nuageinit: fix command injection and related issues
- Add shell_escape() helper to safely escape shell arguments
- Apply shell_escape to all user-controlled values in shell commands:
adduser (usershow, useradd, lock, primary_group, groups)
addgroup (groupshow, groupadd, members)
exec_change_password (usermod)
settimezone (tzsetup root and timezone)
install_package (pkg package names)
- Escape double quotes in hostname when writing rc.conf.d/hostname
- Add missing 'local' declaration for resolvconf_command in nameservers()
- Escape interface name in resolvconf -a command
- Change open_resolvconf_conf() from 'w' to 'a' mode to prevent
data loss when nameservers() is called multiple times
- Clean up stale resolvconf.conf at the start of each boot
(skip on postnet to preserve config written by first call)
Approved by: re (cperciva)
MFC After: 1 day
[3 lines not shown]
Make "make update-packages" idempotent
If the user runs "make update-packages" without bumping BRANCH, then it
isn't possible to copy packages from the old location to the new one
(because the two locations are the same). So just skip that step.
Approved by: re (cperciva)
Sponsored by: ConnectWise
PR: 295085
Reviewed by: ivy, emaste
Differential Revision: https://reviews.freebsd.org/D56872
(cherry picked from commit bd1e789b8452a8c2f166a3b4defb95330c71dadd)
(cherry picked from commit 89a0148521aefe0a190d4b62749186c705962d32)
Fix LOCAL_PEERCRED in 32-bit compat mode
Previously the cr_pid field would be incorrectly copied to userland, due
to a size mismatch between the structure as defined in 32-bit vs 64-bit
builds. Fix it by converting the structure before copying it to
userland.
Approved by: re (cperciva)
PR: 294833
Sponsored by: ConnectWise
Reviewed by: emaste
Differential Revision: https://reviews.freebsd.org/D56675
(cherry picked from commit 1d24638d3e8875e4b99a4b5e39f4241e37221b3d)
(cherry picked from commit 3298d82ea34059354dc1ff1a60d8b7d3e495c2cd)
pkg-stage.sh: Add ext2 and ntfs
Having these packages available on release media may help users who
need to sneakernet other packages (e.g. firmware) from systems running
Linux or Windows.
Approved by: re (cperciva)
Suggested by: vladlen, ziaee
MFC after: 3 days
(cherry picked from commit 6881fd278d80ac63b4d511fc130a79ff16d1bb48)
(cherry picked from commit 01d5910b8766671afdbd9e274fd62b397aca9e1a)
release/tools: use same pkg settings in containers as in /etc/pkg/FreeBSD.conf
Instructions in /etc/pkg/FreeBSD.conf and elsewhere recommend putting
changes in /usr/local/etc/pkg/repos/FreeBSD.conf so bring OCI containers
into line as well.
Reviewed by: dfr, ivy
Differential Revision: https://reviews.freebsd.org/D54090
Approved by: re (cperciva)
MFC after: 5 days
Sponsored by: SkunkWerks, GmbH
(cherry picked from commit c73ae67348998a0056145e88debbea9ff6860c4f)
(cherry picked from commit d889f6c466d4cec73c34bc71093d08b25e321071)
bsdinstall: do pkgbase installations with the "script" command
"bsdinstall script" will now do a pkgbase installation by default. The
system components to install can be specified in the COMPONENTS
variable, and have the same names as those used in the interactive
installer. bsdinstall will still do a legacy distset installation if
DISTRIBUTIONS is defined in the installerconfig file.
Approved by: re (cperciva)
PR: 290375
Sponsored by: ConnectWise
Reviewed by: ziaee, ivy, jduran
Differential Revision: https://reviews.freebsd.org/D56717
(cherry picked from commit dc14ae4217a0babb1240f813b642edc2d7b955a6)
(cherry picked from commit 1f5869130f6ebd299e65a627eff23a8c3d360afb)
krb5: Fix two NegoEx parsing vulnerabilities
Bring in upstream commit 2e75f0d93 fixing two CVEs. Upstream commit
log is:
In parse_nego_message(), check the result of the second call to
vector_base() before dereferencing it. In parse_message(), check for
a short header_len to prevent an integer underflow when calculating
the remaining message length.
Reported by Cem Onat Karagun.
CVE-2026-40355:
In MIT krb5 release 1.18 and later, if an application calls
gss_accept_sec_context() on a system with a NegoEx mechanism
registered in /etc/gss/mech, an unauthenticated remote attacker can
trigger a null pointer dereference, causing the process to terminate.
[13 lines not shown]
OpenSSH: Update to 10.3p1
Full release notes are available at
https://www.openssh.com/txt/release-10.3
Selected highlights from the release notes:
* ssh(1), sshd(8): remove bug compatibility for implementations
that don't support rekeying. If such an implementation tries to
interoperate with OpenSSH, it will now eventually fail when the
transport needs rekeying.
* ssh(1), sshd(8): support IANA-assigned codepoints for SSH agent
forwarding, as per draft-ietf-sshm-ssh-agent. Support for the new
names is advertised via the EXT_INFO message. If a server offers
support for the new names, then they are used preferentially.
* ssh(1): add a ~I escape option that shows information about the
current SSH connection.
[10 lines not shown]
pkg-stage.sh: Add ext2 and ntfs
Having these packages available on release media may help users who
need to sneakernet other packages (e.g. firmware) from systems running
Linux or Windows.
Suggested by: vladlen, ziaee
MFC after: 3 days
(cherry picked from commit 6881fd278d80ac63b4d511fc130a79ff16d1bb48)
databases/postgresql??-*: Upgrade to latest version
The PostgreSQL Global Development Group has released an update to all
supported versions of PostgreSQL, including 18.4, 17.10, 16.14, 15.18,
and 14.23. This release fixes 11 security vulnerabilities and over 60
bugs reported over the last several months.
Release notes: https://www.postgresql.org/docs/release/
PostgreSQL 14 EOL Notice
PostgreSQL 14 will stop receiving fixes on November 12, 2026. If you are
running PostgreSQL 14 in a production environment, we suggest that you
make plans to upgrade to a newer, supported version of PostgreSQL.
Please see our versioning policy for more information.
Security: 7185ecc9-4fb7-11f1-bc50-6cc21735f730CVE-2026-6472, CVE-2026-6473, CVE-2026-6474,
CVE-2026-6475, CVE-2026-6476, CVE-2026-6477,
[2 lines not shown]
Revert "nvme: Only attach to storage NVMe devices"
This reverts commit 0a19464bf7afa35ce2aa7649152bc3a7629faa98. It's
incorrect for ahci attachments. Reverting to merge to stable/15
to merge to releng/15.1 for the release.
Sponsored by: Netflix
boot: Replace occurrences of qualified name with full path
In many parts of this chapter the use of "qualified name" and
"unqualified name" was used to refer to a full path to a file (or just
the filename). This terminology is used more in networking terms (i.e.
fully qualified hostname) and is strange to use when referring to files
and directories in a filesystem. It leads to confusion for the reader,
which is why I replaced it throughout the chapter with the more commonly
used term "full path" where appropriate.
While here, remove some whitespaces at the end of sentences.
PR: 292300
