cap_net: do not allow new limits to drop keys from the old ones
If the old limit had family/hosts/sockaddr set, the new limit must
have them too. Before, a missing key in the new limit was treated as
"allow any", which let a caller silently extend their limits.
Reported by: Joshua Rogers of AISLE Research Team
Reviewed by: markj
MFC after: 1 day
Differential Revision: https://reviews.freebsd.org/D56991
(cherry picked from commit d705a519525f2acae3c1efba11436ec6ee8aea0a)
net-mgmt/thanos: Fix BUILD_DATE syntax to fix build
* Change the syntax of BUILD_DATE after switching to GO_LDFLAGS as
port was using double quotes but Uses/go.mk has single quotes where it
interpolates GO_LDFLAGS, which requires use of different syntax.
* Also switch date format of BUILD_DATE to classic ISO 8601.
PR: 295384
Reported by: Chad Jacob Milios <milios at ccsys.com>
Approved by: db@, yuri@ (Mentors, implicit)
Fixes: 2af7cdf6fd59 * net-mgmt/thanos: improve port
databases/rocksdb: Fix build with PIE
RocksDB's build_detect_platform sets PROFILING_FLAGS=-pg when the compiler
supports it. The two benchmark targets table_reader_bench and log_write_bench
are then linked with -pg, which causes the linker to pull in FreeBSD's gcrt1.o
(the profiling CRT). gcrt1.o contains R_X86_64_64 absolute relocations that are
incompatible with -pie, resulting in a link failure when WITH_PIE=yes is set.
PR: 295260
Approved by: sunpoet (maintainer)
Sponsored by: Netflix
powerpc: Remove stale include line from MPC85XX
The stale include line caused config -m to fail with an error trying
to parse the config file during make universe/tinderbox which in turn
caused universe/tinderbox to abort without building any powerpc
kernels (or subsequent architectures such as riscv64) with the error:
make[2]: freebsd/main/Makefile:767: Target architecture for powerpc/conf/MPC85XX unknown. config(8) likely too old.
in .for loop from freebsd/main/Makefile:761 with kernel = MPC85XX
in make[2] in directory "freebsd/main"
make[2]: stopped making "universe_kernels" in freebsd/main
*** Error code 1
Reported by: npn, many others
Fixes: fd8d34ce272b ("dpaa: Migrate from NCSW base to a home-grown driver")
science/v_sim: fix plist
It seems that Python files are not always installed at the same location
depending on the platform.
Since I’m there, register missing dependencies with minor improvements.
PR: 295393
Reported by: D. Engberg
www/nginx-devel: Update to 1.31.0
Changes with nginx 1.31.0                                        13 May 2026
*) Security: when using the "proxy_set_body" directive, an attacker
might inject data in the proxied request to an HTTP/2 backend
(CVE-2026-42926).
Thanks to Mufeed VH of Winfunc Research.
*) Security: a heap memory buffer overflow might occur in a worker
process while handling a specially crafted request by
ngx_http_rewrite_module, potentially resulting in arbitrary code
execution (CVE-2026-42945).
Thanks to Leo Lin.
*) Security: a heap memory buffer overread might occur in a worker
process while handling a specially crafted response by
ngx_http_scgi_module or ngx_http_uwsgi_module, allowing an
[69 lines not shown]