Import unbound 1.25.1 (previous was 1.24.2)
Bug Fixes
Fix CVE-2026-33278, Possible remote code execution during DNSSEC validation.
Thanks to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-42944, Heap overflow and crash with multiple nsid, cookie,
padding EDNS options. Thanks to Qifan Zhang, Palo Alto Networks, for the
report.
Fix CVE-2026-42959, Crash during DNSSEC validation of malicious content. Thanks
to Qifan Zhang, Palo Alto Networks, for the report.
Fix CVE-2026-32792, Packet of death with DNSCrypt. Thanks to Andrew Griffiths
from 'calif.io' for the report.
Fix CVE-2026-40622, "Ghost domain name" variant. Thanks to Qifan Zhang, Palo
Alto Networks, for the report.
[25 lines not shown]
mi pmap: support code for HW updated referenced and modified PTE bits
Previously the MI PMAP would rely on mod/ref emulation to update
mdpg_attrs if a page was modified or referenced. Now support checking
each mapping's HW modified PTE bits (and updating mdpg_attrs).
mi pmap: aarch64: fix ref/mod emulation in pmap_fault_fixup
If a PTE changes in pmap_fault_fixup the entry in the TLB needs
to be invalidated.
While I'm here use atomic_load_relaxed to fetch the PTE and fix a
comment.
risc-v: fix ref/mod emulation PTE handling.
The previous code has zero chance of working and now that pmap_test_mod_ref
exists it can prove this code is correct.
aarch64: pmap: misc improvements to pmap_test_mod_ref
- remove the need for pmap_debugva by using uvm_km_{alloc,free}
- deactivate curlwp so the kernel pmap is always active
- sprinkle pmap_update()
axen(4): brush up
Align .Cd introduced in previous with the others.
Don't abuse -tag for -item. Mark up ifconfig media types.
Drop confusing parens around the sentence that says autoselect is the
default. The next sentence is the logical continuation of that
thought, and yet it was outside the parens, torn away from the
sentence it expands upon.
Avoid most 30-40 character runs of alphabet soup. A slash and an 'A'
is an especially nasty combination. Fortunately, commas are a thing.
Give remaining slashes a bit of kerning.
octeon: Add second errata syncw in membar_release
The second syncw is relevant to CN5xxx/Octeon+ for us (ERLite); we don't
currently support CN3xxx but attempt to clarify the commentary around all
this.
There is a seemingly similar detail on cnMIPS, the SYNC_PLUNGER, which is not
dealt with or changed here. This syncw is specifically to work around two
related errata in CN3xxx and CN5xxx.
The OCTEON2 path is a future breadcrumb; we don't build it yet.
Reviewed by: skrll@
axen.4: note examples of presently unsupported features
(These could go under a bugs section, but it perhaps makes more sense
to keep all this information together.)
axen.4: add and adjust examples of supported devices
Noted to work with TP-Link UE300 (those that come with ASIX chips,
apparently some come with an RTL8153) and UE306. While here, also
correct the transliteration of "Kuroutoshikou", following OpenBSD.
tcp: set initial RTO to 1s per RFC 6298
Lower TCPTV_SRTTDFLT from 3s to 1s and adjust the t_rttvar seed in
tcp_tcpcb_template() so the pre-measurement TCP_REXMTVAL() equals
TCPTV_SRTTDFLT (was 2*TCPTV_SRTTDFLT). Active opens and SYN|ACK
retransmits now start at 1s and back off 1, 2, 4, ... per RFC 6298
sections 2.1 and 5.5. Post-first-sample RTO is unchanged.
Pin tcp_msl_remote_threshold to its previous numeric default (3*PR_SLOWHZ)
so the SRTTDFLT change does not move an unrelated TIME_WAIT-shortening
tunable.
This is conceptually https://reviews.freebsd.org/D18941 which we ran at a
large CDN, modified for NetBSD's stack.
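As an added illustration (not NetBSD's tcp code) of the RFC 6298 behaviour the commit refers to: a 1 s initial RTO that backs off 1, 2, 4, ... until the first RTT sample seeds SRTT and RTTVAR, after which the RTO is recomputed from the measured values. The millisecond unit and the 100 ms clock granularity G are assumptions of the example.

```c
#include <stdint.h>
#include <string.h>

/* Times are in milliseconds (assumed unit); constants follow RFC 6298. */
#define RTO_INIT_MS   1000   /* initial RTO before any RTT sample, section 2.1 */
#define RTO_MIN_MS    1000   /* lower bound on RTO, section 2.4 */
#define RTO_MAX_MS   60000   /* upper bound on RTO, section 2.5 */
#define CLOCK_G_MS     100   /* assumed timer granularity G */

struct rto_state {
    int      have_sample;  /* 0 until the first RTT measurement arrives */
    uint32_t srtt;         /* smoothed round-trip time */
    uint32_t rttvar;       /* round-trip time variation */
    uint32_t rto;          /* current retransmission timeout */
};

static uint32_t clamp_rto(uint32_t rto) {
    if (rto < RTO_MIN_MS) return RTO_MIN_MS;
    return rto > RTO_MAX_MS ? RTO_MAX_MS : rto;
}

/* Fresh connection: no sample yet, so the RTO starts at 1 second. */
void rto_init(struct rto_state *s) {
    memset(s, 0, sizeof(*s));
    s->rto = RTO_INIT_MS;
}

/* Sections 2.2 and 2.3: fold a new RTT measurement R into SRTT/RTTVAR/RTO. */
uint32_t rto_sample(struct rto_state *s, uint32_t r) {
    if (!s->have_sample) {
        s->srtt = r;          /* SRTT <- R */
        s->rttvar = r / 2;    /* RTTVAR <- R/2 */
        s->have_sample = 1;
    } else {
        /* RTTVAR is updated first, against the old SRTT; beta = 1/4, alpha = 1/8. */
        uint32_t diff = s->srtt > r ? s->srtt - r : r - s->srtt;
        s->rttvar = (3 * s->rttvar + diff) / 4;
        s->srtt = (7 * s->srtt + r) / 8;
    }
    uint32_t k = 4 * s->rttvar;  /* RTO <- SRTT + max(G, K*RTTVAR), K = 4 */
    s->rto = clamp_rto(s->srtt + (k > CLOCK_G_MS ? k : CLOCK_G_MS));
    return s->rto;
}

/* Section 5.5: the timer expired; double the RTO (bounded by RTO_MAX_MS). */
uint32_t rto_backoff(struct rto_state *s) {
    s->rto = clamp_rto(s->rto * 2);
    return s->rto;
}
```

With the 1 s seed, a SYN that is never answered is retried after 1, 2, 4, ... seconds; once a sample arrives the 1 s floor from section 2.4 still applies, which is why a 200 ms RTT yields a 1 s RTO below.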
Import bind 9.20.23 (previous was 9.20.22)
Security Fixes
Limit resolver server list size. (CVE-2026-3592)
When resolving a domain with many nameservers that shared overlapping
IP addresses (e.g., 10 NS records all pointing at the same set of
addresses), BIND could previously waste time querying duplicate
addresses and build up excessively large server lists. Addresses
in the resolver's server list are now deduplicated so that each
unique IP is only queried once per resolution attempt, regardless
of how many NS records point to it. The number of addresses stored
per nameserver name is also now capped at six (combined A and AAAA),
preventing memory and CPU overhead from domains with unusually
large NS/glue sets.
ISC would like to thank Shuhan Zhang from Tsinghua University for
reporting this issue. [GL #5641]
[222 lines not shown]