FreeBSD/ports 46134cb security/vuxml/vuln 2026.xml

security/vuxml: Document multiple Unbound vulnerabilities

* CVE-2026-32792
* CVE-2026-33278
* CVE-2026-40622
* CVE-2026-41292
* CVE-2026-42534
* CVE-2026-42923
* CVE-2026-42944
* CVE-2026-42959
* CVE-2026-42960
* CVE-2026-44390
* CVE-2026-44608

References:
https://www.nlnetlabs.nl/projects/unbound/security-advisories/

PR:             295442
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta  File
+58 -0  security/vuxml/vuln/2026.xml
+58 -0  1 files

FreeBSD/ports 0da3377 deskutils/fet distinfo Makefile

deskutils/fet: Update to 7.8.6

Changelog: https://lalescu.ro/liviu/fet/news.html
Delta  File
+3 -3  deskutils/fet/distinfo
+1 -1  deskutils/fet/Makefile
+4 -4  2 files

FreeBSD/ports a04613f www/freenginx-devel distinfo Makefile, www/freenginx-devel/files extra-patch-passenger-build-nginx.rb extra-patch-passenger-disable-telemetry

www/freenginx-devel: third-party modules management (+)

Update third-party passenger module to 6.1.4.

Bump PORTREVISION.

Sponsored by:   tipi.work
Delta  File
+3 -3  www/freenginx-devel/distinfo
+2 -2  www/freenginx-devel/files/extra-patch-passenger-build-nginx.rb
+2 -2  www/freenginx-devel/files/extra-patch-passenger-disable-telemetry
+2 -2  www/freenginx-devel/files/extra-patch-passenger-Configuration.c
+1 -1  www/freenginx-devel/Makefile
+1 -1  www/freenginx-devel/Makefile.extmod
+11 -11  6 files

FreeBSD/ports c8ffb7a security/vuxml/vuln 2026.xml

security/vuxml: Add entry for strongSwan CVE-2026-47895

PR:             295936
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta  File
+29 -0  security/vuxml/vuln/2026.xml
+29 -0  1 files

FreeBSD/src 04cee2a sys/x86/include specialreg.h

intelhfi: Add IA32_PM_ENABLE bit flag define

Reviewed by: Minsoo Choo <minsoo at minsoo.io>
Differential Revision: https://reviews.freebsd.org/D56919

(cherry picked from commit 436f47a80c20a4d8395d30f81684b2d5dd35991e)
Delta  File
+3 -0  sys/x86/include/specialreg.h
+3 -0  1 files

FreeBSD/ports 797f48e www/freenginx-devel distinfo Makefile.extmod, www/freenginx-devel/files extra-patch-openresty-drizzle-nginx-module-config

www/freenginx-devel: third-party modules management (+)

Update the following third-party modules and their dependencies
to the recent snapshots:

- echo
- encrypted session
- drizzle
- lua
- luastream
- memc
- set_misc
- srcache

Bump PORTREVISION.

Sponsored by:   tipi.work
Delta  File
+17 -17  www/freenginx-devel/distinfo
+9 -9  www/freenginx-devel/Makefile.extmod
+2 -2  www/freenginx-devel/files/extra-patch-openresty-drizzle-nginx-module-config
+1 -1  www/freenginx-devel/Makefile
+29 -29  4 files

FreeBSD/src 0b26973 sys/kern imgact_elf.c

imgact_elf: handle unaligned phdrs

Although non-compliant, there are binaries which have the phdrs placed
unaligned in the image.  Since we have the code to allocate memory for
off-page phdrs, the same code path can be used to handle unaligned
phdrs.

Relax the requirement for both the activated image and interpreter.

PR:     295629
Reviewed by:    emaste, markj, olce
Sponsored by:   The FreeBSD Foundation
MFC after:      1 week
Differential revision:  https://reviews.freebsd.org/D57498
Delta  File
+5 -8  sys/kern/imgact_elf.c
+5 -8  1 files

FreeBSD/src 256fa87 share/examples/netgraph ngctl, sys/netgraph ng_ksocket.c

netgraph: remove remnants of IPPROTO_DIVERT

Fixes:  8624f4347e8133911b0554e816f6bedb56dc5fb3
Delta  File
+1 -1  share/examples/netgraph/ngctl
+0 -1  sys/netgraph/ng_ksocket.c
+1 -2  2 files

FreeBSD/src 8dca7fc stand/efi/loader bootinfo.c, stand/efi/loader/arch/amd64 elf64_freebsd.c

loader.efi: Fix when staging moves late

Prior to this commit, we'd compute the page tables and have the last
entries point to the staging area. We'd then add some more metadata to
the image and boot. This assumed the staging area didn't need to move
for this last bit of data.

However, if we go over the staging limit, when we copyin new data, we
grow the staging area, usually by moving it to a lower address.  This
overage usually happens when we're loading modules and so things work
out nicely. Sometimes we're close to the limit, and we need to do this
growing inside bi_load, after we've computed the page table, making the
page table wrong, and the code we jump to random rather than the btext
routine we normally start at.

To fix this, move computation of the table (but not its allocation) to
after bi_load, but before we call the trampoline.

This problem was most observed when loading microcode for many people,

    [19 lines not shown]
Delta  File
+30 -17  stand/efi/loader/arch/amd64/elf64_freebsd.c
+18 -1  stand/efi/loader/bootinfo.c
+48 -18  2 files

FreeBSD/ports f4d9b51 security/wazuh-manager pkg-plist distinfo

security/wazuh-manager: Update wazuh whl cache files to reflect arrow update

- Bump PORTREVISION
Delta  File
+27 -18  security/wazuh-manager/pkg-plist
+12 -12  security/wazuh-manager/distinfo
+6 -5  security/wazuh-manager/Makefile
+45 -35  3 files

FreeBSD/ports 1eaa451 textproc/opensearch-dashboards219 Makefile, textproc/opensearch-dashboards219/files patch-src_core_server_opensearch_legacy_opensearch__client__config.js patch-plugins_securityDashboards_server_utils_next__url.js

textproc/opensearch-dashboards219: Update node20 to node24

- Remove DEPRECATED and EXPIRATION_DATE
- Bump PORTREVISION

With hat:       opensearch
Delta  File
+26 -0  textproc/opensearch-dashboards219/files/patch-src_core_server_opensearch_legacy_opensearch__client__config.js
+26 -0  textproc/opensearch-dashboards219/files/patch-plugins_securityDashboards_server_utils_next__url.js
+4 -6  textproc/opensearch-dashboards219/Makefile
+56 -6  3 files

FreeBSD/doc df5dc4f documentation/content/en/books/handbook/cutting-edge _index.adoc

handbook: Fix header capitalization
Delta  File
+2 -2  documentation/content/en/books/handbook/cutting-edge/_index.adoc
+2 -2  1 files

FreeBSD/ports 5a5c707 security/strongswan distinfo Makefile

security/strongswan: Update 6.0.6 => 6.0.7

Changelog:
https://github.com/strongswan/strongswan/releases/tag/6.0.7

PR:             295936
Approved by:    blanket (fix CVE)
MFH:            2026Q2
Security:       CVE-2026-47895
Sponsored by:   Rubicon Communications, LLC ("Netgate")

(cherry picked from commit ab71842ed8cd8c3fa1e45093fc22e3efb05ccd9a)
Delta  File
+3 -3  security/strongswan/distinfo
+1 -1  security/strongswan/Makefile
+4 -4  2 files

FreeBSD/ports ab71842 security/strongswan distinfo Makefile

security/strongswan: Update 6.0.6 => 6.0.7

Changelog:
https://github.com/strongswan/strongswan/releases/tag/6.0.7

PR:             295936
Approved by:    blanket (fix CVE)
MFH:            2026Q2
Security:       CVE-2026-47895
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta  File
+3 -3  security/strongswan/distinfo
+1 -1  security/strongswan/Makefile
+4 -4  2 files

FreeBSD/ports 1acb0d9 audio/pt2-clone distinfo Makefile

audio/pt2-clone: Update to 1.89
Delta  File
+3 -3  audio/pt2-clone/distinfo
+1 -1  audio/pt2-clone/Makefile
+4 -4  2 files

FreeBSD/ports 6f7042a net/py-tiny-proxy Makefile distinfo

net/py-tiny-proxy: Update to 0.3.0
Delta  File
+4 -3  net/py-tiny-proxy/Makefile
+3 -3  net/py-tiny-proxy/distinfo
+7 -6  2 files

FreeBSD/ports 87e1c4b security/krb5-121 Makefile, security/krb5-121/files patch-lib_gssapi_krb5_import__name.c

security/krb5-12?:  Fix reachable assert when importing krb5 names

If a name token contains trailing garbage, error out from
krb5_gss_import_name() instead of crashing the process with an
assertion failure.

Commit message details obtained from upstream commit.
Obtained from:  upstream commit 07818f1fd
Reported by:    Aisle Research (Ze Sheng, Dmitrijs Trizna,
                Luigino Camastra, Guido Vranken) to krb5-bugs

(cherry picked from commit 8854e0201abe6c8292d0360c23a8be7201240016)
Delta  File
+12 -0  security/krb5-121/files/patch-lib_gssapi_krb5_import__name.c
+12 -0  security/krb5-122/files/patch-lib_gssapi_krb5_import__name.c
+1 -1  security/krb5-121/Makefile
+1 -1  security/krb5-122/Makefile
+26 -2  4 files

FreeBSD/ports 17cf42b security/krb5-122 Makefile, security/krb5-122/files patch-lib_gssapi_spnego_spnego__mech.c

security/krb5-122: Fix null dereference in SPNEGO token processing

krb5 1.22.1 erroneously removed a check from get_negTokenResp() for
successful decoding of the mechListMIC field.  Restore the check to
prevent a null pointer dereference.

Commit message details obtained from upstream commit.
Obtained from:  Upstream commit 4ae75cded
                src commit efb5c07f91c5

(cherry picked from commit cfb473892e7ff64daa2ea4f3fdc63768eaed66d3)
Delta  File
+11 -0  security/krb5-122/files/patch-lib_gssapi_spnego_spnego__mech.c
+1 -0  security/krb5-122/Makefile
+12 -0  2 files

FreeBSD/ports df970d1 security/krb5-122 distinfo Makefile

security/krb5-122: Update to 1.22.2

(cherry picked from commit 83b96e958e11112d9a28f1938887066c4b2598fd)
Delta  File
+3 -3  security/krb5-122/distinfo
+1 -1  security/krb5-122/Makefile
+4 -4  2 files

FreeBSD/ports c076388 security/krb5-devel distinfo Makefile

security/krb5-devel: update to the latest MIT/KRB5 github commit

(cherry picked from commit 1d2596768f3d6c523879a55382f68c7a25fe46ed)
Delta  File
+3 -3  security/krb5-devel/distinfo
+2 -2  security/krb5-devel/Makefile
+5 -5  2 files

FreeBSD/ports 10ddd37 security/krb5-devel distinfo Makefile, security/krb5-devel/files patch-plugins_preauth_pkinit_pkinit__crypto__openssl.c

security/krb5-devel: update to the latest MIT/KRB5 github commit

Support for OpenSSL 1.1.1 has been removed by upstream in this update.

(cherry picked from commit 1f29b1929b8217b102eeb2d2ce3ca836801622d4)
Delta  File
+11 -19  security/krb5-devel/files/patch-plugins_preauth_pkinit_pkinit__crypto__openssl.c
+3 -3  security/krb5-devel/distinfo
+2 -2  security/krb5-devel/Makefile
+16 -24  3 files

FreeBSD/ports 5300969 security/krb5-devel distinfo Makefile

security/krb5-devel: update to the latest MIT/KRB5 github commit

(cherry picked from commit 526588132e8f9eed964ca434b4b2b125c92344a9)
Delta  File
+3 -3  security/krb5-devel/distinfo
+2 -2  security/krb5-devel/Makefile
+5 -5  2 files

FreeBSD/ports 8854e02 security/krb5-121 Makefile, security/krb5-121/files patch-lib_gssapi_krb5_import__name.c

security/krb5-12?:  Fix reachable assert when importing krb5 names

If a name token contains trailing garbage, error out from
krb5_gss_import_name() instead of crashing the process with an
assertion failure.

Commit message details obtained from upstream commit.
Obtained from:  upstream commit 07818f1fd
Reported by:    Aisle Research (Ze Sheng, Dmitrijs Trizna,
                Luigino Camastra, Guido Vranken) to krb5-bugs
MFH:            2026Q2
Delta  File
+12 -0  security/krb5-121/files/patch-lib_gssapi_krb5_import__name.c
+12 -0  security/krb5-122/files/patch-lib_gssapi_krb5_import__name.c
+1 -1  security/krb5-121/Makefile
+1 -1  security/krb5-122/Makefile
+26 -2  4 files

FreeBSD/ports cfb4738 security/krb5-122 Makefile, security/krb5-122/files patch-lib_gssapi_spnego_spnego__mech.c

security/krb5-122: Fix null dereference in SPNEGO token processing

krb5 1.22.1 erroneously removed a check from get_negTokenResp() for
successful decoding of the mechListMIC field.  Restore the check to
prevent a null pointer dereference.

Commit message details obtained from upstream commit.
Obtained from:  Upstream commit 4ae75cded
                src commit efb5c07f91c5
MFH:            2026Q2
Delta  File
+11 -0  security/krb5-122/files/patch-lib_gssapi_spnego_spnego__mech.c
+1 -0  security/krb5-122/Makefile
+12 -0  2 files

FreeBSD/ports 5265881 security/krb5-devel distinfo Makefile

security/krb5-devel: update to the latest MIT/KRB5 github commit
Delta  File
+3 -3  security/krb5-devel/distinfo
+2 -2  security/krb5-devel/Makefile
+5 -5  2 files

FreeBSD/ports 737bf07 sysutils/iocage/files patch-pyproject.toml iocage.in

sysutils/iocage: Fix build and runtime issues

This switches the build to pyproject.yml and hatchling to avoid
various setuptools issues.

It adds a workaround for problems with py-click, which
prevented some command line options from working properly
(especially formatting output for scripting using '-h').

While there, import small github hosted patch into the tree.

PR:             295084, 295723
Reported by:    andreas at turriff.net, echoxxzz at gmail.com
Delta  File
+65 -0  sysutils/iocage/files/patch-pyproject.toml
+0 -44  sysutils/iocage/files/iocage.in
+41 -0  sysutils/iocage/files/patch-iocage__cli_list.py
+23 -0  sysutils/iocage/files/patch-iocage__cli_snaplist.py
+22 -0  sysutils/iocage/files/patch-iocage__cli_df.py
+22 -0  sysutils/iocage/files/patch-iocage__cli_get.py
+173 -44  6 files not shown
+245 -70  12 files

FreeBSD/src a9519f7 sys/dev/firewire firewire.c firewirereg.h

firewire: Fix watchdog_clock aliasing and fw_tl2xfer UAF race

Two bugs in the firewire bus layer that affect all consumers (
if_fwip, sbp):

watchdog_clock was a static local in firewire_watchdog(), shared across
all firewire_comm instances.  With two controllers (e.g. built-in +
Thunderbolt Display), both advance the same counter, so the second
controller's 15-second boot-time timeout guard expires prematurely.

fw_tl2xfer() released tlabel_lock before returning the xfer pointer.

Reviewed by:    zlei, adrian
Differential Revision:  https://reviews.freebsd.org/D57496
Delta  File
+37 -30  sys/dev/firewire/firewire.c
+1 -0  sys/dev/firewire/firewirereg.h
+38 -30  2 files

FreeBSD/ports 91be4bb archivers Makefile, archivers/py-pycdlib Makefile pkg-descr

archivers/py-pycdlib: New port

PyCdlib is a pure python library to parse, write (master), and create
ISO9660 files, suitable for writing to a CD or USB.
Delta  File
+22 -0  archivers/py-pycdlib/Makefile
+6 -0  archivers/py-pycdlib/pkg-descr
+3 -0  archivers/py-pycdlib/distinfo
+1 -0  archivers/Makefile
+32 -0  4 files

FreeBSD/src efb5c07 crypto/krb5/src/lib/gssapi/spnego spnego_mech.c

krb5: Fix null dereference in SPNEGO token processing

krb5 1.22.1 erroneously removed a check from get_negTokenResp() for
successful decoding of the mechListMIC field.  Restore the check to
prevent a null pointer dereference.

Commit message details obtained from upstream commit.
Obtained from:  Upstream commit 4ae75cded
MFC after:      3 days
Delta  File
+2 -0  crypto/krb5/src/lib/gssapi/spnego/spnego_mech.c
+2 -0  1 files

FreeBSD/src fce16f6 crypto/krb5/src/lib/gssapi/krb5 import_name.c

krb5: Fix reachable assert when importing krb5 names

If a name token contains trailing garbage, error out from
krb5_gss_import_name() instead of crashing the process with an
assertion failure.

Commit message details obtained from upstream commit.
Obtained from:  upstream commit 07818f1fd
Reported by:    Aisle Research (Ze Sheng, Dmitrijs Trizna,
                Luigino Camastra, Guido Vranken) to krb5-bugs
MFC after:      3 days
Delta  File
+2 -1  crypto/krb5/src/lib/gssapi/krb5/import_name.c
+2 -1  1 files