HardenedBSD/src e6da1d2 bin/sh sh.1, release/tools vmimage.subr

Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi
Delta  File
+252 -157  sys/kern/sched_ule.c
+214 -183  sys/kern/sched_4bsd.c
+234 -0  sys/kern/sched_shim.c
+83 -113  release/tools/vmimage.subr
+182 -9  bin/sh/sh.1
+103 -7  sys/sys/sched.h
+1,068 -469  42 files not shown
+1,259 -672  48 files

HardenedBSD/src 03912e0 share/man/man7 tuning.7, share/man/man9 intro.9

Merge branch 'freebsd/current/main' into hardened/current/master
Delta  File
+26 -0  share/man/man7/tuning.7
+19 -2  sys/kern/sched_4bsd.c
+8 -8  sys/powerpc/powermac/platform_powermac.c
+7 -0  tools/tools/nanobsd/embedded/common
+5 -1  share/mk/src.opts.mk
+1 -3  share/man/man9/intro.9
+66 -14  5 files not shown
+74 -16  11 files

HardenedBSD/src 5051544 lib/libc/net getnetbydns.c, sys/powerpc/aim moea64_native.c

Merge branch 'freebsd/15-stable/main' into hardened/15-stable/main
Delta  File
+90 -9  sys/powerpc/powermac/platform_powermac.c
+5 -0  sys/powerpc/aim/moea64_native.c
+3 -0  lib/libc/net/getnetbydns.c
+98 -9  3 files

HardenedBSD/ports e7da9e9 math/R-cran-mnormt distinfo Makefile, textproc/television distinfo Makefile.crates

Merge branch 'freebsd/main' into hardenedbsd/main
Delta  File
+5 -7  textproc/television/distinfo
+3 -3  math/R-cran-mnormt/distinfo
+2 -3  textproc/television/Makefile.crates
+2 -2  math/R-cran-mnormt/Makefile
+1 -2  textproc/television/Makefile
+13 -17  5 files

HardenedBSD/src 10a0132 sys/powerpc/powermac platform_powermac.c

powerpc: explicitly cast the timebase printfs

This is causing compilation issues on powerpc:powerpc GENERIC.

(cherry picked from commit 03e4cc9fdeb2a6445f13cd41b471927a0f722fff)
Delta  File
+8 -8  sys/powerpc/powermac/platform_powermac.c
+8 -8  1 files

HardenedBSD/src 03e4cc9 sys/powerpc/powermac platform_powermac.c

powerpc: explicitly cast the timebase printfs

This is causing compilation issues on powerpc:powerpc GENERIC.
Delta  File
+8 -8  sys/powerpc/powermac/platform_powermac.c
+8 -8  1 files

HardenedBSD/ports d999bcf math/R-cran-mnormt distinfo Makefile

math/R-cran-mnormt: Update to 2.1.2

Switch WWW to canonical form.

Changelog: https://cran.r-project.org/web/packages/mnormt/news.html
Delta  File
+3 -3  math/R-cran-mnormt/distinfo
+2 -2  math/R-cran-mnormt/Makefile
+5 -5  2 files

HardenedBSD/src 0a45c88 sys/powerpc/aim moea64_native.c

powerpc: disable the TLBIE lock, it's not needed for POWER8

According to POWER8_UM_v1.3_16MAR2016 3.8.3 Translation Lookaside
Buffer (TLB), POWER8 supports lockless TLBIE operations.

Locally Tested:

* IBM POWER8 Revision 2.0, dual socket, 160 threads

Differential Revision:  https://reviews.freebsd.org/D54855
Approved by:    jhibbits

(cherry picked from commit 9a5baa9c585652fb7bd4ccd45d567204caf349f2)
Delta  File
+5 -0  sys/powerpc/aim/moea64_native.c
+5 -0  1 files

HardenedBSD/src b30d064 sys/powerpc/powermac platform_powermac.c

powerpc: add a best-effort SMP time base sync for G5's that need it

There's no timebase freeze platform routine registered on my dual 2.3GHz
G5 PPC970FX Apple PowerMac.

For platforms without an explicit timebase freeze/unfreeze, we'll have to
make do with what we have - which for now is an explicit hand-crafted
spinlock/rendezvous method.

* For existing platforms, they'll still continue to clock freeze /
  rendezvous; albeit with some stronger atomic bits now (from jhibbits@.)
* Instead of the fallback being "no timesync", implement a
  best-effort one which does a similar rendezvous barrier between
  BSP and APs, but instead of freeze/unfreeze the first instruction
  after the CPUs all register they're ready is to set the timebase.

This has resulted in many reboots of my Powermac G5 dual-socket device
correctly starting and running in SMP mode.


    [4 lines not shown]
Delta  File
+90 -9  sys/powerpc/powermac/platform_powermac.c
+90 -9  1 files

HardenedBSD/src c443f5d share/man/man9 intro.9

intro.9: grammar
Delta  File
+1 -1  share/man/man9/intro.9
+1 -1  1 files

HardenedBSD/src 7f537f4 share/man/man9 intro.9

intro.9: deduplicate vm_page Xrs

PR:             292820
Submitted by:   Kraytonian
MFC after:      1 week
Delta  File
+0 -2  share/man/man9/intro.9
+0 -2  1 files

HardenedBSD/ports 330e604 textproc/television distinfo Makefile.crates

textproc/television: Update to 0.15.0

Changelog:
https://github.com/alexpasmantier/television/releases/tag/0.15.0
Delta  File
+5 -7  textproc/television/distinfo
+2 -3  textproc/television/Makefile.crates
+1 -2  textproc/television/Makefile
+8 -12  3 files

HardenedBSD/src f54f362 tools/tools/nanobsd/embedded common

nanobsd: embedded: Stub out experimental functions

Stub out both experimental functions introduced in ecc039be7fdd when
doing embedded builds.

Fixes:          ecc039be7fdd ("nanobsd: Add a NO_ROOT build option")
MFC after:      3 days
Delta  File
+7 -0  tools/tools/nanobsd/embedded/common
+7 -0  1 files

HardenedBSD/src 2b22e05 lib/libc/net getnetbydns.c

libc: Don't use uninitialised string for getnetbyaddr[_r](0) DNS lookup

If net is all-zero, the loop to extract all leading non-zero octets will
iterate zero times and leave nn with the value 4, which the following
switch statement to initialise qbuf does not handle. As a result,
_dns_getnetbyaddr will look up the PTR record for this uninitialised
string, which will leak the pre-existing contents of that stack memory
to the DNS resolver and, if remote and not otherwise protected, network.

Note that _dns_getnetbyaddr is only used if nsswitch.conf is configured
to enable the "dns" source for the "networks" database, which is not the
default configuration in FreeBSD.

For glibc this same bug, in code also derived from BIND's, was issued
CVE-2026-0915. This commit adopts the same behaviour as glibc's fix,
which is to regard a net of 0 as being for 0.0.0.0. Apparently NetBSD
will return NS_UNAVAIL instead, which may or may not make more sense,
but in general glibc compatibility tends to cause less friction when
there's not a good reason to avoid it.

    [7 lines not shown]
Delta  File
+3 -0  lib/libc/net/getnetbydns.c
+3 -0  1 files

HardenedBSD/src ba56760 share/mk src.opts.mk

Revert "src.opts.mk: Enable LLDB by default globally"

This breaks the riscv64 build; clearly the version we have in-tree is
not new enough to work. That or our build system needs tweaking. Either
way, we're not ready for this, and enabling it without testing was
misguided.

This reverts commit c59a47dc6c016dff74466cecb160459980a5d782.
Delta  File
+5 -1  share/mk/src.opts.mk
+5 -1  1 files

HardenedBSD/src efc1cfa contrib/capsicum-test linux.cc capability-fd.cc, tests/sys/capsicum linux.cc capability-fd.cc

Merge remote-tracking branch 'origin/hardened/current/master' into hardened/current/cross-dso-cfi
Delta  File
+0 -1,500  contrib/capsicum-test/linux.cc
+1,500 -0  tests/sys/capsicum/linux.cc
+0 -1,359  contrib/capsicum-test/capability-fd.cc
+1,359 -0  tests/sys/capsicum/capability-fd.cc
+1,097 -0  tests/sys/capsicum/procdesc.cc
+0 -1,097  contrib/capsicum-test/procdesc.cc
+3,956 -3,956  134 files not shown
+11,872 -10,021  140 files

HardenedBSD/ports 440d322 sysutils/bareos22-server Makefile pkg-plist, sysutils/bareos22-server/files chio-bareos patch-core-cmake_BareosInstallConfigFiles.cmake

Merge branch 'freebsd/main' into hardenedbsd/main
Delta  File
+0 -2,558  www/bareos22-webui/pkg-plist
+0 -240  sysutils/bareos22-server/Makefile
+0 -190  sysutils/bareos22-server/files/chio-bareos
+0 -164  sysutils/bareos22-server/pkg-plist
+0 -118  sysutils/bareos22-server/files/patch-core-cmake_BareosInstallConfigFiles.cmake
+0 -109  sysutils/bareos22-server/pkg-plist.client
+0 -3,379  87 files not shown
+219 -4,455  93 files

HardenedBSD/ports 81dfe97 dns/dnsmasq-devel Makefile distinfo, dns/dnsmasq-devel/files patch-inotify

dns/dnsmasq-devel: update to v2.93test2

Changes: (notably --log-malloc)

* ed2ba5b 2026-01-26 | Optimise TCP send. (HEAD -> master, tag: v2.93test2, origin/master, origin/HEAD) [Simon Kelley]
* 729c16a 2026-01-26 | Rationalise DNS TCP buffer use. [Simon Kelley]
* 80acb76 2026-01-24 | Don't start malloc() logging until the log system is configured. [Simon Kelley]
* f1fa05d 2026-01-24 | Don't log free(NULL) calls. [Simon Kelley]
* b148ba4 2026-01-24 | Add --log-malloc debugging option. [Simon Kelley]
* 81f6196 2026-01-24 | Fix memory allocation in blockdata_retrieve() [Simon Kelley]
* cb32170 2026-01-18 | Fix DNSSEC fail with CNAME replies to DS queries. (tag: v2.93test1) [Simon Kelley]
* 8eb3684 2026-01-18 | Log SERVFAIL from usptream servers. [Simon Kelley]
* 8fa68a6 2025-12-19 | The only_failed argument has been added to the log-queries parameter. [Pavel Bozhko]
* 1269f07 2026-01-15 | Fix DNSSEC failure with spurious RRSIGs. [Simon Kelley]
* e1faf70 2026-01-14 | Support Inotify in FreeBSD. [Matthias Andree]
* f603a4f 2026-01-12 | Fix a corner-case in DNSSEC validation with wildcards. [Simon Kelley]
* c090f1d 2025-12-06 | Terminate TCP child processes that arise from UDP truncated replies. [Simon Kelley]
* fa48bdb 2025-12-05 | Tidy up code in in do_tcp_connection() which filters incoming connections. [Simon Kelley]
Delta  File
+0 -40  dns/dnsmasq-devel/files/patch-inotify
+5 -5  dns/dnsmasq-devel/Makefile
+3 -3  dns/dnsmasq-devel/distinfo
+8 -48  3 files

HardenedBSD/ports 3c2399e devel/py-rtree Makefile

devel/py-rtree: Fix build
Delta  File
+1 -0  devel/py-rtree/Makefile
+1 -0  1 files

HardenedBSD/src fdcd67b sys/kern subr_firmware.c

firmware: Fix inverted FIRMWARE_GET_NOWARN logic

The try_binary_file() function has inverted logic for the
FIRMWARE_GET_NOWARN flag.  When the flag is set (meaning "don't warn"),
the code sets warn=true and makes noise anyway.

Invert the assignment to warn to correctly suppress warnings when
FIRMWARE_GET_NOWARN is set.

Reviewed by:    kevans
Differential Revision:  https://reviews.freebsd.org/D54955
Delta  File
+1 -1  sys/kern/subr_firmware.c
+1 -1  1 files

HardenedBSD/ports 649e3cf security/vuxml/vuln 2026.xml

security/vuxml: populate missing <name> for security/zeek

Reported by:    Dan Langille
Fixes:  03bfa3969e0d
Delta  File
+1 -1  security/vuxml/vuln/2026.xml
+1 -1  1 files

HardenedBSD/src b249cb2 sys/kern sched_4bsd.c kern_synch.c, sys/sys sched.h proc.h

SCHED_4BSD: maybe_resched() cannot schedule ast() for curthread

maybe_resched() needs to schedule TDA_SCHED for curthread, but this
requires taking curthread lock while owning some other thread lock.
To avoid introducing the order:
- Use a scheduler-private TDP flag.
- Register an unconditional TDA_SCHED_PRIV for 4BSD.
When an AST needs to be scheduled, i.e. the current thread must do
context switch in the return to userspace path, set the flag.
Then the ast handler calls ast_scheduler(), which gives the same
effect as scheduling TDA_AST.

The overhead is a single function call on each userspace return, for
4BSD case.

Reported and tested by: pho (previous version)
Reviewed by:    markj
Sponsored by:   The FreeBSD Foundation
MFC after:      1 week
Differential revision:  https://reviews.freebsd.org/D54945
Delta  File
+19 -2  sys/kern/sched_4bsd.c
+2 -0  sys/sys/sched.h
+1 -1  sys/kern/kern_synch.c
+1 -0  sys/sys/proc.h
+23 -3  4 files

HardenedBSD/ports 573fbd6 portuguese/aspell-pt_PT Makefile pkg-plist

portuguese/aspell-pt_PT: upgrade to 20190329-1-0
Delta  File
+6 -3  portuguese/aspell-pt_PT/Makefile
+4 -2  portuguese/aspell-pt_PT/pkg-plist
+3 -2  portuguese/aspell-pt_PT/distinfo
+13 -7  3 files

HardenedBSD/ports f460781 textproc/el-aspell Makefile distinfo

textproc/el-aspell: upgrade to 0.08

Remark: the previous version number, dated 2002, is higher, but
actually for Aspell 5; this one is newer and really for Aspell 6.

Also define the license.
Delta  File
+7 -4  textproc/el-aspell/Makefile
+3 -2  textproc/el-aspell/distinfo
+2 -0  textproc/el-aspell/pkg-plist
+12 -6  3 files

HardenedBSD/ports 183ec63 textproc Makefile, textproc/hus-aspell Makefile pkg-plist

textproc/hus-aspell: new port, Aspell dictionary for Huastec
Delta  File
+13 -0  textproc/hus-aspell/Makefile
+4 -0  textproc/hus-aspell/pkg-plist
+3 -0  textproc/hus-aspell/distinfo
+3 -0  textproc/hus-aspell/pkg-descr
+1 -0  textproc/Makefile
+24 -0  5 files

HardenedBSD/ports df4649f portuguese/aspell-pt_BR Makefile pkg-plist

portuguese/aspell-pt_BR: upgrade to 20131030-12-0
Delta  File
+6 -3  portuguese/aspell-pt_BR/Makefile
+4 -2  portuguese/aspell-pt_BR/pkg-plist
+3 -2  portuguese/aspell-pt_BR/distinfo
+13 -7  3 files

HardenedBSD/ports e8b204c textproc Makefile, textproc/mg-aspell Makefile pkg-plist

textproc/mg-aspell: new port, Aspell Malagasy dictionary
Delta  File
+13 -0  textproc/mg-aspell/Makefile
+4 -0  textproc/mg-aspell/pkg-plist
+3 -0  textproc/mg-aspell/distinfo
+1 -0  textproc/mg-aspell/pkg-descr
+1 -0  textproc/Makefile
+22 -0  5 files

HardenedBSD/ports 2df38e4 security/zeek distinfo Makefile

security/zeek: security/zeek: Update to 8.0.6

    https://github.com/zeek/zeek/releases/tag/v8.0.6

This release fixes the following potential DoS vulnerability:

 - Zeek's HTTP analyzer can be tricked into interpreting Transfer-Encoding
   or Content-Length headers set in MIME entities within HTTP bodies
   and change the analyzer behavior.

This release fixes the following bugs:

 - A missing state check was added to the finalize_redis hook in
   the Redis analyzer

 - A bug was fixed when attempting to append a vector to itself
   that would cause an infinite loop.

 - A memory leak was fixed that occurred when looping over tables

    [3 lines not shown]
Delta  File
+3 -3  security/zeek/distinfo
+1 -1  security/zeek/Makefile
+4 -4  2 files

HardenedBSD/ports 03bfa39 security/vuxml/vuln 2026.xml

security/vuxml: Mark security/zeek < 8.0.6 as vulnerable as per:

    https://github.com/zeek/zeek/releases/tag/v8.0.6

This release fixes the following potential DoS vulnerability:

 - Zeek's HTTP analyzer can be tricked into interpreting Transfer-Encoding
   or Content-Length headers set in MIME entities within HTTP bodies
   and change the analyzer behavior.

Reported by:    Tim Wojtulewicz
Delta  File
+28 -0  security/vuxml/vuln/2026.xml
+28 -0  1 files

HardenedBSD/src 0730a05 share/man/man7 tuning.7

tuning.7: document schedulers knobs

Reviewed by:    emaste, olce, ziaee
Sponsored by:   The FreeBSD Foundation
MFC after:      1 week
Differential revision:  https://reviews.freebsd.org/D54951
Delta  File
+26 -0  share/man/man7/tuning.7
+26 -0  1 files