Oracle Solaris 11.4 SRU 78 is now available via ‘pkg update’ from the support repository or by downloading the SRU from My Oracle Support Doc ID 2433412.1. Highlights of the changes in this release are given in the release announcement and important information to read before installing it is provided in the Readme linked from the above support document. This blog post provides more details about selected new features and interface changes in this SRU, as well as some preparation work for changes coming in future SRUs.
Security and Compliance Features
File extraction by cpio(1) restricted to the current working directory
Previously, cpio(1) has allowed files to be extracted anywhere based on the paths specified in the archive. Both absolute and relative pathnames (including those with a “..“) were extracted to those paths. This required the user to be responsible for making sure that the extractions would not occur to locations that they may not desire, especially if the user had elevated privileges.
Starting in SRU 78, cpio(1) is no longer able to extract to files outside of the current working directory by default. The -x option can be used to allow files to be extracted to such paths, as was done in previous releases. See the cpio(1) man page.
OpenSSL 3 as default compilation/script environment
Before SRU 78, links such as /usr/bin/openssl and /usr/include/openssl pointed to the OpenSSL 1.0.2 versions. Now that the migration of all the Solaris packaged consumers of OpenSSL to rely on OpenSSL 3.0 has completed, these links have been updated in SRU 78 to point to the OpenSSL 3.0 versions instead, in preparation for the removal of OpenSSL 1.0.2 in a later SRU (see below for more on that).
sxadm(8) update for AMD Speculative Return Stack Overflow Vulnerabilities
The sxadm(8) command in SRU 78 has added three new extensions, SBPB, SRSO_NO, and SRSO_USER_KERNEL_NO to indicate whether the CPU is vulnerable to or has mitigations in place for the AMD Speculative Return Stack Overflow (SRSO, aka “Inception”) vulnerabilities which are covered by CVE-2023-20569. SRSO_NO and SRSO_USER_KERNEL_NO will always be shown as enabled on all SPARC and Intel CPUs, and some models of AMD CPUs, to indicate they are not affected by these issues. On affected models of AMD CPUs, SBPB will be shown as enabled if the CPU has loaded the necessary microcode updates with the mitigations.
Performance and Observability
New iostat -b option for backend statistics of LDom/KZ guest devices
This SRU adds a new command line option -b to the iostat(8) tool to display backend statistics for virtual devices assigned to guests (Kernel Zones or LDom guests). The virtual device in this context is either a virtual block device, a “vdisk” (LDoms) or “zvblk” (Kernel Zones), or it is a physical SCSI device such as a SCSI disk or tape device exported through the Virtual storage area network (SAN) service.
The user can limit the output by passing device names as command line arguments or by using iostat‘s option -z to omit devices with no IO activity from the report.
See the ldm(8) manual page for the definition of the “backend”, and the iostat(8) man page for more on this option.
iostat wildcard character support for disk report selection
The iostat(8) tool has always accepted a ‘disk’ argument to explicitly select devices to report. The device matching algorithm has used simple string matching to compare device names in the system against the argument string. However, this was impractical on systems with many disk or with long disk names as typing a disk name that includes WWN (SAN) is inconvenient.
To make the tool more user-friendly, this SRU adds wildcard matching using the fnmatch(3C) API.
Some command line examples of how to use wildcard characters:
# match a string inside the name
iostat -xnb \*99F8\* 1 1
extended device statistics
r/s w/s kr/s kw/s wait actv wsvc_t asvc_t %w %b device
0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0 0 c0t600144F05A7587000000661799F80002d0
# match target 0-3 on controller 1
iostat -xnb c1t[0-2]d\* 1 1
extended device statistics
r/s w/s kr/s kw/s wait actv wsvc_t asvc_t %w %b device
0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.8 0 0 c1t0d0
Pattern matching also stacks with the -b (backend) option. It provides a generic way to filter the results based on KZ name or LDom vdisk name, etc. For example:
# show virtual disk backends on virtual disk service primary-vds0
iostat -xnb \*@primary-vds0 1 1
extended device statistics
r/s w/s kr/s kw/s wait actv wsvc_t asvc_t %w %b device
0.3 2.3 24.2 20.1 0.0 0.0 0.0 1.2 0 0 bookable-10-163-102-134@primary-vds0
See the iostat(8) man page for details of this feature, and fnmatch(5) for details of the pattern matching syntax.
Virtualization Features
LDoms Virtual Disk now supports reporting device block size & count
The LDoms virtual disk client (vdc) driver now provides block size and count properties that may be displayed by the devprop(8) command.
Bug fixes and performance improvements for virtual HBA
Among other improvements, the vsan module now is more efficient when dynamically processing configuration changes.
Status option (-S) added to ldm(8) list-domain and list-devices subcommands on Oracle SPARC platforms
SRU 78 adds support for the -S option to the list-domain and list-devices subcommands of the ldm(8) command on Oracle SPARC platforms. This option was previously supported only for Fujitsu’s SPARC platforms, and has been either ignored or elicited “NA” output on Oracle SPARC platforms before SRU 78.
The status information is provided for CPU and memory resources only, and depicts whether the resource has been faulted by FMA. The option semantics and output formats are now identical between Oracle and Fujitsu platforms.
Blacklisted resources are not reported via this option; the -B option to the list-devices subcommand already reports on evacuated and blacklisted resources.
Installation and Software Management Features
pkg(7) user action uid selection no longer uses reserved range
Previously, if a user action in an IPS package did not specify a uid, it was assigned the next available free uid from the 0-99 range reserved for use by the OS, even if it was a non-OS-provided package, which could cause conflicts if an OS package that used the same uid was installed later.
Starting in SRU 78, IPS was changed to allocate the first free uid in the install image that is in the range 100-499, which is now reserved for package use; and useradd(8) was changed to allocate the first free uid above 1000 when no explicit uid is given. Equivalent changes were made for gid assignment when no explicit gid is given.
Enhancements for Developers
ctfmerge -t use with -a
SRU 78 removes the restriction from the ctfmerge(1) utility prohibiting the mutual use of the -a and -t options.
::kill dcmd for kmdb
SRU 78 adds a ::kill dcmd for kmdb to queue a signal to send to a user-space process when the kernel is resumed. When a process receives a signal posted from kmdb using the ::kill dcmd it will have a siginfo(3head) si_code of SI_KMDB. See the kmdb(1) man page for details.
Precision modifier for mdb_printf et al
SRU 78 adds support for mdb_printf et al to accept a precision modifier as printf(3c) does for floating point. mdb_printf et al now treats any numerical modifier after a . in a format string as the precision for that value. This precision can then be used by any format that prints a value with a decimal point to specify how many digits after the decimal point should be printed. These are %E, %e, %G, %g, %y, and %Z.
To print an hrtime_t to 6 decimal places the format will now be %.6y rather than %6y as it was before this change. It is possible to give a width as well so %40.3y now pads the output to 40 characters while printing the time to 3 decimal places.
New helper functions in mdb for annotations
In SRU 78, the mdb API has deprecated mdb_annotate_string() and provided a replacement mdb_annotate_str() which accepts an extra opaque data structure to allow the callback to get more information about the annotation. This allows an annotation callback to tell mdb if it has annotated an entire array, such as annotating arrays of char as strings. To this end a new API mdb_annotation_set_annotated_array() is provided, which can be called by annotation callbacks if they are annotating more than one element in an array. If the annotation calls this routine ::print will not attempt to print subsequent members of an array.
Additionally a new helper function, mdb_annotate_time(), has been added to mdb in SRU 78 for annotating times, allowing annotations of timestamp resolution and reference points.
Another helper function, mdb_maa2mgaf(), has been added to mdb to create an mdb_get_annotation_flags_t from an mdb_annotation_arg_t in an annotation callback.
mdb ::operators dcmd
A new ::operators dcmd has been added to mdb in SRU 78 to print short descriptions of all of the mdb operators for quick reference.
Python 3.13
Python 3.13 has been added alongside versions 3.9 and 3.11 in SRU 78, and matching versions of most python module packages have been added as well. See What’s New In Python 3.13 and What’s New In Python 3.12 for information about what’s changed since 3.11, and what changes are necessary to port your Python code to 3.13.
Ruby 3.3
Ruby 3.3 has been added alongside version 3.1 in SRU 78. See the Ruby 3.3.0 release notes and Ruby 3.3 NEWS file for information about what’s changed in this release and what changes are necessary to port your Ruby code to 3.3.
Other Changes
PSUtils replaced with PSPDFUtils
The PSUtils package provided a number of utilities for manipulating Postscript files, but has been abandoned by the original author for a while now. In SRU 78, it has been replaced by a new version from a new author, which adds PDF support among other changes. Some previous utilities, like psmerge to merge Postscript files, are no longer included.
Man page improvements
In addition to documenting the changes listed above, the man pages in SRU 78 include a number of other updates, including:
- Internationalization man pages: add information about which sets of interfaces are currently recommended (the gettext family) and which are provided mainly for backwards compatibility with older standards such as SVID and older X/Open standards (the gettxt and catgets families).
- SVR4 packaging man pages: provide information about IPS replacements that should be used instead on Solaris 11.
- History sections added to a number of pages, including getconf(1), confstr(3c), sysconf(3c), libc(3lib), proc(5), mount(8), and zfs(8).
- shadow(5): added information on the special values of the password field: *LK*, *AL*, NP, and UP.
Before Upgrading to SRU 78
Migration from gcc 11 to a later version
SRU 78 provides packages for versions 12, 13, and 14 of the GNU Compiler Collection. GCC 11 has been removed in this SRU. Users of the gccgo compiler need to note that the removal of GCC 11 also includes the removal of the libgo.so.19 library used by Go programs compiled with GCC 11, and that they thus will need to recompile any such programs with a newer version of gccgo before upgrading to SRU 78.
Migration from GTK 2 to a later version
Previous SRUs provided packages for versions 2, 3, and 4 of the GTK toolkit. The GTK 2 packages have been removed in SRU 78. Upstream support for GTK 2 ended in December 2020 when GTK 4 was released. All of the GUI applications provided in Solaris were already moved to GTK 3 or 4 in previous SRUs, in preparation for this removal. All locally built applications and ISV applications that use the system provided gtk2 package need to migrate to gtk3 or gtk4 before upgrading to SRU 78. See Migrating from GTK 2.x to GTK 3 and Migrating from GTK 3.x to GTK 4 for help with migrating your applications.
Migration from Perl 5.36 to 5.38
Previous SRUs provided packages for Perl versions 5.36 and 5.38. The Perl 5.36 packages have been removed in SRU 78. Upstream support for Perl 5.36 has ended. All locally built applications and ISV applications that use the system provided Perl 5.36 need to migrate to a later version as soon as possible. See https://perldoc.perl.org/perl5380delta for information on the changes between Perl 5.36 and 5.38. Migration of Solaris delivered core functionality was delivered incrementally over a number of SRUs and has been completed.
Preparation for Upcoming SRUs
The following are a subset of the removals planned for future SRUs. See End of Feature Notices for Oracle Solaris 11 for the complete list of removals announced so far.
Migration from MySQL 8.0 to 8.4
SRU 78 added packages for version 8.4 of the MySQL database alongside the existing packages for version 8.0. Upstream support for MySQL 8.0 is scheduled to end in April 2026 and it is planned for removal in a future Solaris 11.4 SRU. Administrators of MySQL 8.0 databases should follow the instructions in MySQL 8.4 Reference Manual: Upgrading MySQL to migrate their databases to version 8.4 before upgrading to an SRU in which 8.0 has been removed.
Migration from OpenSSL 1.0.2 to 3.0
SRU 78 provides packages for both versions 1.0.2 & 3.0 of the OpenSSL libraries. OpenSSL 1.0.2 will be removed in a future SRU; likely no earlier than the May 2025 SRU. All locally built applications and ISV applications that use the system provided OpenSSL 1.0.2 need to migrate to OpenSSL 3.0 as soon as possible. The OpenSSL Foundation has supplied a OpenSSL 3.0 migration guide to help with this. Migration to OpenSSL 3 of Solaris delivered packages was delivered incrementally over a number of SRUs and has been completed in SRU 78.
Migration from PCRE to PCRE2
SRU 78 provides packages for both ABI versions 1 and 2 of the Perl Compatible Regular Expressions (PCRE) library, as provided by library/pcre (version 8.45) and library/pcre2 (version 10.42). Upstream ended support for the version 1 API/ABI after June 2021 and recommends all users port to version 2. Migration of the Solaris delivered packages to the new version is ongoing and continues to be delivered incrementally over a number of SRUs. Once this is complete, the package for version 1 will be obsoleted and removed on upgrade. All locally built applications and ISV applications that use the system provided libpcre need to migrate to libpcre2 as soon as possible.
Migration from Python 3.9 to 3.11 or 3.13
SRU 78 provides packages for Python versions 3.9, 3.11, and 3.13. Upstream support for Python 3.9 will end in October 2025. Python 3.9 will be removed in a future SRU. All locally built applications and ISV applications that use the system provided Python 3.9 need to migrate to a later version as soon as possible. See Porting to Python 3.10, Porting to Python 3.11, Porting to Python 3.12, and Porting to Python 3.13 to help with this. Migration of Solaris delivered core functionality is ongoing and is being delivered incrementally over a number of SRUs.