.bz2

System Management Features

Oracle Cloud Agent

SRU 87 adds the new pkg:/system/management/oracle-cloud-agent package to the Solaris support package repository, OCI marketplace images, and the solaris-cloud-guest package group.

Currently this package provides only two of the Oracle Cloud Agent plugins: gomon (performance monitoring) and runcommand. It installs two new SMF services:

• svc:/system/management/oracle-cloud-agent
• svc:/system/management/oracle-cloud-agent-heartbeat

The runcommand plugin will execute commands as the new ocarun user, which has the Oracle Cloud Agent Profile assigned via Solaris RBAC. Commands can be submitted to the runcommand plugin via the OCI CLI or REST API. See Running Commands on an Instance for details.

Enhancements for Developers

GCC 15 added

Version 15 of the GNU Compiler Collection has been added, including compilers for C, C++, Ada, Fortran, Go, and Objective C. See GCC 15 Release Series: Changes, New Features, and Fixes for more information on the changes in this generation of the GNU family of compilers, and Porting to GCC 15 for information on changes you may need to make to code and/or compiler flags in order to build it with GCC 15.

When building 64-bit x86 code, the Solaris gcc-15 packages have also been patched to bring back the -msave-args argument found in some older versions of gcc on Solaris, such as the gcc 3.4.3 packages included in Solaris 10. This argument makes gcc generate code to save integer registers containing function arguments on the stack at function entry for improved debugging. For compatibility with other platforms, -mpreserve-args is accepted as an alias for this option.

MDB API to get annotations by type

The mdb(1) debugger has an API, mdb_get_annotation_byval(), that allows dcmds and annotation callbacks to get the annotations for other types. In the common case, it is called from another annotation callback, with the result from mdb_annotation_get_uintval() to allow structure members to be annotated using the annotation for particular type.

A new interface is now provided in SRU 87 to allow mdb modules to annotate members based on type without writing any actual code:

size_t mdb_annotate_bytype(uintptr_t addr, char *buf,
    size_t len, const void *arg, const mdb_annotation_arg_t *maa);

Here the bike_make member of struct bike is annotated with the annotation for bike_make_t:

static mdb_annotation_t bike_info_annotation[] = {
      {
          .ma_type = MDB_BUILD_TYPE_STRING(int),
          .ma_struct = MDB_BUILD_TYPE_STRING(struct bike),
          .ma_member = BUILD_STRING(bike_make),
          .ma_callback = mdb_annotate_bytype,
          .ma_arg = MDB_BUILD_TYPE_STRING(bike_make_t)
      }
};

MDB API to set array lengths

Many data structures contain fixed or flexible arrays where the number of members of the array that are used are either directly or indirectly stored in the data structure. This new API allows mdb to utilise this information to limit or extend the number of elements reported.

Given a flexible array describing a bike shed:

struct bikeshed {
    uint_t bs_nbikes;
    bike_t bs_bikes[];
};

The new API allows specifying a single entry to a module’s mdb_typemap_t array:

MDB_ARRAYMAP_BYMEMBER(struct bikeshed, bs_bikes, bs_nbikes)

CTF_K_SLICE support

Solaris CTF has added support for the CTF_K_SLICE kind from GNU CTF, in order to better represent bitfields in C structures & unions. SRU 87 adds support for reading CTF_K_SLICE data and displaying it in the mdb debugger. A future SRU will add CTF_K_SLICE data to the CTF output by Solaris tools, including the CTF included in Solaris binaries, and add support for handling it in the scat debugging tool.

Desktop Features

Firefox and Thunderbird ESR 140

Firefox and Thunderbird have been updated from the ESR 128 release train to the ESR 140 release train. For information on the changes in these releases, see the Firefox 140 ESR Release Notes, and Thunderbird 140 Release Notes.

Before Upgrading to SRU 87

Migration from PHP 8.1 to a later version

Prior SRUs provided packages for PHP versions 8.1, 8.2, 8.3, and 8.4. PHP 8.1 has been removed in SRU 87, since the PHP community is ending support for 8.1 at the end of December 2025.

All locally built applications and ISV applications that use the system provided PHP 8.1 need to migrate to a later PHP version before updating to SRU 87. The PHP Group has supplied information on Migrating from PHP 8.1.x to PHP 8.2.x, Migrating from PHP 8.2.x to PHP 8.3.x, and Migrating from PHP 8.3.x to PHP 8.4.x, to help with this.

Migration from Python 3.9 to 3.11 or 3.13

SRU 86 provided packages for Python versions 3.9, 3.11, and 3.13. SRU 87 has obsoleted the packages for Python 3.9, since upstream support for Python 3.9 ended in October 2025. Python 3.9 packages will be removed on upgrade unless steps are taken similar to those described for Python 3.7 in Oracle Solaris has obsoleted Python 3.7. But I still need it – what do I do?. Otherwise all locally built applications and ISV applications that use the system provided Python 3.9 need to migrate to a later version before upgrading to SRU 87 or later. See Porting to Python 3.10, Porting to Python 3.11, Porting to Python 3.12, and Porting to Python 3.13 to help with this. Migration of Solaris delivered core functionality is complete and was delivered incrementally over a number of SRUs.

For Python code which used the standard library modules cgi or cgitb that were removed from the Python standard libary in Python 3.13 by PEP-594, SRU 87 has added the legacy-cgi Python module to ease migration to Python 3.13 and later releases.

Preparation for Upcoming SRUs

The following are a subset of the removals planned for future SRUs. See End of Feature Notices for Oracle Solaris 11 for the complete list of removals announced so far.

Migration from gcc 12 to a later version

SRU 87 provides packages for versions 12, 13, 14, and 15 of the GNU Compiler Collection. GCC 12 will be removed in a future SRU. Users of the gccgo compiler need to note that the removal of GCC 12 will also include the removal of the libgo.so.21 library used by Go programs compiled with GCC 12, and that they thus will need to recompile any such programs with a newer version of gccgo before upgrading to an SRU with GCC 12 removed.

Migration from MySQL 8.0 to 8.4

SRU 78 added packages for version 8.4 of the MySQL database alongside the existing packages for version 8.0. Upstream support for MySQL 8.0 is scheduled to end in April 2026 and it is planned for removal in a future Solaris 11.4 SRU. Administrators of MySQL 8.0 databases should follow the instructions in MySQL 8.4 Reference Manual: Upgrading MySQL to migrate their databases to version 8.4 before upgrading to an SRU in which 8.0 has been removed.

Migration from OKM to KMIP

Support for Oracle Key Manager (OKM) via pkcs11_kms(7) may be removed from a future Oracle Solaris 11.4 SRU. Systems should be migrated to using a key management system using the OASIS KMIP standard supported by pkcs11_kmip(7), such as Oracle Key Vault (OKV).

Migration from PCRE to PCRE2

SRU 87 provides packages for both ABI versions 1 and 2 of the Perl Compatible Regular Expressions (PCRE) library, as provided by library/pcre (version 8.45) and library/pcre2 (version 10.42). Upstream ended support for the version 1 API/ABI after June 2021 and recommends all users port to version 2. Migration of the Solaris delivered packages to the new version is ongoing and continues to be delivered incrementally over a number of SRUs. Once this is complete, the package for version 1 will be obsoleted and removed on upgrade. All locally built applications and ISV applications that use the system provided libpcre need to migrate to libpcre2 as soon as possible.