BSD Commit Log Search

   Reserve the first MB of the DVA address space because qwx(4) doesn't
   succeed in doing DMA when the DVA is 0x1000 and PCI-PCI bridges may not
   forward address in part of that first MB as well.

   ok chris@

   Error out  on presence of Content-Length and Transfer-Encoding headers
   for GET, HEAD and other methods that should have no body.

   Ignoring the Content-Length header makes httpd vulnerable to
   HTTP request smuggling. A crafted GET request may embed an extra
   HTTP request which could bypass a proxy or WAF but then is handled
   by httpd.

   Remove the special case for TRACE and CONNECT in the Content-Length
   handling. Move those checks into the method switch at the end of the
   header parsing phase and by that also cover more methods including
   GET and HEAD. If either header is present simply abort the connection,
   nobody should send extra data along GET and HEAD requests.

   Add an an explicit HTTP_METHOD_TRACE case above the default case
   to indicated that we deliberately don't handle TRACE requests.

   This security vulnerability was found by Nicola Staller of SySS GmbH.

   With and OK rsadowski@ previous version also OK florian@

   update to py3-virtualenv-21.0.0

   Fix checking of of RL_FLAG_PCIE and accidental clobbering of sc->rl_flags

   confirmed by sthen and kettenis@ "please apply that fix"

   enable forced resolvers that aren't in a preference block

   allows a config such as:

       preference { autoconf }
       forwarder { 127.0.0.1 port 5300 }
       force forwarder { local }

   also fix a typo while i'm here

   ok florian

   update to anubis-1.25.0

   update to libmaxminddb0.13.2 (no real change for us)

   Add hints regarding colors etc used by default in recent GDB releases

   so that we can just answer "check the readme" when asked about it. :)

   databases/postgresql: update -stable from 17.7 to 17.9

   fixes CVE-2026-2003, CVE-2026-2004, CVE-2026-2005 & CVE-2026-2006
   see https://www.postgresql.org/docs/release/17.8/
   and https://www.postgresql.org/docs/release/17.9/
   discussed with jeremy@ (MAINTAINER)

   regress/mmap: Test hints in VM-area edge cases

   Test mmap(2) with hint above VM_MAXUSER_ADDRESS without MAP_FIXED.
   This tests uvm_map.c,v 1.355.

   Also test the lower boundary below PAGE_SIZE.

   ok kettenis@

   Update mame to 0.286.

   geo/gpxsee: update to 15.11

   bugfix update to 5.516

   Do not free buffer after adding to paste (since it now owns it).

   Add missing version bump to 6.6.1

   update to wireshark-4.4.14

   update to wireshark-4.4.14

   KDE Plasma 6.6.1, Bugfix Release for February

   https://kde.org/announcements/changelogs/plasma/6/6.6.0-6.6.1/

   Security update to vaultwarden-1.35.4

   This release contains security fixes:
   - GHSA-w9f8-m526-h7fh. This vulnerability would allow an attacker to
     access a cipher from a different user (fully encrypted) if they
     already know its internal UUID.
   - GHSA-h4hq-rgvh-wh27. This vulnerability allows an attacker with
     manager-level access within an organization to modify collections they
     can access, even if they do not have management permissions for them.
   - GHSA-r32r-j5jq-3w4m. This vulnerability allows an attacker with
     manager-level access within an organization to modify collections they
     are not assigned. These are private for now, pending CVE assignment.

   Changes: https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.4

   OK kirill@

   Enable 64-bit DMA transfers on the PCIe variants of re(4) cards.

   ok kettenis

   update to freerdp-2.11.8

   remove PORTROACH marker, this is the last 2.x release (updating is
   blocked, 3.x needs a more complete posix timers implementation)

   Not 666

   Improve the discussion about "tmppath"
   feedback from various people based upon my first attempts.

   pledge "tmppath" goes away because it sucks.  The history is kind of
   sad:  unveil(2) was invented by Bob Beck and myself because a couple
   of us struggled and couldn't expand the "tmppath" mechanism to general use.
   unveil(2) ended up being kind of "upside down" different, and so we never
   deleted "tmppath" because the refactorings seemed complicated.
   However over the last two weeks, we're removed all the "tmppath" in base
   pretty easily, and the 18 ports using it have also been fixed.
   The majority of situations now use unveil "/tmp" "rwc", unveil "/" "r" or
   similar, and then pledge "rpath wpath cpath", and this is generally needed
   to satisfy the mkstemp(3) family of functions in libc.
   Use of "tmppath" will now cause pledge(2) to return EINVAL.  There is
   no backwards compatible way of mimic the behaviour correctly using
   kernel-internal unveil hackery.
   Prompted by a report from David Leadbeater; and extensive conversations
   with beck and semarie.

   Update various lifetimes.

   This raises the router, dns and nat64 lifetimes from 30 minutes to 60
   minutes and lowers the prefix valid lifetime from 90 minutes to 60
   minutes.

   This brings us in line with the values of draft-ietf-6man-slaac-renum
   which is going to be published soon.

   Aligning all these lifetimes to a single value (60 minutes) makes
   sense because the information is transmitted in one router
   advertisement packet. It does not make sense for one piece of
   information to time out before another.

   OK phessler

   fix conflict tag

   Sptted by semarie@

   Call igmp_sendpkt() and mld6_sendpkt() with pktinfo argument.

   Gather all information needed to send an IGMP or MLD6 packet in a
   struct pktinfo.  This allows splitting access to multicast data
   structures from sending packets.  Then adding locks to multicast
   will be easier.

   OK mvs@

   ixl(4) can handle 64 bit DMA transfers.

   OK kettenis@ jmatthew@

   MFC update to pizauth-1.0.10

   update to pizauth-1.0.10, from Laurence Tratt (maintainer)
   drops tmppath pledge, thanks for updating this so quickly Laurie