HardenedBSD/src ee47293 usr.sbin/unbound/daemon Makefile

HBSD: Disable SafeStack for the Unbound daemon

When Unbound is built with SafeStack, attempts to kill the running
daemon process with SIGTERM do not kill the process. Instead, the
daemon stops responding.

Signed-off-by:  Shawn Webb <shawn.webb at hardenedbsd.org>
Reported-by:    @northboot
issue:          #110
MFC-to:         15-STABLE
Delta File
+1 -0 usr.sbin/unbound/daemon/Makefile
+1 -0, 1 files

HardenedBSD/src c66cb44 sys/netpfil/pf pf.c, usr.sbin/bsnmpd/modules/snmp_pf pf_snmp.c

Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi
Delta File
+4 -2 sys/netpfil/pf/pf.c
+1 -2 usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c
+5 -4, 2 files

HardenedBSD/src df2e9ec sys/netpfil/pf pf.c, usr.sbin/bsnmpd/modules/snmp_pf pf_snmp.c

Merge branch 'freebsd/current/main' into hardened/current/master
Delta File
+4 -2 sys/netpfil/pf/pf.c
+1 -2 usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c
+5 -4, 2 files

HardenedBSD/src b831a1a sys/dev/bnxt/bnxt_re ib_verbs.c bnxt_re.h, sys/dev/qlnx/qlnxe qlnx_os.c

Merge branch 'freebsd/14-stable/main' into hardened/14-stable/master
Delta File
+33 -28 usr.sbin/bhyve/bhyve.8
+14 -10 sys/dev/qlnx/qlnxe/qlnx_os.c
+4 -4 sys/security/mac_ipacl/mac_ipacl.c
+3 -3 sys/dev/bnxt/bnxt_re/ib_verbs.c
+3 -1 sys/netlink/route/iface.c
+2 -2 sys/dev/bnxt/bnxt_re/bnxt_re.h
+59 -48, 2 files not shown
+62 -51, 8 files

HardenedBSD/src 7703c66 sys/fs/unionfs union_vnops.c union_vfsops.c, sys/kern vfs_default.c vnode_if.src

Merge branch 'freebsd/15-stable/main' into hardened/15-stable/main
Delta File
+34 -32 usr.sbin/bhyve/bhyve.8
+45 -0 sys/fs/unionfs/union_vnops.c
+25 -2 sys/fs/unionfs/union_vfsops.c
+1 -2 sys/kern/vfs_default.c
+1 -1 sys/kern/vnode_if.src
+1 -0 sys/sys/vnode.h
+107 -37, 6 files

HardenedBSD/ports 0345c35 astro/gpscorrelate Makefile, astro/gpscorrelate/files patch-exif-gps.cpp

Merge branch 'freebsd/main' into hardenedbsd/main
Delta File
+61 -37 astro/gpscorrelate/Makefile
+0 -95 astro/gpscorrelate/files/patch-exif-gps.cpp
+36 -0 science/paraview/files/patch-ffmpeg8-fix
+9 -9 multimedia/libtheora/files/patch-Makefile.in
+9 -9 net/lavinmq/distinfo
+9 -8 net/lavinmq/Makefile
+124 -158, 56 files not shown
+206 -251, 62 files

HardenedBSD/ports 9fb28eb astro/gpscorrelate Makefile distinfo, astro/gpscorrelate/files patch-exif-gps.cpp patch-unixtime.h

astro/gpscorrelate: update to v2.3

gpscorrelate has a new maintainer, Dan Fandrich,
and the former maintainer, Daniel Foote, recognizes the change.
<https://github.com/freefoote/gpscorrelate?tab=readme-ov-file#status>

Update the port to the new location,
<https://dfandrich.github.io/gpscorrelate/>
update to v2.3, switch to Github downloads, hook up self-test suite,
make DOCS and (new) NLS options work right.

Reported by:    Dan Fandrich
see also: <https://github.com/dfandrich/gpscorrelate/issues/36>

ChangeLog:      https://raw.githubusercontent.com/dfandrich/gpscorrelate/refs/tags/2.3/RELEASES
Delta File
+60 -36 astro/gpscorrelate/Makefile
+0 -95 astro/gpscorrelate/files/patch-exif-gps.cpp
+0 -10 astro/gpscorrelate/files/patch-unixtime.h
+3 -2 astro/gpscorrelate/distinfo
+63 -143, 4 files

HardenedBSD/ports f70a98e devel/esbuild distinfo Makefile

devel/esbuild: update to 0.27.1
Delta File
+5 -5 devel/esbuild/distinfo
+1 -2 devel/esbuild/Makefile
+6 -7, 2 files

HardenedBSD/ports c1633de net/lavinmq distinfo Makefile

net/lavinmq: update to 2.6.1

- https://github.com/cloudamqp/lavinmq/blob/main/CHANGELOG.md#261---2025-12-07

Sponsored by:   SkunkWerks, GmbH
Delta File
+9 -9 net/lavinmq/distinfo
+9 -8 net/lavinmq/Makefile
+18 -17, 2 files

HardenedBSD/src eaa424e usr.sbin/bsnmpd/modules/snmp_pf pf_snmp.c

snmp_pf: remove errno usage after pfctl_get_status_h change

pfctl_get_status_h() does not set errno, so don't log it.

PR:             291936
Reviewed by:    kp
Delta File
+1 -2 usr.sbin/bsnmpd/modules/snmp_pf/pf_snmp.c
+1 -2, 1 files

HardenedBSD/src 3e5025e usr.sbin/bhyve bhyve.8

bhyve.8: Fix consistency and terms in manpage

Correct inconsistent spelling of terms and duplication.

Reviewed by:    ziaee
MFC after:      3 days
Differential Revision:  https://reviews.freebsd.org/D54332

(cherry picked from commit 5819f8b285fc55a75e5dea56ffe73b376525150c)
Delta File
+33 -28 usr.sbin/bhyve/bhyve.8
+33 -28, 1 files

HardenedBSD/src 535fac0 usr.sbin/bhyve bhyve.8

bhyve.8: Fix consistency and terms in manpage

Correct inconsistent spelling of terms and duplication.

Reviewed by:    ziaee
MFC after:      3 days
Differential Revision:  https://reviews.freebsd.org/D54332

(cherry picked from commit 5819f8b285fc55a75e5dea56ffe73b376525150c)
Delta File
+34 -32 usr.sbin/bhyve/bhyve.8
+34 -32, 1 files

HardenedBSD/ports cb94369 sysutils/bastille distinfo Makefile

sysutils/bastille: Upgrade port to 1.3.2.251225

PR:             291945
Release Notes:  https://github.com/BastilleBSD/bastille/releases/tag/1.3.2.251225
Delta File
+3 -3 sysutils/bastille/distinfo
+1 -1 sysutils/bastille/Makefile
+4 -4, 2 files

HardenedBSD/src 2e76993 sys/netpfil/pf pf.c

pf: don't reject route-to'd too-large packets

If we're sending a packet via pf_route()/pf_route6() we check for packet
size and potentially generate ICMP(6) packet too big messages. If we do,
don't consider this a rejected packet. That is, return PF_PASS and set
the mbuf to NULL rather than returning PF_DROP.

This matters for locally generated packets, because with PF_DROP we
can end up returning EACCES to userspace, causing the connection to
terminate. Instead, with PF_PASS and a NULL mbuf this is translated to
PFIL_CONSUMED, which does not return an error to userspace.

MFC after:      2 weeks
Sponsored by:   Rubicon Communications, LLC ("Netgate")
Delta File
+4 -2 sys/netpfil/pf/pf.c
+4 -2, 1 files

HardenedBSD/ports e14a177 astro/celestia Makefile, audio/icecast Makefile

*/*: Chase multimedia/libtheora shlib bump
Delta File
+1 -1 multimedia/gstreamer1-plugins-theora/Makefile
+1 -1 astro/celestia/Makefile
+1 -1 audio/icecast/Makefile
+1 -1 audio/ices/Makefile
+1 -1 audio/libshout/Makefile
+1 -1 cad/opencascade/Makefile
+6 -6, 32 files not shown
+38 -26, 38 files

HardenedBSD/ports d5574cc multimedia/recordmydesktop Makefile

multimedia/recordmydesktop: Add missing deps

Fixes build with multimedia/libtheora 1.2.0.

audio/libvorbis wasn't needed by libtheora, but this port was
piggybacking off of it.

With hat:       multimedia@
Delta File
+3 -2 multimedia/recordmydesktop/Makefile
+3 -2, 1 files

HardenedBSD/ports f680a14 multimedia/libtheora pkg-plist Makefile, multimedia/libtheora/files patch-Makefile.in patch-configure

multimedia/libtheora: Update to 1.2.0

https://gitlab.xiph.org/xiph/theora/-/releases/v1.2.0
Delta File
+9 -9 multimedia/libtheora/files/patch-Makefile.in
+0 -15 multimedia/libtheora/files/patch-configure
+6 -6 multimedia/libtheora/pkg-plist
+3 -5 multimedia/libtheora/Makefile
+3 -2 multimedia/libtheora/distinfo
+21 -37, 5 files

HardenedBSD/ports 2ed6825 games/nexuiz Makefile

games/nexuiz: Add missing deps

Fixes build with multimedia/libtheora 1.2.0.

audio/libvorbis wasn't needed by libtheora, but this port was
piggybacking off of it.

With hat:       multimedia@
Delta File
+4 -2 games/nexuiz/Makefile
+4 -2, 1 files

HardenedBSD/ports ae44a7e dns/openresolv distinfo Makefile

dns/openresolv: update to 3.17.4

Changes:        https://github.com/NetworkConfiguration/openresolv/releases/tag/v3.17.4
Delta File
+3 -3 dns/openresolv/distinfo
+1 -1 dns/openresolv/Makefile
+4 -4, 2 files

HardenedBSD/ports 5c30d21 science/paraview/files patch-ffmpeg8-fix

science/paraview: Fix build with FFMpeg 8

Backport upstream commits from VTK to fix build with FFMpeg 8.

Approved by:    portmgr (blanket)
Delta File
+36 -0 science/paraview/files/patch-ffmpeg8-fix
+36 -0, 1 files

HardenedBSD/ports bf11245 net/haproxy28 distinfo Makefile

net/haproxy28: update to version 2.8.18.
Delta File
+3 -3 net/haproxy28/distinfo
+1 -1 net/haproxy28/Makefile
+4 -4, 2 files

HardenedBSD/ports 836d99d net/haproxy30 distinfo Makefile

net/haproxy30: update to version 3.0.14.
Delta File
+3 -3 net/haproxy30/distinfo
+1 -1 net/haproxy30/Makefile
+4 -4, 2 files

HardenedBSD/src 2fef1a6 sys/netlink/route iface.c

netlink: Don't directly access ifnet members

Summary:
Remove the final direct access of struct ifnet members from netlink.
Since only the first address is used, create the iterator and then free,
without fully iterating.

Reviewed By:    kp
Sponsored by:   Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D42972

(cherry picked from commit b224af946a17b8e7a7b4942157556b5bc86dd6fb)
Delta File
+3 -1 sys/netlink/route/iface.c
+3 -1, 1 files

HardenedBSD/src f95ddf7 sys/compat/linuxkpi/common/src linux_80211.c

LinuxKPI: Use IfAPI to get LLADDR

Reviewed by:    bz, emaste
Differential Revision: https://reviews.freebsd.org/D47525

(cherry picked from commit 57609cb2de149a3c99c43e98d37cfa4784958f73)
Delta File
+1 -1 sys/compat/linuxkpi/common/src/linux_80211.c
+1 -1, 1 files

HardenedBSD/src bcd1e5f sys/security/mac_ipacl mac_ipacl.c

mac_ipacl: Use IfAPI

Use `if_t` instead of `struct ifnet *`, and if_name() accessor.

Sponsored by:   Juniper Networks, Inc.

(cherry picked from commit b820820ece099a73511d7daec407d78f38185a9b)
Delta File
+4 -4 sys/security/mac_ipacl/mac_ipacl.c
+4 -4, 1 files

HardenedBSD/src 16d50ef sys/dev/qlnx/qlnxe qlnx_os.c

qlnx: Convert recent changes to IfAPI

Sponsored by:   Juniper Networks, Inc.
Reviewed by:    zlei
Differential Revision: https://reviews.freebsd.org/D47533

(cherry picked from commit 1eaecc214ea2bfde84f4194c1d0e20b18117343f)
Delta File
+14 -10 sys/dev/qlnx/qlnxe/qlnx_os.c
+14 -10, 1 files

HardenedBSD/src 63b0b8b sys/dev/bnxt/bnxt_re ib_verbs.c bnxt_re.h

bnxt: Use IfAPI accessors where able

Summary:
Don't directly access ifnet members, it's a private structure.

Sponsored by:   Juniper Networks, Inc.
Differential Revision: https://reviews.freebsd.org/D47353

(cherry picked from commit 84d7ec4c657f406c6cbd29baf32c8e057b663d17)
Delta File
+3 -3 sys/dev/bnxt/bnxt_re/ib_verbs.c
+2 -2 sys/dev/bnxt/bnxt_re/bnxt_re.h
+2 -2 sys/dev/bnxt/bnxt_re/main.c
+7 -7, 3 files

HardenedBSD/ports 9233132 astro/gpscorrelate Makefile

astro/gpscorrelate: Take maintainership.

There is a new maintainer upstream, Dan Fandrich,
and he has new versions and FreeBSD in his CI pipelines.
Update to 2.3 coming up.
Delta File
+1 -1 astro/gpscorrelate/Makefile
+1 -1, 1 files

HardenedBSD/ports 9fe9a46 editors/remarkable pkg-plist Makefile, editors/remarkable/files patch-remarkable_RemarkableWindow.py

Merge branch 'freebsd/main' into hardenedbsd/main
Delta File
+55 -0 editors/remarkable/pkg-plist
+54 -0 editors/remarkable/Makefile
+11 -5 sysutils/bottom/distinfo
+15 -0 editors/remarkable/files/patch-remarkable_RemarkableWindow.py
+5 -5 net/nats-server/distinfo
+7 -1 net/nats-server/pkg-descr
+147 -11, 6 files not shown
+163 -16, 12 files

HardenedBSD/src da6f395 sys/fs/unionfs union_vfsops.c

unionfs: detect common deadlock-producing mount misconfigurations

When creating a unionfs mount, it's fairly easy to shoot oneself
in the foot by specifying upper and lower file hierarchies that
resolve back to the same vnodes.  This is fairly easy to do if
the sameness is not obvious due to aliasing through nullfs or other
unionfs mounts (as in the associated PR), and will produce either
deadlock or failed locking assertions on any attempt to use the
resulting unionfs mount.

Leverage VOP_GETLOWVNODE() to detect the most common cases of
foot-shooting at mount time and fail the mount with EDEADLK.
This is not meant to be an exhaustive check for all possible
deadlock-producing scenarios, but it is an extremely cheap and
simple approach that, unlike previous proposed fixes, also works
in the presence of nullfs aliases.

PR:             172334
Reported by:    ngie, Karlo Miličević <karlo98.m at gmail.com>

    [5 lines not shown]
Delta File
+25 -2 sys/fs/unionfs/union_vfsops.c
+25 -2, 1 files