HardenedBSD/ports 735ab65 devel/git-cinnabar distinfo Makefile.crates, java/jgraphx/files patch-build.xml

Merge branch 'freebsd/main' into hardenedbsd/main
Delta  File
+139 -133  devel/git-cinnabar/distinfo
+114 -58  sysutils/nut/pkg-plist
+67 -64  devel/git-cinnabar/Makefile.crates
+51 -0  security/vuxml/vuln/2026.xml
+34 -0  sysutils/nut/files/patch-configure.ac
+30 -0  java/jgraphx/files/patch-build.xml
+435 -255  43 files not shown
+583 -413  49 files

HardenedBSD/ports 725535c java/jcalendar Makefile, java/jcalendar/files patch-build.xml

java/jcalendar: unpin openjdk8

Builds fine with modern JDK.

Approved-by:    no maintainer
Delta  File
+10 -0  java/jcalendar/files/patch-build.xml
+1 -2  java/jcalendar/Makefile
+11 -2  2 files

HardenedBSD/ports 6a6eca9 java/jgraphx Makefile, java/jgraphx/files patch-build.xml

java/jgraphx: unpin openjdk8

Builds fine with modern JDK.
Dependency math/scilab uses openjdk8 so this needs to generate
Java 8 compatible class files.

Approved-by:    no maintainer
Delta  File
+30 -0  java/jgraphx/files/patch-build.xml
+1 -2  java/jgraphx/Makefile
+31 -2  2 files

HardenedBSD/ports ac3df5c devel/gitaly distinfo, net/gitlab-agent distinfo

www/gitlab: security and patch update to 18.10.3

Changes:        https://about.gitlab.com/releases/2026/04/08/patch-release-gitlab-18-10-3-released/
Security:       099d4998-33cc-11f1-a7d1-2cf05da270f3
Delta  File
+13 -13  devel/gitaly/distinfo
+6 -6  www/gitlab/distinfo
+5 -5  net/gitlab-agent/distinfo
+5 -5  www/gitlab-pages/distinfo
+5 -5  www/gitlab-workhorse/distinfo
+1 -1  www/gitlab/Makefile.common
+35 -35  6 files

HardenedBSD/ports a6b92ca sysutils/go-ntfy distinfo Makefile

sysutils/go-ntfy: Update to 2.21.0

ChangeLogs:

- https://github.com/binwiederhier/ntfy/releases/tag/v2.20.1
- https://github.com/binwiederhier/ntfy/releases/tag/v2.21.0
Delta  File
+7 -7  sysutils/go-ntfy/distinfo
+2 -2  sysutils/go-ntfy/Makefile
+9 -9  2 files

HardenedBSD/ports 2092162 audio/ft2-clone distinfo Makefile

audio/ft2-clone: Update to 2.14
Delta  File
+3 -3  audio/ft2-clone/distinfo
+1 -1  audio/ft2-clone/Makefile
+4 -4  2 files

HardenedBSD/ports f47fb0c net/krakend-ce distinfo Makefile

net/krakend-ce: Update 2.13.3 => 2.13.4

Approved by:            db@, yuri@ (Mentors, implicit)
Delta  File
+5 -5  net/krakend-ce/distinfo
+1 -1  net/krakend-ce/Makefile
+6 -6  2 files

HardenedBSD/ports 3577d03 security/vuxml/vuln 2026.xml

security/vuxml: document gitlab vulnerabilities
Delta  File
+51 -0  security/vuxml/vuln/2026.xml
+51 -0  1 files

HardenedBSD/ports d4a4f6d filesystems/ltfs distinfo Makefile

filesystems/ltfs: Update to 2.4.8.3
Delta  File
+5 -3  filesystems/ltfs/distinfo
+4 -3  filesystems/ltfs/Makefile
+9 -6  2 files

HardenedBSD/ports f1a045e databases/timescaledb distinfo pkg-plist

databases/timescaledb: Update to 2.26.2
Delta  File
+3 -3  databases/timescaledb/distinfo
+3 -0  databases/timescaledb/pkg-plist
+1 -1  databases/timescaledb/Makefile
+7 -4  3 files

HardenedBSD/src 45079cd usr.sbin/bsdinstall/scripts mirrorselect

installer: Add download.freebsd.org to mirror list

download.freebsd.org is backed by project mirrors and a CDN, which
should benefit most users.

Sponsored by:   The FreeBSD Foundation
Reviewed by:    delphij (releng)
MFC after:      3 days
Differential Revision: https://reviews.freebsd.org/D54849
Delta  File
+12 -1  usr.sbin/bsdinstall/scripts/mirrorselect
+12 -1  1 files

HardenedBSD/ports 7fd0334 sysutils/screen-devel distinfo

sysutils/screen-devel: Update distfile

When unpacking the tarballs there is no material difference between the
old and the new files. Additionally, there is no difference when
comparing the two tarballs after unzipping the .gz files. One must
conclude the files are compressed differently as the new .gz file is 4K
smaller than the previous file.

MFH:    2026Q2
Delta  File
+3 -3  sysutils/screen-devel/distinfo
+3 -3  1 files

HardenedBSD/src 84ce651 sys/sys extattr.h

<sys/extattr.h>: use designated initializers for EXTATTR_NAMESPACE_NAMES

This is not a functional change, but it makes it more clear upon
inspection of the definition that the mapping property described is
preserved.  Maybe more importantly, if one ends up getting an index
wrong or punching a hole in the name array unexpectedly, then it'll
hopefully manifest more clearly as a (null) or nullptr deref rather than
potentially just emitting the wrong namespace name.

It's noted that this almost certainly invalidates its use in C++, but
there aren't really any known C++ consumers of it- let's just cross
that bridge if we get there.

Reviewed by:    kib, mckusick, rmacklem
Sponsored by:   Klara, Inc.
Differential Revision:  https://reviews.freebsd.org/D55323
Delta  File
+3 -3  sys/sys/extattr.h
+3 -3  1 files

HardenedBSD/src 22fba3a usr.bin/find function.c find.1, usr.bin/find/tests find_test.sh

find: add -xattr and -xattrname

We use -xattr in our openrsync tests for convenience, and it seems like
a good addition to FreeBSD.  -xattr and -xattrname will both consult all
available namespaces by default, but -xattrname allows filtering by
namespace using a "user:" or "system:" prefix.

Inspired by:    https://github.com/apple-oss-distributions/shell_cmds
Reviewed by:    kib, rmacklem
Sponsored by:   Klara, Inc.
Differential Revision:  https://reviews.freebsd.org/D55286
Delta  File
+94 -0  usr.bin/find/function.c
+80 -0  usr.bin/find/tests/find_test.sh
+21 -2  usr.bin/find/find.1
+2 -0  usr.bin/find/option.c
+2 -0  usr.bin/find/extern.h
+199 -2  5 files

HardenedBSD/src 9a8d333 lib/libc/gen memfd_create.c, lib/libsys shm_open.2

libc: fix memfd_create's HUGETLB handling

The 'simplification' commit referenced below actually broke one aspect
of MFD_HUGETLB: the caller isn't supposed to be required to specify a
size.  MFD_HUGETLB by itself without a shift mask just requests a large
page, so we revert that part of memfd_create() back.

While we're here, fix up the related parts of the manpages a little bit,
since MFD_HUGETLB is actually supported.  The manpage claims that we
would return ENOSYS if forced mappings weren't supported, but this was
actually not true.  However, that seems like a very important
distinction to make between ENOSYS and EOPNOTSUPP, so fix the
implementation to match the docs.

Fixes:  8b8cf4ece660f ("memfd_create: simplify HUGETLB support [...]")
Reviewed by:    kib, markj
Differential Revision:  https://reviews.freebsd.org/D56114
Delta  File
+45 -0  tests/sys/posixshm/posixshm.h
+13 -25  tests/sys/posixshm/posixshm_test.c
+35 -0  tests/sys/posixshm/memfd_test.c
+27 -4  lib/libsys/shm_open.2
+16 -7  lib/libc/gen/memfd_create.c
+136 -36  5 files

HardenedBSD/src 0bf4d22 sys/kern kern_event.c

kqueue: don't leak file refs on failure to knote_attach()

We'll subsequently just knote_free() since the knote is barely
constructed, but that bypasses any logic that might release references
on owned files/fops.  Defer clearing those until the knote actually owns
them and update the comment to draw the line more clearly.

Reviewed by:    kib
Differential Revision:  https://reviews.freebsd.org/D56318
Delta  File
+10 -6  sys/kern/kern_event.c
+10 -6  1 files

HardenedBSD/src c6dd40f sys/kern kern_event.c

kqueue: slightly clarify the flow in knlist_cleardel()

This is purely a cosmetic change to make it a little easier on the eyes,
rather than jumping back to the else branch up top.  Re-flow it to use
another loop on the outside and just inline the re-lock before we repeat
after awaking from fluxwait.

The !killkn path should maybe issue a wakeup if there's a thread in
KQ_SLEEP so that userland can observe the EOF, but this isn't a
practical problem today: pretty much every case of knlist_clear is tied
to a file descriptor and called in the close(2) path.  As a consequence,
potentially affected knotes are almost always destroyed before we even
get to knlist_clear().

Reviewed by:    kib, markj
Differential Revision:  https://reviews.freebsd.org/D56226
Delta  File
+29 -21  sys/kern/kern_event.c
+29 -21  1 files

HardenedBSD/src 0c9cec8 tests/sys/kqueue kqueue_fork.c

tests: kqueue: add a basic test for CPONFORK

Just copy over a timer and a write-filter, be sure that we can observe
both in the child.  Maybe the timer should check for a minimum time
passed, but I don't know that we'd be likely to get that wrong.

This also adds a negative test with a kqueue that is *not* set for
CPONFORK being added to the first one, made readable, and confirming
that we don't see a knote for it in the child.

Some other improvements to the test noted in the review are planned in
the short term, but they're not particularly worth blocking adding this
as a basic sanity check.

Reviewed by:    kib, markj
Differential Revision:  https://reviews.freebsd.org/D56223
Delta  File
+140 -0  tests/sys/kqueue/kqueue_fork.c
+140 -0  1 files

HardenedBSD/ports 26332d7 devel/git-delta distinfo Makefile.crates, misc/github-copilot-language-server/files package-lock.json

Merge remote-tracking branch 'internal/freebsd/main' into hardenedbsd/main
Delta  File
+253 -129  devel/git-delta/distinfo
+126 -64  devel/git-delta/Makefile.crates
+173 -0  net/ucx/files/patch-src_uct_tcp_tcp__iface.c
+87 -0  net/ucx/files/patch-src_uct_sm_mm_base_mm__iface.c
+61 -0  net/ucx/files/patch-src_ucs_async_thread.c
+28 -28  misc/github-copilot-language-server/files/package-lock.json
+728 -221  49 files not shown
+999 -360  55 files

HardenedBSD/ports add51ae devel/ocaml-opam/files patch-Makefile

HBSD: Resolve merge conflict

Signed-off-by:  Shawn Webb <shawn.webb at hardenedbsd.org>
Delta  File
+0 -5  devel/ocaml-opam/files/patch-Makefile
+0 -5  1 files

HardenedBSD/src 9f7080b secure/lib/libcrypto/man/man3 X509V3_EXT_print.3 Makefile

crypto/openssl: add new manpage from release 3.5.6

MFC after:      1 day (the security issues warrant a quick backport).
MFC with:       10a428653ee7216475f1ddce3fb4cbf1200319f8
Delta  File
+108 -0  secure/lib/libcrypto/man/man3/X509V3_EXT_print.3
+2 -0  secure/lib/libcrypto/man/man3/Makefile
+110 -0  2 files

HardenedBSD/src 5254e16 secure/lib/libcrypto/man/man3 SSL_CTX_set1_curves.3 SSL_CONF_cmd.3, secure/lib/libcrypto/man/man7 property.7

crypto/openssl: update artifacts to match 3.5.6 release artifacts

A new manpage and any associated links will be added in the next commit.

MFC after:      1 day (the security issues warrant a quick backport).
MFC with:       10a428653ee7216475f1ddce3fb4cbf1200319f8
Delta  File
+442 -346  secure/usr.bin/openssl/man/openssl-ciphers.1
+85 -36  secure/lib/libcrypto/man/man3/SSL_CTX_set1_curves.3
+56 -48  sys/crypto/openssl/aarch64/vpsm4_ex-armv8.S
+27 -2  secure/lib/libcrypto/man/man7/property.7
+9 -11  secure/lib/libcrypto/man/man3/SSL_CONF_cmd.3
+12 -3  secure/lib/libcrypto/man/man3/PKCS5_PBE_keyivgen.3
+631 -446  903 files not shown
+1,654 -1,424  909 files

HardenedBSD/src 10a4286 crypto/openssl CHANGES.md NEWS.md, crypto/openssl/doc/man1 openssl-ciphers.pod.in

MFV: crypto/openssl: update to 3.5.6

This change brings in version 3.5.6 of OpenSSL, which features
several security fixes (the highest of which is a MEDIUM severity
issue), as well as some miscellaneous feature updates.

Please see the release notes [1] for more details.

PS Apologies for the confusing merge commits -- I was testing out a
new automated update process and failed to catch the commit message
issues until after I pushed the change.

1. https://github.com/openssl/openssl/blob/openssl-3.5.6/NEWS.md

MFC after:      1 day (the security issues warrant a quick backport).
Merge commit 'ab5fc4ac933ff67bc800e774dffce15e2a541e90'
Delta  File
+438 -329  crypto/openssl/doc/man1/openssl-ciphers.pod.in
+363 -212  crypto/openssl/CHANGES.md
+232 -195  crypto/openssl/NEWS.md
+152 -213  crypto/openssl/util/platform_symbols/windows-symbols.txt
+84 -35  crypto/openssl/doc/man3/SSL_CTX_set1_curves.pod
+109 -1  crypto/openssl/test/evp_extra_test.c
+1,378 -985  250 files not shown
+3,695 -2,017  256 files

HardenedBSD/src 36d9714 sys/geom geom_event.c

geom: Make g_waitidle() wait for orphaned providers

This is motivated by the following race in the ZFS zvol code.

When a zvol is created, we create a GEOM-backed zvol, which results in a
/dev/zvol/<zvol path> device file, created by GEOM::dev.  If volmode=dev
is specified, zvol_set_volmode_impl() will wither the GEOM, then create
a device file with the same name.  This sometimes fails because
g_wither_geom() is asynchronous, so we end up trying to create a device
file while the old one still exists.  I want to fix this by adding a
g_waitidle() call to zvol_os_remove_minor().

g_waitidle() is not sufficient: GEOM::dev does not destroy the device
until g_dev_orphan() is called.  (In fact the device destruction is
asynchronous too, but the delist_dev() call is sufficient to address
this race.)  So, I propose modifying g_waitidle() to block until
orphaned providers are processed.

PR:             258766

    [3 lines not shown]
Delta  File
+1 -1  sys/geom/geom_event.c
+1 -1  1 files

HardenedBSD/ports 30af77a graphics/mesa-devel distinfo Makefile

graphics/mesa-devel: update to 26.0.b.3410

Changes:        https://gitlab.freedesktop.org/mesa/mesa/-/compare/aa39da83383...1f0370616a6
Delta  File
+3 -3  graphics/mesa-devel/distinfo
+2 -2  graphics/mesa-devel/Makefile
+5 -5  2 files

HardenedBSD/ports d2205e2 games/veloren-weekly distinfo Makefile

games/veloren-weekly: update to s20260408

Changes:        https://gitlab.com/veloren/veloren/-/compare/1c0a37f006...308212a458
Delta  File
+3 -3  games/veloren-weekly/distinfo
+2 -2  games/veloren-weekly/Makefile
+5 -5  2 files

HardenedBSD/ports db7a86a devel/xdg-dbus-proxy distinfo Makefile

devel/xdg-dbus-proxy: update to 0.1.7

Changes:        https://github.com/flatpak/xdg-dbus-proxy/releases/tag/0.1.7
Reported by:    GitHub (watch releases)
Delta  File
+3 -3  devel/xdg-dbus-proxy/distinfo
+1 -1  devel/xdg-dbus-proxy/Makefile
+4 -4  2 files

HardenedBSD/ports 1abcfdd devel/git-cinnabar distinfo Makefile.crates

devel/git-cinnabar: update to 0.7.4

Changes:        https://github.com/glandium/git-cinnabar/releases/tag/0.7.4
Reported by:    GitHub (watch releases)
Delta  File
+139 -133  devel/git-cinnabar/distinfo
+67 -64  devel/git-cinnabar/Makefile.crates
+2 -3  devel/git-cinnabar/Makefile
+208 -200  3 files

HardenedBSD/ports 1143ba2 multimedia/navidrome distinfo Makefile

multimedia/navidrome: Update to 0.61.1

ChangeLogs:

- https://github.com/navidrome/navidrome/releases/tag/v0.61.0
- https://github.com/navidrome/navidrome/releases/tag/v0.61.1
Delta  File
+7 -7  multimedia/navidrome/distinfo
+3 -4  multimedia/navidrome/Makefile
+10 -11  2 files

HardenedBSD/ports 6b96f65 databases/proxysql distinfo Makefile, databases/proxysql/files patch-lib_proxysql__utils.cpp patch-lib_proxy__protocol__info.cpp

databases/proxysql: Update to 3.0.7
Delta  File
+0 -13  databases/proxysql/files/patch-lib_proxysql__utils.cpp
+0 -12  databases/proxysql/files/patch-lib_proxy__protocol__info.cpp
+0 -11  databases/proxysql/files/patch-lib_log__utils.cpp
+10 -0  databases/proxysql/files/patch-deps_Makefile
+3 -3  databases/proxysql/distinfo
+1 -2  databases/proxysql/Makefile
+14 -41  6 files