OPNSense/core d3fb0bbsrc/opnsense/mvc/app/models/OPNsense/Firewall Filter.php

Firewall: NAT: Source NAT: Target cannot be any, pf refuses to load that
DeltaFile
+6-0src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.php
+6-01 files

FreeBSD/ports dda359fnet-mgmt/peering-manager Makefile

net-mgmt/peering-manager: Fix Python version

Upstream claims to support >=3.10,<3.15 which translates to 3.10-3.14.

Reviewed by:    bofh
Differential Revision:  https://reviews.freebsd.org/D57709
DeltaFile
+1-1net-mgmt/peering-manager/Makefile
+1-11 files

FreeBSD/src 01c8644sys/amd64/conf MINIMAL, sys/i386/conf MINIMAL GENERIC

x86: Harmonize GENERIC and MINIMAL

* Reorder MINIMAL so everything is in the same order as in GENERIC.

* Wherever comments diverged, except for the explanatory comment at
  the top, copy the GENERIC version to MINIMAL.

* Add KDTRACE_FRAME to i386 GENERIC; it was already in MINIMAL, and
  adding it to GENERIC seemed like the more correct move.

With these changes, MINIMAL is a strict subset of GENERIC, apart from
the identifier and the explanatory comment at the top.

Reviewed by:    imp
Differential Revision:  https://reviews.freebsd.org/D57729
DeltaFile
+17-17sys/i386/conf/MINIMAL
+13-13sys/amd64/conf/MINIMAL
+1-0sys/i386/conf/GENERIC
+31-303 files

OPNSense/core 3c56a63src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms dialogSNatRule.xml, src/opnsense/mvc/app/models/OPNsense/Firewall Filter.xml

Firewall: NAT: Source NAT: Empty target means interface address, allow it in the model and add hints, fix legacy outbound rules exporter as well
DeltaFile
+2-5src/opnsense/scripts/filter/list_legacy_outbound_nat.php
+1-4src/opnsense/mvc/app/models/OPNsense/Firewall/Filter.xml
+5-0src/opnsense/mvc/app/views/OPNsense/Firewall/nat_rule.volt
+1-1src/opnsense/mvc/app/controllers/OPNsense/Firewall/forms/dialogSNatRule.xml
+9-104 files

FreeBSD/ports 0af7c92misc/py-litellm distinfo Makefile

misc/py-litellm: Update to 1.89.3

Changelog: https://github.com/BerriAI/litellm/releases/tag/v1.89.3

Reported by:    Repology
DeltaFile
+3-3misc/py-litellm/distinfo
+1-1misc/py-litellm/Makefile
+4-42 files

OPNSense/core 553f7dfsrc/etc/inc/plugins.inc.d openvpn.inc, src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes GroupField.php

firewall: unify group names

The defaults in GroupField are still a bit weird as we are showing them
even though their mandatory path is from *_interfaces() plugin registration.

If we need the value 10 we should make it the implicit default and also
add the default to the group interface registration (or not at all).

GroupField could read them correctly from config.xml...

PR: https://www.reddit.com/r/opnsense/comments/1ucvh2y/is_there_a_way_to_change_the_openvpn_group/
DeltaFile
+3-3src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/GroupField.php
+1-1src/etc/inc/plugins.inc.d/openvpn.inc
+4-42 files

FreeBSD/ports e3d2ab7security/trivy distinfo Makefile

security/trivy: update to 0.71.2

Changes:        https://github.com/aquasecurity/trivy/releases
DeltaFile
+5-5security/trivy/distinfo
+1-1security/trivy/Makefile
+6-62 files

LLVM/project 115c749llvm/lib/Target/AMDGPU AMDGPUISelDAGToDAG.cpp, llvm/test/CodeGen/AMDGPU packed-fp64.ll

[AMDGPU] Select fneg modifier for v2f64 instructions (#205194)
DeltaFile
+28-17llvm/lib/Target/AMDGPU/AMDGPUISelDAGToDAG.cpp
+12-23llvm/test/CodeGen/AMDGPU/packed-fp64.ll
+40-402 files

LLVM/project 3e69ed4clang/include/clang/Frontend SSAFOptions.h CompilerInvocation.h, clang/lib/Frontend CompilerInvocation.cpp

Revert some SSAF patches (#205279)

I've started seeing some failures on Windows permissive bots.
I'll revert my patches for now until further investigation.

errors:
https://lab.llvm.org/buildbot/#/builders/107/builds/20548
```
C:\b\slave\sanitizer-windows\llvm-project\clang\lib\Frontend\CompilerInvocation.cpp
C:\b\slave\sanitizer-windows\build\tools\clang\include\clang/Options/Options.inc(9981): error C2065: 'SSAFOpts': undeclared identifier
C:\b\slave\sanitizer-windows\build\tools\clang\include\clang/Options/Options.inc(9982): note: see reference to function template instantiation 'auto GenerateSSAFArgs::<lambda_5f504a9e8792b8b03f1d39701f31dbec>::operator ()<T>(const T &) const' being compiled
        with
        [
            T=std::vector<std::string,std::allocator<std::string>>
        ]
```

Revert "Reland "[clang][ssaf][NFC] Move SSAF flags from FrontendOptions
to a dedicated SSAFOptions" (#204798)"

    [4 lines not shown]
DeltaFile
+26-27clang/unittests/ScalableStaticAnalysisFramework/Frontend/TUSummaryExtractorFrontendActionTest.cpp
+0-52clang/include/clang/Frontend/SSAFOptions.h
+1-31clang/lib/Frontend/CompilerInvocation.cpp
+14-18clang/lib/ScalableStaticAnalysisFramework/Frontend/TUSummaryExtractorFrontendAction.cpp
+7-18clang/include/clang/Frontend/CompilerInvocation.h
+23-1clang/include/clang/Frontend/FrontendOptions.h
+71-14712 files not shown
+87-19618 files

FreeNAS/freenas 2cbfda2src/middlewared/middlewared/alert/source audit.py, src/middlewared/middlewared/plugins/audit backend.py

NAS-140907 / 27.0.0-BETA.1 / Tolerate malformed JSON in audit databases (#19181)

## Problem
The audit databases store `event_data`/`service_data` as JSON in TEXT
columns that SQLite does not validate on insert, so a corrupted or
otherwise non-JSON value can persist in a row (e.g. after a storage/IO
incident). Audit queries that filter or select on a JSON path compile to
`json_extract()`, and SQLite aborts the entire statement with
`OperationalError: malformed JSON` the moment it evaluates that over a
bad row. This bubbles up uncaught from the SMB alert sources as
recurring CRITICAL `AlertSourceRunFailed` alerts, and breaks
`audit.query`/`audit.export` and the UI audit page.

## Solution
Guard every JSON-path `json_extract` so a non-JSON row is skipped
instead of aborting the query, and surface the corruption rather than
dropping it silently.

- **WHERE side** (`datastore/filter.py`): an opt-in

    [19 lines not shown]
DeltaFile
+119-0src/middlewared/middlewared/pytest/unit/plugins/test_audit_backend.py
+101-0src/middlewared/middlewared/pytest/unit/plugins/test_datastore_json_valid.py
+100-0tests/api2/test_audit_malformed_json.py
+78-10src/middlewared/middlewared/plugins/audit/backend.py
+20-0src/middlewared/middlewared/alert/source/audit.py
+11-5src/middlewared/middlewared/plugins/datastore/filter.py
+429-156 files

LLVM/project 9e3fc52llvm/lib/Target/AMDGPU SIFoldOperands.cpp, llvm/test/CodeGen/AMDGPU packed-fp64.ll fold-imm-pk64.mir

[AMDGPU] Fold v2{i|f}64 immediates (#205195)
DeltaFile
+68-182llvm/test/CodeGen/AMDGPU/packed-fp64.ll
+229-4llvm/test/CodeGen/AMDGPU/fold-imm-pk64.mir
+55-159llvm/test/CodeGen/AMDGPU/packed-u64.ll
+6-8llvm/test/CodeGen/AMDGPU/pk-lshl-add-u64.ll
+2-0llvm/lib/Target/AMDGPU/SIFoldOperands.cpp
+360-3535 files

FreeBSD/ports ae5d973net/py-ldapdomaindump distinfo Makefile, net/py-ldapdomaindump/files patch-pyproject.toml

net/py-ldapdomaindump: Update to 0.10.0
DeltaFile
+11-0net/py-ldapdomaindump/files/patch-pyproject.toml
+3-3net/py-ldapdomaindump/distinfo
+2-3net/py-ldapdomaindump/Makefile
+16-63 files

LLVM/project 635cbc0libc/src/__support/OSUtil/linux/syscall_wrappers ioctl.h CMakeLists.txt, libc/src/sys/ioctl/linux ioctl.cpp

Revert "[libc] Introduce the ioctl syscall wrapper and port all callers" (#205277)

Reverts llvm/llvm-project#204640

Breaks libc-x86_64-debian-fullbuild. Reverting while I investigate.
DeltaFile
+0-49libc/src/__support/OSUtil/linux/syscall_wrappers/ioctl.h
+14-7libc/src/termios/linux/CMakeLists.txt
+9-6libc/src/sys/ioctl/linux/ioctl.cpp
+8-5libc/src/unistd/linux/isatty.cpp
+0-13libc/src/__support/OSUtil/linux/syscall_wrappers/CMakeLists.txt
+7-5libc/src/termios/linux/tcgetattr.cpp
+38-858 files not shown
+76-11314 files

LLVM/project ebaee77llvm/lib/Target/X86 X86InstrAVX512.td, llvm/test/CodeGen/X86 avx512-load-store.ll

[X86] Prevent folding of volatile scalar loads into masked loads in selects (#205103)

X86 select patterns were folding scalar FP loads into AVX-512 masked
loads. Since masked loads suppress memory access when the mask is 0,
this can incorrectly eliminate the observable access of volatile loads,
leading to miscompilation. Non-volatile loads are unaffected.

Multi-use loads already avoid folding, since folding consumes the load
into the instruction's memory operand and leaves no value for the other
users, forcing it to be materialized into a register. Single-use
volatile loads did not, and this must also be prevented, as volatile
loads are required to always perform their memory access.

Fix this by using the isSimple()-guarded simple_load pattern instead of
loadf32/loadf64, ensuring volatile loads are not folded.

Found via @jlebar's X86 LLVM bug hunt / FuzzX effort:
https://github.com/SemiAnalysisAI/FuzzX/blob/master/x86/bugs/093-avx512-vmovs-x86selects-load-fold-mask-suppress
DeltaFile
+60-0llvm/test/CodeGen/X86/avx512-load-store.ll
+4-4llvm/lib/Target/X86/X86InstrAVX512.td
+64-42 files

OPNSense/core 578e025src/opnsense/mvc/app/controllers/OPNsense/Base ApiControllerBase.php ApiMutableModelControllerBase.php, src/opnsense/mvc/app/controllers/OPNsense/Monit/Api SettingsController.php

mvc: give throwReadOnly() a sibling named throwNotFullAdmin() which validates if a user has full access rights and can be treated as "provides safe input".

Although there aren't a lot of cases where user input can't be validated strictly enough, there are still one or two edge cases which offer some sort of "advanced" input which we currently wouldn't accept and are thus hard to change for historic reasons. The most prominent one is Monit, which allows local commands being executed.

throwNotFullAdmin simply raises an exception and bails before persisting changes to the configuration, which can be set on a per action or controller (internalSaveRequiresAdmin).
DeltaFile
+20-1src/opnsense/mvc/app/controllers/OPNsense/Base/ApiControllerBase.php
+8-0src/opnsense/mvc/app/controllers/OPNsense/Base/ApiMutableModelControllerBase.php
+1-0src/opnsense/mvc/app/controllers/OPNsense/Monit/Api/SettingsController.php
+29-13 files

LLVM/project 007d6bdclang/include/clang/Basic TargetInfo.h, clang/lib/Basic/Targets M68k.cpp Sparc.h

clang: Change TargetInfo::setCPU to take StringRef

The related APIs all use StringRef, so use StringRef for
consistency.

Co-Authored-By: Claude (Opus 4.8) <noreply at anthropic.com>
DeltaFile
+2-3clang/lib/Basic/Targets/M68k.cpp
+2-2clang/lib/Basic/Targets/Sparc.h
+1-3clang/include/clang/Basic/TargetInfo.h
+1-3clang/lib/Basic/Targets/AArch64.cpp
+1-1clang/lib/Basic/Targets/CSKY.cpp
+1-1clang/lib/Basic/Targets/CSKY.h
+8-1320 files not shown
+28-3326 files

LLVM/project 7db96e4libc/src/__support/OSUtil/linux/syscall_wrappers ioctl.h CMakeLists.txt, libc/src/sys/ioctl/linux ioctl.cpp

Revert "[libc] Introduce the ioctl syscall wrapper and port all callers (#204…"

This reverts commit 639c5a014fad13c683b01c66a1474b7aa47ce7ee.
DeltaFile
+0-49libc/src/__support/OSUtil/linux/syscall_wrappers/ioctl.h
+14-7libc/src/termios/linux/CMakeLists.txt
+9-6libc/src/sys/ioctl/linux/ioctl.cpp
+8-5libc/src/unistd/linux/isatty.cpp
+0-13libc/src/__support/OSUtil/linux/syscall_wrappers/CMakeLists.txt
+7-5libc/src/termios/linux/tcsetattr.cpp
+38-858 files not shown
+76-11314 files

FreeBSD/ports a5ce6denet/py-impacket distinfo Makefile, net/py-impacket/files patch-setup.py

net/py-impacket: Update to 0.13.1
DeltaFile
+5-6net/py-impacket/files/patch-setup.py
+3-3net/py-impacket/distinfo
+1-2net/py-impacket/Makefile
+9-113 files

LLVM/project b36debcllvm/include/llvm/TargetParser AMDGPUTargetParser.h, llvm/lib/Target/AMDGPU AMDGPUHSAMetadataStreamer.h

AMDGPU: Rename AMDGPUTargetID to TargetID

The AMDGPU prefix is redundant with the namespace.

Co-Authored-By: Claude <noreply at anthropic.com>
DeltaFile
+8-16llvm/include/llvm/TargetParser/AMDGPUTargetParser.h
+9-10llvm/lib/TargetParser/AMDGPUTargetParser.cpp
+9-9llvm/lib/Target/AMDGPU/Utils/AMDGPUBaseInfo.cpp
+8-8llvm/lib/Target/AMDGPU/AsmParser/AMDGPUAsmParser.cpp
+4-4llvm/lib/Target/AMDGPU/Utils/AMDGPUBaseInfo.h
+4-4llvm/lib/Target/AMDGPU/AMDGPUHSAMetadataStreamer.h
+42-514 files not shown
+50-5910 files

FreeBSD/ports 491f299deskutils/sigye distinfo Makefile.crates

deskutils/sigye: Update to 0.5.0
DeltaFile
+47-187deskutils/sigye/distinfo
+22-92deskutils/sigye/Makefile.crates
+2-3deskutils/sigye/Makefile
+71-2823 files

LLVM/project 01faaecllvm/include/llvm/TargetParser AMDGPUTargetParser.h, llvm/lib/Target/AMDGPU/AsmParser AMDGPUAsmParser.cpp

AMDGPU: Move AMDGPUTargetID to AMDGPUTargetParser

Move the AMDGPUTargetID class and TargetIDSetting enum from
AMDGPUBaseInfo to AMDGPUTargetParser, making them available in the
MC-independent TargetParser library.

Currently there is this backend implementation, and a second one in
clang. Move this here so in the future the clang copy can be deleted.

Co-Authored-By: Claude <noreply at anthropic.com>
DeltaFile
+22-128llvm/lib/Target/AMDGPU/Utils/AMDGPUBaseInfo.cpp
+9-108llvm/lib/Target/AMDGPU/Utils/AMDGPUBaseInfo.h
+107-0llvm/include/llvm/TargetParser/AMDGPUTargetParser.h
+106-0llvm/lib/TargetParser/AMDGPUTargetParser.cpp
+8-8llvm/lib/Target/AMDGPU/MCTargetDesc/AMDGPUTargetStreamer.cpp
+8-8llvm/lib/Target/AMDGPU/AsmParser/AMDGPUAsmParser.cpp
+260-2527 files not shown
+277-27913 files

LLVM/project fc6603eclang/include/clang/CIR/Dialect/Builder CIRBaseBuilder.h, clang/lib/CIR/CodeGen CIRGenItaniumCXXABI.cpp

set it on virtual call loads
DeltaFile
+23-0clang/test/CIR/CodeGen/vtable-load-invariant.cpp
+6-5clang/lib/CIR/CodeGen/CIRGenItaniumCXXABI.cpp
+4-4clang/include/clang/CIR/Dialect/Builder/CIRBaseBuilder.h
+1-1clang/lib/CIR/Dialect/Transforms/FlattenCFG.cpp
+34-104 files

LLVM/project 50838f4llvm/docs/CommandGuide llvm-symbolizer.rst, llvm/include/llvm/DebugInfo/Symbolize Symbolize.h

[symbolizer] Add a --pdb option. (#171053)

Closes #142490
DeltaFile
+50-36llvm/lib/DebugInfo/Symbolize/Symbolize.cpp
+6-0llvm/test/tools/llvm-symbolizer/pdb/pdb.test
+5-0llvm/docs/CommandGuide/llvm-symbolizer.rst
+1-0llvm/include/llvm/DebugInfo/Symbolize/Symbolize.h
+1-0llvm/tools/llvm-symbolizer/Opts.td
+1-0llvm/tools/llvm-symbolizer/llvm-symbolizer.cpp
+64-366 files

LLVM/project 6edebc8clang/test/Driver amdgpu-xnack-sramecc-flags.c, llvm/lib/Target/AMDGPU AMDGPUAsmPrinter.cpp

AMDGPU: Use module flags to control xnack and sramecc

This ensures these ABI details are encoded in the IR module
rather than depending on external state from command-line flags.
Previously, these were encoded as function-level subtarget features.
The code object output was a single target ID directive implied
by the global subtarget. The backend would previously check if a
function's subtarget feature mismatched the global subtarget. This
is avoided by making xnack and sramecc module-level properties from
the start. This also provides proper linker compatibility
enforcement, moving the error point earlier.

The old encoding was also an abuse of the subtarget feature system.
Subtarget features are a bitvector, and later features in the string
can override earlier ones. The old handling added a special case
where explicit settings were preserved: ordinarily +feature,-feature
should result in the feature being disabled, but +xnack,-xnack would
preserve the explicit "-xnack" state, which differs from the absence
of any xnack setting.

    [25 lines not shown]
DeltaFile
+52-52llvm/test/CodeGen/AMDGPU/directive-amdgcn-target.ll
+30-46llvm/lib/Target/AMDGPU/AMDGPUAsmPrinter.cpp
+75-0llvm/test/CodeGen/AMDGPU/module-flag-xnack.ll
+36-33clang/test/Driver/amdgpu-xnack-sramecc-flags.c
+66-0llvm/test/CodeGen/AMDGPU/module-flag-sramecc.ll
+54-0llvm/test/CodeGen/AMDGPU/module-flag-xnack-no-on-off-modes.ll
+313-13195 files not shown
+1,178-362101 files

LLVM/project ffeb9c1clang/include/clang/ScalableStaticAnalysisFramework/Core/TUSummary TUSummaryBuilder.h TUSummaryExtractor.h, clang/lib/ScalableStaticAnalysisFramework/Frontend TUSummaryExtractorFrontendAction.cpp

[clang][ssaf][NFC] Make SSAFOptions available in Builders and Extractors (#204684)

Now that we have SSAFOptions, it would make it a lot more ergonomic if
it was accessible from builders and extractors.
This PR does exactly that.

Part of rdar://179151023

Co-authored-by: Jan Korous <jkorous at apple.com>
Co-authored-by: Claude Opus 4.7 <noreply at anthropic.com>
DeltaFile
+7-3clang/unittests/ScalableStaticAnalysisFramework/Registries/SummaryExtractorRegistryTest.cpp
+6-3clang/lib/ScalableStaticAnalysisFramework/Frontend/TUSummaryExtractorFrontendAction.cpp
+7-1clang/include/clang/ScalableStaticAnalysisFramework/Core/TUSummary/TUSummaryBuilder.h
+3-1clang/unittests/ScalableStaticAnalysisFramework/Analyses/UnsafeBufferUsage/UnsafeBufferUsageTest.cpp
+3-1clang/unittests/ScalableStaticAnalysisFramework/Analyses/PointerFlow/PointerFlowTest.cpp
+4-0clang/include/clang/ScalableStaticAnalysisFramework/Core/TUSummary/TUSummaryExtractor.h
+30-94 files not shown
+41-1310 files

LLVM/project c1bc848clang/lib/CodeGen CGCall.cpp

[Clang][ABI] Validate consistency between ABI lowering implementation (#203281)

If the LLVM ABI library is used, and assertions are enabled, compute the
ABI both using Clang's implementation the the LLVM ABI library, and
verify that the results are the same.
DeltaFile
+117-3clang/lib/CodeGen/CGCall.cpp
+117-31 files

LLVM/project 639c5a0libc/src/__support/OSUtil/linux/syscall_wrappers ioctl.h CMakeLists.txt, libc/src/sys/ioctl/linux ioctl.cpp

[libc] Introduce the ioctl syscall wrapper and port all callers (#204640)

This patch adds an ioctl syscall wrapper in linux_syscalls namespace and
migrates all direct SYS_ioctl calls to use it.

To handle the polymorphic nature of ioctl arguments (where some commands
expect pointers, some expect scalar integers like queue_selector, and
some expect no argument at all), I use a helper struct IoctlArg with
implicit constructors. This avoids template bloat and overload
ambiguities (particularly around literal 0) while keeping call sites
clean.

Assisted by Gemini.
DeltaFile
+49-0libc/src/__support/OSUtil/linux/syscall_wrappers/ioctl.h
+7-14libc/src/termios/linux/CMakeLists.txt
+6-9libc/src/sys/ioctl/linux/ioctl.cpp
+5-8libc/src/unistd/linux/isatty.cpp
+13-0libc/src/__support/OSUtil/linux/syscall_wrappers/CMakeLists.txt
+5-7libc/src/termios/linux/tcgetattr.cpp
+85-388 files not shown
+113-7614 files

LLVM/project 5765847orc-rt/include/orc-rt SPSAllocAction.h AllocAction.h, orc-rt/unittests AllocActionTest.cpp

[orc-rt] Add return serialization to AllocActionFunction::handle. (#205271)

Add a Serializer template parameter to AllocActionFunction::handle and
apply it to the handler's return value before forwarding as the action
result. This lets handler authors return types other than
WrapperFunctionBuffer.

For SPS, AllocActionSPSSerializer is the default Serializer used by
SPSAllocActionFunction::handle. It accepts either:
- WrapperFunctionBuffer (identity pass-through, the existing behavior),
or
- Error (success → empty WFB; failure → out-of-band-error WFB carrying
toString(Err)).

Adds AllocActionTest coverage for both Error-return paths.
DeltaFile
+36-0orc-rt/unittests/AllocActionTest.cpp
+17-1orc-rt/include/orc-rt/SPSAllocAction.h
+4-3orc-rt/include/orc-rt/AllocAction.h
+57-43 files

NetBSD/pkgsrc H5rxZYYnet/knot buildlink3.mk

   knot: pkg/58647 (Add buildlink3.mk to net/knot)
VersionDeltaFile
1.1+13-0net/knot/buildlink3.mk
+13-01 files

NetBSD/src 9laykMLtests/usr.sbin/inetd t_accept_max.sh

   inetd(8): Fix sh(1) trap save/restore in accept-max test.

   Fixes mysterious

   Failed: 1

   failures like this one:

   https://releng.netbsd.org/b5reports/i386/2026/2026.06.22.22.27.17/test.html#usr.sbin_inetd_t_accept_max_max2_kv

   PR bin/59645: inetd `rate-limiting' algorithm is stupid
VersionDeltaFile
1.3+2-2tests/usr.sbin/inetd/t_accept_max.sh
+2-21 files